
Digital Forensics : Capability Review

Abstract

A review of trends and capabilities in UK Digital Forensics.
Enabling Partnerships for Innovation in Forensic Science (tinyurl.com/FoSciSIG)

Digital Forensics Capability Review
June 2013
Forensic Science Special Interest Group Digital Forensics Capability Review
Imprint
Digital Forensics
Capability Review
Published by
Electronics, Sensors, Photonics
Knowledge Transfer Network
Bailey House
4-10 Barttelot Road
Horsham
West Sussex
RH12 1DQ
+44 (0)1403 251 354
www.espktn.org
@espktn
© ESP KTN, Horsham, October 2013
* ESP KTN and its collaborators do not accept any legal responsibility for any errors, omissions or misleading statements in this report and cannot endorse products, services or individual organisations referenced within this report.
The authors of this report and its contents do not necessarily represent the views of the Forensic Science Special Interest Group, the Technology Strategy Board or the Department for Business Innovation & Skills.
Introduction
Traditional digital forensics activities involve the recovery and investigation of material found on digital devices. Such data is at rest on static devices such as hard drives and in solid-state memory on camcorders, mobile phones, GPS navigation devices and so on. The market for this activity was driven by law enforcement and other public sector organisations, hence it was necessary for all activities to be conducted in line with UK evidential criteria so that evidence produced from the investigations was admissible in a court of law.
Our digital age has seen requirements evolve. With the ubiquitous use of email came a requirement for a new field of expertise known as “eDiscovery”. This term refers to discovery in civil litigation, which deals with the exchange of information in electronic form (electronically stored information or ESI). This data is subject to local rules and processes and is often reviewed for privilege and relevance before being turned over to opposing counsel, where the burden of proof rests on the balance of probability.
However, with the growth of cyberspace; the trend towards mobile devices; the practice of Bring Your Own Device (BYOD); and Cloud services, data has taken on a far more transitory nature and the physical location of data at rest can be difficult, if not impossible, to determine. Data is versioned, distributed, and stored across differing networks, devices, borders, and boundaries.
The traditional digital forensics practice of imaging and extracting information from disparate physical devices no longer suffices for incident investigation in cyberspace and there is an increasing requirement for technical developments from businesses in the private sector. Therefore, new and emerging capabilities are required to meet this new and increasing demand in digital forensics.
In producing this report, the Forensic Science Special Interest Group partnered with De Montfort University to establish a core team of industry and academic experts in the field who were able to engage with the community and extract information relating to the current digital forensics challenges being faced. The resulting information compiled here provides a picture of existing capabilities, current challenges, and ways to reduce the capability gaps that have become apparent.
Throughout the report, some personal comments from the author have also been included based on his
own experience of casework, discussions with other industry practitioners, and other related projects.
A glossary of terms is provided at the end and Annex A provides some supplementary information that
was gathered at a conference held during the course of this project.
Digital Forensics Capability Review
By Angus Marshall with Stewart Higham and Tony Dyhouse
June 2013
Contents
Introduction
Approach and Methodology
Project Outcomes
Question 1: What is meant by the term “digital forensics”?
Question 2: In which context do you use digital forensics?
Question 3: Which types of technology do you deal with in the context of digital forensics?
Question 4: What is the greatest digital forensics challenge faced in everyday activities and how could it be addressed?
Question 5: What challenges do you think you will face in the near-term (1-2 years) and medium-term (2-5 years) future? How do you think these challenges could be addressed?
Question 6: When you are looking for a solution to a digital forensics problem, who do you turn to for a) off-the-shelf solutions and b) bespoke solutions or product customisation?
Question 7: Who would you consider to be the key people or organisations relevant to your experience and usage of digital forensics?
Question 8: What other innovations, relating to technology, services or any other issues affecting digital forensics do you think would be useful?
Conclusions
Glossary
References and Bibliography
Annexe A - Other Relevant Conference Outcomes
Approach and Methodology
The project on which this report is based ran from December 2012 to April 2013 with two main aims:
1. To identify those areas where research and development (R&D) are required to support and enhance the UK’s capability in the field of digital forensics; and
2. To identify resources, including personnel, technology, and organisations, which currently exist or are used by the UK for R&D in this area.
Three main activities were conducted:
1. A day-long workshop with key industry representatives;
2. A questionnaire exercise; and
3. A day-long conference with an open invitation to all interested parties to attend.
The following people collaborated in the workshop and in creating the questionnaire:
Tony Dyhouse ICT KTN Project Manager
Angus Marshall Programme Lead
Stewart Higham Programme Assistant
Mike Andrews Manager, National Trading Standards eCrime Centre (NTSeCC)
Luke Alexander Analyst, Computer Forensic Alliance (deputising for Simon Janes)
Roy Isbell Editor, Digital Forensics Magazine and Visiting Lecturer, De Montfort University, Technical Lead at Cyber Influences Centre
Sarb Sembhi Director of Consulting Services, Incoming Thought
Denis Edgar-Neville Project Leader ECENTRE, Canterbury Christ Church University
Nigel Crockford Forensic Team Leader, Financial Services Authority
Ali Anjomshoaa Co-ordinator, Forensic Science Special Interest Group
Across the first two activities, answers to a set of key questions were sought, with the workshop discussion informing the questions that were ultimately posed in the questionnaire. Highlights from an interim version of this report covering the results obtained from activities 1 and 2 were presented as the basis for the discussion at the subsequent conference. This conference then served as a forum for the discussion and validation of those results as well as a means of identifying any additional issues.
Participants for the questionnaire were selected by personal contact and also through the distribution lists of the ECENTRE project, British Computer Society (BCS) Cybercrime Forensics Specialist Group, and the Digital Forensics Magazine. The ICT KTN also presented the project aims at a Communications-Electronics Security Group (CESG) Information Assurance Practitioners’ event and attendees at this event were invited to contribute to the project through the questionnaire.
Participants in the conference were largely self-selecting with some key members of the community
invited to speak and contribute.
Project Outcomes
The following project outcomes are presented in the order of the questions that were put forward to the
workshop participants in activity 1, and which were subsequently used to form the questionnaire for
activity 2.
Question 1: What is meant by the term “digital forensics”?
Workshop Result
The workshop participants agreed that, although its usage is technically incorrect, as the word “forensic” is an adjective, the term “digital forensics” (synonymous with digital investigations) is a useful shorthand and exists in common usage amongst the wider community beyond law enforcement and the criminal justice system.
The participants concluded that two definitions are possible:
1. A strict definition: The recovery and analysis of [digital] material for use in court, as part of a digital investigation.
2. An extended definition: The recovery and analysis of [digital] material, intelligence gathering, incident response, etc. including the use of assistive technology and similar applications (e.g. Automatic Number Plate Recognition (ANPR), facial recognition, digital equipment at crime scenes) as part of a digital investigation.
There was a general consensus within the group that the accepted meaning of the term extends beyond the strict definition and that, therefore, the extended definition is more useful. This is because it encompasses concepts which have applications beyond the purely law enforcement and judicial contexts.
Questionnaire Result
Responses from the questionnaire were varied, but certain key words and phrases occurred more frequently than others in the responses. Most commonly these were: “acquisition”, “recovery”, “digital evidence”, “usage in court”, “usage in legal proceedings”, “examination”, “processing”, “analysis”, “data in digital format”, “criminal”, “civil”, “investigation”, “reporting”, and “incident response”. With the help of these key words and phrases, a further composite definition of digital forensics can be produced:
Composite definition:
The acquisition or recovery, examination, processing, and analysis of any data in a digital format,
including the reporting thereof, for use during an investigation, including usage as digital evidence
during any criminal or civil legal proceedings, or as part of an incident response.
Amalgamated Result
In comparing the extended definition produced as a result of the workshop discussions with the composite definition, it becomes clear that they both identify some sort of interaction with digital material or data as part of an investigation. Both definitions also specify that this can include some form of incident response. However, the extended definition also includes intelligence gathering and assistive technology, neither of which is mentioned in the composite definition.
In the broader context both definitions are valid, although it may be argued that one is more constrained by personal viewpoints than the other. A combined definition can, however, be synthesised from the two of them as follows:
Combined definition:
The acquisition or recovery, examination, processing and analysis of any data held in a digital format, including the reporting thereof, for use during an investigation. This includes its use as digital evidence during any criminal or civil legal proceedings; its use as part of an intelligence gathering exercise; or its use as part of incident response. It may also include the utilisation or investigation of assistive technology and similar applications (e.g. ANPR, facial recognition, and digital equipment at crime scenes) during the course of the investigation.
Conference Outcome
The above definitions were presented to the conference attendees and it was agreed that the combined definition is the most appropriate and useful as it encompasses both intelligence gathering and incident response activities. This was considered appropriate as it can be necessary to convert the results of these activities into evidence, even though that may require additional processes and services.
Author’s Comments
The term “digital forensics” may be considered contentious as it seems to have two distinct meanings, one in the context of law enforcement and another in the context of other types of investigations. In its broadest sense and in common usage, it refers to any investigative activity which involves digital devices. Additionally, there is an on-going debate about the use of digital forensics methods for the production of intelligence, i.e. information used to assist and guide investigations without being considered permissible in court as evidence. It is known that situations arise where there is a need for intelligence material to be converted into an evidential product and, for this reason, it is considered better practice for intelligence gathering processes to be treated as evidence-producing processes from the outset.
Question 2: In which context do you use digital forensics?
This question was put only to the questionnaire participants in order to measure the number of industry
sectors covered by that exercise. The results are displayed in Figure 1.
Figure 1: Industry sectors in which digital forensics is used. (Relative scale)
Author’s Comments
Responses were not obtained from everyone who had been invited to participate in the questionnaire and, as such, the sample group was largely self-selecting. Nonetheless, the proportion of respondents with experience of each sector seems to reflect real-world experience of where digital forensics, in its broadest sense, is employed. In particular, the inclusion of sectors which do not normally produce evidence for use directly in court ensures that the results map well onto real-world usage of digital forensics methods in those sectors where investigations are routinely used for internal purposes only.
Question 3: Which types of technology do you deal with in the context of digital forensics?
This question was only put to the questionnaire participants, but was informed by the workshop participants’ agreement that there are four major categories of digital evidence sources (described below). Responses include both sources of evidence and the technologies used to recover and analyse evidence. The results from the questionnaire have been mapped onto the four categories in Figure 2 and grouped by technology type in Figure 3.
The Four Categories of Digital Evidence Sources
The category names given here are derived from the Association of Chief Police Officers (ACPO) Principles (ACPO, 2012) which are generally applied to digital evidence.
1) Principle 1 (also known as “dead box”) Sources
These are primarily systems which contain persistent storage, for example hard disks, and can be write-protected and copied in order to preserve their contents, although there are some systems that do not fit the conventional model, such as some embedded systems, SCADA and so on. The majority of work in this area is well-supported through existing commercial and non-commercial efforts and the major challenges here currently arise from increasing storage capacity and issues of managing the resulting evidence or data. There may also be some need for additional work on emerging or unusual file systems and specific applications.
The workshop participants agreed that further technical work in this area could be considered as low
priority.
2) Principle 2 (also known as “live box”) Sources
This is known to be a rapidly developing area, driven as much by consumer expectations for regular updates as by technological advances. It includes personal mobile and embedded devices such as mobile phones, GPS, and vehicle electronics. Current development of digital forensics capability in this area lags behind the devices by some way and solution providers have to make difficult choices about which devices to target for new releases of investigative tools. The nature of the devices also means that they are ripe for exploitation in ways which are outside their original design parameters, for example the use of handsets as triggers for explosives or as hidden recording devices.
Examination of these devices is often hampered by their construction and the difficulties inherent in interfacing with them at both the hardware and software levels. Investigators can be forced to work with only a logical (user) view of the contents, which may obfuscate potentially relevant material. Access to full data can be extremely costly and difficult, requiring “chip-off” techniques and / or the adoption of “hacker” tools.
The time between product release and the need for investigative support can be measurable in terms of
hours rather than months, weeks or days.
The workshop participants took the view that further work in this area is required, although some commercial tool providers are already very active in resolving problems in this area.
3) Remote Sources
This area, covering sources such as website and Cloud storage, was acknowledged as being very under-resourced. It presents some unique challenges, mostly caused by the inability to identify and / or gain access to the physical systems which present the logical view of the remote service to the user or investigator. Challenges arise from the potential for distributed or replicated systems, for example peer-to-peer, and the requirement for investigators to access systems across public networks using methods similar to those used by normal users. In particular, there is a danger of leaving an investigative “footprint” or triggering anti-forensic system behaviours, for example web servers which present different pages depending on various HTTP header data. The ease with which new protocols and systems can be created and modified, such as on social media sites, also presents significant challenges for investigators.
4) Other Digital Forensics Systems
The workshop participants discussed the use of various types of digital technology as an aid to investigations, including assistive technology at crime scenes, intelligence modelling, and mapping systems. It was agreed that these systems should be included in any consideration of digital forensics capability.
Questionnaire Results
Figure 2: Evidence sources by category (% reported).
Figure 3: Technologies encountered, P1 – Principle 1, P2 – Principle 2, R – Remote, O – Other. (Relative scale)
Conference Outcome
There was some discussion in relation to where to place research focus with regards to these categories.
It was suggested that Principle 1 devices are catered for largely by the “big players” – providers of commercial investigative tools – and, although not publicly validated or verified, their tools seem to serve the purpose.
It was suggested that Principle 2 devices are very much fashion driven and the increasing release rates of investigative tools, for example from five product releases per year to six, demonstrate that it is a growing area of need for digital forensics capability development. In particular, police mobile phone investigation units (Principle 2 source) are now often larger in terms of manpower than their “dead-box” (Principle 1 source) counterparts. Despite this, there is no single dominant platform of operating systems and hardware in the Principle 2 space, nor is there a dominant examination solution for Principle 2 sources. This results in time, and therefore money, being wasted on exporting and importing different formats for different tools. In such cases, it was advised that the development of standards may be of particular use in bringing about some level of unification and that vendors may consider releasing particular modules for use with multiple tools, rather than releasing a full set of new tools.
There was consensus that there is also growth in the prevalence and diversity of remote sources, with distributed and Cloud systems becoming more common, resulting in growing challenges in digital forensics investigations involving these sources.
Further, it was advised that improving the technical standards of CCTV and addressing issues such as
poor placement would also be of value.
Author’s Comments
The results shown in Figure 2 fit well with casework experience. Most evidence is still being produced from Principle 1 devices, with Principle 2 becoming increasingly important. Remote sources currently tend to appear as evidence in relatively few cases, but they do have increasing usage as intelligence sources.
Figure 3 shows a sample of the range of technologies currently being encountered in the investigative process and is by no means an exhaustive or comprehensive list. Although many of these technologies can be investigated using similar techniques, for example hard disks, solid-state disks, and removable storage media, many do still require unique tools or techniques such as different models of mobile devices from different manufacturers, social networks, and Cloud storage. If anything, the results of this question serve to highlight the huge number of potential challenges which are faced now and are likely to be faced in the future.
Question 4: What is the greatest digital forensics challenge faced in everyday activities and how could it be addressed?
This question asked the participants to consider challenges at the personal and organisational levels
separately. Figure 4 and Table 1 show the responses with respect to the personal level while Figure 5 and
Table 2 display the feedback obtained regarding the organisational level.
Personal Challenges
Figure 4: Greatest personal digital forensics challenges in everyday activities. (Relative scale)
Challenge | Solution
Data Volumes / Big Data | Improved tools; increased use of filtering (file recognition) and predictive coding; research to understand how humans interact with, and manage, large volumes of data
Personnel exceeding own limits of knowledge and / or authority | Education and training; registration of practitioners / competence certification
Non-standard operating systems | –
Lack of integration of tools in detection and investigative process | –
Lack of real examples for education and research | Greater collaboration between practitioners and education / research establishments to produce realistic data
Encryption | –
Continuing professional development (CPD) / skill maintenance due to changing landscape (technical and non-technical) | Use of newsgroups, websites, online communities, blogs, professional and trade bodies; more time allocation; education and training
Steganography awareness | Community promotional activities
Table 1: Suggested solutions to address personal digital forensics challenges.
Personal Challenges – Summary
In the case of the non-technical challenges, the single most common proposed solution was increased education and training for all involved in the process, including end-users, first responders, managers, legal professionals, and the judiciary.
To address the technical challenges, a set of proposed solutions was identified for each one as shown in Table 1.
Organisational Challenges
Figure 5: Greatest organisational digital forensics challenges in everyday activities. (Relative scale)
Challenge | Solution
Data Volumes / Big Data | Improved tools; increased use of filtering (file recognition) and predictive coding; research to understand how humans interact with, and manage, large volumes of data
Personnel exceeding own limits of knowledge and / or authority | Education and training; registration of practitioners / competence certification
Non-standard operating systems (i.e. those open to customisation by the vendor or user or those which are unique to a few devices only) | –
Lack of integration of tools in detection and investigative process | –
Lack of real examples for education and research | Greater collaboration between practitioners and education / research establishments to produce realistic data
Encryption | –
CPD / skill maintenance due to changing landscape (technical and non-technical) | Use of newsgroups, websites, online communities, blogs, professional and trade bodies; more time allocation; education and training
Steganography awareness | Community promotional activities
Table 2: Suggested solutions to address organisational digital forensics challenges.
Organisational Challenges – Summary
As with the personal challenges identified, the major recommendation for dealing with the non-technical issues is to educate users at all stages of the process.
The suggestions proposed for addressing the technical challenges identified are shown in Table 2.
Overall Analysis
The key challenges for both the personal and organisational levels seem to be in the areas of personnel
and the management of Big Data.
Firstly, there is the issue of personnel being aware of their own limits, in terms of both knowledge and skills as well as in terms of their own authority to act. This presents technical challenges as their actions may alter potential evidence, and non-technical challenges in that their actions may breach policy or law and result in action being taken against them or their organisation. Addressing these issues requires a combination of technical solutions, i.e. tools, education about methods and so on, and non-technical solutions such as education about policy and law.
Secondly, there is the issue of how to manage Big Data, and the associated caseloads and timescales. Again, there are technical and non-technical issues at play here. At a technical level, there is a perceived need for better tools to assist with the analysis of large amounts of data, possibly making use of:
- Known file filtering methods – to eliminate known good files, or select only known bad files depending on the context;
- Predictive coding – to examine and establish relationships between data; and
- Evidence management techniques – to allow for greater parallel processing of material possibly by larger investigative teams.
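Known file filtering in both of the modes mentioned above, as an added Python example (not code from the report or from any tool it names): each recovered file is hashed and looked up in a known-good set and a known-bad set; the "eliminate" mode drops known-good files from the review queue, the "select" mode keeps only known-bad hits. The file contents and both hash sets are constructed for the example; in practice the known-good set would be a reference hash library and the known-bad set would come from a malware or contraband hash list.

```python
import hashlib
from typing import Dict, List, Mapping, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for files recovered from an image: path -> content.
RECOVERED_FILES: Dict[str, bytes] = {
    "Windows/System32/kernel32.dll": b"constructed: vendor-shipped OS binary",
    "Windows/System32/ntdll.dll": b"constructed: vendor-shipped OS binary 2",
    "Users/alice/Documents/report.docx": b"constructed: user-authored document",
    "Users/alice/AppData/Local/Temp/upd.exe": b"constructed: sample matching a bad-list hash",
    "Users/alice/Pictures/holiday.jpg": b"constructed: user photo",
}

# Constructed hash sets; real sets hold millions of entries but are used the same way.
KNOWN_GOOD: Set[str] = {
    sha256_hex(b"constructed: vendor-shipped OS binary"),
    sha256_hex(b"constructed: vendor-shipped OS binary 2"),
}
KNOWN_BAD: Set[str] = {
    sha256_hex(b"constructed: sample matching a bad-list hash"),
}


def classify(files: Mapping[str, bytes], known_good: Set[str],
             known_bad: Set[str]) -> Dict[str, List[str]]:
    """Sort files into 'eliminated' (known good), 'flagged' (known bad) and 'review' (unknown).

    The bad set is checked first: a hash that appears in both sets is flagged,
    so a bad-list hit can never be hidden by the known-good filter.
    """
    result: Dict[str, List[str]] = {"eliminated": [], "flagged": [], "review": []}
    for path in sorted(files):
        digest = sha256_hex(files[path])
        if digest in known_bad:
            result["flagged"].append(path)
        elif digest in known_good:
            result["eliminated"].append(path)
        else:
            result["review"].append(path)
    return result


def review_queue(files: Mapping[str, bytes], known_good: Set[str],
                 known_bad: Set[str], mode: str = "eliminate") -> List[str]:
    """Build the list an examiner still has to look at.

    'eliminate': everything except known-good files (broad examinations).
    'select':    only known-bad hits (targeted searches against a hash list).
    """
    groups = classify(files, known_good, known_bad)
    if mode == "eliminate":
        return groups["flagged"] + groups["review"]
    if mode == "select":
        return groups["flagged"]
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    groups = classify(RECOVERED_FILES, KNOWN_GOOD, KNOWN_BAD)
    for name, paths in groups.items():
        print(f"{name}: {paths}")
    print("eliminate mode:", review_queue(RECOVERED_FILES, KNOWN_GOOD, KNOWN_BAD, "eliminate"))
    print("select mode:", review_queue(RECOVERED_FILES, KNOWN_GOOD, KNOWN_BAD, "select"))
```

Checking the bad set before the good set matters in practice because reference sets are built from vendor media and occasionally contain files later found to be malicious; an examination that filtered on the good set alone would drop such a file without ever flagging it.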
A better understanding of how humans actually interact with Big Data systems is also required in order
to develop better algorithms for the analysis of such systems.
Interestingly, the solutions to the technical challenges identified on both the personal and organisational levels are similar regardless of which level the issue occurs on.
Author’s Comments
Many of the challenges raised here relate to personnel-based issues. Current regulatory work and new draft ISO standards require a degree of certification of competence of the individuals involved in all stages of an investigation. This may help to address this problem area to some extent. The Forensic Science Society and the BCS also have robust CPD schemes which may prove useful if applied more widely.
The challenge of managing a high volume of data and casework is an acknowledged problem in various
agencies and some have taken steps to address it by adopting eDiscovery technologies.
Question 5: What challenges do you think you will face in the near-term (1-2 years) and medium-term (2-5 years) future? How do you think these challenges could be addressed?
This question was only put to the questionnaire participants. In responding, many of them actually chose not to distinguish between the near- and medium-term future and, thus, all answers have been aggregated and are presented collectively in Figure 6.
Figure 6: Future digital forensics challenges. (Relative scale)
Analysis
It is clear from Figure 6 that there is a cluster of 5 areas which are seen as presenting the most significant challenges. These are:
1. Data volumes and Big Data. As noted in Question 4, dealing with large quantities of data, often from multiple sources, is a complex process and requires the development of improved techniques and tools.
2. Cloud systems. With the increasing usage of mobile devices and network-based applications and storage, there is a tendency for personal data to be held remotely. Investigation of these remote sources is hampered by jurisdictional issues, i.e. data may be distributed, fragmented and / or replicated across equipment in several different geographic locations each potentially containing different versions of the data at any point in time. It can also be difficult for an investigator to gain access to a full view of the stored data.
3. Mobile and convergent devices. Moore’s law still applies, albeit in a modified form. Smaller, more personal, devices are gaining more functionality to the point where a current smartphone contains more functionality today than a desktop personal computer did at the beginning of the century. These devices contain special operating systems which are subject to frequent modification and updates and which do not store information in a consistent manner from one model or manufacturer to the next. They are almost always Principle 2 devices and, therefore, require the use of methods which may damage any evidence held on them as part of the investigative process.
4. Divergent standards. To a large extent this relates to the mobile or convergent device problem. The market for these devices is highly competitive and driven, to a large degree, by fashion. Each manufacturer seeks to create a competitive advantage by offering new features on their devices, thus there is an impetus for them to continue to develop, modify, and customise software and hardware in a way which their competition cannot copy. This results in areas of incompatibility which parallel those seen in the early days of the PC market in the late 1970s and 1980s.
5. Technology ubiquity and the Internet of Things. There is a drive to provide more technology, preferably with internet connectivity, in more and more devices. This results in a much larger internet where more devices may be subject to attack or may become sources of evidence, some of them even being remote sources. The issues mentioned in the four categories covered in Question 3 converge at this point. The issue of increasing potential for peer-to-peer and machine-to-machine resource sharing, which makes the Cloud more complex and more distributed, further exacerbates the problems and presents new investigative challenges which are not yet fully understood.
The solutions that the participants proposed to the challenges raised by this question are detailed in Table 3.
Challenge | Solution
Data volumes / Big Data | New tools
Cloud systems | New tools / frameworks for Cloud investigations; collaboration with Cloud providers; change legislation to enable Cloud investigation locally (i.e. make data owned where it is used, not where it is stored)
Mobile / convergent devices | New tools; improved security measures
Divergent standards | Collaboration with manufacturers
Technology ubiquity / Internet of Things | Research and development to move from reactive models to active models of investigation
Lack of manufacturer assistance | Collaboration with manufacturers
Smarter users – obfuscation | Education / training
Ignorant users – side effects | Education / training
Need for better integration between investigations and cybersecurity | Improved structures; good practice guides
Organisational change resulting in role change | –
Need to move from reactive response to active inbuilt digital forensics capability | Educate budget holders / policy makers
Need for better integration of tools and systems | Improve tool integration technologies
Increasing anti-forensic obfuscation methods | –
Increasing numbers of advanced persistent threats (APT) | Better APT detection and handling
Increasing device numbers (per investigation) | –
More widespread encryption | –
Table 3: Proposed solutions to future technical challenges.
Future Challenges Identified During the Workshop
The participants of the workshop also identified a list of future technical challenges and these are included below for reference. However, they did not propose any specific indications of priority for resolving them.
1. Mobile devices (Principle 2 sources). A unified mobile device tool would be an ideal solution, allowing for the addition of modules to cope with new devices. This would require greater standardisation of interface protocols.
2. Some devices currently require the use of methods which are not forensically sound and rely heavily
on the application of ACPO Principle 2, for example jail-breaking iPhones to gain access.
3. The exchange of information or data between investigative tools during the investigative process is
problematic, leading to wasted time and introducing the potential for error during the conversion and
reformatting phases. Standardised information presentation or Application Programming Interfaces
(APIs) would help.
4. CCTV systems in particular pose problems as there are no commonly agreed standards on encoder-decoder (CODEC) usage. Cost is also a factor in the choice of system, and the cheaper systems can result in very poor quality data. Continued operation of legacy systems, such as VHS or early hard disk systems, can also present data format problems.
5. Information sharing. There are many communities holding information, but assuring the quality of that information can be difficult, as can gaining access to trustworthy communities where high-quality information is available.
6. Access to reliable and suitable tools can be difficult. It was proposed that a digital forensics "app store" could be created where information and tools could be made available using a similar model to that currently being developed by some of the larger personal device vendors. It was suggested that this would have more value if standard operating procedures and validation were included with any tools provided. The burden of testing to support this was considered problematic and could be a barrier to development. Conflict with other open-source communities and repositories was also mentioned as a possible problem.
7. Future technologies, for example the use of Graphene, are likely to create new problems. There
should be an on-going horizon-scanning exercise to attempt to identify these.
8. 3D printing or produce-at-home systems.
9. Personal Area Networks and personally distributed systems.
10. Pacemakers, medical implants, bionics, and the possibility for the subversion of such devices.
11. Healthcare systems.
12. Smart buildings and the smart grid.
13. Profiling and attribution of activity.
14. Cell-site analysis and geo-location.
15. Vehicle electronics.
Conference Outcome (Questions 4 and 5)
The conference participants reviewed the questionnaire results and were, broadly speaking, in agreement with them. Most notably, they concurred specifically with the following challenges that were identified:
A change in legislation to reflect where data is processed or used, rather than where it is stored, would assist with the ability to undertake investigations.
Managing vast amounts of data is a major problem.
New investigative frameworks for specific types of investigations, such as Cloud-based investigations, are required.
There is little value in pursuing new innovations for the examination of Principle 1 sources.
There should be a focus on the interoperability of tools, possibly through standardisation.
There is no central repository for information or tool sharing.
There may be value in establishing a trusted environment, under an intellectual property-protected roof, to share information and tools within the community.
There is a need for more education and training, not only with respect to the digital forensics investigative process and usage of tools, but also with respect to the limitations of those tools and the limitations of the user's own knowledge and ability.
Furthermore, the conference participants felt that a major point of interest was that a lot of non-technological and non-technical challenges have emerged in the course of this study, such as those relating to the need for education, lack of experience and so on. It was argued that, in many cases, practitioners seem to be adopting the attitude that other people require educating and not themselves. Similarly, a frequent response to challenges was to "produce new tools", which is arguably synonymous with "let someone else deal with the problem". This may demonstrate a negative attitude amongst the digital forensics community and suggest that the community is unwilling to confront the challenges ahead.
It was also noted that although law enforcement was identified as a major user and provider of digital forensics, there was little discussion of specific issues or challenges relating to law enforcement. The conference participants, and in particular the Forensic Science Regulator, commented that law enforcement is suffering from a lack of clear strategic leadership and funding in this area despite the growing need for digital forensics within law enforcement. It is also evident that law enforcement appears to have difficulty in identifying trusted partners, particularly in relation to commercial providers, and this hinders progress in this area.
Furthermore, the Regulator emphasised the fact that digital forensics is currently conducted without any specific regulation and the processes carried out rely on consensus only. The Regulator felt that this is no longer sufficient and that there now needs to be a valid and reliable quality standards framework; legislation underpinning the digital forensics investigative process; and a means to validate the digital forensics process as a whole. Although the questionnaire participants did not provide an opinion on this as a means of addressing the challenges ahead, there is current regulatory work and draft ISO / IEC standards in train which will require the certification of the competence of individuals involved in all stages of an investigation.
Finally, with respect to the perceived future challenges relating to Cloud storage, a small number of conference participants proposed the idea that a change of legislation could be a means of addressing issues in this area.
One area in which the conference participants were specifically in disagreement with the questionnaire results was the suggestion that new tools would be beneficial. Instead they suggested that perhaps there should be less focus on developing new tools and more emphasis on developing new methods, or modules for existing tools, in order to improve, extend, and enhance their capabilities.
Author’s Comments
Many of the challenges identified during the workshop were also raised by the questionnaire participants. However, the range of challenges discussed at the workshop was wider than that resulting from the questionnaire because those at the workshop had adopted a broader definition of digital forensics.
Question 6: When you are looking for a solution to a digital forensics problem, who do you turn to for a) off-the-shelf solutions and b) bespoke solutions or product customisation?
This question was intended to identify existing resources and solution providers which should be consulted and considered for inclusion in further R&D work in this area.
a) Off-the-shelf Solutions
Figure 7: Off-the-shelf solution providers. (Relative scale)
b) Bespoke Solutions or Product Customisation
Figure 8: Bespoke or customised solution providers. (Relative scale)
Analysis
Most practitioners tend to seek off-the-shelf solutions from one of a small group of well-known commercial providers in the first instance. The reasons most commonly cited for this are "there isn't anyone else" and / or "the product is tried and tested". The majority of these providers, and in particular those behind the major tools, are based outside the UK.
It is also noteworthy that the predominant resource for bespoke and customised solutions is "In-house", i.e. internal development or tweaking by a more knowledgeable colleague. The workshop participants suggested there was a need for a central repository of trusted tools and other resources in order to provide a quality assurance framework and reduce duplication of effort.
Author’s Comments
The results obtained here parallel the results seen from other surveys. From a UK perspective, the dependence on commercial providers is somewhat worrying as all the major players are based outside the UK. The "tried and tested" argument is a source of some concern too, as none of these providers are known to publish any records of verification of their tools. Indeed, some seem to rely on community efforts to report flaws and debug their products. In the context of developing regulations and international standards, this is likely to be insufficient to allow their continued use without further effort. Recent developments in the major tools also suggest that the vendors do not see the UK, or even Europe, as a major market and are working on repositioning their products to align more with the preference for eDiscovery products over forensic tools that is apparent in other jurisdictions.
The idea of having a trusted repository of tools may well be a helpful one and it is something which the
ECENTRE project is known to be pursuing.
Question 7: Who would you consider to be the key people or organisations relevant to your experience and usage of digital forensics?
The list of key stakeholders identied by the questionnaire participants is presented in Figure 9.
Conference Outcome (Questions 6 and 7)
The conference participants agreed that there is no obvious single point of contact for providing commercial solutions to digital forensics requirements in the UK. There is also a lack of an obvious central repository for tools or information and an absence of comprehensive industry certifications, particularly with regard to those tools produced by the major players who dominate the market.
It was also noted again that participants chose not to differentiate between challenges arising in the immediate future (1-2 years) and those that may arise in the medium term (2-5 years). This could indicate that whatever poses a problem now will likely remain a problem for the foreseeable future.
Figure 9: Key stakeholders. (Relative scale)
Question 8: What other innovations, relating to technology, services or any other issues affecting digital forensics do you think would be useful?
Interestingly each questionnaire participant who provided an answer to this question gave a different
response. They include:
Mobile device interface or connector standardisation.
Government support for more research.
Updating legislation to cope with new developments.
Greater use of encryption and meta-data to assist automated data auditing.
End-user involvement in standards development.
Training development.
Raising awareness of senior staff.
Improved automated tools.
Increased use of Graphics Processing Units (GPUs) to process evidence or find information.
Greater use of distributed processing for faster results.
Open access to a repository of data sets relating to a variety of realistic cases, both for training and
educational purposes and for research.
Cost-effective triage.
Enabling seizure or capture of Cloud storage.
Pure digital forensics research (as opposed to applied).
Quantum computing.
Nano-technology.
Open-source, collaborative, community maintained repository of tools and information.
Conference Outcome
Several additional suggestions were raised during the conference discussion as follows:
CCTV technical standards should be improved.
There is a lack of clear strategic leadership, particularly with regards to law enforcement.
There is a need to validate the digital forensics process as a whole.
There is no easily identifiable, single UK point of contact for developing commercial solutions to digital forensics challenges.
The whole digital forensics investigative process should be optimised.
There is a need to ensure the engagement of the digital forensics community, particularly with regard to law enforcement, senior management, and the Home Office, in innovation.
There is a need to optimise the approach to digital forensics innovation and progress, ensuring a top-down approach with respect to leadership to drive projects, and a bottom-up approach to drive innovation.
Author’s Comments
As noted under question 7, the ECENTRE project is known to be actively investigating the production of a central repository of tools and resources for the community. This may include case data, research papers, and training materials. It is suggested that any future projects arising from this report should consider making their outcomes available to the community through the ECENTRE portal when it becomes available.
Conclusions
The results gathered in the course of this project can be summarised by the assertion that "there is broad consensus on the problems, but not so much on the solutions". In general, participants in all three activities agreed on the nature of the challenges they face, but proposed many different approaches to addressing these, which suggests perhaps that the field is ripe for new work in order to improve understanding and discover optimal solutions.
It has become clear that, although there are some areas in which technological innovation can be of benefit to the digital forensics arena, there is a definite need to provide an improved context in which to deploy any innovations. In order to achieve this, further work in the following three categories is required:
1. Regulatory improvements. There is a need to improve the regulation of various aspects of the digital forensics process; the validation and certification thereof; and the optimisation of the whole investigative process.
2. Professional community improvements. It would be beneficial to engage the digital forensics community more in problem solving and to provide the community with stronger leadership; more collaboration opportunities; and improved tool and information sharing facilities.
3. Competence improvements. All those involved in the handling, processing, and use of digital evidence would benefit from additional education and training, particularly with regard to applying the correct methodology and tools as well as improving their understanding of the limitations in each area.
There is also scope for technological developments to improve the UK's capability significantly and to open up the potential for any suitable tools and methods to be exported to other markets. Although major technology-related innovations, particularly with regard to Principle 1 devices, are currently considered highly unlikely due to the effective monopoly which the major providers currently enjoy, the following areas have been identified for this in particular:
Big Data and data volume management.
Cloud systems.
Mobile and convergent devices.
Divergent standards and improved interoperability.
Technology ubiquity and the Internet of Things.
Glossary
ACPO Principles
These are four principles contained within the current version of the Good Practice Guide for Digital Evidence (ACPO GPG), as produced by the Association of Chief Police Officers (ACPO). These principles serve as a guide to good practice for the recovery of digital evidence; however, it should be noted that the Good Practice Guide is not a comprehensive guide to the examination of that evidence. (ACPO, 2012, p6).
The four principles are as follows:
Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
ANPR
Automated Number Plate Recognition. An automated method of reading vehicle registration plates using
optical character recognition technology.
API
Application Programming Interface. A defined set of functions, protocols and data formats through which one software component exposes its functionality to others, allowing programmers or software developers to build on or extend an application without needing access to its internals.
APT
Advanced Persistent Threat. Threats which differ from traditional cyber security threats in that they tend to be conducted by more technically proficient organised groups, often covertly and in a systematic manner, focusing on critical data or information such as that belonging to large corporate bodies or government organisations. (Cole, 2012, p.3; Trend Micro, 2013).
Assistive Technology
Technology used in support of the non-digital investigative process, for example crime scene aids, intelligence mapping tools, and evidence and case management systems.
CODEC
(En)co(der)-dec(oder). Hardware or software used for the encoding and / or decoding of a digital data
stream or signal, primarily with regards to audio or video.
Deleted Data
Data that was live at some point in the past, but which the user or operating system has chosen to remove. In practice, this is carried out by the operating system marking the area of the storage device that was occupied by those data as being available for reuse; the data themselves remain on the medium until that area is actually overwritten, which is why deleted data can often be recovered. (Marshall, 2008, p.50).
Digital Device
Electronic equipment used to process or store digital data. (BS ISO / IEC 27037:2012).
Digital Forensics
The acquisition or recovery, examination, processing and analysis of any data held in a digital format,
including the reporting thereof, for use during an investigation. This includes its use as digital evidence
during any criminal or civil legal proceedings; its use as part of an intelligence gathering exercise; or its
use as part of incident response. This may include the utilisation or investigation of assistive technology
and similar applications (e.g. ANPR, facial recognition, and digital equipment at crime scenes) during the
course of the investigation.
eDiscovery
The process of identifying, preserving, collecting, processing, searching, reviewing, and producing electronically stored information that may be relevant to a civil, criminal, or regulatory matter. (Cormack and Grossman, 2013, p.15).
GPU
Graphics Processing Unit. Hardware which is optimised for, and ordinarily dedicated to, rendering processed data for output to display devices. Because it is built for massively parallel, repetitive calculation, it is also well suited to atypical workloads such as password cracking and bulk hash computation.
Imaging
The process used to obtain all of the data present on a storage medium, for example a hard disk, whether
it is live data, deleted data, data in slack space, data in swap space, or data in unallocated space, in such
a way as to allow it to be examined as if it were the original data. (ACPO, 2007, p.56).
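As an added example (not from the report or from the ACPO guide), the following Python script shows the checks an examiner would want around an imaging step: the source is only ever opened read-only and is hashed before and after acquisition (Principle 1), the image is hashed independently and compared, and a JSON record is appended to an audit log so that an independent party can repeat the verification (Principle 3). The source here is a constructed temporary file standing in for a device; the choice of SHA-256, the record fields and the file names are assumptions.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # read and write in 1 MiB blocks so large media do not exhaust memory


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, image: str, log: str, examiner: str) -> dict:
    """Copy every byte of `source` into `image`, verify, and append an audit record."""
    # ACPO Principle 1: the source is only ever opened for reading.
    before = sha256_of(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is hashed
    image_hash = sha256_of(image)
    # Hash the source again: a different value would show the source was altered.
    after = sha256_of(source)
    record = {
        # Field names and timestamp format are assumptions for this example.
        "timestamp_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "source": source,
        "image": image,
        "bytes": os.path.getsize(image),
        "source_sha256_before": before,
        "source_sha256_after": after,
        "image_sha256": image_hash,
        "verified": before == after == image_hash,
    }
    # ACPO Principle 3: append-only audit trail of what was done and what was observed.
    with open(log, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record


def verify(image: str, expected_sha256: str) -> bool:
    """Independent re-check: anyone holding the image and the audit record can repeat this."""
    return sha256_of(image) == expected_sha256


def demo() -> dict:
    """Run the procedure against a constructed (3 MiB + 12345 byte) stand-in for a device."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "source.bin")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))  # constructed contents, not real media
    record = acquire(source, os.path.join(workdir, "source.dd"),
                     os.path.join(workdir, "audit.jsonl"), examiner="Examiner 1")
    record["recheck"] = verify(record["image"], record["image_sha256"])
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real device the source path would be a block device opened through a write blocker; the before/after hashes then give positive evidence that imaging did not change the original, and the log line is what a third party needs to reproduce the same result.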
Jail-breaking
The process of exploiting configuration oversights, bugs or flaws in the design of a piece of hardware or software, primarily with regard to mobile or similar devices, in order to escalate one's privileges with respect to that hardware or software. This could include gaining full (root) access to a device's underlying operating system, accessing features unintended for access by a developer, modifying features, and bypassing security.
Live Data
Data present on a system in a format which makes them accessible to the user or the normal software
directly and typically represents the outcome of some normal operation of the device or software as a
result of deliberate action. (Marshall, 2008, p.50).
Moore’s Law
A law inferred from an observation made by Gordon Moore in 1965, who noted that the number of components on an integrated circuit (at minimum cost per component) had been doubling roughly every year and projected that this would continue. Moore revised the rate in 1975 to a doubling roughly every two years; the "every 18 months" figure that is often quoted is a later popularisation and does not appear in the 1965 paper. (Marshall, 2008, p.1; Moore, 1965, p.115-116).
Nano-technology
The logical name for any technology which has sub-microscopic physical dimensions, though the term
may be applied more generally to any physically very small piece of technology.
Obfuscation
The act of making data unintelligible whilst still preserving its functionality, for example for the protection
of commercial software source code or for use in cryptography. (Goldwasser and Rothblum, 2007, p.1).
Predictive Coding
A term generally used to describe a technology-assisted review process involving the use of a specialised algorithm (a machine learning algorithm) whereby a piece of hardware or software is able to 'learn' to distinguish relevant from non-relevant material based on an expert's knowledge of a given subject matter. (Cormack and Grossman, 2013, p.26).
Principle 1 (“dead box”) Sources
Devices which can be examined in line with ACPO principle number 1 and contain a non-volatile storage
medium, i.e. the data persists when no power is being supplied to the device. Such devices are generally
suitable for copying in a forensically sound manner and such imaging procedures can be shown to have
made no changes to the original device. These devices may be described as “dead box” sources as they
are generally examined or imaged whilst the device is powered down, i.e. dead. Such Principle 1 sources
can include, but are not limited to:
Hard disk drives
Floppy disk drives
USB storage devices
SD cards
Principle 2 (“live box”) Sources
Devices which must be interacted with in some way, risking making changes to the device or its contents,
and as such require the invocation of ACPO principle number 2 during their examination. These are often
mobile or embedded devices, or devices with non-removable storage media. Such devices tend to evolve
rapidly and contain proprietary hardware and / or software. As such there are fewer agreed standards
relating to their examination, hence an examiner must be competent to do so and be able to fully justify
their actions. These devices may be described as “live box” sources as they are generally examined while
the device is on, i.e. live. Such Principle 2 sources can include, but are not limited to:
Mobile / Smart phones
Tablets
GPS devices
Quantum Computing
The application of quantum physics theory to existing computing theory as alternative modes of information processing. (Centre for Quantum Computation, 2012).
Remote Sources
Devices which an examiner does not have physical access to and, thus, cannot examine directly. As such, an examiner, as a remote user, must capture and interpret relevant available data in whatever logical form is presented to them by the remote networked service or server, rather than the true data as it is stored on that remote source. Data gathered from remote sources is generally platform independent.
Such remote sources may include, but are not limited to, the following though it is important to consider
that new sources (particularly social-media-based sources) are being established regularly:
Facebook
Twitter
Ebay
Google Mail
SCADA
Supervisory Control and Data Acquisition. A computer system, generally in an industrial setting, used for
the gathering and analysis of data in real-time.
Slack Space
File systems allocate storage in fixed-size units (clusters or blocks), so a file whose size is not a whole number of clusters leaves part of its last cluster unused. That remainder is the file's slack space: it is not reported as part of the file, but it still holds whatever bytes were previously written to that cluster, for example the tail of a deleted file. For example, where a file system allocates in 4KB clusters, a user-generated file of 3KB occupies a full 4KB cluster and leaves 1KB of slack which may contain remnants of earlier data. On some older systems the unused part of the last sector was additionally padded with whatever happened to be in memory ("RAM slack"); modern operating systems generally zero that padding, but the rest of the cluster is left untouched. In either case the user has no control over what is found in slack space. (Marshall, 2008, p.52).
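The following Python model is an added example, not taken from the report or from Marshall: it builds a toy cluster-based volume (the cluster size, file names and contents are constructed here) to show in code how deleting a file only frees its clusters, and how a smaller file written into a freed cluster leaves the old contents recoverable from that file's slack space.

```python
CLUSTER_SIZE = 4096  # assumed cluster size, matching the 4KB example in the glossary


class ToyVolume:
    """A byte array split into fixed-size clusters plus a minimal allocation table.

    Deleting a file only marks its clusters as free; no bytes are wiped, which is
    the behaviour behind both 'deleted data' and file slack.
    """

    def __init__(self, clusters: int, cluster_size: int = CLUSTER_SIZE) -> None:
        self.cluster_size = cluster_size
        self.data = bytearray(clusters * cluster_size)  # new media, zero-filled
        self.free = list(range(clusters))               # allocation table
        self.files = {}                                  # name -> (clusters, size)

    def _span(self, cluster: int) -> tuple:
        start = cluster * self.cluster_size
        return start, start + self.cluster_size

    def write(self, name: str, content: bytes) -> None:
        needed = -(-len(content) // self.cluster_size)  # ceiling division
        if needed > len(self.free):
            raise OSError("volume full")
        clusters = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(clusters):
            chunk = content[i * self.cluster_size:(i + 1) * self.cluster_size]
            start, _ = self._span(c)
            # Only the file's own bytes are written; the rest of the last cluster
            # keeps whatever was there before. That remainder is the slack.
            self.data[start:start + len(chunk)] = chunk
        self.files[name] = (clusters, len(content))

    def delete(self, name: str) -> None:
        clusters, _ = self.files.pop(name)
        self.free = sorted(self.free + clusters)  # available for reuse, content untouched

    def read(self, name: str) -> bytes:
        """What a normal application sees: exactly `size` bytes, never the slack."""
        clusters, size = self.files[name]
        out = bytearray()
        for c in clusters:
            start, end = self._span(c)
            out += self.data[start:end]
        return bytes(out[:size])

    def slack(self, name: str) -> bytes:
        """Bytes between the logical end of the file and the end of its last cluster."""
        clusters, size = self.files[name]
        used = size % self.cluster_size
        if used == 0:
            return b""
        start, end = self._span(clusters[-1])
        return bytes(self.data[start + used:end])

    def unallocated(self) -> bytes:
        """Content of clusters not assigned to any file (where deleted data lives)."""
        return b"".join(bytes(self.data[s:e]) for s, e in map(self._span, self.free))


def demo() -> tuple:
    """Write a sensitive file, delete it, then reuse its cluster with a small file."""
    vol = ToyVolume(clusters=4)
    ledger = b"Account 12345678 sort 40-47-84 PIN 1234\n" * 100  # constructed, 4000 bytes
    vol.write("ledger.txt", ledger)
    vol.delete("ledger.txt")                     # now 'deleted data' in unallocated space
    unallocated_after_delete = vol.unallocated()
    vol.write("notes.txt", b"nothing to see here")  # reuses cluster 0, overwrites 19 bytes
    return vol.read("notes.txt"), vol.slack("notes.txt"), unallocated_after_delete
```

Reading notes.txt through the file system returns only "nothing to see here"; the 4077 bytes of slack behind it still hold most of the deleted ledger, and before the cluster was reused the whole ledger sat intact in unallocated space. An imaging tool that copies whole clusters (rather than files) captures both, which is why the glossary's definition of imaging insists on slack and unallocated space.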
Steganography
From the Greek meaning "covered or concealed writing". This is the practice of hiding information within a carrier medium in order to disguise its presence, generally without significantly affecting the use of the carrier file. (Steel, 2006, p.232; Marshall, 2008, p.81).
Swap Space
Space on a storage device, for example a hard drive, which can be used as though it were primary physical memory (RAM), where data in memory is automatically swapped out to storage space (in the form of a swap file) and back in by the operating system as required, based upon priority as determined by the operating system, to ensure operating efficiency. (Marshall, 2008, p.51).
Unallocated Space
Area on digital media, including primary memory, which has not been allocated by the operating system,
and which is available for the storage of data, including metadata. (BS ISO / IEC 27037:2012).
References and Bibliography
ACPO (2012), Good Practice Guide for Digital Evidence, v5, online at: http://library.npia.police.uk/docs/acpo/digital-evidence-2012.pdf [14/06/2013]
BS ISO/IEC 27037:2012, Information technology - Security techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence, International Organization for Standardization.
Centre for Quantum Computation (2012), online at: http://www.qubit.org/
Cole, E. (2012), Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization, Syngress, MA, USA.
Cormack, G. V. and Grossman, M. R. (2013), The Grossman-Cormack Glossary of Technology Assisted Review, Federal Courts Law Review, 7(1).
Goldwasser, S. and Rothblum, G. N. (2007), On Best-Possible Obfuscation, in Proceedings of the 4th Theory of Cryptography Conference (TCC 2007), Amsterdam, The Netherlands.
Marshall, A. M. (2008), Digital Forensics: Digital Evidence in Criminal Investigation, Wiley-Blackwell, UK.
Moore, G. E. (1965), Cramming More Components onto Integrated Circuits, Electronics, 38(8), p.114-117.
Sammes, T. and Jenkinson, B. (2007), Forensic Computing: A Practitioner's Guide, Second Edition, Springer, London, UK.
Steel, C. (2006), Windows Forensics, Wiley Publishing Inc., IN, USA.
Trend Micro (2013), Only a Custom Defense Effectively Combats Advanced Persistent Threats, online at: http://www.trendmicro.com/us/enterprise/challenges/advance-targeted-attacks/index.html [07/04/2013]
Vinson & Elkins LLP Practice Support, EDD Glossary via EDRM, online at: http://www.edrm.net/resources/glossaries/glossary/ [21/01/13]
Annex A – Other Relevant Conference Outcomes
Input from the Forensic Science Regulator
During the conference, Andrew Rennison, the Forensic Science Regulator, offered his perspective on the challenges within the field of digital forensics. His focus was primarily on the current lack of validation within the field and the need to be able to validate tools and / or processes in such a way that satisfies the criminal justice system, including the need for all material to be disclosable.
It was also noted that there is a current push for regulation in digital forensics as it is one of the least regulated areas of police forensics, despite being one of, if not the, largest and fastest growing areas of forensics. Given the claim that to date most digital forensics processes are conducted without regulation and by consensus only, the Regulator emphasised that there was a need for a clear quality standards framework.
Other current challenges raised by the Regulator were the lack of leadership, in particular within the police, and the need to manage vast amounts of digital forensics data globally.
Additional Issues Discussed
The following issues were also raised during the conference and are worthy of particular note in addition
to the results discussed in this report:
There is a current backlog of digital forensics, particularly within law enforcement, arguably due to
privatisation of the market.
There is a potential growing role for the Centre for Applied Science and Technology (CAST) at the Home Office in commercial product assurance.
A valid and reliable quality standards framework in digital forensics is required.
Remote device innovation is almost hobbyist, undertaken by only a few small active groups. Their
developments tend to be in the form of add-ons for larger commercial tools.
The “big 5” companies provide tools which cover approximately 80% of the categories, and the
scope left for innovation is very small and mainly in areas we know very little about.
There may be value in repeating this project in a number of years due to the environment currently
being in a state of transition with regards to digital devices.
There may be value in establishing a trusted environment, under an intellectual property-protected
roof, to share information and tools within the community. This could be participated in by invitation
only.
A great focus should be placed on the non-technological aspects of digital forensics, such as:
Education and training;
Optimising the investigative process as a whole;
Ensuring the engagement of the digital forensics community (particularly with regard to law enforcement, senior management, and the Home Office); and
Optimising the approach to digital forensics innovation and progress to ensure a top-down approach with respect to leadership in driving projects and a bottom-up approach to driving innovation.
Forensic Science Special Interest Group, Bailey House, 4-10 Barttelot Road, Horsham, RH12 1DQ. +44 (1403) 251 354. tinyurl.com/FoSciSIG. @FoSciSIG
