An Evaluation of the Effectiveness of Digital Forensic Scientific Processes and Methodologies

#Forensics #Certifications #Forensic_Standards

Introduction

As someone who has spent over twenty years in information security, it was surprising to find a lack of usable and well-defined standards for digital investigators.  There are, however, a few standards for people, processes and technology, such as the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 17025 [10], ISACA's Digital Forensic Scientific Process [7], and the American Society of Crime Laboratory Directors (ASCLD).  Before the development of these standards, digital forensic specialists used the 2012 ISO/IEC 27037 to provide guidelines for the identification, collection, acquisition, and preservation of digital evidence [9].  Besides digital forensics being a new technology and industry, one reason for the lack of standardization is that the field has six technologically new and distinct branches: computer, software, database, multimedia, device and network forensics [3].  Unfortunately, these six branches, which were derived from forensic science, still lack a holistic process model to manage an all-encompassing, full-lifecycle methodology for digital forensic processing [14].

The goal of this paper is to provide the reader with an evaluation of the methods digital investigators are required to use when performing cyber forensic investigations.  This evaluation includes a description of the logical progression of an investigation from initiation through to a decision by a court.  The takeaway will provide the reader with an evaluation of the effectiveness of the people, processes, and technology used to provide digital forensic services, as well as the identification of any potential risks in digital forensic scientific processes.

The Process

Although the field of digital forensics is still rather new, there are several best practices and process models digital forensic specialists can use.  Some are very well known and leveraged across the globe; others are still maturing.  Models which are still maturing include the 2001 Scientific Crime Scene Investigation (SCSI) model for digital forensic investigation proposed by Lee and Un; the 2002 Abstract Digital Forensics Model proposed by Reith, Carr, and Gunsch; the 2004 Enhanced Integrated Digital Investigation Process (EIDIP) model proposed by Baryamureeba and Tushabe; and the 2004 Event-based Digital Forensic Investigation Framework proposed by Carrier and Spafford.  The risk in using these models lies in the holes in each of them, which must be taken into account if an investigation is to deliver the complete, detailed and evidential quality that most judicial arms of justice require [14].

There are, however, a few well-known industry and international standards, such as the ISACA Digital Forensic Scientific Process and ISO/IEC 17025.  The ISACA Digital Forensic Scientific Process solidifies the data collection, examination and analysis, and reporting processes.  It is based on a three-phased approach that covers the entire evidence-gathering procedure for digital forensics: data collection, examination and analysis, and reporting.  Within these phases, the analysis has four areas of focus: storage media; hardware and operating systems; and networks and applications.  The three-phased approach consists of a total of eight steps to perform the digital forensic scientific process.  Within the data collection phase there are three steps: obtain search authority, document the chain of custody, and hash and duplicate all evidence.  Within the examination and analysis phase there are also three steps: tool validation, perform the analysis, and reproduce for assurance.  The third and final phase consists of two steps: making conclusions and presenting expert testimony.  Before entering any three-phased approach to digital forensic processing, the organization needs to determine who should be the investigating body.  Organizations need to make this determination in order to follow evidence preservation considerations and to decide whether to bring in law enforcement or an external forensic professional.  To support this process, organizations must define policies for an enterprise cybersecurity program that cover who, when, and how to contact external entities such as law enforcement; monitoring of the enterprise; and regular review of forensic policies, guidelines, SOPs, and desktop procedures.  The output of this process provides a logical progression of events during the investigation from initiation through a court order [7].
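The data collection steps above (hash and duplicate all evidence, document the chain of custody) and the later "reproduce for assurance" step, shown as an added Python example that is not from the ISACA paper or this essay; the evidence bytes, case identifier and examiner names are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for acquired evidence; a real acquisition would read a
# device or an image file. The case identifier is made up for this example.
EVIDENCE = b"constructed sample disk image contents " * 64
CASE_ID = "CASE-EXAMPLE-001"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes, item_id: str, examiner: str) -> tuple[dict, bytes]:
    """Data collection: hash the source, make a bit-for-bit duplicate, hash the
    duplicate, and open the chain-of-custody log with the acquisition entry."""
    working_copy = bytes(source)
    source_hash = sha256_hex(source)
    copy_hash = sha256_hex(working_copy)
    custody = {
        "case_id": CASE_ID,
        "item_id": item_id,
        "source_sha256": source_hash,
        "log": [],
    }
    log_custody(custody, examiner, "acquired", copy_hash)
    if source_hash != copy_hash:
        raise RuntimeError("duplicate does not match source; acquisition failed")
    return custody, working_copy


def log_custody(custody: dict, who: str, action: str, observed_hash: str) -> None:
    """Document the chain of custody: who did what, when, and the hash observed."""
    custody["log"].append({
        "who": who,
        "action": action,
        "at": datetime.now(timezone.utc).isoformat(),
        "sha256": observed_hash,
    })


def reproduce_for_assurance(custody: dict, working_copy: bytes, examiner: str) -> bool:
    """Examination phase: re-hash the working copy before analysis and record the
    result. A mismatch means the copy can no longer be relied on as evidence."""
    observed = sha256_hex(working_copy)
    log_custody(custody, examiner, "verified", observed)
    return observed == custody["source_sha256"]
```

Every verification, including a failed one, is appended to the log, so the record shows when the copy was last known to match the original.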

The goal of ISO/IEC 17025 is to give forensic experts and specialists a way in which their laboratory consistently produces valid results.  The standard provides an internationally accepted methodology for assessing the risk arising from the customer, stakeholders, the facility/laboratory and the investigator.  The standard covers resourcing as well as the process for management requirements.  The resourcing is focused not only on the asset but also on the people, including education, capability and background requirements.  The process tracks the flow of how an item is tested and is very much in line with other ISO standards such as ISO 9001 for quality management, ISO 15189 for the quality of medical laboratories, and ISO/IEC 17024-1 to define the requirements for audit and certification [12].

ISO/IEC 17025 is a good start and provides a solid foundation for any organization involved in digital forensics.  However, this standard is only part of the equation, especially from the perspective of the individual and the individual's capability.  To address this gap, some organizations took up the challenge of standardizing the individual's expertise through specialized training and certification.  Like the ISACA process, ISO/IEC 17025 produces as its output a logical progression of events during the investigation from initiation through a court order.

The People

Several organizations certify individuals.  The International Association of Computer Investigative Specialists (IACIS) certifies the individual as a Certified Forensic Computer Examiner (CFCE) [4]; the International Society of Forensic Computer Examiners (ISFCE) provides the Certified Computer Examiner (CCE) certification [8]; and the Global Information Assurance Certification (GIAC) offers the Certified Forensic Analyst (GCFA) [11].  Initially, the IACIS's CFCE, established in 1989, was very exclusive: to achieve the certification, the candidate had to attend the Seized Computer and Evidence Recovery (SCER) training course, held at the Federal Law Enforcement Training Center (FLETC) in Georgia.  Since then, IACIS has expanded the qualifying training to include its own IACIS training as well as training approved by the Forensic Specialties Accreditation Board (FSAB).  Today the CFCE is one of the most widely recognized certifications used in the digital forensics industry [7].

Another well-known certification an individual can obtain is the ISFCE's CCE.  The CCE was developed in 2003 to boost the level of professionalism and to expand the field and science of computer forensics.  This certification is accepted in 28 countries, including the U.S., as it demonstrates the minimum competency level and a high forensic baseline for quality and ethical standards for a forensic computer examiner.  The benefit to the judicial system is that it provides a methodology for conducting research and development in new and emerging technologies as well as solidifying methods for digital forensics [8].

The GIAC series of certifications, established in 1999, has the broadest scope.  Currently, the GIAC series consists of over thirty distinct certifications in cyber defense, pen testing, incident response and forensics, management, audit and legal, development, and industrial control systems.  The benefit for forensic investigators in holding a GIAC certification is that it defines an investigator's area of specialization and subject matter expertise [11].

Unfortunately, even with the standards and certifications mentioned above, examiners are still making mistakes, and lots of them.  Based on a 2015 FBI report, investigators with the United States Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), the Innocence Project, and the National Association of Criminal Defense Lawyers (NACDL) identified that FBI investigators had misinterpreted forensic data over 90% of the time.  This misinterpretation of data at the FBI has been occurring for over 100 years of using well-defined processes and standards.  Therefore, the misinterpretation of forensic evidence is the biggest challenge facing forensic science.  Thankfully, technology is helping; however, it is only as good as those who interpret what the technology produces [2].

The Technology

When comparing certifications across people, processes, and technology, technology-specific certifications are the newest form of certification.  One of the industry leaders in vendor-specific technologies was created by Opentext™.  Opentext developed the EnCase™ Certified Examiner (EnCE), which can be obtained by public and private sector professionals to log the entire forensic lifecycle.  EnCase logs are widely recognized across the law enforcement, investigative and judicial communities [13].  For an investigator or specialist to achieve this certification, the applicant must have 12 months of working experience in computer forensics and have completed at least 64 hours of authorized computer forensic training.  The certification is completed in six steps across a two-phased exam consisting of 1) a written exam of 180 questions and 2) a practical application exam of 18 questions.  The biggest challenge and risk with this certification is that it lacks a code of ethics [5].

The next technical certification addressed is the AccessData Certified Examiner (ACE).  The ACE is less about a specific vendor and focuses on the several technologies that make up the Forensic Toolkit (FTK) [1].  The FTK is a collection of tools which perform deep email and packet analysis; file decryption to crack passwords or decrypt files; data carving with a configurable search engine; data visualization for analyzing textual data; web viewers to grant access to case files; Cerberus for malware detection; and optical character recognition (OCR) for converting images to readable text.  AccessData provides free downloads of both FTK and FTK Imager; however, there is a catch.  While FTK Imager is available for free indefinitely, FTK has a limited trial version and requires a license for unlimited use.  All of these tools are recognized and used by many legal, judicial and investigative organizations, including the SANS Institute's Digital Forensics and Incident Response (DFIR) community [6].

Cited Sources

[1] https://accessdata.com/training/computer-forensics-certification

[2] https://www.fbi.gov/news/pressrel/press-releases/fbi-testimony-on-microscopic-hair-analysis-contained-errors-in-at-least-90-percent-of-cases-in-ongoing-review

[3] https://doi.org/10.1016/j.diin.2018.01.010

[4] https://www.iacis.com/certification-2/cfce/

[5] https://resources.infosecinstitute.com/category/computerforensics/introduction/computer-forensics-certifications/

[6] https://resources.infosecinstitute.com/category/computerforensics/introduction/commercial-computer-forensics-tools/ftk-forensic-toolkit-overview/

[7] http://www.isaca.org/Knowledge-Center/Research/Documents/Overview-of-Digital-Forensics_whp_Eng_0315.pdf

[8] https://www.isfce.com/certification.htm

[9] https://www.iso.org/standard/44381.html

[10] https://www.iso.org/publication/PUB100424.html

[11] https://www.giac.org/certification/certified-forensic-analyst-gcfa

[12] https://www.iso.org/news/ref2250.html

[13] https://www.opentext.com/products-and-solutions/services/training-and-learning-services/encase-training/examiner-certification

[14] https://search-ebscohost-com.proxy1.ncu.edu/login.aspx?direct=true&db=tsh&AN=124282827&site=eds-live

Max Justice