Developing A Framework For Evaluating Computer Forensic Tools

Page: 1/5
by Colin Armstrong
Curtin University of Technology
School of Information Systems
WA
Australia

Abstract

Forensic science is the application of science to those criminal and civil laws that are enforced by police agencies in a criminal justice system. The discipline of computer forensics is growing because it is making an important transition from being a "black art", restricted to a few experts, into an essential element of the information security enterprise. A major factor influencing this transition is the latest generation of highly efficient computer forensic software tools. These new tools may lead corporate information security staff to rely on "point & click" wizardry that could jeopardise the prosecution of a case.

This paper discusses a research project that examines criteria to inform the development of a framework for evaluating the appropriateness of computer forensic tools. The framework is intended for use by State and Federal Policing agencies, to attest to the validity of the tools used in gaining forensic evidence. The project aims to uncover a set of reliable and acceptable criteria on which a practically relevant and useful framework for Police can be built.

A law enforcement investigator may use tools, procedures and methods not readily available to the public and therefore not readily understood or accepted. For an investigator's findings to be accepted, they must be recognised by other experts within the field and conform to national and international standards of practice. A computer forensic investigator risks loss of credibility if doubt can be introduced into the appropriateness of the tools and/or actions deployed in producing the presented evidence. This research project will develop a framework to assist investigators in remedying this situation.

Introduction

This research project was instigated by personnel at the Computer Crime Unit of the Western Australia Police Service Major Crime Squad and is being undertaken in conjunction with State and Federal computer forensic policing agencies within Australia. It examines how the legal system treats the issues faced by expert computer forensic witnesses and investigators when they present information regarding the examination and analysis of computer systems.

Forensic is defined as belonging to, used in, or suitable to courts of judicature or to public discussion and debate (Bologna and Lindquist, 1995). Computer Forensics is the coherent application of methodical investigatory techniques to solve crime cases (Kruse and Heiser, 2001).

Police are responsible for upholding the law: investigating breaches of the law and apprehending and prosecuting offenders. The successful prosecution of computer based crime relies upon the investigator being able to prove beyond a reasonable doubt who, what, how and when a criminal event occurred, within the stringent principles of forensic examination of evidence. Computer crime is of such a nature that it is often difficult for the general public to perceive or to understand that a crime has actually occurred. Criminals are using computers to store records regarding drug deals, money laundering, embezzlement, mail fraud, telemarketing fraud, prostitution, gambling matters, extortion, and a myriad of other criminal activities (Icove et al, 1995). The victim may be a large corporation, may be far away, or may be considered an unfriendly nation, a competitor or even an enemy.

An investigation may use tools, procedures and methods not readily available to the public and therefore not readily understood or accepted. For these investigative findings to be accepted they must be recognised by other experts within the field and conform to national and international standards of practice. The risks facing a computer forensic investigator include loss of credibility if another expert witness can demonstrate that proper or appropriate courses of action were mismanaged. It is the role of the independent expert to explain technical issues in layman's terms so that the judge, jury, accused, barrister and solicitor alike can understand the evidence put before them (Armstrong, 2002).

This research project will examine a number of computer forensic tools and relate their attributes and performance to a framework that the researcher shall construct. This Computer Forensic Tool Evaluation Framework (CFTEF) would then enable the investigator to evaluate whether the chosen tool meets the requirements for a successful presentation of a case to the court.

Objectives

The primary aim of this research is to build and test a framework for the evaluation of software tools for use by State and Federal policing agencies in the forensic examination of computer systems. The framework would conform with, and assist in the determination of, a standard operating procedure to be adopted by computer forensic investigators. The research objectives will culminate in the discovery of a set of measurements that will permit the framework to determine the appropriateness of a computer forensic tool for a particular situation.

The objectives of this research are:

1. Identify and review the practices currently in use by policing agencies' computer forensic investigators.

2. Determine the measurable criteria and desired outcomes required of software tools by policing agencies.

3. Evaluate a selection of software tools or products such as EnCase, Silent Witness, NTI, iLook and SMART.

Figure 2 shows the model for the construction of the framework to meet these objectives.
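As an added illustration of what "measurable criteria" for a tool can look like in practice (this is example code written for this page, not part of Armstrong's project or of any of the products named above), the harness below scores two stand-in acquisition tools against a constructed reference source. The three criteria it measures (completeness, hash integrity of the acquired image, and honest reporting of unreadable sectors) are the author of this example's assumptions about what an evaluation framework would check, modelled on how disk-imaging tools are commonly validated; the sector size, the source contents and the two "tools" are all invented for the demonstration and never touch a real device.

```python
"""
Tool-validation harness (example, not from the paper): evaluate an imaging
"tool" against a reference source using measurable, repeatable criteria.

Criteria (assumed for this example):
  complete             - the image has exactly as many bytes as the source
  integrity            - SHA-256 of the image equals the expected reference hash
  bad_sectors_reported - the tool reported exactly the sectors it could not read
"""
import hashlib
import random
from dataclasses import dataclass

SECTOR = 512  # assumed sector size for the constructed source


@dataclass
class Source:
    """Constructed stand-in for an evidence drive; some sectors are unreadable."""
    data: bytes
    bad_sectors: frozenset  # sector numbers that raise IOError on read

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad_sectors:
            raise IOError(f"sector {n} unreadable")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


@dataclass
class Image:
    """What a tool hands back: the acquired bytes plus the errors it reported."""
    data: bytes
    errors: list


def careful_imager(src: Source) -> Image:
    """Stand-in for a well-behaved tool: zero-fills unreadable sectors and reports them."""
    out, errors = bytearray(), []
    for n in range(src.sectors):
        try:
            out += src.read_sector(n)
        except IOError:
            out += b"\x00" * SECTOR
            errors.append(n)
    return Image(bytes(out), errors)


def sloppy_imager(src: Source) -> Image:
    """Stand-in for a 'point & click' tool that silently skips unreadable sectors,
    so every later byte shifts position and the image comes up short."""
    out = bytearray()
    for n in range(src.sectors):
        try:
            out += src.read_sector(n)
        except IOError:
            pass
    return Image(bytes(out), [])


def expected_hash(src: Source) -> str:
    """Reference hash a correct acquisition must reproduce: bad sectors zero-filled."""
    h = hashlib.sha256()
    for n in range(src.sectors):
        h.update(b"\x00" * SECTOR if n in src.bad_sectors else src.read_sector(n))
    return h.hexdigest()


def evaluate(tool, src: Source) -> dict:
    """Run one tool over the source and score it against each criterion."""
    img = tool(src)
    return {
        "complete": len(img.data) == len(src.data),
        "integrity": hashlib.sha256(img.data).hexdigest() == expected_hash(src),
        "bad_sectors_reported": sorted(img.errors) == sorted(src.bad_sectors),
    }


def build_source(n_sectors: int = 64, bad=(17, 40)) -> Source:
    """Constructed sample input: deterministic pseudo-random content so the
    reference hash is reproducible from run to run."""
    rnd = random.Random(2003)
    data = bytes(rnd.getrandbits(8) for _ in range(n_sectors * SECTOR))
    return Source(data, frozenset(bad))


if __name__ == "__main__":
    src = build_source()
    for tool in (careful_imager, sloppy_imager):
        print(f"{tool.__name__:16s} {evaluate(tool, src)}")
```

The point of the reference hash is that it is computed independently of any tool under test, so the same source can be re-run against a new tool version, or by an opposing expert, and the result compared. A tool that fails the `bad_sectors_reported` check may still produce a plausible-looking image, which is exactly the kind of silent defect that is hard to explain away in court.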