DIGITAL EVIDENCE María del Pilar Jácome August 2012
What is Computer Forensics or Digital Forensics? • “Computer Forensics” is the process of identification, preservation, analysis and presentation of digital evidence in a way that will be legally acceptable in any judicial or administrative process. • The aim is to recover and analyze information while showing that it was not manipulated: a cryptographic hash (MD5, SHA-1) of the data is recorded at acquisition and recomputed later, and any change to the data changes the hash. Note that MD5 and SHA-1 have publicly known collision weaknesses, so current practice records a stronger hash such as SHA-256 alongside them.
Digital Evidence Characteristics • Intangible • Can be duplicated exactly (bit for bit), and the copy can be examined as if it were the original • It is possible to determine whether it has been altered • Specialized forensic procedures are required to examine the evidence with adequate guarantees • It is more volatile than information on paper • It can be easily altered or destroyed • It requires proper handling
Why the distinction between digital and traditional evidence? • Electronic document: it has the same validity as traditional evidence. • Creation of electronic documents: • By people • By computers • By people and computers • Electronic data storage.
Digital Evidence Storage. Types of stored documents: • Emails • Financial files • Office documents • Internet browsing history • Chat records • Address books (e.g. Outlook) • Calendars (e.g. Outlook). Digital evidence repositories: • Personal computers • Email, file and proxy servers • Control or access systems: firewalls, routers • Personal digital assistants: BlackBerry, Palm • Mobile phones, music players • Digital cameras • Backup tapes • Hard disks • Portable storage media: USB memory sticks, CDs, DVDs
Digital Evidence Admissibility • In addition to the basic principles for the admission of evidence, digital evidence should satisfy: • Authenticity • Reliability • Adequacy • Adherence to and respect for the law and the judicial system.
Authenticity • Authenticity refers to how evidence is generated and stored so that it can be admitted in court. • Evidence is authentic when it can be shown that the data came from the source it is supposed to come from and has been stored without manipulation.
Authenticity • Presumption of authenticity: private documents are considered authentic until they are challenged by the opposing party. For this reason, even though digital data may carry security mechanisms such as digital or biometric signatures, those mechanisms need not be proven as long as the authenticity of the document is not challenged.
Authenticity • The security level offered to the creator and keeper of the message must be determined. They should: • Certify that the data message retains its original characteristics, by establishing the identity behind the digital certificate used to generate the digital signature, and • Establish that the hash (a short digest of the digital data) recomputed over the data matches the hash recovered from the digital signature when it is decrypted with the signer's public key; a match shows that the data has not changed since it was signed.
Reliability • The creators of the message are reliable and credible. • This characteristic is tied to the message creator and the data keeper, who should provide guarantees and be prepared to be audited.
Adequacy • The ability to convince the court that the digital evidence provided is relevant to specific facts. It is not enough to exhibit the digital data; when presenting the evidence it is advisable to explain what technology was used and which processes were followed for the creation and storage of the data, and to exhibit the digital certificates if available. The intent is to give sufficient support to the electronic documents submitted to the process.
Adequacy • By the same token, authenticity and reliability should support the adequacy of the digital evidence for it to be considered as a legal matter in the process.
Adherence to and respect for the law • This element establishes that digital evidence receives the same procedural treatment set out in the procedural code, while recognizing that this class of evidence lives on special media that require special care in its collection, analysis and reporting to ensure authenticity, reliability and adequacy.
Adherence to and respect for the law: digital evidence administration
Evidence Design • Determine the importance of the electronic records. • Electronic records have been identified, and are available and usable. • Clear identification of the author of the electronic records.
Evidence Design • Date and time of creation or modification of the electronic records. • Possibility of validating the authenticity of the electronic records. • Confidence in the information system's production and storage of the electronic records; system reliability.
Evidence Production • That the system or the information technology produces the electronic records. • Identify the author of the stored electronic records. • Identify the date and time of creation. • Verify that the application was working correctly while generating the records (creation or modification). • Verify the completeness of the generated records.
Gathering Evidence • Establish good practices and standards for gathering digital evidence. • Prepare evidence to be used now and in the future. • Maintain and verify the chain of custody. • Respect and validate the regulations and norms related to gathering digital evidence. • Develop criteria for determining the relevance of the evidence.
Evidence Analysis • After the evidence has been collected, the facts to be proven must be established in order to decide whether the evidence is sufficient or whether more documents are needed to convince the judge.
Report and Presentation • Document the procedures followed by the experts in charge. • Keep a log of the technical processes used. • Comply with the full set of processes established for the chain of custody.
Report and Presentation • CNUDMI (UNCITRAL): this type of evidence should be submitted as documentary evidence, which makes the procedural rules more flexible. Nevertheless, given the specialized and technical nature of this type of evidence, additional measures may be needed, such as expert evidence or a court inspection. • What is the ideal mechanism for gathering digital evidence? It should be gathered in the same environment in which it currently resides. If it is materialized by printing it, does the evidence lose its value? • In many countries, the opportunity to submit evidence is when filing the lawsuit, when replying to the lawsuit, or when the judge orders it sua sponte.
Report and Presentation • Today many countries have little legislation on this matter and no specific law on how to weigh electronic evidence. It could be weighed in two ways: • Through an expert evidence order decreed by the judge, and • As circumstantial evidence (known facts that allow unknown facts to be inferred), when it does not meet the minimum requirements that give the judge legal security and certainty.
Determination of Relevant Evidence • Probative value: any electronic document that carries an indication of authorship and authenticity and is the result of proper and reliable operation of the system. • Evidence rules: establish that the appropriate procedures and rules for gathering and managing evidence have been followed.
International Regulatory Framework • International Organization on Computer Evidence (IOCE) • Council of Europe: Convention on Cybercrime • United States (National Institute of Justice): “Forensic Examination of Digital Evidence: A Guide for Law Enforcement” and “Electronic Crime Scene Investigation: A Guide for First Responders”. Principles common to these frameworks: • Actions taken to gather digital evidence should not affect the integrity of the evidence. • People in charge of handling and gathering digital evidence must be trained for it. • Activities directed at examining, maintaining or transferring digital evidence should be documented and preserved for future review.
International Protocols. Phases of a forensic investigation (from the scene to the forensic lab):
• Secure the scene: protect the scene to avoid the modification or destruction of digital evidence.
• Identify evidence: identify which of the company's information systems could contain relevant information; this calls for experience in investigations and information systems in order to identify the appropriate data sources.
• Capture evidence: make exact copies of the identified evidence while minimizing the impact on the original; use the fastest and most reliable tools on the market to ensure non-intrusion and minimal alteration of the original evidence.
• Preserve evidence: handle and document the evidence properly in order to ensure the chain of custody; document in detail every procedure performed on the evidence.
• Analyze evidence: analyze the evidence following a specialized forensic methodology, using tools appropriate to each case; use forensic tools and indexing of information to analyze large amounts of data.
• Present results: present the results in a detailed report of the analyzed information and the conclusions obtained; write reports that illustrate the facts clearly and concisely; experience in ratifying expert reports in court.
• Forensic lab: define the protocols to be followed in the case of a fraud investigation.
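As an added example (not part of the presentation, nor code from any tool or framework it cites), the following Python script shows the mechanics behind two points made above: the definition's use of hashes (MD5, SHA-1) to show that data was not manipulated, and the protocol steps "make exact copies minimizing the impact on the original" and "document every procedure to ensure the chain of custody". It records acquisition hashes, verifies a bit-for-bit working copy against them, logs each handling step, and then shows that a single flipped bit in a copy is detected. The evidence bytes, the item identifier and the examiner names are constructed for the example; SHA-256 is added alongside the two algorithms the presentation names because MD5 and SHA-1 have known collision attacks.

```python
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for the bytes of an acquired evidence file
# (for example an exported mailbox or a small disk image). Not real case data.
SAMPLE_EVIDENCE = (
    b"From: accounts@example.invalid\r\n"
    b"Subject: Q3 invoice approval\r\n\r\n"
    b"Please approve the attached wire transfer.\r\n"
) * 64

# MD5 and SHA-1 are the algorithms named in the presentation; SHA-256 is added
# because both of the older ones have publicly known collision attacks.
ALGORITHMS = ("md5", "sha1", "sha256")


def acquisition_hashes(data: bytes, chunk_size: int = 65536) -> dict[str, str]:
    """Hash the evidence with every algorithm in one streaming pass.

    Streaming in chunks yields the same digests as hashing the whole buffer,
    which is how an image larger than memory is handled in practice.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_copy(expected: dict[str, str], copy: bytes) -> tuple[bool, list[str]]:
    """Re-hash a working copy and compare it with the acquisition record.

    Returns (all_match, algorithms_that_disagree). A single flipped bit changes
    every digest, so an altered copy fails on all three algorithms.
    """
    actual = acquisition_hashes(copy)
    mismatched = [name for name in expected if actual.get(name) != expected[name]]
    return (not mismatched, mismatched)


class ChainOfCustody:
    """Append-only log of who handled an evidence item, when, and what it hashed to."""

    def __init__(self, item_id: str) -> None:
        self.item_id = item_id
        self.entries: list[dict] = []

    def record(self, action: str, handler: str, hashes: dict[str, str], note: str = "") -> dict:
        entry = {
            "seq": len(self.entries) + 1,
            "item": self.item_id,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "handler": handler,  # hypothetical examiner names are used in run_demo()
            "hashes": dict(hashes),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def run_demo() -> dict:
    """Acquire, copy, verify, then show that a tampered copy is detected."""
    log = ChainOfCustody("ITEM-0001")  # hypothetical evidence identifier

    original = SAMPLE_EVIDENCE
    acquired = acquisition_hashes(original)
    log.record("acquired", "examiner A", acquired, "hashed at seizure")

    # Exact copy: examination runs on the copy, never on the original.
    working_copy = bytes(original)
    copy_ok, _ = verify_copy(acquired, working_copy)
    log.record("copied", "examiner A", acquisition_hashes(working_copy),
               "bit-for-bit copy verified" if copy_ok else "COPY MISMATCH")

    # Tampering: one bit flipped in the middle of the copy before a hand-over.
    tampered = bytearray(working_copy)
    tampered[len(tampered) // 2] ^= 0x01
    tampered_ok, bad = verify_copy(acquired, bytes(tampered))
    log.record("transfer-check", "examiner B", acquisition_hashes(bytes(tampered)),
               "hash mismatch on " + ", ".join(bad) if not tampered_ok else "verified")

    return {
        "acquired": acquired,
        "copy_verified": copy_ok,
        "tampered_verified": tampered_ok,
        "mismatched_algorithms": bad,
        "custody_entries": len(log.entries),
        "custody_log": log.entries,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The hashes recorded at acquisition are what a later party compares against at every transfer, so they belong in the custody log next to the handler and timestamp rather than only in the examiner's notes. Keeping MD5 and SHA-1 alongside SHA-256 preserves compatibility with older records while making a deliberate collision impractical.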
CONCLUSIONS • Lawyers and judges should stop fearing the use of digital evidence to prove facts.
CONCLUSIONS • The starting point should be that all “documents” submitted to a process are presumed valid until they are challenged as false by the other party. This is why, when gathering the evidence, it must be determined whether digital signature certifications, expert reports or technical reports are needed.
CONCLUSIONS • The correct use of digital evidence should follow strict practices.
CONCLUSIONS • All parties involved (companies, consumers, lawyers, public entities) should create policies for storing the data contained in data messages, in order to classify which information requires heavier or lighter controls.
CONCLUSIONS • Training must be provided to give lawyers and judges the tools for presenting and accepting digital evidence in proceedings, breaking the fear of its use, and always taking into account its different forms of presentation and its probative value.