The Data Specimen is the Blood of Cyber Forensics

At first glance, one would assume that the only common thread that runs between a forensic lab that analyzes blood samples, fingerprints and DNA evidence, and a Cyber forensic lab that analyzes data is that both processes verify the facts that assist in the resolution of a civil or criminal proceeding.

However, the basic principles of forensic work pertain to every area of forensic science. In fact, your favorite celebrity charged with a DUI (Driving under the Influence) offense and, perhaps, some of the most nefarious cyber criminals will be prosecuted or vindicated via the very same forensic methods and principles. A thorough and well executed forensic investigation will shed light upon both intricate and obscure cases, and complicated crime scenes.

For the sake of comparison, some of the obstacles that interfere with the successful prosecution of a DUI offense are fundamentally akin.

Indeed, there are core issues in Cybercrimes that will both mimic and mirror the skill and tact a forensic expert needs to employ in order to amass evidence that is infallibly admissible in a court of law.

First and foremost, a forensic investigator will be required to ask the following questions:

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

• How does a law enforcement officer know that he/she is monitoring a possible DUI offense?
• How can he/she verify that he/she witnessed indicators of a possible DUI offense?
• Once he/she has pulled over a suspect, what right does he/she have to inspect the suspect’s vehicle?
• What methods can he/she use to prove that the suspect is intoxicated?
• Did the officer follow guidelines and procedures in respect of the incident?
• Does the officer have records that prove he/she conducted himself/herself within the letter of the law?

If, for example, the officer pulled over the suspect based solely on racial profiling, we would find the remainder of the evidence provided by this officer questionable at best, and possibly inadmissible altogether.

In the likelihood that the officer did, in fact, find alcohol in the vehicle, yet, he did not obtain a warrant to conduct a substance search. The presence of alcohol in this vehicle may bear no weight on the criminal proceeding.

Officers are required to be trained in SFST (Standard Field Sobriety Tests), should an officer not conduct a complete and recorded test, his negligence will override his testimony in a court of law.

In order to substantiate the DUI offence scientifically, one should endeavor to perform a complete Toxicological examination.

Now, this examination is not as simple as drawing blood, and then banking on the results to confirm a DUI offence. Blood can become easily contaminated and the evidence that would have, otherwise, been conclusive may in actuality advocate on behalf of the suspect.

An officer who does not back-up his evidence with tamper-proof video footage of the incident will, ultimately, hamper the possibility of a conviction. Clearly, a forensic investigator relies on the smooth operations of law enforcement, and his, or her, own expertise, to handle fragile evidence, effectively and efficiently.

Technology can be used as a tool with which to commit a crime, alternatively, a crime can be committed within a technological infrastructure. This is known as Cybercrime.

An example of technology being used as a tool to commit a crime is harassment, bribery, or extortion via email. Forced network intrusions (Hacking) and data theft are, unfortunately, common examples of Cybercrimes that have had catastrophic repercussions on the world’s economy.

A Cyber Forensic investigator who investigates an act of an illegal network intrusion will have to gather evidence and ask similar, if not identical, questions to an investigator who investigates a DUI offense. After all, a network intrusion is the illegal abuse of network, or internet traffic.

Hereunder is a translation of the DUI investigators questions into ‘Cyber semantics’ for the Cybercrime investigator:

• How does the law enforcement officer know that he/she is monitoring illegal electronic transactions?
• What indicators signal a possible network intrusion?
• Can he/she identify the user or suspect involved in the network intrusion?
• Once a user is identified, what rights do law enforcement officers have to search for, preserve and document the electronic evidence?
• What methods can be employed to prove that the suspect performed an illegal network intrusion?
• Did the officer follow guidelines and procedures in respect of the incident?
• Does the officer have records that document the “chain of custody” to ensure that the evidence has not been tampered with in any way?

Monitoring an illegal electronic operation or intrusion can be exceedingly difficult.

Nowadays, most employees have the ability and are encouraged to log on to their companies’ networks remotely, for the sake of ‘after hours’ productivity.

As the availability of data becomes accessible from almost anywhere in the world, so does the risk of network intrusion and data theft increase. One has to implement sophisticated tools and software in order to identify the source of network intrusion, and law enforcement officers have to be trained in the tracking of cybercriminals.

In order to have a fighting chance at identifying cybercriminal activity, IT officers are required to adhere strictly to regulations and procedures and carefully monitor internet usage in order to identify activities that do not fall within the range of regular practices (anomalies).
Law enforcement officers have to be aware of the parameters within which the law allows them to perform the following actions in respect of evidence:

• search for the evidence
• preserve the evidence
• document the related data as evidence

Immediate action is often required in order to prevent the tampering of data.

Therefore, a process of expedient ‘court ordered’ warrants need to be in place if there is any hope in the successful prosecution of cybercrimes.

The “Data specimen” is the very blood of cyber forensics, just as blood can become contaminated fairly easily, so too, can data be corrupted, deleted and even erased.

The ineffective storage of evidentiary data can lead to the vindication of cybercriminals. One should never underestimate the recording and documentation that goes hand in hand with the admissibility of evidence in a cybercrime.

If the “chain of custody” is documented inaccurately, and the data evidence is left unsupervised for even a moment, the data becomes fallible and inadmissible in court.

Cyber forensics is not brain surgery, but a cyber-investigator has to be precise, exact and skilled in order to perform a professional investigation.

As technology advances and improves our quality of life, we need to bear in mind that cybercriminals advance and find numerous ways to intrude and attack our “sophisticated” security systems.

One has to be alert and adhere to ‘best practices’ when generating sensitive information, surfing the internet, or sharing experiences on social network sites.

Just as one should steer clear of drivers who don’t seem to have good control of their vehicles, one should veer away from dodgy, yet luring, internet sites, and one should think twice before uploading valuable data.

Released by Leib Melamed (+27 82 771 8683 / +27 82 444 3661)
DFI Managing Director,
BS Administration and Management with a concentration in Finance (Touro College – USA)

Leave a Comment

Latest Videos

Digital Forensics News Round-Up, June 19 2024 #dfir #digitalforensics

Forensic Focus 19th June 2024 2:46 pm

Digital Forensics News Round-Up, June 19 2024 #dfir #digitalforensics

Forensic Focus 19th June 2024 2:14 pm

Digital Forensics News Round-Up, June 12 2024 #dfir #digitalforensics

Forensic Focus 12th June 2024 5:51 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles