Research published last month covered a wide range of issues in digital forensics, from limitations and challenges to new tools and techniques and lessons for those in higher education.
Digital forensic techniques, now and in the future
The National Institute of Standards and Technology (NIST) published its draft “Digital Investigation Techniques: A NIST Scientific Foundation Review.” This in-depth review of a wide range of descriptions of digital investigation techniques comes at a time when the field continues to evolve, and techniques based on established computer science methods can be limited.
According to the report, these limitations consist of:
- Not always discovering all the evidence.
- Having to parse “extraneous material” associated with the recovery of deleted data.
- Changing significance of digital artifacts created by ever-changing software, including both operating systems and applications.
- The possibility that “two examiners may find different information, and both can be correct” as a result of the availability of multiple ways to search data.
However, the report noted, although digital forensic methods may not be formally peer reviewed, “trustworthiness is established by members of the digital forensic community trying out proposed methods, testing, and updates circulated within the community. This process strengthens an examiner’s awareness of the capabilities and limitations of their techniques.”
The draft is open for public comment through July 11, 2022. Please send comments to [email protected]
On the other side of digital forensic methodology is the interpretation of artifacts, or traces, left on a given digital system. “Erroneously interpreted data that is communicated to a client and subsequently relied upon can have far-reaching consequences for all those involved in the investigative process,” writes Cranfield University’s Graeme Horsman in “Forming an investigative opinion in digital forensics.”
Cautioning that investigative opinions may not always be appropriate, and are also different to expert evaluative opinions, Horsman offers a three-step process flowchart of actions to take throughout three stages: case processing and hypothesis formation, testing and evaluation, and opinion formation and communication.
The complexity of digital forensic investigations is compounded when cases are multinational. “SoK: Cross-border Criminal Investigations and Digital Evidence” is a literature review examining current protocols for collaboration, with an eye toward “enabling practitioners and stakeholders to leverage horizontal strategies to fill in the identified gaps timely and accurately.”
The authors concluded: “…the current mechanisms used for cross-border collaboration are solving partial issues and challenges, but there is no panacea.” Moreover, efforts to solve these issues and challenges actually introduced new ones. The paper laid the groundwork for future research, in particular the use of blockchain technology for chain of custody and evidence exchanges.
Structuring inferences in digital and other forensic sciences
Encouraging hypothesis formation – and using a standard practice to do so – as part of digital forensic science continues in “Likelihood ratio method for the interpretation of iPhone health app data in digital forensics,” authored by a team of researchers at the Netherlands Forensic Institute.
Their method focused on the use of a numerical likelihood probability ratio applied to walking distances. Acknowledging that the method’s performance is “highly case-dependent,” the authors stressed, “the method and validation procedure are straightforward and can therefore easily be repeated for different data… within and outside the field of digital forensics.”
More broadly in forensic science, whether data science and machine learning could help human practitioners with likelihood ratios and other structured evaluation methods was the topic of a set of papers in May, including:
- “A strawman with machine learning for a brain: A response to Biedermann (2022) the strange persistence of (source) “identification” claims in forensic literature” arguing in support of the use of machine learning for forensic inference.
- “Machine learning enthusiasts should stick to the facts. Response to Morrison et al. (2022)” refutes this response.
- “Advancing a paradigm shift in evaluation of forensic evidence: The rise of forensic data science,” a written version of a keynote presentation given at the European Academy of Forensic Science 2022 conference.
Although these papers focus on forensic sciences like fingerprint, toolmarks, footwear and tire tread pattern comparison analysis, they are more broadly written about the same quantitative and statistical ways to overcome cognitive bias being discussed in digital forensics.
South Korean researchers contributed “A study on data acquisition based on the Huawei smartphone backup protocol,” exploring a workaround to digital device extraction. By reverse engineering Huawei’s data backup protocol program, HiSuite, the researchers “experimentally verified” the ability to use a HiSuite replacement tool obtain backup data from Huawei smartphones.
In “Cloud Evidence Tracing System: An integrated forensics investigation system for large-scale public cloud platform,” Chinese researchers developed a tool that uses service providers’ existing APIs to forensically acquire, preserve, and emulate data, as well as analyze and manage it.
The CETS methodology is designed to collect data consistently, across multiple providers’ virtual machines, and to track all the files created during their workflow. As of publication, the authors wrote, “CETS has collected data exceeding 2 PB, rerun more than 2000 virtual hosts, including servers and databases, supported more than 300 investigation cases related to cloud platforms.”
In India, researchers discussed “Security and privacy issues in fog computing environment.” Designed to overcome the challenges posed by a future internet to existing cloud computing paradigms, fog computing “has extended the cloud computing standards to the edge of the network.” The researchers thus examine characteristics, applications and associated technologies of fog computing towards understanding its own unique challenges.
Researchers in Qatar, the United Arab Emirates, and the United Kingdom offered an overview of methods for “Digital forensic analysis for source video identification: A survey.” Compression, stabilization, scaling, cropping, and differences between frame types can all make it difficult to identify source videos for authentication
These limitations have had the results that 1) most authentication techniques are focused on source camera identification and 2) few large standard digital video databases, or updated databases with new devices based on new technologies, exist. The researchers sought to describe some of the databases that are available, along with existing identification techniques.
Researchers from India’s Vellore Institute of Technology discussed the “Implementation of high speed and lightweight symmetric key encryption algorithm-based authentication protocol for resource constrained devices.” Their algorithm combines AES with SHA mechanisms “to achieve a high degree of data protection.”
Lessons for educators and students in higher learning
The literature around pivots to remote learning in pandemic-stricken institutions continued in May with “Lockdown labs: Pivoting to remote learning in forensic science higher education.” There, researchers at Scotland’s University of Strathclyde, Centre for Forensic Science offered a case study of its one-year MSc Forensic Science programme.
The paper discusses innovative teaching practices, including the online, practical, and interactive resources and activities that helped remote learners to understand the material they would need to advance. Both long-term teaching practices and temporary pandemic responses are covered.
In England, Staffordshire University’s Rachel S.Bolton-King explored “Student mentoring to enhance graduates’ employability potential.” Conducted over three years, the “subject-specific, classroom-based, voluntary extra-curricular” mentoring scheme saw almost 400 first-year undergraduate students mentored by 26 more advanced undergrads, including via remote means during the COVID-19 pandemic. The research supports a framework enabling mentors to identify skills alignment with prospective employers’ requirements.
Finally, the Leahy Center for Digital Forensics & Cybersecurity ran a series on various career fields relevant and adjacent to digital forensics:
- Erik Biedrzycki wrote about working as an IT technician.
- Mohammed Hussein discussed building a cyber range.
- Colin Westgate described creating a new ticket system for the center.
- Ryan Harvey wrote about learning Elastic.
- Internships were the focus of blogs by Damion Lyman, Jacob Mayotte, Reece Cristea, and Michael Coyne.