Computer Incident Investigations: e-forensic Insights on Evidence Acquisition

The growing incidence and risk of inappropriate, illegal and/or criminal computer behaviours has increased the need to build bridges between technical and legal areas of expertise in order to produce more effective defensive and offensive responses. Although there is already a large volume of literature on organizational, technical and legal issues pertaining to computer misuse and e-crime, there have until recently been only limited explorations of the interrelationships between these issues. This has been partly because of the lack of a conceptual framework within which to position these different approaches and partly because of the complexity of the specific sets of legal and technical challenges faced (Broucek & Turner, 2001a, 2001b; Hannan, Frings, Broucek, & Turner, 2003; Hannan, Turner, & Broucek, 2003). While at one level conventional approaches to social misconduct (including deterrence, security and education) retain their relevance in cyber-space, the variety of ways in which individuals and/or groups can now use digital technologies to engage in computer misuse and e-crime does present unique challenges. As with other types of investigation, when an incident occurs or a behaviour is detected there is a need to formally investigate and assess its extent and effect. There is also a need to gather evidence and proof that may be used as the basis for responses. Significantly, in the case of computer misuse and e-crime, it is these evidence acquisition activities that, from an e-forensics perspective, present the most difficult technical and legal challenges. On the technical side, problems remain in relation to the processes for detecting, identifying and logging these behaviours. On the legal side, numerous challenging legal considerations exist regarding the types of evidence acquisition (“forensic”) activity and the legal admissibility of the digital evidence that these activities produce.
To address these challenges is particularly difficult because most technical e-security solutions are not currently designed to support such e-forensic data acquisition and most organisations are unfamiliar with the admissibility requirements for digital evidence collection, collation and presentation (Broucek & Turner, 2002a, 2003c; Sommer, 1998). This research paper provides a forensic computing perspective on these issues through a discussion of a recent legal case against three Australian Universities involving MP3 piracy. The paper also explores the recently developed European CTOSE (Cyber Tools On-line Search for Evidence) methodology (Frings, Stanisic-Petrovic, & Urry, 2003; Leroux & Perez Asinari, 2003; Urry & Mitchison, 2003) and presents some basic key principles for approaching digital evidence handling.

Key findings of the paper include:

• “Best” practice for digital evidence handling involves deploying the highest investigative standards at all stages in the identification, analysis and presentation of digital data;
• Targeted training and education of network administrators and end-users in the key principles of digital evidence handling is urgently required;
• Opportunities exist for the further refinement of e-forensic methodologies and processes such as those developed by CTOSE;
• Enhancing e-forensic professionalism through the rapid development of processes for e-forensic computing competences and certification will lead to improved outcomes in the investigation and prosecution of computer misuse and e-crime.

Authors: Broucek, V. & Turner, P. EICAR 2004 Conference CD-rom: Best Paper Proceedings. Editor: Urs E. Gattiker. ISBN: 87-987271-6-8. Copyright © 2004 by EICAR e.V.

[1] Paul Turner, et al. Forensic Computing Theory & Practice: Towards developing a methodology for a standardised approach to Computer misuse. Australian Computer, Network & Information Forensics Conference, 2003.

[2] Broucek, et al. Forensic Computing: Developing a Conceptual Approach in the Era of Information Warfare. 2001.

[3] Paul Turner, et al. A forensic computing perspective on the need for improved user education for information systems security management. 2002.

[4] Paul Turner, et al. The Federal Court, the Music Industry and the Universities. Australian Computer, Network & Information Forensics Conference, 2003.

[5] Julie Clacy, et al. In line. Nursing Standard (Royal College of Nursing (Great Britain): 1987), 1988.

[6] Paul Turner, et al. Risks and Solutions to Problems Arising from Illegal or Inappropriate On-line Behaviours: Two Core Debates Within Forensic Computing. 2002.

[7] Paul Turner, et al. Intrusion detection: Forensic computing insights arising from a case study on SNORT. 2003.

[8] Broucek, et al. Developing a Conceptual Approach for an Emerging Academic Discipline. 2001.

[9] Paul Turner, et al. Refining the Taxonomy of Forensic Computing in the era of E-Crime: Insights from a survey of Australian Forensic Computing Investigation (FCI) teams. 2003.

[10] Peter Sommer, et al. Intrusion detection systems as evidence. Computer Networks, 1999.

[11] V. Broucek, et al. Bridging the Divide: Rising Awareness of Forensic Issues amongst Systems Administrators. 2002.

[12] Inès Leroy. Facultés universitaires Notre-Dame de la Paix. Cent septante-cinquième anniversaire (1831-2006). 2006.