CMU ISR 08732 - Revisiting Risk Sensitive Digital Evidence Collection
Revisiting Risk Sensitive Digital Evidence Collection

Erin E. Kenneally [1], Christopher L. T. Brown [2]
[email protected], [email protected]

Abstract

Over the past decade or so, well-understood procedures and methodologies have evolved within computer forensics digital evidence collection that emphasize disk imaging procedures. In their paper Risk Sensitive Digital Evidence Collection [3], the authors posit that the current methodology, which focuses on collecting entire bit-stream images of the original evidence disk, could increase legal and financial risks. The authors go on to state that the rapidly increasing and changing volume of data within corporate network information systems and personal computers is driving the need to revisit current evidence collection methodologies. No assertion is made in the foundation paper that current methodologies are no longer valid; rather, it is presented that in some situations selective evidence extraction could be accomplished while still ensuring reliability, completeness, accuracy, and verifiability of computer disk evidence.

Risk Sensitive Digital Evidence Collection was presented in three sections, with the first section framing the debate and the change drivers for a risk-sensitive approach to digital evidence collection. Section 2 outlined the current methods of evidence collection along with a cost-benefit analysis. Section 3 described the methodology components of the risk-sensitive approach to collection and concluded with a legal and resource risk assessment of this approach. This paper revisits the original abstract methodology framework proposal, highlighting the work to be done for successful evaluation and peer review.

1. Balancing the Risk: Refining Collection Methods Without Compromising Forensic Principles

Modifying current digital forensic techniques (identification, acquisition, preservation, analysis and presentation) in response to changing contexts does not necessarily mean that results are less reliable for forensic proof purposes. This paper specifically addresses the risks of insisting on bit-stream imaging methodology in large volume (e.g. greater than 200 GB), time-sensitive, and network based contexts. Correspondingly, this paper explores a methodology that balances the risks of selective imaging so that evidentiary reliability can be attained in concert with resource sensitivities. The hallmark of this risk-sensitive methodology is the filtering and reduction of data collection at the front-end acquisition stage, rather than wholesale collection and filtering of data at the back-end examination stage. As such, the goal of reduced legal risk and economic burden is attainable.

A primary risk associated with the current bit-stream imaging process can be gauged by cost metrics: time and resources. Both costs are becoming unmanageable in civil and criminal proceedings, exacting a toll on victims and investigators alike. This derives from the fact that the context within which we are applying our forensic tools and methodology has changed. Computer forensic autopsies are no longer performed on single machines with small data storage capacities. Rather, the scope for potential evidence has expanded to networks of interconnected computers, each with vast storage capacities containing potential artifacts of legal relevance. This challenges our conceptual and technical ability to erect electronic crime scene tape. Thus, cost pressures must be managed by interpreting and applying traditional standards in parallel with this evolving context.

Specifically, the traditional legal standards of "reasonableness" must continue to shape the application of technology to evidentiary standards. Reasonableness is most often evaluated in terms of the time and resource costs described earlier. Just as it would be unreasonable to expect that investigators cordon off an entire building, mercury fulminate hundreds of offices for latent fingerprints, and seize every file cabinet during the course of a robbery scene investigation, it is similarly unreasonable to expect the analogous situation in the electronic crime scene, even though there is conceivably trace evidence of the crime beyond what was searched and seized. The reasonableness standard takes into account cost and capabilities, and does not require perfection. In this digital forensic setting, factors driving cost include large volume data sets and complicated data accessibility (e.g. network environments).

One risk of remaining steadfast to bit-stream acquisition amidst this emerging resource tug-of-war is the ultimate imperilment to evidentiary reliability: the outright failure to collect digital evidence. It is one issue if this failure can be ascribed to incompetence or mistake, yet quite another when it results from a conscious choice based on insufficient processing resources. The question has become whether forensic professionals will continue to force an ineffective strategy on a changing opponent, or adapt the strategy to better control against the opponent. The opponent here is the time and resource cost variables, exacerbated by relatively static evidentiary reliability requirements. The strategy here is the methodology chosen to meet evidentiary standards.

2. Responding to Change: Risk Sensitive Evidence Collection Methodology

The proposed Risk Sensitive Evidence Collection Methodology [3] calls for selective artifact extraction during the initial collection phase of the computer forensics process. This methodology can be performed on dead systems using standard connections to the target computer systems, such as directly attached IDE converter cables or client/server disk redirection software, allowing selective artifact extraction to a forensics collection platform. While selective artifacts of interest can be identified and extracted from a dead system, one of the greatest advantages of this methodology is its ability to allow live system evidence identification and selective extraction while allowing the original systems to continue normal operations. This methodology involves a pre-acquisition evidence search and filtering for the purpose of minimizing the collection of irrelevant data, which in the traditional bit-stream methodology occurs post-acquisition during the laboratory examination phase. Two critical components of the proposed methodology are: (1) live
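The front-end filtering the paper describes, worked through as an added Python example (this is not the paper's code or tooling): a hypothetical pre-acquisition filter selects artifacts from a source tree by name pattern and modification time, copies them to a collection directory, and records a SHA-256 manifest so that each selectively extracted artifact remains verifiable afterwards. The source tree, filter criteria and examiner identifier are constructed placeholders; in practice the source would be a read-only mount or a disk-redirection view of the target, which the example does not model.

```python
"""Selective artifact acquisition with a verifiable hash manifest (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from fnmatch import fnmatch
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large artifacts are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def select_artifacts(source: Path, patterns, modified_after=None):
    """Pre-acquisition filter: files under `source` whose name matches one of
    the glob `patterns` and, if `modified_after` (epoch seconds) is given,
    whose modification time is not older than that cutoff."""
    selected = []
    for root, _dirs, files in os.walk(source):
        for name in files:
            p = Path(root) / name
            if not any(fnmatch(name.lower(), pat) for pat in patterns):
                continue
            if modified_after is not None and p.stat().st_mtime < modified_after:
                continue
            selected.append(p)
    # deterministic order so the manifest is reproducible across runs
    return sorted(selected, key=lambda p: p.relative_to(source).as_posix())


def acquire(source: Path, dest: Path, patterns, modified_after=None,
            examiner="EXAMINER-ID-PLACEHOLDER"):
    """Copy selected artifacts into dest/artifacts and write dest/manifest.json.
    Each artifact is hashed before and after the copy; a mismatch aborts."""
    art_dir = dest / "artifacts"
    art_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in select_artifacts(source, patterns, modified_after):
        rel = src.relative_to(source)
        before = sha256_file(src)
        out = art_dir / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, out)          # copy2 keeps the original timestamps
        if sha256_file(out) != before:
            raise RuntimeError(f"copy of {rel} does not match source hash")
        st = src.stat()
        entries.append({
            "path": rel.as_posix(),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": before,
        })
    manifest = {
        "source": str(source),
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "filter": {"patterns": list(patterns), "modified_after": modified_after},
        "artifacts": entries,
    }
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(dest: Path):
    """Re-hash every artifact named in the manifest; return (path, problem) pairs."""
    manifest = json.loads((dest / "manifest.json").read_text())
    problems = []
    for e in manifest["artifacts"]:
        p = dest / "artifacts" / e["path"]
        if not p.exists():
            problems.append((e["path"], "missing"))
        elif sha256_file(p) != e["sha256"]:
            problems.append((e["path"], "hash mismatch"))
    return problems


def demo():
    """Build a constructed source tree, acquire from it, verify, then show that
    altering or removing a collected artifact is detected by the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "target", Path(tmp) / "collection"
        sample = {                               # constructed sample files
            "docs/report.docx": b"quarterly figures",
            "docs/notes.txt": b"meeting notes",
            "mail/inbox.pst": b"mailbox blob",
            "bin/app.exe": b"MZ binary",         # not an artifact of interest
            "tmp/old.txt": b"stale scratch file",  # matches *.txt but too old
        }
        for rel, data in sample.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        os.utime(src / "tmp/old.txt", (0, 0))   # mtime = 1970, fails the cutoff
        cutoff = 946684800                       # 2000-01-01T00:00:00Z
        manifest = acquire(src, dest, ["*.docx", "*.txt", "*.pst"], cutoff)
        clean = verify(dest)
        (dest / "artifacts/docs/notes.txt").write_bytes(b"altered")
        (dest / "artifacts/mail/inbox.pst").unlink()
        return {"selected": [e["path"] for e in manifest["artifacts"]],
                "clean_verify": clean, "after_tamper": verify(dest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The filter runs before anything is copied, which is the point of the methodology: only the three matching, recent artifacts leave the target, while the binary and the stale scratch file are never collected. The manifest records what was selected, by which criteria and when, and `verify` shows that the same per-artifact hashes used for bit-stream images still give the examiner an integrity check over a selective extraction.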