Discipline Of Digital Forensics Research Articles

Part 2: The Phase-oriented Advice and Review Structure (PARS) for digital forensic investigations

This work forms the second part of a two part series providing the necessary scaffolding for the digital forensic discipline to conduct effective peer review in their laboratories and units. The first part articulated the need for a structured approach to peer review in digital forensic investigations (Horsman and Sunde, 2020). Here in part two, the Phase-oriented Advice and Review Structure (PARS) for digital forensic investigations is offered. PARS is the first documented peer review methodology for the digital forensics field, a six staged approach designed to formally support organisations and their staff in their goal of facilitating effective peer review of DF work, from investigative tasks to forensic activities and forensic analysis processes (Pollitt et al., 2018). This article discusses how the PARS methodology can be implemented, and the available options and mechanisms available to ease the interpretation of this model into existing practices. Both the early ‘Advisor’ and later ‘Reviewer’ roles in PARS are discussed and their requirements and expectations are defined. Three template documents are provided and explained: The PARS Advisors template, the PARS Advisor Brief template and the PARS Peer Review Hierarchy template, for direct use by organisations seeking to adopt the PARS methodology.

Analyzing the usage of character groups and keyboard patterns in password creation

PurposeUsing passwords to keep account and data safe is very common in modern computing. The purpose of this paper is to look into methods for cracking passwords as a means of increasing security, a practice commonly used in penetration testing. Further, in the discipline of digital forensics, password cracking is often an essential part of a computer examination as data has to be decrypted to be analyzed. This paper seeks to look into how users that actively encrypt data construct their passwords to benefit the forensics community.Design/methodology/approachThe study began with an automated analysis of over one billion passwords in 22 different password databases that leaked to the internet. The study validated the result with an experiment were passwords created on a local website was analyzed during account creation. Further a survey was used to gather data that was used to identify differences in password behavior between user that actively encrypt their data and other users.FindingsThe result of this study suggests that American lowercase letters and numbers are present in almost every password and that users seem to avoid using special characters if they can. Further, the study suggests that users that actively encrypt their data are more prone to use keyboard patterns as passwords than other users.Originality/valueThis paper contributes to the existing body of knowledge around password behavior and suggests that password-guessing attacks should focus on American letters and numbers. Further, the paper suggests that forensics experts should consider testing patterns-based passwords when performing password-guessing attacks against encrypted data.

The Search and Seizure of Digital Evidence by Forensic Investigators in South Africa

The discipline of digital forensics requires a combination of skills, qualifications and knowledge in the area of forensic investigation, legal aspects and information technology. The uniqueness of digital evidence makes the adoption of traditional legal approaches problematic.
 Information technology terminology is currently used interchangeably without any regard to being unambiguous and consistent in relation to legal texts. Many of the information technology terms or concepts have not yet achieved legal recognition.
 The recognition and standardisation of terminology within a legal context are of the utmost importance to ensure that miscommunication does not occur.
 To provide clarity or guidance on some of the terms and concepts applicable to digital forensics and for the search and seizure of digital evidence, some of the concepts and terms are reviewed and discussed, using the Criminal Procedure Act 51 of 1977 as a point of departure.
 Digital evidence is often collected incorrectly and analysed ineffectively or simply overlooked due to the complexities that digital evidence poses to forensic investigators. As with any forensic science, specific regulations, guidelines, principles or procedures should be followed to meet the objectives of investigations and to ensure the accuracy and acceptance of findings. These regulations, guidelines, principles or procedures are discussed within the context of digital forensics: what processes should be followed and how these processes ensure the acceptability of digital evidence. These processes include international principles and standards such as those of the Association of Chiefs of Police Officers and the International Organisation of Standardisation. A summary is also provided of the most influential or best-recognised international (IOS) standards on digital forensics.
 It is concluded that the originality, reliability, integrity and admissibility of digital evidence should be maintained as follows:
 
 Data should not be changed or altered.
 Original evidence should not be directly examined.
 Forensically sound duplicates should be created.
 Digital forensic analyses should be performed by competent persons.
 Digital forensic analyses should adhere to relevant local legal requirements.
 Audit trails should exist consisting of all required documents and actions.
 The chain of custody should be protected.
 Processes and procedures should be proper, while recognised and accepted by the industry.
 
 If the ACPO (1997) principles and ISO/IEC 27043 and 27037 Standards are followed as a forensic framework, then digital forensic investigators should follow these standards as a legal framework.

Tool testing and reliability issues in the field of digital forensics

The digital forensic discipline is wholly reliant upon software applications and tools designed and marketed for the acquisition, display and interpretation of digital data. The results of any subsequent investigation using such tools must be reliable and repeatable whilst supporting the establishment of fact, allowing criminal justice proceedings the ability to digest any findings during the process of determining guilt or innocence. Errors present at any stage of an examination can undermine an entire investigation, compromising any potentially evidential results. Despite a clear dependence on digital forensic tools, arguably, the field currently lacks sufficient testing standards and procedures to effectively validate their usage during an investigation. Digital forensics is a discipline which provides decision-makers with a reliable understanding of digital traces on any device under investigation, however, it cannot say with 100% certainty that the tools used to undertake this process produce factually accurate results in all cases. This is an increasing concern given the push for digital forensic organisations to now acquire ISO 17025 accreditation. This article examines the current state of digital forensic tool-testing in 2018 along with the difficulties of sufficiently testing applications for use in this discipline. The results of a practitioner survey are offered, providing an insight into industry consensus surrounding tool-testing and reliability.

Formalising investigative decision making in digital forensics: Proposing the Digital Evidence Reporting and Decision Support (DERDS) framework

In the field of digital forensics it is crucial for any practitioner to possess the ability to make reliable investigative decisions which result in the reporting of credible evidence. This competency should be considered a core attribute of a practitioner’s skill set and it is often taken for granted that all practitioners possess this ability; in reality this is not the case. A lack of dedicated research and formalisation of investigative decision making models to support digital forensics practitioner’s is an issue given the complexity of many digital investigations. Often, the ability to make forensically sound decisions regarding the reliability of any findings is arguably an assumed trait of the practitioner, rather than a formally taught competency. As a result, the digital forensic discipline is facing increasing recent scrutiny with regards to the quality and validity of evidence it’s practitioners are producing. This work offers the Digital Evidence Reporting and Decision Support (DERDS) framework, designed to help the practitioner assess the reliability of their ‘inferences, assumptions of conclusions’ in relation to any potentially evidential findings. The structure and application of the DERDS framework is discussed, demonstrating the stages of decision making a practitioner must undergo when evaluating the accuracy of their findings, whilst also recognising when content may be deemed unsafe to report.

US: Dystar — textile colorants

Now approximately 30 years old, the field of digital forensics is arguably facing some of its greatest challenges to date. Whilst currently supporting law enforcement in numerous criminal cases annually, questions are beginning to emerge regarding whether it can sustain this contribution, with digital crime remaining prevalent. In his first live interview in September 2015, Head of MI5, Andrew Parker indicated that individuals are now engaging in computing acts which are beyond the control of authorities, confirming earlier remarks made by British Prime Minister David Cameron in the wake of the Charlie Hebdo attacks. Such comments cast doubt on the future effectiveness of the digital forensic discipline and its ability to effectively investigate those who implement the latest forms of technology to carry out illicit acts. This article debates the controversial question, could we be facing an era where digital crime can no longer be effectively policed?