by James Zjalic
When most people think of digital forensics they think of CSI Miami: hackers in hoodies and Mission Impossible style biometrics. Beneath that superficial exterior, however, there is a framework of laws, regulations, best practices, guidelines, and standards which holds the field together.
This framework has never been under as much scrutiny as it is today, with the UK government mandating the international ISO/IEC 17025 standard [1] for all laboratories handling evidence destined for the courts, the ongoing battles between large Silicon Valley companies and law enforcement over encrypted messaging, and Apple's recent announcements regarding the security features of its latest operating system and the iPhone X.
Digital forensic legislation can be split into two distinct areas: the law itself (such as PACE, the Human Rights Act and the Regulation of Investigatory Powers Act) and the guidelines created for practitioners to follow (such as the ACPO and ENFSI guidelines) [2]. The mandating of ISO/IEC 17025 has blurred the line between these two worlds.
Seizure
Seizure of evidence is often the most important "legal" aspect of an investigation: it is the first step in creating a chain of custody, and it crosses over into many other areas of policing, so a great deal of legislation surrounds it. The best-known act is the Police and Criminal Evidence Act 1984 (PACE) [3], which consolidates police powers under one act and balances them against the rights of the general public. It includes provisions allowing the data on a device seized from an individual suspected of committing an offence to be examined. This encompasses devices such as computers, mobile phones, Fitbits, and cameras.
But what if the device is password protected? This is where Part III of the Regulation of Investigatory Powers Act 2000 (RIPA) [4] comes into effect. It gives the UK authorities powers to compel the disclosure of encryption keys (for example computer passwords and mobile PIN codes); failure to comply carries up to two years in prison, or five years if the case involves national security or child indecency.
What does the arrival of Apple's facial recognition unlock mean for disclosure? As the system is simply another way of protecting the encryption key, an individual can be compelled to look at their phone and unlock it, or face the same punishment as for refusing to give up a PIN code. While that gives an advantage to one side, the new iOS requires the passcode to be entered before a computer is trusted, rather than the simple "Trust / Don't Trust this computer" prompt of the past. Because viewing the SQLite databases extracted to a computer allows much faster and more focused investigation than manually scrolling through a phone, this could cause problems for examiners. So that's one for each side. The new feature that disables biometric unlock and demands the passcode when the side button is pressed five times [5] is another plus for the criminal, so the game finishes 2-1 to the bad guys.
Ensuring that the devices obtained during a seizure are relevant to the investigation is essential, as directed by the Human Rights Act [6] and the Data Protection Act [7], both of 1998. The former incorporates rights from the European Convention on Human Rights into UK law; the latter governs the processing of personal data and requires that it be used only for limited and specified purposes (i.e. the investigation at hand). The information must also be kept in a secure location and handled with discretion at all times.
Analysis
Once data has been collected it must be analyzed. Although maintaining the chain of custody through documentation is important throughout an investigation, from the seizure of evidence to the final report, the analysis stage is often overlooked in this regard because of the sometimes experimental nature of the work. Since the evidence is now in a static, safe, stored state, analysts may feel it is less necessary to keep the record going.
The reason for documentation at this stage is not so much chain of custody as scientific repeatability. For every method used, another expert performing the same examination should be able to obtain exactly the same results. This means documenting every search performed, together with the software, version and settings used.
Screenshots are a quick and efficient way of providing clear documentation, but they must be organized and annotated accordingly. The Criminal Procedure and Investigations Act 1996 (CPIA) [8] regulates the recording and retention of material gathered during an investigation. Material which was seized but not used must still be retained and, where it might undermine the prosecution case or assist the defence, disclosed.
Until now there has been no real crossover between the scientific aspects of forensics, the best practices, and the law. The mandating of ISO/IEC 17025 is where this has changed: although other forensic disciplines have already been compelled to obtain it, only now is digital forensics coming under the regulator's watchful gaze. Achieving the standard demonstrates the general competence of a testing laboratory through the control of data, validation of methods, quality assurance, proper documentation, stated limitations of tests and more. Recent surveys have shown that the digital forensic community is split on the implementation and effectiveness of such a standard [9].
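As an added illustration of what "repeatable" means in practice (example code, not part of the original article or any named tool): a minimal examination log that records the evidence hash before and after the work, the tool name, version and every setting, and a hash of the results, so that a second examiner can re-run the method and compare records. The evidence file, the keyword list, and the tool name and version string are constructed here for the example and are not real.

```python
"""
Added example, not from the original article: a reproducible examination
record. Everything another expert needs to repeat the work is captured:
evidence hash before and after, tool and version, search settings, and a
hash of the results. Sample evidence is constructed inline so it runs offline.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

TOOL_NAME = "keyword_scan"   # hypothetical tool name, assumed for the example
TOOL_VERSION = "1.0.0"       # hypothetical version string


def sha256_file(path: str) -> str:
    """Hash the evidence in 1 MiB chunks so large images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def keyword_scan_bytes(data: bytes, keywords: list[str], case_sensitive: bool = False) -> list[dict]:
    """Deterministic search: one record per hit, sorted by offset then term."""
    haystack = data if case_sensitive else data.lower()
    hits = []
    for term in keywords:
        needle = term.encode() if case_sensitive else term.lower().encode()
        start = 0
        while (idx := haystack.find(needle, start)) != -1:
            hits.append({"offset": idx, "term": term})
            start = idx + 1
    return sorted(hits, key=lambda h: (h["offset"], h["term"]))


def keyword_scan(path: str, keywords: list[str], case_sensitive: bool = False) -> list[dict]:
    with open(path, "rb") as f:
        return keyword_scan_bytes(f.read(), keywords, case_sensitive)


@dataclass
class ExaminationRecord:
    evidence_path: str
    evidence_sha256_before: str
    tool: str
    tool_version: str
    settings: dict
    results_sha256: str
    evidence_sha256_after: str
    examined_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

    def repeatable_fields(self) -> dict:
        """Everything except the timestamp: two independent examinations must agree on this."""
        d = asdict(self)
        d.pop("examined_at")
        return d


def examine(path: str, keywords: list[str], case_sensitive: bool = False):
    """Run the search and produce the record; refuse to continue if the evidence changed."""
    before = sha256_file(path)
    settings = {"keywords": keywords, "case_sensitive": case_sensitive}
    hits = keyword_scan(path, keywords, case_sensitive)
    results_blob = json.dumps(hits, sort_keys=True).encode()
    after = sha256_file(path)  # re-hashing proves the examination did not alter the evidence
    if after != before:
        raise RuntimeError("evidence hash changed during examination")
    rec = ExaminationRecord(path, before, TOOL_NAME, TOOL_VERSION, settings,
                            hashlib.sha256(results_blob).hexdigest(), after)
    return rec, hits


def same_result(a: ExaminationRecord, b: ExaminationRecord) -> bool:
    """True when a second examiner's record matches the first apart from the timestamp."""
    return a.repeatable_fields() == b.repeatable_fields()


def demo() -> bool:
    """Constructed evidence: a small file standing in for an acquired image."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.bin")
        with open(path, "wb") as f:
            f.write(b"meeting at the warehouse\x00PASSWORD=hunter2\x00Warehouse keys")
        first, hits1 = examine(path, ["warehouse", "password="])
        second, hits2 = examine(path, ["warehouse", "password="])
        return same_result(first, second) and hits1 == hits2 and len(hits1) == 3


if __name__ == "__main__":
    print("repeatable:", demo())
```

The record deliberately excludes anything non-deterministic (the timestamp is kept separately), so a mismatch between two records points at a real difference in evidence, tool, version or settings rather than at when the work was done.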
Guidelines
And finally, guidelines. These are the glue holding the framework of legislation together. Although not legally binding, they fill the gaps which standards and laws leave, and they are one of the most important aspects of proper practice in digital forensics.
The most respected within the UK is the ACPO Good Practice Guide for Digital Evidence (the latest edition was released in 2012) [10], as it covers every stage of an investigation. The document was written with the police in mind by people who understand the field, it is specific to digital forensics rather than a one-size-fits-all approach, and if followed correctly it encompasses all of the laws and standards discussed above.
For device- or technique-specific cases, many scientific working groups and standards bodies provide guidelines created by, and for, those working within the field. Some of the most respected include the Scientific Working Group on Digital Evidence (SWGDE), the National Institute of Standards and Technology (NIST) and the European Network of Forensic Science Institutes (ENFSI).
So, returning to the framework analogy set out at the beginning of the article: the UK laws form solid bars which cannot be moved, replaced or broken. The ACPO Good Practice Guide provides the cement that holds these bars in place, and the technique-specific guidelines published by the other organisations are the superglue that fills any cracks or holes in the cement.
Although the future holds many challenges for practitioners due to changing legislation and emerging technology, if we stick to these guidelines we will not stray far from the road.
[1] Forensic Access, "Digital Forensics: Accreditation Required by October 2017." Sep. 2017.
[2] Anthony T. S. Ho and Shujun Li, Handbook of Digital Forensics and Multimedia Data Devices. UK: John Wiley & Sons, Ltd, 2015.
[3] UK Government, "Police and Criminal Evidence Act." 1984.
[4] UK Government, "Regulation of Investigatory Powers Act." 2000.
[5] BGR, "iOS 11 will make it impossible for cops to force you to unlock your phone."
[6] UK Government, "Human Rights Act." 1998.
[7] UK Government, "Data Protection Act." 1998.
[8] UK Government, "Criminal Procedure and Investigations Act." 1996.
[9] Scar, "Challenges of ISO 17025 Accreditation Survey Results."
[10] ACPO, "Good Practice Guide for Digital Evidence." 2012.
About The Author
James Zjalic is a Media Forensics Analyst and partner at Verden Forensics in the UK. His education includes a first-class Bachelor's degree in Audio Engineering and an expected Master's degree in Media Forensics from the National Centre for Media Forensics in Denver, Colorado. His research includes work on image authentication for the Pentagon's Defense Advanced Research Projects Agency (DARPA) and peer-reviewed publications on subjects including forensic acoustics and audio authentication.