Unit 3
AND MOBILE FORENSICS
UNIT III
Why?
Two main reasons for considering digital forensic readiness:
cost, and
the usefulness of the digital evidence that has been collected.
Minimizing the cost
The cost of the investigation involves time spent on the investigation
(which can be measured by hours or investigators’ fees) and level of effort
required, equipment costs, and other costs directly related to conducting
the investigation.
J. Tan (2001) provides the following estimate of the costs involved in a
forensic investigation after the evidence has already been collected.
A two-hour intrusion resulted, on average, in the forensic investigator
spending 40 hours to perform an analysis and write a report.
This assumes that the evidence has already been collected beforehand
and the investigators can dive straight into the analysis.
A more accurate estimate must also include the costs related to collecting
and handling the digital evidence.
Examples and Final Decision
The estimated investigation time in a New Zealand hacker’s case, characterized as a typical
intrusion scenario, was 417 hours, resulting in investigation cost of $27,800 (one victim only).
A Russian hacker’s case (automated online auctions using a stolen credit card) that resulted
in prosecution took 9 months of investigators’ time. A partial estimate of the cost was
$100,000.
We also need to think about indirect costs, such as resources taken out of daily
business operations to support the investigation, disruption of restoration operations due to
investigation requirements, and legal counseling.
Most decisions in enterprises are based on cost–benefit analysis. The cost of an activity should
not outweigh the benefits.
The same approach is valid for digital forensic investigations. If the enterprise does not
have a legal obligation to inform law enforcement about the incident, it might choose not to do
so in cases where the cost of informing outweighs the compensation it might receive.
Finally, if the incident is too expensive to investigate fully, the victims or plaintiffs might
choose to withdraw the charges or dismiss the case.
Case Study - The Armando Angulo Case
“The usual route to beating the DEA in a case is arguing that the
evidence is insufficient. But for Armando Angulo, the win comes from
the opposite. ... A federal judge in Iowa dismissed the charge last
week at the request of prosecutors, who want to throw out the many
records collected over their nine-year investigation to free up space.
... Continued storage of these materials is difficult and expensive.”
400,000 documents, 2 TB of data, multi-million $ scam (2007)
The successful prosecution of Armando Angulo was unlikely, and
storing nine years’ worth of evidence was too expensive; thus, cost was
greater than the benefit, resulting in dismissal of charges.
Drug charges dropped because of too much evidence (yahoo.com)
Usefulness of Digital Evidence
One part of the definition of digital forensic readiness deals with
“maximizing the usefulness of incident evidence data.”
What is “useful” digital evidence? The usefulness can be defined
through the intended purpose or the situation in which the evidence
will be used.
Grobler et al. (2010) suggest a definition of comprehensive digital
evidence that captures the components of usefulness, namely:
evidentiary weight in a court of law,
relevance and sufficiency for determining root cause, and
linking the attacker to the incident.
Usefulness of Digital Evidence
Digital evidence is difficult to collect and easy to destroy. The required
evidence might not be available. Some digital data (e.g., network traffic)
exists only for an instant, unless it is captured and preserved.
If activities or actions are not logged, it might be impossible to retrace
them. Order of volatility also plays a role, and we may be changing some
types of data in the process of extracting other types of data.
A user notices that there is something wrong with his computer. The first
thing he does to improve the situation is to restart the computer. Then he
asks a colleague for help. The colleague suggests it is malware. The user
calls IT support all stressed and impatient: “I need to have this up and
running now! I have work to do.” The helpful IT support staff cleans up the
malware. If at this point you were called to do a forensic investigation, how
successful would you be?
Evidentiary Weight of Digital Evidence
How much evidentiary weight does digital evidence carry? This can be
expressed through degrees of trustworthiness, relevance, sufficiency, and
validity.
Relevance and Sufficiency of Digital Evidence: Relevancy is described as
demonstrating that the evidence collected contains information of value and
helps to prove or disprove an element in the incident being investigated (see
ISO/IEC 27037:2012; ISO/IEC, 2012).
Sufficiency is defined as having enough material to allow the elements in the
investigation of the incident to be adequately examined (see ISO/IEC
27037:2012; ISO/IEC, 2012).
Evidentiary Weight of Digital Evidence
Trustworthiness of Digital Evidence: Even if you manage to collect the digital
evidence, how trustworthy is the evidence? Is it accurate? Did it come from
sources that you can trust? Was it collected and handled appropriately? How do
you know that the evidence has not been changed or forged?
Is the evidence complete, or are there attributes or parts of digital evidence
missing? What impact did the investigator’s tools have on the digital evidence?
All these questions point to various aspects of trustworthiness, namely
authenticity, integrity, and reliability.
An attorney had custody of a client’s computers. Information technology staff
from the opposing counsel’s office insisted on knowing the size of the plaintiff’s
drives. An obliging legal assistant booted the systems and reported the disk
sizes. When the drives were subjected to a proper forensic examination, 192 files
had been changed, and their ‘last modified’ dates corresponded to the time the
assistant started the machines.
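One way to make the integrity question above checkable, as an added example that is not from the lecture: a hash manifest is recorded at acquisition, and a later verification re-hashes the evidence, reports changed and missing files, and notes whether each change is consistent with a known custody event such as the assistant booting the machines. The file names, timestamps and the custody event are constructed; the hash is the authority, since a modification time can be backdated.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Acquisition-time record: relative path -> (sha256, mtime), taken once at collection."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = (sha256_file(full), os.stat(full).st_mtime)
    return manifest

def verify_integrity(root, manifest, custody_event_ts):
    """Re-hash the evidence and flag every file whose content no longer matches the
    manifest. The digest decides whether a file changed; the mtime only says whether
    the change is consistent with a known custody event (e.g. a machine being booted)."""
    current = build_manifest(root)
    changed = {}
    for rel, (digest, _) in manifest.items():
        if rel in current and current[rel][0] != digest:
            changed[rel] = {"after_custody_event": current[rel][1] >= custody_event_ts}
    missing = sorted(set(manifest) - set(current))   # completeness check
    return changed, missing

def demo():
    """Constructed scenario: three files are acquired, then handled improperly."""
    t0 = 1_700_000_000        # constructed acquisition time (2023-11-14 UTC)
    event = t0 + 3600         # constructed custody event: machine booted an hour later
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.txt", "b.txt", "c.txt"):
            p = os.path.join(root, name)
            with open(p, "w") as f:
                f.write(f"original {name}\n")
            os.utime(p, (t0, t0))                  # pin mtimes so the run is deterministic
        manifest = build_manifest(root)
        with open(os.path.join(root, "a.txt"), "a") as f:
            f.write("touched during boot\n")       # mtime becomes 'now', after the event
        b = os.path.join(root, "b.txt")
        with open(b, "a") as f:
            f.write("edited, then timestamp backdated\n")
        os.utime(b, (t0 + 60, t0 + 60))            # backdated mtime: the hash still catches it
        os.remove(os.path.join(root, "c.txt"))     # part of the evidence is now missing
        return verify_integrity(root, manifest, event)
```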
Validity of Digital Evidence
Whether or not digital evidence will be accepted in a court of law depends upon the
legal system and regulations related to the digital investigation and the digital evidence.
Different countries have different definitions of digital evidence, and some countries
also set admissibility requirements.
Thus, for a specific incident, the jurisdiction and legal basis must be considered.
However, we can apply a rule of thumb when thinking about the validity of evidence:
evidence not collected in a forensically sound manner reduces the evidence quality and
credibility in the court.
The importance of proper evidence collection - “In 2003, an Illinois U.S. District Court
Judge granted a defendant’s motion for sanctions against the plaintiff and recommended
that the case be dismissed with prejudice after it was discovered that the plaintiff had
attempted to delete relevant evidence from his computer by running the Evidence
Eliminator™ software, which claims to defeat forensic analysis software.”
Frameworks, Standards, and Methodologies
Various standardization bodies and organizations
propose frameworks and methodologies to address the
question of how to become forensically ready, but there is no “one size fits all” or generally
accepted practice to follow.
In addition to standards and methodologies, the research
community also explores the topic and proposes
guidelines or frameworks.
Digital forensic readiness is still evolving as a discipline,
so the most relevant frameworks, standards, and
methodologies that are available at this time are discussed here.
Standards
Two of the most well-known standardization bodies,
ISO and NIST, have issued several standards
that relate to the digital forensic investigation
process and digital forensic readiness.
ISO: International Organization for Standardization
NIST: National Institute of Standards and Technology
ISO/IEC 27037
The ISO/IEC 27037 standard gives a definition of digital
evidence and describes its three main governance principles:
relevance, reliability, and sufficiency.
General requirements for the handling of the digital evidence
based on those principles are provided.
They include “auditability, justifiability, and either repeatability
or reproducibility depending on particular circumstances”
(ISO/IEC 27037:2012; ISO/IEC, 2012).
The initial digital evidence-handling processes (identification,
collection, acquisition, and preservation) are also detailed
through descriptions of key components within the process.
ISO/IEC 17025
The requirements for a forensic laboratory are provided in
ISO/IEC 17025 (ISO/IEC, 2005).
They encompass both management and technical
requirements; however, the emphasis is placed on technical
requirements.
These include, for example, requirements related to
methodology, equipment handling, sampling, and quality
assurance.
NIST SP 800-86
SP 800-86 (NIST SP800-86; NIST, 2006) discusses
the phases of the digital forensic process: collection,
examination, analysis, and reporting.
This standard includes general recommendations as
well as more detailed technical guidelines for evidence
collection and examination from data files, operating
systems, networks, applications, and other sources.
Guidelines
Guidelines for digital forensics were developed
in parallel with, and in addition to, the standards.
They typically address practices and methods
for performing digital investigations and
handling digital evidence.
As such, they help to implement digital
forensic readiness for private enterprises as well
as law enforcement.
IOCE Guidelines
The International Organization on Computer Evidence
(IOCE) Guidelines (IOCE, 2002) are used for implementing
digital forensic examination procedures.
They provide general descriptions of the practices for the
digital investigation and some specific principles.
Most of the requirements are rather high level, for example,
the competence requirements and proficiency testing.
However, the requirements related to digital evidence
handling are more detailed and focus on preservation of the
evidence integrity and chain of custody.
Scientific Working Group on
Digital Evidence (SWGDE)
The Scientific Working Group on Digital Evidence
(SWGDE, 2013) lists the primary types of errors found
in the implementation of digital forensic tools:
incompleteness, inaccuracy, and misinterpretation.
The focus of the guidelines is to understand the
limitations of tools and techniques, as well as to
discuss error mitigation techniques, including tool
testing, verification, procedures, and peer reviews.
ENFSI Guidelines
The European Network of Forensic Science
Institutes (ENFSI) has published a Best
Practice Manual for the Forensic Examination
of Digital Technology (ENFSI, 2015).
The manual provides guidance for forensic
laboratories and encompasses the framework
for procedures, quality principles, training
processes, and approaches.
Research
Researchers have worked on digital forensic
readiness for the last few decades, and several
frameworks have been proposed.
The most authoritative ones, upon which many other frameworks
and methodologies have been built, are discussed here.
Rowlingson’s Ten-Step Process
Rowlingson (2004) considers the objectives for forensic readiness introduced
by Tan (2001) and proposes a framework for digital forensic readiness
consisting of ten steps.
He highlights the benefits of collecting the evidence in a business context and
considers system forensics a part of overall enterprise forensic readiness.
Rowlingson also implies that forensic readiness in corporate environments
should be aligned with business risks and tied to business continuity and
incident response.
The paper focuses on corporate environments and lists issues, benefits, and
costs that an enterprise should consider when deciding on implementation
measures for becoming forensically ready.
The author does not go into analysis of specific policies, tools, or mechanisms,
but gives a general and comprehensive description of each of the ten steps.
Grobler’s Forensic Readiness
Framework
Grobler et al. (2010) introduce the notion of comprehensive digital evidence.
The idea of comprehensive digital evidence, as compared to the traditional notion of
digital evidence, implies that in addition to using information to support or refute
hypotheses, it has to carry evidentiary weight; thus, organizations have to be aware of
the risks and legal requirements that they face when collecting useful data as the
evidence.
In addition, Grobler et al. (2010) propose a framework for the implementation of
forensic readiness within organizations.
The forensic readiness activities described in the paper are similar to the steps
proposed by Rowlingson (2004), but they are presented in a different manner.
The activities are grouped, and the groups are called dimensions.
The grouping of forensic readiness activities into dimensions gives a better overview of
how the specified activities depend on and relate to each other.
The paper also includes suggested deliverables for each of the dimensions.
Endicott-Popovsky et al.’s
Forensic Readiness Framework
Endicott-Popovsky et al. (2007) propose a framework for network forensics. The
framework consists of three layers to aid enterprises in implementing forensic
readiness.
The first layer is the theoretical base that covers information security governance
and discusses embedding forensics in an enterprise as a component of its
information assurance elements.
The second layer of the framework analyzes a “3R” strategy model (resistance,
recognition, and recovery) for survivable systems and introduces the notion of a
fourth R – redress: “ability to hold intruders accountable in a court of law.”
The last layer is based on the information systems development life cycle and
notes changes to be made to incorporate forensic capabilities (like chain of custody
procedures) within the networks.
While the first two layers can be applied to more general cases, the third one is
mostly concerned with network forensics.
Becoming “Digital Forensic”
Ready
How do we become ready for digital forensic
investigations? What activities and requirements are parts
of digital forensic readiness?
Rephrasing from the digital forensic readiness
definition, how do we minimize the cost of the forensic
investigation and increase the chance of acquiring
relevant digital evidence in a forensically sound manner?
Forensic readiness has several dimensions: legal; policy;
processes and procedures; people; and tools and
infrastructure.
Alex Case Study – Role Play
Consider yourself in Alex’s situation.
Would you be able to figure out what happened?
Enterprise Digital Forensic
Readiness
Legal Aspects
Policy, Processes, and Procedures
People
Technology: Digital Forensic Laboratory