±Forensic Focus Partners
New Today: 1
New Yesterday: 7
±Follow Forensic Focus
· Can You Get That License Plate?
· How To Decrypt WeChat EnMicroMsg.db Database?
· A guide to RegRipper and the art of timeline building
· Recovering Evidence from SSD Drives in 2014: Understanding TRIM, Garbage Collection and Exclusions
· FT Cyber Security Summit 2014 – Recap
· Why Offender Profiling is Changing Thanks to Mobile Forensics and Increasingly ‘Social’ Criminal Activity
· Understanding Cyber Bullying – Notes for Digital Forensics Examiners
· Investigating the Dark Web – The Challenges of Online Anonymity for Digital Forensics Examiners
· The Complete Workflow of Forensic Image and Video Analysis
InterviewsBack to top Back to main Skip to menu
Michael Kohn, Computer Science Graduate, University of Pretoria
I have been interested in Information Technology and Law for quite some time. I know that there needs to be critical development in the overlap between the two disciplines. I have completed both my LLB and BSc in Computer Science. Its application to digital forensics had developed significantly over the past few years and that seemed like the best place to start with my research. In South Africa digital forensics has been used to a limited extent in that examinations of evidence have been done, but up to now have had limited exposure in court. I would like to make meaningful contributions to the legal arena in this respect.
Please give us an overview of your 'Integrated Digital Forensic Process Model' paper and explain why you decided to focus on this area of digital forensics.
The purpose of the Integrated Digital Forensic Process Model is to provide a comprehensive process for a digital forensic practitioner in completing an investigation where digital evidence is to determine the issue at hand. Various well known academic and industry process models were analysed, compared and integrated into a single process model. The model is inclusive of forensic readiness, preparation, incident response, the digital forensic investigation and presentation of the evidence findings at a forum. The model will also use previous knowledge and findings on evidence to add to the investigator experience.
There are a number of definitions of ‘digital forensics’ in your paper. How would you define the term?
The definition we provide is a specific, predefined and accepted process applied to digitally stored data or digital media using scientifically proven and derived methods, based on a solid legal foundation, to extract after-the-fact digital evidence with the goal of deriving the set of events or actions indicating a possible root cause, where reconstruction of possible events can be used to validate the scientifically derived conclusions.
What were the main challenges you faced when trying to integrate existing process models?
Terminology is probably the biggest challenge, not only in this study but how terminology is used in law and digital forensics. Even the different models, different countries and researchers have various definitions for terms used in digital forensics. Standardisation of terminology would greatly assist forensic practitioners.
Do you think that process models are given enough attention by those actually working in the industry or are they often ignored by those outside academia? If so, what can be done to change that situation?
The models are developed to accommodate changes in technology and they provide for various alternative scenarios. The models are effective and should work if applied correctly in industry. Academia and industry are not always effectively aligned in their goals to extract the best possible evidence by limiting investigation time and resources. Industry however does not take enough notice of extraordinary developments and simply buys the newest technology and tools to assist in an investigation. Industry professionals should either develop their own tools or readily ask academics to assist with solutions.
South Africa is lacking in contributing to and being aware of the latest developments in digital forensics. Most of the techniques used in South Africa are outdated and do not provide for effective evidence analysis. Communication between various role players should be encouraged, including skill developments and professional contributions.
You mention that digital evidence is circumstantial in nature. What, if anything, can be done about that? Do you think it will always be a problem?
The research done at the time strongly indicates that computer evidence is circumstantial in nature. This will probably not always be the case, but the law and information technology will drastically need to be developed in tandem to change this view.
What are your plans now that you’ve finished your Masters?
I am currently an advocate of the High Court of South Africa and practise as such at the Johannesburg Bar at Group 21 Advocates. I do however remain a professional member of the ICFP.
What do you do in your spare time?
I have various interests, including weight training, powerlifting and olympic lifting. Other than that I relax, read quite a bit and enjoy great series.