SPECIAL CERTIFICATE IN DIGITAL FORENSICS ANALYSIS AND INVESTIGATION (ASSESSMENT)
by Atty. Emmanuel S. Caliwan, JD
A. If digital evidence is found, what should be done to preserve its probative value?
The most effective methods to ensure legal admissibility while preparing to engage a forensic analyst include the following:
Drive Imaging
Hash Values
Chain of Custody
1. Drive Imaging
Before investigators can begin analyzing evidence from a source, they need to image it first. Imaging a drive is a forensic process in which an analyst creates a bit-for-bit duplicate of a drive. This forensic image of all digital media helps retain evidence for the investigation. When analyzing the image, investigators should keep in mind that even wiped drives can retain important recoverable data to identify and catalogue. In the best cases, they can recover all deleted files using forensic techniques.
As a rule, investigators should exclusively operate on the duplicate image and never perform forensic analysis on the original media. In fact, once a system has been compromised, it is important to do as little as possible — and ideally nothing — to the system itself other than isolating it to prevent connections into or out of the system and capturing the contents of live memory (RAM), if needed. Limiting actions on the original computer is important, especially if evidence needs to be taken to court, because forensic investigators must be able to demonstrate that they have not altered the evidence whatsoever by presenting cryptographic hash values, digital timestamps, legal procedures followed, etc. A piece of hardware that helps facilitate the legal defensibility of a forensic image is a “write blocker”, which investigators should use to create the image for analysis whenever one is available.
2. Hash Values
When an investigator images a machine for analysis, the process generates cryptographic hash values (MD5, SHA-1). The purpose of a hash value is to verify the authenticity and integrity of the image as an exact duplicate of the original media.
Hash values are critical, especially when admitting evidence into court, because altering even a single bit of data produces a completely different hash value. Creating a new file or editing an existing file on a computer likewise results in a new hash value for that file. The hash value and other file metadata are not visible in a normal file explorer window, but analysts can access them using specialised forensic software. If the hash values do not match the expected values, it may raise concerns in court that the evidence has been tampered with.
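As an added illustration of the imaging and hash-verification steps described above (this is example code written for this page, not a tool the author used; real acquisitions are made with dd, dc3dd, FTK Imager or similar through a hardware write blocker), the script below images a constructed stand-in for a seized drive, records MD5, SHA-1 and SHA-256 at acquisition, re-verifies the image, and shows that flipping one bit in a copy changes every digest. The same before-and-after comparison is the "signature consistency" check discussed under Section D. The file names, the 1 MiB chunk size and the use of a temporary directory are assumptions of the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 and SHA-1 as named on the page, plus SHA-256, which modern reports also record.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1024 * 1024  # 1 MiB reads: a multi-terabyte drive never has to fit in RAM


def hash_chunks(chunks, algorithms=ALGORITHMS):
    """Feed an iterable of byte blocks through every algorithm; return {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def read_chunks(path):
    """Stream a file or block device in CHUNK-sized blocks."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return
            yield block


def hash_media(path, algorithms=ALGORITHMS):
    """Hash an entire drive or image file without loading it into memory."""
    return hash_chunks(read_chunks(path), algorithms)


def image_media(source, image_path):
    """Bit-for-bit copy of `source` to `image_path`.

    The stream is hashed while it is being written, so the original media
    (normally behind a write blocker) is read exactly once. Returns the
    acquisition hashes that go into the report and onto the evidence label.
    """
    def copy_and_yield():
        with open(image_path, "wb") as dst:
            for block in read_chunks(source):
                dst.write(block)
                yield block
    return hash_chunks(copy_and_yield())


def verify_image(acquisition_hashes, image_path):
    """Re-hash the image (before and after examination) and compare to the recorded values."""
    current = hash_media(image_path, tuple(acquisition_hashes))
    return current == acquisition_hashes, current


def demo():
    """Constructed demonstration: a random file stands in for the seized drive."""
    workdir = Path(tempfile.mkdtemp())
    drive = workdir / "suspect_drive.bin"  # stand-in for /dev/sdX behind a write blocker
    drive.write_bytes(os.urandom(3 * CHUNK + 123))  # odd size exercises the final partial chunk
    image = workdir / "suspect_drive.dd"

    acquisition = image_media(drive, image)
    image_ok, _ = verify_image(acquisition, image)

    # Flip a single bit in a working copy: every digest changes, which is why a
    # later mismatch has to be treated as possible tampering rather than noise.
    tampered = workdir / "tampered.dd"
    data = bytearray(image.read_bytes())
    data[len(data) // 2] ^= 0x01
    tampered.write_bytes(data)
    tampered_ok, _ = verify_image(acquisition, tampered)
    return image_ok, tampered_ok


if __name__ == "__main__":
    print("image verifies:", demo())
```

In practice the acquisition hashes are written on the chain-of-custody form at the moment of imaging, re-computed when the image is received by the lab and again when the examination is finished, so that each custodian can testify that the digest they received is the digest they handed on.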
3. Chain of Custody
As investigators collect media from their client and transfer it when needed, they should document all transfers of media and evidence on Chain of Custody (CoC) forms and capture signatures and dates upon media handoff.
It is essential to remember chain-of-custody paperwork. This artifact demonstrates that the image has been under known possession since the time the image was created. Any lapse in chain of custody nullifies the legal value of the image, and thus the analysis.
Any gap in the possession record, including any period during which the evidence may have been in an unsecured location, is problematic. Investigators may still analyze the information, but the results are not likely to hold up in court against a reasonably tech-savvy attorney. Forms that investigators use to clearly and easily document every change of possession are easy to find on the Internet; we use the NIST Sample CoC to maintain the chain-of-custody audit trail.
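The checks a reviewer applies to a chain-of-custody form can be written down as code. The following is an added example for this page, not the NIST form or any tool the author used: it models each handoff as one form entry and flags the defects the text warns about, namely a custodian signing an item out who never signed it in, time the item spent in an unsecured location, an unexplained gap between entries, and a recorded hash that differs from the one recorded at acquisition. The entry fields, the list of secure locations, the 24-hour gap threshold and the sample names and digests are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    """One line on the chain-of-custody form (constructed schema for this example)."""
    when: datetime        # date/time written next to the signatures
    released_by: str      # person signing the item out
    received_by: str      # person signing the item in
    location: str         # where the item is held after the handoff
    sha256: str           # digest re-computed and recorded on receipt


# Assumed policy values for the example, not taken from the page.
SECURE_LOCATIONS = {"evidence locker", "forensic lab"}
MAX_UNEXPLAINED_GAP = timedelta(hours=24)


def audit_chain(transfers, acquisition_sha256):
    """Return a list of findings; an empty list means the chain is unbroken."""
    if not transfers:
        return ["no custody entries recorded"]
    chain = sorted(transfers, key=lambda t: t.when)
    findings = []

    if chain[0].sha256 != acquisition_sha256:
        findings.append("first entry's hash does not match the acquisition hash")

    for t in chain:
        if t.location.lower() not in SECURE_LOCATIONS:
            findings.append(f"{t.when:%Y-%m-%d %H:%M}: held at unsecured location '{t.location}'")

    for prev, cur in zip(chain, chain[1:]):
        if cur.released_by != prev.received_by:
            findings.append(
                f"{cur.when:%Y-%m-%d %H:%M}: released by {cur.released_by}, "
                f"but the last recorded custodian was {prev.received_by}"
            )
        if cur.when - prev.when > MAX_UNEXPLAINED_GAP:
            findings.append(f"{cur.when:%Y-%m-%d %H:%M}: {cur.when - prev.when} since previous entry")
        if cur.sha256 != prev.sha256:
            findings.append(f"{cur.when:%Y-%m-%d %H:%M}: hash changed while in custody")
    return findings


def custodians(transfers):
    """Everyone who has handled the item; each may have to testify."""
    people = set()
    for t in transfers:
        people.update((t.released_by, t.received_by))
    return sorted(people)


# Constructed sample data. The digest is a placeholder, not a real acquisition hash.
ACQUISITION_SHA256 = "3f" * 32

GOOD_CHAIN = [
    Transfer(datetime(2024, 3, 1, 9, 0), "Officer Reyes", "Analyst Cruz", "forensic lab", ACQUISITION_SHA256),
    Transfer(datetime(2024, 3, 1, 17, 30), "Analyst Cruz", "Evidence Clerk Santos", "evidence locker", ACQUISITION_SHA256),
]

BROKEN_CHAIN = [
    Transfer(datetime(2024, 3, 1, 9, 0), "Officer Reyes", "Analyst Cruz", "forensic lab", ACQUISITION_SHA256),
    # Two days later someone who never signed the item in releases it, from a desk drawer.
    Transfer(datetime(2024, 3, 3, 10, 0), "Intern Dela Cruz", "Evidence Clerk Santos", "office desk drawer", ACQUISITION_SHA256),
]


if __name__ == "__main__":
    print("good chain:", audit_chain(GOOD_CHAIN, ACQUISITION_SHA256) or "no findings")
    for finding in audit_chain(BROKEN_CHAIN, ACQUISITION_SHA256):
        print("broken chain:", finding)
    print("custodians:", custodians(GOOD_CHAIN))
```

Run against the broken sample, the audit reports the unsecured location, the custodian mismatch and the 49-hour gap; any one of these is the kind of lapse the text says an opposing attorney will use to attack the image and everything derived from it.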
B. Provide proof that suspect digital evidence has child pornographic materials.
In child porn cases, digital evidence may be discovered from several sources. A warrant will likely be executed to seize the suspect's computer hard drive, smartphone, camera memory card, CDs or thumb drives.
Investigators then examine the digital footprints left behind by visits to child porn websites, downloads of pictures, or communications and transactions concerning child porn.
In this case the following can be the subject of digital forensic investigation:
The Flash drive possibly containing the child pornography
The laptop used to play the video possibly containing the child pornography.
C. Discuss the Forensic Procedure conducted to retrieve digital evidence.
The Digital Forensic Process
The digital forensic process is intensive. First, investigators find evidence on electronic devices and save the data to a safe drive. Then, they analyze and document the information. Once it’s ready, they give the digital evidence to police to help solve a crime or present it in court to help convict a criminal.
The Nine Phases of Digital Forensics
There are nine steps that digital forensic specialists usually take while investigating digital evidence.
1. First Response
As soon as a security incident occurs and is reported, a digital forensic team jumps into action.
2. Search and Seizure
The team searches devices involved in the crime for evidence and data. Investigators seize the devices to make sure the perpetrators can’t continue to act.
3. Evidence Collection
After seizing the devices, professionals collect the data using forensic methods to handle the evidence.
4. Securing of the Evidence
Investigators store evidence in a safe environment. In the secure space, the data can be authenticated and proved to be accurate and accessible.
5. Data Acquisition
The forensic team retrieves electronically stored information (ESI) from the devices. Professionals must use proper procedure and care to avoid altering the data and sacrificing the integrity of the evidence.
6. Data Analysis
Team members sort and examine the authenticated ESI to identify and convert data that is useful in court.
7. Evidence Assessment
Once ESI is identified as evidence, investigators assess it in relation to the security incident. This phase is about relating the data gathered directly to the case.
8. Documentation and Reporting
This phase happens once the initial criminal investigation is done. Team members report and document data and evidence in accordance with the court of law.
9. Expert Witness Testimony
An expert witness is a professional who works in a field related to the case. The expert witness affirms that the data is useful as evidence and presents it in court.
D. How to establish that the collected digital evidence is authentic.
There are four things to keep in mind:
· Chain of custody. It needs to be documented who has had control over the evidence from the moment it was determined to be even possible evidence. Having someone who isn't qualified touch it calls everything into question. You want the minimum number of people touching it, and each of them may need to testify.
· Signature consistency, showing a SHA-1 or MD5 signature of the “container” (hard drive, flash drive, etc.) and the image are consistent both before and after collection and examination. More or less proves that reports are from the source without alteration.
· Process is everything. If someone is going to testify but can’t show a consistent and forensically valid process they will be laughed out of court.
· Reputation and certification of the examiner. Someone that has been accepted as an expert in court is less likely to be grilled too hard on procedures. Their testimony will be given more credit than someone not certified.
E. What types of cybercrimes were committed?
Under REPUBLIC ACT NO. 10175:
Section 4. Cybercrime Offenses. — The following acts constitute the offense of cybercrime punishable under this Act:
XXX
(c) Content-related Offenses:
(1) Cybersex. — The willful engagement, maintenance, control, or operation, directly or indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system, for favor or consideration.
(2) Child Pornography. — The unlawful or prohibited acts defined and punishable by Republic Act No. 9775 or the Anti-Child Pornography Act of 2009, committed through a computer system: Provided, That the penalty to be imposed shall be (1) one degree higher than that provided for in Republic Act No. 9775.
In the given case the following are the cybercrimes committed:
Cybersex:
For favor or consideration, willful engagement, maintenance, control, or operation, directly or indirectly, of any lascivious presentation of sexual organs or sexual activity via a computer system.
Child Pornography:
Unlawful or prohibited acts conducted through a computer system, as defined and punished by Republic Act No. 9775 or the Anti-Child Pornography Act of 2009.
(b) “Child pornography” refers to any representation, whether visual, audio, or written combination thereof, by electronic, mechanical, digital, optical, magnetic or any other means, of a child engaged or involved in real or simulated explicit sexual activities. (RA 9775)
References:
https://www.federaldefensenc.com/digital-evidence-in-child-porn-cases/
https://www.realtimenetworks.com/blog/preserving-digital-evidence-the-right-way-your-10-step-guide