Is endpoint device and data protection needed? Ask Dallas Based Children’s Health

http://www.nbcdfw.com/news/health/Childrens-Health-Pays-3M-Fine-Over-Patient-Data-Breach-412601273.html

Children’s Health recently paid a penalty of more than $3 million for the possible exposure of patient data.  A simple mobile device policy and off-the-shelf security products could have avoided this situation altogether.  Mobile devices (laptops included) have numerous vulnerable areas that attackers can exploit.  In the case of Children’s Health, the lost devices had no control or security mechanisms in place at all.  “It won’t happen to us” is no longer an excuse to pass on endpoint protection.

A few of the vulnerable areas in the mobile environment include:

  • The device itself
  • SMS exploits
  • Wi-Fi devices (access points)
  • Telco service providers’ Internet access
  • Bluetooth vulnerabilities
  • The Internet
  • App stores
  • Web sites

The aforementioned mobile environment vulnerabilities can introduce the following mobile risks:

  • Weak server-side controls
  • Insecure data storage on the device
  • Insufficient transport layer protection / poor session handling
  • Unintended data leakage
  • Poor authorization and authentication
  • Broken cryptography
  • Client-side injection

When speaking of mobile devices, remember we’re including laptops.  Basic MDM and overall mobile platform security via endpoint protection solutions are an easy place to start to mitigate these risks.  Additionally, if the data residing on mobile devices is sensitive and/or regulated by information security laws, standards or compliance mandates, take action now to review your policies.  Are you prepared to handle a security incident? Here are a few questions to ask your organization.

  1. Are we quickly able to identify, analyze, prioritize and resolve security incidents?
  2. Can we triage and analyze an event or incident with exact detail?
  3. Do we have an Incident Response plan put into place?
  4. Are we able to obtain detection and reporting logs?

Richard Mendoza, CISSP

Contention in the courtroom: Admissibility of Digital Evidence Collected from Computer RAM from a Live Computer

Conventional computer investigations collect, preserve, and analyze computer hard drives and media such as USB drives, floppy disks, zip drives, and optical media (CDs and DVDs). Since investigators typically “pull the plug” on the computer system prior to acquiring an exact copy of the hard drive, this particular methodology is referred to as dead-box forensics—a technique that analyzes the data at rest. (Cummings, 2008)

Cummings also makes reference to live-box forensics: “This technique gives investigators access to the entire running system, including the volatile information contained in the memory chips (RAM) and whatever is on the live hard drive.” Live memory, also known as RAM, can hold an enormous amount of data pertinent to an investigation. RAM, for example, can contain temporary Internet browsing locations, passwords and unencrypted documents.

I can understand why the admissibility of evidence obtained from memory is debated. “Against this backdrop, challenges to authenticity and originality often come via claims that evidence has been contaminated or altered at some time between initial collection and eventual presentation in court. The initial actions of persons at the scene, for instance, serve as fodder for challenge. Given that those persons may have inadvertently deposited their own fingerprints, footprints, tool marks, hair, clothing fibers or biological materials at the scene opens a door to challenges that the evidence is not what it purports to be and that resulting analysis and event reconstruction is not reliable.” (JOLT: Articles) However, it is my opinion that proper investigations accompanied by legal search warrants would also be accompanied by numerous individuals who could attest to the authenticity of the collected live data.

In terms of addressing the admissibility of live data collected from memory, there are forensic tools readily available that have been shown to be reliable in collecting and preserving RAM. The available tools, coupled with an experienced and certified practitioner, appear to satisfy the Federal Rules of Evidence requirements.
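The authenticity challenge described above is usually answered with a record that fixes the image’s digest at acquisition and then documents every hand-off and later verification. The following is an added example, not the author’s code and not the output of any named forensic tool: it builds a small chain-of-custody log in which each entry commits to the previous one, so that both a substituted image and a quietly edited log entry are detectable. The image bytes, operator names, timestamps and the `<tool name>` string are constructed placeholders.

```python
"""
Added example (not from the original post or from any tool it mentions):
a tamper-evident chain-of-custody record for an acquired memory image.
The image bytes are a constructed stand-in, not a real RAM capture, and
the actor names, timestamps and tool name are placeholders.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str        # ISO-8601 string supplied by the caller
    actor: str
    action: str           # e.g. "acquired", "transferred", "verified"
    image_sha256: str     # digest of the evidence image at this step
    prev_entry_hash: str  # entry_hash of the preceding entry (chain link)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except entry_hash, in a fixed key order, so any
        # later verifier can reproduce the value independently.
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    GENESIS = "0" * 64  # prev_entry_hash used by the first entry

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, timestamp: str, actor: str, action: str, image: bytes) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(len(self.entries), timestamp, actor, action,
                             sha256_hex(image), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, image: Optional[bytes] = None) -> List[str]:
        """Return a list of problems; an empty list means the record is consistent.
        If an image is supplied it is also compared with the digest fixed at acquisition."""
        problems: List[str] = []
        prev = self.GENESIS
        acquired_digest = None
        for e in self.entries:
            recomputed = e.compute_hash()
            if e.prev_entry_hash != prev:
                problems.append(f"entry {e.seq}: chain broken")
            if e.entry_hash != recomputed:
                problems.append(f"entry {e.seq}: contents altered")
            if acquired_digest is None:
                acquired_digest = e.image_sha256
            elif e.image_sha256 != acquired_digest:
                problems.append(f"entry {e.seq}: image digest differs from acquisition")
            prev = recomputed  # an edited entry breaks the link to its successor
        if image is not None and acquired_digest is not None \
                and sha256_hex(image) != acquired_digest:
            problems.append("presented image does not match acquisition digest")
        return problems


def demo() -> dict:
    # Constructed stand-in for an acquired RAM image.
    image = b"\x00" * 4096 + b"constructed stand-in for an acquired RAM image" + b"\xff" * 4096
    log = CustodyLog()
    log.record("2016-02-02T10:00:00Z", "examiner A (placeholder)", "acquired with <tool name>", image)
    log.record("2016-02-02T11:30:00Z", "custodian B (placeholder)", "transferred to evidence locker", image)
    log.record("2016-03-15T09:00:00Z", "examiner A (placeholder)", "verified before analysis", image)
    clean = log.verify(image)                      # consistent record, matching image
    tampered_image = log.verify(image + b"\x01")   # image presented later is not the one acquired
    log.entries[1].actor = "someone else"          # a historic entry is edited after the fact
    edited_log = log.verify(image)
    return {"clean": clean, "tampered_image": tampered_image, "edited_log": edited_log}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log is only as strong as the custody of the log itself; in practice each entry would also be signed or countersigned by the people named in it, which is exactly the role of the witnesses the paragraph above relies on.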

According to the JOLT article, “the standards for the admissibility of evidence are relevance, authenticity, and reliability. These preliminary determinations can occur under the auspices of Federal Rule of Evidence (F.R.E.) 901’s requirement that the matter in question is what it is claimed to be, or via the more demanding showing of reliability for scientific, technical or specialized evidence under F.R.E. 702. This judicial screening is meant to ensure that the evidence is reliable enough to go before a fact-finder, who decides what weight that evidence should carry. A basic evidentiary tenet governing admissibility is that there are guarantees of trustworthiness attached to the evidence so that a jury is not unduly confused or prejudiced. Authentication standards are meant to ensure that the evidence is what it purports to be, and how rigorous a foundation is needed to make this finding depends on the existence of something that can be tested in order to prove a relationship between the evidence and an individual and control against the perpetration of fraud.

Additionally, another evidentiary lynchpin is that evidence is “original.” Known as the Best Evidence Rule, the Federal Rules of Evidence maintain that:

An “original” of a writing or recording is the writing or recording itself or any counterpart intended to have the same effect by a person executing or issuing it. An “original” of a photograph includes the negative or any print therefrom. If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an “original.” (JOLT: Articles.)

Researching the specific rules of evidence for my state, Texas, I found the following documentation that relates to electronically stored information.

TEXAS RULES OF EVIDENCE

Effective April 1, 2015

ARTICLE X.
CONTENTS OF WRITINGS, RECORDINGS, AND PHOTOGRAPHS

(d) An “original” of a writing or recording means the writing or recording itself or any counterpart intended to have the same effect by the person who executed or issued it. For electronically stored information, “original” means any printout—or other output readable by sight—if it accurately reflects the information. An “original” of a photograph includes the negative or a print from it.

(e) A “duplicate” means a counterpart produced by a mechanical, photographic, chemical, electronic, or other equivalent process or technique that accurately reproduces the original.

Rule 1003. Admissibility of Duplicates

A duplicate is admissible to the same extent as the original unless a question is raised about the original’s authenticity or the circumstances make it unfair to admit the duplicate. (Texas Judicial Branch)

From my interpretation of the rules set forth in the State of Texas, there doesn’t seem to be much debate about whether live system memory is allowed. However, careful consideration, as usual, should be given to the legal seizure of digital components and their content so that the trustworthiness of the forensic practitioner and their tools does not come into question. Most companies and their IT departments have little experience with the technical aspects and Federal Rules of Digital Evidence. While most civil, criminal, and company policy violations involve some sort of digital evidence, hiring digital forensic professionals is becoming imperative to adhering to the Federal Rules of Evidence.

REFERENCES:

Cummings, R. (n.d.). Computer Evidence. Retrieved from http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=116

JOLT: Articles. (n.d.). Retrieved February 02, 2016, from http://www.lawtechjournal.com/articles/2005/05_051201_Kenneally.php

Welcome to the Texas Judicial Branch. (n.d.). Retrieved February 02, 2016, from http://www.txcourts.gov/

The Challenges of Digital Forensic Evidence: Preservation and Retention


With almost every crime having possible digital evidence associated with it also comes an enormous amount of digital evidence that will need to be preserved and retained according to state and federal guidelines. The legal and technical requirements to archive, preserve and retain digital and multimedia evidence (DME) are a bigger challenge than one would expect to encounter. “From a law enforcement perspective, more of the information that serves as currency in the judicial process is being stored, transmitted, or processed in digital form. The connectivity resulting from a single world economy in which the companies providing goods and services are truly international has enabled criminals to act transjurisdictionally with ease. Consequently, a perpetrator may be brought to justice in one jurisdiction while the digital evidence required to successfully prosecute the case may reside only in other jurisdictions. This situation requires that all nations have the ability to collect and preserve digital evidence for their own needs as well as for the potential needs of other sovereigns. Each jurisdiction has its own system of government and administration of justice, but in order for one country to protect itself and its citizens, it must be able to make use of evidence collected by other nations. Though it is not reasonable to expect all nations to know about and abide by the precise laws and rules of other countries, a means that will allow the exchange of evidence must be found.” (SWGDE, 2016)

“The growth in volume and number of devices impacts forensic examinations in many ways, including increasing lengths of time to create forensic copies and conduct analysis, which contributes to the increase in the backlog of requests. Digital forensic practitioners, especially those in government and law enforcement agencies, will continue to be under pressure to deliver more with less especially in today’s economic landscape. This gives rise to a variety of needs and challenges, including:

  • A more efficient method of collecting and preserving evidence.
  • A capacity to triage evidence prior to conducting full analysis.
  • Reduced data storage requirements.
  • An ability to conduct a review of information in a timely manner for intelligence, research and evidential purposes.
  • An ability to archive important data.
  • An ability to quickly retrieve and review archived data.
  • A source of data to enable a review of current and historical cases (intelligence, research and knowledge management).” (Quick & Choo, 2014)

Case Study: Regional Computer Forensics Laboratory (RCFL)

“A Regional Computer Forensics Laboratory (RCFL) is a full-service digital forensics laboratory and training center devoted entirely to the impartial analysis of digital evidence in support of criminal or national security investigations. It is a cooperative arrangement between the Federal Bureau of Investigation (FBI) and other law enforcement agencies of federal, state, and local governments operating within a limited and specific geographic area. There are 16 RCFLs in the National Program.” (U.S. Department of Justice, FBI, 2013)

According to the latest Regional Computer Forensics Laboratory Annual Report, “from 2011 to 2013 over 16,000 TB of digital evidence will fall under some evidence retention law, whether that be state or federal.” (Federal Bureau of Investigation, RCFL, 2013) At the time of writing this paper (February 2016), I researched the cost to store 16,000 TB of data using commercial pricing obtained from IBM Softlayer’s block storage service. Softlayer’s cost is fifteen cents per GB per month.  If we were to store the RCFLs’ 16,222 TB of digital evidence procured from 2011 to 2013 using Softlayer’s Block Storage service, the cost would total $2,491,699.20 per month. (Softlayer, 2016)

This example of the volume of digital evidence looks at only one organization’s digital evidence and only three years of data.  Now imagine year-after-year growth of digital evidence and our continuous need to preserve, manage and retain it. Digital evidence preservation and retention is, and will remain, a challenge for organizations across the globe. Leveraging a cloud-based or shared computing infrastructure could certainly help create efficiencies in practically every category and process entailed in evidence preservation and retention.

Factors Contributing to the Overwhelming Volume of Digital Evidence

“The analysis of digital evidence deals with gathering, processing, and interpreting digital evidence, such as electronic documents, lists of phone numbers and call logs, records of a device’s location at a given time, emails, photographs, and more. In addition to traditional desktop and laptop computers, digital devices that store data of possible value in criminal investigations include cell phones, GPS devices, digital cameras, personal digital assistants (PDAs), large servers and storage devices (e.g., RAIDs and SANs), video game consoles (e.g., PlayStation and Xbox), and portable media players (e.g., iPods). The storage media associated with these devices currently fall into three broad categories. The first, magnetic memory, includes hard drives, floppy discs, and tapes. The second, optical memory, includes compact discs (CDs), and digital versatile discs (DVDs). The third, electrical storage, includes USB flash drives, some memory cards, and some microchips. These items are the most commonly encountered in criminal and counterintelligence matters, but laboratories have been asked to examine such items as scuba dive watches in death investigations and black boxes in aircraft mishaps.” (National Research Council, 2009)

“The proliferation of computers and related devices over the past 30 years has led to significant changes in and the expansion of the types of criminal activities that generate digital evidence. Initially, computers were either the weapon or the object of the crime. In the early days, most computer crime involved manipulating computer programs of large businesses in order to steal money or other resources. As computers became more popular, they became storage containers for evidence. Drug dealers, book makers, and white collar criminals began to keep computerized spread sheets detailing their transactions. Digital cameras and the Internet have made child pornography increasingly available, and computers act as a digital file cabinet to hold this contraband material. Finally, digital media have become witnesses to daily activities. Many individuals have two cell phones with text messaging and/or e-mail capability, several computers, a home alarm system, a GPS in the car, and more; even children often possess some subset of these items. Workplaces use magnetic card readers to permit access to buildings. Most communication involves some kind of computer, and by the end of each day, hundreds of megabytes of data may have been generated about where individuals have been, how fast they got there, to whom they spoke, and even what was said. Suicide notes are written on computers. Sexual predators stalk their victims online via e-mail, chat, and instant messaging. Even get-away cars are equipped with GPS devices. Finally, computer systems have become (with ever-increasing frequency) the victims of unauthorized control or intrusions. These intrusions often result in the manipulation of files and the exfiltration of sensitive information. In addition, computers in automobiles that track speed, braking, and turning are valuable in accident reconstruction. As a result, almost every crime could have digital evidence associated with it.” (National Research Council, 2009)

Scientific Working Group on Imaging Technology Best Practices

“In order to ensure that digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system. Standard Operating Procedures (SOPs) are documented quality-control guidelines that must be supported by proper case records and use broadly accepted procedures, equipment, and materials.” (SWGDE, 2016)

It is essential that agencies store their digital and multimedia evidence (DME) in such a way and under conditions that will permit access when it is needed. Archiving is the process of storing data in a manner suitable for long-term availability and retrieval. The archiving process is more than simply the preservation of physical media. In cases where archiving is desired, it should be planned for from the moment the DME is generated, processed, or seized.

Why Archiving Is Needed

Archiving is needed to ensure that stored DME is available for future use and to fulfill state and federal requirements for evidence retention. The techniques employed should be chosen to ensure that data can be located, accessed, and used. DME sometimes is required to be stored for long periods of time according to statutory requirements and/or departmental policies and regulations.

What Should Be Archived

Agencies should archive DME that they are legally permitted to possess and that may be required for future access. It may be necessary to retain original software and hardware or to transfer data from one type of media to another, in order to access archived DME in the future.

Archive Creation Standard Operating Procedures

Departments should ensure that a written archive standard operating procedure (SOP) exists and is implemented. (This SOP does not have to be a stand-alone document.)  The SOP should take into consideration the department’s long-term goals, planning, and needs. New technologies, court precedents, and changing circumstances may dictate an SOP change. All previous versions of SOPs should be maintained for reference.

Physical Plant

Physical-plant concerns are multifaceted. One of the biggest issues is environmental factors that can have an adverse effect on the archive. Some of these factors include temperature and humidity control, electrical surge protection, fire suppression, natural-disaster preparation, and electromagnetic field mitigation. The use of a secondary off-site storage facility is encouraged to provide a backup to the primary archive facility.

Security

To ensure the integrity of the archive, the agency must address security policies and procedures. Security policies should address such issues as physical and electronic access tracking, limitation of access, virus detection, and data suitability. If an archive contains DME requiring a chain of custody, this issue should be addressed as part of agency policy and procedures.

Hardware/Software

As technology progresses and hardware and software are upgraded or changed, it is possible that the original hardware and software used to create/access the DME may need to be retained in functional condition to ensure accessibility. This is especially true in the case of proprietary systems.

Media

In the field of imaging technology, photographic plates, films, and photographic prints have been shown to be appropriate media for archiving purposes, provided they are developed and stored according to industry standards. Videotape has also demonstrated the ability to be stored for long periods of time without degradation when stored correctly. There are many types of media to which DME data can be written for archiving purposes. These include optical media (including CDs and DVDs), magnetic tape, and servers, which may or may not include redundant arrays of independent disks (RAIDs). Serious consideration should be given to the type of media chosen for archiving.

Many law enforcement agencies have chosen to use optical media as an interim solution for storing DME. Concerns about the actual-versus-theoretical lifespan of optical media have been raised. The lifespan of optical media begins at the time of manufacture, not at the time they are first placed into service. While optical media have been shown through common experience to be sufficient for short- to moderate-term storage, they are inadequate for archiving. However, optical media used for any length of storage should be designed specifically for archival purposes, and multiple copies should be maintained. Rewritable optical media should never be used for archiving because they have the shortest lifespan. Steps should be taken to ensure the serviceability of the optical media used by periodically testing and refreshing as required. (In the refreshment process, data from the original media are copied onto new media.)  When media are refreshed, multiple copies still need to be maintained. This process should continue until the DME is placed onto a different type of media, as technology advances, or until the data are to be purged.

Some types of magnetic tape have been shown to be a reliable option in the long-term storage of data, provided the media are refreshed as required per manufacturers’ guidelines. At the time the archive is being planned and the use of magnetic tape archiving equipment has been determined, consideration should be given to using a magnetic tape format designed specifically for long-term archiving purposes. Many of these devices use hardware and/or software compression in their storage of data. Compression concerns are addressed elsewhere in this document.

RAIDs can be implemented using different configurations, which have varying levels of redundancy and fault tolerance. For example, RAID Level 0 provides for no redundancy or fault tolerance, whereas other levels of RAID provide for excellent redundancy and fault tolerance. When RAIDs are used, agencies should determine their long-term needs and resources and choose the appropriate RAID configuration for their archives.

Media Preservation

The advantages and limitations of storage media—such as the unknown lifetime of optical disks, print fading, hard-drive volatility, and other manufacturer research data—should be understood and incorporated into the archival structure. Agencies should use media recommended for long-term storage when archiving data; in cases where servers are used, it may be necessary to have a backup solution. Media should be handled and stored in a manner consistent with the manufacturers’ recommendations.

Data Transmission

When creating an archive, consideration should be given to the individual file size to be archived and the bandwidth available on the network in which the archive is established. Large or numerous files being transferred across a network may influence network performance. If the archive is not a dedicated system, then the transfer rate of the network may be adversely affected.

Data Management

The integrity of the DME to be archived should be verified both before and after the creation of the archive. Archived DME should be readily accessible via cataloging and indexing. The metadata can be very useful for facilitating broad and accurate searches of the archive. Therefore, metadata always should be archived with the data. Storage facilities should be adequate in size for the data to be maintained as well as to allow for growth. (DME files can be very large in size, and as technology increases, file sizes will increase dramatically.)

Data Compression

Generally speaking, there are two ways to approach the compression of data within the archive: hardware compression and software compression. When compression is used, it is imperative that the hardware and/or software used to decompress the data be archived.

Compression can be either lossless or lossy in nature. Where practicable, it is recommended that data contained within the archives not be compressed. While lossy compression may not render an image unusable, such compression schemes are not recommended. (This is not to say that DME that was originally created in a compressed format cannot or should not be archived.)  File type and content should be considered when determining the amount and degree of compression to be used.

When SOPs call for the conversion of proprietary formats to open-source formats, it is advisable to use uncompressed formats when possible. If a compressed open-source format is selected, lossless compression is highly recommended. As described above, less compression is best if the file must be compressed.

Archive Maintenance

As new versions of hardware and software are released, backward compatibility is not always ensured. Newer versions of software and hardware will not always be able to access the older data. It is necessary over time to ensure that the newer versions of software and hardware will be able to access the older data. Archivists should be aware that software providers occasionally cease support for their proprietary file formats. Long-term retrieval capabilities require that both original hardware and software be archived.

Hardware and Media

Maintenance of physical devices and/or media may require preventive maintenance on a periodic basis per manufacturers’ and industry recommendations. This maintenance should be planned for at the time the archive is developed. Hardware and media should be periodically checked and/or tested for operability and serviceability. If it is found that the hardware or media are no longer serviceable or obsolescence is foreseen, steps should be taken to migrate all data to a proven, stable storage solution as soon as possible. If failures are detected, the possibility of batch failures should be investigated.

Software

Because certain file formats or proprietary software may become unusable as technology progresses, this software should be archived as necessary to ensure accessibility of DME created by the software.

Reverse Compatibility and Interoperability

Reverse compatibility is the ability of newer versions of software and/or firmware to access older file versions. Interoperability is the ability to access data across platforms or applications. These issues should be considered when upgrades to hardware and/or software are planned.

It should be noted that upgrades to the computer operating system may cause installed programs to operate erratically or not at all. When upgrading, it is recommended that the new operating system be tested on a similar type of computer system prior to implementation into the archive system. It is recommended that when the operating system is upgraded, previous versions be archived.

Data Migration

From time to time, it becomes necessary to move data from one type of media to another or to newer media of the same type.

Media Obsolescence and Lifespan

As technology progresses, media storage will evolve. Older versions of media may no longer be readable or supported and will become obsolete. To ensure uninterrupted archive capabilities, it may be necessary to migrate the DME to current media. Additionally, no media have been shown to be completely permanent. A schedule should be implemented to periodically rewrite DME to new media based on industry standards and/or an understanding of the limitations of media.

File Formats

Proprietary formats are formats that are primarily supported by the company producing them. These formats may not be supported as new applications become available and as technology improves. When possible, DME should be retained in its original format and in a nonproprietary format. Additionally, the original accompanying proprietary software should be retained for future accessibility as addressed above.

Archive Retention Periods & Legal/Departmental Retention Requirements

The type of DME and its retention periods may depend upon statutory requirements and/or departmental policies. These may be different, but the longer time will take precedence. Some mechanism should exist to identify this time period and should be included in departmental SOP.

Purging

Legal requirements, storage-space issues, and departmental policy may dictate a purge (complete destruction) of archived DME. The method(s) used should be adequate to ensure that the purge of the data and/or media is accomplished. Proper means of verification should be incorporated into the methodology and documentation of the purge and include the method(s) used and when it was accomplished.

Discipline-Specific Issues

Some disciplines may have unique requirements or special circumstances related to archiving and should be considered at the time the archive is planned. File size, proprietary file types, specialized software, metadata, interoperability, and bandwidth are all factors that need to be considered. Close collaboration between discipline subject-matter experts, administrative personnel, and information technologists is required to ensure that appropriate archival methods are implemented. (SWGIT, 2016)
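The SWGIT guidance quoted above asks that DME integrity be verified before and after the archive is created, that metadata travel with the data, and that media be periodically refreshed and re-checked. What follows is an added example of one way to do that, not SWGIT’s or the author’s code: a SHA-256 manifest is computed over the source set, stored beside the data, and then used to audit the archive copy and a later refresh. All files, the case identifier and the simulated media damage are constructed inside a temporary directory so the script runs offline.

```python
"""
Added example (not from SWGIT or the page's author): a hash manifest for
verifying digital and multimedia evidence (DME) before an archive copy is
made and again afterwards, including at a later media-refresh check.
Everything here is constructed sample data created in a temp directory.
"""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List

MANIFEST_NAME = "manifest.sha256.json"  # sidecar kept with the data, like other metadata


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative path, forward slashes) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == MANIFEST_NAME:  # the manifest does not list itself
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def write_manifest(root: str, manifest: Dict[str, str]) -> None:
    with open(os.path.join(root, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def read_manifest(root: str) -> Dict[str, str]:
    with open(os.path.join(root, MANIFEST_NAME)) as f:
        return json.load(f)


def verify_against(root: str, expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare what is on disk under root with the digests fixed earlier."""
    actual = build_manifest(root)
    report: Dict[str, List[str]] = {"ok": [], "changed": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        if rel not in actual:
            report["missing"].append(rel)      # lost file / unreadable media
        elif actual[rel] != digest:
            report["changed"].append(rel)      # bit rot, partial write, tampering
        else:
            report["ok"].append(rel)
    report["unexpected"] = list(set(actual) - set(expected))  # files not in the record
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    work = tempfile.mkdtemp()
    try:
        # Constructed source set; "case_0000" is a placeholder case id.
        source = os.path.join(work, "case_0000_source")
        os.makedirs(os.path.join(source, "images"))
        with open(os.path.join(source, "images", "disk01.dd"), "wb") as f:
            f.write(b"constructed stand-in for a disk image\n" * 1000)
        with open(os.path.join(source, "notes.txt"), "w") as f:
            f.write("constructed examiner notes\n")
        # 1. Before archiving: fix the digests and store them with the data.
        write_manifest(source, build_manifest(source))
        # 2. Create the archive copy (stands in for the tape, RAID or cloud copy).
        archive = os.path.join(work, "case_0000_archive")
        shutil.copytree(source, archive)
        # 3. After archiving: verify the copy against the manifest that travelled with it.
        after_copy = verify_against(archive, read_manifest(archive))
        # 4. Later refresh check: simulate media trouble on the archive copy.
        with open(os.path.join(archive, "images", "disk01.dd"), "r+b") as f:
            f.seek(10)
            f.write(b"\x00")                     # a single corrupted byte
        os.remove(os.path.join(archive, "notes.txt"))  # a lost file
        after_damage = verify_against(archive, read_manifest(archive))
        return {"after_copy": after_copy, "after_damage": after_damage}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A non-empty `changed` or `missing` list is the trigger for the batch-failure investigation and migration the Hardware and Media section above calls for; since the manifest is a plain JSON file, it also survives a move to a different media type or an open format without any proprietary software.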

Cloud Service Providers Incorporated into Best Practices for Archiving Digital and Multimedia (DME) Evidence

The Scientific Working Group on Imaging Technology (SWGIT) published its best practices for archiving DME in 2008. The FBI and other government laboratories continue to follow these standards.  However, Standard Operating Procedures at that time were thought to apply to localized best practices for individual laboratories and did not fully consider the operating and cost efficiencies of recently available cloud computing technologies. It has been determined that “the Federal Government’s current Information Technology (IT) environment is characterized by low asset utilization, a fragmented demand for resources, duplicative systems, environments which are difficult to manage, and long procurement lead times. These inefficiencies negatively impact the Federal Government’s ability to serve the American public.

Cloud computing has the potential to play a major part in addressing these inefficiencies and improving government service delivery. The cloud computing model can significantly help agencies grappling with the need to provide highly reliable, innovative services quickly despite resource constraints. Commercial service providers are expanding their available cloud offerings to include the entire traditional IT stack of hardware and software infrastructure, middleware platforms, application system components, software services, and turnkey applications. The private sector has taken advantage of these technologies to improve resource utilization, increase service responsiveness, and accrue meaningful benefits in efficiency, agility, and innovation. Similarly, for the Federal Government, cloud computing holds tremendous potential to deliver public value by increasing operational efficiency and responding faster to constituent needs.” (Kundra, V. 2011).

Cloud solutions allow for faster processing and more elasticity in computing on an on-demand, more efficient platform. However, incorporating the cloud into our Federal IT infrastructure has proven difficult. Currently, there is a redundant, inconsistent, time-consuming, costly, and inefficient risk management approach to cloud adoption. In addition, there is little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.  The Federal Government spends hundreds of millions of dollars a year securing the use of IT systems.

The solution: FedRAMP

The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves an estimated 30-40% of government costs, as well as both time and staff required to conduct redundant agency security assessments. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.

Goals

  • Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
  • Increase confidence in security of cloud solutions
  • Achieve consistent security authorizations using a baseline set of agreed-upon standards to be used for cloud product approval in or outside of FedRAMP
  • Ensure consistent application of existing security practices
  • Increase confidence in security assessments
  • Increase automation and near real-time data for continuous monitoring

Benefits

  • Increase re-use of existing security assessments across agencies
  • Save significant cost, time, and resources – “do once, use many times”
  • Improve real-time security visibility
  • Provide a uniform approach to risk-based management
  • Enhance transparency between government and Cloud Service Providers (CSPs)
  • Improve the trustworthiness, reliability, consistency, and quality of the Federal security authorization process

Main Players

There are three main players in the FedRAMP process: Agencies, CSPs, and Third Party Assessment Organizations (3PAOs). Agencies are responsible for selecting a cloud service, leveraging the FedRAMP process, and requiring CSPs to meet FedRAMP requirements. CSPs provide the actual cloud service to an Agency, and must meet all FedRAMP requirements before they implement their services. 3PAOs perform initial and periodic assessments of CSP systems per FedRAMP requirements, provide evidence of compliance, and play an ongoing role in ensuring CSPs meet requirements. FedRAMP provisional authorizations (P-ATOs) must include an assessment by an accredited 3PAO to ensure a consistent assessment process.

Key Processes

FedRAMP authorizes cloud systems in a three step process:

  • Security Assessment: The security assessment process uses a standardized set of requirements in accordance with FISMA using a baseline set of NIST 800-53 controls to grant security authorizations.
  • Leveraging and Authorization: Federal agencies view security authorization packages in the FedRAMP repository and leverage the security authorization packages to grant a security authorization at their own agency.
  • Ongoing Assessment & Authorization: Once an authorization is granted, ongoing assessment and authorization activities must be completed to maintain the security authorization.

Governance

FedRAMP is a government-wide program with input from numerous departments, agencies, and government groups. The program’s primary decision-making body is the Joint Authorization Board (JAB), composed of the CIOs from DOD, DHS, and GSA. In addition to the JAB, OMB, the Federal CIO Council, NIST, DHS, and the FedRAMP Program Management Office (PMO) play key roles in effectively running FedRAMP. (FedRAMP, 2016)

Conclusion

As a result of the FedRAMP framework, cloud-based networking and computing platforms should help government departments and agencies of all types achieve efficiencies and facilitate national and global collaboration on data when needed. There is still a tremendous amount of research, development and training that needs to be conducted in order to holistically adopt services provided by Cloud Service Providers. This research will need to encompass practically every layer of the OSI model to raise the level of confidence in using cloud-based services. For this reason, I can only be optimistic that federal funding, training, and proper oversight of the FedRAMP initiative will be closely managed and supported by our lawmakers.

References

Block Storage. (n.d.). Retrieved March 02, 2016, from http://www.softlayer.com/block-storage

Committee on Identifying the Needs of the Forensic Sciences Community, National Research Council, Dept. of Justice. (2009). Strengthening forensic science in the United States: A path forward. Washington: U.S. G.P.O.

FedRAMP Program Overview. (n.d.). Retrieved March 04, 2016, from http://www.fedramp.gov/about-us/about/

Kundra, V. (2011). Federal cloud computing strategy. Washington: The White House. Retrieved from https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/federal-cloud-computing-strategy.pdf

Quick, D., & Choo, K. (2014, September). Data reduction and data mining framework for digital forensic evidence: Storage, intelligence, review and archive. Retrieved March 03, 2016, from http://www.aic.gov.au/publications/current series/tandi/461-480/tandi480.html

Regional Computer Forensics Laboratory Program. (2013). Annual report. Quantico, VA: U.S. Dept. of Justice, Federal Bureau of Investigation, Regional Computer Forensics Laboratory. Retrieved from https://www.rcfl.gov/downloads/documents/fiscal-year-2013

Scientific Working Group on Digital Evidence (SWGDE) & International Organization on Digital Evidence (IOCE). (n.d.). Retrieved March 02, 2016, from https://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/april2008/standards/2008_04_standards03.htm/

Scientific Working Group on Imaging Technology (SWGIT). (2008, April 01). Best practices for archiving digital and multimedia evidence (DME) in the criminal justice system. Forensic Science Communications. Retrieved March 04, 2016, from https://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/april2008/index.htm/standards/2008_04_standards03.htm


Requirements for the Collection and Admissibility of Digital Evidence in a Criminal Court of Law


This overview of the collection and admissibility of digital evidence in a criminal court of law isn’t meant to be a legal reference, as I am not an attorney. However, it was written for the consideration of Digital Forensic Investigators and businesses or business owners.

Special consideration should be given to the ability of corporate America to collect user behavior on corporate networks. Although there are many options on how corporations or employers extend the use of computing devices, including mobile devices, to their employees, most employers want to own the data that resides on corporate owned devices.

The use of a personally owned device for business purposes can be confusing. Since the device is owned by the employee, one could ask who actually owns the data that resides on the device, and, because the device is owned by the employee, whether they would be protected by the 4th Amendment against unauthorized search and seizure in the event the employer wanted to collect data from the employee-owned device. In the event that the employer owns the device, it most likely will have an acceptable use policy that is acknowledged and signed by the employee. The employee’s consent to the use policy generally provides explicit notice to the employee that all corporate-owned devices are subject to monitoring and that the data collected is owned by the company. Conversely, if the employee owns the device and there is a need for the collection of digital evidence, the employee or person could seek the protection of the 5th Amendment.

Perhaps upon considering these issues as they pertain to the collection of network and application log data, organizations will be prompted to review their acceptable use policies and device policies, understanding that network logs will at some point be maintained not only for compliance or audit purposes but for eventual use as digital forensic evidence.

The rapid, widespread adoption of new technology often outpaces society’s development of a shared ethic governing its use and the ability of legal systems to deal with it. The handling of digital evidence is a perfect example.

Although computers have existed for more than 60 years, it has been only since the late 1980s, as computers have proliferated in businesses, homes, and government agencies, that digital evidence has been used to solve crimes and prosecute offenders.

Once the province of “computer crime” cases such as hacking, digital evidence is now found in every crime category. Too often, though, law enforcement agencies and the judiciary are ill-prepared to deal with the issues created by the increasing use of this evidence.

Some judges, attorneys, and jurors may harbor doubts about the reliability and significance of digital evidence. To prevent misunderstandings at trial, concepts must be explained in simple terms with carefully selected analogies and visual aids.

Prosecutors should not assume that investigators understand how to avoid creating confusion at trial. Technically sophisticated investigators or examiners should not assume that prosecutors fully grasp the problems encountered in recovering and analyzing the evidence. Prosecutors, investigators, and examiners should share their knowledge of technical problems and discuss strategies. Addressed to law enforcement and prosecutors, this report is subject to several important limitations and, therefore, is only a guide. First, it identifies and briefly addresses some of the key issues related to digital evidence. Second, many issues discussed are subject to laws that vary from jurisdiction to jurisdiction. Third, the technology and law in this area are rapidly evolving. Finally, this guide does not address the acquisition of digital evidence from outside the United States. (Criminal investigators and prosecutors should consult the Office of International Affairs, U.S. Department of Justice, 202–514–0000.)”

The collection of digital evidence in criminal cases is governed at the Federal and State levels by numerous constitutional and statutory provisions, including statutes that regulate the communications and computer industries and that directly govern the gathering and use of digital evidence.

Both for purposes of admissibility and persuasive value of digital evidence, the prosecutor must show in court that the information obtained from the media is a true and accurate representation of the data originally contained in the media, irrespective of whether the acquisition was done entirely by law enforcement or in part or entirely by a civilian witness or victim. (U.S. Department of Justice, 2007)

Three areas of Law Related to Computer Security

Three areas of law related to computer security will be examined:

  1. U.S. Constitution
    1. 4th Amendment “Protection against unreasonable search and seizure”
    2. 5th Amendment “Protection against self-incrimination”
  2. U.S. Statutory Law
    • 18 U.S.C. 2510-22 (The Wiretap Act)
    • 18 U.S.C. 3121-27 (The Pen Registers and Trap and Trace Devices Statute)
    • 18 U.S.C. 2701-12 (The Stored Wired and Electronic Communication Act)
  3. Federal Rules of Evidence
    • Hearsay
    • Authentication
    • Reliability
    • Best Evidence

In the United States of America, there are two primary areas of legal governance affecting cyber security actions related to the collection of network data: (1) authority to monitor and collect the data and (2) the admissibility of the collection methods. Of the three areas above, the U.S. Constitutional and U.S. Statutory Laws primarily govern the collection process, while the Federal Rules of Evidence deal primarily with admissibility. (Carnegie Mellon Software Engineering Institute, 2005)

The 4th Amendment to the U.S. Constitution

The 4th Amendment to the United States Constitution is as follows:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The 4th Amendment protects individuals from unreasonable searches and seizures conducted by agents of the government. It does not extend protection from searches conducted by private parties who are not acting as agents of the government. The question is whether or not your organization can be considered as “government”, or under the direction of a government agent, under the 4th Amendment. There isn’t always a bright line answer to that question (in law, a bright line is a rule that clearly and unambiguously delineates what is so and what is not). If in doubt, organizations should always seek the advice of legal counsel in determining the answer. (Carnegie Mellon Software Engineering Institute, 2005)

The 5th Amendment to the U.S. Constitution

The 5th Amendment provides that “No person shall be compelled in any criminal case to be a witness against himself.”

The core issue related to computer forensics is that under current jurisprudence the 5th Amendment’s protections against self-incrimination extend to cryptographic keys. “Under the Fifth Amendment, an individual cannot be compelled to testify to his or her memorized key” [CDT 04]. The word “memorized” is an important qualifier, however, meaning that the key (passphrase) was never written down. Remember, the 5th Amendment only protects an individual from being compelled to provide incriminating testimony. Its protections do not extend to existing written and/or documentary evidence. This affects system or network administrators because if encrypted files are found during a collection or examination of a system or network, little can be done to force an individual to decrypt them. (Carnegie Mellon Software Engineering Institute, 2005)

U.S. Statutory Law

Wiretap Act/Electronic Communications Privacy Act

Generally speaking, the Wiretap Act, 18 U.S.C. §§ 2510-22, prohibits the interception of real-time electronic data communications (specifically the content), unless one of the statutory exceptions applies.

Pen Registers and Trap and Trace Devices

Whereas the Wiretap Act focuses on the content of electronic communications, this statute, 18 U.S.C. §§ 3121-27, prohibits the installation of a device that records or decodes dialing, routing, addressing, or signaling information for outgoing (Pen Registers) and incoming (Trap and Trace) wired or electronic communications, except for certain purposes.

Statutory definitions:

Pen Register – 18 U.S.C.§ 3127(3)

The term “pen register” means a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication, but such term does not include any device or process used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device or process used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business.

Trap and Trace -18 U.S.C.§ 3127(4)

The term “trap and trace device” means a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however, that such information shall not include the contents of any communication.

Stored Wired and Electronic Communications Act

The Stored Wired and Electronic Communication Act, 18 U.S.C. §§ 2701-12, deals with general protections for stored communications. There are several other statutes that may affect the level of protection, access, and disclosure of stored electronic communication, such as HIPAA and the Family Educational Rights and Privacy Act (FERPA). Consultation with legal counsel should be sought regarding whether your organization may be governed by these special types of privacy laws. (Carnegie Mellon Software Engineering Institute, 2005)

Legal Governance Related to Admissibility (Federal Rules of Evidence)

Hearsay

Hearsay is defined by the Federal Rule of Evidence 801(c) as “a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted.” Further, according to Rule 802, “Hearsay is not admissible except as provided by these rules or by other rules prescribed by the Supreme Court pursuant to statutory authority or by Act of Congress.”

Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, published by the Computer Crime and Intellectual Property Section, Criminal Division, of the United States Department of Justice, is an excellent source for detailed information related to this topic, as well as other general topics dealing with electronic evidence [USDOJ 02]. Its importance to this topic relates to understanding the difference between computer-generated records and computer-stored records. Basically there are two types of computer records: those that “contain the writings of some person or persons and happen to be in electronic form” (i.e., computer-stored records) and those that “contain the output of computer programs, untouched by human hands” (i.e., computer-generated records).

It is important to understand the difference between these two types of computer records because computer-stored records can contain hearsay and computer-generated records, which IT professionals are more likely to deal with, cannot. In practice, however, most federal courts have viewed all computer records as potentially containing hearsay. But this view is likely to change:

As the federal courts develop a more nuanced appreciation of the distinctions to be made between different kinds of computer records, they are likely to see that the admission of computer records generally raises two distinct issues. First, the government must establish the authenticity of all computer records by providing “evidence sufficient to support a finding that the matter in question is what its proponent claims.” Fed. R. Evid. 901(a). Second, if the computer records are computer-stored records that contain human statements, the government must show that those human statements are not inadmissible hearsay.

In dealing with computer-generated records, two issues arise: authentication and reliability, which will be explained in subsequent sections.

Exceptions

There are twenty-four enumerated exceptions to the Hearsay Rule. Rule 803(6), “records of regularly conducted activity,” deals with issues pertinent to computer forensics. This exception deals with “regularly conducted business activities.” This is why an IT policy is so critical regarding network monitoring and incident response. The outcomes from random, ad hoc procedures will not fall under this exception. Rule 803(6) reads as follows:

A memorandum, report, record, or data compilation, in any form, of acts, events, conditions, opinions, or diagnoses, made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record, or data compilation, all as shown by the testimony of the custodian or other qualified witness, unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness. The term “business” as used in this paragraph includes business, institution, association, profession, occupation, and calling of every kind, whether or not conducted for profit.

The best example of this would be logging. If a company logs everything as a practice, it is very likely that those logs will be admissible. However, if only partial logging is done and during an incident additional logging is turned on, a question of admissibility may arise.

Authentication in Cyber Law

It is the burden of the person/party attempting to admit a computer-generated record to authenticate that record. Federal Rule of Evidence 901(a) states the following:

The requirement of authentication or identification as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.

To authenticate a computer record, a person who acquired the record or caused the record to be generated can testify to the authenticity of the record (i.e., say that the record is what it purports to be). An example of this is when a system administrator records the open connections on a system by running a netstat command and has that information saved on a diskette. This same system administrator would need to authenticate this diskette at court by testifying that he or she ran the command that caused the output and, further, that the output was saved to that diskette. It is not important or required that the system administrator have programming knowledge and understand how the netstat command works or to be able to provide analysis of the results of the netstat command. All that is required is that the system administrator has first-hand knowledge, i.e., that he or she ran the command and generated the output that was then saved to the diskette.

In addition, chain of custody plays a significant role in the process of authentication. It is not enough to just testify after the fact about what was collected. Having a process in place that will track collected information and ensure that it is preserved and not tampered with is also required.
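The tracking and tamper-evidence that the paragraph above calls for can be implemented as a hash-chained chain-of-custody record: every custody entry carries a SHA-256 of the evidence and of the previous entry, so altered bytes, an edited entry, or a removed entry all surface at verification time. This is an added example written for this page, not code from the cited CMU/SEI handbook; the netstat output, custodian names and timestamps are constructed.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List

# Constructed sample: the output a system administrator saved after running
# `netstat` on a host of interest (addresses are illustrative, not from a case).
EVIDENCE_ITEM = "netstat_host42.txt"
EVIDENCE_BYTES = (
    b"Active Internet connections (servers and established)\n"
    b"Proto Recv-Q Send-Q Local Address     Foreign Address    State\n"
    b"tcp        0      0 10.0.0.42:22      10.0.0.7:51234     ESTABLISHED\n"
    b"tcp        0      0 10.0.0.42:443     0.0.0.0:*          LISTEN\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str      # when the action happened (ISO 8601, UTC)
    custodian: str      # person or location holding the item during this step
    action: str         # collected / transferred / examined / stored
    item: str           # evidence identifier, here the saved file name
    evidence_hash: str  # SHA-256 of the evidence bytes at the time of the entry
    prev_hash: str      # entry_hash of the previous entry ("" for the first)
    entry_hash: str     # SHA-256 over all fields above; commits the entry to the chain


def _hash_entry(fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) makes the hash reproducible.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())


class CustodyLog:
    """Append-only chain-of-custody log; every entry commits to the one before it,
    so a removed, reordered or edited entry is detectable, as is altered evidence."""

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, timestamp: str, custodian: str, action: str,
               item: str, evidence: bytes) -> CustodyEntry:
        prev_hash = self.entries[-1].entry_hash if self.entries else ""
        fields = {
            "timestamp": timestamp, "custodian": custodian, "action": action,
            "item": item, "evidence_hash": sha256_hex(evidence), "prev_hash": prev_hash,
        }
        entry = CustodyEntry(entry_hash=_hash_entry(fields), **fields)
        self.entries.append(entry)
        return entry

    def verify(self, item: str, evidence: bytes) -> List[str]:
        """Return a list of problems; an empty list means the chain is intact and
        every entry was made over the very bytes now being presented."""
        problems: List[str] = []
        expected_prev = ""
        expected_hash = sha256_hex(evidence)
        for i, e in enumerate(self.entries):
            fields = asdict(e)
            fields.pop("entry_hash")
            if _hash_entry(fields) != e.entry_hash:
                problems.append(f"entry {i}: fields altered after the entry was made")
            if e.prev_hash != expected_prev:
                problems.append(f"entry {i}: chain broken (entry removed or reordered)")
            if e.item != item:
                problems.append(f"entry {i}: refers to a different item ({e.item})")
            if e.evidence_hash != expected_hash:
                problems.append(f"entry {i}: evidence hash does not match the bytes presented")
            expected_prev = e.entry_hash
        return problems


def build_sample_log() -> CustodyLog:
    """Constructed custody history for the netstat capture: collected by the
    administrator, handed to the incident responder, examined, then stored."""
    log = CustodyLog()
    steps = [
        ("2016-03-02T09:15:00Z", "J. Admin", "collected"),
        ("2016-03-02T09:40:00Z", "R. Responder", "transferred"),
        ("2016-03-03T14:05:00Z", "R. Responder", "examined"),
        ("2016-03-03T14:30:00Z", "Evidence locker", "stored"),
    ]
    for when, who, what in steps:
        log.record(when, who, what, EVIDENCE_ITEM, EVIDENCE_BYTES)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify(EVIDENCE_ITEM, EVIDENCE_BYTES) == [])
    # A single changed byte in the saved output is caught at verification time.
    altered = EVIDENCE_BYTES.replace(b"10.0.0.7:51234", b"10.0.0.9:51234")
    for problem in log.verify(EVIDENCE_ITEM, altered):
        print("problem:", problem)
```

The custodian who testifies still supplies the first-hand account; the log gives that testimony a verifiable record to stand on.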

Reliability

Another issue that IT personnel should be prepared to deal with is the reliability of the computer programs that generate the computer records. This area is of particular interest to IT staff, since it is where software that is used in the collection of information related to an incident may be challenged.

For the purpose of establishing reliability, computer programs are distinguished by whether they are or are not run in the normal course of business. An example of programs run in the normal course of business is RADIUS servers at an ISP supporting dial-up users. RADIUS servers provide several functions related to an ISP’s business operations. For example, a RADIUS server would be used to maintain logs of when users dial in to access the network. The ISP normally uses this information for billing purposes, but the same information may become important in the event of an incident. When the information is used to support an incident, the fact the program that generated the information was used in the normal course of business gives it reliability.

The more difficult situation in terms of reliability is when programs are used to collect information that are not run in the normal course of business. The guidance from the courts is more complicated in this area, as indicated in this excerpt from Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations:

The courts have indicated that the government can overcome this challenge so long as “the government provides sufficient facts to warrant a finding that the records are trustworthy and the opposing party is afforded an opportunity to inquire into the accuracy thereof[.]” United States v. Briscoe, 896 F.2d 1476, 1494 (7th Cir. 1990). See also Liebert, 519 F.2d at 547; DeGeorgia, 420 F.2d. at 893 n.11. Compare Fed. R. Evid. 901(b)(9) (indicating that matters created according to a process or system can be authenticated with “[e]vidence describing a process or system used…and showing that the process or system produces an accurate result”)…the government may need to disclose “what operations the computer had been instructed to perform [as well as] the precise instruction that had been given” if the opposing party requests. Dioguardi, 428 F.2d at 1038 [USDOJ 02].

How does this translate into working knowledge for IT staff? Module 2, “File Systems, Duplication, Wiping, and Trusted Tools,” will describe some of the technical implications of dealing with reliability issues.

The Best Evidence Rule

The Best Evidence rule (Federal Rule of Evidence 1002) states that to prove the content of writing, recording, or photograph, the original writing, recording, or photograph is ordinarily required. Federal Rule of Evidence 1001(3) defines “original”:

If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an “original”.

The courts have long recognized that at times it may be both impractical and unreasonable to require originals, which might be entire computers or large volumes of data, for information that otherwise could be represented in a chart or graph. In fact, in the 9th Circuit the courts require that during seizures of computers, on-site imaging must be done, leaving the original behind and taking only a “copy,” that is, a true bit by bit forensic image. (Carnegie Mellon Software Engineering Institute, 2005)

Additionally, in Texas, evidence in criminal cases is governed by the Texas Rules of Evidence and by the Code of Criminal Procedure:

  1. CODE OF CRIMINAL PROCEDURE: Title 1. Code of Criminal Procedure, Chapter 38. Evidence in Criminal Actions (Art. 38.35): http://www.statutes.legis.state.tx.us/Docs/CR/htm/CR.38.htm
  2. TEXAS RULES OF EVIDENCE: http://www.txcourts.gov/media/1240932/Texas-Rules-of-Evidence-updated-with-amendments-effective-112016-.pdf

Requirements for Presenting Expert Evidence: Federal and State of Texas

In federal court, expert testimony is governed by Federal Rules of Evidence 702 through 706. Rule 702—Testimony of Experts—provides:

If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise, if (1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.

Under the federal rules, a testifying expert is any witness a party may use at trial to present evidence under Federal Rule of Evidence 702, 703, or 705. The Federal Rules of Civil Procedure make a distinction between experts retained or specially employed to provide expert testimony in the case—or one whose duties as the party’s employee regularly involve giving expert testimony—and other experts.

In state court, expert witnesses are governed by rules 702 through 706 of the Texas Rules of Evidence, which generally follow, but do not mirror, their federal counterparts. Rule 702 provides:

If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training or education may testify thereto in the form of an opinion or otherwise.

State rules define an expert as a “person with knowledge of relevant facts” only if that knowledge was obtained first-hand or if it was not obtained in preparation for trial or in anticipation of litigation. Further, under state rules, a testifying expert is an expert who may be called to testify as an expert witness at trial. The Texas rules make a further differentiation between experts retained by, employed by, or otherwise subject to the control of the responding party and other experts. (The Law Firm of Beck Redden, 2016)

Expert Reports Under the Texas Rules

Unlike the federal rules, the Texas rules do not require a party to automatically produce an expert report upon disclosing a testifying expert. (The Law Firm of Beck Redden, 2016)

A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:

(a) the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;

(b) the testimony is based on sufficient facts or data;

(c) the testimony is the product of reliable principles and methods; and

(d) the expert has reliably applied the principles and methods to the facts of the case.

Notes (Pub. L. 93–595, §1, Jan. 2, 1975, 88 Stat. 1937; Apr. 17, 2000, eff. Dec. 1, 2000; Apr. 26, 2011, eff. Dec. 1, 2011.)

Notes of Advisory Committee on Proposed Rules

An intelligent evaluation of facts is often difficult or impossible without the application of some scientific, technical, or other specialized knowledge. The most common source of this knowledge is the expert witness, although there are other techniques for supplying it.

Rule 702 has been amended in response to Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993), and to the many cases applying Daubert, including Kumho Tire Co. v. Carmichael, 119 S.Ct. 1167 (1999). In Daubert the Court charged trial judges with the responsibility of acting as gatekeepers to exclude unreliable expert testimony, and the Court in Kumho clarified that this gatekeeper function applies to all expert testimony, not just testimony based in science. See also Kumho, 119 S.Ct. at 1178 (citing the Committee Note to the proposed amendment to Rule 702, which had been released for public comment before the date of the Kumho decision). The amendment affirms the trial court’s role as gatekeeper and provides some general standards that the trial court must use to assess the reliability and helpfulness of proffered expert testimony. Consistently with Kumho, the Rule as amended provides that all types of expert testimony present questions of admissibility for the trial court in deciding whether the evidence is reliable and helpful. Consequently, the admissibility of all expert testimony is governed by the principles of Rule 104(a). Under that Rule, the proponent has the burden of establishing that the pertinent admissibility requirements are met by a preponderance of the evidence. See Bourjaily v. United States, 483 U.S. 171 (1987).

Daubert set forth a non-exclusive checklist for trial courts to use in assessing the reliability of scientific expert testimony. The specific factors explicated by the Daubert Court are (1) whether the expert’s technique or theory can be or has been tested—that is, whether the expert’s theory can be challenged in some objective sense, or whether it is instead simply a subjective, conclusory approach that cannot reasonably be assessed for reliability; (2) whether the technique or theory has been subject to peer review and publication; (3) the known or potential rate of error of the technique or theory when applied; (4) the existence and maintenance of standards and controls; and (5) whether the technique or theory has been generally accepted in the scientific community. The Court in Kumho held that these factors might also be applicable in assessing the reliability of nonscientific expert testimony, depending upon “the particular circumstances of the particular case at issue.” 119 S.Ct. at 1175. (Federal Rules of Evidence, 2016)

A digital forensics expert can be used in a variety of ways: as an expert witness, for litigation support, “to conduct Non-Invasive Data Acquisition (NIDA), to proactively investigate potential disputes . . . [prior to litigation], [and] to recover data negligently or intentionally destroyed.” Whether or not a digital forensics expert is retained to testify in court proceedings, a written report is still mandatory unless otherwise stipulated or ordered by the court. This written report, if properly done, practically negates the need to provide expert testimony.

Over the last several years, commercial hardware and software vendors who specialize in digital forensic analysis tools and applications have made significant improvements in the methodologies necessary to analyze digital evidence. As a result, what was once an almost entirely ad hoc manual-analysis process is now structured to a point where years of experience and training are no longer necessary for the production of a digital forensic report. This trend increased the number of forensic examiners and lowered costs, but also reduced the depth of knowledge held by the average forensic examiner.

As a result, the reviewer of a forensic expert report should scrutinize the qualifications of a forensic examiner to avoid the unfortunate scenario wherein an unqualified forensic examiner produces a flawed or unreliable report. While no uniform set of standards exists to gauge the competency of a digital forensic examiner, reviewers should consider the most appropriate combination of certification, education, and real-world experience, given the case at hand. The examiner’s training will likely include a number of hours in the classroom as well as practical experience in the real world and in the lab. This training should be considered in the context of the levels of experience and quality of the instructors and institutions administering such training.

While individual vendor certifications can have value, the education marketplace is seeing the emergence of vendor-neutral certification programs to validate technology skills of varying levels. Accordingly, as certification programs become more salable, the value of any particular certification must be assessed in the context of a growing industry in which establishing credentials is simply the monetization of a product. The true measure of expertise goes well beyond certification and solidly into the realm of actual field experience in real-world situations and/or years of study. Thus, the bench and the bar should interpret a forensic certification only as an indication of additional testing that the forensic examiner navigated in a particular area, or in a specific type of software, that is particular to that examiner’s education and experience.

Finally, in addition to technical expertise, an ideal expert will have experience on the witness stand. Although direct examination will set out the baseline requirements of a competent expert, the ability to calmly and confidently relay findings while undergoing rigorous cross-examination is critical.

A digital forensic report should document with sufficient detail the steps undertaken by the examiner so that an independent third-party could replicate the conclusions. This also means that the forensic images should be available for copying by a third-party. (The Law Firm of Beck Redden, 2016)

Structure of a Digital Forensic Report

Generally, the forensic report is outlined as follows:

(1) Brief summary of information

(2) Tools used in the investigation process, including their purpose and any underlying assumptions associated with the tool

(3) Evidence Item #1 (For example: Employee A’s work computer)

    (a) Summary of evidence found on Employee A’s work computer

    (b) Analysis of relevant portions of Employee A’s work computer

        (i) Email history

        (ii) Internet search history

        (iii) USB registry analysis

    (c) Repetition of above steps for other evidence items (which may include other computers and mobile devices, etc.)

(4) Recommendations and next steps for counsel to continue or cease investigation based on the findings in the report
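The replication requirement described above (an independent third party should be able to reproduce the conclusions from copies of the forensic images) and item (2) of the outline (tools, their purpose, their assumptions) can both be supported by a machine-readable evidence manifest. The following Python script is an added illustration, not code from the original post or from any of the sources it cites: it records streaming MD5 and SHA-256 hashes of each evidence image together with the tool record, and provides a verification routine that a second examiner can run against the copies they received. The evidence items, the tool name and version, and the examiner name are constructed placeholders.

```python
"""Evidence-integrity manifest: added illustration, not part of the original post."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Hypothetical tool record for item (2) of the report outline; name and version are placeholders.
TOOL = {
    "name": "example-imager",
    "version": "0.0-placeholder",
    "purpose": "bit-for-bit acquisition of the evidence item",
    "assumptions": "write blocker in place; source media not modified during imaging",
}


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, streaming so multi-GB images fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(items, examiner):
    """items: list of (evidence_id, description, image_path). Returns the manifest as a dict."""
    return {
        "examiner": examiner,
        "generated_utc": datetime.now(timezone.utc).isoformat(),
        "tool": TOOL,
        "evidence": [
            {
                "id": eid,
                "description": desc,
                "image": os.path.basename(path),
                "size_bytes": os.path.getsize(path),
                "hashes": hash_file(path),
            }
            for eid, desc, path in items
        ],
    }


def verify_manifest(manifest, image_dir):
    """Re-hash every listed image in image_dir; True where all recorded digests still match."""
    results = {}
    for entry in manifest["evidence"]:
        path = os.path.join(image_dir, entry["image"])
        if not os.path.exists(path):
            results[entry["id"]] = False  # missing copy counts as a failed verification
            continue
        current = hash_file(path, algorithms=tuple(entry["hashes"]))
        results[entry["id"]] = current == entry["hashes"]
    return results


def demo():
    """Constructed sample: two small files stand in for real disk images."""
    workdir = tempfile.mkdtemp()
    paths = []
    for name, payload in (("item1.dd", b"constructed sample image A" * 1000),
                          ("item2.dd", b"constructed sample image B" * 1000)):
        p = os.path.join(workdir, name)
        with open(p, "wb") as fh:
            fh.write(payload)
        paths.append(p)
    items = [("EV-1", "Employee A's work computer (constructed)", paths[0]),
             ("EV-2", "Employee A's USB drive (constructed)", paths[1])]
    manifest = build_manifest(items, examiner="placeholder examiner")
    ok_before = verify_manifest(manifest, workdir)
    # Simulate a single-byte change to the second image after the manifest was produced.
    with open(paths[1], "r+b") as fh:
        fh.seek(0)
        fh.write(b"X")
    ok_after = verify_manifest(manifest, workdir)
    return manifest, ok_before, ok_after


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("verification before change:", before)
    print("verification after change:", after)
```

The manifest is what the report's tool section and the evidence-item sections can cite; the receiving examiner runs `verify_manifest` against their copies, and any item that reports `False` is not a faithful copy of what the report analysed. Recording two hash algorithms is a common convention so that a mismatch can be distinguished from a transcription error in one digest.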

Generally speaking, the report should not volunteer superfluous information that may be vulnerable to scrutiny under cross-examination. Further, all findings should be accurately qualified as to the limitations of the particular tool(s) used, the applicability of the current technology and industry-standard best practices, the methodology or techniques (such as search criteria or formulae), and the scope of the investigation.

The scope of the investigation is limited by relevancy and also by budget (a factor of which is the time necessary to conduct the investigation), which almost always places significant constraints on what data is found or not found and the inferences to be drawn therefrom. Moreover, the digital forensic report only investigates those areas where responsive evidence can be found. For example, in a case investigating the theft of proprietary software code, it would be outside the scope of the report to discuss a search for child pornography on the hard drive in question.

Further, when evaluating a digital forensic report, a reviewer should evaluate the substance of the report to ascertain if information overload exists. The digital forensic report should provide a cohesive and logical framework on its face and not delve into the underlying technical minutiae. In this context, information overload rests on whether the report contains hundreds of pictures, documents, or other such digital items in the body of the report that distract from the underlying conclusions.

Examiners must resist overtures by attorneys, however well-intended or abstract, to submit any testimony or work product that is disrespectful of the truth, including overstating, understating, or omitting findings. The findings should be concise and carefully circumscribed. The report cannot be tailored to support a particular outcome, as a material omission may constitute fraud. (Garrie, 2014).

Digital forensic science is a new but maturing forensic discipline. The procedural and legal collection, preservation, and analysis of digital evidence should be pursued strictly in a scientific and legal manner, ultimately delivering objective, admissible evidence that can assist in establishing the truth.

References

Carnegie Mellon Software Engineering Institute. (2005). First Responders Guide to Computer Forensics. Carnegie Mellon Software Engineering Institute. Carnegie Mellon University.

Federal Rules of Evidence. (2016, February 8). Cornell University Law School. Retrieved from Legal Information Institute: https://www.law.cornell.edu/rules/fre

Garrie, B. D. (2014, March). Digital Forensic Evidence in the Courtroom: Understanding Content and Quality. Northwestern Journal of Technology and Intellectual Property, 12(2).

The Law Firm of Beck Redden. (2016, February 8). The Rules Governing Expert Witnesses: Federal and State of Texas. Retrieved from http://www.beckredden.com: http://beckredden.com/uploads/1113/doc/4_Expert_Witnesses.pdf

U.S. Department of Justice. (2007). Digital Evidence in the Court: Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors. Washington: U.S. Department of Justice.

Our Digital Footprint and how it can be used as Digital Evidence

Image: “Our Digital Footprint”

Our daily lives create a digital footprint of our actions and behaviors. Fewer and fewer of the activities we perform go digitally undocumented. When we purchase goods and services with our credit cards, the time and location and even the contents of our purchases are documented. Unified communication methods such as voice over IP, instant messaging, and text can all be documented and logged. The Internet of things and mobile devices have created the ability for live GPS tracking of our movements throughout the day. Smart home devices and digital assistants are listening in on our every conversation. Cameras in every type of environment capture our images and location almost constantly. Social media can create a timeline of your life events, available for the world to see. TV viewing is cataloged by our service providers. Social and data scientists from practically any website or application can use this data to perhaps calculate your social, political and financial status or views. These simple examples of our digital footprint create not only objective evidence of our actions but can also create metadata about very specific, intimate personal behavior, whether that behavior is legal or criminal in nature.

There are many individuals and nation states concerned with internet privacy laws and how third parties can preserve and analyze our digital footprints. Much of the data we create about ourselves, and how that data is used, may seem insignificant or trivial in context. However, when matters of truth are needed to determine justice in our legal system, data residing within the computer systems or digital devices we use every day is often a major contributor of evidence.

A French pathologist by the name of Edmund Locard stated “when two objects come into contact with each other, there is a reciprocal transfer of material from one to the other.” Stephenson (2014). Dr. Locard’s words became known as “Locard’s Principle of Transference.” Stephenson (2014). Dr. Locard’s concept was developed in the early 20th century, without knowledge of our modern digital components and their ubiquitous use in our society, yet it has survived the test of time. The unprecedented use of computers, photography, the internet of things, and mobile devices has created a unique medium for investigators to examine for evidence. The exchange of physical material Dr. Locard described now takes the form of binary 1’s and 0’s rather than dirt and DNA.

As science and technology advanced, “The legal system began to give more credence to objective, scientific methods that relied less on eyewitness evidence and confessions and more on physical evidence, such as that linking a suspect to a victim or crime scene. Forensic science is the discipline where various scientific methods and techniques are utilized to identify, examine, and analyze evidence, and using that evidence to link the suspect, victim, and crime scene together. It also proves the various legal elements of a crime. Forensic science can essentially be considered the “glue” that holds everything together” Stephenson (2014), and in our modern world, that glue is often digital in nature.

Just a few decades ago, investigators learned that they could search digital media for evidence in their cases. However, their digital technical experience, methodologies, and tools were limited. Our legal system quickly acknowledged that digital forensic investigations needed to become a formal component of the forensic sciences and should be treated as such. McKemmish (2008) stated “One of the significant drivers of the move of digital forensics from an investigative discipline to a forensic science discipline was the increasing need in the court systems to address the admissibility of digital evidence.”

The American Academy of Forensic Sciences acknowledges eleven disciplines of forensic scientists. Those disciplines include “anthropology, criminalistics, digital and multimedia sciences, engineering sciences, general, jurisprudence, odontology, pathology, psychiatry and behavioral sciences, questioned documents, and toxicology” (AAFS, 2016). Digital forensic science is one of the newest forms of forensic science, and it required the “development of terminology describing the role of computers in crime.” Casey (2011)

“Early on it was determined that a computer could take on numerous roles to facilitate a crime and that specific role can determine how it can be used as evidence. Donn Parker proposed the following four categories of computer related crimes.

  1. A computer can be the object of a crime. For example, when a computer is stolen or destroyed.
  2. A computer can be the subject of a crime. For example, when a computer is the subject of the crime (e.g. when a computer is infected by a virus or impaired in some other way to inconvenience the individual who uses it.)
  3. The computer can be used as the tool for conducting or planning a crime. For example, when a computer is used to forge documents or break into other computers, it is the instrument of the crime.
  4. The symbol of the computer itself can be used to intimidate or deceive.” Casey (2011)

These categories didn’t take into account or reference digital evidence and required further explanation. “In 1994, the USDOJ created a set of categories and an associated set of search and seizure guidelines” U.S. Department of Justice (as cited in Casey, 2011). “These categories made the necessary distinction between hardware (electronic evidence) and information (digital evidence), which is useful when developing procedures and, from a probative standpoint, for instance, developing a parallel process for physical and digital crime scene investigations (Carrier & Spafford, 2003). In this context, hardware refers to all of the physical components of a computer, and information refers to the data and programs that are stored on and transmitted using a computer. The three categories that refer to information all fall under the guise of digital evidence:

  1. Hardware as Contraband or Fruits of Crime.
  2. Hardware as an Instrumentality.
  3. Hardware as Evidence.
  4. Information as Contraband or Fruits of Crime.
  5. Information as an Instrumentality.
  6. Information as Evidence.

These categories are not intended to be mutually exclusive.  A single crime can fall into more than one category.” Casey (2011)

Due to the consistent change in technology year after year, the “USDOJ developed a manual (as opposed to guidelines), “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations” (U.S. Department of Justice, 2002). The manual was updated again in 2009 to incorporate developments in technology, procedures, and case law.” Casey (2011) Continual updates to the manual are to be expected.

The categories of computer crimes the USDOJ speaks of can range from nation states launching distributed denial of service (DDoS) attacks to render critical infrastructure and information assets unavailable, to theft of personal identity, intellectual property and trade secrets, to corporate espionage, violent crime, child pornography, cyberstalking, computer viruses known as ransomware, and even cyberbullying. The explosive adoption of technology and devices and the overwhelming minute-by-minute creation of digital evidence will challenge the digital forensic industry and its scientists. Digital forensic investigation will be a part of practically every legal case in today’s justice system. The sheer volume of case work, not to mention anti-forensic methods such as encryption, will certainly introduce challenges in the years to come. The application of science and technology as it pertains to the law will forever be most critical to our justice system.

REFERENCES

American Academy of Forensic Sciences, AAFS. (2016). Retrieved January 23, 2016, from http://www.aafs.org/students/choosing-a-career/types-of-forensic-scientists-disciplines-of-aafs/

Carrier, B., Spafford, E. H. (2003). Getting physical with the digital investigation process. International Journal of Digital Evidence, 2(2). Available from http://www.ijde.org/docs/03_fall_carrier_Spa.pdf.

Casey, E. (2011). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (3rd ed.). Elsevier Inc.

McKemmish, R. (2008). When is Digital Evidence Forensically Sound? In I. Ray & S. Shenoi (Eds.), Advances in Digital Forensics IV (pp. 3-16). New York: Springer.

Stephenson, P. (Ed.). (2014). Official (ISC)2 Guide to the CCFP. Boca Raton, Florida: CRC Press.