by Dr Chris Hargreaves, lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK
It does not require too much imagination to foresee how data from such devices could be potentially useful (particularly as evidence related to alibis, for example). Really, any additional source of potential digital evidence should be welcomed, and this is particularly true for devices that are difficult to tamper with (there is not yet an evidence eliminator for electricity usage monitors as far as I am aware). There is also an additional benefit from using digital evidence in this way – rather than relying on digital evidence from a single PC or device, multiple, independent devices can be examined for evidence that supports (or refutes) the current working hypothesis of what events occurred. More data sources can only increase the accuracy of any inferences drawn from the evidence.
While there are potential benefits of using digital evidence from such devices, there are significant challenges in doing so. Assuming for the purpose of this article a reasonably simple digital investigation process model (identification, acquisition, extraction, analysis and presentation), the identification at a scene of physical evidence on which digital evidence could reside is much more difficult than in the past – this article has mentioned only a small subset of the devices that could contain relevant digital evidence. It is therefore important to remember that the question to ask when seizing evidence is not ‘where is the computer?’ but ‘what devices are here that could contain relevant digital evidence?’
With the devices identified and collected, the problem of acquisition remains. Acquisition of data from non-standard devices can be challenging, often because the data storage components are integrated into the device and the interfaces to the device itself are non-standard. The current offerings of mobile phone acquisition products (as an example of non-traditional computer evidence) include a range of adaptors for compatibility with the large variety of devices and interfaces. Could this sort of approach extend in future to include acquisitions from other digital evidence sources not based on traditional computers?
Assuming that data can actually be acquired from these devices, an additional challenge remains: the extraction of digital artifacts (in this context meaning the transformation from the raw data into usable information, i.e. how are the binary patterns to be correctly interpreted?). A new file format on a traditional computer usually involves experimentation in order to reverse engineer the format to understand it and extract information. These experiments can involve (amongst other things) feeding known data into a test system and inspecting the data object in which it is stored. If the acquisition of the device is difficult or destructive then this can make the experimentation process much harder, slower and more cumbersome. In addition, there does seem to be a trend for traditional computer applications to make use of more standard data formats, e.g. SQL, XML etc.; however, for low power, low resource devices these formats may not necessarily be appropriate, and bespoke formats are therefore more common. This increases the challenge of artifact extraction.
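The known-data experiment described above can be sketched in code. This is an added example, not part of the original article: it searches an acquired image for readings that were deliberately fed into a test device, under several candidate integer encodings, and reports the encoding, offset and record stride at which they appear in order. The device, the `EMON` header and the 7-byte record layout are constructed for illustration.

```python
import struct

# Candidate fixed-width integer encodings to test (an assumed, non-exhaustive set).
ENCODINGS = {"u16le": "<H", "u16be": ">H", "u32le": "<I", "u32be": ">I"}

# Readings deliberately fed into the test device, in order (constructed values).
KNOWN_WATTS = [1234, 2345, 3456, 4567]

def build_sample_dump() -> bytes:
    """Constructed stand-in for an acquired image: 16-byte header, then
    7-byte records of (u32 timestamp, u16 watts, u8 flag). Hypothetical layout."""
    header = b"EMON" + bytes(12)
    records = b"".join(struct.pack("<IHB", 1300000000 + 60 * i, w, 0xA5)
                       for i, w in enumerate(KNOWN_WATTS))
    return header + records + b"\xff" * 9  # erased-flash padding

def offsets(dump: bytes, needle: bytes) -> list:
    """All offsets at which needle occurs in dump (overlaps included)."""
    found, i = [], dump.find(needle)
    while i != -1:
        found.append(i)
        i = dump.find(needle, i + 1)
    return found

def infer_layout(dump: bytes, known: list) -> list:
    """Return (encoding, first_offset, stride) for each encoding under which
    the known values (two or more) appear in feeding order at a constant stride."""
    candidates = []
    for name, fmt in ENCODINGS.items():
        try:
            hits = [offsets(dump, struct.pack(fmt, v)) for v in known]
        except struct.error:
            continue  # a value does not fit in this width
        if not all(hits):
            continue  # at least one known value never appears in this encoding
        later = [set(h) for h in hits[2:]]
        for first in hits[0]:
            for second in hits[1]:
                stride = second - first
                if stride > 0 and all(first + (k + 2) * stride in s
                                      for k, s in enumerate(later)):
                    candidates.append((name, first, stride))
    return candidates

if __name__ == "__main__":
    for enc, first, stride in infer_layout(build_sample_dump(), KNOWN_WATTS):
        print(f"{enc}: first value at offset {first}, record stride {stride} bytes")
```

Distinctive, non-repeating test values keep coincidental matches low; a constant stride across all of them is what separates a real record field from a chance byte pattern.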
Like all new technologies, small dedicated devices for ‘self-tracking’ present new challenges and new opportunities for digital forensics. It remains to be seen if this trend moves beyond early adopters, but the idea that potentially relevant digital evidence is present in far more devices than the traditional computer is fairly uncontroversial. The first step for addressing this challenge is probably at the identification stage; it is to raise awareness that such devices exist and the sort of artifacts they could contain. Hopefully this article has at least contributed to that first step.
Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK. Chris is involved to some extent in all of the Centre’s core activities: Education, Research and Consultancy. Chris’s main focus is research (publication list available here), but he also teaches on several of the modules within Cranfield’s MSc programme including Advanced Forensics, the newly revamped Programming for Practitioners, and also some of the new courses planned for next year. Before taking on a lecturing position, Chris obtained his PhD at Cranfield on the topic of “Assessing the Reliability of Digital Evidence from Live Investigations involving Encryption”.