DIGITAL EVIDENCE María del Pilar Jácome August 2012


Page 1: DIGITAL EVIDENCE

DIGITAL EVIDENCE

María del Pilar Jácome, August 2012

Page 2: DIGITAL EVIDENCE

What is Computer Forensics or Digital Forensics?

• “Computer Forensics” is the process of identification, preservation, analysis and presentation of digital evidence in a way that will be legally acceptable in any judicial or administrative process. Its aim is to recover and analyze information while showing that it was not manipulated (hash algorithms such as MD5 and SHA-1 are used for this).

Page 3: DIGITAL EVIDENCE

Digital Evidence Characteristics

• Intangible
• Can be duplicated accurately, and the copy can be examined as if it were the original
• It is possible to determine whether it has been altered
• Specialized forensic procedures are required to examine the evidence with guarantees
• It is more volatile than paper information
• It can be easily altered or destroyed
• It requires proper care

Page 4: DIGITAL EVIDENCE

Why the distinction between digital and traditional evidence?

• Electronic document: it has the same validity as traditional evidence.

• Creation of electronic documents:
– By people
– By computers
– By people and computers

• Electronic data storage.

Page 5: DIGITAL EVIDENCE

Digital Evidence Storage

Digital Evidence Repositories

• Personal computers
• Email, file and proxy servers
• Control or access systems: firewalls, routers
• Personal digital assistants: Blackberry, Palm
• Mobile phones, music players
• Digital cameras
• Backup tapes
• Hard disks
• Portable storage media: USB memories, CDs, DVDs

Types of Stored Documents

• Emails
• Financial files
• Office documents
• Internet navigation history
• Chat records
• Address books (e.g. Outlook)
• Calendars (e.g. Outlook)

Page 6: DIGITAL EVIDENCE

Digital Evidence Admissibility

• In addition to the basic principles of admission of evidence, digital evidence should comply with:
– Authenticity
– Reliability
– Adequacy
– Attachment and respect of the law and the judicial system.

Page 7: DIGITAL EVIDENCE

Authenticity

• Authenticity refers to how evidence is generated and stored, so that it can be admitted in court.

• Evidence is authentic when it demonstrates that the data came from the source it is supposed to come from and that it has been stored without manipulation.

Page 8: DIGITAL EVIDENCE

Authenticity

• Presumption of authenticity: private documents are considered authentic as long as they are not challenged by the opposing party. For this reason, even though digital data has security mechanisms like digital or biometric signatures, these mechanisms would not need to be proven as long as the authenticity of the document is not challenged.

Page 9: DIGITAL EVIDENCE

Authenticity

• You must determine the security level being offered by the message creator and keeper, who should:

– Certify that the data message retains its initial characteristics by proving the identity of the digital certificate used to generate the digital signature, and

– Establish that the HASH (a small summary of the digital data's content) corresponds to the digital data after it has been decrypted.
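The check described on slides 2 and 9 (a hash recorded when the data is acquired, later shown to still correspond to the data) can be demonstrated in Python. The following is an added example and is not part of the original presentation: it acquires a byte-for-byte copy of a constructed sample file, records MD5, SHA-1 and SHA-256 digests from the acquisition stream itself, and re-verifies the copy before and after a single byte is changed. File names and sample content are constructed for the demonstration. SHA-256 is recorded alongside the two algorithms the slides name because MD5 and SHA-1 have known collision attacks, so recording a stronger digest avoids relying on either of them alone.

```python
"""Acquisition and verification of a forensic copy (added example, not from the slides)."""
import hashlib
import tempfile
from pathlib import Path

# MD5 and SHA-1 are the algorithms the presentation names; SHA-256 is added
# because both of the others have known collision attacks.
ALGORITHMS = ("md5", "sha1", "sha256")


def _new_hashers(algorithms):
    return {name: hashlib.new(name) for name in algorithms}


def _digests(hashers):
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Hex digests of an in-memory byte string, keyed by algorithm name."""
    hashers = _new_hashers(algorithms)
    for h in hashers.values():
        h.update(data)
    return _digests(hashers)


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hex digests of a file read in chunks, so images larger than RAM still work."""
    hashers = _new_hashers(algorithms)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return _digests(hashers)


def acquire_copy(original, copy, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Byte-for-byte copy of `original` into `copy`.

    The original is opened read-only and hashed from the same stream that is
    written to the copy, so the returned digests describe exactly what was
    acquired. They are what goes into the acquisition record.
    """
    hashers = _new_hashers(algorithms)
    with open(original, "rb") as src, open(copy, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            dst.write(chunk)
            for h in hashers.values():
                h.update(chunk)
    return _digests(hashers)


def verify_copy(copy, recorded):
    """Recompute the copy's digests and compare them with the acquisition record.

    Returns (ok, mismatched_algorithms). A single differing digest means the
    copy can no longer be examined as if it were the original.
    """
    current = hash_file(copy, tuple(recorded))
    mismatched = sorted(name for name in recorded if current[name] != recorded[name])
    return (not mismatched, mismatched)


def demo():
    """Acquire a constructed evidence file, verify the copy, then alter one byte.

    Returns (ok_before_change, ok_after_change, mismatched_after_change).
    """
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "evidence.bin"   # constructed sample, not real evidence
        copy = Path(tmp) / "evidence.copy"
        original.write_bytes(b"constructed sample evidence\n" * 1000)

        recorded = acquire_copy(original, copy)
        ok_before, _ = verify_copy(copy, recorded)

        # Simulate one flipped bit in the copy (for example a faulty write).
        data = bytearray(copy.read_bytes())
        data[10] ^= 0x01
        copy.write_bytes(bytes(data))
        ok_after, mismatched = verify_copy(copy, recorded)
        return ok_before, ok_after, mismatched


if __name__ == "__main__":
    print(demo())
```

Running the module prints `(True, False, ['md5', 'sha1', 'sha256'])`: the copy verifies immediately after acquisition and fails on every recorded algorithm once a byte differs. Hashing from the acquisition stream rather than re-reading the original afterwards matters on slide 25's "minimal alteration" point as well, since the original is read exactly once.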

Page 10: DIGITAL EVIDENCE

Reliability

• The creators of the message are viable and plausible.

• This characteristic is connected with the message creator and data keeper, who should present warranties and be prepared to be audited.

Page 11: DIGITAL EVIDENCE

Adequacy

It is the ability to convince that the digital evidence provided is relevant to some specific facts. It is not only required for the exhibition of the digital data; it is also advisable, at the moment of presenting the evidence, to explain what technology was used, which processes were implemented for the creation and storage of the data, and to exhibit the digital certificates if available. The intent is to provide sufficient support to the electronic documents submitted to the process.

Page 12: DIGITAL EVIDENCE

Adequacy

• By the same token, authenticity and reliability should reflect the adequacy of the digital evidence to be considered a legal matter in the process.

Page 13: DIGITAL EVIDENCE

Attachment and respect of the law

• It is necessary to bring out this element, which establishes the need for the digital evidence to receive the same procedural treatment contained in the procedural code, without failing to recognize that this class of evidence is contained in special media that require special care in its collection, analysis and reporting to ensure authenticity, reliability and adequacy.

Page 14: DIGITAL EVIDENCE

Attachment and respect of the law: Digital evidence administration

Page 15: DIGITAL EVIDENCE

Evidence Design

• Determine the importance of electronic records.
• Electronic records have been identified, are available and usable.
• Clear identification of the author of the electronic records.

Page 16: DIGITAL EVIDENCE

Evidence Design

• Date and hour of creation or modification of the electronic records.

• Possible validation of the authenticity of the electronic records.

• There is confidence in the electronic record production and storage of the information system; system reliability.

Page 17: DIGITAL EVIDENCE

Evidence Production

• That the system or the information technology produces the electronic records.

• Identify the author of the stored electronic records.

• Identify the date and hour of creation.

• Verify that the application is working correctly while generating the records (creation or modification).

• Verify the completeness of the generated records.

Page 18: DIGITAL EVIDENCE

Gathering Evidence

• Establish good practices and standards to gather digital evidence.

• Prepare evidence to be used now and in the future.

• Keep and verify the chain of custody.

• Respect and validate the regulations and norms related to gathering digital evidence.

• Develop criteria to establish how to determine the relevance of the evidence.

Page 19: DIGITAL EVIDENCE

Evidence Analysis

• Following the collection of the evidence, it is necessary to establish the facts to be proven in order to define whether the evidence is sufficient or whether more documents are needed to convince the judge.

Page 20: DIGITAL EVIDENCE

Report and Presentation

• Document the procedures followed by the experts in charge.

• Keep a journal of the technical processes used.

• Fulfillment of the comprehensive processes established in relation to the chain of custody.

Page 21: DIGITAL EVIDENCE

Report and Presentation

1. CNUDMI (UNCITRAL): this type of evidence should be submitted as documentary evidence. This circumstance makes the procedural rules more flexible. Nevertheless, given the specialty and technical nature of this type of evidence, it is necessary to perform additional tests, like expert evidence or court inspection.

2. What is the ideal mechanism to gather digital evidence? It should be gathered in the same environment where it is now. If it is materialized through printing, does the evidence lose its value?

3. In many countries, the opportunity to submit evidence is when presenting the lawsuit, when replying to the lawsuit, or when the judge orders it sua sponte.

Page 22: DIGITAL EVIDENCE

Report and Presentation

• Today, in many countries there is little legislation on this matter and no specific law about how to value electronic evidence. This could be done in two ways:

– Through an expert evidence order decreed by the judge, and

– As with simple evidence (known facts that allow inference of unknown facts), in case it does not comply with the minimum requirements that give legal security and certainty to the judge.

Page 23: DIGITAL EVIDENCE

Determination of Relevant Evidence

• Probative value: any electronic document that has an emblem of authorship and authenticity, and is the result of a proper and reliable operation of the system.

• Evidence rules: establish that the appropriate procedures and rules to gather and manage evidence have been followed.

Page 24: DIGITAL EVIDENCE

International Regulatory Framework

• International Organization on Computer Evidence (IOCE)
• European Community: Conventions against cybercrime
• United States regulation: “Forensic Examination of Digital Evidence: a Guide for Law Enforcement” and “Electronic Crime Scene Investigation: a Guide for First Responders”

“Computer forensics” is the process of identification, preservation, analysis and presentation of digital evidence in a way that will be legally acceptable in any judicial or administrative process: recovering and analyzing information while showing that it was not manipulated (hash algorithms such as MD5 and SHA-1 are used).

• Actions taken to gather digital evidence should not affect the integrity of the evidence.
• People in charge of handling and gathering digital evidence should be trained for it.
• Activities directed to examine, maintain or transfer digital evidence should be documented and preserved for future analysis.

Page 25: DIGITAL EVIDENCE

International Protocols

Document in detail every procedure performed on the evidence.

SCENE

• Secure the scene: protect the scene to avoid the modification or destruction of digital evidence. Define the protocols to be followed in case of a fraud investigation.

• Identify evidence: identify, among the company's information systems, which ones could contain relevant information. Experience in investigations and information systems is needed in order to identify the appropriate data sources.

• Capture evidence: make exact copies of the identified evidence, minimizing the impact on the original evidence. Use the fastest and most reliable tools on the market to ensure non-intrusion and minimal alteration of the original evidence.

FORENSIC LAB

• Preserve evidence: proper handling and documentation of the evidence in order to ensure the “chain of custody”.

• Analyze evidence: analyze the evidence following a specialized forensic methodology, using tools appropriate for each case. Use forensic tools and indexing of information to analyze large amounts of data.

• Present results: present the results through a detailed report of the analyzed information and the conclusions obtained. Write reports that illustrate the facts clearly and concisely. Experience ratifying expert reports.
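Slide 18 asks to keep and verify the chain of custody, and slide 25 to document in detail every procedure performed on the evidence and to preserve it so that the chain of custody is ensured. One way to make such a record tamper-evident, added here as an example that is not part of the presentation, is a log in which each entry carries a SHA-256 hash of its own contents together with the hash of the previous entry, so that editing, reordering or removing an entry breaks the chain when the log is verified. The item identifiers, custodian names, timestamps and evidence digest below are constructed for the demonstration.

```python
"""Tamper-evident chain-of-custody log (added example, not from the slides)."""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def _entry_hash(body):
    """SHA-256 over the canonical JSON form of an entry body (sorted keys, no whitespace)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


class CustodyLog:
    """Append-only log in which every entry is hash-linked to the entry before it."""

    def __init__(self):
        self.entries = []

    def record(self, item_id, action, custodian, timestamp, evidence_sha256, note=""):
        """Append one custody event and return its entry hash.

        evidence_sha256 is the digest of the item as computed at acquisition, so
        a later handler can re-hash the item and compare it against the log.
        """
        body = {
            "seq": len(self.entries),
            "item_id": item_id,
            "action": action,
            "custodian": custodian,
            "timestamp": timestamp,
            "evidence_sha256": evidence_sha256,
            "note": note,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry = dict(body, entry_hash=_entry_hash(body))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Recompute every entry hash and every link. Returns (ok, problems)."""
        problems = []
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["seq"] != i:
                problems.append(f"entry {i}: unexpected sequence number {body['seq']}")
            if body["prev_hash"] != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if _entry_hash(body) != entry["entry_hash"]:
                problems.append(f"entry {i}: contents do not match entry hash")
            prev = entry["entry_hash"]
        return (not problems, problems)


def demo():
    """Build a three-entry log for a constructed item, then alter one entry.

    Returns (ok_before, ok_after, problems_after).
    """
    log = CustodyLog()
    digest = hashlib.sha256(b"constructed sample evidence").hexdigest()
    # All identifiers, names and times below are constructed for the example.
    log.record("HD-001", "seized", "J. Perez", "2012-08-01T09:00:00Z", digest, "laptop disk, office 3")
    log.record("HD-001", "imaged", "A. Gomez", "2012-08-01T11:30:00Z", digest, "copy verified against digest")
    log.record("HD-001", "transferred", "Forensic lab", "2012-08-02T08:15:00Z", digest)
    ok_before, _ = log.verify()

    # Someone edits the custodian of entry 1 and recomputes its hash so the entry
    # looks self-consistent; entry 2 still points at the old hash, so the chain breaks.
    tampered = log.entries[1]
    tampered["custodian"] = "M. Ruiz"
    tampered["entry_hash"] = _entry_hash({k: v for k, v in tampered.items() if k != "entry_hash"})
    ok_after, problems = log.verify()
    return ok_before, ok_after, problems


if __name__ == "__main__":
    ok_before, ok_after, problems = demo()
    print("before tampering:", ok_before)
    print("after tampering:", ok_after, problems)
```

The log only proves that entries were not altered after being written; it does not prove that the first entry was honest, which is why the evidence digest recorded at imaging should be produced in front of a witness and the log itself kept somewhere the custodians cannot rewrite (a write-once store, a signed export, or a printed copy signed at each handover).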

Page 26: DIGITAL EVIDENCE

CONCLUSIONS

• Lawyers and judges should stop fearing using digital evidence to prove facts.

Page 27: DIGITAL EVIDENCE

CONCLUSIONS

• The starting point should be that all “documents” submitted to a process are presumed valid until they are challenged as false by the other party. This is why, when gathering the evidence, it must be determined whether digital signature certifications, expert reports or technical reports are needed or not.

Page 28: DIGITAL EVIDENCE

CONCLUSIONS

• The correct use of digital evidence should follow strict practices.

Page 29: DIGITAL EVIDENCE

CONCLUSIONS

• All parties involved (companies, consumers, lawyers, public entities) should create policies for storing the data contained in data messages, with the purpose of classifying which information requires heavier or lighter controls.

Page 30: DIGITAL EVIDENCE

CONCLUSIONS

• Training must be provided to give lawyers and judges the tools for presenting and accepting digital evidence in processes, also breaking the fear of its use, always taking into consideration its different forms of presentation and its probative value.