Jasmin, you are currently an independent researcher, consultant, and ICT expert witness in the digital forensics domain – can you tell us more about your work?
My main job is with the Cantonal police, where I lead a large ICT department. On the other side, I am a university assistant professor, teaching students in a few IT courses.
I also lecture in summer and winter schools about digital forensics and information security, focusing on digital evidence and the digital forensic investigation process. For more than 10 years, I have participated in the digital investigation process as an independent (court) ICT expert witness. The focus of my interest and research is on digital evidence and the digital chain of custody.
You've been in digital forensics a long time; how did you first become interested in digital forensics as a scientific field?
My interest in digital forensics arose about 15 years ago, when I had my first conversation with a few judges about one criminal case (computer crime). I gave them technical advice and wrote the report for this case, and after that I realized that besides the technical aspects it is necessary to know the legal side and criminal procedures. It was interesting for me; I did a lot of research at that time, visiting big universities in this part of the world and trying to find various books focusing on computer forensics in the bookstore located on the campus of one of them. I started browsing some of these books, and after that I have been “in love” with digital forensics. In 2008, I started my PhD study, met my mentor and, after a long, long conversation and a lot of coffee, I had a topic for my dissertation.
In 2014 I completed my doctoral studies and got my PhD. I have published over 40 scientific papers and a few books about the problem of the chain of custody of digital evidence.
Could you tell us about some of the things you are working on at the moment?
As I already said, the focus of my research is digital evidence and standardization, not only of digital evidence but also of the metadata of the chain of custody. The concept of CoC is very old, but very often forgotten in the digital forensic investigation.
We must always know the answers to the old journalist's questions, the 5Ws&1H (what, who, where, why, when and how), when we deal with digital evidence! Why is this so important? Because digital evidence is specific: it differs from “other” evidence, and can be altered, destroyed, or deleted very easily. In my early work, I recommended the DEMF framework; it presents very useful models for persons conducting digital investigations (investigators, prosecutors, judges, lawyers, etc.). The framework is based on the 5Ws&1H and uses an ontology. After that, I implemented DEMF as a Java application to prove the concept!
You have spoken about the need for standardisation in digital evidence meta-data. Could you elaborate on your views for our readers?
In addition to the exchange of digital evidence, it is also necessary to exchange the so-called “5Ws&1H data”, the metadata that are key to identifying the chain of custody. This is necessary because of the large number of factors that can influence the evidence and undermine the integrity of digital evidence, after which the evidence will not be accepted by the court. The need for the standardization of the metadata exchange procedures and processes that ensure the chain of custody has emerged as a necessity, and the realization of DEMF (Digital Evidence Management Framework) is a possible solution.
The DEMF framework, in addition to maintaining a chain of evidence, ensures the integrity and inviolability of digital evidence, as well as the proof of the 5Ws&1H, which is the strict procedure on which the courts insist (the Daubert principle). At every moment, we must know what, who, where, when, why and how digital evidence has been accessed.
Given that a large number of participants are involved in this process (from investigators to court attorneys, court experts, prosecutors, judges, police officers, bystanders and the like), there will be a large amount of data, and at every single step of the chain all of it must be collected. DEMF, as the proposed framework but also as a finished solution, offers complete control of digital evidence management. In addition to metadata exchange, it also offers control of the digital evidence itself and proves its inviolability and integrity, which is most important in the forensic investigation.
You have mentioned the term “DEMF” several times, what does “DEMF” stand for and what will it bring to the forensic community?
Yes, indeed: DEMF (Digital Evidence Management Framework) was, a few years ago, my idea and conceptual framework for digital evidence management. DEMF not only allows recording and managing the chain of evidence at all stages of the digital forensic investigation, but also ensures the integrity of the digital evidence itself. It also enables packing all of the 5Ws&1H data together with the digital evidence and then securing it with the help of powerful AES256 encryption.
The model can be applied and used in digital investigations when we want to prove that the evidence was not altered and that it is known at any time when, where, why, how and by whom the digital evidence was handled throughout its life cycle.
The power of DEMF is not just the chain of custody and the assurance of metadata integrity, but also the possibility of preserving the whole case (the digital evidence and its metadata), together with the chain-of-evidence metadata, in one container. The so-called container or “.demf” file is additionally secured with AES256 encryption, allowing full protection. This practically means that when evidence is exchanged between the participants in the digital forensic investigation process, the digital evidence itself, its metadata, and the metadata needed to prove the chain of custody are exchanged together. On the other hand, DEMF's strength lies in the fact that this tool has integrated fully functional forensic tool features, because the tool reads data from the digital evidence with the help of built-in libraries.
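The sealed container described in the answer above, as an added illustration that is not part of the original interview and is not DEMF's own code: a Go program that packs evidence bytes, their SHA-256, and a hash-chained list of 5Ws&1H custody entries into one JSON container and seals it with AES-256-GCM from the standard library. The JSON layout, the hash chain, the choice of GCM mode, and every type and function name (CustodyEntry, Container, Seal, Open, Verify) are assumptions made here; the interview only says that the .demf file carries the evidence plus its chain-of-custody metadata and is AES256-encrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// CustodyEntry is one 5Ws&1H handling record; Prev chains it to the entry before it.
type CustodyEntry struct {
	What, Who, Where, When, Why, How string
	Prev, Hash                       string // hex SHA-256: link to previous entry, and over all fields above
}

// Container is the assumed (not DEMF's real) plaintext layout of a sealed case file.
type Container struct {
	EvidenceName, EvidenceSHA256 string
	Evidence                     []byte // base64 in JSON
	Chain                        []CustodyEntry
}

// entryHash length-prefixes each field so text moved between fields cannot collide.
func entryHash(e CustodyEntry) string {
	h := sha256.New()
	for _, f := range []string{e.What, e.Who, e.Where, e.When, e.Why, e.How, e.Prev} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

func NewContainer(name string, evidence []byte) *Container {
	sum := sha256.Sum256(evidence)
	return &Container{EvidenceName: name, EvidenceSHA256: hex.EncodeToString(sum[:]), Evidence: evidence}
}

// AppendEntry links a record to the chain; the first entry is anchored to the evidence hash.
func (c *Container) AppendEntry(e CustodyEntry) {
	e.Prev = c.EvidenceSHA256
	if n := len(c.Chain); n > 0 {
		e.Prev = c.Chain[n-1].Hash
	}
	e.Hash = entryHash(e)
	c.Chain = append(c.Chain, e)
}

// Verify recomputes the evidence hash and walks the chain link by link.
func (c *Container) Verify() error {
	sum := sha256.Sum256(c.Evidence)
	prev := hex.EncodeToString(sum[:])
	if prev != c.EvidenceSHA256 {
		return fmt.Errorf("evidence bytes do not match recorded SHA-256")
	}
	for i, e := range c.Chain {
		if e.Prev != prev || entryHash(e) != e.Hash {
			return fmt.Errorf("entry %d: chain broken or custody metadata altered", i)
		}
		prev = e.Hash
	}
	return nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key))
	}
	block, _ := aes.NewCipher(key) // key length already validated
	return cipher.NewGCM(block)
}

// Seal encrypts the JSON container with AES-256-GCM (random nonce prepended); the GCM tag authenticates the whole blob.
func Seal(c *Container, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, _ := json.Marshal(c) // plain exported fields: cannot fail
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Open decrypts and authenticates the blob, then verifies the chain of custody.
func Open(blob, key []byte) (*Container, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	plain, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return nil, fmt.Errorf("container rejected: %w", err)
	}
	var c Container
	if err := json.Unmarshal(plain, &c); err != nil {
		return nil, err
	}
	if err := c.Verify(); err != nil {
		return nil, err
	}
	return &c, nil
}
```

Two properties of the page's argument are checked separately here: GCM's authentication tag rejects any modification of the sealed blob in transit, while the hash chain inside the container lets a party who legitimately holds the key still prove that no earlier 5Ws&1H entry was edited, dropped or reordered after the fact. Key distribution between investigators, prosecutors and the court is deliberately out of scope.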
You also have written a lot of scientific papers and a few books for students. What would you say is the biggest challenge for new students in the digital forensics domain?
I think that there are a few “fronts” in the digital forensic domain. We cannot see digital forensics as something that is closely related only to the police and criminal investigation. Digital forensics is also related to information security, and when everything else fails, digital forensics comes into play.
On the other side, today banks, insurance companies and corporations need digital forensics, and there are a lot of open questions and problems to resolve, from standardisation to acceptability, and the challenge of dealing with big data, IoT, cloud and new embedded systems. Students and young people who want to “step into the magical world of digital forensics” must choose their own way, take a small piece of the cake and eat it.
Finally, what do you enjoy doing in your spare time?
Unfortunately, I do not have a lot of “free time”. I usually share my free time with my family; I have a beautiful wife and two beautiful daughters. I enjoy spending time with them; it relaxes me and recharges my batteries. On the other side, my hobbies are mountain biking, hiking and droning; I love to explore untouched nature and fly my drone over it.
Jasmin Cosic was born in Bosanska Krupa, Bosnia and Herzegovina. He received his B.S. and M.A. degrees in software engineering from the Faculty of Information Technology, University of Mostar, Bosnia and Herzegovina, and a Ph.D. degree in Information and Communication Science from the Faculty of Organisation and Informatics, University of Zagreb, Croatia, in 2014. Since 2008, he has been an assistant and later an assistant professor teaching a few IT courses. He has been a Court Expert Witness for ICT and an independent researcher for more than 10 years. He has published over 40 scientific papers, two books and one book chapter in the digital forensic domain. His research interests are digital forensics, information security, privacy, databases and computer networks.