Challenges Digital Forensic Investigators Face

Challenges DFIs Face

#forensics #cyberlaw #business

In a world where everything is becoming connected through the Internet of Everything (IoE), it will become difficult to distinguish what is real from what is fake. As more things become connected, there are more opportunities for those things to become cyber-targets used to disrupt, deceive, prevent or threaten people, processes and technologies. It is these challenges that Digital Forensic Investigators (DFIs) must overcome if a DFI is to determine whether any loss of confidentiality, availability or integrity has occurred. As humanity moves forward in time, the need to ensure the confidentiality, availability, and integrity of data will grow and continue to be a challenge. To resolve these challenges, cybersecurity practitioners need to work with governments, corporations, and people at all levels to help them understand the need for a well-defined architecture based upon science, standards, and processes [2]. The United Nations [10] recommends following the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) [4], which provide such standards. There are additional well-known standards, such as NIST's Forensic Science reference materials and standards [7]; however, ISO/IEC 27037:2012 is internationally the most widely accepted standard [4].

Defining standards and processes is not the only challenge DFIs will face. The proliferation of data will be massive, and the ability to hide data in plain sight will add to these challenges. One reason for this particular challenge is that DFIs will look for programs which hide data and not necessarily discover or analyze what is in the data. DFIs tend to focus on comparing hash sets and on the identification or exploitation of software rather than looking at the actual data. Adding to the ease of hiding data, most DFIs are unable to determine whether any hidden data was placed onto a thumb/USB drive or even into the cloud. Currently there are very few products on the market which DFIs can leverage to ascertain this information; however, there is one product with this capability. RSAS, the Removed Steganography Application Scanner, is an open source tool hosted on GitHub which is used for forensic steganalysis triage and is able to determine whether an application was ever run, installed or deleted on a particular target [9].
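The point above, that a hash-set comparison only says whether a file is already known and says nothing about what the bytes contain, can be shown with a small triage script. The example below is added here and is not code from the post or from the RSAS project: it hashes a file against a constructed known-good set, then also looks at the content itself for the simplest kind of hidden-in-plain-sight data, bytes appended after a JPEG's end-of-image marker. The sample files and the hash set are constructed inline; a real triage would use a reference hash set such as NSRL and more content checks than this one.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed sample files. KNOWN_GOOD_JPEG is a minimal JPEG-shaped byte
# string (SOI, APP0 marker, padding, EOI). TAMPERED_JPEG is the same file
# with bytes appended after the EOI marker: image viewers still open it.
KNOWN_GOOD_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
TAMPERED_JPEG = KNOWN_GOOD_JPEG + b"secret payload appended after EOI"
UNKNOWN_CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x01" * 16 + b"\xff\xd9"

# Constructed hash set of known-good files (values computed locally here;
# a real triage would load a reference set such as NSRL).
KNOWN_HASHES: Dict[str, str] = {
    hashlib.sha256(KNOWN_GOOD_JPEG).hexdigest(): "logo.jpg",
}


def hash_set_lookup(data: bytes) -> Optional[str]:
    """Name of the known file this content matches, or None if unseen."""
    return KNOWN_HASHES.get(hashlib.sha256(data).hexdigest())


def trailing_bytes_after_eoi(data: bytes) -> int:
    """Number of bytes after the last JPEG EOI marker (FF D9).
    Returns -1 when the data does not look like a JPEG at all."""
    if not data.startswith(b"\xff\xd8"):
        return -1
    idx = data.rfind(b"\xff\xd9")
    if idx < 0:
        return -1
    return len(data) - (idx + 2)


def triage(name: str, data: bytes) -> dict:
    """Combine the hash-set verdict with a look at the actual bytes."""
    known = hash_set_lookup(data)
    trailing = trailing_bytes_after_eoi(data)
    return {
        "name": name,
        "known_file": known,
        "trailing_bytes": trailing,
        # Hash-set matching alone only says "unknown"; the content check
        # says why the file deserves a closer look.
        "suspicious": known is None and trailing > 0,
    }


def scan(files: Dict[str, bytes]) -> List[dict]:
    """Triage every file in a name -> bytes mapping."""
    return [triage(name, data) for name, data in files.items()]


if __name__ == "__main__":
    # Constructed evidence set: one known file, one tampered, one merely new.
    SAMPLE = {
        "logo.jpg": KNOWN_GOOD_JPEG,
        "photo.jpg": TAMPERED_JPEG,
        "new.jpg": UNKNOWN_CLEAN_JPEG,
    }
    for result in scan(SAMPLE):
        print(result)
```

Note that `new.jpg` is also absent from the hash set, yet it is not flagged: the hash mismatch alone would put it in the same bucket as `photo.jpg`, and only the content check separates the two.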

Additional challenges include the lack of a plan to incorporate digital forensics into an organization. Without a defined plan, organizations will not be able to identify the types of information needed for evidence or investigations. This lack of organizational buy-in often demonstrates the organization's lack of forensic readiness or policy. Unfortunately, many organizations leave digital forensic planning to the legal system and law enforcement organizations, which has led to the ever-growing backlog of court cases [5]. Adding to the backlog, there is an increasing gap in the complexity of digital evidence [6] and a growing gap in identifying and hiring qualified staff to perform digital forensics. As the backlog grows, so do the cost implications, not only for performing the forensics but for the administrative processes as well. Lacking their own governance and standards, these organizations should leverage the standards defined by ISO/IEC, NIST and other governing bodies to help ensure the organization meets all regulatory or legal requirements. In particular, every organization should be familiar with its compliance or regulatory requirements, such as litigation hold requirements, release or disposal of court-ordered data, retention and disposal schedules, storage and disposition costs, disaster and emergency recovery, and dealing with individual or organizational disciplinary issues [5]. There are still many more challenges a DFI needs to address. Other challenges include ensuring DFIs are properly trained, are using the correct equipment, and are knowledgeable about the platform [6].

One of the more recent and relevant challenges for DFIs is performing forensic investigations in the cloud. Cloud forensics is a little different from the days of on-premise or data center forensics. In the cloud there is more ephemeral data, and if a cloud service is turned off, deleted, or closed, all of that data can easily become non-recoverable, as ephemeral data is stored on volatile drives. Another challenge with the cloud is the inability to make a forensic image. To remedy this, an identical 'snapshot' can be created; however, this is not the same bit-by-bit copy a DFI would get from a physical image [3]. Because of the cloud, understanding the location of the data prior to conducting any digital forensic investigation is a requirement. This is necessary because the most important or crucial element to ascertain is who has legal jurisdiction. Until the DFI knows which statutory or legal requirements apply, the DFI does not know what standards or processes to follow [1]. To overcome many of the technical challenges, especially as they relate to the cloud, Pourvahab & Ekbatanifard [8] proposed a digital forensic architecture based on software defined networks (SDN) and the blockchain to ensure the reliability of evidence in the cloud. With this architecture, authentication is performed by an authentication service that verifies and validates the requestor. Once authenticated, the requestor is provided with a set of keys based upon blockchain technology. If a key is tampered with, a simple hash analysis will determine whether any of the data has been modified. Additionally, with a blockchain key, an individual is unable to repudiate the use of the credential [8].
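The "simple hash analysis" that the paragraph above relies on is easy to make concrete. The example below is added here; it is not code from the post or from the Pourvahab & Ekbatanifard architecture, but a reduced illustration of the same idea: each custody record carries the SHA-256 of an evidence item (a cloud snapshot, a log export) plus the hash of the previous record, so re-deriving the chain detects any modification of either the evidence or the ledger. The evidence bytes, the investigator name and the collector key are all constructed placeholders. The HMAC stands in for the per-requestor key the authentication service would issue; it proves the record was written by a key holder, but a real deployment would use an asymmetric signature per investigator, since a shared-secret MAC alone does not give non-repudiation.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed evidence items standing in for a cloud volume snapshot and a
# log export; the bytes are placeholders, not real captures.
EVIDENCE: Dict[str, bytes] = {
    "snapshot-vol-0001": b"constructed bytes of an exported volume snapshot",
    "auth-log-export": b"constructed bytes of an exported authentication log",
}
# Constructed per-collector key, a stand-in for the credential issued to a
# verified requestor by the authentication service.
COLLECTOR_KEY = b"constructed-demo-key-for-investigator-jdoe"

CORE_FIELDS = ("item_id", "evidence_sha256", "collector", "prev_hash")
GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_hash(record: dict) -> str:
    """Hash of the canonical JSON of the core fields; prev_hash is among them,
    so every record commits to the whole chain before it."""
    core = {k: record[k] for k in CORE_FIELDS}
    return sha256_hex(json.dumps(core, sort_keys=True).encode())


def append_record(ledger: List[dict], item_id: str, data: bytes,
                  collector: str, key: bytes) -> dict:
    """Add a custody record for one evidence item to the hash-chained ledger."""
    record = {
        "item_id": item_id,
        "evidence_sha256": sha256_hex(data),
        "collector": collector,
        "prev_hash": ledger[-1]["record_hash"] if ledger else GENESIS,
    }
    record["record_hash"] = record_hash(record)
    # The collector's key authenticates the record (see the lead-in on why a
    # signature would replace this MAC in practice).
    record["mac"] = hmac.new(key, record["record_hash"].encode(), "sha256").hexdigest()
    ledger.append(record)
    return record


def verify_ledger(ledger: List[dict], evidence: Dict[str, bytes],
                  key: bytes) -> List[str]:
    """Re-derive every hash and MAC; return the problems found (empty = intact)."""
    problems: List[str] = []
    prev = GENESIS
    for rec in ledger:
        if rec["prev_hash"] != prev:
            problems.append(f"{rec['item_id']}: chain link broken")
        if rec["record_hash"] != record_hash(rec):
            problems.append(f"{rec['item_id']}: record fields modified")
        expected_mac = hmac.new(key, rec["record_hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(rec["mac"], expected_mac):
            problems.append(f"{rec['item_id']}: MAC invalid")
        data = evidence.get(rec["item_id"])
        if data is None or sha256_hex(data) != rec["evidence_sha256"]:
            problems.append(f"{rec['item_id']}: evidence bytes modified or missing")
        prev = rec["record_hash"]
    return problems


def demo() -> Dict[str, List[str]]:
    """Build a ledger over the constructed evidence, then show tampering being caught."""
    ledger: List[dict] = []
    for item_id, data in EVIDENCE.items():
        append_record(ledger, item_id, data, "investigator-jdoe", COLLECTOR_KEY)
    results = {"intact": verify_ledger(ledger, EVIDENCE, COLLECTOR_KEY)}

    # Case 1: the snapshot bytes change after collection.
    modified = dict(EVIDENCE)
    modified["snapshot-vol-0001"] = EVIDENCE["snapshot-vol-0001"] + b"\x00"
    results["evidence_modified"] = verify_ledger(ledger, modified, COLLECTOR_KEY)

    # Case 2: someone rewrites who collected the first item inside the ledger.
    forged = [dict(r) for r in ledger]
    forged[0]["collector"] = "someone-else"
    results["record_forged"] = verify_ledger(forged, EVIDENCE, COLLECTOR_KEY)
    return results


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, "->", found or "OK")
```

The chain only proves integrity from the moment a record is written; it says nothing about what happened to a snapshot before collection, which is why the paragraph's point about establishing data location and jurisdiction first still stands.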

However, of all the challenges identified, addressing the cultural lag may be the biggest challenge of them all. This cultural lag is driven by a lack of understanding of technology in the culture, and therefore a lack of ethical, let alone moral, guides. Individuals need to understand that they will be held accountable for their actions; this includes what is posted on social media, any harm resulting from an issue or incident, and sharing what is not rightfully theirs to share [6]. Fifty years ago, in the US, there were no laws protecting children involved in pornography; today there are several [11]. What is important to understand is that laws can change, and they should change with the times. It is time for regulators and policy makers to understand that manufacturers and developers must build their products and services with cybersecurity and, more importantly, with digital forensics included from the beginning. Unfortunately, without regulatory or compliance requirements in place, most manufacturers and developers will only build products or services with the level of security, privacy, or investigative capability required by their board and stakeholders. In a globally connected world, this level of requirement is not enough, especially when knowing the true identity of the individual or of the data is the most crucial part of the equation.

Cited Sources

[1] https://doi-org.proxy1.ncu.edu/10.1186/s13677-019-0133-z

[2] https://phys.org/news/2015-03-digital-forensics.html

[3] https://doi-org.proxy1.ncu.edu/10.1109/ICITECH.2017.8080060

[4] https://www.iso.org/standard/44381.html

[5] https://search-ebscohost-com.proxy1.ncu.edu/login.aspx?direct=true&db=tsh&AN=129094137&site=eds-live

[6] https://search-ebscohost-com.proxy1.ncu.edu/login.aspx?direct=true&db=tsh&AN=128601829&site=eds-live

[7] https://www.nist.gov/topics/forensic-science/reference-materials-standards-and-guidelines/reference-materials-and

[8] https://doi-org.proxy1.ncu.edu/10.1109/ACCESS.2019.2946978

[9] https://github.com/nicolatalin/rsas

[10] https://www.unodc.org/e4j/en/cybercrime/module-4/key-issues/standards-and-best-practices-for-digital-forensics.html

[11] https://www.ussc.gov/sites/default/files/pdf/research-and-publications/research-projects-and-surveys/sex-offenses/20091030_History_Child_Pornography_Guidelines.pdf