Digital forensics investigations play a vital role in uncovering digital crimes. This includes both crimes targeting computer systems and crimes that use computer systems to facilitate an offence. Because of its importance in cyberspace, significant advances have been made in its techniques, processes and standards, and today digital forensics investigations can be applied to complex crimes involving multiple offenders and multiple locations. Even so, current techniques, processes and standards face many challenges that limit their effectiveness (Lillis et al. 2016). This paper evaluates these challenges and provides recommendations that can be implemented to improve the effectiveness of existing digital forensic processes.
The Impact of Cybercrime on Typical Digital Forensics Investigations
The growing variety of cybercrime drives every effort to develop digital forensics as a field; in other words, the discipline exists in order to combat cybercrime. However, because digital crime constantly changes, digital forensics processes must change with it (Watson and Dehghantanha 2016).
The following are some of the impacts of changing cybercrime trends on digital forensics investigations.
- Changes in crime techniques require that tools also change to close new gaps in collecting and analysing evidence. For example, the growing use of obfuscation in cybercrime means that investigation tools must be able to recover obfuscated evidence.
- Changes in the scope of possible crimes call for changes in the legal aspects of digital forensics investigations. Prosecutors often find it difficult to prosecute digital crimes because the nature of certain crimes is not well defined in existing law (Losavio et al. 2018). Although an offence can still be pursued using alternative charges, prosecution is normally more effective when a specific charge exists. Therefore, as criminals find new ways to exploit cyberspace, the relevant legislation must evolve to address the changes.
- The increasing use of complex infrastructures makes it harder to maintain the legitimacy of an investigation. An investigation may require probing systems belonging to private entities that cannot be compelled to cooperate, and if the investigation crosses such boundaries its legitimacy may be questioned (Bay 2017).
- Cybercrimes increasingly involve privacy breaches, so investigating them carries the risk of further compromising the information of the affected entities. Forensic investigations must therefore strive to preserve the privacy of the stakeholders involved.
- Development of new technologies
Challenges in Evidence Collection and Analysis in Cyberspace
Undertaking a digital forensic investigation involves numerous steps, and each step may have its own applicable standards. The scope of digital forensics is also very wide, encompassing traditional crimes such as murder and arson as well as newer crimes such as network intrusions, cyberwarfare and intellectual property infringement. The sheer breadth of typical investigations is therefore one of the factors that make a successful conclusion hard to reach.
The following are some of the specific challenges that face evidence collection and analysis in cyberspace:
- The Internet of Things (IoT) has introduced an entirely new dimension to digital forensics. IoT involves data communication amongst devices that use different technologies and standards, so collecting data from them requires a different technique for each kind of device. Investigators rarely have this range of techniques ready, because the devices found at an IoT crime scene may be entirely different from anything they have handled before.
- The Cloud. With cloud computing, the main challenge is that potential evidence is held on devices belonging to an entity independent of the investigators. For example, data may be stored by a cloud provider in a different country and is therefore subject to different laws. Without a warrant or an equivalent legal order, a cloud provider is not obliged to hand over information hosted in its data centre, and mutual legal assistance arrangements, which govern cross-border requests for evidence, vary between countries. This complexity, combined with bureaucracy, makes collecting evidence from cloud sources a critical challenge.
- Encryption. This is becoming standard practice, especially amongst mobile device manufacturers. Investigators can sometimes still reach the data, typically by recovering the key or passcode rather than by breaking the cipher, but encryption clearly increases the difficulty of accessing stored data (Anglano, Canonico and Guazzone 2016) and the time spent on an investigation. Modern devices also run strong encryption (long keys, often with hardware-backed key storage) efficiently, so brute force against the cipher itself is not a realistic option and effort has to go into the passcode or the key management instead.
- The ongoing development of new file formats and file systems. In spite of the many advances in computing, digital files remain the most valuable items in a digital investigation. However, the continuous development of new formats and file systems means that the reach of existing tools will shrink (Feng, Dawam and Amin 2017). Whilst these tools remain important, they may not be able to address new evidence collection scenarios.
- Solid state drives (SSDs). As noted above, digital files are among the most valuable artefacts in a digital forensics investigation, so the media that hold them are of great importance to the investigator. Traditionally these files have been extracted from hard disks, which store data in fixed tracks and sectors that map directly to logical addresses. SSDs instead place a flash translation layer between logical block addresses and physical flash pages, and wear levelling moves data between pages over time (Neyaz, Shashidhar and Karabiyik 2018). In addition, TRIM and background garbage collection can physically erase deleted data shortly after deletion without any further action by the user. Together these make recovering deleted data from SSDs far less reliable than from magnetic disks. Considering that many computer manufacturers are now replacing hard disks with SSDs, this challenge will undoubtedly continue to grow in the coming years.
- Steganography. This is the practice of hiding data inside unsuspicious files. Whilst it is widely used for legitimate purposes such as embedding copyright watermarks in media, criminals can also use it to hide data from investigators. The purpose of steganography in criminal use is to conceal the very existence of an illicit message. Unlike an encrypted message, information hidden by steganography is generally not even known to exist by the investigator, who must first have reason to suspect steganography before spending effort on uncovering it; without sufficient grounds, the time cannot be justified (Tian et al. 2017). The difficulty of detecting whether steganography has been applied at all is what makes it challenging to uncover hidden evidence.
- Covert channels. The use of covert channels to exfiltrate data poses an immense challenge to investigators. A covert channel is an unconventional communication path that is hidden from a system's access control mechanisms. Because these channels bypass access control, data transmitted through them may be invisible to the system administrator or investigator, and investigations normally focus on the access controls that were exploited when seeking to determine who is culpable.
- Blockchain and cryptocurrency. These two technologies are fast becoming common across many industries that depend on information technology, and an increasing number of cybercrimes make use of them; cryptocurrencies in particular are a common choice for illegal payments and purchases of contraband. The main challenge is their pseudonymity: the public ledger records every transaction, but addresses are not tied to real-world identities, and mixing services and privacy-focused coins further obscure the flow of funds. This lets criminals hide their identities and makes tracing payments a substantial forensic challenge.
- Data hiding. Cyber criminals can hide data on a victim's storage media and make it invisible to the user. This practice is common amongst bot masters (the people who control botnets), who can install a rootkit that runs on a user's device without the user noticing anything. The data can also be invisible to the investigator unless they already know the attacker's specific hiding technique. Furthermore, such hidden data may be designed to destroy itself when retrieval is attempted, which further complicates recovery of evidence.
- Residual data wiping. Investigators usually look at residual data (data created unintentionally by a user's activities on a computer) as a potential source of evidence; in fact, residual data often provides the most useful clues. Whilst unskilled cyber criminals may not know how to deal with residual data, advanced attackers use various techniques to wipe traces of their activity from a system. For example, a vulnerability reported on Windows Server 2008 allowed an attacker to delete only the log entries relating to their own activity. Since the other entries remain intact, investigators may be led to believe that the attacker was never active on the system.
- Disinformation. Trail obfuscation refers to hiding the real source of an attack, mainly through disinformation. For example, cyber criminals may use forged email headers and misleading file extensions to draw investigators' attention away from the real source of the attack. This can cause investigators to miss important clues or make it extremely time-consuming to obtain them.
- Threats to investigators. Investigations can sometimes be emotive, especially corporate investigations in which high-profile executives are involved. In such instances investigators may face threats of bodily harm to themselves or their loved ones. Although these threats appear to lie beyond the scope of digital forensics, their impact on the motivation and ability of investigators is profound.
- Legal challenges. Legal restrictions are usually amongst the foremost limitations in any forensic investigation, and it is easy for criminals to hide behind privacy rights and other constitutional freedoms. The GDPR may further complicate evidence collection: a suspect could invoke the "right to be forgotten" before a warrant for their data is obtained. The right to erasure is not absolute (it does not apply where processing is needed to comply with a legal obligation or to establish, exercise or defend legal claims), but an organisation that erases data in good faith before any preservation request reaches it leaves nothing for investigators to collect.
- Capacity challenges. Many digital crime investigations involve experts from different fields, including law enforcement, forensic examination, database and network analysis, and so on, so the skill set required to complete a forensic investigation successfully is wide. Most experts are knowledgeable only in their own area, which creates numerous weak links in the investigation chain.
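To make the steganography point above concrete, here is an added example (mine, not from the paper or any of its cited works) of the simplest image technique, least-significant-bit replacement, alongside the pairs-of-values chi-square test that Westfeld and Pfitzmann proposed for detecting it. Everything in it is constructed for illustration: the cover is a synthetic 64x64 greyscale image with a deliberately lopsided histogram, the payload is random bytes standing in for an encrypted message, and the detection threshold is an assumption.

```python
import math
import random
from typing import List, Tuple

WIDTH, HEIGHT = 64, 64


def make_cover() -> List[int]:
    """Constructed 8-bit greyscale cover (row-major pixel values). It has a flat,
    posterised look: only one pixel in eight has an odd value, so the value pairs
    (2k, 2k+1) are far from balanced, as they usually are in real covers."""
    rng = random.Random(7)                     # fixed seed: reproducible offline
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            base = (3 * x + 2 * y) // 8        # 40 distinct grey levels
            odd = 1 if rng.randrange(8) == 0 else 0
            pixels.append(2 * base + odd)
    return pixels


def make_payload(length: int) -> bytes:
    """Stand-in for an encrypted payload: criminals usually encrypt before hiding,
    which is exactly what makes the embedded bits look random."""
    rng = random.Random(99)
    return bytes(rng.getrandbits(8) for _ in range(length))


def embed_lsb(pixels: List[int], payload: bytes) -> List[int]:
    """Sequential LSB replacement: a 16-bit big-endian length, then the payload."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for the 16-bit length header")
    bits = []
    for byte in len(payload).to_bytes(2, "big") + payload:
        bits.extend((byte >> i) & 1 for i in range(7, -1, -1))
    if len(bits) > len(pixels):
        raise ValueError("cover too small for payload")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(pixels: List[int]) -> bytes:
    """Inverse of embed_lsb: read the length header, then that many bytes."""
    def read(start: int, nbits: int) -> int:
        value = 0
        for i in range(nbits):
            value = (value << 1) | (pixels[start + i] & 1)
        return value
    length = read(0, 16)
    return bytes(read(16 + 8 * i, 8) for i in range(length))


def chi_square_pov(pixels: List[int]) -> Tuple[float, int, float]:
    """Pairs-of-values test. LSB replacement drives the counts of values 2k and
    2k+1 towards equality, whereas in an untouched cover they usually differ.
    Returns (statistic, degrees of freedom, p-value): the statistic is the Pearson
    form summed over non-empty pairs (one degree of freedom each), and the p-value
    is the probability that random LSBs would produce pairs at least this
    unbalanced. A large p-value is therefore consistent with embedding."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, df = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        total = even + odd
        if total == 0:
            continue
        mean = total / 2.0
        stat += (even - mean) ** 2 / mean + (odd - mean) ** 2 / mean
        df += 1
    if df == 0:
        return 0.0, 0, 1.0
    # Wilson-Hilferty normal approximation of the chi-square upper tail (df >= ~30)
    z = ((stat / df) ** (1.0 / 3.0) - (1 - 2.0 / (9 * df))) / math.sqrt(2.0 / (9 * df))
    p_value = 0.5 * math.erfc(z / math.sqrt(2.0))
    return stat, df, p_value


def detect_lsb_stego(pixels: List[int], alpha: float = 0.05) -> bool:
    """Flag the image when the pairs-of-values test cannot reject random LSBs.
    Caveat: a clean cover whose histogram happens to be balanced (heavy sensor
    noise, dithering) is flagged too, so treat a hit as grounds for closer analysis."""
    return chi_square_pov(pixels)[2] > alpha
```

Running `detect_lsb_stego` on the cover and on the stego version shows the contrast: the cover's value pairs are lopsided (p-value effectively zero), whereas after embedding they are balanced and the test cannot tell the LSB plane from random bits. The test only covers sequential, full-capacity LSB replacement; a payload that occupies a small part of the image, or adaptive embedding, calls for region-by-region or structural steganalysis (RS or sample-pair analysis).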
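The covert channel item above is abstract; one concrete instance investigators meet constantly is data pushed out through DNS queries, which pass through access controls that permit name resolution. The following added example (mine, not the paper's) profiles a resolver log and flags clients that send many distinct, long, high-entropy labels under one parent domain in record types that carry arbitrary payloads. The log format, the hosts, the domain names and the thresholds are constructed assumptions, not taken from any real system.

```python
import math
import random
from collections import defaultdict
from typing import Dict, List, Tuple


def build_sample_log() -> List[str]:
    """Constructed resolver log, one query per line: '<epoch> <client> <qname> <qtype>'.
    Host 10.0.0.5 browses normally; host 10.0.0.9 pushes data out through TXT
    queries whose leftmost label is a hex-encoded 16-byte chunk."""
    lines = [
        "1700000000 10.0.0.5 www.example.com A",
        "1700000001 10.0.0.5 cdn.example.com A",
        "1700000002 10.0.0.5 mail.example.org MX",
        "1700000003 10.0.0.5 www.example.com A",
        "1700000004 10.0.0.9 www.example.com A",
    ]
    rng = random.Random(42)                       # fixed seed: reproducible offline
    for i in range(8):
        chunk = bytes(rng.getrandbits(8) for _ in range(16)).hex()
        lines.append(f"{1700000010 + i} 10.0.0.9 {chunk}.t.example.net TXT")
    return lines


def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32 payload labels sit near 3.5-4.5, words near 2-3."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Registrable parent approximated as the last two labels. Good enough for
    example.com-style names; production code needs the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def profile(lines: List[str]) -> Dict[Tuple[str, str], dict]:
    """Aggregate per (client, parent domain): query count, distinct leftmost labels,
    mean label entropy, mean label length and the share of TXT/NULL queries."""
    acc: Dict[Tuple[str, str], dict] = {}
    for line in lines:
        _, client, qname, qtype = line.split()
        leftmost = qname.rstrip(".").split(".")[0]
        key = (client, parent_domain(qname))
        p = acc.setdefault(key, {"queries": 0, "labels": set(),
                                 "entropy": 0.0, "length": 0, "rare": 0})
        p["queries"] += 1
        p["labels"].add(leftmost)
        p["entropy"] += shannon_entropy(leftmost)
        p["length"] += len(leftmost)
        p["rare"] += qtype in ("TXT", "NULL")
    for p in acc.values():
        n = p["queries"]
        p["distinct"] = len(p["labels"])
        p["mean_entropy"] = p["entropy"] / n
        p["mean_length"] = p["length"] / n
        p["rare_share"] = p["rare"] / n
    return acc


def suspicious_channels(lines: List[str], min_distinct: int = 5, min_entropy: float = 3.0,
                        min_length: int = 20, min_rare: float = 0.5) -> List[Tuple[str, str]]:
    """(client, parent) pairs whose queries look like a data channel: many distinct,
    long, high-entropy labels under one parent, mostly in payload-carrying record
    types. A hit is a lead, not proof: CDNs and some security products legitimately
    emit hashed hostnames, so confirm against packet captures or the host."""
    hits = []
    for key, p in profile(lines).items():
        if (p["distinct"] >= min_distinct and p["mean_entropy"] >= min_entropy
                and p["mean_length"] >= min_length and p["rare_share"] >= min_rare):
            hits.append(key)
    return sorted(hits)
```

On the constructed log only the 10.0.0.9 traffic to example.net is reported; the thresholds are starting points to tune against a baseline of the environment's normal resolver traffic, and the same profile can be fed with IP, ICMP or HTTP metadata when the suspected channel is not DNS.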
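For the residual data wiping point above, the practitioner's response is to test the integrity of what remains rather than trusting it. Added example, not from the paper: Windows event logs number their records contiguously, so an export with missing record IDs, timestamps that run backwards, or an Event ID 1102 entry (written when the Security log is cleared) tells the examiner that the log has been edited or cleared even when the surviving entries look normal. The export format and the records are constructed; a real case would read the EVTX file with a proper parser.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    record_id: int
    timestamp: int      # seconds since the epoch
    event_id: int
    message: str


# Constructed export, '<RecordID>,<epoch>,<EventID>,<message>', not from a real host.
# Records 1005 and 1006 were removed to simulate selective deletion, record 1008
# carries a timestamp older than its predecessor, and record 1009 is the entry
# Windows writes when the Security log is cleared.
SAMPLE_EXPORT = """\
1001,1700000000,4624,logon user=alice
1002,1700000012,4672,special privileges assigned user=alice
1003,1700000030,4688,process created cmd.exe
1004,1700000041,4688,process created powershell.exe
1007,1700000095,4634,logoff user=alice
1008,1700000090,4624,logon user=bob
1009,1700000130,1102,the audit log was cleared
"""


def parse_export(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rid, ts, eid, msg = line.split(",", 3)
        events.append(Event(int(rid), int(ts), int(eid), msg))
    return events


def find_record_gaps(events: List[Event]) -> List[Tuple[int, int]]:
    """Missing (first, last) record-ID ranges. Record IDs are contiguous, so a hole
    inside an export means records were removed (or the file is damaged)."""
    ordered = sorted(events, key=lambda e: e.record_id)
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.record_id != prev.record_id + 1:
            gaps.append((prev.record_id + 1, cur.record_id - 1))
    return gaps


def find_time_anomalies(events: List[Event]) -> List[Tuple[int, int]]:
    """Consecutive record IDs whose timestamps run backwards. Records are written
    in ID order, so this points at clock tampering or injected entries."""
    ordered = sorted(events, key=lambda e: e.record_id)
    return [(p.record_id, c.record_id)
            for p, c in zip(ordered, ordered[1:]) if c.timestamp < p.timestamp]


def find_clear_events(events: List[Event]) -> List[int]:
    """Record IDs of Event ID 1102 entries: the log being cleared is itself logged,
    a reliable tell even when everything before it is gone."""
    return [e.record_id for e in events if e.event_id == 1102]


def audit(text: str) -> Dict[str, list]:
    """Run all three checks over an export and return the findings."""
    events = parse_export(text)
    return {
        "gaps": find_record_gaps(events),
        "time_anomalies": find_time_anomalies(events),
        "cleared": find_clear_events(events),
    }
```

On the sample, `audit` reports the deleted range 1005 to 1006, the backwards step from 1007 to 1008, and the clearing event at 1009. When the records come from a central collector rather than the host, collection losses can also produce gaps, so corroborate with the collector's own delivery logs before calling a gap tampering.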
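Misleading file extensions (the disinformation item) and data hidden behind an innocuous file (the data hiding item) are both caught by the same check: look at the bytes, not the name. This added example (mine, not the paper's) compares a file's claimed type with its leading signature and scans the rest of the file for embedded signatures, validating the two-byte "MZ" executable stub through its PE header to keep false positives down. The signature table holds standard, well-known magic numbers; the sample files are hand-built byte strings, not real documents.

```python
from typing import Dict, List, Optional, Tuple

# Well-known file signatures: (type, offset, magic bytes).
SIGNATURES: List[Tuple[str, int, bytes]] = [
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("jpeg", 0, b"\xff\xd8\xff"),
    ("gif", 0, b"GIF8"),
    ("pdf", 0, b"%PDF-"),
    ("zip", 0, b"PK\x03\x04"),
    ("elf", 0, b"\x7fELF"),
    ("pe", 0, b"MZ"),
]

# What each extension claims to be (docx/xlsx/jar are ZIP containers).
EXTENSION_TYPES: Dict[str, str] = {
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "jar": "zip",
    "exe": "pe", "dll": "pe", "so": "elf",
}


def _looks_like_pe(data: bytes, at: int) -> bool:
    """'MZ' is only two bytes and turns up in ordinary text, so confirm that the
    DOS header's e_lfanew field (offset 0x3C) points at the PE signature."""
    if len(data) < at + 0x40:
        return False
    e_lfanew = int.from_bytes(data[at + 0x3C:at + 0x40], "little")
    return data[at + e_lfanew:at + e_lfanew + 4] == b"PE\x00\x00"


def _matches(kind: str, data: bytes, at: int) -> bool:
    magic = next(m for k, _, m in SIGNATURES if k == kind)
    if data[at:at + len(magic)] != magic:
        return False
    return _looks_like_pe(data, at) if kind == "pe" else True


def identify(data: bytes) -> Optional[str]:
    """Type of the file judged from its leading bytes, ignoring the name."""
    for kind, offset, _ in SIGNATURES:
        if _matches(kind, data, offset):
            return kind
    return None


def extension_mismatch(filename: str, data: bytes) -> Optional[Tuple[str, Optional[str]]]:
    """(claimed, actual) when the extension disagrees with the content, else None.
    Unknown extensions are not reported: the absence of a rule is not evidence."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_TYPES.get(ext)
    actual = identify(data)
    if claimed is None or claimed == actual:
        return None
    return claimed, actual


def find_embedded(data: bytes) -> List[Tuple[int, str]]:
    """Offsets of signatures found after byte 0: a ZIP or executable appended to a
    valid image is a common way to hide data in plain sight. Magics shorter than
    four bytes are skipped unless they can be validated (PE)."""
    hits = []
    for kind, _, magic in SIGNATURES:
        if len(magic) < 4 and kind != "pe":
            continue
        start = 1
        while (at := data.find(magic, start)) != -1:
            if _matches(kind, data, at):
                hits.append((at, kind))
            start = at + 1
    return sorted(hits)


def constructed_samples() -> Dict[str, bytes]:
    """Hand-built byte strings (not real files) that exercise the checks above."""
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24 + b"IEND\xaeB`\x82"
    zip_stub = b"PK\x03\x04" + b"\x14\x00\x00\x00\x08\x00" + b"\x00" * 22
    pe_stub = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
               + b"PE\x00\x00" + b"\x00" * 20)
    return {
        "holiday.png": png_header + zip_stub,   # archive hidden behind an image
        "invoice.pdf": pe_stub,                 # executable posing as a document
        "notes.txt": b"just text",             # no rule for .txt, never flagged
    }
```

`identify` answers what a file is, `extension_mismatch` whether its name lies, and `find_embedded` whether something else is riding along inside it. The table is deliberately small; a production carver also validates container structure (ZIP central directory, PNG chunk CRCs) so that a stray signature in random data is not reported as a hidden file.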
The Effectiveness of Current Digital Forensics Principles, Procedures, Techniques and Standards to Address above Mentioned Challenges
The effectiveness of current principles, procedures and techniques is debated amongst investigators, examiners, prosecutors and other stakeholders in computer forensics. Various factors influence how effective these processes are perceived to be: prosecutors judge effectiveness against the existing legal limitations, whilst examiners judge it from a technical perspective, such as the quality and efficiency of a tool. Overall, the following points outline the perceived effectiveness of current principles, procedures and techniques in digital forensics investigations.
- Efficiency of the law. The Computer Misuse Act 1990 is the main law addressing cybercrime in the UK. Its main difficulties have been proving that a suspect had the "intent" to commit an offence and the poor differentiation of petty offenders from serious cyber criminals. The Act requires prosecutors to prove that the suspect intended to commit the offence, following the common law principle that criminal liability requires both actus reus (the guilty act) and mens rea (the guilty mind). In conclusion, the law in its current form is not sufficient to address cybercrime efficiently.
- Efficiency of tools. Many existing tools collect and analyse digital evidence with considerable efficiency. Their biggest problem is that they do not develop as fast as the counter-techniques do. Not long ago it was possible to decrypt messages from the popular instant messaging application WhatsApp, but after an update most of the decryption tools became irrelevant. It was also relatively easy to extract data from an iPhone without unlocking it; after the hardware changes introduced with the iPhone 5S, the extraction tools stopped working. Thus tools are efficient to some extent, but their problem is slow advancement.
- Efficiency of the investigation process. The typical digital forensics investigation process follows a widely accepted format that was established mainly to strengthen the credibility of the process: strict guidelines on handling evidence and documenting the procedure. Because these guidelines are comprehensive and widely adopted, one can conclude that they are effective in enhancing digital forensics investigations.
- Efficiency of standards. The UK has guidance rather than binding technical standards for digital forensics: the ACPO Good Practice Guide for Digital Evidence and the Forensic Science Regulator's codes of practice, with laboratories expected to hold ISO/IEC 17025 accreditation. Beyond these, investigators rely on general legal provisions to guide their work. In the US, by contrast, there are established frameworks (such as those published by NIST) for the various activities in a typical digital investigation. Measured against such industry benchmarks, digital forensics standards in the UK are less than efficient.
- Efficiency of international co-operation.
Recommendations to Improve Current Digital Forensics Principles, Procedures, Techniques and Standards
More co-operation internationally.
Changing the law. Although it has been amended several times, the Computer Misuse Act was written before the World Wide Web came into existence, so it is always playing catch-up and relying on case law. With such fast-moving technology, playing catch-up is to some extent unavoidable. Creating a new Cyber Act would be one way to reduce that reliance. Inefficiencies in the law can also be addressed by expanding the definition of cybercrime to cover both civil and criminal scenarios. For instance, there are scenarios in which one entity uses computer systems to offend another but the nature of the offence does not warrant a criminal investigation. In such scenarios, a wider definition of cybercrime would give prosecutors more space to work with.
- Creating a new Cyber Body with similar mandate to the GMC and beyond.
- Creation of Cyber Police
- Introduction of Cyber First Aid Certificate
- More cyber security in schools
- More coding clubs for children and teenagers to flex their muscles.
- More co-operation with other forensics fields such as forensic psychology
Although highly debatable, backdoor access for law enforcement could remove many of the barriers to evidence collection. For example, if phone manufacturers could supply decryption keys once a court warrant has been issued, investigators would have a relatively easy time with encrypted devices. The problem with this solution is that such access can be misused by company employees and other trusted parties, and any mechanism that can unlock devices for the police is an attractive target for attackers as well.
- Develop digital forensics frameworks. Frameworks standardise processes and give them more credibility (Ab Rahman et al. 2016). However, frameworks must be tailored to the specific challenges of the region or jurisdiction. Although adopting foreign frameworks such as those proposed by the United States' National Institute of Standards and Technology (NIST) can raise standards, customised frameworks will generally provide better solutions.
- Improving the tools. The problem with existing tools is that they do not advance as fast as anti-forensics techniques. Advances in other areas of technology, together with the evolving techniques of cyber criminals, make tools obsolete too quickly. An appropriate solution would therefore be to improve tool updating processes and schedules.
- Make forensics tools more accessible to those
- Capacity building. Improving the capacity of investigators, examiners and prosecutors can significantly enhance the outcomes of digital forensic investigations. The wide skill gap in the field results in many weak links in the investigation chain, since typical cybercrime investigations are multidisciplinary. This can be addressed by training existing professionals and recruiting more into the field.
- Addressing blockchain and cryptocurrency challenges. Since these two technologies are relatively new, solutions to enhance forensic investigative capacity on them remain speculative. However, investigators can focus on developing special exploits and tracing techniques for targeted blockchain and cryptocurrency activity. Exploits have been used to satisfactory effect in the past against Tor, the anonymity network, which shows that the approach is feasible.
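The blockchain recommendation above, and the pseudonymity challenge discussed earlier, both come down to linking addresses to one entity. In practice that is done by analysing the public ledger rather than by exploiting software: the added example below (mine, not the paper's) implements the common-input-ownership heuristic used by chain-analysis tools, which treats all addresses spent together in one transaction as controlled by the same entity, and then lists where that cluster sent its coins. The transaction graph and the address names are constructed placeholders, not real addresses.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass
class Tx:
    txid: str
    inputs: List[str]   # addresses whose coins this transaction spends
    outputs: List[str]  # addresses that receive coins


# Constructed transaction graph; the addresses are placeholders, not real ones.
SAMPLE_TXS: List[Tx] = [
    Tx("tx1", ["A1"], ["M1", "A2"]),      # A1 pays market M1, change returns to A2
    Tx("tx2", ["A2", "A3"], ["M2"]),      # A2 and A3 spent together: one owner
    Tx("tx3", ["A3", "A4"], ["X1"]),      # A4 joins the same owner through A3
    Tx("tx4", ["B1"], ["A4"]),            # B1 merely paid A4; no ownership link
    Tx("tx5", ["C1", "C2"], ["C3"]),      # an unrelated wallet
]


class _UnionFind:
    """Disjoint sets over address strings, with path halving."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, a: str) -> str:
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]
            a = self.parent[a]
        return a

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs: List[Tx]) -> Dict[str, FrozenSet[str]]:
    """Common-input-ownership heuristic: every input of a transaction had to be
    signed by the same entity, so co-spent addresses are merged into one cluster.
    Every address seen as an input or output gets an entry (singletons included).
    Caveat: CoinJoin and similar collaborative transactions deliberately break
    this assumption, so known mixing transactions should be filtered out first."""
    uf = _UnionFind()
    seen: Set[str] = set()
    for tx in txs:
        seen.update(tx.inputs)
        seen.update(tx.outputs)
        for addr in tx.inputs[1:]:
            uf.union(tx.inputs[0], addr)
    groups: Dict[str, Set[str]] = {}
    for addr in seen:
        groups.setdefault(uf.find(addr), set()).add(addr)
    return {addr: frozenset(members) for members in groups.values() for addr in members}


def payments_from(cluster: FrozenSet[str], txs: List[Tx]) -> Set[str]:
    """Addresses outside the cluster that received coins spent by it, which is where
    an investigator looks next (exchanges with identity checks, markets, mixers)."""
    paid: Set[str] = set()
    for tx in txs:
        if any(a in cluster for a in tx.inputs):
            paid.update(o for o in tx.outputs if o not in cluster)
    return paid
```

On the sample graph the heuristic joins A2, A3 and A4 into one cluster even though A4 was never co-spent with A2 directly, while A1 stays separate because only the change-address heuristic (not implemented here) would link it to A2. Running `payments_from` on that cluster yields M2 and X1, the counterparties worth serving legal requests on.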
Despite the important role of digital forensics investigations in promoting law and justice in cyberspace, the field faces many challenges that weaken its effectiveness. This paper has shown that some of the challenges are technical whilst others are social or professional. Advances in technology such as developments in file systems and digital media are amongst the factors that complicate evidence acquisition, and anti-forensics techniques used by cyber criminals create significant challenges of their own. Other issues are human resource-related, such as a lack of skills and understaffing. Some of these challenges can be addressed through changes in law to widen the scope of cybercrime investigations, the development of digital forensics frameworks and improvements to tool updating procedures.
- Lillis, D., Becker, B., O’Sullivan, T. and Scanlon, M., 2016. Current challenges and future research areas for digital forensic investigation. arXiv preprint arXiv:1604.03850.
- Watson, S. and Dehghantanha, A., 2016. Digital forensics: the missing piece of the internet of things promise. Computer Fraud & Security, 2016(6), pp.5-8.
- Losavio, M.M., Chow, K.P., Koltay, A. and James, J., 2018. The Internet of Things and the Smart City: Legal challenges with digital forensics, privacy, and security. Security and Privacy, 1(3), p.e23.
- Bay, M., 2017. The ethics of unbreakable encryption: Rawlsian privacy and the San Bernardino iPhone. First Monday, 22(2).
- Feng, X., Dawam, E.S. and Amin, S., 2017, June. A new digital forensics model of smart city automated vehicles. In Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), 2017 IEEE International Conference on (pp. 274-279). IEEE.
- Neyaz, A., Shashidhar, N. and Karabiyik, U., 2018, August. Forensic Analysis of Wear Leveling on Solid-State Media. In 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE) (pp. 1706-1710). IEEE.
- Anglano, C., Canonico, M. and Guazzone, M., 2016. Forensic analysis of the ChatSecure instant messaging application on Android smartphones. Digital Investigation, 19, pp.44-59.
- Tian, H., Sun, J., Huang, Y., Wang, T., Chen, Y. and Cai, Y., 2017. Detecting Steganography of Adaptive Multirate Speech with Unknown Embedding Rate. Mobile Information Systems, 2017.
- Ab Rahman, N.H., Glisson, W.B., Yang, Y. and Choo, K.K.R., 2016. Forensic-by-design framework for cyber-physical cloud systems. IEEE Cloud Computing, 3(1), pp.50-59.