Liforac - A Model For Live Forensic Acquisition


Thesis

by

MARTHA MARIA GROBLER

M.Sc (Computer Science)

920200354

Submitted in fulfilment of the requirements

for the degree

PHILOSOPHIAE DOCTOR

in

COMPUTER SCIENCE

in the

Faculty of Science

at

UNIVERSITY OF JOHANNESBURG

Promoter: Prof. S.H. von Solms

Co-promoter: Prof. C.P. Louwrens

Johannesburg

October 2009

Ago forensis substantia:

Quis lex ought futurus distinctus ex quis lex est –
id est, onus of suggero res sileo super a vir per persona
auctorita decerno modus operandi scelestus.
Is est expertus ut, corpus delicti destituo digital detritus
actus reus ad infinitum.
Per curiam villa postulo testimonium futurus fundo exigo
ab origine, utriusque mortuus forensis et ago forensis,
demonstro actus reus.
Technologi postulo flagrante delicto quesitio,
no possible per ago forensis, indicia testimonium in situ.
Is sino satis clavis aurea demonstra theca in villa.
Mortui vivos docent - quieta non movere quod omnia
mutantur, nihil interit. Nemo est supra legis!

(The essence of Live Forensics: Laws are changing – authorities need to work hard to prove the ways in which crimes are committed. It is inevitable that cyber criminals leave permanent digital footprints of the crimes they commit. To prove these crimes, the court of law requires that evidence should be copied exactly from the source, in both Dead Forensics and Live Forensics. Technology requires the investigation technique of Live Forensics, actively finding evidence in its original destination. This allows for sufficient discovery of hidden data to prove the case in court. Let the dead teach the living - don't modify data because this may affect your case. Nobody is above the law!)

* The translation is deemed to be indicative of the thesis content and is not an academic true translation of the Latin text.

Acknowledgements

Thank you…

My promoter Prof von Solms, for your guidance and incredible knowledge through all my postgraduate studies. It has really been a pleasure to work with you.

My co-promoter Prof Louwrens, for your technical expertise and enthusiasm that originally got me interested in Digital Forensics.

My husband PC, for your never-ending love, support, motivation and creative ideas. You are my inspiration.

My parents, for years of support and guiding me in my pursuit for academic excellence. Thank you for the continuous advice and motivation.

My parents-in-law, for supporting my studies and keeping me motivated.

My brother, sister and their families, for your consistent motivation.

My colleagues at the CSIR: Danie Perold, Simon Nare, Jaco Robertson, Barend Taute, Erna Meyer, Paul de Kock and Joey Jansen van Vuuren for forensic, technical, engineering and research help, advice, examples and moral support.

Rudi Coetzee, for your expert knowledge and assistance with technical detail.

Elsa Volschenk from Spiraleye Studios for helping with the animation and graphical requirements.

Minette Lubbe and Modisana Hlomuka for assisting with the original ideas for the graphical interface.

Prof Ansie Lessing, professor in Educational Studies from UNISA for language editing.

Prof Casper Lessing, emeritus professor and Director: Library Services from Potchefstroom University for Christian Higher Education for helping with the bibliography and references.

Mrs van den Berg from the Faculty of Science, for answering all my questions and double-checking university policies and regulations.

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler i 920200354

Table of Contents

Table of Contents .............................................................................................................................................................. i

List of Figures ................................................................................................................................................................ ii

Tables ...............................................................................................................................................................iv

Table of Contents – Accompanying CD (AutoRun)..............................................................................................v

Acronyms ...............................................................................................................................................................vi

Terminology .............................................................................................................................................................viii

Chapter 1: Liforac – A Model For Live Forensic Acquisition........................................................................1

Part 1: Setting the Scene................................................................................................................................4

Chapter 2: Introduction..........................................................................................................................................5

Chapter 3: The Digital Forensic Discipline......................................................................................................17

Part 2: Live Forensic Acquisition...............................................................................................................48

Chapter 4: Forensic Tools ..................................................................................................................................51

Chapter 5: Current Application of Live Forensics.........................................................................................63

Chapter 6: Forensically Sound Live Acquisition Admissible in Court.....................................................86

Part 3: Digital Forensics and the Judicial System .................................................................................99

Chapter 7: Cyber Crime and Criminals..........................................................................................................101

Chapter 8: Cyber Crime Legal Aspects .........................................................................................................118

Part 4: The Possibility of Sound Live Forensic Acquisition .............................................................136

Chapter 9: Building a Model.............................................................................................................................139

Chapter 10: Laws and Regulations Dimension..............................................................................................151

Chapter 11: Timeline Dimension .......................................................................................................................170

Chapter 12: Knowledge Dimension..................................................................................................................202

Chapter 13: Scope Dimension ...........................................................................................................................212

Chapter 14: Presenting the Final Liforac model ............................................................................................231

Chapter 15: Closure..............................................................................................................................................241

References ............................................................................................................................................................248

Publications and Presentations................................................................................................................................264


List of Figures

Figure 1-1: Parts of the Liforac model development study.......................................................................... 3

Figure Part 1-1: Part 1 of the Liforac model development study................................................................. 4

Figure 2-1: The Liforac model interface ..................................................................................................... 8

Figure 2-2: Objectives of the study.............................................................................................................. 9

Figure 2-3: Liforac model progress............................................................................................................ 14

Figure 2-4: Liforac model development roadmap...................................................................................... 15

Figure 3-1: Liforac model progress - Digital Forensic discipline (a) .......................................................... 17

Figure 3-2: Dead Forensic Acquisition ...................................................................................................... 21

Figure 3-3: Live Forensic Acquisition ........................................................................................................ 26

Figure 3-4: Digital Forensic Acquisition Checklist ..................................................................................... 32

Figure 3-5: The generic Forensic Acquisition process .............................................................................. 33

Figure 3-6: Protecting a dead system from data modification................................................................... 36

Figure 3-7: Protecting a live system from data modification ..................................................................... 37

Figure 3-8: Chain of custody log................................................................................................................ 39

Figure Part 2-1: Part 2 of the Liforac model development study............................................................... 48

Figure 4-1: Liforac model progress - Digital Forensic discipline (b) .......................................................... 51

Figure 4-2: Operating System market share ............................................................................................. 52

Figure 4-3: Forensic investigation tools, toolkits and tool suites ............................................................... 53

Figure 5-1: Liforac model progress – Current Live Forensic techniques .................................................. 63

Figure 5-2: Practical problems associated with Live Forensics ................................................................ 67

Figure 5-3: Example image ....................................................................................................................... 70

Figure 5-4: Example slurred image ........................................................................................................... 70

Figure 5-5: Screenshot - Windows My Computer Properties.................................................................... 76

Figure 5-6: Screenshot - Windows My Computer Properties Advanced Properties ................................. 76

Figure 5-7: Screenshot – NotMyFault ..................................................................................................... 77

Figure 5-8: The Tribble development environment ................................................................................... 80

Figure 6-1: Liforac model progress - Identify sound forensic techniques ................................................. 86

Figure Part 3-1: Part 3 of the Liforac model development study.............................................................. 99

Figure 7-1: Liforac model progress - Crimes and criminals ................................................................... 101

Figure 8-1: Liforac model progress - Laws.............................................................................................. 118

Figure Part 4-1: Part 4 of the Liforac model development study............................................................. 136

Figure 9-1: Liforac model progress - Model development....................................................................... 139

Figure 9-2: Generic Liforac model ........................................................................................................... 141

Figure 9-3: Relation between Liforac model building blocks................................................................... 143

Figure 10-1: Focusing on the Laws and regulations dimension.............................................................. 151

Figure 10-2: Laws and regulations dimension ........................................................................................ 152


Figure 10-3: Laws and regulations sub dimensions and respective drivers presented within the Liforac model ................................................................................................................................... 157

Figure 10-4: Drivers of the common crime laws...................................................................................... 159

Figure 10-5: Drivers of the specific cyber crime laws ............................................................................. 163

Figure 10-6: Drivers of the court cases and precedents ......................................................................... 165

Figure 10-7: Drivers of the definition of court admissibility ..................................................................... 167

Figure 11-1: Focusing on the Timeline dimension .................................................................................. 170

Figure 11-2: Timeline dimension ............................................................................................................. 171

Figure 11-3: Liforac model implied processes......................................................................................... 175

Figure 11-4: Liforac model explicit processes ........................................................................................ 178

Figure 11-5: Liforac model process flow ................................................................................................ 179

Figure 11-6: Liforac model process flow indicating timeframes .............................................................. 180

Figure 11-7: Before the Live Forensic Acquisition timeframe ................................................................ 181

Figure 11-8: During the Live Forensic Acquisition timeframe ................................................................ 188

Figure 11-9: After the Live Forensic Acquisition timeframe .................................................................... 194

Figure 11-10: Complete process flow of Live Forensic investigation ...................................................... 199

Figure 12-1: Focusing on the Knowledge dimension .............................................................................. 202

Figure 12-2: Knowledge dimension ......................................................................................................... 203

Figure 12-3: Knowledge components and important aspects regarding each component presented within the Liforac model.................................................................................................................. 207

Figure 13-1: Focusing on the Scope dimension...................................................................................... 212

Figure 13-2: Scope dimension................................................................................................................. 213

Figure 13-3: Scope components and drivers presented within the Liforac model .................................. 216

Figure 13-4: Controls for accessing the machine ................................................................................... 219

Figure 13-5: Controls for OS dependency............................................................................................... 220

Figure 13-6: Controls for data modification ............................................................................................ 221

Figure 13-7: Controls for ensuring authenticity ....................................................................................... 227

Figure 13-8: Controls for OS dependency............................................................................................... 228

Figure 14-1: The Liforac model development study................................................................................ 231

Figure 14-2: Screenshot - Main menu of the Liforac study accompanying CD....................................... 232

Figure 14-3: Screenshot - Menu options for Study overview .................................................................. 233

Figure 14-4: Screenshot - Menu option for Forensic tools ...................................................................... 234

Figure 14-5: Screenshot - Menu option for WITSA report....................................................................... 234

Figure 14-6: Screenshot - Menu options for Legislation.......................................................................... 235

Figure 14-7: Screenshot - Menu option for Presenting evidence............................................................ 236

Figure 14-8: Screenshot - Menu option for Liforac model ....................................................................... 236

Figure 14-9: Screenshot - Menu options for Publications ....................................................................... 237

Figure 14-10: Screenshot - Menu options for Presentations................................................................... 238

Figure 14-11: Screenshot - Menu option for Glossary ............................................................................ 238


Tables

Table 2-1: Project deliverables .................................................................................................................. 12

Table 3-1: Comparing Dead and Live Forensics....................................................................................... 30

Table 3-2: Handling and preservation guidelines for digital evidence media............................................ 41

Table 3-3: Storage guidelines for digital evidence media ........................................................................ 44

Table 4-1: Forensic abilities of investigation tools, toolkits and tool suites ............................................... 54

Table 5-1: Currently applied techniques for Live Forensic Acquisition ..................................................... 83

Table 7-1: Cyber crime statistics by type ............................................................................................... 108

Table 7-2: Cyber crime classification....................................................................................................... 108

Table 8-1: Comparison of activities in the discussed models ................................................................. 131

Table 8-2: Mapping Ciardhuáin’s processes on the Liforac processes................................................... 132

Table 9-1: Summary of identified drivers................................................................................................. 143

Table 10-1: Identified drivers on the Laws and regulations dimension ................................................... 153

Table 10-2: Drivers applicable to sub dimension 1 ................................................................................. 158

Table 10-3: Drivers applicable to sub dimension 2 ................................................................................. 160

Table 10-4: Drivers applicable to sub dimension 3 ................................................................................. 164

Table 10-5: Drivers applicable to sub dimension 4 ................................................................................. 166

Table 11-1: Summary of identified drivers on the Timeline dimension ................................................... 172

Table 11-2: Digital Forensic equipment needed during a Live Forensic investigation............................ 186

Table 11-3: Evidentiary artefacts to retrieve during Live Forensic investigation .................................... 192

Table 11-4: Guidelines for transporting evidence securely ..................................................................... 198

Table 12-1: Summary of identified drivers on the Knowledge dimension ............................................... 205

Table 13-1: Summary of identified drivers on the Scope dimension....................................................... 214

Table 15-1: Critical appraisal of the Liforac model development ............................................................ 242


Table of Contents – Accompanying CD (AutoRun)

1. Study overview

2. Forensic tools

3. WITSA report

4. Legislation

5. Presenting evidence

6. Liforac model

7. Publications

8. Presentations

9. Glossary


Acronyms

AFIS Automated Fingerprint Identification System

API Application Programming Interface

ARP Address Resolution Protocol

ATA Advanced Technology Attachment

BIOS Basic Input Output System

CERT Computer Emergency Response Team

CIO Chief Information Officers

CMOS Complementary Metal Oxide Semiconductor

COFEE Computer Online Forensic Evidence Extractor

CSIR Council for Scientific and Industrial Research

CSIRT Computer Security Incident Response Team

DCO Device Configuration Overlay

DDoS Distributed Denial of Service

DFRWS Digital Forensics Research Workshop

DMA Direct Memory Access

DNA Deoxyribonucleic Acid

DoS Denial of Service

DSA Digital Signature Algorithm

ECPA Electronic Communications Privacy Act

ECT Electronic Communications and Transactions Act

FBI Federal Bureau of Investigation

FTK Forensic Toolkit

HIPAA Health Insurance Portability and Accountability Act

HPA Hardware Protected Areas

IDE Integrated Development Environment

IIP Information Infrastructure Protection

IIS Internet Information Services

IP Intellectual Property

IP Internet Protocol

IRC Internet Relay Chat

ISP Internet Service Provider

JTAG Joint Test Action Group

KFF Known File Filter

KNPA Korean National Police Agency

Liforac Live Forensic Acquisition

MAC Media Access Control


NET No Electronic Theft Act

NIST National Institute of Standards and Technology

OS Operating System

PCMCIA Personal Computer Memory Card International Association

PGP Pretty Good Privacy

POTS Plain Old Telephone Service

RAID Rapid Action Imaging Device

RAID Redundant Array of Independent Disks

RIPA Regulation of Investigatory Powers Act

RSA Rivest-Shamir-Adleman

SOX Sarbanes-Oxley Act

UPS Uninterruptible power supply

VESDA Very Early Smoke Detection Alarm

VOIP Voice Over Internet Protocol

VPN Virtual Private Network

WITSA World Information Technology and Services Alliances


Terminology

acquisition: Acquisition is the act of assuming possession of something or obtaining control of an object. It is the means to bring outside information into an analysis system. In this regard, forensic investigators take control of a suspect machine, attaining all possible information about the system. The Acquisition process is an extension of the Collection stage, including additional aspects such as the chain of custody, transport and storage.

analysis: Analysis is an investigation of the component parts of a whole and their relations in making up the whole. When faced with a complex topic, analysis is a systematic process of simplifying the topic to gain a better understanding of it. In the forensic sense, an analysis breaks down a complex crime scene to simpler terms where it is possible to identify the cyber criminals.

collection: The verb collecting refers to seeking and locating items of interest. In the forensic sense, the stage Collection is the search and seizure activity where forensic investigators enter a crime scene, look for evidence and gather it.

Digital Forensics: Digital Forensics is the process of copying and analysing data from a computer in a forensic manner. This discipline includes all activities from gathering the hardware that needs to be copied, examining and analysing the data, and presenting a report to an authoritative board regarding the discoveries. Digital Forensics is an investigative technique that applies scientific and analytical techniques to computer systems in determining the potential for legal evidence (Mobley 2001:2). It enables organisations to gather reliable evidence from a mass of organisational information.

investigation: An investigation is an inquiry into unfamiliar or questionable activities, done in an orderly way to ensure thoroughness. An investigation usually implies the transgression of either a law or a procedure.

methodology: A methodology refers to the systematic study of methods followed in a particular discipline. It is generally a collection of methods, practices, procedures and rules used and implemented by groups and individuals that work in the same field. The methodology includes the methods, procedures and techniques used to collect and analyse given information.

search and seizure: Search and seizure is a legal procedure used in many civil and common law legal systems. This grants police and First Responders the necessary authority to do a search of a person’s property and confiscate any relevant evidence to this crime.


Chapter 1: Liforac – A Model For Live Forensic Acquisition

“If we cannot reengineer our information infrastructure to be completely protected, then we need to address the problems of cyber crime and abuse after they occur: by investigation and corrective action, including application of remedial measures, as well as legal and administrative sanctions.”

- Eugene Spafford

This study discusses the development of a model for Live Forensic Acquisition - Liforac. The Liforac model is a wide-ranging model that presents many of the most important aspects related to Live Forensic Acquisition, suggesting ways in which such an acquisition should take place to ensure forensic soundness.

The study presents information on a relatively new field of expertise. The development of the Live Forensic discipline and the Live Forensic Acquisition technique instigates the development of a method that allows forensically sound acquisition to stand fast in a court of law. The development of this discipline revolves around changes in technology, aimed at making it more difficult for criminals to hack into systems and misuse information. These changes also make it more difficult to crack system passwords or to retrieve data if accidentally overwritten (e.g. Windows Vista overwrites any deleted data, unlike earlier operating systems (OS) that just overwrite the link to the data).

This study considers the Digital Forensic discipline, forensic tools, practical problems experienced during acquisition, legal aspects and cyber crimes. It also looks at technology advances that eradicate the use of Dead Forensic Acquisition and promote the use of Live Forensic Acquisition. The study finally presents a comprehensive model for forensically sound Live Forensic Acquisition. By no means is this model a comprehensive representation of the entire field, but only a depiction of some of the most relevant aspects of this discipline. The Liforac model is not a flawless new invention, nor so technically advanced that only technologically adept people can understand its intricacies. It presents a number of technical and non-technical concepts that are already available within the Digital Forensic and Live Forensic discipline, as a single easy-to-understand document. This model is not a mandate for forensic investigators, but a guideline for best practice.

As is the case in many developing disciplines, there are not many scientific publications in the emerging Digital Forensic field. Therefore, many of the references are either Internet-based or personal interviews. Digital Forensics, and specifically the specialised Live Forensic discipline, is not as well established in the security field. Since the printed resources on this subject are very limited, most of the references cited in this research are in the electronic realm and classify as blogs or online newspaper articles. These sources represent some of the very limited information available and present the opinions of individuals who have experience with Digital Forensics, Live Forensics or cyber crime. Furthermore, many forensic practices have already been adopted internationally, but are not currently used extensively in South Africa.


At the time of this research project, the author is employed at the Council for Scientific and Industrial Research (CSIR) as Cyber Security Specialist. Her primary role is to investigate the Live Forensic discipline as a potential research niche for her department. This research project evolved into the development of the Liforac model. To fulfil this role the author integrated research findings from the literature, the Internet and personal interviews with knowledgeable and critical peers to inductively build the model and present the results as a thesis. The author concurrently acted as a project manager with regard to research on Live Forensics and the findings of this study.

The author acts as co-editor for the international standard ISO/IEC 27037: Guidelines for identification, collection and/or acquisition and preservation of digital evidence. She applies knowledge gained through research for this thesis as expert knowledge in the capacity of co-editor. Technical aspects from the thesis contribute to the technical quality and capability of ISO 27037. The author also contributed sections on the handling and preservation of digital evidence during the acquisition process and the process flows of the acquisition, as researched for this thesis. The content of this standard overlaps with the content of this thesis, and shows the importance of guidelines for forensic acquisition in the international scope.

A compact disc, MMG PhD 2009, accompanies this research study. To keep the actual research document compact and to the point, all the additional resources necessary to present a complete study accompany the study on this CD. This CD also presents additional interesting information contributing to further understanding, as well as a graphic display of the Liforac model (this display can be seen under Liforac model on the CD). The study produced a number of publications and presentations, listed at the end of this document (see page 264, after the references). Three of these presentations featured at international conferences. Live Forensic Acquisition as Alternative to Traditional Forensic Processes was presented at the IT Management and IT Forensics conference in Mannheim, Germany; Modelling Live Forensic Acquisition was presented at the Workshop on Digital Forensics & Incident Analysis in Piraeus, Greece; and A Best Practice Approach to Live Forensic Acquisition was presented at ISSA 2009 in Johannesburg, South Africa. This thesis also served as foundation for a keynote presentation, was featured in the author’s researcher profile on the CSIR’s intraweb and made headlines in a local newspaper. The accompanying CD shows these completed works.

This research encompasses four parts, each contributing in a direct manner to the final forensically sound model. Figure 1-1 shows the four parts and the chronological order, from the bottom to the top. This indicates that the parts should be completed in a sequential manner to ensure an accurate result.

• Part 1: Setting the Scene;

• Part 2: Live Forensic Acquisition;

• Part 3: Digital Forensics and the Judicial System; and

• Part 4: The Possibility of Sound Live Forensic Acquisition.

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 3 of 268 Chapter 1

Parts 1 to 3 contribute drivers that are necessary to build the Liforac model. These drivers have no specific

definition to ensure its inclusion in the Liforac model, but constitute any definition, concept or detail that

may be of importance to the development of a comprehensive Live Forensic Acquisition model. At the

end of each chapter, a summary lists all the identified drivers before the next chapter starts. In Part 4,

these drivers will be refined and explained in more detail. The final model, presented in Part 4, has four

dimensions: Laws and regulations, Timeline, Knowledge and Scope.

Figure 1-1: Parts of the Liforac model development study (Own compilation)

At the time of writing, this Liforac model is the first document of this nature that could be found for

analysis. It serves as a foundation for future models that can refine the current proposed processes.

This study discusses both the technical and the legal aspects on a high level and are presented as the

interpretation of the author, not a mandate for Law Enforcement agencies or forensic investigators. This

study leaves room for further investigation into this field. Part 1, Setting the Scene, will now initiate the

study.


Part 1: Setting the Scene

This study, Liforac - A Model For Live Forensic Acquisition, divides into four distinct parts. Figure Part 1-1

presents these four parts with four cylinders, indicating succession and progress from the bottom of the

figure to the top (originally presented in Figure 1-1).

Figure Part 1-1: Part 1 of the Liforac model development study

Part 1, Setting the Scene, mainly comprises the literature study to familiarise the reader with the Digital

Forensic discipline. It comprises the first two chapters of the study.

Chapter 2, Introduction, provides background knowledge to the study and lays out the objectives. This

chapter discusses the research methodology used to investigate Live Forensic Acquisition techniques

and introduces the objectives and limitations of the study. Chapter 2 is an introductory chapter, directing

the administrative aspects of the study.

Chapter 3, The Digital Forensic Discipline, presents insight into the Digital Forensic discipline. This

chapter introduces the traditional Dead Forensic Acquisition and the Live Forensic Acquisition techniques,

and compares these techniques. Additionally, Chapter 3 explains the principles of Digital Forensics. This

chapter is necessary to introduce the basic forensic principles to the reader and to ensure a basic level of

Digital Forensic understanding.

The two chapters in Part 1 combine to introduce a number of aspects relevant to Digital Forensics. It

serves as a concise introduction to the field of Digital Forensics and introduces important concepts that

are necessary for the development of a comprehensive Liforac model in Part 4 of this study. Once the

reader is comfortable with Part 1’s context, the in-depth analysis of forensically sound Live Forensic

Acquisition can start in Part 2. Chapter 2 will now formally introduce the study with background information

on the Digital Forensic discipline.


Chapter 2: Introduction 1

“The modern thief can steal more with a computer than with a gun. Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.”

- National Research Council

The human dependency on computers allows the infiltration of computer technology in almost all aspects of

human life. Computer technology has become synonymous with our fast moving lives, penetrating facets

of both home and work life (Sharma 2008:Internet).

Moore’s law predicts that computing power doubles every 18 months (French 2008:Internet). This ever-

increasing power enables humans to undertake tasks that are more complex and resource intensive. The

intention of these technology advances is to make human lives easier and more fulfilling: hand biometric

applications can ensure that only authorised people can operate guns; online social communities such as

Facebook and MXit can globally connect people; and iris recognition can lead to a keyless environment.

Computers give humans an inconceivable amount of power. However, not all humans can suitably

handle power.

A large number of science fiction movies give a glimpse into what can happen when computers and

ethically challenged people combine power: the Matrix and Hackers trilogies, and the Terminator movies

are some examples. The 1957 movie Desk Set is probably one of the first movies that portrays the danger

in fully computerising one’s world. Minority Report is also a prime example of what can happen if artificial

intelligence and computerised biometrics take over the world (IMDB 2008:Internet). Even the social

communities can become addictive, and in some cases vindictive and a playground for cyber predators

(Williams 2006:Internet).

Real life examples where criminals use technology for misdoings include a computer attack on the

Australian sewage system (Clarke 2004:Internet), the Estonian Cyber War (Traynor 2007:Internet), the

Chinese hacks into the Pentagon (Sevastopulo 2007:Internet) and the Russian cyber attacks against the

Pentagon (Fishel & Griffin 2008:Internet). These examples indicate that technological advances and the

Internet not only aided worldwide communication and commerce, but also sparked the growth of electronic

crime. Criminals are exploiting the same technological advances that have helped Law Enforcement to

progress (ACPO 2007:8). In fact, the increased availability of broadband connections to homes directly

affected the number of computer systems compromised by attackers and infected with malware (Carvey

2005:10).

Criminals make use of computers on a daily basis to assist with and to commit crimes. This, combined

with the pervasiveness and complexity of modern OSs, makes cyber crime a real and active threat. To act


against these electronic offenders, scientists developed the Digital Forensic discipline to retrieve evidence

from computers (Brungs & Jamieson 2005:57). This discipline has two main approaches relevant to this

study: Dead Forensic Acquisition and Live Forensic Acquisition.

The current forensic acquisition approach, Dead Forensic Acquisition, is to unplug a machine to acquire an

image of the hard drive. This approach can cause data corruption, system downtime and revenue loss for

businesses. Paragraph 3.3.1 introduces Dead Forensic Acquisition in more detail. A newer approach, Live

Forensic Acquisition, emerged to counteract problems caused by technology advancement and restrictions

of the Dead Forensic Acquisition approach. Live Forensic Acquisition refers to the acquisition of a forensically

sound system image from a live machine, i.e. a machine that is still running. This approach makes use of a

small window of opportunity provided by a live connection to acquire the necessary data from a suspect

computer. Paragraph 3.3.2 introduces this acquisition approach in more detail.

Irrespective of the acquisition approach, investigators present the evidence to court in due course. If the data

are admissible in court, cyber investigators refer to them as forensically sound. However, very few South African

courts currently accept Live Forensic Acquisition as forensically sound evidence (Nare 2008:Interview). The

main reasons for the occasional inadmissibility of Live Forensics are firstly the lack of court precedence,

and secondly criminals' liking to exploit new technology in an innovative manner.
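The paragraphs above describe acquiring an image from a live machine and the requirement that the result be forensically sound, i.e. an exact copy whose integrity can later be shown in court. The following Python routine is an added illustration of that requirement and is not code from the thesis or from any tool it names: it streams a source byte-for-byte into an image, hashes the stream as it passes, re-hashes the stored image independently, and keeps a chain-of-custody record with UTC timestamps. The source is a constructed in-memory byte string standing in for a volatile region, and the examiner name is a placeholder.

```python
"""Forensically sound acquisition, added illustration (not from the thesis).

Copy a source byte-for-byte, hash it as it streams, hash the written image
independently, and keep a chain-of-custody record. Input is constructed."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 4096  # small read size so the chunked copy is visible

# Constructed sample standing in for a volatile region (process list,
# sockets, keys); it is not real acquired data.
SAMPLE = b"constructed sample data: process list, open sockets, keys\n" * 300


def acquire(source, image, examiner, description):
    """Stream `source` into `image` without modification, hashing every byte
    as it passes. Returns a custody record for the acquisition."""
    digest = hashlib.sha256()
    started = datetime.now(timezone.utc).isoformat()
    total = 0
    while True:
        chunk = source.read(CHUNK)
        if not chunk:
            break
        digest.update(chunk)
        image.write(chunk)
        total += len(chunk)
    image.flush()
    finished = datetime.now(timezone.utc).isoformat()
    return {
        "examiner": examiner,  # placeholder identity, not a real examiner
        "description": description,
        "started_utc": started,
        "finished_utc": finished,
        "bytes": total,
        "sha256": digest.hexdigest(),
    }


def verify(image_bytes, record):
    """Re-hash the stored image independently of the acquisition pass and
    compare length and digest with the record. Any changed bit fails."""
    if len(image_bytes) != record["bytes"]:
        return False
    return hashlib.sha256(image_bytes).hexdigest() == record["sha256"]


def run_demo():
    """Acquire the constructed sample, verify the image, then show that a
    single flipped bit in the stored image is detected."""
    image = io.BytesIO()
    record = acquire(io.BytesIO(SAMPLE), image, "examiner-placeholder",
                     "constructed sample region")
    intact = verify(image.getvalue(), record)
    tampered = bytearray(image.getvalue())
    tampered[10] ^= 0x01
    return record, intact, verify(bytes(tampered), record)


if __name__ == "__main__":
    rec, ok, bad = run_demo()
    print(rec["sha256"], rec["bytes"], ok, bad)
```

verify() hashes the stored image separately from the acquisition pass, so a later discrepancy between record and image is caught rather than assumed away; the record carries start and finish timestamps because, as the text notes, the live window is short and the order of events matters when the evidence is presented.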

2.1 Research Problem

The nature of incidents and attacks has changed. The pervasive nature of computer systems and applications

makes them subject to attack and compromise on an increasingly regular basis (Carvey 2005:21). In many

instances, the combination of innovative criminal techniques and advanced technology limits the

applicability and success of Dead Forensic Acquisition. A number of OSs and encryption techniques can

only be investigated with a Live Forensic Acquisition approach. Live Forensics is thus not a luxury

acquisition approach anymore, but rather a necessity to acquire digital evidence. Investigations

need real time, admissible digital evidence such as volatile evidence, swap files and network processes

to determine the root cause of an incident and prosecute the cyber criminals (Grobler & Louwrens

2009:1).

On the one hand, criminals are constantly pushing the boundaries of technology. They are now using

computers to extend the range of activities they can perform and create new ways of hiding cyber tracks

(Jones 2007:1). Accordingly, new types of crimes surfaced in the virtual world, whilst traditional crimes

are committed using advanced technology (Maat 2004:i). The development of new crime types leaves Law

Enforcement techniques outdated, occasionally providing no safety against new criminal techniques.

On the other hand, advances in technology have effectively negated the success of traditional Dead

Forensics. Law Enforcement incorporated traditional Dead Forensic Acquisition in an attempt to keep up


with cyber crime, allowing forensic investigators to retrieve enough relevant data for the average case.

However, in some instances investigators need to recover additional data only retrievable from live

suspect systems, such as the existence of a running Trojan horse on the suspect machine.

New OSs have made the user interface so powerful and password encryption keys so secure, that it is

virtually impossible for criminals and forensic investigators alike to access a shut down system. For

example, it would take forensic investigators days and high volumes of computer power to crack a whole

disk encryption password, such as Pretty Good Privacy (PGP) Whole Disk Encryption or TrueCrypt (Nare

2008:Interview). However, if this password can be intercepted in a live system, acquisition can

commence immediately. Accordingly, crimes and investigations have become more real time,

necessitating the Live Forensic Acquisition approach.

Research Problem:

The development of Live Forensic Acquisition, albeit a remedy for the problems introduced by Dead

Forensic Acquisition, introduces a variety of additional difficulties, unique to the Live Forensic Acquisition

approach. These difficulties affect the forensic soundness of Live Forensic Acquisition.

At present, forensic investigators cannot be certain that a court of law will consider Live Forensic

Acquisition techniques to be forensically sound (Nare 2008:Interview). Neither can forensic investigators be

certain that evidence acquired with Live Forensic Acquisition techniques is adequately comprehensive,

compared with evidence acquired with Dead Forensic Acquisition techniques, until further research has

been done.

2.2 Research Objectives

This thesis aims to address the research problem and to develop a model that underwrites comprehensive

forensically sound Live Forensic Acquisition. The main premise of the thesis is to advise regarding the

viability of Live Forensic Acquisition as an alternative acquisition technique to traditional Digital Forensic

Acquisition. It is necessary to establish a method that allows forensically sound acquisition to stand fast

in a court of law before it can be used to its full potential. It is important that the forensic investigator also

consider his/her jurisdiction when partaking in an acquisition.

The proposed model for comprehensive forensically sound Live Forensic Acquisition, Liforac, will include

an overview of popular forensic tools (Chapter 4). It will also include current and applied Live Forensic

methods and techniques (Chapters 5 and 6), cyber crime and criminals (Chapter 7) and legal aspects

relevant to cyber crime (Chapter 8). Chapter 14 presents the final model, as constructed from research

and figures presented in Chapters 9 to 13. In addition to the thesis, the accompanying CD includes a

range of supplementary information. Figure 2-1 shows the contents of the CD.


Figure 2-1: The Liforac model interface (Own compilation)

Objective:

The main objective of the study is to develop a model that comprehensively presents aspects related to

Live Forensic Acquisition. This model, Liforac, will guide forensic investigators in suggesting ways in

which a Live Forensic Acquisition should take place to ensure forensic soundness.

To realise this objective, it is necessary to focus on the process of comprehensive forensically sound Live

Forensic Acquisition. The research approach builds on the investigation of the possibility of forensically

sound Live Forensic Acquisition and the associated judicial implications. The following sub objectives

(presented in Figure 2-2, page 9) support the main objective and build up to the proposed model:

• Sub objective A: Investigate the Digital Forensic discipline. A comprehensive literature

study on the topic of Digital Forensics introduces the discipline. In fulfilling this objective, it is

possible to identify some important components of the proposed Liforac model at this stage.

• Sub objective B: Identify current Live Forensic practice. By looking at the techniques currently

applied to perform both Dead and Live Forensic Acquisition, it is possible to identify potential

forensically sound Live Forensic Acquisition techniques.


Figure 2-2: Objectives of the study (Own compilation)

• Sub objective C: Identify sound forensic techniques. This sub objective defines forensic

soundness and evaluates some of the identified components based on these criteria.

• Sub objective D: Investigate cyber crime. Cyber crimes are far-ranging and a study of them can

assist in some aspects of the Live Forensic Acquisition model. Since both cyber criminals and

cyber crime are constantly evolving, the Liforac model needs to link directly to the progression of

cyber crimes.

• Sub objective E: Investigate the legal aspects of Digital Forensics. By producing a number of

cyber crime legal requirements, it should be possible to develop a model for Live Forensic

Acquisition. These legal requirements determine which acts classify as cyber crimes, as well as

the processes and responsibilities during the cyber crime investigation. Each country has its own

legal application and jurisdiction. Accordingly, forensic investigators need to be abreast of their


country’s legislation, as well as the application thereof. The legal requirements will make a direct

contribution to the model.

These five sub objectives guide the research done in Parts 1 to 3. Combined, these sub objectives produce a

number of deliverables (Table 2-1 on page 12 maps these sub objectives to the relevant deliverables) to

create a single comprehensive, forensically sound Live Forensic Acquisition model - the Liforac model.

Chapter 14 in Part 4 will present this model in its final form.

The objectives set out for this study are to acquire the skills and practical expertise necessary to understand

the Live Forensic Acquisition approach. The completed research will not simply be a process of

knowledge gathering, but will also make an original contribution to the subject of Digital Forensics. This

study may lead to supplementary future research.

2.3 Research Plan

The focal point of this study is the field of Digital Forensics. The research will focus on developing a

model that represents aspects related to Live Forensic Acquisition, as well as a suggested way in which a

Live Forensic Acquisition should take place. The underlying idea is to establish whether Live Forensic

Acquisition can stand fast in a court of law. This study divides into four distinct parts and fifteen chapters.

Part 1: Setting the Scene

Part 1 investigates the current Digital Forensic environment. It comprises two chapters of the study,

combining to introduce a number of aspects relevant to Digital Forensics. Once the reader is

comfortable with Part 1’s context, the in-depth analysis of forensically sound Live Forensic Acquisition

can start.

• Chapter 2, Introduction, provides the reader with background knowledge to the study. It also

lays out the research problem, objectives, deliverables, research approach and limitations.

• Chapter 3, The Digital Forensic Discipline, presents the reader with insight into the Digital

Forensic discipline. This chapter introduces the Dead and Live Forensic Acquisition techniques

and explains the Digital Forensic principles relevant to both techniques. Chapter 3 discusses

both disciplines’ advantages and disadvantages, and compares the two techniques. This chapter

explains the Forensic Acquisition process step-by-step.

Part 2: Live Forensic Acquisition

Part 2 focuses more on the internal workings of the Live Forensic technology. It comprises three chapters of

this study. These chapters introduce the possibilities of forensically sound Live Forensic Acquisition. Part

2 theoretically builds a framework of the positive application of Live Forensic Acquisition within the


Information Security environment. It builds on the knowledge gained in Part 1 and is justified by the

chapters in Part 3. The majority of this part involves the investigation of practical, real world application

of Digital Forensics.

• Chapter 4, Forensic Tools, presents a comparison of a number of popular Digital Forensic tools.

The list of tools is not exhaustive, but provides the reader with sufficient background knowledge

to understand the processes depicted in Part 2. The tool discussion gives the reader a basic

understanding of how Digital Forensics works and ways in which forensic tools can assist

investigators. Additional information regarding the Digital Forensic tools is available on the

accompanying CD (see Forensic tools).

• Chapter 5, Current Application of Live Forensics, provides background knowledge on the

developing technology. This chapter looks at the advances Live Forensic Acquisition has made in

the areas in which traditional Forensic Acquisition lacks. It also focuses on the practical problems

that arise with the application of Live Forensics. Chapter 5 concludes with a discussion on the

current software and hardware techniques applied in Live Forensic Acquisition.

• Chapter 6, Forensically Sound Live Forensic Acquisition Admissible in Court, focuses on the term

forensic soundness and measures different kinds of evidence retrieved through Live Forensics

according to its definition. This chapter focuses on the volatile nature of Digital Forensics.

Part 3: Digital Forensics and the Judicial System

Part 3 forms an important section of this investigation. This part comprises two chapters of the study,

and provides technical information to ensure that forensic investigators understand the subject.

• Chapter 7, Cyber Crime and Criminals, provides the reader with background on the subject. It looks

at the different types and classification of cyber crime. It addresses cyber crime incidents and

occurrence, the reasons for cyber crime, as well as famous court cases in which cyber crime

played a major role. Related to this chapter, the accompanying CD presents the WITSA (World

Information Technology and Services Alliances) Report on Cyber Crime (see WITSA report).

• Chapter 8, Cyber Crime Legal Aspects, discusses the legal acceptance of Digital Forensic evidence

and identifies current laws addressing cyber crime. These laws are discussed in more detail on the

accompanying CD (see Legislation). This chapter also identifies a cyber crime framework, as

well as some legal challenges facing the successful acceptance of Live Forensic Acquisition.

This cyber crime framework is crucial in the successful development of the Liforac model in

Part 4.

Part 4: The Possibility of Sound Live Forensic Acquisition

Part 4 forms the crux of this investigation. This part comprises seven chapters of the study and presents

the climax and conclusions of the study. Part 4 links the entire research study together, presenting the

Liforac model for Live Forensic Acquisition founded on the first three parts of the document.


• Chapter 9, Building A Model, presents the climax of the study. This chapter shows the process

involved in composing a model from the information gathered in Parts 1 to 3, to represent a

comprehensive, forensically sound model consisting of four dimensions. Chapters 10 to 13 discuss

each of these dimensions in detail.

• Chapter 10, Laws and Regulations Dimension, looks in more detail at the dimension relating to

laws and regulations relevant to Digital Forensics. Largely, this dimension builds on Chapter 8.

• Chapter 11, Timeline Dimension, looks in more detail at the sequential order in which

investigators should perform specific actions to ensure sound Live Forensic Acquisition. This

chapter looks at process flows and activities that need to be performed in a specific order.

• Chapter 12, Knowledge Dimension, looks in more detail at the people involved in successful

Live Forensic Acquisition: who they are and what training and skills they should possess. Both

pertinent and inherent knowledge play a part in the development of the Liforac model.

• Chapter 13, Scope Dimension, looks in more detail at the problems associated with Live

Forensics, identified earlier in Chapter 5 of this study. This chapter gives some guidelines on

how to handle these problems.

• Chapter 14, Presenting the Final Liforac model, presents the final model for comprehensive,

forensically sound Live Forensic Acquisition. The accompanying CD also presents this final

model graphically. Chapter 15, Closure, concludes the study and justifies the development of the

Liforac model for comprehensive, forensically sound Live Forensic Acquisition.

Research deliverables

Table 2-1 summarises the previously discussed research plan and shows the deliverables relevant to

each chapter. These fifteen chapters work together to present a comprehensive model for Live Forensic

Acquisition, presented in Chapter 14. This table also maps the five sub objectives (introduced in Figure

2-2) to deliverables in a specific chapter.

Table 2-1: Project deliverables (Own compilation)

Part 1: Setting the Scene

Chapters 2 and 3

− Forensic definition and glossary

• Maps to sub objective A: Digital Forensic discipline

Part 2: Live Forensic Acquisition

Chapter 4

− Forensic tool overview

• Maps to sub objective A: Digital Forensic discipline

Chapter 5

− Current Live Forensic methods and techniques

• Maps to sub objective B: Current Live Forensic techniques

Chapter 6

− Extended forensic definition and glossary

• Maps to sub objective C: Identify sound forensic techniques

Part 3: Digital Forensics and the Judicial System

Chapter 7

− Cyber crime background

• Maps to sub objective D: Crimes and criminals

Chapter 8

− Cyber crime legislation and investigation framework

• Maps to sub objective E: Laws

Part 4: Sound Live Forensic Acquisition

Chapter 9 − Generic Liforac model

Chapter 10 − Laws and Regulations

Chapter 11 − Timeline

Chapter 12 − Knowledge

Chapter 13 − Scope

Chapter 14 − Liforac graphical display

Chapter 15 − Closure

The chapters indicated in Table 2-1 present most of these deliverables, whilst the accompanying CD

presents the rest of deliverables in more detail. The next section introduces the research approach for

this project.

2.4 Research Approach

The main research methodology that will apply to this particular study is explorative and developmental,

using both existing and new data. The first section of the research focuses on a broad literature survey:

Digital Forensics in general, Dead and Live Forensic Acquisition, forensic tools, current forensic

techniques and practices, and legislation relevant to Digital Forensics. From this literature survey, it is

possible to identify a number of building blocks that can contribute to the development of the Liforac

model.

Most of these building blocks need further investigation, either because they are purely theoretical statements,

or because the discipline is still relatively new and unexplored. The study will therefore progress from a

very broad discussion of the Digital Forensic field in Part 1, to a proposed model as a solution to the

problems identified related to Live Forensics in Part 4.

Figure 2-3 presents the basic research approach for this study. This figure maps directly onto Figure 2-2,

with sub objectives A to E leading to the development of the Liforac model. Figure 2-3 presents the

research approach as a pyramid, with each completed sub objective laying the foundation for the next

sub objective. The pyramid suggests that each sub objective addresses a more specialised area that


can be used in the Liforac model. This representation enforces the idea that the acquired data from the

literature survey are the building blocks used to assemble a model for comprehensive, forensically sound Live

Forensic Acquisition.

Throughout the study, figures similar to Figure 2-3 will depict the development process of the model.

These figures will graphically show the reader the data already gathered that are necessary before the

development of the actual Liforac model can start.

Figure 2-3: Liforac model progress (Own compilation)

Since Live Forensic Acquisition is relatively new and unexplored, it is difficult to identify appropriate

measurement instruments beforehand. However, future research will measure and validate the proposed

model in a live Digital Forensic environment. The result of the study will pose a qualitative contribution to

the Digital Forensic environment, extending the current minimal capacity of Live Forensic Acquisition.

The proposed research study tackles a new, relatively unknown problem.

Based on the information presented in Chapter 2, it is possible to create a roadmap for the development of

the Liforac model. Figure 2-4 shows this roadmap in its generic form. Each of the subsequent chapters

will be introduced with a version of the roadmap, indicating the progress on the figure.

2.5 Limitations

At the time of writing, the literature available on Live Forensics is rather limited and not very scientific in

nature. The direction of this study will definitely contribute to an expanding discipline and aims to

advance the acceptance of Live Forensic Acquisition in the judicial system.


Figure 2-4: Liforac model development roadmap

2.6 Summary

Chapter 2 is an orientation to the planned research. It provides background information to the research

problem and states the objectives of the study. Chapter 2 lays out the platform for the proposed study

and provides figures and tables to visualise the research plan and the extent of the study.

Chapter 3 will now provide a detailed literature study on Digital Forensics. This literature study is crucial

to the reader’s understanding of the discipline and contributes to the motivation of the necessity of a

model for comprehensive Live Forensic Acquisition. Chapter 3 addresses the first sub objective, The

Digital Forensic Discipline. This involves a brief overview of Digital Forensic history, a graphical

depiction of the Dead and Live Forensic Acquisition processes, as well as the graphical depiction of the

generic forensic process diagram. Chapter 3 is also the first chapter to list a number of drivers that can

be used in the Liforac model development.


Chapter 3: The Digital Forensic Discipline

“There’s a lot of interest in these growing fields of forensic science… It is designed to appeal to those who are interested in criminal justice. If you want to ferret out crime and evidence, it all comes together right here.”

- Lamar Jordan

Part 1 focuses on setting the scene for Digital Forensic analysis. The previous chapter introduced the

study holistically and proposed a research approach to follow in order to develop a comprehensive model

for forensically sound Live Forensic Acquisition. Chapter 3 now formally starts the literature study by

introducing the field of Digital Forensics.

Figure 3-1 shows that the Digital Forensic discipline forms the focus of Chapter 3. This objective lays the

foundation for all further research to develop the Liforac model. It introduces the term Digital Forensics

and presents a brief history of the discipline. Chapter 3 further introduces both Dead and Live Forensics

as separate disciplines, investigating both the positive aspects and the limitations, and compares the

disciplines through diagrams. Lastly, Chapter 3 lists and explains the steps involved in the Forensic

Acquisition process, applicable to both Dead and Live Digital Forensics.

Figure 3-1: Liforac model progress - Digital Forensic discipline (a) (Own compilation)

This chapter will also establish a knowledge foundation based on different Digital Forensic Acquisition

approaches and introduce a number of terms unique to this discipline (see Glossary on the accompanying

CD for a formal presentation of these terms).


3.1 Introduction

Digital Forensics forms the foundation of this study. Although this chapter investigates the entire

discipline, the study will mainly focus on Digital Forensic Acquisition and its related activities. Many of the

terms encountered in Chapter 3 are introduced and defined at the beginning of the study (page viii).

The basic understanding of the Digital Forensic discipline is that it combines elements of both law and

computer science to collect and analyse data from computer systems, networks and storage devices in a

way that is admissible as evidence in a court of law (US-CERT 2005:1). It involves “… the exploration

and application of scientifically proven methods… to gather, process, interpret and utilise digital evidence in

order to provide a conclusive description of all cyber-attack activities” (Giordano & Maciag 2002:3).

Louwrens (2009a:2) provides a more comprehensive definition: “Digital Forensics are (sic) the analytical

and investigative techniques used for the preservation, identification, extraction, documentation, analysis

and interpretation of computer media which is digitally stored or encoded for evidentiary and/or root

cause analysis”. For the purpose of this study, acquisition does not include the interpretation of the

acquired data, but involves the transportation of the data from the crime scene to a safe location, as well

as its safe storage.

There are a number of definitions available, varying with regard to the extent of the forensic process.

However, all of the definitions agree that Digital Forensics includes the investigation of digital data. To

understand the complexity of the discipline, it is necessary to look at the origin. The next paragraph

discusses the history of Digital Forensics.

3.2 Digital Forensic History

The profiling of criminals dates back to the 15th century. Although these early investigators did not always document their techniques accurately or perform them according to a standard, their work contributed to the development of Digital Forensics (Nykodym, Taylor & Vilela 2005:261). In the late 1800s, Alphonse Bertillon developed one of the first scientific systems of personal identification. This system laid the groundwork for research by Edmond Locard, the acclaimed father of forensics (Gallo 2008:4), and the Locard Exchange principle (refer to Paragraph 5.1).

Despite these early beginnings, the American Federal Bureau of Investigation (FBI) only started to formally employ Digital Forensics in 1984 and it only emerged as an identifiably independent field in 1992 (Fei 2007:24; Spafford 2006:4). Modern criminal identification systems can be traced back to the case of Jack the Ripper in the late 19th century. Dr Thomas Bond, a famous profiler, investigated this case, far surpassing his era by applying psychology to profile the perpetrator and assess the scene. The modern criminal profiling process takes two approaches:


• Prospective profiling creates a template of a specific type of offender, based on the in-depth study

of characteristics of previous offenders. Profilers constantly re-evaluate these profiles in a

process to narrow down and predict who will commit these specific types of offences.

• Retrospective profiling follows an investigation and is normally case specific. This technique

uses clues left behind by the specific criminal. Digital Forensics is of the retrospective profiling

type, used often by the FBI and other Law Enforcement agencies (Nykodym et al. 2005:261).

Since Digital Forensics applies post-incident, the process that investigators follow needs to be accurate.

If the investigator contaminates the crime scene, the evidence will likely not be usable in court. The

following section introduces the basic Digital Forensic process, with the different stages.

3.3 Digital Forensic Process

Heated discussions exist in the world of Digital Forensics. The two most prominent positions are pulling the plug and performing the acquisition on a live, running system. In order to investigate the action of Live Forensic Acquisition (the foundation of this research study), it is necessary to look at and explain both acquisition approaches. Whichever of the approaches is applied, the basic Digital Forensic methodology consists of three important steps:

• acquire the evidence without altering or damaging the original;

• authenticate that the recovered evidence is the same as the originally seized data; and

• analyse the data without modifying it (Kruse II & Heiser 2002:3).

The complete Digital Forensic methodology needs to address all three of the abovementioned aspects. For the purpose of this study, only the first step, acquiring the evidence without altering or damaging the original, is under investigation. The following sections discuss the two different Digital Forensic Acquisition approaches, and identify and explain the shortcomings of both Dead Forensic Acquisition and Live Forensic Acquisition.

3.3.1 Dead Forensic Acquisition

The first of the two Digital Forensic Acquisition approaches is Dead Forensic Acquisition. Investigators often refer to this method as the traditional Digital Forensic approach. Dead Forensic Acquisition involves pulling the plug on a suspect system, or shutting the system down through normal administrative procedures. This method prevents any malicious process from continuing to run on the system and potentially deleting data from it. It allows the investigator access to create a snapshot of the swap files and system information as it was last running (Stimmel 2008:2). This section briefly introduces this acquisition approach by defining the terminology and explaining the role of the First Responder, before looking at the positive aspects and limitations of the method.


Definition

A formal definition of Dead Forensic Analysis is “… analysis done on a powered off computer” (Jones

2007:2,3). Usually there are four stages to traditional Dead Forensic Analysis. Paragraph 4.2 elaborates

more on these stages, but the list below briefly introduces them:

• Collection is the first stage and entails the process on location: search and seizure, acquisition of the

information and data sources in a forensically sound manner. First Responders (defined below) often

are responsible for the Collection stage. The main action of this stage is the forensic disk duplication.

• Examination comprises both a manual and an automatic assessment of the acquired data. This stage aims to identify and extract data relevant to the specific case. The main action is the feature extraction, involving file system parsing and extracting mailboxes.

• Analysis (filtering) is the process of using the identified data to prove that one or more specific individuals performed the actions on the computer. This stage involves browsing, querying and correlating existing data (Alink, Bhoedjang, Boncz & De Vries 2006:50) and general data reduction.

• Reporting is the last stage in which the forensic investigator reports the information gathered

(Jones 2007:2,3). This can take a written, oral or electronic form (Pollitt & Whitledge 2006:4).

For the purpose of this study, all four of the abovementioned stages will be considered (Section 4.2 discusses these stages in more detail). The first stage, Collection, will be covered in additional detail since it forms the foundation of the study. The remainder of the study will refer to the Collection stage as the Forensic Acquisition process. The other three stages will be discussed in less detail, but not omitted: acquisition rarely occurs in isolation without at least some form of reporting done by the forensic investigator. The next section looks at the roles and responsibilities of the First Responder, as crucial elements of the Forensic Acquisition process.

First Responder

According to the South African Police Services (SAPS 2007:29), a First Responder is “… a confident

individual that can correctly handle 80% of cyber crime scenes and cyber evidence acquisitions”. These

individuals often arrive first at the crime scene. They are responsible for the legal seizure of items

suspected to be involved in a crime and the basic acquisition of data images of the suspect system. First

Responders are generally involved with both the collection and the acquisition processes during search

and seizure operations.

The forensic copying process is not straightforward, but with sufficient training and the correct forensic

software packages, First Responders are qualified to copy the hard drive image, complete with

unallocated sectors, slack space and file metadata. First Responders can accomplish this by copying

the seized hard drive bit by bit (Jones 2007:3).


Figure 3-2 illustrates the First Responder’s actions chronologically. The First Responder (or a forensic

investigator fulfilling the role of First Responder) needs to approach the computer and determine its power

status. If the computer’s power is on, he/she turns it off by either pulling out the power plug or following

the proper shut down procedure. Once the power is off, the forensic investigator physically removes the

hard drive from the system, attaches it as an external drive to a forensic system and copies its content. The

investigator takes the necessary precautions to ensure that no data modification takes place on the

external drive. Depending on the specific situation, the investigator may either return the hard drive to

the original system or bag it as evidence. This entire process should be documented in the chain of

custody.

Figure 3-2: Dead Forensic Acquisition (Adapted from: Jones 2007:3)
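As an added illustration (not part of the thesis or of the Liforac model), the following Python script carries out the first two steps of the three-step methodology of Section 3.3 on the First Responder's bit-by-bit copy described above: it copies a constructed "suspect disk" sector by sector, including the slack-space remnant of a deleted file that a file-level copy would miss, hashes the source stream and the finished image with SHA-256 to authenticate the copy, and later re-verifies the image against the recorded hash. The file names, the sector size and the disk content are all constructed for the example.

```python
# Added example (not from the thesis): a bit-for-bit acquisition of a
# constructed "suspect disk" with SHA-256 authentication, as a First
# Responder's imaging tool would do. Paths and the sample data are constructed.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # read in sector-sized blocks, as a physical imager would


def hash_file(path, block_size=SECTOR):
    """SHA-256 of a file, streamed block by block so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path, image_path, block_size=SECTOR):
    """Copy every block of the source (allocated or not) to the image file.

    The source is opened read-only, the stream is hashed while it is copied,
    and the finished image is re-read and hashed independently. Equal hashes
    are the 'authenticate' step of the three-step methodology; the returned
    record is what goes into the chain-of-custody documentation.
    """
    source_hash = hashlib.sha256()
    bytes_copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            source_hash.update(block)
            dst.write(block)
            bytes_copied += len(block)
    image_sha256 = hash_file(image_path, block_size)
    return {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": os.path.basename(source_path),
        "image": os.path.basename(image_path),
        "bytes": bytes_copied,
        "source_sha256": source_hash.hexdigest(),
        "image_sha256": image_sha256,
        "verified": source_hash.hexdigest() == image_sha256,
    }


def reverify(image_path, record):
    """Before analysis (or in court): is the image still what was acquired?"""
    return hash_file(image_path) == record["image_sha256"]


# Constructed disk content: an 'allocated' file followed by slack space that
# still holds the remnant of a deleted file. A file-level copy would miss the
# remnant; the block copy above captures it.
CONSTRUCTED_DISK = (
    b"ALLOCATED: quarterly report v3".ljust(SECTOR, b"\x00")
    + b"DELETED-REMNANT: transfer 50000 to acct 1234".ljust(SECTOR, b"\x00")
    + b"\x00" * SECTOR  # an empty sector
)


def demo():
    """Run the acquisition on the constructed disk; returns the checks' results."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect_disk.raw")
        image = os.path.join(tmp, "evidence_001.dd")
        with open(source, "wb") as f:
            f.write(CONSTRUCTED_DISK)
        record = acquire_image(source, image)
        clean = reverify(image, record)
        with open(image, "rb") as f:
            remnant_captured = b"DELETED-REMNANT" in f.read()
        # Simulate tampering after acquisition: change one byte in the image.
        with open(image, "r+b") as f:
            f.seek(SECTOR)
            f.write(b"X")
        tampered = reverify(image, record)
    return {
        "record": record,
        "direct_sha256": hashlib.sha256(CONSTRUCTED_DISK).hexdigest(),
        "remnant_captured": remnant_captured,
        "clean_reverify": clean,
        "tampered_reverify": tampered,
    }


if __name__ == "__main__":
    print(demo())
```

In practice a hardware write blocker, rather than the read-only file handle used here, is what keeps the original from being modified; the hash record is what the chain of custody carries forward, and the re-verification failing after a single changed byte is the point of the authentication step.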

Dead Forensic Acquisition allows investigators to acquire a range of digital data, but it mainly retrieves

static data or data at rest (Forte 2008a:13). This refers to data stored to secondary storage, including:

• file system, networked computers, storage arrays;

• disks, memory, tapes, optical media, cameras;

• smart cards, dongles, biometric scanners;

• PC boards, PCMCIA (Personal Computer Memory Card International Association) cards;

• PDAs, cell phones, USBs, pen recorders;

• servers and clients;

• RAM, swap file and hibernation file;

• VOIP (Voice Over Internet Protocol), POTS (Plain Old Telephone Service);

• VPN (Virtual Private Network) and encrypted data;


• Internet Relay Chat (IRC) sessions;

• radios, cell systems and satellites;

• printers, answering machines, watches; and

• stagnant data on remote places of the hard drive (Cohen 2006:7,8).

For many years, Dead Forensic Acquisition has been the only means to perform forensic acquisitions. It

is a simple procedure to follow and straightforward steps have been tried and tested to perform these

actions. However, a lot of time has passed and many new technological advances have been made that

have either a direct or indirect impact on Forensic Acquisitions. As a result, Dead Forensic Acquisition

has both advantages and disadvantages. The following sections present the advantages and

disadvantages of Dead Forensic Acquisition.

3.3.1.1 Positive Aspects of Dead Forensic Acquisition

The forensic discipline in itself brings about a number of advantages that support the process of cyber investigations and prosecutions. The list below shows some of the more prominent advantages:

1. One of the main advantages of forensics, both Dead and Live Forensics, is the ability to retrieve

hidden and deleted data. This retrieved data can be applied in a number of ways, including

inter-organisational disciplinary investigations and jurisdictional court cases.

2. Under normal circumstances, there is no fear of forensic investigators overwriting or modifying

evidentiary data obtained from a forensic acquisition. Generally, sufficient precautions are in

place to ensure that the forensic software allows no modification during the copying process to

either the original or the copied image of the original hard disk (Jones 2007:3). Dead Forensic

Acquisition is a clear-cut process that presents evidence that is admissible in court, when

performed correctly.

3. A distinguishing characteristic between Dead and Live Forensics is that Dead Forensics rarely acquires live, volatile data. Once the computer is unplugged, the machine loses most of the volatile memory in the RAM. A little known fact is that most modern RAM modules retain their contents for several seconds after power is lost. The system does not immediately erase the volatile memory, but its content becomes less reliable when not refreshed regularly. A forensic investigator who is aware of this can make use of this small window of opportunity to do a forensic acquisition (Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino, Feldman, Appelbaum & Felten 2008:12). The technical aspects of this specialised technique are beyond the scope of this study.

For many years, investigators only had the Dead Forensic approach to do any kind of acquisition on

digital systems. However, with evolving technology and digital techniques, Dead Forensic Acquisition

steadily became inadequate to successfully address modern cyber attacks and adhere to current

legislation. The next section addresses the limitations of Dead Forensic Acquisition.


3.3.1.2 Limitations of Dead Forensic Acquisition

There are a number of limitations and difficulties associated with Dead Forensic Acquisition. Some limitations are more serious than others, but it is necessary to look at all instances.

1. Many unique practical and legal constraints make the application of Digital Forensics both interesting and decidedly complex. An example of a practical constraint would be if the suspect system were a public machine in an internet café, with the owner claiming a possible loss of income for the duration of the forensic investigation. An example of a legal constraint is the restriction of the methods by which forensic investigators can obtain data.

2. A lack of standardised procedures leads to uncertainties about the effectiveness of current investigation techniques. In turn, this has led to the suboptimal use of resources. In some instances, investigators gather worthless data, which takes unnecessary time. In addition, these data have to be stored and take up valuable space (Leigland & Krings 2004:3).

3. To comply with traditional forensic requirements, all data must be gathered and analysed for

evidence. However, modern computers consist of terabytes of data (Leigland & Krings 2004:2).

These advanced technologies, coupled with cyber crimes becoming more complex, lead to more

complex and time-consuming digital investigations. It is increasingly difficult to locate vital evidence

within the massive volumes of data. Log files also tend to increase in size and dimension,

complicating a Digital Forensic investigation even further (Fei 2007:15).

4. In response to the efficiency of Dead Forensic Acquisition, criminals have resorted to the widespread use of cryptography. Now, even though forensic investigators have a complete bit-for-bit hard drive image of the suspect system, it is encrypted and of no practical value. In this scenario, users can only decrypt the drive with a unique password. Since investigators cannot always rely on a suspect’s cooperation in supplying this password, the method of acquisition needs adjustment. By acquiring this encrypted disk with Live Forensic Acquisition techniques, investigators may have a bigger chance of accessing the disk’s decrypted contents. This whole-disk encryption is not only limited to criminals, but is now also a default feature of some OSs.

5. Investigators need passwords to access the system. Since the system is neither active nor logged on when a Dead Forensic Acquisition occurs, the investigators need passwords to access all encrypted files and file systems. The general modus operandi is to run a password cracker on these files and file systems. However, newer OSs require stronger passwords. This measure was put in place to protect the computer user, but it inadvertently made it practically impossible for forensic investigators to crack the passwords within a reasonable amount of time and with reasonable resources.

6. If forensic investigators do not follow these restrictions to the letter, data acquired in certain ways may be inadmissible in court and not allowed as intelligence (Jones 2007:1). This negates the criminal investigation completely. For this reason, it is important that forensic investigators are equipped with tools and mechanisms that can result in the acquisition of forensically sound system images. Only when this is possible can data be seen as evidence and be admissible in a court of law.


7. Dead Forensic Acquisition can be highly disruptive if a mission or business critical machine

needs to be shut down for acquisition. In many cases, it is impractical to shut down servers that

need to monitor some type of activity constantly. For example, should a cell phone billing server

be shut down but the network itself remains online, customers would still be able to phone

without the cell phone company having any record(s) of the call(s) to bill the client correctly.

Similarly, if the computer in question belongs to an organisation that outsources its mail or file

server, or the computer belongs to an ISP (Internet Service Provider), other clients using the

same server or ISP will be disrupted. The server in question may host multiple systems from

separate and unrelated enterprises containing various levels of data and program resources.

This may result in unproductive time in which the system users (both directly and indirectly

involved with the computer under investigation, as well as bystanders using the same

outsourced service) cannot access necessary documents.

8. Data retrieved from the different disks of a Redundant Array of Independent Disks (RAID) system need to be pieced together before they can be considered as evidence. A RAID system is the combination of multiple small, inexpensive disk drives, based on redundancy to maximise the ability to recover from hard disk crashes. Data on a RAID system is distributed across each of the drives in a consistent manner. To enable this, the data must be broken into equal-sized pieces (usually 32K or 64K in size) and written to a hard drive in the RAID system. When the data is read, the process is reversed to give the impression that the multiple drives are actually one large drive (RedHat 2009:Internet). If the machine is switched off and an acquisition done, the data will be split randomly across all the drives.

9. Another limitation of Dead Forensic Acquisition has surfaced in the light of network data. The

need for acquiring network related data (such as currently available ports) grew dramatically.

This type of information is volatile and is lost in the event that the computer powers down – the

foundation of Dead Forensic Acquisition (Jones 2007:3). All links to remote server/drive

connections will also be lost in a Dead Forensic Acquisition, thus Dead Forensics is not the

optimal method to acquire live, volatile data. Although modern RAMs allow a couple of seconds

grace period in which the volatile data is not erased, this time is often too little to do a proper

acquisition (refer to Section 3.3.1.1). Related to the network data limitation is the impact that

cloud computing has on Digital Forensics. Cloud computing distributes software applications by

moving it away from individual computers and offering access to the applications via the internet.

If an application is accessed via the cloud, registry entries and temporary files are stored within

the virtual environment and lost when the user exits. This makes evidence traditionally stored on

the hard drive potentially unrecoverable (Frowen 2009:Internet).

10. The Trojan defence cannot be refuted. Owners of suspect systems often claim that a third party hacked into their system and committed some offence as if from their computer, i.e. via a hidden Trojan on their system. With Dead Forensic Acquisition, forensic investigators may be able to find traces of a Trojan on the suspect system, but it is not always possible to prove whether this Trojan was active and could have enabled the offence from a remote location.
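As an added illustration of item 8 (not from the thesis), the following Python functions stripe a constructed document across three member disks in the round-robin manner described, as a RAID 0 array would, and reassemble it. The disk count, stripe size and document are constructed; the point is that no single acquired drive holds readable data, and that reassembly only succeeds with the correct stripe size and disk order, which therefore have to be recorded at acquisition time.

```python
# Added example (not from the thesis): how RAID 0 striping deals a file across
# member disks, and why a Dead Forensic Acquisition of the individual drives
# must be reassembled (with the right stripe size and disk order) before the
# data is readable. Disk count, stripe size and the document are constructed.

STRIPE_SIZE = 8  # bytes, for readability; real arrays use 32K or 64K stripes


def stripe(data, n_disks, stripe_size=STRIPE_SIZE):
    """Break data into equal-sized pieces and write them round-robin to the disks.

    Returns one bytes object per member disk, i.e. what an imager obtains when
    each drive is pulled and acquired on its own.
    """
    disks = [bytearray() for _ in range(n_disks)]
    pieces = [data[i:i + stripe_size] for i in range(0, len(data), stripe_size)]
    for index, piece in enumerate(pieces):
        # the last piece is padded so every stripe has the same size
        disks[index % n_disks] += piece.ljust(stripe_size, b"\x00")
    return [bytes(d) for d in disks]


def destripe(disks, stripe_size=STRIPE_SIZE, length=None):
    """Reverse the process: read stripe 0 of every disk, then stripe 1, and so on."""
    rows = max(len(d) for d in disks) // stripe_size
    out = bytearray()
    for row in range(rows):
        for disk in disks:
            out += disk[row * stripe_size:(row + 1) * stripe_size]
    return bytes(out if length is None else out[:length])


# Constructed evidence: a short document stored on a three-disk array.
DOCUMENT = b"Invoice 4471: pay 12000 EUR to account NL00-CONSTRUCTED by 30 June 2009"
N_DISKS = 3


def demo():
    """Acquire the disks separately and show when reassembly succeeds or fails."""
    disks = stripe(DOCUMENT, N_DISKS)
    return {
        "stripes_per_disk": [len(d) // STRIPE_SIZE for d in disks],
        # no single drive image contains the readable document
        "readable_on_single_disk": any(DOCUMENT in d for d in disks),
        # correct parameters: the document comes back intact
        "reassembled_ok": destripe(disks, length=len(DOCUMENT)) == DOCUMENT,
        # wrong stripe size or wrong disk order: pieces land in the wrong places
        "wrong_stripe_size_ok": destripe(disks, stripe_size=4, length=len(DOCUMENT)) == DOCUMENT,
        "wrong_disk_order_ok": destripe(disks[::-1], length=len(DOCUMENT)) == DOCUMENT,
    }


if __name__ == "__main__":
    print(demo())
```

Parity or mirrored RAID levels add redundancy on top of this layout, but the same dependency on the array's parameters applies: the stripe size, disk order and RAID level belong in the acquisition record alongside the drive images.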


Due to the many limitations of traditional Dead Forensic Acquisition and the advances in technology,

forensic investigators in theory prefer Live Forensic Acquisition. Live Forensic Acquisition involves the

gathering of data from a system without first shutting down the associated system. This allows forensic

investigators to access a variety of invaluable information that would have been lost in a Dead Forensic

Acquisition (Jones 2007:1). In addition, Live Forensic Acquisition allows for investigations on mission

critical systems that might not have been possible if the machine had to be switched off. Unfortunately,

the practice of Live Forensic Acquisition brings about its own limitations, especially with regard to legal

implications. The next section addresses this approach.

3.3.2 Live Forensic Acquisition

Some aspects of Live Forensic Acquisition are similar to aspects of Dead Forensic Acquisition. However, it

developed in response to the shortcomings of the traditional Dead Forensic Acquisition approach and the

advancing of technology. Live Forensic Acquisition considers the retention of volatile data and the

expanded use of encryption on a live system, stronger OSs with specialised security features, multiple

computers per user and the pervasive use of networks (Brown 2005b:7). These systems cannot be

acquired with Dead Forensic Acquisition, necessitating the use of Live Forensic Acquisition.

The acquisition philosophy is the same in that both approaches need to ensure that the acquired image

remains unchanged. The sequence of stages applies to both the Dead and Live Forensic processes

(Collection, Examination, Analysis, and Reporting). Scientists, however, should tailor the inner workings of

these stages to allow for a forensically sound Live Forensic Acquisition (Jones 2007:3). Figure 3-3

presents the First Responder’s actions during Live Forensic Acquisition. At the time of research, no

analogous diagram was found and the author accordingly developed this figure from knowledge gained

through this research project.

The chain of custody is documented from the moment the investigator first approaches the computer and determines its power status. If the computer’s power is off, he/she continues with the Dead Forensic Acquisition procedure discussed in Section 3.3.1. If the computer is switched on, the investigator first needs to select whether the data will be copied with a crossover connection or over the network. Additionally, he/she needs to decide whether the investigation will take place overtly or covertly. The difference in operation between an overt and a covert investigation is addressed in Paragraph 5.2.1.

To initiate acquisition, the investigator needs to activate the forensic agent that was installed on the machine prior to the incident. The forensic agent is a tiny, covert software component that can be deployed using standard patch management systems. It functions similarly to a rootkit, software used by third parties after gaining access to a computer system in order to conceal the altering of files, or processes being executed by the third party, without the user's knowledge (Wiktionary 2008:Internet). The forensic agent is placed within the kernel space of the computer system, giving the forensic investigator administrative rights to the suspect machine.


Figure 3-3: Live Forensic Acquisition (Own compilation)

During a Live Forensic Acquisition, the agent provides a point of contact for the forensic workstation console,

which is used by the forensic investigator to communicate with the suspect computer. The agent allows the

forensic investigator to collect volatile evidence directly from the machine, without the knowledge of the

computer user (BrightForensics 2009:Internet). Once the agent is in place, the entire suspect system

needs to be attached to the forensic system. Agents are completely hidden in the system and can only be

identified if someone tries to install another agent on the same machine. The next section looks at how a

virtual computer environment can affect an acquisition.

Virtual Environment

During a Live Forensic Acquisition, it is necessary to determine whether the logged on account lies in a

real or virtual environment. In essence, the different environments require the same investigation method.

However, if the logged on account links to a virtual machine, the investigator needs to do further seizure

work to acquire both the real machine’s system image, as well as other possible virtual machines located

on the real machine. It may be difficult to detect whether the forensic investigator accessed a real

computing environment or a virtual machine.

A number of techniques exist that can indicate whether a system is real or virtual. The most popular technique is hardware fingerprinting (checking for hardware that is always present in a virtual machine). This technique is of a very technical nature. A more reliable technique is to install virtual machine detectors or fingerprinting tools, but this software may have a negative impact on the forensic soundness of the evidence. Examples of these tools are Red Pill, Jerry, ScoopyNG and VMware Virtual Machine Detector (MSDN 2009:Internet). An easier technique is to look for:

− copyright notes or vendor strings in various files;

− VMware specific hardware drivers, Basic Input Output System (BIOS) and Media Access

Control (MAC) addresses;

− installed VMware tools; and

− hardware virtualisation (e.g. virtual sets of some registers).
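The checks in the list above can be scripted. The following Python example is added here and is not from the thesis: it screens constructed host evidence (MAC addresses, DMI/BIOS vendor and product strings, loaded driver names) for indicators of the main hypervisor products, going beyond VMware to VirtualBox, Hyper-V and QEMU/KVM. The MAC prefixes, vendor strings and driver names are the publicly documented ones for those products; both evidence dictionaries are constructed.

```python
# Added example (not from the thesis): screening constructed host evidence for
# the virtual-machine indicators listed above (vendor strings, hypervisor-
# specific drivers, hypervisor MAC address prefixes). The prefixes and vendor
# strings are the publicly assigned ones for the named hypervisors; the
# evidence dictionaries are constructed.
import re

# OUI (first three octets) prefixes assigned to hypervisor vendors.
VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}

# Substrings found in the DMI/BIOS vendor and product strings of guests.
VM_VENDOR_STRINGS = {
    "vmware": "VMware", "innotek": "VirtualBox", "virtualbox": "VirtualBox",
    "qemu": "QEMU/KVM", "virtual machine": "Hyper-V",
}

# Kernel driver / module name prefixes shipped for guests.
VM_DRIVER_PREFIXES = {
    "vmxnet": "VMware", "vmw_": "VMware", "vmhgfs": "VMware",
    "vboxguest": "VirtualBox", "vboxsf": "VirtualBox",
    "virtio": "QEMU/KVM", "hv_": "Hyper-V",
}


def normalise_mac(mac):
    """Accept 00-50-56-AB-CD-EF, 0050.56ab.cdef or 00:50:56:ab:cd:ef forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vm_indicators(evidence):
    """Return (source, value, hypervisor) triples; an empty list means nothing found."""
    hits = []
    for mac in evidence.get("mac_addresses", []):
        prefix = normalise_mac(mac)[:8]
        if prefix in VM_MAC_PREFIXES:
            hits.append(("mac", mac, VM_MAC_PREFIXES[prefix]))
    for key in ("bios_vendor", "sys_vendor", "product_name"):
        value = evidence.get(key, "")
        for needle, vendor in VM_VENDOR_STRINGS.items():
            if needle in value.lower():
                hits.append((key, value, vendor))
    for driver in evidence.get("drivers", []):
        for prefix, vendor in VM_DRIVER_PREFIXES.items():
            if driver.lower().startswith(prefix):
                hits.append(("driver", driver, vendor))
    return hits


def hypervisors(evidence):
    """Distinct hypervisor products the indicators point to, sorted."""
    return sorted({vendor for _, _, vendor in vm_indicators(evidence)})


# Constructed evidence as a collector might record it (not from any real host).
CONSTRUCTED_GUEST = {
    "mac_addresses": ["00:0C:29:3A:7B:1C"],
    "bios_vendor": "Phoenix Technologies LTD",
    "sys_vendor": "VMware, Inc.",
    "product_name": "VMware Virtual Platform",
    "drivers": ["e1000", "vmw_pvscsi", "vmxnet3"],
}
CONSTRUCTED_PHYSICAL = {
    "mac_addresses": ["3C-97-0E-12-34-56"],
    "bios_vendor": "American Megatrends Inc.",
    "sys_vendor": "Example Hardware Co. (constructed)",
    "product_name": "Workstation",
    "drivers": ["e1000e", "ahci"],
}


if __name__ == "__main__":
    for name, ev in (("guest", CONSTRUCTED_GUEST), ("physical", CONSTRUCTED_PHYSICAL)):
        print(name, hypervisors(ev), vm_indicators(ev))
```

On a live Linux host the same values are read from /sys/class/dmi/id/, /sys/class/net/*/address and the loaded module list, which touches nothing but kernel-exported data. A positive result only says that the logged-on session runs in a guest; the real machine and any other guests on it still have to be seized as the text describes.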

Similar to Dead Forensic Acquisition, Live Forensic Acquisition allows investigators to acquire a range of

digital data. However, Live Forensic Acquisition can retrieve both static and dynamic, volatile data. This

volatile data includes data residing in the RAM, system and peripheral memory (Forte 2008a:13). These

are the data sources that are most valuable during a forensic investigation.

This study focuses on developing a comprehensive model for Live Forensic Acquisition. It shows that Live

Forensic Acquisition is a viable countermeasure for problems caused by Dead Forensics: not only is Dead

Forensic Acquisition not always able to appropriately address modern technology, but Live Forensic

Acquisition can better handle more powerful hard drives and read obfuscated data by circumventing

encryption. The next sections discuss the advantages and disadvantages of Live Forensic Acquisition.

3.3.2.1 Positive Aspects of Live Forensic Acquisition

The forensic discipline in itself brings about a number of advantages that support the process of cyber investigations and prosecutions. Although the application of Live Forensic Acquisition in itself is more complicated, the advantages are vast when the acquisition is performed correctly. The list below shows some of the more prominent advantages:

1. One of the main advantages of forensics, both Dead and Live Forensics, is the ability to retrieve

hidden and deleted data (see Paragraph 3.3.1.1). This retrieved data can be applied in a

number of ways, including inter-organisational disciplinary investigations and jurisdictional court

cases. In addition, Live Forensic Acquisition can access obfuscated data.

2. In response to the limitations of Dead Forensic Acquisition, Live Forensic Acquisition has

surfaced as a remedy. This analysis allows forensic investigators to retrieve volatile information

specific to the suspect system’s network settings, including any remote server/drive connections

and shared files and folders. Live Forensic Acquisition will also allow the retrieval of domain

information, networked computers and any password constraints (Gallo 2008:20). In many

instances, this information is invaluable to the prosecution of a cyber criminal. It is thus possible

to view the development of Live Forensic Acquisition as an improvement of current methods of

Dead Forensic Acquisition (Nikkel 2006:2).


3. In contrast to Dead Forensic Acquisition, Live Forensic Acquisition can be minimally disruptive with regard to mission and business critical machines that cannot be shut down. Where it was previously impractical to shut down the Department of Defence’s server or a heart-lung machine in a hospital, Live Forensics now presents the opportunity to do analysis on actively running machines. Other examples of business critical systems that can benefit from Live Forensic Acquisition are mobile networks, air traffic control systems, banking networks and correctional services’ access control systems. The Live Acquisition, however, will have an impact on the bandwidth availability of the specific network.

4. Live Forensic Acquisition collects information about the running state of the machine. This involves

information about the logged on user account, the currently open network ports, applications

listening on open ports, the state of the network interface (promiscuous or not), system date and

time, as well as active applications and web pages (Mandia, Prosise & Pepe 2003:17).

5. In contrast with the deficiency of Dead Forensic Acquisition, Live Forensic Acquisition enables forensic investigators to access encrypted file systems whilst the system is active and the files are already decrypted. These aspects prove to be very helpful in a number of digital investigations. In addition to the fact that the live system is already active, the forensic agent works on the logical system and does not need any passwords or keys to access the machine.

6. Live Forensics remedies the practical problems that Dead Forensic Acquisition encounters when

the suspect machine has implemented a RAID system (discussed in Paragraph 3.3.1.2 (8)).

During a Live Forensic Acquisition, the data is read directly from RAID in the normal manner,

without the need to puzzle the data together before it can be considered as evidence.

7. Partial extractions are possible. A Dead Forensic Acquisition limits a forensic investigator to imaging the entire drive. Depending on the size of the drive, this may be a lengthy process. Live Forensic Acquisition allows the extraction or imaging of selected parts of the suspect drive, such as Ntuser.dat or the SAM file (Brown 2005b:15). This is especially beneficial if the suspect drive is in the terabyte range.

8. The Trojan defence can be proven or disproven. During Live Forensic Acquisition, investigators can retrieve the suspect system’s pagefile. This file will indicate whether a Trojan embedded in the system is active or not, and whether it is facilitating a third party to commit an offence remotely.
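As an added illustration of item 4 above (not from the thesis), the following Python parser reads the running state of the network stack the way a live collector does on a Linux suspect system: it decodes the kernel's socket table (the /proc/net/tcp file) into listening ports, established connections and the owning user, and hashes the raw table for the acquisition record. The table here is constructed; on a live machine the parser would be fed the contents of /proc/net/tcp directly.

```python
# Added example (not from the thesis): reading the running state of the network
# stack the way a live collector does on Linux, by parsing the kernel's socket
# table (/proc/net/tcp) into listening ports and established connections. The
# table below is constructed; on a live system the parser would be given
# open("/proc/net/tcp").read() instead.
import hashlib
import socket
import struct

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080); the address is little-endian hex."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket: endpoints, state, owning uid and socket inode."""
    entries = []
    for line in text.splitlines()[1:]:  # line 0 is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        entries.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            # the inode links the socket to a process via /proc/<pid>/fd
            "inode": int(fields[9]),
        })
    return entries


def listening_ports(entries):
    return sorted(e["local"] for e in entries if e["state"] == "LISTEN")


def established(entries):
    return [e for e in entries if e["state"] == "ESTABLISHED"]


def snapshot(text):
    """What goes into the acquisition record: a hash of the raw table plus the summary."""
    entries = parse_proc_net_tcp(text)
    return {
        "raw_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "listening": listening_ports(entries),
        "established": [(e["local"], e["remote"], e["uid"]) for e in established(entries)],
    }


# Constructed socket table (not captured from a real host). Row 2 is an inbound
# SSH session from 192.168.0.100, which is the kind of entry the investigator's
# own console connection would add to the evidence.
CONSTRUCTED_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18210 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   113        0 20417 1 0000000000000000 100 0 0 10 0
   2: 1F00A8C0:0016 6400A8C0:D2A4 01 00000000:00000000 00:00000000 00000000     0        0 33102 1 0000000000000000 20 4 30 10 -1
   3: 1F00A8C0:9A3C 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 41877 1 0000000000000000 20 4 30 10 -1
"""


if __name__ == "__main__":
    print(snapshot(CONSTRUCTED_PROC_NET_TCP))
```

Row 2 of the constructed table is an inbound SSH session; the investigator's own console connection appears in the evidence in exactly this way, which is one concrete instance of the acquisition altering what it collects (Paragraph 3.3.2.2, item 4) and a reason to record the forensic workstation's own address and the collection time in the chain of custody.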

The application of Live Forensic Acquisition addresses some of the more recent developments in technological advances. However, this relatively new technique has a number of limitations as well.

3.3.2.2 Limitations of Live Forensic Acquisition

Although Live Forensic Acquisition addresses most of the problems associated with Dead Forensic

Acquisition, it brings about additional problems:

1. Many unique practical and legal constraints make the application of Digital Forensics complicated.

These constraints have already been discussed in Paragraph 3.3.1.2 (1). One additional practical

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 29 of 268 Chapter 3

limitation is that Live Forensic Acquisition is much more labour intensive than Dead Forensic Acquisition and requires a higher level of competency on site (Gallo 2008:48). Live Forensic Acquisition is also not possible on a machine that is already powered off.

2. A lack of standardised procedures leads to uncertainty about the effectiveness of current investigation techniques. In turn, this has led to the suboptimal use of resources. In some instances, investigators gather worthless data, which takes unnecessary time to collect and then has to be stored, taking up valuable space (Leigland & Krings 2004:3).

3. Anti-forensic toolkits may block the acquisition of evidence. These toolkits are widely available and

may obstruct the collection of evidence from live network sources (Nikkel 2006:2). This may lead to

the acquisition of incorrect data from the suspect machine, affecting the authenticity and reliability of

the digital evidence.

4. Data modification during the acquisition process and the dependence of the forensic acquisition on the suspect system's OS are two of the more prominent concerns regarding Live Forensic Acquisition. If the acquisition process alters the data, courts may dismiss the data as forensically unsound. The investigation into this aspect contributes to the model for forensically sound Live Forensic Acquisition presented in Chapter 14. Linked to the problem of data modification are slurred images (images of a disk whose contents change while the copy is being made), discussed in detail in Paragraph 5.2.1. This potential for continual evidence modification is one of the main critiques of Live Forensic Acquisition.

5. Forensic investigators have a limited window of opportunity. Live Forensic Acquisition can only be

performed if the suspect machine is in an active session. The suspect machine needs to be logged

on for the forensic investigator to gain access to it.

6. Bandwidth restrictions can limit or slow down the acquisition process. Since the suspect machine is live and active, forensic investigators connect to the agent installed on the machine over the network. Copying data as digital evidence from the suspect machine to the forensic workstation consumes bandwidth, especially if a large number of other computer users are on the network at that time. In addition, large remote acquisitions may have to be done after hours to accommodate the limited South African bandwidth capacity (Coetzee 2009:Interview).

7. To ensure the success of a Live Forensic Acquisition, forensic readiness should be in place. Organisations need to be proactive and install the necessary agents on all machines prior to any incident. In a large organisation, these agents can be distributed to all machines using network management software or USB scripts, or by issuing standard organisational clones (with the agent already installed) to all employees (Coetzee 2009:Interview). After an incident has taken place, Live Forensic Acquisition is only possible if an agent was installed on that particular machine.

8. Every computer installation is different. Although there are many common components and aspects, computer users can configure their systems as they wish. For this reason, it is the forensic investigator's job to ensure that he/she has sufficient knowledge of a wide variety of hardware, software and OSs. In addition, the computer may be a single workstation, a server, outsourced or part of a cloud computing network. It is indeed possible to come across any combination of these components and the investigator should be prepared to handle all of them. Due to the range of


possibilities provided by Live Forensic Acquisition, forensic investigators should be comfortable with

the acquisition principles and the effect that specific actions may have on the validity of the

evidence. It is further up to the interpretation of the investigator to analyse the situation and apply

the forensic principles in such a way that his/her actions can be justified in a court of law.

This study addresses these limitations to determine whether Live Forensic Acquisition is a viable alternative

to Dead Forensic Acquisition. The next section summarises the current research results, comparing Dead

and Live Forensic Acquisition according to both positive aspects and limitations (presented in the preceding

paragraphs of Section 3.3).

3.3.3 Comparison Between Dead and Live Forensic Acquisition

In conclusion to the discussion on the two Forensic Acquisition approaches, this section summarises the information presented in the preceding sections. Table 3-1 compares Dead and Live Digital Forensics, based on the advantages and disadvantages of using the two approaches during a forensic investigation.

Table 3-1: Comparing Dead and Live Forensics (Own compilation)

Positive aspects

Dead Forensics:
• Possible to retrieve hidden and deleted data.
• No modification during the copying process.
• Modern RAMs retain their contents for a short while after power loss, allowing a window of opportunity to do a Forensic Acquisition.

Live Forensics:
• Possible to retrieve hidden, deleted and obfuscated data.
• Possible to retrieve volatile information specific to the system's network settings.
• Can be minimally disruptive with regard to mission and business critical machines that cannot be shut down.
• Collects information about the running state of the machine.
• Access to decrypted files whilst the machine is active.
• Possible to retrieve readable data from RAID arrays.
• Partial extractions are possible.
• Trojan defence can be proven.

Limitations

Dead Forensics:
• Unique practical and legal constraints.
• A lack of standardised procedures.
• Massive volumes of data lead to complex, time-consuming investigations.
• Cryptography can render a system forensic image useless.
• Passwords and usernames are needed to access the system.
• Data acquired in certain ways may be inadmissible in court.
• Highly disruptive if a mission critical machine needs to be shut down for acquisition.
• Data retrieved from the different disks of a RAID system need to be puzzled together before they can be considered as evidence.
• Volatile network data is regularly lost.
• Trojan defence cannot be argued.

Live Forensics:
• Unique practical and legal constraints.
• A lack of standardised procedures.
• Anti-forensic toolkits may block the acquisition of evidence.
• Data modification is a reality with current Live Forensic practices.
• Limited window of opportunity (acquisition only possible if the system is active).
• Bandwidth restrictions can limit/slow down the acquisition process.
• Forensic readiness: an agent needs to be installed prior to the incident.
• Customised computer installations complicate the preparation for an investigation.

This comparative table shows that neither Dead nor Live Forensic Acquisition is a foolproof technique.

However, Dead Forensic Acquisition seems to have more limitations, while Live Forensic Acquisition has

more aspects that are positive. The next section will look at the details of the forensic process, as

applied to both Dead and Live Forensic Acquisition.

3.4 The Digital Forensic Acquisition Process

The basic principles of forensics are very simple. However, the variety of computer hardware and software, and the various types of OSs and platforms, complicate the Digital Forensic Acquisition process. It is very rare that the investigator knows exactly what to expect when walking into a field setting. In many cases, the client will provide some information regarding the number of systems in question, their specifications and current state. However, if the person providing it does not have substantial computer knowledge, or is involved in the crime, the information may be completely off track. This scenario correlates with that of traditional forensics, where forensic investigators are called to a crime scene but the information relayed to them is incorrect (Stimmel 2008:1).

In both Dead and Live Forensic Acquisition, forensic investigators need to be prepared for any possible scenario. Figure 3-4 shows a sample Digital Forensic Acquisition checklist, presenting a systematic guideline to the crime scene areas and components the investigator needs to acquire. Within the context of this study, this checklist merely serves an explanatory purpose and is not a detailed, set standard for acquisition checklists. The Digital Forensic Acquisition checklist comprises consecutive steps with a checkbox for each, allowing the investigator to concentrate on the individual tasks. Should investigators use this technique, it is unlikely that they will forget a step or mix up the order of steps and so compromise the case (Stimmel 2008:1).

The checklist, identified by the case number and the client name, shows 48 different actions that the investigator needs to perform or components that the investigator needs to acquire. The checklist allows for an additional 10 searches specified by the investigator to acquire specific evidence in unique cases. For


example, when the state charged Michael Jackson with child molestation in 2003, the investigators

defined and performed a specialised search on his Internet history to look for websites related to child

molestation or pornography (Daniel 2006:Internet). This sample checklist needs to be personalised

depending on the nature of the investigation.

[Figure 3-4 content, recovered from the extracted image. The form is headed by a Case No and a Client Name field and has two columns of tasks, each task with a Date and Signature field. The task order is as recovered from the extract.]

Column 1 tasks: Received; Photos; Imaged; Verified; BIOS data; Recover files; Malware scan; Signature analysis; Hash analysis; Info record extract; Graphics file; Initialise case; Link parser; Unique email; Internet history; Extract documents; Extract sheets; Extract databases; Extract Images; Extract HTML; Extract Midi; File structure; Document links; Recent.

Column 2 tasks: Favourites; My Documents; Desktop; Temp; HTML/Web; Architecture; Search 1 to Search 10; Accounts; FTK View; Metadata; Report; Blown to disk; To client; To disk; To tape.

Figure 3-4: Digital Forensic Acquisition Checklist

(Adapted from: Computer Forensics Toolkit 2005:Internet)


Although the Digital Forensic Acquisition process is relatively straightforward and the acquisition

checklist provides an easy-to-follow set of steps, a number of external factors may render the Forensic

Acquisition process unpredictable. However, if there are no irregularities to complicate the acquisition

process, investigators need to access the acquired device and initiate the acquisition with the appropriate

write-blocking strategy, document the chain of custody and securely transport and store the evidence

media (Stimmel 2008:1).


Figure 3-5 presents the generic Forensic Acquisition process, generalising the content of both Figure 3-2 and Figure 3-3 to present the generic steps of any Digital Forensic Acquisition. In addition, Figure 3-5 adds the steps Accusation or incident alert (Casey 2007:104) and Transport and store evidence media, which are applicable to both Dead and Live Forensic Acquisition. The first step, Accusation or incident alert, normally triggers the instigation of the forensic process. The last step, Transport and store evidence media, is normally considered part of the remaining forensic stages (Examination, Analysis and Reporting, introduced in Paragraph 3.3.1) and is a logical end for the Acquisition stage.

Figure 3-5: The generic Forensic Acquisition process (Own compilation)

This Collection stage is never performed in isolation and therefore the author extended this stage to

include additional aspects (such as the chain of custody, transport and storage). This extended Collection

stage is referred to as the Acquisition process in the remainder of this research study. The next sections

will introduce the steps that form part of the Forensic Acquisition process.

3.4.1 Accusation or Incident Alert

An accusation or incident alert generally is the catalyst for the forensic process. Once the accusation or

alert is made known, actions can be taken to initiate the investigation. Generally, if an organisation has

an internal forensic team, this team would know about the incident alert as it occurs, and should be

notified of all accusations as soon as possible.


This step is the preliminary fact gathering and initial assessment stage. The organisation needs to

decide whether further action is required. If this is the case, the internal forensic team should continue to

apply investigative resources based upon the merits of the evidence examined (Casey 2004a:104). If

the applicable organisation does not have an internal investigating team, an external organisation with

forensic capabilities should be contacted to begin the forensic process.

3.4.2 Approach Computer

This section addresses the second step of Figure 3-5, Approach computer (locally or over the network).

Kruse II and Heiser (2002:5) list three methods that forensic investigators can employ to approach a

computer and access the acquired device. Depending on the acquisition mode that the investigator

chooses to follow, access to the acquired device might be different.

• The first method is to pull the power plug from the back of the computer - Dead Forensic Acquisition.

• The second method is to follow the normal administrative shut down procedure - Dead Forensic

Acquisition.

• The third method is to keep the system running - Live Forensic Acquisition.

The next sections will discuss the need for isolation, as well as the collection of non-technical and

technical information during this step. As a part of accessing the device, investigators need to collect

non-technical and technical information. Some of the information acquired in this manner may provide

the investigator with necessary passwords, or assist them in cracking passwords to access the system.

Isolation

Regardless of the acquisition method used, the first step in any Forensic Acquisition should be the isolation of both the system and the relevant data. The purpose of this isolation is two-fold: isolation can prevent the corruption of other systems, reducing the risk of a cascading failure throughout the organisation's IT infrastructure, and isolation freezes the state of the affected system, preserving an exact image to assist in the subsequent investigation (Weise & Powell 2005:16). This isolation generally occurs on both a physical and a logical system level.

Collecting Non-Technical Information

Investigators should collect information by interviewing system administrators and other users who might

have had contact with the suspect system (Weise & Powell 2005:16). Investigators should always note what

the system administrator and computer users did prior to the arrival of the acquisition team. Although

interviews might not always be possible in the event of a covert acquisition, investigators should still try to


gather as much information about the system before starting the acquisition process. Occasionally it might be

possible to retrieve passwords beforehand, saving a lot of time and effort on the investigator’s side.

Once the system is completely isolated, the investigator should collect all possible non-technical information,

such as the suspect’s office attendance in the days preceding the incident. This information assists in

establishing a probable timeline of events leading to the suspected cyber crime. In many cases, producing

an accurate timeline of events is central to the investigation. It allows investigators to establish the relative

time of events and sequence, correlate events and undertake causal analysis (Stevens 2004:225). The

sooner this collection can start the better for the acquisition, since bystanders often forget relevant facts,

dates and times when investigators only probe them about it long after the incident. At the least, collecting

non-technical information should be able to narrow down the search (Weise & Powell 2005:16).

Collecting Technical Information

Since many different versions of most available hardware and software exist, forensic investigators need

expert knowledge and patience. This will enable them to acquire evidence correctly from any crime

scene with any combination of hardware and software. Occasionally it may be necessary to do additional

research on software encountered on the system. Sometimes expert advice is necessary to take small

devices apart to access the drive. Sometimes a hardware or software incompatibility may cause problems.

On very rare occasions, a forensic hardware failure may delay the acquisition (Stimmel 2008:1).

During any Forensic Acquisition, it is necessary to check the BIOS. The BIOS provides several pieces of critical information, such as the system date and time. It can also provide a variety of other information, depending on which manufacturer wrote the BIOS software. In addition, it is possible to identify a Host Protected Area (HPA) and a Device Configuration Overlay (DCO) on the computer's drive by investigating the BIOS. One method to identify these areas is to compare the hard drive settings stored in the Complementary Metal Oxide Semiconductor (CMOS) with the values on the drive's label. Alternatively, the investigator can do a similar comparison with a series of Advanced Technology Attachment (ATA) commands: the size reported by IDENTIFY_DEVICE against the value returned by READ_NATIVE_MAX_ADDRESS reveals an HPA. A DCO lowers the native maximum itself, so it only shows up when that native maximum is in turn compared with the size returned by DEVICE_CONFIGURATION_IDENTIFY.

Some forensic applications, such as EnCase and X-Ways Forensics (discussed on the accompanying CD, see Forensic tools), also allow for the detection of an HPA. The HPA and the DCO are reserved areas for data storage outside the normal file system. Since these areas are normally used for specialised application data and configuration data, forensic investigators do not necessarily search these areas for additional hidden data. Knowledgeable cyber criminals can store incriminating data in both the HPA and the DCO (Bedford 2005:269). Should the two sets of compared values differ, the investigator knows that an HPA exists and can make a more specialised effort to locate these files.


Once the investigator has identified whether an HPA or DCO exists, he/she can plan a full bit stream copy of the drive that also captures these hidden areas (Stimmel 2008:2). When this preparation is complete, the forensic investigator can initiate the Forensic Acquisition with a write blocker in place to prevent accidental writing to the protected hard drive.
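The comparison described above, as an added worked example (not from the thesis, nor from EnCase or X-Ways): the IDENTIFY DEVICE response is parsed for the sector count the drive advertises, and that count is compared with the READ NATIVE MAX ADDRESS value (the gap is the HPA) and with the DEVICE CONFIGURATION IDENTIFY value (the gap above the native maximum is the DCO). The IDENTIFY buffer, the drive sizes and the function names are constructed for the example; the word offsets and feature bits are those defined in the ATA standard.

```python
"""Added example: HPA/DCO detection from the values the ATA commands return.

The IDENTIFY DEVICE buffer below is constructed for the example; the word
offsets and feature bits follow the ATA/ATAPI standard.
"""
import struct

SECTOR_BYTES = 512

# Word offsets in the 256-word IDENTIFY DEVICE response.
W_FEATURES_82 = 82       # bit 10 set: Host Protected Area feature set supported
W_FEATURES_83 = 83       # bit 10 set: 48-bit Address feature set supported
W_LBA28 = (60, 61)       # total user-addressable sectors, 28-bit addressing
W_LBA48 = (100, 103)     # maximum user LBA (sector count), 48-bit addressing


def identify_words(buf):
    """Split the 512-byte IDENTIFY DEVICE response into 256 little-endian words."""
    if len(buf) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    return list(struct.unpack("<256H", buf))


def advertised_sectors(words):
    """Sector count the drive reports to the BIOS/OS, i.e. what the CMOS settings see."""
    if words[W_FEATURES_83] & (1 << 10):            # LBA48-capable drive
        lo, hi = W_LBA48
        return sum(w << (16 * i) for i, w in enumerate(words[lo:hi + 1]))
    lo, hi = W_LBA28
    return words[lo] | (words[hi] << 16)


def hidden_areas(words, native_max_lba, dco_max_lba=None):
    """Compare the advertised size with the native and DCO maxima.

    LBA values are zero-based, so max LBA + 1 is a sector count.
    """
    advertised = advertised_sectors(words)
    native = native_max_lba + 1
    result = {
        "advertised_sectors": advertised,
        "hpa_feature_supported": bool(words[W_FEATURES_82] & (1 << 10)),
        "hpa_sectors": max(native - advertised, 0),
    }
    if dco_max_lba is not None:
        result["dco_sectors"] = max(dco_max_lba + 1 - native, 0)
    return result


def label_mismatch(words, label_gb):
    """The coarser check in the text: drive label (decimal GB) against the CMOS/IDENTIFY size.

    Returns how many sectors the label promises beyond what the drive advertises.
    """
    label_sectors = int(label_gb * 1_000_000_000) // SECTOR_BYTES
    return max(label_sectors - advertised_sectors(words), 0)


def make_identify(total_sectors, lba48=True, hpa=True):
    """Build a constructed IDENTIFY DEVICE buffer (only the fields used here are filled)."""
    words = [0] * 256
    if hpa:
        words[W_FEATURES_82] |= 1 << 10
    if lba48:
        words[W_FEATURES_83] |= 1 << 10
        for i in range(4):
            words[W_LBA48[0] + i] = (total_sectors >> (16 * i)) & 0xFFFF
    lba28 = min(total_sectors, 0x0FFFFFFF)          # 28-bit field saturates
    words[W_LBA28[0]] = lba28 & 0xFFFF
    words[W_LBA28[1]] = lba28 >> 16
    return struct.pack("<256H", *words)


if __name__ == "__main__":
    # Constructed scenario: a 500 GB drive (976,773,168 sectors) hiding a 1 GiB HPA,
    # on a device whose DCO has already clipped it down from a 1 TB native size.
    ident = identify_words(make_identify(976_773_168 - 2_097_152))
    print(hidden_areas(ident, native_max_lba=976_773_167, dco_max_lba=1_953_525_167))
    print("label mismatch (sectors):", label_mismatch(ident, 500))
```

On a Linux forensic workstation the two maxima that feed hidden_areas() can be read with hdparm -N /dev/sdX (current and native maximum) and hdparm --dco-identify /dev/sdX; both report sectors, as the functions above expect. A mismatch on the label comparison alone is not proof of an HPA, since labels use decimal gigabytes, which is why the ATA comparison is the decisive check.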

3.4.3 Acquiring the Evidence

This section addresses the third and fourth steps of Figure 3-5, Protect system from evidence modification

and Make a copy of the system (physical or logical). During forensic acquisition, it is possible to write to

the evidence drive accidentally. Since this may lead to the immediate dismissal of the evidence from

court, the investigator should take care not to compromise the evidence. There are two ways to ensure

the protection of evidential data.

Protect the System from Evidence Modification

Protection of evidential data during Dead Forensic Acquisition can be enforced by using a write blocker.

A write blocker allows a system to read data from an external drive at full speed. At the same time, it

blocks any write commands to the external drive to prevent the unauthorised modification or formatting of

the drive under examination (Paralan 2007:Internet). A computer writes data to or reads data from a

storage device via specific commands, transmitting these commands from the computer's interface

connection to the storage device's interface connection. By using a write blocker, the investigator prevents

the forensic computer from writing to the evidence hard drive’s interface (NIST 2003a:4). Figure 3-6

illustrates this.

Figure 3-6: Protecting a dead system from data modification (Own compilation)

There are two types of write blockers: software write blockers and hardware write blockers. A software write blocker runs on the forensic workstation and interposes itself between the OS and the drive access interface; it passes read commands through and blocks any command that could modify the hard drive (NIST 2003b:10). A hardware write blocker is a device that physically attaches between the computer system and the storage device. Its main purpose is to intercept and block any modifying commands from reaching the storage device (NIST 2003a:4).


Protection of evidential data during Live Forensic Acquisition can be enforced by installing forensic

software agents on the machines before the incident takes place. Paragraph 3.3.2 introduced the use of

these agents. In contrast with Dead Forensic Acquisition where the use of write blockers completely

blocks all writes to the suspect hard drives, a live system needs to write to its hard drive in order to be

considered live. For that reason, a forensic software agent does not prevent writes to the hard drive, but

facilitates the protection of the data during its normal read/write functioning, whilst enabling the forensic

investigator to read otherwise encrypted data. Figure 3-7 shows this interaction.

Figure 3-7: Protecting a live system from data modification (Adapted from: Battistoni, Di Pietro, Di Biagio, Formica & Mancini 2008:9)

The agent serves as the interface between the suspect computer and the forensic investigator. The forensic investigator therefore never interacts directly with the suspect computer, which greatly reduces the opportunity for data modification, although the agent's own activity still alters the state of the running system (the concern raised in Paragraph 3.3.2.2 (4)). These forensic software agents have been proven forensically sound and are accepted in courts (Louwrens 2009b:Interview).

The connection between the suspect machine and the mobile forensic workstation may be a direct connection, should the investigator use a network crossover cable. However, although this process is able to capture data on the suspect machine, a boot disk is required when a crossover connection is made, so the approach is unable to capture the volatile RAM contents or the current processes on the machine. This specific acquisition is thus neither a purely Dead nor a purely Live Acquisition (Coetzee 2009:Interview).

In all instances, exceptions may occur, allowing data modification on the suspect drive. To protect the

integrity of both the data and the investigator, the investigator needs to document all steps taken as well

as the motivation behind taking the step. In addition, the investigator should be experienced and

appropriately qualified to perform the acquisition. These precautions are necessary should the

admissibility of the evidence be questioned in court.


Make a Forensically Sound Copy of the System

Both write blockers and forensic software agents are forensically sound and assist the forensic process in making copies of the required data from the suspect system. Preserving the evidence and creating additional copies of the evidence for analysis purposes is a very important step in the Forensic Acquisition process (Weise & Powell 2005:17). After the physical acquisition, it is necessary to document the incident and all the actions taken by the investigators. The chain of custody, discussed in the next section, reflects this documentation.

3.4.4 Chain of Custody

This section addresses the omnipresent step of Figure 3-5, Document chain of custody. In any investigation, the investigators should be able to account for all the acquired data and devices during the entire extent of the forensic acquisition process. Technically, this chain of custody should commence the moment the First Responder enters the crime scene and continue until the court case is concluded. Although this step does not belong to the acquisition process alone, it forms a fundamental aspect of the case's validity.

According to Ghelani (2006:Internet), chain of custody is defined as the "… gathering and preservation of the identity and the integrity of the evidential proof that is required to prosecute the suspect in court". Scalet (2005:Internet) provides another definition: "… a chain of custody is the process of validating how any kind of evidence has been gathered, tracked and protected on its way to a court of law". Black's Law Dictionary provides yet another definition: "… chain of custody is proven if an officer is able to testify that he or she took control of the item of physical evidence, identified it, placed it in a locked or protected area and retrieved the item being offered on the day of the trial". In essence, it is the maintenance of the integrity of the evidence from seizure until the time the investigator produces it in court (Trench 1994:16).

The main objective of maintaining chain of custody is to protect the integrity of the evidence. Digital

integrity can be defined as “… the property whereby digital data has not been altered in an unauthorised

manner since the time it was created, transmitted or stored by an authorised source” (Hosmer 2002:1).

The protection of this integrity is only successful if an independent third party can examine the recorded

process and achieve the same results (ACPO 2007:69). Additionally, it serves to make it difficult for a

defence attorney to argue that the forensic investigator tampered with the evidence whilst in his/her

custody (Kruse II & Heiser 2002:6).

The chain of custody procedure is very simple. The evidence-tracking log documents anyone who possesses

the evidence, the time at which they took and returned possession, and why they were in possession of

the evidence. It should also document the case and tracking number, acquisition location, suspect and

evidence type. In general, the evidence-tracking log documents answers to the following questions:

• Who collected the evidence?


• How and where did the evidence collection take place?

• What are the date, time and place of the investigation?

• Who took possession of the evidence?

• What is the acquired evidence's media-specific description (type, manufacturer, serial numbers and/or volume names, etc.)?

• What tools were used during the acquisition (type, make, version, etc.)?

• What measures ensure the protection of the evidence in storage? (Forte 2008a:13).

• Who took the evidence out of storage and why? (Ghelani 2006:Internet; Kruse II & Heiser 2002:8).

• What is the final fate of the evidence: destruction, secure deletion or return to the owner?
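As an added example (not from the thesis), the copy step of Paragraph 3.4.3 and the evidence-tracking log just described, implemented together: the source is imaged block by block with unreadable blocks zero-filled and their offsets recorded (the behaviour of dd conv=noerror,sync), the finished image is re-hashed independently so that a third party can repeat the check, and a log entry records who acquired what, when, with which tool and with which hash. The file names, case numbering, tool name and JSON-lines log layout are assumptions made for the example, and the evidence file it images is constructed sample data.

```python
"""Added example: a forensically sound copy with an evidence-tracking log entry.

Paths, the case numbering, the tool name and the log layout are assumptions
for this example; the evidence it images is constructed sample data.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 64 * 1024
TOOL = "example-imager 0.1 (assumed name)"


def sha256_file(path, block=BLOCK):
    """Independent re-hash of a finished file, used to verify the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def image_source(src_path, dst_path, block=BLOCK):
    """Bit-for-bit copy of src_path to dst_path.

    Returns (sha256 of the bytes written, offsets of blocks that could not be read).
    A failed read is replaced by zeros so the image stays aligned with the source,
    and the failure is recorded rather than hidden.
    """
    h = hashlib.sha256()
    unreadable = []
    offset = 0
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        while True:
            try:
                chunk = src.read(block)
            except OSError:
                unreadable.append(offset)
                chunk = b"\0" * block
                src.seek(offset + block)          # skip past the bad region
            if not chunk:
                break
            h.update(chunk)
            dst.write(chunk)
            offset += len(chunk)
    return h.hexdigest(), unreadable


def custody_record(case_no, item_id, operator, source_desc, image_path, digest, unreadable):
    """One evidence-tracking log entry: who, what, when, how, with which tool."""
    return {
        "case_no": case_no,
        "item_id": item_id,
        "action": "acquired",
        "by": operator,
        "at_utc": datetime.now(timezone.utc).isoformat(),
        "source": source_desc,
        "image": os.path.basename(image_path),
        "image_bytes": os.path.getsize(image_path),
        "sha256": digest,
        "unreadable_block_offsets": unreadable,
        "tool": TOOL,
    }


def acquire(src_path, workdir, case_no, item_id, operator, source_desc):
    """Image, verify and log one evidence item; raises if the image does not verify."""
    image_path = os.path.join(workdir, f"{case_no}_{item_id}.dd")
    digest, unreadable = image_source(src_path, image_path)
    if sha256_file(image_path) != digest:       # repeatable check on the stored image
        raise RuntimeError("image hash does not match the acquisition hash")
    record = custody_record(case_no, item_id, operator, source_desc,
                            image_path, digest, unreadable)
    with open(os.path.join(workdir, "custody.jsonl"), "a", encoding="utf-8") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def run_demo(workdir=None):
    """Images a constructed sample volume (not real data) and returns what a test can check."""
    workdir = workdir or tempfile.mkdtemp(prefix="liforac-")
    sample = bytes(range(256)) * 300 + b"END-OF-SAMPLE"   # 76813 bytes, not block-aligned
    src = os.path.join(workdir, "suspect-volume.bin")
    with open(src, "wb") as f:
        f.write(sample)
    record = acquire(src, workdir, "CASE-0001", "ITEM-01",
                     "investigator (assumed name)", "constructed sample volume")
    with open(os.path.join(workdir, "custody.jsonl"), encoding="utf-8") as log:
        entries = sum(1 for _ in log)
    return {
        "record": record,
        "expected_sha256": hashlib.sha256(sample).hexdigest(),
        "sample_bytes": len(sample),
        "log_entries": entries,
        "verified": sha256_file(os.path.join(workdir, record["image"])) == record["sha256"],
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The hash stored in the log is the hash of the bytes actually written, so an image with zero-filled blocks still verifies against its own record while the recorded offsets disclose exactly where the copy departs from the source; on a real device the source is opened read-only behind a write blocker and the log line is appended each time custody changes, not only at acquisition.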

If investigators fill this form in diligently, they appropriately maintain the chain of custody. This will prevent opposing counsel from arguing evidence dismissal on the grounds of evidence tampering (PMI Evidence Tracker s.a.:Internet). In addition to this manual evidence-tracking log, many Digital Forensic tools have their own logging systems that add to a comprehensive log. Complete and accurate chain of custody logging procedures help to ensure that the court will authenticate electronic data. It is therefore crucial to ensure that the chain of custody adheres to the prescribed standards (LexisNexis 2008:Internet). Figure 3-8 shows the chain of custody log, with all the actions relevant to a specific evidence item logged into the system. It shows the case and tracking number, as well as the individuals taking and returning custody of a specific item.

Figure 3-8: Chain of custody log (PMI Evidence Tracker s.a.:Internet)


The ability to prosecute any case rests on the validity of the evidence usable in court. A court considers

evidence valid if forensic investigators can prove that the evidence is in the same condition as during

seizure. To do this, people who handled the evidence should testify as to the condition the evidence was

in before and after it entered their possession. The chain of custody is more timeous (Trench 1994:17)

and can replace this long and tedious process. Scalet (2005:Internet) identified a number of rules when

working with the chain of custody:

• Expect that all evidence will end up in court. A poor chain of custody may cause the dismissal of digital evidence from a court. Since it is impossible to know the extent of the investigation beforehand, it is better to treat all investigations as court material. Even a simple internal investigation of an employee may escalate to a court case if the investigation uncovers details that make it necessary.

• Guard the "best evidence" closely. Investigators refer to the original image of a hard drive as the

best evidence. The investigator should attach the chain of custody log to this best evidence and

ensure sufficient and secure storage. Storage should preferably be either offsite or in a fireproof

safe. As far as possible, investigators should never work with the best evidence. It is better to

create a second copy and keep the best evidence as back up.

• Chain of custody logs should always be up-to-date. Every time somebody handles the evidence,

he/she needs to update the chain of custody log. This is very important to prove the authenticity

of the evidence in court.

• Do not submit the hardware to court unless you have to. Courts accept validated copies of best

evidence. Therefore, it is unnecessary to submit the original hardware or best evidence as

evidence. In most cases, an affidavit supports the submission of a copy of the best evidence.

Additionally, the original evidence remains safe in storage throughout the entire investigation.

3.4.5 Transport and Storage of Evidence

This section addresses the last step of Figure 3-5, Transport and store evidence media. To complete the

Digital Forensic Acquisition process, investigators transport the evidence from the crime scene to the

forensic laboratory. At the laboratory, the evidence will be stored securely.

3.4.5.1 Handling and Preservation during Transportation

Digital evidence can be stored in various forms and on any of a number of different media. These media are subject to inadvertent alteration, degradation and loss (PoliceOne.com 2008:Internet). Forensic investigators need to take all the necessary precautions to ensure that the digital evidence is handled according to forensic best practice and transported in a safe and secure manner to the forensic laboratory. Table 3-2 shows some guidelines regarding removable storage media.


Table 3-2: Handling and preservation guidelines for digital evidence media (Australian Government 2008:Internet, Gallo 2008:28, ISO 2009:12-18, PoliceOne.com 2008:Internet, Preservation101 2006:Internet, Wikirank 2009:Internet)

Media type: Optical Media – CDs and DVDs

• Do not label optical media with adhesive material directly on the surface.

• Do not use permanent markers to label CDs/DVDs.

• The top side of a CD is more fragile and scratch-prone than the top of a DVD. However, special care should be taken to prevent both media types from scratching.

• Fingerprints, smudges and scratches may interfere with the ability of the laser to read the data layer on the optical media. Investigators should handle optical media in such a manner as to avoid these interferences.

• For reliable long-term backup storage, experts prefer Gold CD-R (Compact Disc-Recordable) and DVD-R (Digital Video Disc-Recordable or Digital Versatile Disc-Recordable) over similar media.

Media type: Flash memory – USBs, memory sticks, solid state drives and digital cameras

• Do not expose media to static electricity by using plastic bags for transport or by photocopying serial numbers as part of the chain of evidence.

• Flash memory devices need to be secured in anti-static bags.

• Never remove the device or turn off the power while it is writing.

• Do not expose flash memory devices to direct sunlight or excessive humidity.

• Flash memory devices can sustain only a limited number of write and erase cycles before failure. Investigators should handle flash disks only when necessary, and preferably back them up on other media as well.

• Do not expose flash memory devices to corrosive environments that can hasten the degradation of the disks.

• Remove the power supply cable by first removing the end attached to the computer, not the end attached to the socket. This prevents the system from writing data to the computer’s storage media if it is fitted with an uninterruptible power supply (UPS).

• Evidence labels should not be placed directly on the mechanical parts of electronic devices, nor should they cover or conceal information such as the serial number, model number or part number.

• Although flash memory devices often have a hard protective casing, a hard bump or drop may damage the inner workings of the device, damaging the potential digital evidence.

Media type: Mobile disk drives

• Do not expose media to static electricity by using plastic bags for transport or by photocopying serial numbers as part of the chain of evidence.

• Mobile disk drives need to be secured in anti-static bags.

• Remove the power supply cable by first removing the end attached to the computer, not the end attached to the socket. This prevents the system from writing data to the computer’s storage media if it is fitted with a UPS.

• Evidence labels should not be placed directly on the mechanical parts of electronic devices, nor should they cover or conceal information such as the serial number, model number or part number.

• Although mobile disk drives often have a hard protective casing, a hard bump or drop may damage the inner workings of the drive, damaging the potential digital evidence.

• Do not expose mobile disk drives to direct sunlight or excessive humidity.

Media type: Mobile phones

• Do not expose media to static electricity by using plastic bags for transport or by photocopying serial numbers as part of the chain of evidence.

• Mobile phones need to be secured in anti-static bags.

• Collect all associated mobile device items such as the charger, memory card, SIM card and cradle for synchronisation with a computer.

• Evidence labels should not be placed directly on the mechanical parts of electronic devices, nor should they cover or conceal information such as the serial number, model number or part number.

• Special care should be taken not to depress any of the mobile phone’s buttons, since this may be considered as tampering with the evidence.

• If the mobile device is switched off, carefully package, seal and label the device to avoid any accidental or deliberate depression of the keys.

• Place mobile phones in a Faraday box to prevent the device from connecting to the network and sending/receiving messages; radio frequency shielding material or aluminium foil can be used.

• If the device is left on, the battery life will be reduced due to power loss. These devices should be delivered to the forensic lab as soon as possible and charged in a monitored environment.

Media type: Laptops

• Do not expose media to static electricity by using plastic bags for transport or by photocopying serial numbers as part of the chain of evidence.

• Laptops need to be secured in anti-static bags.

• Remove the power supply cable by first removing the end attached to the computer, not the end attached to the socket. This prevents the system from writing data to the computer’s storage media if it is fitted with a UPS.

• Evidence labels should not be placed directly on the mechanical parts of electronic devices, nor should they cover or conceal information such as the serial number, model number or part number.

• Remove the main power source battery of the laptop. Ensure that the volatile data is acquired before removing the battery.

• Disconnect and secure all cables from the computer and label the ports so that the system can be reconstructed at a later stage.

• Remove the main power source battery from the laptop after ensuring that the laptop is powered off and not in standby mode (some laptops may power on when the lid is opened).

• If the device is left on, the battery life will be reduced due to power loss. These devices should be delivered to the forensic lab as soon as possible and charged in a monitored environment.

• Collect all associated laptop items such as the charger, memory card and cradle.

• If the laptop is live, either an individual should be designated or a Mouse Jiggler employed to prevent the screen saver from activating and potentially locking the system from use.

Media type: Magnetic media

• Do not expose media to static electricity by using plastic bags for transport or by photocopying serial numbers as part of the chain of evidence.

• Magnetic media need to be secured in anti-static bags.

• Magnetic media consist of a carrier of plastic film coated with magnetisable particles and should be handled as carefully as possible.

• Investigators should only remove items from their protective packaging for immediate use.

• Magnetic tape should not be touched, but rather picked up by its protective case. Investigators should always wear lint-free gloves and ensure that their hands are clean and dry. Labels should be stuck onto the protective case and not directly onto the magnetic tape or disk.

• Magnetic media should never be stored in paper or cardboard enclosures, which tend to generate dust that interferes with the media’s functioning. Investigators should store magnetic media in cases made of nonmagnetic immobile material, such as polypropylene.

• Magnetic media should never be flexed or bent. Place tape over the floppy or stiffy disk slot, if present.

• Investigators should label evidence with ink rather than pencil, since the pencil’s graphite dust can interfere with the reading of the disk or tape.

• Cassettes and tapes should be wound to the end of one side after use, and not be left in a partly wound state for any length of time.

• Magnetic media should not be bumped or dropped, since these actions can drastically damage the stored data.

• Evidence labels should not be placed directly on the mechanical parts of electronic devices, nor should they cover or conceal information such as the serial number, model number or part number.

Media type: Computer peripherals

• Computers and digital devices should be packaged in such a way as to prevent damage from shock and vibration during transportation.

• Evidence labels should not be placed directly on the mechanical parts of electronic devices, nor should they cover or conceal information such as the serial number, model number or part number.

• All peripherals should be placed in aerated packaging to prevent mould growth.

• Keep all peripherals out of direct sunlight and high humidity.


Table 3-2 provides some guidelines regarding the handling and preservation of storage media and other

digital devices containing potential digital evidence. This list is not comprehensive, but gives the forensic

investigator basic guidance. Some preservation principles are applicable to all/most storage media and

other digital devices. These general guidelines are listed below:

• Seal the acquired digital data by using a hashing algorithm, digital signatures or biometric

features. This is necessary to confirm that the contents of the copied image have not been

spoiled or tampered with since the image was created.

− Hash the original data by using any hashing function specified in ISO/IEC 10118 and

record the hash value to prove that the data acquired is an exact copy of the original data.

− Digital signatures are a secure method of binding the identity of the signer with digital data

integrity methods. They involve attaching a piece of code to an electronically transmitted

message with the sole purpose of establishing identity.

− Biometrics uses physical and behavioural characteristics to determine the identity of an

individual (ISO 2009:14,15).

• All devices collected should be sealed with tamper evident seals, labelled and signed.

• Storage media should be wrapped or placed in appropriate packaging suitable for the nature of

the media, e.g. shrink-wrap plastic to avoid contamination of the media prior to transportation,

and shock-resistant packaging to avoid physical damage to the media. All digital evidence

should be packaged in a manner that will prevent it from being bent, scratched or deformed.

The ideal would be to transport evidence in tamper-evident packaging.

• If the device/media has a power button, the forensic investigator should place a strip of tape

over this button to prevent accidental powering on/off.

• Digital evidence may contain latent, trace or biological evidence and the forensic investigator

should take the appropriate steps to preserve it. Digital evidence imaging should be done

before latent, trace or biological evidence processes are conducted on the evidence.
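The hashing and chain-of-custody guidelines above, worked through as an added Python example (this is not code from the thesis or any of its cited sources). It seals an acquired image with SHA-256 (one of the dedicated hash functions specified in ISO/IEC 10118-3), records each handling step in a custody log in which every entry carries a hash link to the previous entry, and shows that both a modified working copy and an edited log entry are detected. The log field names, the all-zero genesis link, the file names and the image contents are constructed for the example and are not the thesis’s own format.

```python
# Added example (not from the thesis): hash-seal an acquired image and keep a
# tamper-evident chain-of-custody log. Field names, the genesis value and the
# choice of SHA-256 (ISO/IEC 10118-3) are assumptions of this example.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20      # read images in 1 MiB chunks; a full image need not fit in memory
GENESIS = "0" * 64   # assumed placeholder link for the first custody entry


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _link(entry: dict) -> str:
    """Hash of an entry serialised as canonical JSON, excluding its own link field."""
    body = {k: v for k, v in entry.items() if k != "link"}
    return hashlib.sha256(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


def append_custody_entry(log: list, handler: str, action: str, image_hash: str,
                         when: str = "") -> dict:
    """Record who handled the evidence, what they did, and the sealed image hash."""
    entry = {
        "seq": len(log),
        "time": when or datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "image_sha256": image_hash,
        "prev_link": log[-1]["link"] if log else GENESIS,
    }
    entry["link"] = _link(entry)   # covers this entry and, through prev_link, all earlier ones
    log.append(entry)
    return entry


def log_is_intact(log: list) -> bool:
    """Recompute every link; an edited, dropped or reordered entry breaks the chain."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_link"] != prev or _link(entry) != entry["link"]:
            return False
        prev = entry["link"]
    return True


def verify_copy(copy_path: Path, sealed_hash: str) -> bool:
    """True when a working copy, or a re-read of stored media, still matches the seal."""
    return hash_file(copy_path) == sealed_hash


def demo() -> dict:
    """Constructed walk-through in a temporary directory with a made-up image file."""
    with tempfile.TemporaryDirectory() as d:
        workdir = Path(d)
        best_evidence = workdir / "best_evidence.dd"
        best_evidence.write_bytes(b"constructed sample image contents\n" * 1000)

        sealed = hash_file(best_evidence)   # the value recorded alongside the best evidence
        log: list = []
        append_custody_entry(log, "Investigator A", "acquired and sealed image", sealed)

        working_copy = workdir / "working_copy.dd"
        working_copy.write_bytes(best_evidence.read_bytes())
        append_custody_entry(log, "Investigator A", "created working copy", sealed)
        copy_ok = verify_copy(working_copy, sealed)

        # one flipped byte in the copy (bit rot or tampering) is enough to break the seal
        data = bytearray(working_copy.read_bytes())
        data[10] ^= 0x01
        working_copy.write_bytes(bytes(data))
        corruption_detected = not verify_copy(working_copy, sealed)

        # an after-the-fact edit to a custody entry is caught by the link chain
        intact_before = log_is_intact(log)
        log[0]["handler"] = "Someone else"
        intact_after = log_is_intact(log)

    return {
        "copy_ok": copy_ok,
        "corruption_detected": corruption_detected,
        "log_intact_before_edit": intact_before,
        "log_intact_after_edit": intact_after,
    }


if __name__ == "__main__":
    print(demo())
```

The same verify_copy check is what a periodic re-read of stored media would run: if the recomputed hash no longer matches the value recorded at acquisition, the stored medium has degraded or been altered and the backup copy should be used.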

To ensure that nobody tampers with the evidence during transportation, the last investigator to handle

the evidence at the crime scene should seal the package. He/she then labels the package and signs the

seal. If anybody attempts to open the package, the seal will be broken and the signature spoiled. Every

time somebody needs to access the evidence, the old package should be put into a new package, and

the new package be sealed and signed (Kruse II & Heiser 2002:11).

To ensure correct identification, the investigator should tag each evidence media with the client name,

attorney’s office and evidence number. It is required that each evidence media links up with a chain of

custody document, a job and an evidence number (Stimmel 2008:2). Both during transportation and

storage, the evidence should be stored in static-free packaging. Generally, pink bubble wrap is used

(Kruse II & Heiser 2002:11).


3.4.5.2 Storage Guidelines

Some court cases are postponed several times, stretching over a number of years. Accordingly, it is

necessary to control bit rot. According to Church (2007:Internet), bit rot can be defined as “… the

degradation of magnetic media over time”. It can be hugely problematic if the evidence has deteriorated

beyond use when the court date comes up. It is therefore crucial to protect the evidence as best as

possible, and use the original data as little as possible. This will not stop the deterioration, but at least

slow it down a bit (Australian Government 2008:Internet).

Table 3-3 provides some guidelines regarding the storage of digital evidence media and other digital

devices containing potential digital evidence. This list is not comprehensive, but gives the forensic

investigator basic guidance.

Table 3-3: Storage guidelines for digital evidence media (Australian Government 2008:Internet, Gallo 2008:28, ISO 2009:12-18, Patriot Memory 2009:Internet, PoliceOne.com 2008:Internet,

Preservation101 2006:Internet, Wikirank 2009:Internet)

Media type: Optical Media – CDs and DVDs

• Keep optical media away from direct sunlight.

• Keep optical media away from high humidity to prevent fungal growth between the physical layers.

• Optical media should be stored in a temperature range of 18 – 23°C and a humidity range of 30 – 50 % (ISO 9660 compliance). Higher temperatures may cause the disks to warp or crack.

• Keep multiple copies for added protection.

• Extensive exposure to ultraviolet light will accelerate the deterioration of the dyes used in optical media, making disk reading difficult.

• With proper care, optical media should be able to last up to 3 years.

Media type: Flash memory – USBs, memory sticks, solid state drives and digital cameras

• Keep flash disks away from static electricity.

• Do not expose flash disks to direct sunlight, excessive humidity or corrosive environments.

• Flash memory devices may be stored in a temperature range of 5 – 70°C. They are generally able to retain data for 5 years if stored at the optimum 25°C.

Media type: Mobile disk drives

• Keep mobile disk drives away from static electricity.

• Do not expose the flash disks to direct sunlight or excessive humidity.

Media type: Mobile phones

• Keep mobile phones away from static electricity.

• A live mobile phone needs to be constantly monitored to ensure that the battery does not run flat and spoil digital evidence. Mobile phones may be charged in a monitored environment to ensure the availability of the evidence.

• Mobile phones need to be stored in Faraday boxes to prevent the devices from connecting to the network.

Media type: Laptops

• Keep laptops away from static electricity.

• A live laptop needs to be constantly monitored to ensure that the battery does not run flat and spoil digital evidence. Laptops may be charged in a monitored environment.

• Laptops need to be stored in Faraday boxes to prevent the devices from connecting to the network.

• If the laptop is live, a Mouse Jiggler should be employed to prevent the screen saver from activating and potentially locking the system from use.

Media type: Magnetic media

• Keep magnetic media away from static electricity.

• Investigators should only remove items from their protective packaging for immediate use.

• Magnetic media should never be stored in paper or cardboard enclosures, which tend to generate dust that interferes with the media’s functioning. Investigators should store magnetic media in cases made of nonmagnetic immobile material, such as polypropylene.

• Cassettes and tapes should be wound to the end of one side after use, and not be left in a partly wound state for any length of time.

• Dust, grease and chemical pollutants promote oxidative deterioration and moisture condensation on the magnetic layer, can interfere with the playback head/tape interaction and result in a weakened playback signal.

• Print-through occurs when tapes are stored for long periods without active use. This is the transfer of a signal from one loop of tape onto an adjacent loop, similar to a carbon copy, resulting in poor signal quality.

• Magnetic tapes are inclined to support mould growth. The tapes’ mechanical pieces trap pockets of air that create an ideal growing environment.

• Magnetic media should be stored in a temperature range of 18 – 20°C, with humidity between 35 and 40 %. If the humidity rises to around 60 %, mould will start to grow. More than 10 % humidity variance in 24 hours, or too high a temperature, will deteriorate items faster.

• Variable temperature and humidity levels may cause changes in the magnetic and base layers: the layers can either separate completely, or adjoining layers can stick together. High temperatures may also weaken or demagnetise the magnetic layer.

• Magnetic media should ideally be stored in closed metal cabinets to provide extra protection against heat and dust.

Media type: Computer peripherals

• Keep all peripherals away from static electricity.

• Do not expose peripherals to direct sunlight, excessive humidity or corrosive environments.

Some storage principles are applicable to most/all storage media and other digital devices. These

general guidelines are listed below:

• The collected digital device(s) should be stored in a secure, climate controlled environment or a

location that is not subject to extreme temperature or humidity. It should not be exposed to

magnetic fields, dust, vibration, or any other environmental elements that may damage it.

• Storage areas should be fitted with special alarm systems, such as VESDA (Very Early Smoke

Detection Alarm). These systems provide early warnings of fire or high dust levels.

• Storage areas need to be completely void of magnets or magnetic fields. The areas should

also be free from potential sources of dust.

• Exposure to ultraviolet (UV) light will also hasten degradation. It is necessary to invest in

fluorescent tubes with UV-filters and a light meter to measure the level of UV light. The

investigator needs to ensure that these levels never exceed 75µW/lumen. The overhead lights

should be off when not in use (Australian Government 2008:Internet).

• All stored media should periodically be reviewed and reread to determine the status of bit rot.

These guidelines will assist forensic investigators in correctly handling, preserving and storing digital

evidence media. This is a very important aspect of the Digital Forensic Acquisition process.

3.4.6 Closing the Digital Forensic Acquisition Process

Section 3.4 focused on the Forensic Acquisition process, more specialised than the generic Digital Forensic

process discussion in Section 3.3. This section provided technical details to aid the understanding of the


Digital Forensic Acquisition process, focusing on all the steps that are necessary to ensure a successful

Forensic Acquisition: accessing the acquired device and initiating the acquisition with the appropriate

write-blocking strategy, the chain of custody and media transport and storage.

This section on the Digital Forensic Acquisition Process includes more detail than the original Digital

Forensic stage Collection (the acquisition process includes the accusation or incident alert, the entire

Collection stage, as well as the chain of custody, transport and storage of the evidence). This

acquisition is only a small part of the Digital Forensic process, but it is the focal point of this particular study.

Therefore, Examination, Analysis and Reporting were not discussed in this section.

The next paragraph summarises the content of Chapter 3 and puts the chapter into context with Chapter

2 and Chapter 4. The summary also presents a number of drivers identified from Chapter 3 that can

assist in the later development of the Liforac model.

3.5 Summary

Chapter 3 introduced the field of Digital Forensics by defining necessary terminology and presenting a

basic historical timeline. This chapter mainly focused on two aspects of Digital Forensics: the Digital

Forensic process and the forensic acquisition process as a subsection of the Digital Forensic process.

In the Digital Forensic process discussion, this chapter established a knowledge foundation based on

different Digital Forensic Acquisition approaches: Dead and Live Forensics. This chapter discussed both

the advantages and disadvantages of these techniques and compared them in tabular format (Table 3-1).

The forensic acquisition process discussion introduced and explained the steps necessary to ensure a

successful Forensic Acquisition, whether the investigator uses Dead or Live Forensic Acquisition.

In summary, the 12 drivers identified from Chapter 3 to contribute to the development of the Liforac

model are as follows, with the originating paragraph between brackets:

• A formal Digital Forensic definition ensures understanding of the discipline. This definition forms

the core of the Liforac model in determining what relates to the model and what does not

(Paragraph 3.1);

• The retrospective profiling nature of Digital Forensics can contribute to the legal understanding of

the discipline. Although this specific aspect would probably not be adopted into the Liforac

model, the historic value contributes to the understanding of the discipline within the legal

context (Paragraph 3.2);

• The contamination of the crime scene by a negligent investigator can render the evidence

inadmissible in court, as stipulated in forensic related legislation. This driver is key to the Liforac

model and determines the admissibility of evidence in court (Paragraph 3.2);


• The current debate on either pulling the plug, or exercising the analysis on a live, running system

has an impact on both legislation regarding the discipline and the amount of forensic

knowledge that an investigator needs to possess (Paragraph 3.3);

• The Digital Forensic methodology consists of three important steps that need to be performed

meticulously to ensure evidence admission in court. This methodology directly influences the

sequence of activities required by the Liforac model (Paragraph 3.3);

• The complete Digital Forensic process consists of four stages that support the Digital Forensic

methodology when performed in order. These four stages are the foundation for the forensic tool

analysis in Chapter 4, and direct the Liforac model development (Paragraph 3.3.1);

• A formal First Responder definition supports a better understanding of the discipline. The

Liforac model focuses on the development of an acquisition model and accordingly First

Responders will play a prominent role in the enacting of the model (Paragraph 3.3.1);

• Comparison between Dead and Live Forensics widens the forensic knowledge base and

introduces potential new problems that need to be addressed by the Liforac model (Paragraph

3.3.3, Table 3-1);

• A consistently unpredictable field setting requires knowledgeable forensic investigators and

introduces new problems that need to be addressed by the Liforac model (Paragraph 3.4);

• The generic forensic acquisition process applies to both Dead and Live Forensic Acquisition and

consists of stages that need to be incorporated into the Liforac model (Paragraph 3.4, Figure 3-5);

• A formal chain of custody definition supports a better understanding of the discipline. Chain of

custody plays an important part in the admissibility of forensically sound evidence in court and

accordingly is a very important driver for the Liforac model (Paragraph 3.4.4);

• Investigators should be trained to protect the integrity of the evidence at all times in order to

address some of the problems identified by the Liforac model (Paragraph 3.4.4).

When considered individually, some of these drivers suggest a knowledge component while others refer

to stages or steps that imply some link with time or sequence. These two themes will influence the

identification of possible dimensions for the Liforac model.

At the completion of Part 1, this study has completed Objective A, the Digital Forensic discipline. Chapter 2

introduced the study whilst Chapter 3 introduced the Digital Forensic discipline, focusing on both Dead

and Live Forensic Acquisition. Chapter 4 will now extend this objective by examining a number of tools

developed for Digital Forensic investigations. This chapter builds on Chapter 3 by elaborating on the

existing knowledge base of forensic methodologies. Each of the identified Digital Forensic toolkits is

discussed according to the forensic stages identified in Paragraph 3.3.1 (listed under Definition). Part 2

will now introduce this chapter.


Part 2: Live Forensic Acquisition

This study, Liforac - A Model For Live Forensic Acquisition, divides into four distinct parts (originally

presented in Figure 1-1). Figure Part 2-1 presents the status of the Liforac model development study.

Part 1 has already been completed. Part 2, Live Forensic Acquisition, investigates the current Digital

Forensic environment and comprises three chapters of the study.

Figure Part 2-1: Part 2 of the Liforac model development study

Chapter 4, Forensic Tools, presents a literature survey of a number of popular Digital Forensic tools.

Although this list is by no means exhaustive, it provides background knowledge to understand the process

depicted in Part 2. A basic understanding of some of these tools will reinforce a deeper understanding of

some of the forensic principles that form an integral part of the proposed Liforac model.

Chapter 5, Current Application of Live Forensics, provides background knowledge on the developing

Live Forensic technology. This chapter looks at the advances Live Forensic Acquisition has made in the

areas in which traditional Dead Forensic Acquisition lacks and focuses on the problems that arise with the

application of Live Forensic Acquisition. This chapter also introduces forensic concepts such as evidential

weight and validity of digital evidence. Chapter 5 concludes with a discussion on currently applied software

and hardware Live Forensic Acquisition techniques. The rationale behind Chapter 5 is to focus on specific

Live Forensic Acquisition practices that are currently applied around the globe.

Chapter 6, Forensically Sound Live Forensic Acquisition Admissible in Court, focuses on the term

forensic soundness and measures different kinds of evidence retrieved through Live Forensic techniques

according to its definition. This chapter identifies a number of potential problems that may render digital

evidence inadmissible in court. It also compares Digital Forensics with Biological Forensics and discusses

the volatile nature of Digital Forensics.


Chapters 4, 5 and 6 focus on the internal workings of the Live Forensic technology and lay the foundation

of the application of Live Forensic Acquisition as sound practice. It familiarises the reader with the concept

of forensic soundness and inadmissibility in a court of law. Chapter 4 will now introduce the currently

used forensic tools, as applied in a number of countries.


Chapter 4: Forensic Tools

“The kids are fascinated by it. Teachers want to grab that interest and motivate them to do better in science. It’s very exciting and dramatic because of the cinema sense to it, but the real forensic

sciences is a serious sober business.”

- Jim Hurley

Part 1 focuses on setting the scene for Digital Forensic analysis. Chapter 2 introduced the study holistically

and Chapter 3 introduced the field of Digital Forensics, focusing on Dead and Live Forensics. Chapter 4 will

now examine tools applicable to Digital Forensics. This chapter will look at tools for different OSs and

discuss them according to functionality in the different forensic stages identified in Paragraph 3.3.1 (listed

under Definition).

The unique needs of Digital Forensics spurred the creation of specialised tools and techniques (Fei 2007:24)

to ensure the proper acquisition and preservation of digital evidence to maintain the integrity of digital

evidence. This tool discussion is two-fold: it provides background information and an understanding of

how forensic tools assist investigators in the Forensic Acquisition process, whilst the advantages and

limitations discussed can assist in the development of a comprehensive, forensically sound Live Forensic

Acquisition model in Part 4 of this study.

Figure 4-1 indicates the current level of progress with regard to identifying building blocks for the Liforac

model. Chapter 4 partly fulfils Objective A, Digital Forensic discipline (originally presented in Figure 2-2).

Figure 4-1: Liforac model progress - Digital Forensic discipline (b) (Own compilation)


4.1 Introduction

In order for forensic investigators to do a thorough Digital Forensic Acquisition, it is necessary to have the

correct supporting software packages and applications. This is true whether the acquisition is Dead or

Live. For that reason, investigators can use Digital Forensic tools developed to assist in conducting accurate

and comprehensive acquisition, ensuring appropriate acquisition techniques and preservation of digital

evidence (Fei 2007:30).

There are a number of Digital Forensic tools on the market, each differing in characteristics and applications.

Many platform specific tools exist, whilst some tools perform on multiple platforms. Figure 4-2 shows the

total market share (current in August 2009) related to OSs. Based on these statistics, Chapter 4 will look

at forensic tools, toolkits and suites from the Windows, Mac and Linux OSs. Although the Windows OS

is the holder of the majority market share, Mac and Linux have a more than 1% share and warrant a brief

tool discussion.

Figure 4-2: Operating System market share (Format adapted: Market Share 2009:Internet)

In addition, this chapter will also look at forensic tools, toolkits and suites from the Microsoft Disk Operating

System (DOS) environment. DOS was first introduced in 1981 and was the main OS for all IBM compatible


computers until the launch of Windows 95 in 1995. Although DOS is rarely used as an OS nowadays, it was

running on more than 100 million computers worldwide in 1994 (White 2005:Internet). Many modern OSs

incorporate the DOS prompt from the original DOS. Modern forensic tools address this, often

performing critical portions of the investigation on DOS level.

Figure 4-3 shows the four OSs mentioned, with a selection of forensic tools, toolkits and suites relevant to

them. From the Windows environment, this chapter looks at eight packages, from the Mac environment

six packages, from the Linux environment seven packages and from the DOS environment five packages.

Some of the packages are multi-platform. The author chose the tools based on industry popularity and

availability.

Figure 4-3: Forensic investigation tools, toolkits and tool suites (Own compilation)

To complement the range of activities of a forensic investigator, it may be necessary to employ a number

of different forensic tools. Although many of the tools have overlapping functionalities, some software

developing organisations included unique functions and capabilities to specific tools to make them

exclusive and a preferable choice for forensic investigators. The next section shows a comparative

classification of the Digital Forensic tools shown in Figure 4-3. The accompanying CD provides a more

in-depth discussion of the individual tools (see Forensic tools).


4.2 Classification of Digital Forensic Tools

Earlier research by Fei (2007:54) provides a Digital Forensic tool classification founded on the Windows, DOS and Linux platforms. The present research extends that classification to include additional forensic packages for these platforms, as well as tools for the Mac platform. In support of this classification process, the accompanying CD presents a more comprehensive portrayal of the relevant forensic suites. The classification is borrowed directly from Fei's research, adapted to add the additional packages and a column for Live Forensic Acquisition capabilities.

This study presents the tools included in the classification according to the forensic stages identified in

Paragraph 3.3.1 (listed under Definition): Collection, Examination, Analysis and Reporting. Although the

study focuses only on the acquisition of forensic evidence (the extended Collection stage), this chapter

discusses the three other forensic stages to present a thorough understanding of the Digital Forensic

process and how acquisition fits within the bigger forensic framework. Table 4-1 shows a brief summary

of the tools and the forensic stages in which they apply. This table can be of assistance when selecting

the right tool. No single tool, toolkit or suite can retrieve all evidence from a system. It is recommended

to use a combination of tools to facilitate more effective investigations (Coetzee 2009:Interview).

Table 4-1: Forensic abilities of investigation tools, toolkits and tool suites (Own compilation, adapted from: Fei 2007:54)

Tool                        Collection   Examination   Analysis   Reporting   Live Forensic Acquisition capabilities

Windows-based
EnCase Forensic                 ✓             ✓            ✓           ✓                      -
EnCase Enterprise               ✓             ✓            ✓           ✓                      ✓
Forensic Toolkit                ✓             ✓            ✓           ✓                      -
FTK Enterprise                  ✓             ✓            ✓           ✓                      ✓
X-Ways Forensics                ✓             ✓            ✓           ✓                      ✓
MacForensicsLab                 ✓             ✓            ✓           ✓                      ✓
Perl                            ✓             ✓            ✓           ✓                      ✓
ProDiscover Forensics           ✓             ✓            ✓           ✓                      ✓

Mac-based
BlackBag Forensic Suite         ✓             ✓            ✓           ✓                      ✓
Autopsy Forensic Browser        -             ✓            ✓           ✓                      ✓
Forensic Toolkit                ✓             ✓            ✓           ✓                      -
FTK Enterprise                  ✓             ✓            ✓           ✓                      ✓
MacMarshal                      -             ✓            ✓           ✓                      ✓
MacForensicsLab                 ✓             ✓            ✓           ✓                      ✓

Linux-based
EnCase Forensic                 ✓             ✓            ✓           ✓                      -
EnCase Enterprise               ✓             ✓            ✓           ✓                      ✓
SMART                           ✓             ✓            ✓           ✓                      -
Autopsy Forensic Browser        -             ✓            ✓           ✓                      ✓
The Coroner's Toolkit           ✓             ✓            ✓           -                      ✓
MacForensicsLab                 ✓             ✓            ✓           ✓                      ✓
Perl                            ✓             ✓            ✓           ✓                      ✓

DOS-based
EnCase Forensic                 ✓             ✓            ✓           ✓                      -
EnCase Enterprise               ✓             ✓            ✓           ✓                      ✓
ByteBack                        ✓             -            -           -                      -
SafeBack                        ✓             -            -           -                      ✓
X-Ways Forensics                ✓             ✓            ✓           ✓                      ✓

Fei (2007:54) classified the original list of tools in an informal manner that was not scientifically validated. He compared different packages used by forensic investigators according to their analysis capabilities, allowing for a classification of more comprehensive versus less comprehensive tools. Fei's original classification focused on the general Digital Forensic processes and does not clearly distinguish between Dead and Live Forensic Acquisition. Table 4-1 presents a number of additional forensic investigation tools, toolkits and suites, as well as an additional column indicating the possible contribution of each Digital Forensic tool to Live Forensic Acquisition, as assessed by the author on the basis of the preliminary study.

It is important to note that the forensic tools attributed with Live Forensic Acquisition capabilities have varying

degrees of the Live Acquisition ability. The author has not conducted any formal research to prove that these

forensic tools can acquire evidence in a forensically sound manner. Literature studies do show, however,

that these tools have some ability to acquire live data. The area of Live Forensic Acquisition still needs


more research and validation as part of a practical analysis in Part 2 of this study. The next four sections

look at the forensic stages identified in Paragraph 3.3.1 (listed under Definition), presented in the first

four columns of Table 4-1. These sections look at the forensic stages in general. A more detailed, tool-

specific discussion is available on the accompanying CD.

4.2.1 Collection

Collection is a very important aspect of the forensic acquisition process. It was already discussed briefly in

relation to Dead Forensic Acquisition (Paragraph 3.3.1) and Live Forensic Acquisition (Paragraph 3.3.2).

The most important aspect of collection is the forensic tool’s ability to image media. This is the delicate

process of copying data sector-by-sector from a piece of media to create a bit stream copy, known as an

image of the media. Specialist software reads a piece of media and creates an image file containing all the

data in exactly the same order as the software read it. This includes all active data (residing on the direct access

storage media of computer systems) and residual data (not active on a computer system) (Fei 2007:51).

The most important focus of Digital Forensic tools is to ensure the accuracy of results and maintain the integrity of digital evidence. At the end of the forensic acquisition process, the forensic investigator verifies the outcome of the process by applying the MD5 and SHA-1 hash algorithms (Fei 2007:48, 51). If it is not possible to maintain the integrity or prove the accuracy of the data beyond doubt, a court of law may dismiss all the data from being used as evidence. This can literally disable the current investigation. Therefore, it is very important to pay close attention during the Collection stage.

With the exception of Autopsy Forensic Browser and MacMarshal, all the investigated tools have imaging

and collection abilities. All these tools met the requirements set by the National Institute of Standards

and Technology (NIST) for Digital Forensic tools when performing imaging. According to NIST, the

imaging tools should produce a bit stream copy of a piece of media without any alteration and should

verify the integrity of the image file (Fei 2007:48). This stage of the Digital Forensic investigation process is

the only of the four stages that applies directly to the forensic acquisition process. The next section

discusses the Examination stage and tools with examination capabilities. The Examination stage is part

of the holistic Digital Forensic process.
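The sector-by-sector imaging and the MD5/SHA-1 verification described in this section, as an added example that is not code from the thesis or from any of the tools in Table 4-1: the "media" is a constructed in-memory byte string standing in for a raw device, and the sector size, the sample content and the function names are assumptions.

```python
"""Sector-by-sector imaging with MD5/SHA-1 verification.

Added example, not code from the thesis. The "media" is a constructed
in-memory byte string (io.BytesIO) standing in for a raw device; the
sector size, function names and sample content are assumptions.
"""
import hashlib
import io

SECTOR_SIZE = 512  # assumed sector size; real media may use 512 or 4096 bytes


def image_media(source, sector_size=SECTOR_SIZE):
    """Read `source` (a binary file-like object) sector by sector and return
    the bit-stream copy as bytes, in exactly the order it was read.

    A short final read (media that is not a multiple of the sector size) is
    kept as-is rather than padded, so the image has the same length as the
    media it was taken from.
    """
    source.seek(0)
    chunks = []
    while True:
        sector = source.read(sector_size)
        if not sector:
            break
        chunks.append(sector)
    return b"".join(chunks)


def hash_media(data):
    """Return MD5 and SHA-1 digests (hex) of a byte string. Both are
    computed so the two values can be recorded together in the case notes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def verify_image(source_bytes, image_bytes):
    """Verify the image against the source: lengths and both digests must
    agree. Returns (ok, source_hashes, image_hashes)."""
    src = hash_media(source_bytes)
    img = hash_media(image_bytes)
    ok = src == img and len(source_bytes) == len(image_bytes)
    return ok, src, img


def demo():
    """Image a constructed piece of media, verify it, then show that a
    single altered byte in the copy is detected."""
    # Constructed sample media: three full sectors of "active" content
    # followed by a partial sector holding a "residual" (deleted) fragment.
    active = b"CASE-NOTES: invoice 2009-10 sent to supplier\n"
    residual = b"deleted draft: DO NOT SEND"
    media = (active.ljust(SECTOR_SIZE, b"\x00") * 3) + residual
    device = io.BytesIO(media)

    image = image_media(device)
    ok, src_hash, _ = verify_image(media, image)

    # Flip one bit in the image: verification must now fail.
    tampered = bytearray(image)
    tampered[0] ^= 0x01
    tampered_ok, _, _ = verify_image(media, bytes(tampered))

    return {
        "image_len": len(image),          # 3 * 512 + 26 = 1562
        "verified": ok,                   # True
        "tampered_verified": tampered_ok, # False
        "residual_present": residual in image,  # the deleted fragment survives
        "md5": src_hash["md5"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both digests are recorded for the source and for the image, and the image is only accepted when both agree and the lengths match; the tampered copy in the demo fails on the first flipped bit, which is the integrity check the NIST requirement quoted below asks imaging tools to perform.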

4.2.2 Examination

The Examination stage is crucial in any digital investigation and was already briefly discussed in relation

to Dead Forensics (Paragraph 3.3.1) and Live Forensics (Paragraph 3.3.2). Right after the imaging, before

the actual analysis of the evidence, forensic investigators may find it necessary to locate specific pieces

of data and determine their contents. For example, in the case of child pornography it is necessary to

locate graphical images and determine the nature thereof to establish the applicability of the acquired

image to the case (Fei 2007:52).


At the time of writing there was no publicly available software developed solely to search for and classify graphical images. The result is a time-consuming process in which forensic investigators are required to extract all unknown graphical images from the acquired media and search through them manually. However, international anti-cyber-crime agencies, such as the FBI and AccessData, publish daily updated databases with the hash values of known pornographic images. These databases can be compared against the hash values of unknown images on the suspect system in order to eliminate known pornography.

From the discussion in the previous section, however, it is clear that most Digital Forensic tools have a viewing capability that can greatly reduce the human processing time required during this part of the Digital Forensic process (Fei 2007:52). With the exception of ByteBack and SafeBack, both DOS-based, all the forensic tools allow for examination of the image before formal analysis starts. The next section discusses the Analysis stage and tools with analysis capabilities. The Analysis stage is part of the holistic Digital Forensic process.

4.2.3 Analysis

The third stage in the forensic investigation process is the Analysis stage, already briefly discussed in

relation to Dead Forensics (Paragraph 3.3.1) and Live Forensics (Paragraph 3.3.2). This stage follows

the successful completion of the collection, imaging and possible examination, and mainly concerns the

analysis of the acquired bit stream copy.

Analysis is an investigation of the component parts of a whole and their relations in making up the whole.

When faced with a complex topic, analysis is a systematic process of simplifying the topic to gain a better

understanding of the topic. In the forensic sense, an analysis breaks down a complex crime scene to

simpler terms where it is possible to identify the criminals. The aim of this stage is to extract any relevant

evidence, interpret the resultant data and to place it in a logical and useful format. During this stage, it is

also possible to determine the importance of the data and draw conclusions from it. The investigator

should also be able to retrieve and analyse both active and residual data (Fei 2007:52).

The majority of the mentioned tools offer analysis capabilities, with the exception of ByteBack and SafeBack. The remaining tools have the capabilities to perform hash analysis, registry analysis, file signature analysis, filtering and keyword searches (Fei 2007:48). The following section discusses the Reporting stage and its associated capabilities.
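The hash-set comparison mentioned in Paragraph 4.2.2 together with the file signature analysis and keyword search listed above, as one added example that is not code from the thesis or from any of the listed tools: the recovered files, the known-hash set and the short signature table are all constructed inside the block, and the function names are assumptions. A real investigation would use a maintained hash database and a far larger signature table.

```python
"""Examination/analysis helpers: known-hash filtering, file signature
analysis and keyword search over a set of recovered files.

Added example, not code from the thesis or any tool it lists. The files,
the known-hash set and the signature table are constructed here.
"""
import hashlib

# Leading bytes ("magic numbers") of a few common formats. Deliberately short.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}

# Extensions each signature type is expected to carry.
EXPECTED_EXT = {
    "jpeg": {"jpg", "jpeg"},
    "png": {"png"},
    "gif": {"gif"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx"},
}

GRAPHIC_TYPES = {"jpeg", "png", "gif"}


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def identify_by_signature(data):
    """Return the type implied by the file's leading bytes, or None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def analyse_file(name, data, known_hashes):
    """Hash analysis plus signature analysis for a single file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify_by_signature(data)
    digest = sha1_hex(data)
    # A recognised signature whose extension does not match is worth a look.
    mismatch = kind is not None and ext not in EXPECTED_EXT[kind]
    return {
        "name": name,
        "sha1": digest,
        "known": digest in known_hashes,   # already in the hash set
        "signature": kind,
        "extension_mismatch": mismatch,
    }


def keyword_hits(files, keywords):
    """Case-insensitive keyword search; returns {keyword: [file names]}."""
    hits = {k: [] for k in keywords}
    for name, data in files.items():
        lowered = data.lower()
        for k in keywords:
            if k.lower().encode() in lowered:
                hits[k].append(name)
    return hits


def triage(files, known_hashes):
    """Files that still need manual examination: hash not in the known set,
    and either a graphical signature or an extension that hides the type."""
    results = [analyse_file(n, d, known_hashes) for n, d in files.items()]
    return [r for r in results
            if not r["known"]
            and (r["signature"] in GRAPHIC_TYPES or r["extension_mismatch"])]


# Constructed sample "recovered files" (content is placeholder text).
KNOWN_PHOTO = b"\xff\xd8\xff\xe0" + b"JFIF sample photo A"
SAMPLE_FILES = {
    "holiday.jpg": KNOWN_PHOTO,
    "report.pdf": b"%PDF-1.4 quarterly invoice numbers",
    "notes.txt": b"meeting with supplier about invoice",
    "readme.txt": b"\x89PNG\r\n\x1a\n" + b"pixel data",   # PNG hiding as .txt
    "archive.zip": b"PK\x03\x04" + b"compressed payload",
}
# Constructed known-hash set: in practice a published hash database.
KNOWN_HASHES = {sha1_hex(KNOWN_PHOTO)}


def demo():
    """Run the three analyses over the sample files and return the results."""
    return {
        "per_file": [analyse_file(n, d, KNOWN_HASHES) for n, d in SAMPLE_FILES.items()],
        "triage": triage(SAMPLE_FILES, KNOWN_HASHES),
        "keywords": keyword_hits(SAMPLE_FILES, ["invoice"]),
    }


if __name__ == "__main__":
    out = demo()
    print("needs manual review:", [r["name"] for r in out["triage"]])
    print("keyword hits:", out["keywords"])
```

In the sample, holiday.jpg is eliminated because its SHA-1 is in the known set, and readme.txt is the only file left for manual review because its PNG signature contradicts the .txt extension; the keyword search finds "invoice" in both the PDF and the text note regardless of file type.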

4.2.4 Reporting

The final step in Digital Forensic investigation involves reporting. All forensic investigations need to terminate

with a full report. Reporting was accordingly already discussed briefly in relation to Dead Forensics


(Paragraph 3.3.1) and Live Forensics (Paragraph 3.3.2). The investigator needs to document and report

every activity and event of the investigation. This includes recommendations to the relevant authorities

on whether the result should include prosecution (Fei 2007:49). Reporting is therefore the process of

capturing the findings of an investigation.

The final forensic report should contain critical details from each of these four stages of the investigation:

Collection, Examination, Analysis and Reporting. This should reference procedures followed and methods used

to seize, document, collect, preserve, recover, reconstruct, organise and search key evidence. Relevant

evidence, comments, recovered pictures, search criteria, search results, the date and time of the search

process should be included meticulously in the report. Normally, the forensic investigator presents the

report in legal proceedings as a role-player in the outcome of the prosecution (Fei 2007:53).

Most tools have the ability to build reports that can include some information regarding the acquisition

process, bookmarked files, graphical images and other relevant pieces of information. The scripting tools

offer less refined reports, but can still output results to text files to use as reports. According to Table

4-1, all the tools have built-in or implied report capabilities, with the exception of ByteBack, SafeBack and

The Coroner’s Toolkit. Although each of these tools has different reporting capabilities, most of them are

comprehensive enough to report for official evidence in a court of law (Fei 2007:49). The next section

gives a holistic overview of the tool capabilities according to OS.

4.2.5 Classification Overview

A general overview of Table 4-1 shows that publicly available tools for the Windows OS seem to be the

most comprehensive. This is a reasonable observation since Windows is also the holder of the majority

market share and accordingly computers with this OS are more pervasive in the community. As a result,

computers with the Windows OS are more frequently the targets of computer crime, or used by cyber

criminals to perform the crime. Windows Forensics consequently tends to dominate the market.

Mac-based forensic tools also seem to be rather comprehensive, with most tools covering all four forensic stages. The only gaps in the Mac Forensic spectrum are Autopsy Forensic Browser and MacMarshal, which do not cover the Collection stage, and Forensic Toolkit (FTK), which does not allow Live Forensic Acquisition.

The trend for Linux-based forensic tools is very similar to that of the Windows forensic tools. These tools do provide for the Collection stage, but focus largely on capabilities for the Analysis stage. Autopsy Forensic Browser does not cover the Collection stage, and The Coroner's Toolkit does not cover the Reporting stage. Neither EnCase Forensic nor SMART covers Live Forensic Acquisition, although EnCase Enterprise does enable it.


The DOS-based forensic tools are all usable in the Collection stage. EnCase Forensic, EnCase Enterprise and X-Ways Forensics address all the forensic stages, whilst ByteBack and SafeBack cater only for the Collection stage. EnCase Enterprise, SafeBack and X-Ways Forensics enable Live Forensic Acquisition. Each of these tools, as well as a detailed application to the forensic stages, is presented on the accompanying CD (see Forensic tools).

4.2.6 Limitations of Forensic Tools

As the previous sections show, a fully functional Digital Forensic tool offers capabilities that match the requirements of the Digital Forensic stages: Collection, Examination, Analysis and Reporting. It is important to have a well-balanced mixture of these capabilities to ensure that the investigation is done comprehensively and that the volumes of data do not affect the case negatively with regard to time and complexity (Fei 2007:55).

There are three main limitations concerning forensic tools. The first is the problem of acquiring and imaging data on a live system. The second is that tools adapt poorly to large-scale investigations: forensic investigators find it increasingly difficult to use current tools to locate vital evidence within massive volumes of data. The third results from many forensic tools presenting evidence files in a spreadsheet-style format: scrolling through many rows of data can be extremely tedious when working with large data sets, and it is also difficult to view the evidence file holistically to see the overall pattern of the data set (Fei 2007:55).

In the development of a forensic tool used specifically for Live Forensic Acquisition, these limitations

need to be addressed. Although the Liforac model does not address the development of forensic tools, it

is necessary to look at all facets of Live Forensic Acquisition, both the process and the tools, to ensure a

complete understanding of the discipline. The next section concludes the forensic tool classification.

4.2.7 Conclusion of Forensic Tool Classification

The previous section discussed and classified the forensic investigation tools according to the forensic stages. These tools apply to the Windows, Mac, Linux and DOS platforms and have varying degrees of capability for the Collection, Examination, Analysis and Reporting stages. This section gave a brief overview of all the different operating platforms and compared the abilities of forensic tools on these platforms. Additional information on the forensic tools can be found on the study's accompanying CD.

The next paragraph summarises the content of Chapter 4 and puts the chapter into context with Chapter

3 and Chapter 5. The summary also presents a number of drivers identified from Chapter 4 that can give

a better understanding in the later development of the Liforac model.


4.3 Summary

The increasing number of Digital Forensic tools available on the market creates a complex environment

in which the cyber investigator needs to choose applicable tools. This chapter introduced a number of

Digital Forensic investigative tools suitable for the Windows, Mac, Linux and DOS platforms. This

section also provided a basic classification of the discussed tools.

In summary, the seven drivers identified from Chapter 4 to contribute to the development of the Liforac

model are as follows, with the originating paragraph between brackets:

• The correct supporting software packages and applications are necessary to do a thorough Digital Forensic Acquisition. Without properly developed software packages, the Acquisition process cannot be forensically sound, nor used to its full extent in a court of law (Paragraph 4.1);

• A number of different forensic suites exist for Windows, Mac, Linux and DOS. Although these

tools, toolkits and suites do not have a direct impact on the development of the Liforac model, the

understanding of a number of different forensic suites, available for a number of different operating

platforms, provides a better understanding of the discipline. This aspect may lead to better

understanding and insight into the knowledge aspect of the Liforac model (Paragraph 4.1);

• A summary of the tools and the stages in which they can be applied. Similar to the motivation for the inclusion of a number of different forensic suites for different OSs, this aspect of tools and the specific stages in which they apply aids the understanding of the Liforac model. Although this aspect is not a direct driver of the model, understanding it can improve a forensic investigator's experience, which in turn is beneficial in the acquisition of forensic data (Paragraph 4.2, Table 4-1);

• Many traditional forensic suites also cater to some extent for Live Forensic Acquisition. This

aspect has not been tested in a real forensic scenario, but research indicates that many of the

existing packages have some abilities to comply with Live Forensic Acquisition. This knowledge

may directly impact the Liforac model (Paragraph 4.2, Table 4-1);

• Collection, Examination, Analysis and Reporting all form an important part of the Digital Forensic

process. Similar to the Digital Forensic methodology in Chapter 3, these steps are a prominent

aspect of the Liforac model development (Paragraph 4.2, Table 4-1);

• The most important focus of Digital Forensic tools is to ensure the accuracy of results and

maintain the integrity of digital evidence. This aspect is crucial for the development of the Liforac

model and lays the foundation for forensically sound evidence (Paragraph 4.2.1);

• There are three main limitations concerning forensic toolkits (Paragraph 4.2.6):

− the problem of acquiring and imaging data on a live system,

− tools adapt poorly to large-scale investigations involving multiple machines, and

− it is difficult to view large evidence files holistically to see the overall pattern of the data set.

These limitations may not be used directly in the development of the Liforac model, but

knowledge about these limitations can extend a forensic investigator’s skill and understanding.


When considered individually, all seven of these drivers suggest a knowledge component or refer to stages

or steps that imply some link with time or sequence. They also address potential problems and refer

consistently to the admission of evidence to court. Depending on the drivers identified in subsequent

chapters, these themes may influence the identification of possible dimensions for the Liforac model.

Chapter 4 looked in more detail at the tools used to do a Forensic Acquisition, contributing seven

potential drivers to the final Liforac model. Part 2 will now continue with a focus on Live Forensic

Acquisition, focusing on Objective B, Current Live Forensic techniques. Chapter 5 looks at the current

application of Live Forensic Acquisition.


Chapter 5: Current Application of Live Forensics

“In today’s world, people put most everything on computers. We need the forensics capability to go in and retrieve that information off the company’s networks.”

- Earl Devaney

Part 1 provides a literature study to set the scene for Digital Forensics and all the related aspects, whilst

Part 2 focuses specifically on Live Forensics, its uses and applications within the cyber environment.

Part 2 orientates the reader in a more specialised environment, focusing exclusively on Live Forensics

and the differences between this discipline and Dead and Physiological Forensics.

Chapter 5 starts this orientation with a brief discussion of the different ways in which organisations around the world currently respond to a cyber attack. The chapter also looks at the properties of digital evidence that a court of law addresses when determining the validity of the evidence. Chapter 5 then looks at the practical problems experienced by forensic investigators when implementing Live Forensic Acquisition, ending with the current application of Live Forensics with software- and hardware-based techniques. This entire chapter focuses on the current application of Live Forensics when acquiring evidence.

Figure 5-1 indicates the current level of progress of the research study, showing the building blocks/

objectives (originally presented in Figure 2-2) that need to be fulfilled to successfully develop the Liforac

model. Chapter 5 fulfils Objective B, Current Live Forensic techniques.

Figure 5-1: Liforac model progress – Current Live Forensic techniques (Own compilation)


The information portrayed in this chapter will form an integral part of the proposed model for forensically

sound Live Forensics, the Liforac model.

5.1 Introduction

Research done by Amenya (2004:4) shows that as much as 30% of information stored on computers never

reduces to printed form. In addition, the electronic version of a document usually contains information that

does not appear in the printed version (this information is referred to as metadata or data about data).

This electronic information is a valuable resource for any organisation and needs proper security.

It has now become commonplace for lawyers to request evidence in electronic format as part of routine evidence discovery. Since the average lawyer does not have sufficient experience in collecting and analysing electronic data, lawyers can use the expertise of forensic investigators to ensure that data is collected and authenticated in a forensically sound manner. The next sections continue the background discussion on currently applied Live Forensics. The sections address different ways of responding to cyber attacks, the validity of digital evidence and the occurrence of cyber trails.

How to Respond to an Attack

In the event of a suspected attack on a computer system, the first step is to decide how to respond to the

attack. Organisations generally have three possible options for responding:

• Firstly, the organisation does nothing. At present, many organisations simply do not recognise

the existence of cyber crime, resulting in an inaccurate statistical representation of cyber crime.

• The second option is to perform an internal investigation to assess the extent of the damage, but

the organisation still does not report the incident.

• Thirdly, the organisation can perform a detailed analysis with the intention to prosecute the cyber

criminal (Weise & Powell 2005:10).

Naturally, the recommended option in most cases would be to perform a detailed analysis. To gather all

the necessary evidence, investigators apply all Digital Forensic principles. By incorporating traditional

Dead Forensic Acquisition techniques, it is possible to gain enough data for most cases. However, the

problem arises when this collected data needs to be introduced as evidence in a court.

Many unique practical and legal constraints make the implementation of Digital Forensic Acquisition both

interesting and complex. Paragraph 3.1 already looked at some of these constraints. If forensic investigators

do not follow these restrictions exactly, data acquired in certain ways may be inadmissible in court and

not allowed as intelligence (Jones 2007:1), negating the forensic investigation. For this reason, it is

important that forensic investigators are equipped with tools and mechanisms that can result in the

acquisition of forensically sound system images. Only when this is possible can data be seen as evidence


and be admissible in a court of law. The next section looks at properties of evidence that render it either

valid or inadmissible in court.

Validity of Digital Evidence

Although the involvement of lawyers and the physical admission of evidence to court generally take place at a later stage in the forensic process, it is necessary to know whether the evidence acquired in the forensic acquisition process will be valid. If this evidence is rejected at the end of the forensic investigation process, all the stages completed before the admission will have been a waste of time and energy. Accordingly, the original Collection stage is extended to form the Forensic Acquisition process. This process considers aspects that will ensure successful admission of the evidence to court at a later stage.

At first, lawyers disputed the validity of digital evidence as a type of physical evidence. However, they finally concluded that digital evidence, although less tangible than other forms of physical evidence, does classify as physical evidence. In this sense, digital evidence includes all items composed of magnetic fields and electronic pulses. Investigators can collect and analyse these fields and pulses using special tools and techniques (Casey 2000:4). Although digital evidence corresponds to physical evidence in a number of ways, it has some properties that make it unique:

• Latent nature. It can only be seen, understood, analysed and presented with specialised software.

Digital evidence is naturally fragmented.

• Ambiguous meaning. Patterns of data combine to provide a specific meaning in context.

• Fragile and time sensitive. Data can easily be destroyed or modified and is very volatile in

nature if not specifically saved to secondary storage (Cohen 2006:7).

Considering these aspects, digital evidence has a number of advantages over traditional physical evidence.

Digital evidence should therefore be valid in more cases than where physical evidence is valid. Some of

these advantages are:

• Investigators can make exact duplicates and examine them as if they were the original;

• Specialised tools enable investigators to identify any modification to the digital evidence, compared

with the original; and

• Electronic evidence is difficult to destroy (Casey 2000:4).

The next section extends the discussion on evidence properties. It introduces and explains the concept

of cyber trails and how it can be useful in a forensic investigation.

Cyber Trails

The Locard principle largely validates the existence of digital evidence: “… when any two objects come

into contact, there is always transference of material from each object onto the other”. For example,


although knowledgeable hackers might be able to remove some of the evidence of their tampering with a system, it is not possible to remove all evidence. Small sections of bits and bytes might be transferred to unallocated sectors, slack space or swap space on a hard disk, waiting for a knowledgeable forensic investigator to retrieve them (Brown 2005a:5). However, this evidence must be properly collected, preserved and interpreted to be suitable for presentation in court proceedings. These leftover bits and bytes can be referred to as digital detritus, or the remains of something that no longer exists as a whole (Gallo 2008:6).

Investigators refer to the pieces of digital evidence that cyber criminals leave all over the cyber realm, as

cyber trails. These are “… rich sources of digital evidence that include, but are not limited to, web pages,

e-mail, digitised still images, digitised video, digitised audio, digital logs of synchronous chat sessions,

files stored on a personal computer and computer logs from an ISP” (Casey 2000:10). Adhering to the

Locard principle, any action of an electronic system will always transfer some kind of evidence.

A cyber trail extends to both the physical world and the electronic world. It can therefore provide evidence in

both a murder investigation and an electronic money laundering investigation. Cyber trails can prove to be

critical in some investigations. If investigators neglect to follow these trails, they risk losing valuable evidence.

Additionally, investigators may face negligent liability charges (Casey 2000:10). The forensic investigation

ends with the investigator producing a report to the client, either the authority or an independent organisation

(refer to Paragraph 4.2.4). In order to produce a thorough report, it is necessary to examine and investigate

several aspects concerned with the implementation of Live Forensic Acquisition.

All aspects considered in this thesis aim to investigate the status of current forensic investigations in South Africa, both the positive aspects and the limitations thereof. Additionally, this research study aims to build on the positive features and attempts to remedy the limitations by investigating the process of Live Forensic Acquisition. The following section introduces some of the most prominent practical problems countering successful Live Forensic Acquisition. These problems will play an important role in the final Liforac model.

5.2 Practical Problems Experienced With Live Forensic Acquisition

This section looks at the current practical problems identified as related to Live Forensic Acquisition. This section and the following sub-sections will look at these problems in detail and discuss them in the context of the Live Forensic discipline.

One of the most critical problems regarding Live Forensic Acquisition is that the forensic investigator has

a constant job of knowledge building. Technology is constantly developing and therefore it is crucial for

the investigator to ensure that he/she is familiar with the technology. However, this problem is relevant to

all new technologies and applies not only to Live Forensics.


The current most critical problem concerning Live Forensic Acquisition specifically is to ensure forensic

soundness. Most of the problems identified and presented in Figure 5-2 relate directly to forensic

soundness. All of these challenges can create major problems later in the investigation and the

proposed Liforac model will accordingly address this. The problems presented in Figure 5-2 have been

identified earlier in Paragraph 3.3.2.2. These problems are grouped in a chronological fashion based on

the Live Forensic Acquisition process depicted in Figure 3-3.

Figure 5-2: Practical problems associated with Live Forensics (Own compilation). The figure groups the following around the central node "Problems with Live Forensics": Practical problem 1: Gaining access to the machine; Practical problem 2: Acquisition dependent on OS; Practical problem 3: Data modification during acquisition; Practical problem 4: Demonstrate authenticity; Practical problem 5: Ensuring full acceptance of technology by the court.

Although these five identified problems are not the only problems that a forensic investigator may

encounter during the Live Forensic Acquisition process, the author deems these as the most prominent

practical obstacles that can have a potentially negative effect on the forensic soundness and admissibility

of digital evidence in a court of law. The following sections address these problems in chronological

order, starting with the investigator gaining access to the suspect machine.

5.2.1 Practical Problem 1: Gaining Access to the Suspect System

Gaining access to the machine is the first practical problem that a forensic investigator may encounter.

Not only must the investigator gain access to the building in question, but also to the office in which the

computer is located and the physical machine by means of a username and password combination. In

addition to these physical barriers, mandate and search warrants prove to be another logical problem.


To ensure the success of a Live Forensic Acquisition, forensic readiness should be in place. Due to the

nature of Live Forensic Acquisition, investigations are generally covert. However, the investigator or a

representative of the forensic team requires prior access to the machines in question to install the

software forensic agent (refer to Paragraph 3.3.2). This in itself brings about problems regarding access

and privacy.

Once the incident has been reported, the investigators do not necessarily need direct access to the

machine, since only a remote connection to the suspect machine is needed for the acquisition (refer to

Figure 3-7). The inherent risk with this remote connection is that those under investigation may have put

measures in place to create alerts or countermeasures (such as logic bombs) when their computers are

accessed remotely. Furthermore, the remote network connection must be free from port and bandwidth

restrictions and access control mechanisms that might prevent the investigator from connecting to the

software agent on the subject computer (Casey 2004b:284,286). In this sense, Live Forensic Acquisition

stands in close relation to Network Forensics, facilitating remote data collection over the network, and

potentially affecting network traffic.

In the event of a covert Live Forensic Acquisition, the suspect machine’s legitimate user will be active on the machine. He/she will continue normally, without knowing that the machine is being investigated. However, should the acquisition be overt, the legitimate user may not access his/her machine or office, and one of the investigating team’s members needs to sit with the machine and move the mouse cursor to keep the machine active and logged on. All investigations must be done with the permission and consent of either the machine’s owner or user, or on the strength of a search warrant. The assumption is made that organisations set system administrators as the machines’ owners and not the employees using the machines. This is relevant in the case of a covert investigation.

Gaining access to the suspect machine is one of the most critical times in an investigation. Should the

investigator not strictly adhere to the applicable laws, the court may later reject the evidence either as

forensically unsound, or on the grounds of illegal acquisition. Once the investigator has considered these

practical problems, he/she can start with the physical Forensic Acquisition process. This process is often

directly dependent on the OS. The next section looks at this dependency.

5.2.2 Practical Problem 2: Acquisition Dependent on Operating System

The current forensic practices require the forensic investigation to interact with the suspect machine’s

OS. Not only can this practice accidentally modify evidentiary data, but it can also pose a serious problem

in the event of a covert investigation. This dependency on the OS can potentially render evidence

forensically unsound.

Criminals who foresee forensic acquisition techniques being used against them may modify the OS - it

is possible to provide programmes in user space with deliberately sanitised data, which can then


feed forensic investigators with incorrect information (Jones 2007:5). Anti-forensics toolkits may block

the acquisition of evidence. Different types of OSs also present different problems and opportunities.

Volatile memory loses its data when power is removed (traditional Dead Forensic Acquisition). Therefore, the

acquisition of data from a live system seems much more reliable. However, rootkits (a hacker security tool

that captures passwords and message traffic to and from a computer) and Trojan attacks against OSs and

applications can cause the system to produce unreliable data. Technically, before an investigator can submit

evidence to a court, he/she needs to prove that there was no attack present on the suspect system before

or during the acquisition. Such attacks, with the resultant unreliable data, may cause the dismissal of

evidence from court (Carrier & Grand 2003:51).

Once the investigator has bypassed the problem related to the OS, he/she needs to be careful not to tamper

with or modify any of the data on the suspect machine. In the event that the data has been modified, a

court of law will definitely dismiss the data as evidence. The next section looks at the problem associated

with data modification.

5.2.3 Practical Problem 3: Data Modification during the Acquisition Process

Evidence dynamics is a very volatile process. Anything that interacts with the computer in one way or

another can change the dynamics and eventually modify computer data during a forensic acquisition.

These interactions can be human force (investigator interacting with the suspect computer and system),

natural force (progress of time and a change in the environment) or tool force (the forensic tools used

during the investigation) (Brown 2005b:9). This section identifies and discusses four sub categories of

ways in which evidence can possibly change on a suspect system (Jones 2007:4).

• Forensic investigators can potentially modify the evidence. Part of the Live Forensic Acquisition

process is to execute code running on the CPU of the suspect system, potentially changing data in

the registers or the RAM. Even if the forensic system specifies no explicit write commands, the

suspect system’s OS may decide to swap the programme to hard disk. This may potentially

render the relevant evidence inadmissible in court (Jones 2007:4), if the software used is not

forensically sound and the evidence’s integrity is not maintained.

• Inappropriate action taken by forensic investigators may ruin evidence. In the event that a forensic

investigator handles a situation incorrectly, a preventable amount of data may be changed. For

example, running an application on the suspect hard drive may overwrite some of the associated

properties, such as recent actions. If the specifics of this application were critical to the case, it

will cause many issues in court (Jones 2007:4).

• Images can slur. Similar to taking a photo of a moving object, a slurred image is the result of acquiring

a file system while another programme modifies it. The smallest modification may cause a problem,

since the file system first reads the metadata section of the hard disk. If the files or folders on the


file system change after the file system has read the metadata and before the file system

acquires the data, the metadata and sectors no longer correlate (Jones 2007:4).

Similarly, volatile memory does not represent a single point in time, but rather a time-sliding view.

When acquiring volatile data, investigators cannot always use write blockers, nor is there always

an MD5 comparison to the original data (Vidas 2006:21). Figure 5-3 shows an example real image.

Figure 5-4 shows the results if that real image slurs. Although the forensic data image cannot be

presented as a real image, Figure 5-4 gives an indication of the extent of the damage on the image.

Figure 5-3: Example image (O’Neal 1997:Internet)

Figure 5-4: Example slurred image (O’Neal 1997:Internet)

• Criminals use anti-forensic programmes. By applying anti-forensic measures, clued-up criminals

may reduce the effectiveness of a potential forensic investigation. It is, for example, possible to

write a logic bomb that destroys evidence when a Forensic Acquisition tool is detected on the

system (Jones 2007:4). These types of programmes are developed by individuals or organisations

that want to thwart legitimate forensic investigations, and aim to delete all incriminating evidence

on the victim computer and system. Some of these programmes include Evidence Eliminator, The

Defiler’s Toolkit, Diskzapper, CryptoMite and Invisible Secrets (Computer Network Defence 2007:

Internet).

The Metasploit Project developed another type of anti-forensic software to target specific

functionalities of legitimate forensic investigation tools. These anti-forensic programmes interfere

with the forensic software’s results during an investigation (Hilley 2007:13). Anti-forensic tools

work on a variety of platforms and perform a number of different functions.
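The "slurred image" failure mode above, as an added simulation that is not part of the thesis: a two-pass acquisition reads the metadata area first and the file contents second, another process changes files in between, and a post-acquisition correlation check is what exposes the mismatch. The in-memory file system, the file names and the function names (acquire, correlate_metadata) are all constructed for this example.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

Metadata = Dict[str, Tuple[int, str]]     # file name -> (size, SHA-256 of content)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class LiveFileSystem:
    """Constructed in-memory stand-in for a mounted file system that other processes keep using."""

    def __init__(self, files: Dict[str, bytes]):
        self.files = dict(files)

    def read_metadata(self) -> Metadata:
        # What the acquisition sees when it reads the metadata area first.
        return {name: (len(data), digest(data)) for name, data in self.files.items()}

    def read_data(self) -> Dict[str, bytes]:
        # The file contents, read in a later pass.
        return dict(self.files)


def acquire(fs: LiveFileSystem, between: Callable[[], None] = lambda: None):
    """Two-pass acquisition: metadata first, data second. `between` models the
    activity of other processes in the window between the two passes."""
    metadata = fs.read_metadata()
    between()
    data = fs.read_data()
    return metadata, data


def correlate_metadata(metadata: Metadata, data: Dict[str, bytes]) -> List[str]:
    """Post-acquisition consistency check: one finding per file whose acquired
    content does not match the metadata snapshot. An empty list means consistent."""
    findings = []
    for name, (size, expected) in metadata.items():
        if name not in data:
            findings.append(f"{name}: in metadata, missing from acquired data")
        elif len(data[name]) != size:
            findings.append(f"{name}: size {size} in metadata, {len(data[name])} acquired")
        elif digest(data[name]) != expected:
            findings.append(f"{name}: same size but content digest differs")
    for name in data:
        if name not in metadata:
            findings.append(f"{name}: acquired but absent from metadata")
    return findings


def demo(slur: bool) -> List[str]:
    """Acquire a constructed four-file system, optionally with another process
    changing it between the metadata pass and the data pass."""
    fs = LiveFileSystem({
        "app.log": b"2009-10-01 09:00 login\n",
        "notes.txt": b"meeting at ten\n",
        "flag.bin": b"AAAA",
        "stable.txt": b"unchanged\n",
    })

    def other_process():                                        # constructed concurrent activity
        fs.files["app.log"] += b"2009-10-01 09:05 logout\n"     # grows: size mismatch
        fs.files["flag.bin"] = b"BBBB"                           # same size: only the digest reveals it
        del fs.files["notes.txt"]                                # deleted after metadata was read
        fs.files["tmp.dat"] = b"\x00" * 8                        # created after metadata was read

    metadata, data = acquire(fs, other_process if slur else (lambda: None))
    return correlate_metadata(metadata, data)


if __name__ == "__main__":
    for finding in demo(slur=True):
        print(finding)
```

Note that the size check alone misses the same-size overwrite of flag.bin; only the content digest taken at metadata time catches it, which is why the acquisition log should record per-file hashes and timestamps for both passes.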

Problems regarding data modification during acquisition make it difficult for investigators to prove the

legitimacy and demonstrate the authenticity of the evidence. This can limit the investigator’s

ability to prove the integrity and security of data in court, to ensure full acceptance of computer technology by

the judicial system and to establish a proper chain of custody (Amenya 2004:17). This section concentrated

on data modification, whilst the next section looks at the investigator’s ability to demonstrate the authenticity

of evidence.


5.2.4 Practical Problem 4: Demonstrate the Authenticity of Evidence

The importance of electronic data to modern organisations has been mentioned numerous times in this

study. According to Klaff (2008:Internet), electronic records have literally taken over the business world.

Not only has e-mail become the preferred method for business communication, but financial records,

legal documents and assignments are now primarily kept in electronic format. Klaff claims that 93% of all

corporate data is in electronic format and that almost 80% of organisations accept e-mail as formal

confirmation documents.

Despite the fact that the nature of traditional evidence and electronic evidence differs completely, electronic

evidence still needs to meet the same criteria as traditional evidence. These criteria require evidence to:

• be relevant to the issue at hand;

• be authentic (the evidence is what it purports to be);

• not be unfairly prejudicial to either party in relation to the evidence’s probative value; and

• not be hearsay or if hearsay, able to meet the requirements for an exception; be the original or

duplicate of the evidence or able to meet an exception to that rule (Klaff 2008:Internet).

The problem regarding authenticity lies in the technical detail. The court considers an original signed

document as authentic evidence, but a printout of an electronic document or a scanned-in version of a

paper original as hearsay and remote evidence. Although this classification can complicate a legal matter,

the justice system accepts it since it is very easy to alter electronic documents deliberately. It is accordingly

just much more difficult to prove the authenticity of electronic evidence (Information Age 2006:Internet).

United States Magistrate Judge Paul W. Grimm in the case of Lorraine v. Markel, 2007, handled the first

landmark court case. Judge Grimm would not allow either party to submit electronic evidence since

neither followed proper authentication measures prior to trial. A sure way to render electronic evidence

admissible is to ensure that all requested documents are produced in native file format as “… metadata may

be especially relevant in a case such as this where the integrity of dates entered facially on documents

authorising the award of stock options is at the heart of the dispute” (Klaff 2008:Internet). In essence,

authentication can be considered as conditional relevancy.

The evidence should also have “… the tendency to make the existence of any fact… more or less

probable” (LexisNexis 2007:3). Interestingly, Judge Grimm states “… there is a distinction between the

admissibility of evidence and the weight to which it is entitled in the eyes of the fact finder”. Should the

judge find the evidence irrelevant to the case at any point, the inquiry ends and the evidence is

considered inadmissible. The main objective of ensuring authenticity is to assure that the digital data

and records are as valid on retrieval, as when they were first stored and preserved. Largely, authenticity

walks hand in hand with reliability, or the trustworthiness of the content of the record. An authentic record

is defined as “… reliable records that over time have not been altered, changed or otherwise corrupted”. It

guarantees that the record is not changed or manipulated after creation (Sanett & Park 2002:15).


Forensic investigators can use any of a number of data-level authenticity controls to address authenticity

and trustworthiness successfully. The problem remains, however, that the current lack of standardised

procedures can lead to uncertainties about the effectiveness of investigation techniques. This makes it

more difficult for the investigator to prove authenticity. Specific controls for authenticating the evidence

are discussed in Chapter 13. The next section looks at the last practical problem that an investigator

may encounter during a Live Forensic investigation - acceptance in court.

5.2.5 Practical Problem 5: Ensuring Full Acceptance of Computer Technology

by the Court

In South Africa, the Electronic Communications and Transactions (ECT) Act was formalised in 2002.

This act discusses the admissibility of computer evidence and emphasises the necessity of digital

evidence integrity.

One of the Act’s main objectives is to promote the understanding and acceptance of growth in the

number of electronic transactions. It should form the basis of discussion of data requirements for

evidential purposes in South Africa (South Africa 2002:Internet). However, many individuals in South

Africa are still not computer literate, let alone able to understand the intricacies and complexities of

advanced computer technology.

A further problem is the general global fear of older generations to embrace technology, this being a

particularly prevalent problem within the global judicial system: “While judges may resist the use of

technological advances within the court itself, we cannot avoid the impact of these scientific and

information revolutions on the substance of what we do. The rush of new scientific developments has

been so swift that the court system is struggling to deal with the expert testimony they produce…”

(Shelton 2006:63). According to studies done by Jones and Fox (2009:Internet), between 85% and 95%

of 18- to 30-year-olds are online, whilst only 50% of those aged 50 and older are online.

Although courts do accept technology as evidence in court, as guided by the ECT Act of 2002, ensuring

full acceptance of computer technology in court may prove to be a prolonged process. This complicates

the processing of Digital Forensic cases. The next paragraph summarises the practical problems that

may be encountered during a Live Forensic Acquisition.

5.2.6 Summary of Practical Problems

So far, this study has revealed five prominent problems that may hamper the further development of the

Live Forensic discipline. These problems are:

• how to gain forensically sound access to a suspect machine (Paragraph 5.2.1);

• the dependency of the acquisition on OS (Paragraph 5.2.2);


• the inherent possibility of data modification (Paragraph 5.2.3);

• how to prove authenticity of the evidence (Paragraph 5.2.4); and

• how to ensure acceptance of the technology used in a court of law (Paragraph 5.2.5).

The previous sections introduced these five potential problems. Chapter 13 will look at them in more detail

and suggest possible control measures. The next section looks at current techniques used to perform

Live Forensic Acquisition.

5.3 Currently Applied Techniques for Live Forensic Acquisition

The implementation of Live Forensic Acquisition can be very complicated, especially if the investigator

needs to consider the problems mentioned in Paragraph 5.2. There are several methods to perform Live

Forensic Acquisition, based on either software applications or hardware devices. Most of these involve

running an agent or application of some kind on the system itself, or installing a hardware device

beforehand. Accordingly, these techniques can potentially allow for possible data modification.

Regardless of the acquisition approach used by the forensic investigator, a number of basic rules should

be adhered to. These rules are:

• The acquisition tool should read all digital data from the source and write them to a non-volatile

destination location.

• The tool must not allow data to be written to the source.

• The investigator needs to fully document all steps followed, including the hardware and software

resources used to read the source data.

• If there are I/O errors while reading the source data, the tool must write a specified value to the

corresponding locations in the image and log the type and location of the error.

• If the destination of the data is larger than the source, the tool shall identify the start and end

locations of the source data within the destination.

• The tool should freeze the target system during the acquisition process to prevent memory

modification. The page table should also remain consistent.

• The tool should calculate one or more hash values of the data that are read from the source.

• If the destination of the data is smaller than the source, the investigator needs to either abort

the action, or copy as much data as possible into the destination. This may be rendered as

forensically unsound data (Carrier & Grand 2003:57).
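The basic rules listed above, carried through in an added example that is not the thesis's own code: a block-wise acquisition routine that reads every block of the source, writes it to a non-volatile destination, never writes to the source, replaces an unreadable block with a specified fill value while logging the error type and location, records where the source data sits inside a larger destination, handles a destination that is too small by either aborting or copying what fits, and hashes what was written. The in-memory source and destination, the sample data and the names (acquire_image, AcquisitionLog, FaultySource) are constructed for this example.

```python
import hashlib
import io
from dataclasses import dataclass, field
from typing import BinaryIO, List, Optional, Tuple

BLOCK_SIZE = 512
FILL_BYTE = b"\x00"                   # specified value written in place of an unreadable block

SAMPLE_DATA = bytes(range(256)) * 8   # constructed 2048-byte "disk" = 4 blocks
BAD_OFFSET = 512                      # constructed fault: the second block is unreadable


@dataclass
class AcquisitionLog:
    """The documentation the rules ask for: what was read, where it landed, what failed."""
    source_size: int = 0
    dest_start: int = 0          # offset of the first source byte inside the destination
    dest_end: int = 0            # offset one past the last source byte written
    bytes_read: int = 0
    complete: bool = False       # False when the destination could not hold the whole source
    errors: List[Tuple[int, str]] = field(default_factory=list)   # (source offset, error)
    md5: Optional[str] = None
    sha256: Optional[str] = None


class FaultySource:
    """Constructed read-only stand-in for a device; blocks at bad_offsets raise OSError."""

    def __init__(self, data: bytes, bad_offsets=()):
        self._data = data
        self._bad = set(bad_offsets)
        self.size = len(data)

    def read_block(self, offset: int, size: int) -> bytes:
        if offset in self._bad:
            raise OSError("Input/output error")
        return self._data[offset:offset + size]
    # Deliberately no write method: the tool must never write to the source.


def acquire_image(source: FaultySource, dest: BinaryIO, dest_capacity: Optional[int] = None,
                  dest_start: int = 0, abort_if_too_small: bool = False) -> AcquisitionLog:
    """Copy the source into dest block by block according to the rules above.

    dest_capacity is the size of the destination medium (None = unlimited) and
    dest_start the offset at which the image begins, so that the log records where
    the source data sits when the destination is larger than the source.
    """
    log = AcquisitionLog(source_size=source.size, dest_start=dest_start, dest_end=dest_start)
    available = None if dest_capacity is None else dest_capacity - dest_start
    if available is not None and available < source.size:
        if abort_if_too_small:
            return log                 # abort: nothing written, complete stays False
        limit = available              # otherwise copy as much as fits (partial image)
    else:
        limit = source.size

    md5, sha256 = hashlib.md5(), hashlib.sha256()
    dest.seek(dest_start)
    offset = 0
    while offset < limit:
        size = min(BLOCK_SIZE, limit - offset)
        try:
            block = source.read_block(offset, size)
        except OSError as exc:
            # Rule: write the specified value at the corresponding location and
            # log the type and location of the error instead of stopping.
            block = FILL_BYTE * size
            log.errors.append((offset, f"{type(exc).__name__}: {exc}"))
        dest.write(block)
        md5.update(block)      # hashes cover the image as written, fill bytes included,
        sha256.update(block)   # so the logged errors explain any difference from the source
        offset += size

    log.bytes_read = offset
    log.dest_end = dest_start + offset
    log.complete = offset == source.size
    log.md5, log.sha256 = md5.hexdigest(), sha256.hexdigest()
    return log


def verify_image(dest: BinaryIO, log: AcquisitionLog) -> bool:
    """Re-hash the logged source region of the destination and compare it with the log."""
    dest.seek(log.dest_start)
    return hashlib.sha256(dest.read(log.dest_end - log.dest_start)).hexdigest() == log.sha256


def demo(dest_capacity=4096, dest_start=64, abort_if_too_small=False):
    """Acquire the constructed sample device into an in-memory destination and
    return (log, image bytes as written, verification result)."""
    source = FaultySource(SAMPLE_DATA, bad_offsets=[BAD_OFFSET])
    dest = io.BytesIO()
    log = acquire_image(source, dest, dest_capacity, dest_start, abort_if_too_small)
    image = dest.getvalue()[log.dest_start:log.dest_end]
    return log, image, verify_image(dest, log)


if __name__ == "__main__":
    log, image, ok = demo()
    print(f"read {log.bytes_read}/{log.source_size} bytes, errors={log.errors}, verified={ok}")
    print(f"sha256={log.sha256}")
```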

Unfortunately, most techniques involve the introduction of an additional process into a system of already

running processes. To limit the interference of these processes with currently running processes, it is

necessary to shut down some of the currently running processes or services. These include:

• Antivirus programmes. Most antivirus programmes are set to update themselves or run scans

automatically, potentially interfering with the investigation.


• Task scheduler. Scheduled jobs may get in the way of the acquisition process should they start

during the investigation.

• Windows firewall. Depending on the configuration, the firewall may interfere with the Live

Forensic Acquisition and block some of the volatile information sources.

• Exchange/Internet Information Services (IIS). The system will continue to process email and web

pages during the acquisition if it is not disconnected (Carvey 2007:Internet).

Once the investigator has terminated the unnecessary processes, he/she needs to select a software- or

hardware-based technique to initiate the Forensic Acquisition. The next paragraph looks at current software

techniques used to perform Live Forensic Acquisition.

5.3.1 Software Techniques to Perform Live Forensic Acquisition

Many incident responders run tools such as ps and netstat to collect obvious data. Linux uses ps tools to

look at the system’s internals, while Windows uses netstat to search for new files and services, high

execution times, the Address Resolution Protocol (ARP) table and new users (Vidas 2006:9). However,

these tools leave most of the system’s memory unanalysed (Carrier & Grand 2003:51).

A number of Live Forensic techniques involve the use of either proprietary or customised software packages.

In general, these methods acquire a system’s volatile memory using invasive techniques and typically

write back to memory or to the system’s hard disk (Carrier & Grand 2003:51). The main problem with these

intrusive methods is the overwriting of valid evidence. Every time an investigator creates a new file, the

system may overwrite unallocated clusters. Similarly, new processes may take up space in the RAM,

removing valid evidence from the cache (Vidas 2006:13).

Even though it is unlikely that any court will accept this evidence as forensically sound, it is still a good

idea to document all steps and tools used thoroughly. This may provide sufficient expert knowledge to

convince the judge of the forensic soundness of the evidence. The remainder of this section discusses

four software techniques: software agents, memory dump, NotMyFault and the Live Response Toolkit.

5.3.1.1 Software Technique 1: Software Agents

The current software best practice is to load a tiny forensic software agent in the kernel of the computer

to gain access remotely to the physical memory of the computer (see Paragraph 3.3.2). The intention is

that this evidence can be used, provided that the forensic investigator can give reasonable assurance

that the evidence was not substituted, contaminated, or tampered with (Casey 2007:49).

A number of forensic packages allow forensic investigators to use an agent or install a programme on the

suspect system to perform Live Forensic Acquisition. ProDiscover requires the installation of the

PDServer agent from a DVD or thumb drive. FTK Imager runs from a CD or thumb drive and writes the


image files to an external drive or an already-mapped share. EnCase Enterprise requires the installation

of a servlet on the suspect system (these tools are all discussed in more detail on the accompanying CD,

see Forensic tools).

Although investigators can prove that these techniques are forensically sound, experts recommend

consideration of Heisenberg's Uncertainty Principle (Carvey 2007:Internet). Paragraph 6.4 introduces this

principle. Many of the tools discussed in this section propose some variation on this best practice.

5.3.1.2 Software Technique 2: Memory Dump

A popular software-based technique is to perform a complete system memory dump (Vidas 2006:13). A

memory dump is a display or printout of the contents of a computer’s memory. When a programme abruptly

ends, an investigator can examine the memory dump to determine the status of the computer at the time

of the crash. The investigator looks into the buffers to see which data items caused the failure. Additionally,

the investigator can inspect the counters, variables, switches and flags (PC Magazine 2008:Internet).

A memory dump file records the smallest set of useful information that may help identify problems with

the computer. Generally, a memory dump file requires a paging file of at least 2 megabytes on the boot

volume. This dump file includes the following information:

• the stop message, its parameters and other data;

• a list of loaded drivers;

• the processor context for the processor that stopped;

• the process information and kernel context for the process that stopped;

• the process information and kernel context for the thread that stopped; and

• the kernel-mode call stack for the thread that stopped (Microsoft 2008a:Internet).

Figure 5-5 and Figure 5-6 show the tabs investigators need to access in a Windows OS to create a

memory dump. A memory dump does not explicitly install a software package onto the suspect machine,

but rather reflects the software and its processes already existing on the machine. The next section

deals with NotMyFault, which involves the explicit installation of additional software.

5.3.1.3 Software Technique 3: NotMyFault

A more controversial technique used to crash a system is NotMyFault, developed by Mark Russinovich

of Sysinternals. NotMyFault can generate faults like High IRQL fault, Code Overwrite, Buffer Overflow

and Deadlock, which can crash Windows. This tool is very helpful in analysing memory dumps,

introduced in Paragraph 5.3.1.2 (Swatkat 2005:Internet).


Figure 5-5: Screenshot - Windows My Computer Properties

Figure 5-6: Screenshot - Windows My Computer Properties Advanced Properties


The NotMyFault system consists of two parts, a driver and an application. The driver, MyFault.sys (less

than 7 KB) must be loaded onto the suspect system, whilst the investigator uses the application

NotMyFault.exe (less than 50 KB) to issue calls to the driver loaded into the kernel. This crashes the

system on behalf of the user level in various ways (Vidas 2006:20). Figure 5-7 shows the NotMyFault

screenshot. It gives the user the option to choose a method to crash the system.

Figure 5-7: Screenshot - NotMyFault (Vidas 2006:20)

The NotMyFault system may be very useful and provide invaluable information to the forensic investigator.

However, research still needs to prove that this technique leaves the evidence forensically sound. This

technique is an advanced form of the traditional Forensic Acquisition, since the system forces the

suspect system to crash. The next section introduces a toolkit used specifically for Live Forensic Acquisition.

5.3.1.4 Software Technique 4: Live Response Toolkit

The Anti-Hacker Toolkit, written by Shema and Johnson (2004:577), recommends the use of the Live

Response Toolkit. The response toolkit outputs the results of all the commands it runs directly to a

destination workstation for storage and analysis, preventing the output from destroying or overwriting

potential evidence on the suspect computer system.

According to Shema and Johnson (2004:577-592), the Live Response Toolkit consists of the following tools:

• fport. Investigators generally run this tool first when encountering a compromised machine.

This tool maps every open TCP and UDP port on the suspect machine to a running executable

on the system. It is useful to locate different types of backdoors that would allow an attacker an

easier entry into your system.


• cmd.exe. This tool is a trusted command shell, located on every Windows NT or 2000 system.

cmd.exe is a 32-bit command prompt that offers disk and file maintenance functions to your

computer as well as network functions (Uniblue 2007:Internet).

• Netstat. This tool is useful for checking your network configuration and activity. It displays the

listening and current connections’ network information for the suspect machine. This information

helps to identify disreputable activity and installed backdoors on a suspect machine. Unlike fport,

however, netstat tells only which ports are open, and not which processes are using them.

• Nbtstat (NETBIOS tool). This tool, automatically installed in the Windows OS, lists the NETBIOS

name cache within the suspect computer. It is designed to access resources such as network

drives or printers shared by Windows through the NetBIOS protocol (NetScanTools

2008:Internet). If there are machines on the list that should not be connected to the system, it

is easy to identify them.

• ARP. The ARP table maps the physical machine addresses of the Ethernet cards to the

associated Internet Protocol (IP) addresses in the subnet. By using the ARP command, it is

possible to see which MAC address maps to which IP address, identifying individuals who may

be busy with unlawful actions.

• Loggedon. This tool provides a list of all users who logged on to a specific machine using proper

logon procedures. It does not show users who entered the system through a backdoor.

• Dump Event Log (dumpel). This tool is a command line utility that dumps event logs in a human-

readable format for offline analysis. The investigator can import this format into a spreadsheet,

and then use the utility to filter for certain event types and to filter out certain event types.

• Regdmp. The registry is a computer’s largest logging facility. It contains all the information about a

particular installation of Windows and other installed programmes. This information could be useful

to the investigator and could supply additional leads such as the last few places the machine

connected to with the telnet client, the last few most recently used documents for each programme

and the executables started when the machine is booted.

• PsList. This tool lists all rogue processes, such as backdoors, sniffers and password crackers

in the process table listing. The attacker may execute these processes on the system after its

compromise.

A forensic investigator can use any combination of these software tools to acquire the necessary evidence

from the system in question. Generally, the Live Response Toolkit is not a standard toolkit, but can

constitute any combination of the above tools.
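The design point of the Live Response Toolkit described above, that every tool's output goes straight to a destination workstation rather than onto the suspect disk, as an added example that is not the toolkit's or the thesis's own code. Each record is framed as a header line (tool name, byte length, SHA-256) followed by the raw output, so the workstation can verify every record as it arrives; the framing, the function names and the python one-liners standing in for netstat and arp are constructed for this example.

```python
import hashlib
import socket
import subprocess
import sys
from typing import Dict, List, Sequence, Tuple


def frame_record(tool: str, output: bytes) -> bytes:
    """One record: header line '<tool> <length> <sha256>' followed by the raw output."""
    header = f"{tool} {len(output)} {hashlib.sha256(output).hexdigest()}\n"
    return header.encode() + output


def run_tool(argv: Sequence[str]) -> bytes:
    """Run one tool and keep its stdout/stderr in memory (nothing is written to the suspect disk)."""
    proc = subprocess.run(list(argv), stdout=subprocess.PIPE, stderr=subprocess.STDOUT, check=False)
    return proc.stdout


def collect_and_ship(tools: Dict[str, Sequence[str]], conn: socket.socket) -> List[str]:
    """Suspect side: run each tool in turn and send its framed output to the workstation.
    Returns the SHA-256 of each output, for the investigator's contemporaneous notes."""
    digests = []
    for name, argv in tools.items():
        output = run_tool(argv)
        conn.sendall(frame_record(name, output))
        digests.append(hashlib.sha256(output).hexdigest())
    return digests


def _recv_until(conn: socket.socket, buf: bytes, ready) -> bytes:
    """Keep receiving until ready(buf) holds; raise if the peer goes away first."""
    while not ready(buf):
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed mid-record")
        buf += chunk
    return buf


def receive_records(conn: socket.socket, count: int) -> List[Tuple[str, bytes, bool]]:
    """Workstation side: read `count` records and verify each digest on arrival.
    Returns (tool name, output, digest matched) per record."""
    buf, records = b"", []
    while len(records) < count:
        buf = _recv_until(conn, buf, lambda b: b"\n" in b)
        header, buf = buf.split(b"\n", 1)
        tool, length, digest = header.decode().split(" ")
        n = int(length)
        buf = _recv_until(conn, buf, lambda b: len(b) >= n)
        output, buf = buf[:n], buf[n:]
        records.append((tool, output, hashlib.sha256(output).hexdigest() == digest))
    return records


def demo() -> List[Tuple[str, bytes, bool]]:
    """Ship the output of two constructed stand-in tools (python one-liners in place of
    netstat and arp) over an in-process socket pair and verify them on receipt."""
    tools = {
        "netstat": [sys.executable, "-c", "print('TCP 0.0.0.0:445 LISTENING')"],
        "arp": [sys.executable, "-c", "print('192.0.2.10 00-11-22-33-44-55 dynamic')"],
    }
    suspect_side, workstation_side = socket.socketpair()
    try:
        collect_and_ship(tools, suspect_side)
        return receive_records(workstation_side, len(tools))
    finally:
        suspect_side.close()
        workstation_side.close()


if __name__ == "__main__":
    for tool, output, ok in demo():
        print(f"{tool}: {len(output)} bytes, digest ok={ok}")
```

In a real collection the socket would connect to the workstation's listener and the digests returned by collect_and_ship would be written into the investigator's notes, so that the record received can later be matched against what was sent.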

5.3.1.5 Conclusion of Software Techniques

This section identified four techniques that forensic investigators can apply during a forensic investigation:

• software agents (Paragraph 5.3.1.1);

• memory dump (Paragraph 5.3.1.2);


• NotMyFault (Paragraph 5.3.1.3); and

• the Live Response Toolkit (Paragraph 5.3.1.4).

All four techniques are software-based and require the investigator to run a programme on the suspect

computer system. This may complicate the investigation on a legal foundation, since opposing counsel or

the court may argue that these programmes interfere with the data. It therefore may lead to a ruling of

inadmissible evidence. The next section looks at the hardware techniques currently used to perform Live

Forensic Acquisition.

5.3.2 Hardware Techniques to Perform Live Forensic Acquisition

Hardware techniques to perform Forensic Acquisition are less common than software techniques. These

techniques, although proven highly successful by some investigators, are not as popular as their software

counterparts. The remainder of this section discusses four hardware techniques:

• the Tribble device;

• PCI expansion card;

• Sparc OpenBoot; and

• COFEE (Computer Online Forensic Evidence Extractor).

5.3.2.1 Hardware Technique 1: Tribble Device

The Tribble device, developed by Carrier and Grand (2003:50), acquires computer memory with the push of

a button. This hardware-based procedure makes an accurate and reliable copy of volatile memory

contents for investigative examination. However, the forensic investigator needs to pre-install the device on

the suspect system prior to an incident (Casey 2007:49).

The Tribble device may prove very helpful in an investigation involving memory-resident worms such as Code

Red and SQL Slammer. These worms reside only in volatile memory and do not write anything to disk. Accordingly,

Dead Forensic Acquisition may only find limited evidence in the swap and hibernation file. Investigators may also

find the memory contents interesting, due to the vast variety of information found there. It contains data

from running processes, unencrypted data, passwords, viruses and the state of user activity (Carrier &

Grand 2003:50,51).

One of the reasons why Live Forensic Acquisition is necessary is because data stored in volatile memory are

lost when the computer shuts down. The Tribble device, in contrast with the software techniques discussed

in Paragraph 5.3.1, does not involve untrusted software, nor is it invasive (Carrier & Grand 2003:57).

Figure 5-8 shows the environment in which the Tribble device functions.

Figure 5-8: The Tribble development environment (Carrier & Grand 2003:57)

The Tribble device employs a PCI expansion card, installed into the computer before an intrusion occurs.

This card dumps the exact contents of the volatile physical memory to an external, non-volatile storage

medium. When the PCI controller is installed for this purpose, the person installing it generally disables it

after installation. The controller then lies dormant until a criminal incident occurs: it is activated only

by the incident response team and does not respond to bus queries from the host system until then.

The theory is that the device only becomes visible once the incident response team enables it. Therefore,

the computer user should remain unaware of the additional card, unless he/she inspects the computer’s

hardware (Carrier & Grand 2003:57).

During a forensic investigation, the investigator plugs the Tribble card into the PCI bus. It is then possible

to read the system memory via the PCI interface, without modifying its contents. First, the Tribble device

accesses the volatile memory through the PCI controller. Then a Joint Test Action Group (JTAG) boundary

scan tests the interface, before the content is saved on the development platform. As a visual

aid to the investigator, the content of the retrieved volatile memory is displayed on the debug console in both

ASCII and hexadecimal format (Carrier & Grand 2003:57).

In principle, the Tribble device works well. However, it presents a number of problems. Firstly, the

device needs prior installation. Accordingly, this technique is viable in a high-risk environment where

the system administrator takes the necessary precautions, but not in an arbitrary environment, such as a

system seized under a search warrant. The device has not been designed for an Incident Response Team

member to carry in his toolkit and install after an incident; it needs to be deployed as part of a forensic

readiness plan. Systems with Plug-and-Play support pose another problem. Upon enabling of the PCI

controller, these systems may detect the new device and ask for a driver. To prevent this, the card’s

original installer can install a dummy device driver that is loaded when the card is enabled, but does not

interact with the physical card (Carrier & Grand 2003:57).

Originally, Carrier and Grand developed this device to prove that system memory could be read via the

PCI interface without modifying its contents. The goal was to design and implement a procedure that can

make an accurate copy of volatile data, whilst minimising the amount of volatile and non-volatile data that

is modified on the suspect system during the process (Carrier & Grand 2003:57). Forensic investigators can

therefore also use this system, should it be proven forensically sound.

5.3.2.2 Hardware Technique 2: PCI Expansion Card

An alternative method is to install a PCI expansion card into a computer before an intrusion occurs. This

will dump the exact contents of volatile physical memory to an external, non-volatile storage medium.

The PCI controller is disabled by default, and only activated by the forensic team. Accordingly, the card

will not respond to bus queries from the host system. Nor will the device show a visible connection to

the PCI bus (Carrier & Grand 2003:51).

When the incident response team activates the controller on the card, it takes control of the PCI bus.

The card first suspends the CPU, preventing an attacker from modifying memory contents while the

acquisition is in process. After that, the card uses Direct Memory Access (DMA) to copy the contents of

physical memory to an external non-volatile storage device. Once the investigator has copied

the physical memory to the non-volatile storage device, the CPU resumes and the OS continues to

execute (Carrier & Grand 2003:55).
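The reason the card suspends the CPU before its DMA copy (Paragraphs 5.3.2.1 and 5.3.2.2) can be illustrated with a small simulation. The following Python code is an added example written for this section; it is not Carrier and Grand's code and does not talk to real hardware. The page layout, the page size, the RunningSystem class and the first-page/last-page invariant it maintains are all constructed assumptions that stand in for a real operating system changing physical memory while it is being copied.

```python
import hashlib

PAGE_SIZE = 16   # bytes per simulated page (assumption; real pages are 4 KiB)
NUM_PAGES = 8    # size of the simulated physical memory (assumption)


class RunningSystem:
    """Stand-in for the host CPU and OS mutating physical memory.

    The invariant it maintains: page 0 and the last page both start with the
    same 4-byte sequence number, and every quantum bumps both. A consistent
    snapshot therefore shows equal numbers; a smeared one does not.
    """

    def __init__(self):
        self.seq = 0
        self.memory = [bytearray(PAGE_SIZE) for _ in range(NUM_PAGES)]
        self._write_seq()

    def _write_seq(self):
        stamp = self.seq.to_bytes(4, "big")
        self.memory[0][:4] = stamp
        self.memory[-1][:4] = stamp

    def step(self):
        """One scheduling quantum: the OS (or an attacker) updates memory."""
        self.seq += 1
        self._write_seq()


def acquire(system, suspend_cpu):
    """Copy physical memory page by page, as a DMA engine would.

    suspend_cpu=False: the host runs between page reads, as it does under any
    software tool executing on the live system.
    suspend_cpu=True: the host is halted for the whole copy, as the card
    described in the text does before it starts its DMA transfer.
    """
    image = []
    for page in system.memory:
        image.append(bytes(page))      # one DMA read
        if not suspend_cpu:
            system.step()              # host keeps executing in the meantime
    return b"".join(image)


def image_is_consistent(image):
    """Check the invariant: first and last page carry the same sequence number."""
    last = (NUM_PAGES - 1) * PAGE_SIZE
    return image[0:4] == image[last:last + 4]


def acquisition_report(suspend_cpu):
    """Acquire a fresh system one way or the other and report what an examiner sees."""
    system = RunningSystem()
    image = acquire(system, suspend_cpu)
    return {
        "suspend_cpu": suspend_cpu,
        "consistent": image_is_consistent(image),
        "sha1": hashlib.sha1(image).hexdigest(),   # valid either way
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(acquisition_report(flag))
```

Running acquisition_report(False) yields an image whose first and last page disagree (a "smeared" snapshot), yet its SHA-1 is perfectly valid. That is the practitioner's caveat: a checksum proves the image has not changed since it was taken, not that the image is a consistent snapshot of memory at one instant. Only stopping the host for the duration of the copy, as the hardware does, gives the consistent image that acquisition_report(True) returns.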

5.3.2.3 Hardware Technique 3: Sparc OpenBoot

Similar to the memory dump, the OpenBoot firmware in a Sun system uses Sparc architecture to dump

the contents of physical memory to a storage device. This memory dump allows the investigator to suspend

any running processes within the system. By typing the sync command in the OpenBoot prompt, the

memory and register contents are dumped to a pre-configured device such as the swap space on a hard

drive (Carrier & Grand 2003:53). In essence, the sync command debugs the OS.

After writing the memory, the system reboots and copies the memory from the dump device to the file

system. By default, Sparc OpenBoot will only save the pages for kernel memory, but users can configure the

system to save all memory. The design is hardware-based and executes from ROM. It is designed in such

a way that attackers cannot modify it. An added benefit is that the system suspends all activity

whilst the response team is busy with the acquisition (Carrier & Grand 2003:53). A disadvantage of this

technique is that it overwrites data in swap space. Additionally, it requires the system to reboot to copy the

memory contents from the swap space (Carrier & Grand 2003:53). This renders the acquired evidence

forensically unsound.

5.3.2.4 Hardware Technique 4: COFEE

One of Microsoft’s latest inventions is a small USB plug-in device that investigators can use to extract

forensic data quickly from computers. As part of its trial, Microsoft distributed a number of these devices

free of charge to Law Enforcement agencies in June 2007 (My Opera 2008:Internet). COFEE is a

framework for First Responders to acquire evidence quickly and accurately from a live computer system.

Law Enforcement can use this framework to leverage publicly available tools, run from a USB storage

device, to access information on a live Windows system (Microsoft 2008b:Internet).

Originally developed by Anthony Fung in 2006 (Romano 2008:Internet), the device is well suited to Live

Forensic Acquisition. It gathers evidence on site by scanning the suspect computer from the device,

giving investigators a means to extract data from a suspect’s live computer at the crime scene.

It contains 150 commands to gather digital evidence and can decrypt passwords, analyse a

computer's Internet activity and analyse data stored in the computer’s memory (My Opera 2008:Internet).

COFEE is a preconfigured compilation of publicly available forensic tools (Romano 2008:Internet) and

plain text scripts. The creator did not intend to develop new forensic tools, but rather to automate

tools that are already accepted within the industry (Vamosi 2008:Internet). COFEE is an automated tool

(Cranton 2008:Internet) intended for command-line use, but it also offers a GUI option. It attempts to

ensure forensic soundness by generating SHA-1 or MD5 checksums to verify the data’s integrity

(Romano 2008:Internet). Note that such a checksum, taken once the data has been collected, shows only

that the collected data has not changed since; it says nothing about whether running the tools on the live

system altered the source.

COFEE decreases investigation time dramatically. Additionally, forensic investigators can customise

COFEE with additional tools and commands, should the forensic investigator require a specific functionality

not included by default (Romano 2008:Internet). Unfortunately, this tool only works on Windows.

5.3.2.5 Conclusion of Hardware Techniques

This section identified four hardware devices that forensic investigators can use during a forensic

investigation:

• the Tribble device (Paragraph 5.3.2.1);

• the PCI expansion card (Paragraph 5.3.2.2);

• SPARC OpenBoot (Paragraph 5.3.2.3); and

• COFEE (Paragraph 5.3.2.4).

All four devices are hardware-based, and the first three require the investigator to prepare the suspect

computer system beforehand (installing the card and its dummy driver, or pre-configuring the firmware

dump device). This may complicate the investigation on legal grounds, since opposing counsel may argue

that this preparation interferes with the data. It may therefore lead to a ruling that the evidence is

inadmissible. However, hardware-based acquisition is in general more difficult for attackers to tamper with.

Although these solutions do require prior installation, they have two main advantages: they can access memory

without relying on the OS and they do not need to use system memory whilst running (Carrier & Grand

2003:53). The next section summarises the currently used software and hardware techniques for Live

Forensic Acquisition.

5.3.3 Conclusion of Current Applied Techniques

The previous sections looked at some of the software and hardware techniques currently applied to perform

Live Forensic Acquisition. This list is not comprehensive, but rather representative of the different types

of techniques applied at the time of writing. Table 5-1 presents a summary of these techniques. None

of the techniques is completely forensically sound.

Table 5-1: Currently applied techniques for Live Forensic Acquisition (Own compilation)

Software techniques          Hardware techniques

Software agents              Tribble device

Memory dump                  PCI Expansion Card

NotMyFault                   SPARC OpenBoot

Live Response Toolkit        COFEE

The idea behind forensically sound evidence is to disturb the crime scene as little as possible. However,

it is very difficult to introduce a new process without leaving some traces of activity on the system. The basic

traces include the memory used, buffers and the pagefile (Carvey 2007:Internet). The next section

summarises the content of Chapter 5 and lists some of the drivers identified as valuable in the

development of the Liforac model.

5.4 Summary

Part 2 focuses on the practical aspects of Live Forensic Acquisition. Chapter 5 started with a brief

discussion of the different ways in which organisations around the world currently respond to a cyber attack,

and looked at the properties of digital evidence. It also looked at two important aspects of Live Forensic

Acquisition: a number of practical problems associated with Live Forensics and current techniques for

applying Live Forensics. Although these techniques may not all be scientifically validated, they give the

reader an idea of the direction in which Live Forensic Acquisition is heading. These techniques are divided into

software-based techniques and hardware-based techniques.

In summary, the six drivers identified from Chapter 5 to contribute to the development of the Liforac

model are as follows, with the originating paragraph between brackets:

• Electronic information is a valuable resource for any organisation and needs to be protected. Although

this driver does not directly contribute to the development of the Liforac model, this knowledge

provides some motivation for the development of the model (Paragraph 5.1);

• Digital evidence has unique properties that set it apart from real world evidence. This driver has

a direct impact on the legal aspects of the proposed Liforac model (Paragraph 5.1);

• Organisations generally have three possible options to respond to a cyber attack, and accordingly,

a cyber investigation (Paragraph 5.1);

• Locard principle: “… when any two objects come into contact, there is always transference of

material from each object onto the other”. This driver has a direct impact on the problems Live

Forensics face regarding forensic soundness and modification of data (Paragraph 5.1);

• Five identified practical problems with Live Forensics (Paragraph 5.2, Figure 5-2):

− gaining access to the suspect system;

− acquisition dependent on the OS;

− data modification during the acquisition process;

− demonstrating the authenticity of evidence;

− ensuring full acceptance of computer technology by the court.

These problems directly influence the Scope dimension of the Liforac model.

• Both software and hardware methods exist to perform Live Forensic Acquisition. These methods aid

the understanding and the application of Live Forensics and accordingly influence the development

of the Liforac model (Paragraph 5.3.1, Paragraph 5.3.2).

When considered individually, most of these drivers suggest a knowledge component. Depending on

the drivers identified in subsequent chapters, this theme may influence the identification of possible

dimensions for the Liforac model. The themes will be addressed in Chapter 9.

Chapter 6 will now consider the concept of forensic soundness. This chapter will address Objective C,

Identifying sound forensic techniques. Chapter 6’s information builds on the foundation of Live Forensics

set by Chapter 5, looking at sound forensic techniques in the Live Forensic discipline.

Chapter 6: Forensically Sound Live Acquisition Admissible in Court

“In this age of ‘CSI’ and forensic medicine it’s clear that with good old-fashioned police work…

We can put together a circumstantial case…

And we can make sure that justice, however delayed, is not denied.”

- Jeanine Pirro

Part 2 of this study focuses specifically on Live Forensics, its uses and applications within the cyber

environment and the possibility of admitting associated data as evidence in court. Chapter 5 looked at the

practical problems with implementing Live Forensics, as well as the current application of Live Forensics

within the field of Digital Forensics. Chapter 6 takes the study of Live Forensics a step further: in order

to identify which data are admissible in court, it is necessary to examine the idea of forensic soundness.

Chapter 6 involves a lot of in-depth and background research. It looks at court standards and requirements to

classify data as evidence that is admissible in court. This involves investigating the Frye and Daubert tests,

as well as the rules for electronic records and its legal admissibility. This chapter also compares Digital

Forensics and Physiological Forensics, and the possibility to apply Physiological Forensic principles to

ensure forensic soundness in Digital Forensics. This investigation links to the volatile nature of Digital

Forensics and which measures need to be taken to ensure the admissibility of evidentiary data to court.

Figure 6-1: Liforac model progress - Identify sound forensic techniques (Own compilation)

Figure 6-1 indicates the current level of progress with regard to identifying building blocks for the Liforac

model. Chapter 6 fulfils Objective C, Identify sound forensic techniques (originally presented in Figure

2-2). Figure 6-1 shows that both Objective A and B have been addressed in previous chapters. The

following paragraph introduces the concept of forensic soundness and provides formal definitions for this

concept.

6.1 Introduction

Digital Forensics is a technical application of computer-related knowledge, constrained by a number of

technical issues. In addition to these restrictions, numerous laws strictly bind forensic investigators to the

letter. The implementation of some of these laws is sometimes rather disdainful (Jones 2007:1).

According to Bejtlich (2006:Internet), a forensically sound copy of a hard drive is “… created by a method

that does not, in any way, alter any data on the drive being duplicated. A forensically sound duplicate

must contain a copy of every bit, byte and sector of the source drive, including unallocated empty space

and slack space, precisely as such data appears on the source drive relative to the other data on the

drive. Finally, a forensically-sound duplicate will not contain any data (except known filler characters)

other than which was copied from the source drive."

An alternative definition for a forensically sound copy of a drive is “… a complete and accurate representation

of the source evidence. A forensically sound duplicate is obtained in a manner that may inherently (due

to the acquisition tools, techniques and process) alter the source evidence, but does not explicitly alter the

source evidence. If data not directly contained in the source evidence is included in the duplicate, then

the introduced data must be distinguishable from the representation of the source evidence. The use of

the term complete refers to the components of the source evidence that are both relevant and reasonably

believed to be relevant" (Bejtlich 2006:Internet).

Since neither of these definitions of forensic soundness explicitly allows for live acquisitions, Mike Murr

extended the definition by adding “… the manner used to obtain the evidence must be documented,

and should be justified to the extent applicable” (Murr s.a.:Internet). The next section shows how these

definitions can be applied in the real crime environment. It shows two possible tests, the Frye and

Daubert tests, to determine whether evidence can be considered admissible in court.
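The two definitions above, together with the checksum verification that COFEE performs (Paragraph 5.3.2.4), can be turned into concrete checks an examiner runs on a duplicate before calling it forensically sound. The following Python code is an added example; it is not code from Bejtlich, Murr or COFEE. The 512-byte sector size, the zero-byte filler and the source "drive" built in the usage are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

SECTOR = 512            # bytes per sector (assumption)
FILLER = b"\x00"        # the "known filler" allowed beyond the source (assumption)


def digests(data):
    """MD5 and SHA-1, the two checksums the text reports COFEE producing.
    Both are weak today; they are used here only to mirror the text."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def duplicate(source):
    """Bit-for-bit copy of the source, padded with known filler to a whole
    sector so the imaging layer has nothing to round up silently."""
    pad = (-len(source)) % SECTOR
    return bytes(source) + FILLER * pad


def verify_duplicate(source, dup):
    """Apply Bejtlich's criteria to a duplicate. Every finding must be True
    for the duplicate to be accepted as forensically sound."""
    n = len(source)
    findings = {
        "covers_every_byte": len(dup) >= n,                    # nothing truncated
        "bit_identical": dup[:n] == source,                    # every bit, in place
        "digests_match": digests(source) == digests(dup[:n]),
        "extra_is_known_filler": set(dup[n:]) <= set(FILLER),  # no foreign data
    }
    findings["sound"] = all(findings.values())
    return findings


def acquisition_record(source, dup, method, examiner):
    """Murr's addition: document how the copy was obtained and what was
    checked. Returns the record as JSON to accompany the image."""
    record = {
        "method": method,
        "examiner": examiner,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "source_bytes": len(source),
        "duplicate_bytes": len(dup),
        "source_digests": digests(source),
        "duplicate_digests": digests(dup),
        "verification": verify_duplicate(source, dup),
    }
    return json.dumps(record, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed source "drive": not a real image.
    src = bytes(range(256)) * 3 + b"end-of-source"
    print(acquisition_record(src, duplicate(src), "simulated sector copy", "examiner A"))
```

The digests of the whole duplicate differ from those of the source whenever filler was added, which is why the record carries both and why verification compares the source against the duplicate truncated to the source length. None of these checks says anything about whether the acquisition method itself altered the source; that gap is exactly what Murr's documentation requirement, the acquisition_record output here, is meant to close.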

6.2 Evidence Admissible in Court

Evidence can either make or break an investigation. Therefore, it is crucial to ensure that all evidence is

admissible in court, according to the definitions presented in Paragraph 6.1. Should the court reject any

item of evidence, it can hurt the case. At the very least, this rejection can portray the investigators as

incompetent. Since the items of evidence first need to be submitted to court for approval of admission,

the correct terminology is “… artefacts of potential evidentiary value”, rather than evidence. An item can

only be formally considered evidence once the court accepts it (Brown 2005a:4).

Especially with Digital Forensics, where the court and/or opposing counsel may not be too familiar with

the topic, it is necessary to educate the audience. The educating witness teaches the audience about

the underlying scientific theory. This witness qualifies as an expert witness and may offer professional

opinions regarding the validity of a theory and the reliability of specific tools. A court may accredit a witness

as an expert witness if he/she has the necessary academic qualifications or specific forensic training.

Additionally, many jurisdictions require the theory used by an expert witness to meet certain qualifications

before being used in court.

Paragraph 6.2 presents an overview of when digital evidence (artefacts of potential evidentiary value) can

be expected to be successfully admitted to court. Many organisations and institutions set up their own

rules and regulations regarding this matter. In general, courts apply the Frye and Daubert tests to determine

the validity of the artefacts. These two tests are discussed in the following sub sections.

6.2.1 Frye Test

From 1923 to 1993, a heuristic known as the Frye test, named after a District of Columbia Court of Appeals

case, controlled the admissibility of expert evidence. The Frye test held expert scientific evidence admissible

only if the scientific community generally accepted the scientific principles upon which it was based (Ryan &

Shpantzer 2005:2).

In 1923, a Washington D.C. court found James Frye guilty of murder. At trial, Frye had sought to introduce

the results of a new lie-detector test, which inferred deception from a rise in systolic blood pressure, to

show that he was telling the truth. The trial court excluded the test and Frye appealed. The appeals court

ruled that a new scientific principle or discovery can only be used as evidence in a court of law if it is

"… sufficiently established to have gained general acceptance in the particular field in which it belongs"

(Gardner 2000:Internet). The court ruled that the blood-pressure test had not gained such acceptance.

Accordingly, the appeals court upheld Frye’s conviction.

Interestingly, lie-detector tests only gained respect in the scientific community, and accordingly in courts,

during the 1970s and 1980s (Net Industries 2008:Internet).

The Frye test states that admissible scientific evidence must result from a theory that has general

acceptance in the scientific community. This test yields uniform decisions regarding admissibility.

Although no law forces courts to apply the Frye test, decisions that do not follow it can easily be appealed

(Gardner 2000:Internet). The Frye test has proved helpful in many disputed court cases. However, with the

new development of Live Forensic Acquisition in Digital Forensics it may be problematic in some instances.

In the practical application of this standard, proponents of a particular scientific issue need to provide a

number of experts to speak to the validity of the science behind the issue in question. The downside of

this test is that it may not be flexible enough to adapt to truly new and novel scientific issues. In most

jurisdictions, the Daubert standard has superseded the Frye standard (Gardner 2000:Internet).

6.2.2 Daubert Test

Following the 1993 ruling discussed below, the Daubert test took the place of the Frye test in controlling the

admissibility of expert evidence in the United States federal courts. A Daubert motion is raised before or

during trial to exclude the presentation of unqualified expert evidence to the jury. Counsel uses this motion

to exclude the testimony of an expert witness who has no specific expertise in the area or who used

questionable methods to obtain the information. Generally, courts should only allow expert witnesses if

their testimony is relevant to the case, with judges having authority to exclude inappropriate testimony.

Before Daubert, trial courts preferred to let juries hear evidence offered by both sides. A Daubert motion

seeks to exclude such evidence where it fails to meet the relevance and reliability standard (Daubert v.

Merrell Dow Pharmaceuticals 1993:Internet).

The Daubert test arose out of the United States Supreme Court case Daubert v. Merrell Dow

Pharmaceuticals of 1993. Jason Daubert and Eric Schuller had been born with serious birth defects.

Jason Daubert was born in 1974 with only two fingers on his right hand and without a lower bone on his

right arm. His mother took Bendectin, an anti-nausea drug made by Merrell Dow, during her pregnancy

(Daubert v. Merrell Dow Pharmaceuticals 1993:Internet). Daubert, Schuller and their parents sued

Merrell Dow Pharmaceuticals Inc, claiming that the drug caused the birth defects.

Merrell Dow’s expert witness submitted documents showing that no published scientific study demonstrated

a link between Bendectin and birth defects. Daubert and Schuller submitted expert evidence suggesting

that Bendectin could cause birth defects, based on in vitro and in vivo animal studies, pharmacological

studies and re-analysis of other published studies. These methodologies had not yet gained acceptance

within the general scientific community, as required by the Frye test in Paragraph 6.2.1 (Daubert v. Merrell

Dow Pharmaceuticals 1993:Internet).

Daubert and Schuller argued that the Federal Rules of Evidence, adopted in 1975, had superseded Frye as

the governing standard for admitting scientific evidence in trials held in federal court. The Supreme Court agreed and

applied the rules governing expert testimony established by the Federal Rules of Evidence to the admission

of scientific evidence at trials conducted in federal courts. Under these rules, the judge determines

whether the evidence is scientifically valid and relevant to the case at hand. In addition, the jury uses

counsels’ cross-examination and the presentation of contrary evidence to determine whether the scientific

evidence is ultimately credible (Daubert v. Merrell Dow Pharmaceuticals 1993:Internet).

In Daubert, the court held that Rule 702 of the Federal Rules of Evidence succeeded Frye. Rule 702 provides

“… if scientific, technical or other specialised knowledge will assist the trier of fact to understand the

evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience,

training or education, may testify thereto in the form of an opinion or otherwise”. This implies that the

scientific evidence proposed possesses the scientific validity to be considered competent as evidence if it

is grounded in the methods and procedures of science (Ryan & Shpantzer 2005:2). Not all of the considerations

in Daubert have to be met for the evidence to be admitted; the factors are guidelines that need only be

substantially complied with. The Daubert test considers four factors:

• whether the theory is testable;

• its reliability and known or potential error rate;

• the extent of general acceptance by the scientific community; and

• whether the theory has been peer reviewed (Daubert v. Merrell Dow Pharmaceuticals 1993:Internet).

Eventually, Daubert presented a number of affidavits based solely on animal testing, claiming the existence

of a link between Bendectin and birth defects in animals. The court dismissed the case on the basis that the

plaintiff’s evidence was “… not sufficiently established to have general acceptance in the field to which it

belongs". The Supreme Court expressed the view that the Daubert principles would result in a fair and rational

resolution of the scientific and technological issues that lie at the heart of product liability adjudication

(Daubert v. Merrell Dow Pharmaceuticals 1993:Internet).

In short, the Daubert ruling requires the judge to assess the scientific validity of a methodology or

technique invoked by an expert witness before the trial starts. The intention is to decide beforehand

whether the methodology can be applied to the facts in issue. To assist the judge in the ruling, he/she

can consider the following:

• Can and has the technique been tested?

• Has the technique been subjected to peer review and publication?

• Is the potential rate of error known?

• Are there any standards controlling the technique?

• Does the relevant scientific community accept this technique? (Amenya 2004:16).

Although the original plaintiffs of the Daubert v. Merrell Dow Pharmaceuticals of 1993 case lost the case,

it set a precedent for future cases involving scientific evidence. The following paragraph extends on this

scientific admissibility by examining the legal admissibility of specifically electronic records. This follows on

both principles from the Frye and Daubert tests.

6.2.3 Electronic Records and Legal Admissibility

The previous section looked at the tests used to determine whether evidence is admissible in court. This

section is an extension of this discussion, but focuses more specifically on the admissibility of electronic

records. Electronic records are particularly vulnerable to tampering since additions or deletions are not

necessarily apparent to the document viewer. Whilst it might be possible to identify the original or a copy

of a printed or photocopied document, it is a lot more difficult to identify the original from copies of an

electronic document (University of Edinburgh 2004:1).

What complicates matters even more is the increasing sophistication of electronic records. For example, a

record may embed a word-processed document with a dynamic link to a spreadsheet. This spreadsheet

allows automatic updates, making a paper audit trail tedious and an electronic trail impossible. During an

investigation, it would be a cumbersome process to recreate the electronic record in the exact form that

the user accessing the system saw it and accordingly to prove what information the user had access to

(University of Edinburgh 2004:3). This complexity makes it harder for either side to show beyond

a reasonable doubt whether or not the user saw a specific set of digital links.

Electronic Records

Electronic records and evidence are any form of data stored in digital format. In the simplest form, there

are two main types of electronic records:

• Records created electronically. This category includes word processor documents, e-mails,

spreadsheets and database records.

• Paper records copied to electronic media. This includes documents scanned into an electronic

filing system or database records that mimic paper documents (University of Edinburgh 2004:1).

Legal admissibility is the characteristic of a piece of evidence that determines whether a court of law will

accept it as evidence. This concept, however, is not at all straightforward. On the one hand, evidence

might be legally admitted to the court. On the other hand, opposing counsel often rely on placing doubt

on the evidential weight to diminish the efficacy of the legally admissible evidence. Counsel should be

able to prove that:

• the record has not been tampered with;

• the system the record is kept in is a secure system; and

• the system was secure throughout the lifetime of the record (University of Edinburgh 2004:1).

According to studies done by the University of Edinburgh (2004:1), there are no set rules for determining

the legal admissibility of an electronic document. However, it is possible to maximise the evidential

weight of a document by setting up authorised procedures and being able to demonstrate in court that

those procedures have been followed. The ECT Act includes a detailed section (Chapter III, Part 1) on the

legal admissibility of electronic records. Organisations and individuals complying with this practice should

be able to maximise the evidential weight of electronic records.

Evidential weight enables investigators to demonstrate the authenticity and reliability of electronic records.

There are two main elements to demonstrating the authenticity of these records:

• The possibility to freeze a record at a specific moment in time. This freezing literally brings the

contents of a specific file to a standstill, allowing no further changes to the file. This ensures that

no changes have been made to the file since it was frozen, proving authenticity.

• Maintaining a documented audit trail. An audit trail provides supporting information about the

records being stored, proving authenticity. The supporting information includes:

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 92 of 268 Chapter 6

− The name of the author;

− The date the record was created and stored;

− The names of people who accessed the document and the relevant dates; and

− Version information (University of Edinburgh 2004:3).

Once the court has determined the evidential weight of electronic records, the evidence is in principle accepted

in courts. The previous section looked at the specific occasions in which these evidentiary artefacts are

allowed in court, providing guidelines on determining both the evidential weight and the admissibility.

6.2.4 Conclusion of Evidence Admissible in Court

The most important question in determining the admissibility of real artefacts concerns the authenticity of

the data. If the data changed in any way, counsel will have a very hard time convincing the court to include

it as evidence (Brown 2005a:18). The next section compares the Digital Forensic discipline with

traditional Physiological Forensics. This section looks at both the similarities and the main differences

between these disciplines.

6.3 Comparing Digital Forensics with Traditional Forensics

According to the Merriam-Webster online dictionary (2008:Internet), the word forensics dates back to

1659 and is from Latin origin. It consists of two root words: forensis, which means public, and forum,

which translates to debate. The general acceptance of this word relates to courts or judicature, public

discussions and debate. It is therefore a reasonable assumption that both Digital Forensics and traditional

forensics relate to the legality of matters, applying only to different types of matter. This section looks at

different ways in which Digital Forensics and Physiological Forensics can be altered and briefly motivates

why this alteration should be allowed in court cases.

Altering Physiological Forensic Evidence

Although the modification of evidentiary data remains a huge problem, it is not a new concept. Methods in

Physiological Forensics, such as Deoxyribonucleic Acid (DNA) analysis, also alter the original evidence.

However, courts still accept this evidence. When a traditional forensic investigator collects samples of

biological material, he/she needs to scrape or smear the original evidence. In many cases, DNA tests are

highly destructive.

Although investigators can extract information from the original evidence, investigators cannot present

the original blood sample or skin sample to the court as evidence. Despite the changes that occur during

preservation and processing, courts consider these methods as forensically sound. In fact, investigators

regularly submit DNA analysis results as evidence (Casey 2007:49).


Altering Digital Forensic Evidence

Similarly, Digital Forensic investigators need to acquire data from a suspect system and analyse, examine

and alter its presentation to produce meaningful information to the courts. This meaningful information is

rarely in the same condition as when the investigator acquired the original data (similar to a traditional

forensic investigator obtaining a piece of fingernail and running DNA analysis to present in court).

When considering the use of traditional Digital Forensic measures, courts should allow the minor alteration

of original evidence, similar to the allowed minor alterations of original evidence in traditional Physiological

Forensics. However, investigators should still adhere to the basic Digital Forensic principles and not

alter evidence in such a way that the meaning thereof changes. The legal system therefore needs to be

updated to accept Digital Forensic analysis in a court of law, as long as the data still adhere to the definition

of forensic soundness presented in Paragraph 6.1. Investigators should focus on maintaining the reliability

and authenticity of the evidence (Casey 2007:49).

The Necessity of Altering Evidence

The growing number of attorneys and courts that rely on the results of digital examinations ignited a

global debate on the exact constitution of sound forensics. All parties involved agree that Forensic

Acquisitions should not alter the original evidence source in any way. However, forensic experts show

that the act of preserving certain digital sources in many cases requires the alteration of the original

evidence item (Casey 2007:49).

For example, the common method of performing Live Forensic Acquisition requires that the investigator

load the acquisition tool into memory. This overwrites some of the system’s volatile data and is a distinct

alteration of the original data evidence source. Another example concerns the use of remote forensic

tools. These tools require the investigator to establish a network connection, accordingly altering the

original evidence source. Even the use of hardware write blockers (discussed in Paragraph 3.4.3) in data

acquisition from an Integrated Development Environment (IDE) hard drive may temporarily reconfigure

evidentiary data to access the HPA (Casey 2007:49).

It is not practical to set an absolute standard that dictates the preservation of everything and the modification of nothing. Such a standard would exclude the viability and usability of both Cyber and Physiological Forensic methods, and would send the entire legal system into disarray (Casey 2007:49). As discussed earlier, even the globally accepted method of DNA analysis allows for some form of controlled alteration.

The next section introduces the uncertainty principle. This discussion on the volatile nature of Digital

Forensics emphasises that evidentiary data will be modified by the slightest action in a computer system.


This volatile nature illustrates that it is practically impossible to investigate a computer system without

changing some aspects of the system log or volatile memory. This forms an integral part of the model for

comprehensive, forensically sound Live Forensic Acquisition.

6.4 Volatile Nature of Digital Forensics

The previous section explained that both Physiological and Digital Forensics occasionally require

controlled modifications to ensure the appropriate interpretation of the evidentiary artefacts. Although the

forensic discipline requires that no alterations be made to the evidentiary data, the volatile nature of

forensic evidence often requires just that.

In quantum physics, the Heisenberg uncertainty principle is the statement that locating a particle in a

small region of space makes the momentum of the particle uncertain. Additionally, measuring the

momentum of a particle exactly makes the position uncertain (Heisenberg 1930:Internet). This is very

similar to the concept of Live Forensic Acquisition: the mere action of collecting evidence can make the

environment unstable. This translates as rendering evidence forensically unsound.

According to Heisenberg, it is possible to measure the position of an atom with a photon. The

uncertainty principle states that, when the photon is introduced, it will change the momentum of the atom

by an uncertain amount that is inversely proportional to the accuracy of the position measurement. The

amount of uncertainty can never be reduced below the limit set by the principle, regardless of the

experimental setup. Similar to the uncertainty principle is the observer effect. This principle refers to

changes that the physical act of observing will make on the observed phenomenon. The same example

applies to this principle. In order to see an electron, a photon must first interact with it. This interaction

will indefinably change the path of the electron (Heisenberg 1930:Internet).

The Heisenberg uncertainty principle and the observer effect explain the volatile nature of forensics, both

digital and traditional. These disciplines are so volatile that the simplest interaction can indefinitely

change the nature of the evidence, but not necessarily its meaning. The next section elaborates on this

volatile nature, explaining how the evidence can still be considered as forensically sound.

6.5 Ensuring Forensically Sound Acquisition

The key to forensic soundness is documentation. This links strongly with the concept of chain of custody

(see Paragraph 3.4.4). The acquisition process should change the original evidence as little as possible.

Investigators should document any changes whatsoever and assess them in the context of the final analytical

results (Casey 2007:50). Ensuring forensically sound acquisition relies on two aspects: authenticity and

reliability (introduced in Paragraph 3.3.2.2). The remainder of this chapter will focus on these aspects.


6.5.1 Authenticity

The authenticity of an object refers to its trustworthiness. With regard to ensuring the forensic soundness

of an object, authenticity implies that the witness can indicate to the court that the piece of evidence has

not been altered since its original collection. In addition, he/she needs to prove the location, date and

time of collection. The general method to prove the authenticity of a piece of digital evidence is by

using standardised evidence handling procedures and chain of custody records (Amenya 2004:10).

In general, authenticity is closely related to proving the integrity of the data (Kruse II & Heiser 2002:13).

This can be done by calculating a hash value, checksum or timestamp, or by using digital signatures

(these techniques have been discussed in Paragraph 5.2.4).

6.5.2 Reliability

In theory, courts should accept the forensic soundness of a piece of evidence if the supporting

documentation is sufficient. This documentation should report on the evidence’s origin and the way

investigators handled it since acquisition. Investigators need to preserve a complete and accurate

representation of the original data during the acquisition process, in such a way that courts can validate

its authenticity and integrity (Casey 2007:50).

There is no specific test to determine whether digital evidence possesses the required scientific validity.

When considering all the rulings made during the Daubert trial, Ryan and Shpantzer (2005:2) conclude

that Digital Forensic evidence proposed for admission in court should at the very least satisfy two

conditions. Firstly, the evidence should be relevant. Secondly, evidence must be “… derived by the

scientific method” and “… supported by appropriate validation”. Digital Forensics is very technical in

nature and therefore grounded in science. This includes computer science, mathematics and physics

(Ryan & Shpantzer 2005:3).

In order to ensure that digital evidence is in fact forensically sound, counsel need to investigate the

reliability thoroughly. When witnesses are involved, counsel need to investigate the testing and verification

of theories and techniques of Digital Forensics, peer review and existence of known error rates.

Additionally, counsel may investigate differences of opinion among Digital Forensic experts regarding the

validity and acceptance of specific tools and techniques (Ryan & Shpantzer 2005:3).

A number of techniques can be employed to ensure that the evidence acquired/to be acquired remains

forensically sound:

• Send a preservation of evidence letter. Information stored on computers changes every time a

user saves a file or loads a new programme. It is therefore critical to notify all relevant parties

in an overt operation that you will be acquiring electronic evidence through discovery. If the

relevant parties cooperate, the sooner the notice is sent the better to ensure that the suspect


system is used minimally to limit the distortion of evidence. The notice should identify the types

of information that needs preservation and identify the possible locations of this information

(Amenya 2004:4). It is not practical to send such a letter during a covert investigation.

• Maintain a comprehensive, detailed chain of custody, with accompanying notes. This should

include definitions, instructions and specific questions about electronic evidence in your written

discovery. This step should be continued beyond the acquisition, and record all action relevant

to the case (Amenya 2004:4).

• Adhere to a comprehensive checklist for electronic media examination. This checklist assures

forensic investigators of all the steps that build up to a forensically sound case:

− assign a unique number to each piece of media;

− write-protect all media;

− virus check all media and record any retrieved viruses;

− print directory listings for each piece of media and mark appropriately;

− virus check the destination drive and ensure that this drive is forensically wiped;

− verify that all files on the directory listing appear in the restored copy; and

− secure the source media (Amenya 2004:8).
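The integrity techniques of Paragraph 6.5.1 (hash values and an audit trail) and the checklist steps above (a unique number per piece of media, a directory listing, verification that every listed file appears in the restored copy) can be combined into one evidence manifest. The following is an added example written for this page, not code from the thesis; the media identifier, examiner name and file contents are constructed sample values.

```python
# Added example (not from the thesis): integrity check of an acquired media copy
# as described in Paragraph 6.5.1 (hash values plus an audit trail) and the
# checklist above (media number, directory listing, verify the restored copy).
# Media identifier, examiner name and file contents are constructed sample values.
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def listing_hash(files):
    """Canonical hash of the listing, so tampering with the manifest itself shows."""
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(media_id, root, examiner):
    """Frozen record of `root`: per-file SHA-256, who acquired it and when."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return {
        "media_id": media_id,
        "examiner": examiner,
        "created": datetime.now(timezone.utc).isoformat(),
        "files": files,
        "listing_sha256": listing_hash(files),
        "audit_trail": [],
    }


def log_access(manifest, person, action):
    """Audit trail entry: who did what to the record, and when."""
    stamp = datetime.now(timezone.utc).isoformat()
    manifest["audit_trail"].append({"person": person, "action": action, "timestamp": stamp})


def verify_copy(manifest, copy_root):
    """Compare a restored copy with the manifest and report every discrepancy."""
    if listing_hash(manifest["files"]) != manifest["listing_sha256"]:
        raise ValueError("manifest listing altered since creation")
    missing, modified, extra = [], [], []
    for dirpath, _, names in os.walk(copy_root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), copy_root).replace(os.sep, "/")
            if rel not in manifest["files"]:
                extra.append(rel)  # present in the copy but not on the source listing
    for rel, rec in manifest["files"].items():
        full = os.path.join(copy_root, rel)
        if not os.path.isfile(full):
            missing.append(rel)  # listed file did not survive the copy
        elif os.path.getsize(full) != rec["size"] or sha256_file(full) != rec["sha256"]:
            modified.append(rel)  # content differs from the frozen record
    result = {"missing": sorted(missing), "modified": sorted(modified), "extra": sorted(extra)}
    result["intact"] = not (missing or modified or extra)
    return result


def demo():
    """Constructed scenario: source media, a faithful copy and an altered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "docs", "memo.txt"), "w") as fh:
            fh.write("constructed sample record\n")
        with open(os.path.join(src, "ledger.csv"), "w") as fh:
            fh.write("id,amount\n1,100\n")
        manifest = build_manifest("MEDIA-0001", src, "Examiner A")  # placeholder values
        good = os.path.join(tmp, "copy_good")
        shutil.copytree(src, good)
        bad = os.path.join(tmp, "copy_bad")
        shutil.copytree(src, bad)
        with open(os.path.join(bad, "ledger.csv"), "a") as fh:
            fh.write("2,999\n")                          # altered after acquisition
        os.remove(os.path.join(bad, "docs", "memo.txt"))  # lost from the copy
        results = {"file_count": len(manifest["files"])}
        for label, path in (("good", good), ("bad", bad)):
            results[label] = verify_copy(manifest, path)
            log_access(manifest, "Examiner A", "verified %s: intact=%s" % (label, results[label]["intact"]))
        results["audit_entries"] = len(manifest["audit_trail"])
        return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` verifies the faithful copy as intact and reports the altered copy's modified and missing files, with both verifications recorded in the manifest's audit trail.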

In conclusion, both authenticity and reliability play a crucial part in determining whether artefacts of

evidentiary value can be considered as evidence or not. Without these two characteristics, chances are

that the court may dismiss the forensic data as forensically unsound.

6.6 Summary

Although intense research still needs to be done before Live Forensic Acquisition can formally be introduced

into Law Enforcement, the preliminary study in Chapter 6 shows that Live Forensic Acquisition measures

up to traditional Digital Forensics. When the volatile nature of forensics as a whole (including Live Forensics,

traditional Digital Forensics and traditional Physiological Forensics) is considered, the possibility of

forensic soundness becomes a reality. However, similar to Physiological Forensic practices, minor (controlled)

modifications should be allowed without rendering the Digital Forensic evidence inadmissible in court.

In summary, the 13 drivers identified from Chapter 6 to contribute to the development of the Liforac model

are as follows, with the originating paragraph between brackets:

• A complete definition of forensic soundness contributes directly to the understanding of the

Liforac model (Paragraph 6.1);

• Digital Forensics is a technical application of computer related knowledge. This fact has a direct

impact on the discipline of Live Forensics and can contribute to the Knowledge level of the

Liforac model (Paragraph 6.1);

• Rejected forensic evidence can either hurt the case, or portray the investigators as incompetent.

These aspects have a practical influence on the Liforac model, since investigators will use the


model to enhance the current investigation process. This aspect has a direct influence on the

legal aspects of the Liforac model and the admissibility of evidence in court (Paragraph 6.2);

• Correct terminology is “… artefacts of potential evidentiary value” (Paragraph 6.2);

• An expert witness may elicit professional opinions regarding the validity of a theory and the reliability

of specific tools. This driver directly impacts the forensic soundness of evidence, the foundation

of the Liforac model (Paragraph 6.2);

• Well-known heuristics are needed to establish the admissibility of expert evidence. These heuristics

form an integral component of proving the forensic soundness of evidence (Paragraph 6.2);

• Legal admissibility is the characteristic of a piece of evidence that determines whether it will be

accepted in court. This driver has a direct influence on the Liforac model (Paragraph 6.2.3);

• To ensure the acceptance of digital evidence, forensic investigators should maximise the evidential

weight of a document by setting up authorised procedures and being able to demonstrate in

court that those procedures have been followed. This fact also has a direct impact on the Liforac

model (Paragraph 6.2.3);

• This chapter introduced two main elements to demonstrate the authenticity of electronic records.

Since authenticity is crucially important in admitting evidence to court, this driver is very important

to the development of the Liforac model (Paragraph 6.2.3);

• Chapter 6 gives some guidelines on how to ensure admissibility. This links with many of the other

drivers and directly impacts on the success of the Liforac model (Paragraph 6.2.3);

• In both traditional and Digital Forensic measures, courts should allow the minor alteration of

original evidence, without altering evidence in such a way that the meaning thereof changes.

This practice is similar to the current practice in Physiological Forensic sciences and will enable

the full implementation of the Liforac model (Paragraph 6.3);

• The Heisenberg uncertainty principle and the observer effect explain the volatile nature of both digital

and traditional forensics. These principles give a better understanding of the working of forensics,

and can assist the forensic investigators in understanding the Liforac model (Paragraph 6.4);

• Both authenticity and reliability play a crucial part in determining whether artefacts of evidentiary

value can be considered as evidence or not (Paragraph 6.5).

When considered individually, most of these drivers suggest a legal or regulatory component. More

than half of these drivers suggest a relation with knowledge. Depending on the drivers identified in

subsequent chapters, these themes may influence the identification of possible dimensions for the Liforac

model. The themes will be addressed in Chapter 9.

Chapter 6 fulfilled Objective C, Identify sound forensic techniques. This chapter gave some insight into

the history of admissibility in court and forensic soundness. It showed the differences between Digital

Forensic practices and Physiological Forensic practices. In addition, this chapter also looked at the

volatile nature of all forensic evidence and investigations. In general, all the aspects considered in

Chapter 6 link to some extent to the forensic soundness principle, or at least to admitting evidence to


court. Holistically, Chapter 6 provides sufficient information to be able to identify a number of sound

forensic principles.

Part 3 will next discuss Digital Forensics and the judicial system with Chapter 7 focusing specifically on

Cyber Crime and Cyber Criminals. This part follows on Part 2, building the knowledge on cyber crimes

as the reason for Digital Forensics.


Part 3: Digital Forensics and the Judicial System

This study, Liforac - A Model For Live Forensic Acquisition, divides into four distinct parts (originally

presented in Figure 1-1). Figure Part 3-1 presents the status of the Liforac model development study.

Figure Part 3-1: Part 3 of the Liforac model development study

Part 3, Digital Forensics and the Judicial System, investigates the legalities of both cyber crime and Digital

Forensics. It comprises two chapters of the study.

Chapter 7, Cyber Crime and Criminals, looks at the classification of cyber crime and provides

background on the subject. Additionally, it investigates the different types of cyber crime addressed by

Live Forensic Acquisition, the reasons for cyber crime as well as the occurrence of cyber crime. Chapter

7 clearly defines the difference between cyber crime and crime committed in the real world.

Chapter 8, Cyber Crime Legal Aspects, identifies current global laws addressing cyber crime. This

chapter also identifies a cyber crime framework and identifies some legal challenges regarding Forensic

Acquisition. Chapter 8 draws some links between Digital Forensics and other related disciplines.

These two chapters focus on the external links between forensic technology and the judicial system, and

form an important part of proving the technology admissible in court. Chapter 7 will now introduce cyber

crime and cyber criminals.


Chapter 7: Cyber Crime and Criminals

“Cyber panic is all about the demonization of a new form of technology, where that technology is automatically perceived as a crime or a criminal instrument”

- Shamburg

Part 3, Digital Forensics and the Judicial System, forms an important part of this research study. Chapter 7

looks at the crimes committed that necessitate Live Forensic Acquisition - cyber crime. To illustrate the

role of laws and the legal system as an integral part of the application of Live Forensic Acquisition, it is

necessary to investigate the term cyber crime in-depth.

Chapter 7 firstly defines cyber crime. It also looks at different types of cyber crime, cyber crime incidents

and the classification of cyber crime. The chapter looks at the occurrence of crime, reasons why people

commit cyber crimes, as well as famous court cases involving some form of cyber crime or Digital

Forensics.

Figure 7-1 indicates the current level of progress with regard to identifying building blocks for the Liforac

model. Chapter 7 fulfils Objective D, Crimes and criminals (originally presented in Figure 2-2). Figure

7-1 indicates that the preceding chapters already addressed Objectives A, B and C.

Figure 7-1: Liforac model progress - Crimes and criminals (Own compilation)

The concept of cyber crime is two-fold. On the one hand, the criminal act plays a dominant part in this

chapter, but a crime is always committed either by an individual or by a group of people. This chapter will


look at both instances. Chapter 7 contributes indirectly to the Liforac model, by creating an understanding

of the environment in which cyber crimes take place.

7.1 Introduction

Originally, computer crime only constituted the theft of electronic money, and unauthorised access and

alteration of data. However, after the introduction of viruses and other malicious software in the early

1980s, a more rigid legislative opinion emerged regarding computer related crime (Maat 2004:7).

South African Jurisdiction

An additional complication associated with cyber crime is the fact that the relevant jurisdiction is difficult

to determine (Maat 2004:205). Generally, when a crime is committed outside the borders of the Republic

of South Africa, a South African court does not have jurisdiction to adjudicate the suspects. The ECT Act

of 2002 (Maat 2004:206) provides guidelines in accordance with the provisions of the Convention of

Cyber Crime. Section 90 of the Act states:

• “A court in the Republic trying an offence in terms of this Act has jurisdiction where

- The offence was committed in the Republic;

- Any act of preparation towards the offence or any part of the offence was committed in

the Republic, or where any result of the offence has had an effect in the Republic;

- The offence was committed by a South African citizen or a person with permanent

residence in the Republic or by a person carrying on business in the Republic; or

- The offence was committed on board any ship or aircraft registered in the Republic or on

a voyage or flight to or from the Republic at the time that the offence was committed”.

Sharp Increase in Cyber Crime

Whatever the situation might be regarding jurisdiction of cyber crime, this serious matter has shown a

rapid increase in the past few years. According to Berghel (2003:15), computer scientists have branded

August 2003 as the worst month recorded for Internet malware. He states that Carnegie Mellon’s

Computer Emergency Response Team (CERT) Coordination Centre detailed the number of reported

incidents rising from six in 1988 to 82,094 in 2002. In the first half of 2003, computer users reported an

additional 76,404 incidents. To worsen these figures, it is estimated that the costs associated with cyber

crimes rose annually from 2003 by about 300% (Kjaerland 2006:522).

Criminals tend to exploit the speed, convenience and anonymity of modern technology more and more to

commit a diverse range of crimes (Interpol 2007:1). Since cyber crime is in many instances a silent,

unseen crime committed by anyone with sufficient knowledge, it is very tricky to classify cyber criminals

appropriately. The original stereotype of hackers was smart, socially outcast males between the ages of


sixteen and thirty with poor social skills. These individuals take pleasure in writing and releasing software

exploits (Phair 2007:1). Following the trends of traditional crime, cyber crime can also involve well-

organised and hierarchical criminal syndicates.

The increase in cyber related crime is tremendous, and therefore it is crucial to find a forensic acquisition

technique that is fast, easy to use and admissible in a court of law. The next section provides a formal

definition of computer crime and introduces the reader to the different types of computer crime and the

classification thereof.

7.2 Definition

Cyber crime is the latest and one of the most complex problems facing the cyber realm. Although cyber

crime leans strongly towards conventional crime, it is much more complicated with a range of exceptions

that make every case a unique application of the law. Pati (2003:1) defines crime as “… a social and

economic phenomenon and is as old as human society… Crime or an offence is a legal wrong that can be

followed by criminal proceedings which may result into punishment.”

The definition for cyber crime is more extensive. The 10th United Nations Congress on the Prevention of

Crime and the Treatment of Offenders extends the definition of cyber crime as a misdemeanour to include:

• unauthorised access;

• damage to computer data or programs;

• sabotage to hinder the functioning of a computer system or network;

• unauthorised interception of data to, from and within a system or network; and

• computer espionage (Shinder 2002:17).

The South African ECT Act 25 of 2002 adds the following instances to the definition of cyber crime:

• intentional and unauthorised access to, interception of or interference with data;

• computer related extortion, fraud and forgery; and

• attempting, aiding or abetting the above (South Africa 2002:Internet).

Cyber Crime Characteristics

According to Brenner (2004:9), real world crime possesses four characteristics: proximity, scale, physical

constraints and patterns. By looking at these characteristics, it is clear that real world crime and cyber

crime are quite different.

• Firstly, cyber crime does not require physical proximity between the victim and the

criminal. Cyber crime is completely unbound and the criminal only needs a computer linked to

the Internet to make his/her attack (Brenner 2004:15).


• Secondly, small scale is rarely applicable to cyber crime. Unlike real world crime, criminals

can automate cyber crime to commit thousands of crimes quickly and with little effort. One-to-

many victimisation is a realistic scenario for cyber crime, creating problems for Law Enforcement.

In the real world crime scenario, officers react to a crime by investigating, identifying and arresting

the perpetrator. This scenario assumes that crime is committed on a limited, manageable scale

and that Law Enforcement officers can react to individual crimes (Brenner 2004:14,15).

• Thirdly, cyber criminals avoid the physical constraints that govern real world crime. Cyber

crime can be committed instantaneously and more than one crime at a time. For example, a

real world bank robbery needs to be planned carefully and executed with extreme caution to not

attract the attention of security personnel. However, a cyber criminal can commit a virtual bank

robbery and deposit the funds into accounts in several countries before Law Enforcement

learns that a crime has been committed. Cyber criminals exploit Law Enforcement’s reactive

strategy that is considerably less effective in the virtual world than in the real world. The virtual

crime scene is further complicated since criminals are never physically present at the crime

scene. Cyber criminals can take advantage of anonymity or pseudonymity (Brenner 2004:16).

• Lastly, it is very difficult to identify offender-offence patterns comparable to those for real

world crime. As a result, it is very difficult to combat cyber crime effectively, partly because

investigators do not document it accurately. In addition, countries do not track cyber crime

properly when compared to real world crime. This is largely due to a lack of standardised

definitions and procedures of cyber crime (Brenner 2004:17).

Cyber Crime Differs from Traditional Crime

It is possible to define cyber crime broadly as criminal acts involving computers and networks. McConnell

International states that cyber crime differs in four distinct ways from crimes committed in the real world:

• it is easy to learn how to commit cyber crimes;

• cyber crimes require few resources relative to the potential damages caused;

• they can be committed in a jurisdiction without being physically present in it; and

• it is often not clearly illegal (Chizoba 2005:2).

To put the topic of cyber crime into perspective, the next section will discuss the different types of cyber

crimes that exist.

7.2.1 Types of Cyber Crime

Cyber crime is an all-rounded topic with a vast range of different types and classes. Not only is cyber crime

a mysterious phenomenon, but it is also ever expanding. Pati (2003:5) classifies cyber crime as follows:

• Stalkers use the cyber realm as medium. This crime involves following a person's movements

across the Internet. Stalkers either post hostile messages on bulletin boards or enter chat rooms


frequented by the victim. Additionally, they can resort to harassment via e-mail (Pati 2003:7).

CyberAngels is an online safety education programme that serves as a virtual learning

community. One of its functions is to educate both parents and kids about the occurrence of

cyber stalkers. It also provides school programmes and online mentoring for victims of cyber

stalking (CyberAngels 2007:Internet).

• Stalkers use e-mails as a medium for harassment. Harassment through e-mails and SMSes has succeeded

harassment via letters. Although this type of crime may not cause physical harm, it can be a

source of emotional distress to the receiver (Pati 2003:7). In a recent case of cyber stalking,

Jack Jordan was convicted of second-degree aggravated harassment on actress Uma Thurman.

Jordan was sentenced to three years probation and was committed to a mental institution

(People’s Daily Online 2008:Internet).

• Criminals disseminate obscene material. This type of crime includes indecent exposure and child

pornography, and constitutes the use of computers for producing, downloading or distributing these

obscene materials (Pati 2003:7). Although conviction of this type of crime can lead to

imprisonment, courts also often require offenders to register as sex offenders. Related to this is

cyber grooming. This crime involves actions deliberately undertaken with the aim of befriending

and establishing an emotional relation with a child, with the intention of sexual abuse.

• Criminals use the Internet to defame other individuals. Defamation is the act of making a statement about a person with the intent to lower that person in the estimation of right-thinking members of society, exposing the victim to hatred, disrespect and ridicule. Cyber criminals may commit defamation by hacking someone's e-mail account and sending mail from the account with malicious intent (Pati 2003:7). There is a very fine line between freedom of speech and libel (written defamation) on the Internet. http://theantimadonnaboard.yuku.com is an example of a website used to defame an individual.

• Criminals gain unauthorised control of or access to computer systems. Generally referred to as hacking, this crime involves gaining unauthorised access to computer media (Pati 2003:7). In what is referred to as "… the biggest military computer hack of all times", Gary McKinnon is accused by the United States of causing about R5 million (US$700 000) worth of damage by hacking into 97 American military computers at the Pentagon and NASA combined. He is also charged with stealing 950 passwords and deleting files at the Earle naval weapons station in New Jersey, and faces up to 70 years in prison (Harris 2008:Internet).

• E-mail spoofing. A spoofed e-mail misrepresents its origin and may fool the recipient into opening an attachment containing a virus or a Trojan (Pati 2003:7). Because SMTP itself does not verify the sender, a criminal can forge the From address simply by changing the identity settings of a standard e-mail client; recipients who trust the forged sender may open the attachment and have their computers turned into spam-sending bots.

• Criminals can vandalise computers. Vandalism means deliberately destroying or damaging the property of another. This crime includes any kind of physical harm done to another person's computer or its peripherals, as well as the theft of a computer, parts of a computer or peripherals attached to the computer (Pati 2003:8).


• Criminals unlawfully trade in Intellectual Property (IP). This crime refers to any unlawful act that deprives the rightful owner of intellectual property completely or partially of his rights. It includes software piracy, copyright infringement, trademark and service mark violation and theft of computer source code (Pati 2003:8).

• Criminals can transmit viruses/worms. This includes the deliberate dissemination and distribution of malicious software (Pati 2003:8). The creator of the well-known and highly destructive Melissa virus, David Smith, was sentenced to 20 months in prison and fined almost R40 000 (Teather 2002:Internet). Before the enactment of the South African ECT Act of 2002, South African authorities could not charge virus creators with a cyber crime. Instead, in 2004, Berend Howard was charged with malicious damage to Edcon property after loading a virus onto the computers of Edgars. This virus affected up to 700 stores and cost the company R20 million in trading losses and damage control (SABC News 2004:Internet).

• E-mail bombing. This crime refers to sending a large volume of e-mail to the victim, disrupting the victim's mailbox or mail server (Seth 2007:5). It is a form of denial of service (DoS) attack: the victim's system is flooded with more requests than it can handle, causing it to crash (Pati 2003:5). When the flood originates from many compromised machines at once, it is a Distributed Denial of Service (DDoS) attack.

• Criminals can commit cyber terrorism against the government. A cyber terrorist uses a computer

system as a means to put the public in fear. Their intention is often to adversely affect the harmony

between different religious, racial, language or regional groups, castes or communities. The

ultimate goal is to repress the government or to endanger the sovereignty and integrity of the

nation. Internet-based terrorist attacks include DDoS attacks, attacks on sensitive computer

networks, hate websites and hate emails. A formal definition of cyber terrorism is “… the

premeditated use of disruptive activities, or the threat thereof, in cyber space, with the intention

to further social, ideological, religious, political or similar objectives, or to intimidate any person in

furtherance of such objectives” (Pati 2003:9).

• Criminals illegally traffic in goods. Trafficking may refer to many different items, such as drugs, human beings and weapons. In the cyber realm, trafficking often goes undetected since code words are used; for example, traffickers refer to drugs as honey.

• Criminals resort to fraud, cheating and stealing information. Online fraud and cheating may assume

different forms, ranging from credit card crimes and contractual crimes, to offering illegitimate jobs

and identity theft (Pati 2003:9). In South Africa, a syndicate using high-tech spyware has

defrauded the KwaZulu-Natal government of more than R199 million over the past three years. In

response to this type of serious cyber fraud, the provincial government launched a project called

“Operation Unumbeza”, translated to “Operation Conscience” (Naidoo 2008:Internet).

• Salami attacks. These attacks relate primarily to financial crime and involve small alterations to software, each of which goes unnoticed on its own. For example, a bank employee inserts a programme into the bank's servers that deducts a small amount from every customer's account and accumulates the proceeds. Salami attacks can extend to web jacking (Seth 2007:5). Numerous variations exist. In 1993, four executives of a rental-car franchise in Florida, United States of America, were charged with defrauding at least 47 000 customers. The defendants allegedly modified a computer billing programme to add five extra gallons to the actual fuel tank capacity of their vehicles, so that customers who returned a rental car without filling the tank paid inflated rates for fuel they had never used (Kabay 2002:Internet).

• Criminals resort to web jacking. This crime derives its name from hijacking. It is an offence in which the hacker gains access to and control over the website of another, often mutilating or changing the site's information (Pati 2003:5). Web jacking is often associated with zombie networks, in which a group or an individual takes control of a number of individual computers to use them as distribution points for malicious code, or as zombies in attacks against other websites. This class of computer crime links strongly to DDoS attacks.

• Criminals can diddle data. This crime involves altering raw data just before a computer processes it and changing it back once the processing completes (Pati 2003:5), for example when a person entering accounting data changes the input to show that an account is paid in full whilst the opposite is true. Based on court cases and criminal reports, it is estimated that worldwide more than R6 300 million is lost yearly due to data diddling (Usborne 1996:Internet).

• Criminals create logic bombs. Criminals use software to do something only when a trigger event

occurs. For example, criminals may programme a system to crash on a specific date and time

(Pati 2003:5). A disgruntled employee may even programme a logic bomb to search for his/her

name in the employee record on a daily basis. Should the name not be found, the bomb would

figuratively explode, causing damage to the computer system.
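The e-mail spoofing entry above notes that a forged sender address is enough to fool a recipient. The following Python script is an added example, not code from the thesis or from any of its cited sources: it parses a constructed message with the standard library and reports the header inconsistencies an analyst would look for when a From: line is suspect (envelope sender, Reply-To, Message-ID and first-hop host disagreeing with the From: domain, and an SPF failure recorded by the receiving mail server). The two sample messages, the hosts and the domains (bank.example, mailer.example.net, mx.victim.example) are invented for the demonstration.

```python
"""Header consistency checks for a suspected spoofed e-mail.

Added example, not code from the thesis: all domains, hosts and the sample
messages below are constructed for the demonstration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed spoofed message: From: claims bank.example, but the envelope
# sender, Reply-To, Message-ID and submitting host all belong to
# mailer.example.net, and the receiving MTA recorded an SPF failure.
SPOOFED_MESSAGE = """\
Return-Path: <bulk-7731@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.9])
 by mx.victim.example (Postfix) with ESMTP id 4F2A1
 for <alice@victim.example>; Mon, 12 Jan 2009 09:14:02 +0200
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mailer.example.net
From: "Bank Security" <security@bank.example>
Reply-To: <verify-account@mailer.example.net>
To: alice@victim.example
Subject: Your account has been suspended
Message-ID: <20090112071402.4F2A1@mailer.example.net>

Please open the attached statement and confirm your details.
"""

# Constructed legitimate message for comparison: every header agrees.
LEGIT_MESSAGE = """\
Return-Path: <security@bank.example>
Received: from mail.bank.example (mail.bank.example [198.51.100.4])
 by mx.victim.example (Postfix) with ESMTP id 4F2A2
 for <alice@victim.example>; Mon, 12 Jan 2009 09:20:11 +0200
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example
From: "Bank Security" <security@bank.example>
To: alice@victim.example
Subject: Your January statement
Message-ID: <20090112072011.4F2A2@mail.bank.example>

Your statement is available in online banking.
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address header value ('' if none)."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


def same_org(host: str, domain: str) -> bool:
    """True if host is the domain itself or a sub-domain of it."""
    return host == domain or host.endswith("." + domain)


def spoof_indicators(raw_message: str) -> list:
    """Return the header inconsistencies that suggest a forged From: line."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    found = []

    # 1. Envelope sender (what SMTP MAIL FROM actually carried) vs. From:.
    rp = domain_of(msg.get("Return-Path", ""))
    if rp and not same_org(rp, from_domain):
        found.append(f"return-path domain {rp} differs from From: domain {from_domain}")

    # 2. Replies redirected away from the claimed sender.
    reply = domain_of(msg.get("Reply-To", ""))
    if reply and not same_org(reply, from_domain):
        found.append(f"reply-to domain {reply} differs from From: domain {from_domain}")

    # 3. Message-ID minted by a host outside the claimed sender's domain.
    msgid_host = str(msg.get("Message-ID", "")).strip("<> ").rpartition("@")[2].lower()
    if msgid_host and not same_org(msgid_host, from_domain):
        found.append(f"message-id generated at {msgid_host}, not under {from_domain}")

    # 4. The earliest hop is the bottom-most Received: header; compare the
    #    host that handed the message to our MTA with the claimed sender.
    received = msg.get_all("Received") or []
    if received:
        m = re.match(r"\s*from\s+(\S+)", str(received[-1]))
        if m and not same_org(m.group(1).lower(), from_domain):
            found.append(f"message submitted by {m.group(1)}, not a {from_domain} host")

    # 5. What the receiving MTA concluded from SPF/DKIM/DMARC, if anything.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth):
        found.append("receiving MTA recorded an SPF/DKIM/DMARC failure")
    elif not auth:
        found.append("no Authentication-Results header: origin never verified")
    return found


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(f"{label}: {spoof_indicators(raw) or 'no indicators'}")
```

None of these checks is proof on its own (mailing-list relays and outsourced mail providers legitimately produce some of them), which is why the function returns the full list of indicators for an analyst rather than a single verdict; the Authentication-Results line is the strongest signal because it was written by the receiving server, not by the sender.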

Although there are quite a number of different cyber crimes, many of them overlap, and two or more different cyber crimes often go hand in hand. The next section looks more specifically at the incidence of these cyber crimes.
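The salami attack and data diddling entries in Paragraph 7.2.1 describe two manipulations of financial records: skimming a small amount from every transaction, and altering input just before processing and restoring it afterwards. The following Python script is an added example, not code from the thesis or its sources. It models a small transaction batch (constructed figures, integer cents) and shows the two controls that catch these manipulations: sealing the batch with a hash at capture and verifying the seal at processing time, and reconciling per-account balance changes against the input rather than only checking a batch control total, which a skim leaves unchanged. The account names, the suspense account and the amounts are invented.

```python
"""Integrity controls against salami skimming and data diddling.

Added example, not code from the thesis. The transaction batch, account
names and amounts are constructed; amounts are integer cents.
"""
import hashlib
import json
from collections import defaultdict

# Constructed input batch as captured at the point of entry.
RAW_BATCH = [
    {"txn": 1, "account": "ACC-001", "amount_cents": 125000},
    {"txn": 2, "account": "ACC-002", "amount_cents": -4250},
    {"txn": 3, "account": "ACC-003", "amount_cents": 99999},
    {"txn": 4, "account": "ACC-001", "amount_cents": -30000},
]


def seal_batch(batch) -> str:
    """Hash the batch in canonical form at capture time; the digest is kept
    where the data-entry clerk cannot write to it."""
    digest = hashlib.sha256()
    for record in batch:
        digest.update(json.dumps(record, sort_keys=True, separators=(",", ":")).encode())
        digest.update(b"\n")
    return digest.hexdigest()


def verify_batch(batch, seal: str) -> bool:
    """Check the seal immediately before processing. Diddled input fails
    here even if the clerk restores the original value afterwards."""
    return seal_batch(batch) == seal


def post(batch, skim_cents: int = 0, skim_account: str = "SUSPENSE-9"):
    """Apply the batch to account balances. skim_cents > 0 models the salami
    program described in the thesis: every posting is short by a few cents
    and the difference accumulates in an account the perpetrator controls."""
    ledger = defaultdict(int)
    for record in batch:
        ledger[record["account"]] += record["amount_cents"] - skim_cents
        if skim_cents:
            ledger[skim_account] += skim_cents
    return dict(ledger)


def control_total_matches(batch, ledger) -> bool:
    """Batch-level control total: sum of inputs == sum of balance changes.
    A skim only moves money between accounts, so this check still passes."""
    return sum(r["amount_cents"] for r in batch) == sum(ledger.values())


def reconcile(batch, ledger):
    """Per-account reconciliation: (account, unexplained_cents) for every
    account whose balance change differs from the inputs that name it,
    including accounts credited without any input naming them."""
    expected = defaultdict(int)
    for record in batch:
        expected[record["account"]] += record["amount_cents"]
    findings = []
    for account in sorted(set(expected) | set(ledger)):
        diff = ledger.get(account, 0) - expected.get(account, 0)
        if diff:
            findings.append((account, diff))
    return findings


def demo():
    """Run both controls against an honest run, a diddled batch and a skim."""
    seal = seal_batch(RAW_BATCH)
    diddled = [dict(r) for r in RAW_BATCH]
    diddled[1]["amount_cents"] = 4250  # debit flipped to "paid in full"
    skimmed = post(RAW_BATCH, skim_cents=1)
    return {
        "honest_seal_ok": verify_batch(RAW_BATCH, seal),
        "diddled_seal_ok": verify_batch(diddled, seal),
        "honest_reconcile": reconcile(RAW_BATCH, post(RAW_BATCH)),
        "skim_passes_control_total": control_total_matches(RAW_BATCH, skimmed),
        "skim_reconcile": reconcile(RAW_BATCH, skimmed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the two controls is timing and granularity: the seal must be checked at the moment of processing, because the diddler restores the data afterwards, and the reconciliation must be per account, because the skim is invisible to any check that only sums the whole batch.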

7.2.2 Cyber Crime Incidents

The number of cyber crime incidents is rapidly increasing and is a major global concern. The Korean National Police Agency (KNPA 2007:Internet) presents crime statistics in Table 7-1, according to crime type, compiled from incidents between 2002 and 2006. Most categories rise over the period; piracy fluctuates rather than rising steadily, Internet fraud falls in 2006 after peaking in 2005, and the "other" category declines in both 2005 and 2006, which pulls the 2006 total slightly below that of 2005. Although this list is by no means exhaustive, it covers the most common types of cyber crime.

Although all these security incident figures are official, they cannot be exact. Not all organisations report security incidents (discussed in Paragraph 5.1). In fact, the director of the CERT Coordination Centre estimates that as much as 80% of all actual security incidents go unreported (Kjaerland 2006:523). Therefore, the only concrete fact derived from these figures is that they are a lower bound: at least the mentioned number of incidents occurred. The next section discusses the classification of the different cyber crimes.


Table 7-1: Cyber crime statistics by type (KNPA 2007:Internet)

Year   Total   Hacking, virus   Internet fraud   Cyber violence   Illegal websites   Piracy   Other
2002   41900    9707            19395             4726              862              1778     5432
2003   51722    8891            26875             4991             1719               677     8569
2004   63384   10993            30288             5816             2410              1244    12633
2005   72421   15874            33122             9227             1850              1233    11125
2006   70545   15979            26711             9436             7322              2284     8813

7.2.3 Classification of Cyber Crime

There is a significant difference between the types of cyber crime and the classification of cyber crime. Paragraph 7.2.1 listed the different types. Each type can be further classified according to the victim group, and Table 7-2 clusters the types according to the group affected by the crime.

Table 7-2: Cyber crime classification (Adapted from: Pati 2003:10, Seth 2007:5)

Crimes against individuals   Crimes against individual property   Crimes against organisations             Crimes against society
Information theft            Information theft                    Information theft                        Information theft
Hacking                      Hacking                              Hacking                                  Child pornography
Obscene material             IP crimes                            Cyber terrorism                          Obscene material
Indecent exposure            Computer vandalism                   Pirated material                         Financial crimes
Harassment via e-mails       Netrespass                           E-mail bombing                           Sale of illegal articles
Defamation                   Internet time thefts                 Salami attacks                           Online gambling
Salami attacks               Salami attacks                       Possession of unauthorised information   Forgery
Email spoofing               Transmitting viruses                 Data diddling                            Salami attacks
Cheating and fraud           Logic bombs                                                                   Trafficking
Cyber-stalking               DOS attacks

A study done by the School of Information Systems Technology and Management at the University of

New South Wales, Australia, identifies a number of key issues concerning cyber crime in the current

Information Security environment:

• Jurisdiction is unclear. Difference in jurisdiction between state and federal legislation can create

confusion and loopholes aiding cyber criminals.


• Computer evidence presentation is difficult. Related to jurisdictional difficulty, legislation of

individual countries differs regarding presentation and admissibility of computer evidence

(Brungs & Jamieson 2005:59). Even worse, gaps in national criminal laws mean that cyber crime

is unpunished in many countries worldwide (Ticehurst 2000:Internet).

• Some cases require the presentation of original evidence. This scenario may cause many problems

in the event of an appeal situation, as the computer is no longer in its original state. This issue

reiterates the lack of a best practice guide for Digital Forensics (Brungs & Jamieson 2005:59).

• The legal sector is not computer literate enough. A low standard of computer literacy in the legal

sector could potentially have a negative impact on the Digital Forensic domain. This sector tends

to place unrealistic and incorrect demands upon electronic evidence.

• Records need to remain confidential. Evidence collection forms an important part of Digital

Forensics work. Appropriate legislative mechanisms should be in place to ensure that evidence

collection does not infringe on professional privilege rights.

• Criminal prosecution differs from civil trial. The study suggests that investigators should research the differences between a criminal prosecution and a civil trial and the impact those differences have. The aim is to allow the Digital Forensic field to progress beyond its police and government-regulator base. In many situations, companies are not looking to prosecute an offender, but rather to stop the incident and prevent it from recurring.

• Information access and exchange needs to be controlled. This issue relates to the preservation

of clients’ privacy while gaining enough information to complete an investigation successfully.

• Privacy and workplace surveillance is an issue. The introduction of privacy legislation created

uncertainty in Digital Forensics with regard to what is permissible behaviour in collecting and

retrieving personal information, and what is an infringement of an individual’s right to privacy

(Brungs & Jamieson 2005:60).

• International agencies need to cooperate. International cooperation is essential for Digital Forensics

work since digital evidence collection often crosses national borders. The inability to work in real-

time intensifies this problem (Brungs & Jamieson 2005:61).

• Launching actions against unknown people in a civil trial is difficult. To subpoena information such

as the offender’s identity from communication companies, investigators need to launch a civil

case. However, it is not possible to launch a civil action against unknown persons. Civil action

requires that investigators name a person.

• Technical issues include the testing of tools and techniques. To ensure complete functionality

and validity, all forensic experts should conduct a third-party validation of tools and techniques.

This is to ensure that investigators apply a scientific methodology within the field to guarantee

repeatability and verification of techniques and findings.

• Qualifications include expert witness skills and techniques. Guidelines for defining an expert witness should be drawn up, incorporating required skill sets, minimum working experience, and formal qualifications such as a university degree or commercial certification (Brungs & Jamieson 2005:62).


This classification of cyber crimes is rather extensive and will be useful in the development of the Liforac model as a comprehensive, forensically sound model. Section 7.2 looked in detail at many different classifications of, and views on, cyber crime. Not only will this information aid the understanding of the forensic discipline, but it also stresses the importance of Digital Forensics as an aid to combat cyber crime.

7.3 Occurrence of Cyber Crime

Computer-related crime is one of the fastest growing forms of crime worldwide. According to Wolfgang

Selzer, head of security at a South African Information Technology Solutions and Consulting Services

company, cyber crime had become a R703 billion business per year. It officially passed the value of the

international illegal drug trade (News24 2007:Internet). Nykodym et al. (2005:264) claim that the

reported total loss from cyber crime increased annually in 2000, 2001 and 2002 to R2,075 million,

R2,961 million and R3,525 million respectively. Unfortunately, the trend to have a completely paperless

office environment feeds the growth of cyber crime.

Although the first commercial computer only became available in 1950 (AC 2007:Internet), the first recorded cyber crime is often dated to 1820. Joseph-Marie Jacquard, a textile manufacturer in France, produced a loom controlled by pasteboard cards with holes punched in them; in essence, it was the first machine to use punch cards to create textile designs (Computer History Museum 2009:Internet). Jacquard's employees feared retrenchment, should the new device be able to replace them, and sabotaged the loom to discourage him from using the new technology further, committing what is cited as the first recorded crime of the cyber crime type (Planet India 2001:Internet).

The Korean National Police Agency (KNPA 2007:Internet) did an in-depth study on cyber crime. Their analysis shows that students commit 13.3% of cyber crimes, unemployed individuals 29.6%, company workers 16.6% and self-employed individuals 17.9%. The remainder (about 22%) is unclassified.

External Opportunity for Cyber Crime

Although the occurrence of cyber crime is increasing, it is very difficult to catch perpetrators. In part, the

application of the current legal system contributes to this. The principle of placing the criminal at the

scene falls away completely. In fact, the real perpetrator may have many alibis, but could still have

committed the crime - cyber crime does not require a physical presence of the perpetrator. This is

possible because many of the cyber crimes allow for some time delay (Nykodym et al. 2005:266).

Additionally, cyber crimes often go unnoticed at first. In a conventional crime involving money, the responsible person will notice the loss the next time he/she counts the money. However, if the perpetrator steals data, the responsible person might not notice until the perpetrator uses the stolen information or makes it public. The original data may remain intact, whilst the perpetrator merely makes an illegal copy. In the same regard, cyber criminals can enter a system in more than one way: they can steal data from the main server or the backup server, whilst the data are in transit between two points, or from a web page or application programme (Nykodym et al. 2005:266).

The increasing role of Internet sales, the massive amount of sensitive data transferred through the

computerised information systems and the overpowering storage abilities online all contribute to the

growing threat of cyber crime. In 2002, organisations reported more than R1,332 million of loss due to

theft of proprietary information, such as customer and product databases (Nykodym et al. 2005:264).

Recent statistics from the US Internet Crime Complaint Centre show an increase in total reported losses from about R1,84 billion ($191 million) in 2006 to about R2,23 billion ($231 million) in 2007 (rand amounts converted on 22 December 2008) (McMillan 2008:Internet).

Adding to this existing problem, organisations put more value on their information. If the power is off and

employees cannot use their computers, many organisations come to a complete standstill. Employees

are hugely dependent on their electronic environment and the information stored within that environment.

Cyber criminals are aware of this matter and accordingly hit organisations where it hurts the most: their

information (Nykodym et al. 2005:264).

Insider Opportunity for Cyber Crime

Insider cyber crimes are a major component of cyber crime today. Employees commit these crimes

against their employing organisation, generally exploiting information only available to employees.

Research done by Nykodym et al. (2005:264) shows that cyber crimes committed by managers generally account for greater amounts of money on average, although such cases are fewer. With sufficient computer knowledge, authority and capabilities ensuring access to the system, organisation insiders can easily hide their crimes. Nykodym suggests that insiders commit more than 70% of all computer crime directed toward companies.

In Mumbai, India, more than 90% of reported cyber crime cases never make it to a court of law. Mukund

Pawar, senior investigator at the Cyber Crimes Investigation Cell, says, “… When the victim approaches

us with a complaint, he or she is unsure who might be behind the crime. But once they come to know

about the accused, they tend to withdraw their complaint thinking it would be embarrassing for them to

face people in society”. More often than not, investigations reveal that neighbours, ex-lovers or jealous friends committed some kind of fraudulent act over the Internet, and complainants then prefer to settle the matter privately (Shelar 2007:Internet).

Cyber crime has been occurring more regularly since the creation of the Internet. However, authorities still do not address this problem properly, since governments impose different and often conflicting legislation to deal with this type of crime. The Council of Europe's Convention on Cybercrime, a treaty intended to establish international standards for combating cyber crime, is one step towards addressing this (Nykodym et al. 2005:264). The next section looks at the possible reasons for the high occurrence of cyber crime.

7.4 Reasons for Cyber Crime

There is no conclusive evidence that specific factors or conditions are the decisive contributors to cyber crime. If such factors could be identified and addressed, the occurrence of these crimes would be decreasing rather than increasing. As with real world crime, it is very difficult to isolate one or two factors as the overarching reason. Instead, a number of motivators, combined with a number of convenience factors, ensure that the occurrence of crimes skyrockets. Below is a list of possible reasons for cyber crime:

• Recognition. Generally, young individuals commit cyber crimes in an attempt to be noticed.

The youngsters’ intention is not to hurt anyone in particular.

• Easy money. These individuals are more ambitious and generally motivated by greed. They tend

to tamper with data on the Internet or computer system purely for economic and commercial

gain. They often commit fraud and swindle money off unsuspecting customers.

• Activism. This is the most dangerous of all the causes of cyber crime. Those involved believe

that they are fighting a just cause and do not mind who or what they destroy in their quest to

achieve their goals. These are often referred to as cyber terrorists (Chizoba 2005:3).

• Omnipresent Internet. The number of Internet users consistently grows by 10% a month. This translates into tens of millions of people each month who are not familiar with cyber scams. Accordingly, these newcomers are prime targets. Crime has evolved to profit from the millions of potential victims connected to one global network (Stiennon 2007:1).

• New vulnerabilities. The latest research predicted that the number of viruses will reach 1 million

by the end of 2008 (Pauli 2008:Internet). The amount and type of security vulnerabilities are

accordingly another omnipresent threat.

• Markets for identities and tools. Online trading sites for stolen identities create a market in which thieves sell to more sophisticated criminals. This drastically opened the playing field: an individual no longer needs to be an expert in coding, hacking, credit card merchant accounts, eBay, wire transfers, counterfeiting and money laundering (Stiennon 2007:1). In addition, there are companies that focus on security flaws and vulnerabilities and actually sell details about software vulnerabilities to cyber criminals. The most notorious security flaw merchant is WabiSabiLabi (Popa 2008:Internet).


Therefore, a combination of reasons contributes to the occurrence of cyber crime. However, the most prominent reason by far is the endless possibilities that computers create for cyber criminals to act upon. The next section looks at a number of famous court cases in which computers, forensics or the Internet were involved.

7.5 Famous Cyber Crime Cases

Cyber crime does not only happen to the average person. It is indeed something that can happen to,

and be committed by, famous people. This section looks at some prominent cyber crime incidents and

court cases in which the cyber realm or Digital Forensics played some part.

According to Susan Brenner (Coren 2005:Internet), "… digital evidence is becoming a feature of most criminal

cases". Digital Forensics contributed to many famous criminal cases in the past. Although many of the cases

do not necessarily involve high-tech computer resources, all cases do comply with the definition provided

in Paragraph 7.2. CNN also states that the use of digital evidence, such as emails, hard drives and

Internet files are becoming more common in crimes all over the world (Business Wire 2005:Internet).

Although many types of cyber crime can eventually lead to the murder of someone, it is very rare for police to classify an action as a cyber murder. According to Chizoba (2005:2), this rare phenomenon occurred in the United States in the late 1990s. The incident involved the admission of an underworld figure to hospital for minor surgery. His rivals hired a computer expert to hack into the hospital's computer systems and alter his prescribed medication. The nurse on duty unknowingly gave him too high a dose, triggering a lethal allergic reaction. Technically, authorities can also classify this incident as gaining unauthorised access to a computer system.

The BTK Killer (Bind, Torture, Kill) pleaded guilty in 2005 to 10 murders in Kansas. The police used EnCase (discussed on the accompanying CD, see Forensic tools) to examine a floppy disk sent to a Wichita television station. On this disk, the BTK Killer apparently gloated at the police's inability to catch him (Afentis s.a.:Internet). From the metadata of the documents on the disk, the police identified Dennis Rader as their author and traced the disk back to a computer at the church where Rader served as president of the council (Taub 2006:Internet).

EnCase also played a part in convicting the American Scott Peterson of killing his pregnant wife in 2002. Originally, Peterson was not a suspect. However, a change in his statement and his affair with Amber Frey, which surfaced later, made him the chief suspect (Rocha 2006:2). Peterson's Internet history showed searches for websites detailing the tidal conditions in San Francisco Bay, the site where police found his wife's body (Taub 2006:Internet). The court sentenced Peterson to death in 2005 and he currently remains on death row.


Digital Forensics played an important role in the investigation of the murders of Holly Wells and Jessica Chapman in 2002. Technical analysts examined the network records for one of the girls' mobile phones to establish its location shortly before the murderer presumably switched it off. A handset registers with the nearest base station, and the operator records which cell it was last attached to; the known coverage area of that cell narrows the phone's probable location down to a bounded area. Using this information, authorities had a rough estimate of where to start their search for the two girls (Afentis s.a.:Internet). The court eventually convicted Ian Huntley of the murders and sentenced him to two life sentences.

In 1996, Sharon Lopatka was brutally murdered by Robert Glass. Police identified Glass by examining Lopatka's computer, from which they recovered almost 900 pages of e-mails between Lopatka and Glass, all regarding death and torture fantasies. The police found Lopatka in a shallow grave, where Glass had buried her after tying her hands and feet and strangling her. Glass eventually pleaded guilty to manslaughter in 2000 (Gleason 2007:Internet).

The Enron case made worldwide headlines in 2001. Prosecutors arrived with a virtual mountain of digital

evidence, constituting more than 31 terabytes of data. The FBI gathered this evidence during a five-year

investigation. The FBI made use of the Greater Houston Regional Computer Forensics Laboratory to

assist with the forensic processing of the digital evidence. Combined, these entities processed data from

130 computers, thousands of e-mails, and more than 10 million pages of documents. This investigation

delivered evidence that helped to convict some of the company’s top executives (FBI 2007:Internet).

The large-scale document shredding that took place after the initial Enron whistle blowing sparked this

intense investigation (Wilding 2002:1).

In a very public trial in 2004, a jury found Martha Stewart guilty of conspiracy, obstruction of an agency proceeding and making false statements to federal investigators. She was sentenced to serve a five-month term in a federal correctional facility, five months of home confinement and a two-year period of supervised release (Landon 2006:Internet). Digital evidence also featured in the case: her assistant testified that Stewart altered an electronically recorded phone message from her broker (Watson 2004:1). This message was incriminating evidence that Stewart had received inside information.

In South Africa, the most prominent recent cyber crime case involves the hacker Alistair Peterson. Peterson is a Gauteng computer scientist who headed an elaborate online bank-hacking syndicate. When he was caught in February 2008, he had already gathered R17 million by defrauding businesses, trust funds and corporate accounts. Peterson entered into a plea bargain with the Scorpions (the former Directorate of Special Operations in South Africa, a multi-disciplinary agency that investigated and prosecuted organised crime and corruption), suspending the majority of his sentence. Part of the plea bargain was that he works with the CSIR to develop an anti-virus to prevent further attacks by Regger.W32, a virus programme originally created by him. Although this crime was not solved by means of forensic practices, Peterson confessed afterwards that he enjoyed the forensic side of computers, looking for holes in systems that can be plugged by cyber crime fighters to prevent crooks from getting in (Rondganger 2008:Internet).

It is clear that cyber crimes are not limited to incidents of hacking and identity theft. These real life crimes range from first-degree murder to large-scale fraud and white collar crime. The next section summarises the chapter on cyber crimes and criminals.

7.6 Summary

Chapter 7 looked at the various aspects of cyber crimes: the definition, types and classification,

occurrence and reasons for these types of crimes. Additionally, the chapter also looked at some

prominent court cases involving cyber crime or digital evidence.

In summary, the eight drivers identified from Chapter 7 to contribute to the development of the Liforac

model are as follows, with the originating paragraph between brackets:

• Jurisdiction is difficult to determine when cyber crime is concerned. This global problem facing

cyber crime Law Enforcement contributes to Chapter 10 of the Liforac model (Paragraph 7.1);

• Criminals tend to exploit the speed, convenience and anonymity of modern technology more and

more to commit a diverse range of crimes. Although this aspect may not directly impact the

development of the Liforac model, this knowledge may aid the understanding of why the model is

necessary (Paragraph 7.1);

• The cyber crime definition influences in particular the dimension on laws and regulations of the

Liforac model (Paragraph 7.2);

• Cyber crime differs from real world crime in four prominent aspects. Although this does not

contribute directly to the Liforac model, it may aid the forensic investigator in understanding the

Digital Forensic discipline better (Paragraph 7.2);

• Many different types of cyber crime exist, directly impacting the dimension on laws and

regulations of the Liforac model (Paragraph 7.2.1);

• The number of cyber crime incidents is rapidly increasing. Although this aspect may not directly

influence the development of the Liforac model, it gives an indication of the urgency with

which cyber crime and Digital Forensics should be treated (Paragraph 7.2.2; Paragraph 7.3);

• Cyber crime types can be classified into four distinct groups. This classification contributes to the

forensic investigator’s understanding and need for Digital Forensics (Paragraph 7.2.3);

• There are some key issues concerning cyber crime in the current Information Security

environment. These aspects also contribute indirectly to the Liforac model (Paragraph 7.2.3).


When considered individually, all these drivers suggest a legal or regulatory component. Allowing for

the number of drivers related to this theme and the importance of this theme in relation to the proposed

Liforac model, this theme might influence the identification of possible dimensions for the Liforac model.

The themes will be addressed in Chapter 9.

Chapter 7 addressed Objective D of the study. It included a formal definition of cyber crime and looked

at different types of cyber crime, cyber crime incidents and the classification of cyber crime. This chapter

looked at the occurrence of crime, reasons why people commit cyber crimes and famous court cases

involving some form of cyber crime or Digital Forensics. As part of fulfilling Objective E, Laws, Chapter 8

will now look at existing legislation that covers cyber crime and forensics. This chapter extends Chapter

7’s discussion on cyber crime and ends Part 3 of the study.


Chapter 8: Cyber Crime Legal Aspects

“It is the smaller cases of hacking on normal people and businesses that don’t get given the same type of focus. If each and every cyber crime case was given the same amount of attention as this

one, then the world would be a safer place for us normal users.”

- Tom Newton

Whilst Chapter 7 focuses on cyber crimes and the cyber criminal, Chapter 8 looks at the legalities

regarding these cyber threats. To put current cyber crime legal aspects into perspective, it is necessary

to look at a range of contributing factors and disciplines. Chapter 8 first looks at the legal acceptance of

forensic evidence, then at how forensics fits into the current legal system. This discussion investigates

the relationship between forensics and computer science, forensic science, criminal investigation,

computer security and Information Security, system administrators and businesses.

Chapter 8 briefly looks at the current cyber legislation available. Chapter 8 also looks at global cyber

crime fighting agencies and examines a number of cyber crime frameworks that can contribute directly to

the Liforac model. This discussion on frameworks is extremely important to the study and will be referred

to in the development of the Liforac model in Part 4. It is important to note that Chapter 8 is not a legal

discussion, but rather a technical discussion of a law related subject. All legal references are therefore

from a non-legal, technical viewpoint.

Figure 8-1: Liforac model progress - Laws (Own compilation)


Figure 8-1 indicates the current level of progress with regard to identifying building blocks for the Liforac

model. Chapter 8 fulfils Objective E, Laws (originally presented in Figure 2-2). Objective E is the last of

the objectives to be addressed by this study. Once this objective is addressed, the study will address the

physical development of the Liforac model.

8.1 Introduction

Digital Forensics, being a technical application of computer-related knowledge, can be physically

constrained by a vast number of technical issues. In addition to these limitations, numerous laws strictly bind forensic

investigators to the letter. The implementation of these laws can sometimes be rather complicated (Jones

2007:1).

In contrast to the advantage of the high pace of new technological advances, the same high-paced

development of the judicial system and legislation can be highly detrimental. According to Pati (2003:14),

it is unlikely that cyber crime can be eliminated completely from cyber space. Authorities should rather aim to

minimise and control cyber crime by monitoring cyber crime, making people aware of their rights, their

duty to report crime and the application of laws to regulate cyber crime.

Implementation Problems

The problems regarding the legislation and Law Enforcement of cyber crime are two-fold. On the one

hand, there are simply not enough Law Enforcement officers with appropriate Digital Forensic and

computer crime investigative skills. In American Law Enforcement agencies, there is an average backlog of

six months to a year within the states and major cities. In general, there is limited legal support

training in Digital Forensics law. This leads to unqualified Forensic Acquisitions, which in turn results in

inadmissible evidence and non-prosecutable cases (Bhaskar 2006:81,82).

Globally, a serious shortage of knowledgeable Law Enforcement officers presents a major challenge to

any Cyber Security Response plan. A study done in America reveals that 49.2% of Law Enforcement

officers are assigned to investigate computer crimes. Of that percentage, only 12.3% have had formal

training in Digital Forensics, whilst only a further 6.8% of those have had formal computer science

training (Bhaskar 2006:82,83).

The South African Constitution, Schedule 6, strictly forbids extending current legislation by analogy

to include cyber crimes. "Old order legislation that continues in force… does not have a wider

application, territorially or otherwise, than it had before the previous Constitution took effect unless

subsequently amended to have a wider application…" (Constitutional Court s.a.:Internet). This implies,

for example, that any South African law prohibiting the forceful seizure of a vehicle in transit (hijacking)

cannot be directly analogised to also prohibit the forceful seizure of an active webpage on the internet

(web jacking). This restriction adds to the implementation problems of laws to regulate cyber crime.

Under the South African Constitution, every accused person has the right to a fair trial (ICRC

2005:Internet). This includes the right “… not to be convicted for an act or omission that was not an

offence under either national or international law at the time it was committed or omitted” (Maat 2004:5).

The creators of the I love you virus caused significant damage by infecting more than 60 million computers

worldwide. However, due to the principle of nullum crimen sine lege (Latin, lit. "No crime, no punishment

without a previous penal law"), the perpetrators were not prosecuted (Maat 2004:7): “… A person shall

not be criminally responsible under this Statute unless the conduct in question constitutes, at the time it

takes place, a crime within the jurisdiction of the Court” (ICRC 2005:Internet).

There is also a fine line between jurisdictional mandate and privacy legislation; this can complicate the

implementation of a proper forensic system. Most organisations expect their employees to sign an

organisational equipment usage disclaimer on joining the organisation. This disclaimer generally states

that the employee will abide by all organisational policies, not misuse organisational equipment, as well

as an acknowledgement that the equipment remains the property of the organisation and that some

higher authority may have access to the equipment for inspection.

The implication of this disclaimer is that, in the event of a computer incident, the system administrator

may access the suspect machine or give access to the forensic investigator involved in the investigation.

This is also the mandate on which forensic investigators access machines without an explicit search

warrant (refer to Paragraph 5.2.1). Employees can argue that their reasonable expectation of privacy

has been violated.

Forensic investigators should be aware of the difference between these two states and ensure that their

actions are defendable in court. To further exacerbate the situation, research in the United States shows

that nearly 85% of the legal system’s current caseload involves some form of digital evidence (Taylor,

Endicott-Popovsky & Frincke 2007:101), yet cyber law is not addressed appropriately. In this regard,

legislation is not on par with reality.

Legal Problems

On the other hand, very few legal systems presently take the digital world into account and laws need

to be modified, edited or amended to fit the requirements of the cyber world (Baggili 2006:1). South

Africa has a hybrid legal system, composed of a number of distinct legal traditions: a civil law system

inherited from its Dutch colonisers, a common law system from its English colonisers, and an indigenous,

African customary law (Du Bois 2007:45). At that time, it was unthinkable that the emergence of new

technology could change the world as much as it has today. Accordingly, it did not take long before it

became difficult, if not impossible, for the legal system to cope with advanced technology (Maat 2004:4).

The computer is a magnificent invention that allows us to do so many things that would have otherwise

been completely impossible. However, it is separate from the legal system, complicating the merging of

human and computer. “… The question that arises is whether our criminal law, which evolved before the

space and electronic age…, is supple enough to meet the onslaught of the white collar criminal that

specialises in computer crime” (Maat 2004:5).

In the words of Jonathan Burchell: “… Before succumbing to the crime-control model of criminal justice

and developing new crimes to counter the ingenuity of the criminal mind, we need to answer two

questions: (a) has a thorough and creative examination been done to determine whether the existing

common or statutory law is inadequate to deal with the new or revived nefarious manifestation; and (b)

does the cost in human and financial terms warrant the intervention of legislation, diverting already

limited resources from the detection and prosecution of common-law crimes of violence to special and

costly forms of law enforcement and to defending potentially time-consuming constitutional challenges to

the legislation?” (Maat 2004:6).

According to the US-CERT (2005:2), recent legislation makes it possible to hold organisations liable in civil

or criminal court if they fail to protect customer data. This legislation includes the Health Insurance

Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX). Nowadays it is becoming

more important to prove that your organisation complies with computer security best practices. If there is

no proof that an organisation followed a sound security policy, it is potentially open to regulatory audits or

lawsuits (US-CERT 2005:3). The next section will formally introduce forensics into the legal system.

8.2 Legal Acceptance of Forensic Evidence

Digital Forensics is a relatively new discipline to the courts. Many of the existing laws used to prosecute

computer-related crimes do not adequately cover the proper adjudication of digital evidence (US-CERT

2005:3). Accordingly, very few forensic cases have been successfully tried in South Africa.

Forensic Nature

According to the US-CERT (2005:1), the word forensics literally means “… to bring to the court” (refer to

Paragraph 6.3). This is a definite indication that Digital Forensics does have a place in the legal system.

Forensics deals primarily with the recovery and analysis of latent evidence: anything from fingerprints

and DNA to files on a hard drive. Four key factors in forensic software make the difference when it

comes to court acceptance (MD5 2008:Internet):


• Forensic software does not alter data. ProDiscover (see accompanying CD, see Forensic

tools) will not alter any data on the disk. ProDiscover accesses the suspect disk in a read-only

fashion at the disk sector level. The software does not allow writing to the disk. Most forensic

packages have similar features to prevent any unauthorised modification of evidentiary data

(refer to Paragraph 3.4.3).

• Forensic software provides maximum data access. Most forensic packages take raw data and

rebuild it into files using an internal file viewer so that you see all the data. This includes slack

space, meta files and alternate data streams (refer to Paragraph 5.2.4).

• Forensic software ensures proof of authenticity. All forensic packages generate a hash signature

for evidence gathered. Investigators can use these signatures at any time to prove that the data

is the same as the original evidence after its capture (refer to Paragraph 3.4.5.1).

• Scientific community verifies forensic software. Scientific communities constantly review software

packages to ensure their accuracy (refer to Paragraph 8.2.1).
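As an added example of the hash-signature practice in the third bullet (not code from the thesis or from any named forensic package), the Python below records MD5 and SHA-256 digests of an acquired image at capture time and re-verifies them later, opening the image read-only so the evidence is never written to. The sample image, file names and key=value manifest layout are assumptions constructed for the example.

```python
"""Verifying a forensic image against the hash signature recorded at capture.
Added example: not code from the thesis or from any forensic package.
The image contents, file names and manifest layout are constructed here."""
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024             # hash 1 MiB at a time so large images fit in memory
ALGORITHMS = ("md5", "sha256")  # MD5 for legacy tool compatibility, SHA-256 for strength


def hash_stream(stream, algorithms=ALGORITHMS) -> dict:
    """Return {algorithm: hexdigest} for everything readable from `stream`."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> dict:
    """Convenience wrapper for in-memory data (used for known-answer checks)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_image(path: str, algorithms=ALGORITHMS) -> dict:
    """Hash the image file. It is opened read-only ('rb'); nothing is written
    back to the evidence, in line with the 'does not alter data' requirement."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def write_manifest(image_path: str, manifest_path: str) -> dict:
    """Record size, capture time and hash signature in a key=value manifest
    (a constructed format; real tools each have their own). Returns the record."""
    record = {
        "image": os.path.basename(image_path),
        "size": str(os.path.getsize(image_path)),
        "captured_utc": datetime.now(timezone.utc).isoformat(),
        **hash_image(image_path),
    }
    with open(manifest_path, "w", encoding="utf-8") as fh:
        fh.writelines(f"{k}={v}\n" for k, v in record.items())
    return record


def read_manifest(manifest_path: str) -> dict:
    """Parse the key=value manifest back into a dict."""
    with open(manifest_path, encoding="utf-8") as fh:
        return dict(line.rstrip("\n").split("=", 1) for line in fh if "=" in line)


def verify_image(image_path: str, manifest_path: str) -> dict:
    """Re-hash the image and compare with the manifest.
    Returns {"ok": bool, "mismatches": [names of fields that differ]}."""
    manifest = read_manifest(manifest_path)
    algorithms = tuple(a for a in ALGORITHMS if a in manifest)
    current = hash_image(image_path, algorithms)
    mismatches = [a for a in algorithms if manifest[a] != current[a]]
    if manifest["size"] != str(os.path.getsize(image_path)):
        mismatches.append("size")
    return {"ok": not mismatches, "mismatches": mismatches}


def demo() -> tuple:
    """Capture a constructed 4 MiB image, verify it, change one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "suspect.dd")            # constructed file name
        manifest = os.path.join(tmp, "suspect.dd.hashes")  # constructed file name
        data = bytearray(bytes(range(256)) * (4 * CHUNK // 256))
        data[510:512] = b"\x55\xaa"  # boot-sector signature, for realism only
        with open(image, "wb") as fh:
            fh.write(data)
        write_manifest(image, manifest)
        before = verify_image(image, manifest)
        # Simulate a single byte changed after capture (e.g. an accidental write):
        # any later verification must flag the image as no longer matching.
        offset = 3 * CHUNK + 17
        with open(image, "r+b") as fh:
            fh.seek(offset)
            fh.write(bytes([data[offset] ^ 0xFF]))
        after = verify_image(image, manifest)
        return before, after


if __name__ == "__main__":
    first, second = demo()
    print("untouched image verifies:", first["ok"])                        # True
    print("after one-byte change:", second["ok"], second["mismatches"])  # False ['md5', 'sha256']
```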

Considering these four aspects, it is crucial for anyone overseeing network security to be aware of the

legal implications of forensic activity. To ensure the acceptance of forensic evidence in a legal context at

a later stage, security professionals should consider their policy decisions and technical actions in the

context of existing laws. This can be a matter as simple as getting authorisation first before monitoring

and collecting information regarding a computer intrusion (US-CERT 2005:3). Accordingly, it is clear that

any organisation with Digital Forensic capabilities will be at a distinct advantage should the case proceed

to a court of law (US-CERT 2005:4).

Relating Forensics to Law

Traditional investigation methods are ill equipped and insufficiently developed to deal with cyber crime.

These methods were developed with the sole purpose of investigating physical crimes situated on physical

premises. However, criminals have advanced so significantly that investigators need to investigate both

physical and virtual crimes situated on both physical and virtual premises. Highly sophisticated technology

now allows cyber criminals to wreak havoc in virtually borderless information networks (Maat 2004:11).

Cyber crime directly resulted in the emergence of an alternative approach to traditional Law Enforcement,

now not purely enforced by the State, but rather by specialists of the environment in which the crime was

committed. Only with the co-operation between these entities is it possible to effectively deal with cyber

crime (Maat 2004:11). The ECT Act eliminated many of the discrepancies that existed in previous

legislative documentation regarding cyber crimes. For example, before this Act came into being, actions

such as hacking and Denial of Service (DoS) attacks were not classified as criminal acts (Maat

2004:i). The ECT Act also created new offences in our legal system to fill a previously identified gap. It

is important to remember that both technology and cyber crime are evolving disciplines and to rule out


the possibility of new types of cyber crime can be hazardous (Maat 2004:10). Cyber criminals, most

likely, will use more inventive and technologically advanced methods to commit cyber crimes.

Strict laws and regulations bind Digital Forensic investigators. When they do not precisely abide by these

laws, the court may dismiss the case, rendering the gathered data useless in a Law Enforcement

capacity. The court may classify the data as unconstitutionally obtained evidence, which would render the

trial unfair or detrimental to the administration of justice (Maat 2004:223).

Live Forensics and the Law

The judicial system does not accept all types of Digital Forensics, although the concept of forensics is

justified. For example, Dead Forensic Acquisition techniques are tested and, under normal circumstances,

allowed as evidence in court. Live Forensic Acquisition and Network Forensics, however,

need more research before they can be included, beyond doubt, as evidence.

There are currently issues concerning authenticity, reliability, preservation, admissibility, tool testing and

verification that need to be addressed before Live Forensic evidence and Network Forensic evidence can

be accepted with a similar degree of confidence as Storage Media Forensics (Nikkel 2006:2). In general,

Law Enforcement can apply Digital Forensics in either a civil case or a criminal case:

• In civil cases, forensic copies of the computer hard drive are often produced on the suspected

crime scene, thus reducing downtime and leaving the original material in the possession of the

owner. The forensic investigators generally keep only a copy of the evidence for analysis and

treat this with maximum security.

• In criminal cases, forensic copies of the computer hard drive are produced and the forensic

investigators keep both the original drive and a copy for evidence. Both these drives are kept

securely, but all analysis is done on the copied image. The original drive serves as best

evidence (defined in Paragraph 3.3.3.3), and is kept by the investigator for the duration of the

case. In the event of a covert operation, the investigator does not physically remove the best

evidence from the site before criminal charges have been laid (Cyber Forensics 2007:Internet).

Many factors play a role in the relationship between forensics and the legal system. The following sections

look at computer science, forensic science, criminal investigations, computer security and Information

Security, system administrators and business. These aspects form part of the alternative approach to

traditional Law Enforcement, in which Live Forensics is applied in relation to a multitude of interrelated

disciplines.


8.2.1 Computer Science

Although computer science is a very wide topic, its relevance to Digital Forensics lies in

the development of new software. This software may potentially have an impact on the analytical value

and evidential integrity of acquired data (Jones 2007:2).

Digital Forensic investigators have seen a drastic increase in the number and complexity of computer

crimes in recent years. As a result, both the field of Digital Forensics and the nature of computer crimes

advanced in complexity. In fact, the growing intricacy of cyber crimes demands more technically

advanced software and techniques that enable forensic investigators to obtain and analyse data more

efficiently. Computer crimes greatly assist computer science advances, by forcing developers to create

bigger and faster machines, and more efficient, secure Forensic Acquisition packages that can navigate

a vast magnitude of data in a shorter time span (Rogers & Seigfried 2004:12,13).

The computer technology also did not remain dormant and bigger, faster computers were developed.

Originally, when Digital Forensics first surfaced as a scientific field, the majority of analysis done by

forensic experts was done on a single target computer and a single forensic computer. Nowadays it

might be necessary to span an OS over multiple machines in order to investigate it. Equally, cyber

criminals have pushed the boundaries for encryption schemes as well. This allows them to hide their

crimes, whilst forcing computer scientists to advance the forensic techniques associated with encryption

(Rogers & Seigfried 2004:12). The following section relates Digital Forensics to traditional forensics.

8.2.2 Physiological Forensic Science

The principles for Digital Forensics are the same as those for traditional Physiological Forensics (Jones

2007:2), except that these principles are applied to digital sources and not physical, biological sources.

Both of these disciplines focus on acquiring and preserving evidence to facilitate prosecution.

Traditional or Physiological Forensics developed from the practice of forensic medicine recognised as a

medical specialty at the end of the 18th century. Forensic science began during the early 1920s in United

States university laboratories, although the first official crime laboratories were only established in 1929

(Wang, Cannady & Rosenbluth 2005:120). Traditional Physiological Forensics is applied to answer a limited

set of questions and to individualise an object. For example, forensic investigators need to compare

blood retrieved from a crime scene with a sample from a suspect’s blood to determine if the samples

correspond.

Although the foundation corresponds to Physiological Forensics, Digital Forensics is more complicated

on a core level. For example, to determine how a cyber criminal compromised a computer, the forensic

investigator needs to identify the access point into the compromised system. It is a rather intricate process

of searching for evidence, acquiring it and then analysing it (Carrier 2006:2). Digital Forensic

science was created to address the specific and articulated needs of Law Enforcement to make the most

of this new form of electronic evidence. As discussed in Chapter 3, Digital Forensics is the science of

acquiring, preserving, retrieving and presenting data that has been processed electronically and stored

on computer media (Amenya 2004:3).

In Physiological Forensics, all evidence is relatively similar. For example, DNA from any source (whether

it is a blood sample, piece of hair or nail) is in generic form once it is cleared from contaminants and

reduced to its elemental form. Once this stage is reached, the protocols for forensic DNA analysis may be

applied similarly to all submissions. In Digital Forensic evidence, however, there is such a vast magnitude

of different types of evidence and each piece needs to be handled and investigated differently. Digital

Forensic evidence rarely gets the same elemental form of evidence, due to the difference in OSs, unique

applications programmes and the different storage methods.

Despite the obvious differences between the disciplines, there is some overlap. Both disciplines consider

evidence inadmissible if a forensically sound investigation has not been followed. The next section links

Digital Forensics with criminal investigations.

8.2.3 Criminal Investigations

As with any criminal investigation, it is important to determine the role that the computer plays in the

committed crime, before starting with the physical investigation. The computer may either be a tool of

the crime, or be subsidiary to the crime. This determination generally happens before the preparation of

the warrant to seize the computer and/or parts of the computer system.

In the first scenario, the computer plays an active role in committing the crime. For example, the criminal

uses the computer as a means to counterfeit certain documents. In the latter scenario, the criminal may

not actively use the computer during the commission of the crime, but rather as a repository of evidence

pertaining to the crime (Robbins 1994:7). A criminal might keep email communication in which he/she

refers to the committed crime. The nature of the computer’s role may indicate whether Dead or Live

Forensic Acquisition is the appropriate technique.

Before a forensic investigator or Law Enforcement agency can commence with the investigation, an

appropriate authority should issue a search warrant. If an organisation has well-defined policies in place,

the process is dramatically fast-forwarded. Investigators then automatically have permission to collect

evidence and analyse it (Laubscher, Olivier, Venter, Rabe & Eloff 2005:5).

Any advances in the field of Digital Forensics allow criminal investigators greater flexibility to conduct

enquiries and investigations (Jones 2007:2). On the other hand, the more success stories there are about

forensic-aided criminal investigations, the more readily the industry can recognise Digital Forensics as a

fully-fledged discipline, leading to more technology-advancing research. The next section links Digital

Forensics with the Computer Security and Information Security disciplines.

8.2.4 Computer Security / Information Security

Computer Security and Information Security are major issues within organisations. Not only can it be

rather tragic if an organisation’s highly paid-for research or a best-kept trade secret is stolen, but an

organisation can be sued for negligence in the event that clients’ personal information is stolen.

Two issues to consider are that of data protection and ISP liability:

• The organisation should protect data. Data that your employees or clients provide to you under

the auspices of confidentiality should remain confidential. The law requires organisations to ensure

the accuracy, relevancy and security of provided information, under all circumstances. Since this

information may include identity and contact information, financial information or performance

appraisals, it may cause a violation of trust in the event of a system breach. Worst-case scenario,

the cyber criminal may sell this confidential information to corrupt individuals or organisations,

leading to possible further crimes such as unauthorised withdrawals from bank accounts or

harassment. Not only will the original organisation be liable for any financial loss suffered by

employees or clients, but will also suffer a loss of reputation and organisational confidence.

• The ISP has a liability. If an organisation does not have the necessary notices and policies in place

to inform employees about the unauthorised use of organisational resources, it may lead to

Information Security problems. If an organisation does not have these measures in place, the

ISP may hold the organisation liable for illegal material hosted on its computers, including copied

music files, pornographic or defamatory material. An organisation may face prosecution, an in-depth

investigation of its IT infrastructure and a loss of reputation (JISC Legal 2005:2).

Proactive organisations can configure computer networks and systems for forensic readiness. Chief

Information Officers (CIOs) have a list of actions to take to prepare a system effectively for easier forensic

investigation and maintenance, such as logging (Jones 2007:2). Such proactive actions may be very

handy in the event of sensitive data where Information Security should apply at all times.

A different kind of Information Security breach occurred recently. A researcher at the National Heart,

Lung and Blood Institute in Bethesda, Maryland had his laptop stolen from the trunk of his car. The

laptop contained medical records for 2500 study participants, and the breach could expose seven years’ worth

of clinical trials (Hulme 2008:Internet). Another security breach occurred at the Binghamton University,

New York. The Coordinator of Undergraduate Advising for the School of Management accidentally

mailed a group of almost 300 students a list of the accounting students’ names, social security numbers

and grade point averages (Hill 2008:Internet).


These real-life examples show that there is a clear relationship between Computer Security, Information

Security and Digital Forensics. The next section looks at the role that system administrators play in the

Digital Forensic discipline.

8.2.5 System Administrators

Although employees often expect a certain degree of privacy regarding their workstation, case law

demonstrates that courts examine the totality of circumstances. This is necessary to determine whether

this reasonable expectation of privacy applies, or whether an employer shares authority over the

employee's space (Robbins 1994:22). The generally accepted practice regards the employer-consent as

standing. It allows the employer to delegate some of these responsibilities to appointed experts, such as

the qualified system administrator.

The First Responders (defined in Paragraph 3.3.1) to a cyber crime scene are often the organisation’s

system administrators. In performing their daily duties and monitoring tasks, the system administrator

often notices suspicious network and system behaviour first. Therefore, they play a crucial role in

Forensic Acquisition. The entire process starts with them and, if they act in a forensically safe manner, it

is possible to collect evidence for possible future prosecutions (Jones 2007:2).

The role of the system administrator compares to that of the cyber inspector, except for the inspector’s

legal rights. System administrators can thus access employees’ files and folders and often leave no physical

clues of their actions. It remains the responsibility of the organisation to publish clear policies about privacy

on the network (refer to Paragraph 8.1). In addition, the organisation needs to explain to employees that

its network administrators have oversight responsibility and control (Robbins 1994:22,23).

By ensuring that the system administrator or forensic investigator sees to the system continually, an

organisation can ensure forensic readiness in the event of a cyber crime. “Although digital forensic

investigations are commonly employed as a post-event response to a serious Information Security or

criminal incident, when forensics is used to its potential, it can provide both pre- and post event benefits”

(Laubscher et al. 2005:5). Accordingly, system administrators can play a very big pro-active role in

Digital Forensics. However, few organisations take this pro-active stance. The next section looks at the

general relationship between Digital Forensics and businesses.

8.2.6 Business

Most businesses and organisations rely on computers to perform their day-to-day business functions.

People are dependent on their computers for communication, data records, transferring and sharing files,

information searches and data exchange forums. Consequently, it is very easy for employees to

misuse organisational resources under the banner of day-to-day computer related tasks. Combined

with the Internet increasing the potential digital crime opportunities, businesses are more likely to

become either the victims or the unknowing participants in modern cyber crimes (Fei 2007:13).

Many organisations believe that time is money. It is thus understandable that organisations are not too

keen on calling in forensic experts, since the earlier, traditional Forensic Acquisition techniques took

hours to acquire a system image. It was common for an entire business to come to a standstill in order

for a forensic investigation to take place. Advances in Digital Forensics, which reduce the disruption

caused by an investigation, are highly beneficial and surround forensic investigations with fewer negative

perceptions (Jones 2007:2).

Cyber crime attacks can compromise both personal and business data stored on a central server. It is

thus important for all organisations, whatever their line of business, to be pro-forensics and to respond

quickly and efficiently to Computer Security incidents, on a daily basis. By doing this, organisations can

reap the following benefits:

• respond to incidents systematically so that the appropriate steps are taken;

• help personnel to recover quickly and efficiently from security incidents, minimising loss or theft

of information and disruption of services;

• use information gained during incident handling to prepare for better handling of future incidents

and to provide stronger protection for systems and data; and

• deal properly with legal issues that may arise during incidents (Grance, Kent & Kim 2004:18).

Business and organisational computers remain the main catchment area for Digital Forensic investigations.

Most people spend the majority of their day at work and a large part of their time at work on the computer.

The data held on computer systems and networks can thus tell us a lot about an individual’s interests,

patterns of behaviour and even their whereabouts at a specific time (Fei 2007:14).

As computer systems, networks and other computing devices become more widely used and prevalent,

the chances of such computing devices and networks being involved in criminal activity also increase.

The next section looks at current legislation that deals with cyber crime and cyber investigations.

8.3 Legal Matters

Unfortunately, many countries’ laws do not clearly prohibit cyber crimes. Equally, existing laws against

physical acts of trespassing or breaking and entering often do not cover their virtual counterparts

(Ticehurst 2000:Internet). It is only in the last couple of years that countries realised the urgency of this

matter and started the development of cyber crime legislation. This lack of updated laws means that

cyber criminals around the world believe that their crimes will go unpunished. Earl Warren sums up the

legal overview quite appropriately. “Our legal system faces no theoretical dilemma but a single continuous

problem: how to apply to ever changing conditions the never changing principles of freedom” (Cheeseman

2005:341).

In a report published by the World Information Technology and Services Alliances (WITSA), shocking

statistics reveal that only nine of the 52 countries analysed in the report have extended their criminal laws

into cyberspace to cover most types of cyber crimes. Another nine countries have updated their laws to

prosecute against six or more types of cyber crime, while ten more countries have enacted legislation to

address five or fewer types of cyber crime. Thirty-three of the countries surveyed have not yet updated

their laws to address any type of cyber crimes. The conductor of the research said: "The long arm of the

law does not yet reach across the global internet. Organisations must rely on their own defences for now"

(Ticehurst 2000:Internet). The accompanying CD presents the full report, see WITSA report.

In 1978, Donn Parker created the first official law to deal with computer crime. Parker is one of the

pioneers on the subject of computer-related crime and played a key role in enacting Florida’s Computer

Crime Act of 1978 (Casey 2000:32). After intense research, Parker proposed the following four categories

of computer crime, the foundation for much Information Technology related legislation:

• A computer is the object of crime and the crime directly affects the computer; e.g., a criminal

steals or destroys the computer.

• A computer is the subject of a crime, or acts as the environment in which the crime is committed;

e.g., a criminal infects the computer with a virus to inconvenience the individuals who use it.

• A computer is the tool for conducting or planning a crime; e.g., a criminal uses the computer to forge

documents or break into other computers.

• A computer is the symbol to intimidate or deceive; e.g., a criminal uses the computer to lure

victims into doing something (Casey 2000:32).

Although accurate, Parker’s categorisation omitted the use of computers as sources of digital evidence. Computers are

often not actively used in the commission of a crime, but contain digital evidence that can prove that the

crime was committed, often also implicating the criminal. In 1995, Professor David Carter improved

Parker’s categorisation of computer-related crime, by employing his knowledge of Criminal Justice.

Carter added another category describing scenarios in which computers are incidental to other crimes

but hold related digital evidence (Casey 2000:33).

The following acts and laws are considered in the development of the Liforac model. This list is not

exhaustive, but constitutes some of the more prominent laws available to the general public, gathered

from a number of countries across the world:

• Information Technology Act of 2000, India;

• No Electronic Theft (NET) Act of 1997, United States of America;

• Information Infrastructure Protection (IIP) Act of 1996, United States of America;

• Telecommunications Act of 1996, United States of America;

• Computer Fraud and Abuse Act of 1986, United States of America;

• Electronic Communications Privacy Act (ECPA) of 1986, United States of America;

• Securing Adolescents From Exploitation-Online (SAFE) Act of 2007, United States of America;

• Computer Security and Critical Information Infrastructure Protection Bill of 2005, Nigeria;

• Electronic Communications and Transactions Act of 2002, South Africa.

Although the cyber legislation in itself is very important, it is also necessary to look at the agencies that

implement the law to ensure cyber security. One of these cyber crime-fighting agencies is the International

Association of Computer Investigative Specialists (IACIS), an international non-profit organisation

composed of Law Enforcement professionals that volunteer to fight cyber crime. These individuals are

dedicated to education in the field of Digital Forensics (IACIS 2007:Internet).

The following section looks at two existing frameworks for cyber crime. The examination of these

frameworks is crucial to the construction of the proposed model for Live Acquisition. The next section

will contribute directly to the development of the Liforac model in Chapter 9.

8.4 Cyber Crime Frameworks

The law constitutes rules to regulate the conduct of individuals, businesses and other organisations within

society. The intention is to protect people and their property against unwanted interference from others

(Cheeseman 2005:2). These laws are enforced by the implementation of cyber crime frameworks. This

section will look at a number of cyber crime frameworks. Since a good cyber crime model is necessary

before any investigation can start, this section plays an important role in the definition and development

of the framework for the proposed Liforac model.

The Liforac model should provide a conceptual reference framework, independent of organisational environment

or technology and a basis for common terminology to support discussion and sharing of expertise. Although

the model does not promote any single technology, it helps develop and apply methodologies to new

technologies as they emerge. A comprehensive cyber crime model includes the investigative process,

incorporating the gathering, analysing and presenting of evidence (refer to Paragraph 3.3 and Figure 3-5),

as well as the legislative aspects (refer to Paragraph 8.2). Such a comprehensive model can benefit IT

managers, security practitioners and auditors (Ciardhuáin 2004:1). The next section discusses a possible

model for investigation.

Ciardhuáin’s Extended Model of Cyber Crime Investigation

According to Ciardhuáin (2004:1), it is necessary to define an extensive model for the investigation of

cyber crime. He did a comparative study on four distinct cyber crime investigation models and found that

none of these is comprehensive enough to ensure a complete acquisition. His intention of a cyber

crime investigation model is to create a platform for future forensic development.

The models used in Ciardhuáin’s study are Lee’s model of Scientific Crime Scene Investigation, Casey’s

model for processing and examining digital evidence, the Digital Forensics Research Workshop (DFRWS)

model and the Reith, Carr and Gunsch model (Ciardhuáin 2004:1). Processes and process flows form

the foundation for all of these models. This idea of processes is reinforced by the continuous

references to the acquisition process throughout the thesis (see definition of Forensic Analysis in

Paragraphs 3.3.1 and 3.3.2, as well as the process flows presented in Figure 3-2, Figure 3-3 and Figure

3-5). The identification of a time related theme (see summary of Chapters 3, 4 and 8) also strongly

supports the use of processes in the final Liforac model.

Following on his study, Ciardhuáin (2004:5) proposed a model that combines and extends the elements

from all these models. He suggested processes that are more detailed and included additional process

flows in his model. Ciardhuáin’s model has 13 processes in total, listed in the first column of Table 8-1.

To show that his model was more comprehensive than the four original models, Ciardhuáin did a

mapping based on the identified processes. Table 8-1 presents this comparative mapping.

Table 8-1: Comparison of activities in the discussed models (Ciardhuáin 2004:10)

Process: models in which it appears (Lee; Casey; DFRWS; Reith, Carr & Gunsch; Ciardhuáin), one tick per model

Awareness ✓ ✓
Authorisation ✓
Planning ✓ ✓
Notification ✓
Search/identify ✓ ✓ ✓ ✓ ✓
Collection ✓ ✓ ✓ ✓ ✓
Transport ✓
Storage ✓
Examination ✓ ✓ ✓ ✓ ✓
Hypothesis ✓ ✓ ✓ ✓
Presentation ✓ ✓ ✓ ✓
Proof/defence ✓ ✓
Dissemination ✓

Although the first four models listed are Cyber Crime Investigation models, none of these is comprehensive

enough to apply directly to a forensic investigation. These models identify in general what processes

need to be performed in a specific order, but none of the models expressly states the information flow

between the processes. Although this might not seem a crucial point, an unclear process flow may have

a significant influence on the chain of custody of the evidence retrieved.

For the purpose of the Liforac model, Ciardhuáin’s model is simplified to eight processes. Ciardhuáin’s

original model is satisfactory for most of the Digital Forensic process, but since the Liforac model

focuses only on acquisition of data, some of the latter activities are merged to create a simpler model.

These processes will play a crucial role in the model for Live Forensic Acquisition (presented in Chapter

11) and will be presented as the explicit processes associated with the Liforac model. Table 8-2

presents the merging of the processes and the mapping of Ciardhuáin’s model on the process flow of the

Liforac model.

Table 8-2: Mapping Ciardhuáin’s processes on the Liforac processes (Own compilation)

Ciardhuáin’s model processes                 Liforac model processes (adopted from Ciardhuáin’s model)
Awareness                                    Awareness
Authorisation                                Authorisation
Planning                                     Planning
Notification                                 Notification
Search/identify; Collection                  Search/identify
Transport; Storage                           Preservation
Examination                                  Examination
Hypothesis; Presentation; Proof/defence      Hypothesis
Dissemination                                Dissemination

Table 8-2 shows that Ciardhuáin’s search/identify, collection, transport and storage activities are all merged

and split into two separate activities in the Liforac model: search/identify and preservation. These four

activities identified by Ciardhuáin relate directly to the forensic acquisition process discussed in Chapter 3.

To simplify the final Liforac model, these four activities can be simply referred to as search/identify, with the

implication that collection, transport and storage are inherent in this process. An additional activity, preservation,

is added at this stage to ensure that the forensic investigator keeps the chain of custody up-to-date.

Ciardhuáin’s hypothesis, presentation and proof/defence are also merged into a single hypothesis activity

in the Liforac model. In a complete forensic analysis process, the hypothesis, presentation and proof/

defence would each constitute its own in-depth discussion. However, for the purpose of this study these

activities are merged because the study focuses on the acquisition aspect and only touches on the

remainder of the forensic cycle.

Based on Ciardhuáin’s model and further research on the Digital Forensic cycle, the Liforac model’s

process framework extends to nine processes (discussed extensively in Part 4). The next section looks

at some of the challenges that forensic investigators have to face when busy with Digital Forensics.

8.5 Legal challenges

The previous section provided a framework for process flows in the Liforac model. This section

orientates the reader again with regard to the difficulties that Digital Forensics faces in the legal aspects.

Although Digital Forensics proves to be a very valuable addition to fighting crime, there are many legal

challenges that the discipline needs to overcome first. Cohen (2006:70) identified a number of these

legal challenges:

• Jurisdiction. The global nature of IT makes definite jurisdiction difficult (see Paragraph 7.1). To

complicate this matter, email communications are not restricted to a single jurisdiction. In this

event, it is very difficult to determine which jurisdiction needs to take action, often resulting in

both (or more) countries sitting idle, expecting the other country to react. Once jurisdiction is

determined, it can be difficult to gather evidence internationally. Not only is it logistically very

difficult, but when the supposed crime is illegal in one country and legal in another, the country

allowing the actions may not cooperate with the investigating country.

• Case law. Currently there are very few Digital Forensic cases, providing very little precedent. In

the rare cases that case law does exist, the technology is constantly changing and accordingly

the case law may not apply fully anymore.

• Qualifications. No standard international qualifications exist for expert witnesses, making it

difficult for courts to be consistent in the approval of expert witnesses.

• Privacy. The balance between invasion of privacy and a proper Digital Forensic investigation still

needs to be determined.

• Search warrants and permission. It is difficult to specify exactly what needs to be covered in the

search warrants when the range of technologies is so wide.

• Privileges. Doctors, lawyers and clergy may store privileged data in digital format. There are

strict laws that prohibit Law Enforcement from accessing these records.

This section proves that Digital Forensics still has a lot of potential for further research before it can be

considered as fully accepted by the local courts of law. The next section summarises Chapter 8 and lists

the drivers identified in this chapter.

8.6 Summary

As was illustrated in the previous chapters, Live Forensics is a multi-faceted discipline. Chapter 8 looked

at the legal acceptance of forensic evidence and the relationship between forensics and the current legal

system. The most prominent aspects this chapter comprises are laws and legal requirements, and the

relationship between Digital Forensics and computer science, forensic science, computer and

Information Security, system administrators and business aspects.

In summary, the eight drivers identified from Chapter 8 to contribute to the development of the Liforac

model are as follows, with the originating paragraph between brackets:

• Legislation and Law Enforcement of cyber crime are facing two main problems with regard to

Digital Forensics. These problems have a direct impact on the development of the Liforac model

and will be addressed in Chapter 10 (Paragraph 8.1);

• The South African Constitution strictly forbids the extension of any current legislation to an

analogy to include cyber crimes. This fact allows many cyber criminals to go free, without any

punishment for their actions. The Liforac model will try and address this matter (Paragraph 8.1);

• Traditional investigation methods are ill equipped and inefficiently developed to deal with cyber

crime. Chapter 10 of the development of the Liforac model looks at how traditional investigation

methods can adapt to be more forensic-oriented (Paragraph 8.2);

• The judicial system does not accept all types of forensic evidence, even though the concept of forensics

is justified. The Liforac model addresses this matter in the development process (Paragraph 8.2);

• Digital Forensics has a strong relationship with a number of wide-ranging disciplines. These

relationships contribute to the understanding of Digital Forensics and therefore directly impact

the development of the Liforac model (Paragraph 8.2);

• Many countries do not have legislation that covers cyber crime. This matter is addressed on the

accompanying CD, see Legislation (Paragraph 8.3);

• Chapter 8 proposes a framework with nine processes that are incorporated as explicit processes

in the timeframe of the Liforac model (Paragraph 8.4);

• Many legal challenges exist that make the acceptance of Digital Forensics in the judicial system

very difficult. Some of these challenges may contribute directly to the development of the Liforac

model and the general understanding of the Digital Forensic discipline (Paragraph 8.5).

When considered individually, most of these identified drivers suggest a legal or regulatory component.

In addition, another prominent driver strongly hints at the time aspect of the model. Allowing for the

number of drivers related to these themes and the importance of these themes in relation with the proposed

Liforac model, these themes might influence the identification of possible dimensions for the Liforac model.

The themes will be addressed in Chapter 9.

Chapter 8 briefly looked at currently available cyber legislations and cyber crime fighting agencies to fulfil

Objective E, Laws. This chapter looked in general at how Digital Forensics fits into the legal system, and

presented a Live Forensic Acquisition specific process model with all the processes necessary to

produce forensically sound evidence. This chapter builds on Chapter 7, focusing on cyber criminals, and

brings Digital Forensics more into the legal perspective. Chapter 8 is the last chapter in Part 3.

Part 4 will now commence with Chapter 9, summarising all the drivers identified from Parts 1 to 3. Once

this summary is presented, Part 4 will continue with the development of the Liforac model as method to

present forensically sound Live Forensic Acquisition. Chapter 9 is the first of five chapters that addresses

the specifics of the development process.

Part 4: The Possibility of Sound Live Forensic Acquisition

This study, Liforac - A Model For Live Forensic Acquisition, divides into four distinct parts (originally

presented in Figure 1-1). Figure Part 4-1 presents the status of the Liforac model development study.

Figure Part 4-1: Part 4 of the Liforac model development study

Part 4, The Possibility of Sound Live Forensic Acquisition, proposes the Liforac model and presents the

model dimension by dimension in Chapters 10 to 13. These chapters introduce each of these dimensions

by further breaking it down into components. This part investigates the legalities of both cyber crime and

Digital Forensics. It comprises seven chapters, including the conclusion of the study.

Chapter 9, Building a Model, presents the framework for the planned model for Live Forensic Acquisition.

This chapter defines a model and presents a visual representation of the generic model of this study.

Chapter 9 is the basis for the remainder of the chapters, acting as a bridge between Parts 1, 2 and 3 (the

literature rich chapters) and Part 4 (the empirical construction of the Liforac model). This chapter shows

the process involved in composing a model from the information gathered in Parts 1 to 3 to represent a

comprehensive, forensically sound model. The themes originally identified in the summaries of Chapters

3 to 8 evolve to four dimensions: Laws and Regulations, Timeline, Knowledge and Scope. Chapter 9

presents all the drivers gathered from Chapters 3 to 8 and maps them against an appropriate Liforac

dimension.

Chapter 10, Laws and Regulations Dimension, looks in more detail at the dimension concerning laws

and regulations relevant to Digital Forensics. Chapter 10 graphically portrays the Laws and regulations

dimension as the foundation of the Liforac model, the basis of all the other dimensions. It needs to be

adhered to in order to ensure that the other three dimensions have a solid foundation. This chapter visually

shows the segregation of this dimension into a number of components: Common crime laws applicable to

cyber crime, Specific cyber laws, Court cases and precedents and Definition of court admissibility. It also

indicates which of the original drivers apply to this dimension and maps these drivers back to their

original chapters. This dimension builds largely on Chapter 8.

Chapter 11, Timeline Dimension, looks in more detail at the sequential order in which investigators need

to perform actions to ensure sound Live Forensic Acquisition. This dimension is an extension of the

Laws and regulations dimension (shown in Figure 9-2). Chapter 11 visually shows the segregation of the

Timeline dimension into a number of components and discusses these components in more detail. The

two main components portrayed in this chapter are implied and explicit processes, discussed in detail

and presented visually. It also indicates which of the original drivers apply to this dimension and maps

these drivers back to their original chapter.

Chapter 12, Knowledge Dimension, looks in more detail at the people involved in successful Live

Forensic Acquisition: who they are and what training and skills they should have. This dimension is an

extension of the Laws and regulations dimension (shown in Figure 9-2). Chapter 12 visually shows the

segregation of the Knowledge dimension into a number of components and discusses these components

in more detail. The six main components portrayed in this chapter are Law, Forensic Sciences, Social

Sciences, Information Systems, World Security Trends and Events and Computer Science, all based on

new technology. This chapter discusses these components in detail and presents them visually. It also

indicates which of the original drivers apply to this dimension and maps these drivers back to their

original chapter.

Chapter 13, Scope Dimension, looks in more detail at the problems associated with Live Forensic

Acquisition, identified earlier in the research. This chapter visually shows the segregation of this dimension

into five components and discusses these components in more detail. These components are Gaining

access to the suspect machine, Dependency on the operating system, Data modification, Authenticity

and Court acceptance. Although Chapter 5 already identified these problems, Chapter 13 addresses the

solutions to these problems. This dimension is an extension of the Laws and regulations dimension (shown

in Figure 9-2).

Chapter 14, Presenting the Final Liforac model, presents the final model for complete, forensically

sound Live Forensic Acquisition. Chapter 14 presents a complete model, consisting of the four dimensions

discussed in the previous chapters. The model is in its final stage, ready to be applied by forensic

investigators.

Chapter 15, Closure, concludes the study and justifies the development of the Liforac model for

comprehensive, forensically sound Live Forensic Acquisition.

These seven chapters form the crux of the study and present a comprehensive, forensically sound model

for Live Forensic Acquisition. Chapter 9 will now summarise all the drivers identified in Parts 1 to 3,

before Chapter 10 proceeds with the refinement of the Liforac model.

Chapter 9: Building a Model

“Neither the Internet nor cyberspace will ever be a safe haven for individuals who attempt this type

of cyber crime. The Secret Service, along with our law enforcement partners,

will hunt you down, keystroke by keystroke.”

- Brian Marr

Paragraph 2.2 states that this thesis aims to develop a model that underwrites full forensically sound Live

Forensic Acquisition. Chapters 2 to 8 have been building the reader’s knowledge base to such an extent that

it is now possible to start constructing the model’s framework. Chapter 9 will incorporate the important

aspects discussed previously to present a basic model for forensically sound Live Forensic Acquisition.

Part 4, The Possibility of Sound Live Forensic Acquisition, forms the general foundation of this research

study. Chapter 9, more specifically, brings together many of the important aspects of the proposed

forensically sound Live Forensic Acquisition model. This chapter defines what the author understood

from the term model and combines all the drivers identified in previous chapters to present the reader

with a full progress report on the development of the Liforac model. This chapter lays the foundation for

the Liforac model, constructed in Chapters 10 to 13 and presented in totality in Chapter 14.

Figure 9-1 indicates the current level of progress with regard to identifying building blocks for the Liforac

model. All five objectives have been addressed in preceding chapters, whilst Chapter 9 now expands

purposely on the development of the Liforac model. Figure 9-1 is the last in the series of Liforac model

progress figures.

Figure 9-1: Liforac model progress - Model development (Own compilation)

9.1 Introduction

To ensure a successful investigation, investigators are required to deliver verifiable and repeatable results.

Therefore, forensic investigators are responsible for technical insight, knowledge of the law and complete

objectivity during investigations. Then investigators can present direct evidence of suspected misconduct

or potential exoneration (Stimmel 2008:1). The best way to ensure verifiable and repeatable results is by

creating an acquisition model that investigators can apply consistently. This chapter unites all the drivers

identified in the previous chapters to ensure a strong foundation for the Liforac model.

What is a model?

Research shows that it is often much easier to solve complex problems by using a model that is based

on real situations. A model is in general a simplified version of the problem and solution combination (Nova

2006:Internet). As a result, this chapter focuses on building a model to guide forensic investigators to

comprehensive, forensically sound Live Forensic Acquisition.

According to WordNet (2008:Internet), a model is “… a hypothetical description of a complex entity or

process”. A conceptual model, as is the proposed model, is a theoretical construct that represents an

idea, with a set of variables and logical and quantitative relationships between the variables (Wikipedia

2008:Internet). The model generally presents a road map that shows the sequence of related events, to

ensure the desired outcomes (NMS Foundation 2007:Internet). The conceptual model is developed in

such a way to lead to insight into the final system (Ehrlich 2002:Internet).

Generally, a model is of exemplary value and serves as a basis for imitation. The proposed model for

comprehensive forensically sound Live Forensic Acquisition is similar to a best practice document,

compiled by industry experts from the best techniques and methods. The aim of the model is to assist

other individuals and organisations to implement a specific idea as smoothly as possible (WordNet 2008:

Internet) to ensure the best possible output. In this specific event, the best practice or model would focus

on ensuring forensically sound Live Forensic Acquisition.

The next section presents the generic Liforac model framework, based on Ciardhuáin’s adapted model

(see Paragraph 8.4). Both the Ciardhuáin and Liforac models allow for standardisation, consistency of

terminology and the identification of research and development areas. Such a model can also prove

useful to explain the work of cyber crime investigators to non-specialists. This can be especially supportive

when presenting digital evidence in a court of law (Ciardhuáin 2004:11).

9.2 Generic Liforac model Framework

To develop a useful model, it is necessary to include a number of wide-ranging components to cover all

aspects relevant to Live Forensic Acquisition. Although the idea of this model is not to present a rigid or

restrictive set of steps to follow, the intention is to develop a comprehensive set of guidelines that can

assist a forensic investigator throughout the Live Forensic Acquisition process, should the investigator

require assistance.

Figure 9-2 presents the proposed generic Liforac model. This model comprises four distinct dimensions:

Laws and regulations, Timeline, Knowledge and Scope, derived from the drivers identified in the study.

These four dimensions were developed throughout this study, as a number of drivers have been

identified and listed at the end of Chapters 3 to 8. The respective summaries of Chapters 3 to 8 not only

provided the drivers but also proposed a number of potential themes derived from the listed drivers. The

discussion and grouping of drivers into logically related groups culminated in four different themes

indicating four applicable dimensions of the model. The drivers and themes accordingly strongly directed

the decision to divide the model into these four specific dimensions.

The remainder of the study focuses on expanding these four dimensions into a comprehensive framework. Each dimension further divides into components to present a fully comprehensive model for Live Forensic Acquisition. Chapters 10 to 13 present these components in detailed discussion and relate them back to the drivers identified at the end of Chapters 3 to 8.

Figure 9-2: Generic Liforac model (Own compilation)

The Laws and regulations dimension is the foundation of the entire model. It affects all three other dimensions and forms the basis on which these dimensions rest (discussed in Chapter 10). The Timeline dimension focuses more on the process view of the model, indicating the sequence in which investigators need to execute processes (discussed in Chapter 11).


This chapter largely borrows from Ciardhuáin's model, identified and adapted in Paragraph 8.4. The Knowledge dimension indicates the different stages of awareness and understanding investigators need to acquire to perform sound Live Forensics (discussed in Chapter 12). Lastly, the Scope dimension addresses the practical problems related to Live Forensics identified in Chapter 5 (discussed in Chapter 13).

In this chapter and the next five, specific terms are used to describe certain aspects of the proposed Liforac model. These terms, or building blocks, are defined below, and Figure 9-3 illustrates the relation between them.

• Dimension. The magnitude of something, or the construct whereby objects can be distinguished (WordNet 2009a:Internet). A dimension often relates independently to other dimensions, giving the specific object a unique identity. A dimension often presents specific measurable features that can link with other measurable dimensions to present a bigger integrated object. For example, this study presents the Laws and regulations, Timeline, Knowledge and Scope aspects as independent dimensions of the Liforac model.

• Sub dimension. A sub dimension is a smaller version of a dimension, also presented as an independent entity with measurable features. A sub dimension forms a logical smaller section of a dimension, but is more distinct than a component. For example, this study presents Common crime laws, Specific cyber laws, Court cases and precedents, and Definition of court admissibility as logical sub dimensions of the Laws and regulations dimension.

• Component. The smallest identifiable part that can be used to compose another entity. Generally, a component has no function when considered in isolation, but adds to the symbiotic meaning of a bigger entity. For example, the Scope dimension has five components listed in this study: Access to the machine, Dependency on the OS, Data Modification, Authenticity and Court Acceptance.

• Driver. The driving force behind a specific action. For example, at the end of Chapters 3 to 8, a list of drivers from that particular chapter is identified and their inclusion in the Liforac model motivated. These drivers form the driving force behind many of the concepts built into the Liforac model.

The next section combines all the drivers identified in earlier chapters and maps them, in a single comprehensive table, onto their source chapters.


9.3 Presenting the Drivers

Chapters 3 to 8 all concluded with a summary of the drivers identified in that specific chapter. These summaries also identified preliminary themes that evolved into dimensions. Table 9-1 unites all these previously identified drivers and indicates the originating chapter of each driver, as well as the Liforac model dimension to which it applies. The drivers are accordingly duplicates of those already seen at the end of Chapters 3 to 8, but are presented here as a single comprehensive list.

Figure 9-3: Relation between Liforac model building blocks (Own compilation)

Table 9-1 below should not be memorised, but seen purely as a grouping of all the drivers identified in the development of the Liforac model to date. The next four chapters split this table into four smaller tables, each listing only the drivers relevant to a specific dimension. Those drivers are discussed, and their inclusion in a specific dimension motivated, in the respective chapters.

Table 9-1: Summary of identified drivers (Own compilation)

Identified driver | Original chapter | Liforac dimension
Digital Forensic definition | Paragraph 3.1 | Knowledge
Retrospective profiling nature of Digital Forensics | Paragraph 3.2 | Laws and regulations
A crime scene contaminated by the investigator renders the evidence inadmissible in court | Paragraph 3.2 | Laws and regulations, Knowledge
Current forensic methods: pulling the plug or doing a live analysis | Paragraph 3.3 | Knowledge
Digital Forensic methodology consists of three key steps: acquire evidence without altering the original; authenticate that the recovered evidence is the same as the originally seized data; and analyse the data without modifying it | Paragraph 3.3 | Knowledge, Timeline
Digital Forensic process consists of four steps: collection; examination; analysis; and reporting | Paragraph 3.3.1, Paragraph 4.2, Table 4-1 | Knowledge, Timeline
The First Responder has a very definite role in the Live Forensic process | Paragraph 3.3.1 | Knowledge, Timeline
Comparison between Dead and Live Forensics | Paragraph 3.3.3, Table 3-1 | Knowledge, Scope
Forensics has a volatile and unpredictable field setting | Paragraph 3.4 | Knowledge, Scope
The generic Forensic Acquisition process applies to both Dead and Live Forensic Acquisition | Paragraph 3.4, Figure 3-5 | Knowledge, Timeline
Chain of custody plays an important role in forensics | Paragraph 3.4.4 | Laws and regulations, Timeline
The integrity of the evidence should be protected at all times | Paragraph 3.4.4 | Timeline, Scope
A thorough Digital Forensic Acquisition and analysis can be done with supporting software packages and applications | Paragraph 4.1 | Laws and regulations, Timeline, Knowledge, Scope
Different forensic suites exist for Windows, Mac, Linux and DOS | Paragraph 4.1 | Laws and regulations, Timeline, Knowledge, Scope
Specific tools can be applied in specific stages of the forensics process | Paragraph 4.2, Table 4-1 | Laws and regulations, Timeline, Knowledge, Scope
Many traditional forensic suites also cater for Live Forensic Acquisition | Paragraph 4.2, Table 4-1 | Laws and regulations, Timeline, Knowledge, Scope
The accuracy of results and the integrity of digital evidence need to be maintained at all times | Paragraph 4.2.1 | Laws and regulations, Scope
Forensic toolkits have three main limitations: the problem of acquisition (imaging a live system); tools adapt poorly to large-scale investigations; and it is difficult to view large evidence files holistically | Paragraph 4.2.6 | Laws and regulations
Electronic information is a valuable resource | Paragraph 5.1 | Knowledge
Organisations generally have three possible options to respond to a cyber attack: do nothing; perform an internal investigation; or perform a detailed analysis with the intention to prosecute the cyber criminal | Paragraph 5.1 | Laws and regulations, Knowledge
Digital evidence has some unique properties | Paragraph 5.1 | Laws and regulations, Knowledge
Locard's exchange principle applies to all crime scenes | Paragraph 5.1 | Knowledge
Live Forensics has five identified practical problems: gaining access to the suspect system; acquisition dependent on the OS; data modification during the acquisition process; demonstrating the authenticity of evidence; and ensuring full acceptance by the court | Paragraph 5.2, Figure 5-2 | Scope
Several methods exist to perform Live Forensic Acquisition: software applications (software agents; memory dump; NotMyFault; and Live Response Toolkit) and hardware devices (the Tribble device; the PCI expansion card; SPARC OpenBoot; and COFEE) | Paragraph 5.3 | Knowledge
Digital Forensics is a technical application of computer related knowledge | Paragraph 6.1 | Knowledge
Forensic soundness is the foundation of court admissibility of evidence | Paragraph 6.1 | Laws and regulations, Knowledge
Rejected forensic evidence can hurt the case, or portray the investigators as incompetent | Paragraph 6.2 | Laws and regulations
Evidence should be referred to as "… artefacts of potential evidentiary value" | Paragraph 6.2 | Laws and regulations
An expert witness may elicit professional opinions about the validity of a theory and the reliability of specific tools | Paragraph 6.2 | Knowledge
A well-known heuristic is needed to determine the admissibility of expert evidence: the Frye test; and the Daubert test | Paragraph 6.2 | Laws and regulations
Legal admissibility is the characteristic of a piece of evidence that determines whether it will be accepted by a court of law | Paragraph 6.2.3 | Laws and regulations
To ensure the acceptance of digital evidence, forensic investigators should maximise the evidential weight of a document | Paragraph 6.2.3 | Laws and regulations, Knowledge
There are two main elements to demonstrate the authenticity of electronic records: freeze a record at a specific moment in time; and maintain a documented audit trail | Paragraph 6.2.3 | Laws and regulations, Knowledge
To ensure admissibility, counsel should prove that: the record has not been tampered with; the system the record is kept in is secure; and the system was secure throughout the record lifetime | Paragraph 6.2.3 | Laws and regulations
In both traditional and Digital Forensic measures, courts should allow the minor alteration of original evidence, without altering evidence in such a way that the meaning thereof changes | Paragraph 6.3 | Laws and regulations, Knowledge
The Heisenberg uncertainty principle and the observer effect explain the volatile nature of forensics | Paragraph 6.4 | Knowledge
Both authenticity and reliability play a crucial part in determining whether artefacts of evidentiary value can be considered as evidence or not | Paragraph 6.5 | Laws and regulations
Jurisdiction of cyber crime is difficult to determine | Paragraph 7.1 | Laws and regulations
Criminals tend to exploit the anonymity, convenience and speed of modern technology to commit crimes | Paragraph 7.1 | Laws and regulations
Cyber crime definition | Paragraph 7.2 | Laws and regulations
Unlike real world crime, cyber crime does not have: physical proximity; small scale; physical constraints; or offender-offence patterns | Paragraph 7.2 | Laws and regulations
Many different types of cyber crime exist | Paragraph 7.2.1 | Laws and regulations
The number of cyber crime incidents is rapidly increasing | Paragraph 7.2.2, Paragraph 7.3 | Laws and regulations
Cyber crime types can be classified according to: crimes against individuals; crimes against individual property; crimes against organisations; and crimes against society | Paragraph 7.2.3 | Laws and regulations
There are some key issues concerning cyber crime in the current Information Security environment | Paragraph 7.2.3 | Laws and regulations
Legislation and Law Enforcement of cyber crime has two main problems: too few Law Enforcement officers have appropriate computer forensics and computer crime investigative skills; and very few legal systems presently take the digital world into account | Paragraph 8.1 | Laws and regulations
The South African Constitution strictly forbids the extension of current legislation by analogy to include cyber crimes | Paragraph 8.1 | Laws and regulations
The rapid development of new criminal techniques leaves Law Enforcement techniques outdated and ineffective | Paragraph 8.1 | Laws and regulations
Traditional investigation methods are ill equipped and inefficiently developed to deal with cyber crime | Paragraph 8.2 | Laws and regulations
The judicial system does not accept all types of Digital Forensics, although the concept of forensics is justified | Paragraph 8.2 | Laws and regulations
There is a strong relationship between Digital Forensics and: computer science; forensic science; criminal investigations; computer security and Information Security; business; and system administrators | Paragraph 8.2 | Laws and regulations, Knowledge
Digital Forensics ensures that investigators can identify and prosecute criminals that commit crimes involving the confidentiality, integrity and availability of electronic resources | Paragraph 8.2 | Laws and regulations
Digital Forensic Governance recently evolved from the other Governance disciplines to include the governance and management of Digital Forensics | Paragraph 8.2 | Laws and regulations
In support of the security policies and technologies, Digital Forensics provides the means of investigation when these plans are compromised in some way | Paragraph 8.2 | Laws and regulations
Many countries do not have cyber legislation | Paragraph 8.3 | Laws and regulations
Four possible solutions exist to the problem of data changing during Live Forensic Acquisition | Paragraph 8.3 | Scope
Ciardhuáin's cyber crime investigation model is modified to contribute to the Liforac model | Paragraph 8.4 | Laws and regulations
Legal challenges make the acceptance of Digital Forensics in the judicial system very difficult | Paragraph 8.5 | Laws and regulations

The last column indicates a Liforac dimension assigned on the opinion of the author. Although this is only the first version of the Liforac model, the following is proposed as read from Table 9-1:
• the Laws and regulations dimension consists of at least 41 drivers;
• the Timeline dimension consists of at least 10 drivers;
• the Knowledge dimension consists of at least 26 drivers; and
• the Scope dimension consists of at least 10 drivers.

Of the study done so far, many of the identified drivers relate to the Laws and regulations aspect of the proposed Liforac model (discussed in Chapter 10). The Knowledge dimension (discussed in Chapter 12) has the second most drivers related to it, reflecting that Digital Forensics is a very complex discipline and that investigators need thorough training and preparation to handle these investigations. Both the Timeline (discussed in Chapter 11) and the Scope (discussed in Chapter 13) dimensions have only 10 drivers each. However, these drivers are very labour intensive and require a lot of attention.

Each of these dimensions gives rise to a number of components (presented in Figure 9-3), based on the drivers identified in the chapters preceding the dimension discussion. The chapters following this generic model discussion describe these components in more detail.
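The Paragraph 3.3 driver in Table 9-1 (acquire without altering the original; authenticate that the recovered evidence matches what was seized; analyse without modifying) and the Paragraph 6.2.3 drivers (freeze a record at a specific moment in time; maintain a documented audit trail) translate directly into a small, checkable procedure. The Python below is an added illustration and is not part of the thesis or of the Liforac model: the handler names, timestamps and the "source" bytes are constructed sample data, and the hash-chained custody trail is one common way of making an audit trail tamper-evident, not a method the thesis prescribes.

```python
# Added example (not from the thesis): acquire, authenticate, analyse, with a
# tamper-evident chain-of-custody trail. All names and data are constructed.
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Digest used to freeze evidence (and trail entries) at a point in time."""
    return hashlib.sha256(data).hexdigest()


class CustodyTrail:
    """Append-only chain-of-custody log. Each entry commits to the digest of
    the previous entry, so editing, dropping or reordering an earlier entry
    is detected when the chain is re-verified."""

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self) -> None:
        self.entries: list = []

    @staticmethod
    def _canonical(entry: dict) -> bytes:
        # Everything except the entry's own digest, in a fixed key order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return json.dumps(body, sort_keys=True).encode()

    def record(self, action: str, handler: str, evidence_hash: str,
               timestamp: Optional[str] = None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "action": action,
            "handler": handler,
            "evidence_hash": evidence_hash,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(self._canonical(entry))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every link; False if any entry was altered or reordered."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev:
                return False
            if not hmac.compare_digest(sha256_hex(self._canonical(entry)),
                                       entry["entry_hash"]):
                return False
            prev = entry["entry_hash"]
        return True


def acquire(source: bytes, handler: str, trail: CustodyTrail,
            timestamp: Optional[str] = None) -> bytes:
    """Step 1: take a bit-for-bit copy of the source without writing to it.
    The copy's digest is frozen in the trail at acquisition time."""
    image = bytes(source)
    trail.record("acquire", handler, sha256_hex(image), timestamp)
    return image


def authenticate(image: bytes, trail: CustodyTrail) -> bool:
    """Step 2: does the copy in hand still match what was acquired, and is the
    trail that vouches for it intact?"""
    acquired = [e for e in trail.entries if e["action"] == "acquire"]
    if not acquired or not trail.verify():
        return False
    return hmac.compare_digest(sha256_hex(image), acquired[0]["evidence_hash"])


def analyse(image: bytes, handler: str, trail: CustodyTrail,
            timestamp: Optional[str] = None) -> int:
    """Step 3: work on the copy (read only) and log the action. The 'analysis'
    here merely counts printable bytes, standing in for real examination."""
    trail.record("analyse", handler, sha256_hex(image), timestamp)
    return sum(32 <= b < 127 for b in image)


def demo() -> dict:
    """Constructed walk-through: good copy, tampered copy, tampered trail."""
    source = b"constructed volatile data: pid=4242 user=alice cmd=/bin/sh\x00\x01"
    trail = CustodyTrail()
    image = acquire(source, "Investigator A", trail, "2009-10-01T09:00:00+00:00")
    analyse(image, "Investigator A", trail, "2009-10-01T09:05:00+00:00")

    tampered = image[:-1] + bytes([image[-1] ^ 0x01])  # one flipped bit
    result = {
        "good_copy_authentic": authenticate(image, trail),
        "tampered_copy_authentic": authenticate(tampered, trail),
        "trail_intact": trail.verify(),
    }
    trail.entries[0]["handler"] = "Investigator B"  # rewrite history
    result["trail_after_edit"] = trail.verify()
    return result


if __name__ == "__main__":
    print(demo())
```

Two points the page's own drivers make are visible in the code. The digest freezes the copy, not the running system: a second read of a live, volatile source would not reproduce the same bytes, which is exactly the Scope problem of data modification during acquisition. And a hash of the image alone proves nothing about who handled it or when; that is why the acquisition record and every later action sit in a trail whose own integrity can be re-verified, which is what "maintaining a documented audit trail" and "the record has not been tampered with" demand.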

9.4 Summary

Chapter 9 initiated Part 4 as a bridge between the literature-rich chapters (Parts 1 to 3) and the construction of the Liforac model (Part 4). This chapter discussed and defined the concept of a model as understood within the bounds of this study, and presented a visual representation of the framework proposed for the Liforac model.

Table 9-1 unites all the previously identified drivers that can contribute to the development of the model. This table is a comprehensive view of the most important aspects discovered in the study so far. The final Liforac model incorporates these concepts to ensure full coverage of all aspects in the presentation of the comprehensive model. Table 9-1 is divided into four separate tables in the next four chapters, each showing only those drivers relevant to a specific dimension.

Chapter 9 played an important role in summarising the study to date and introducing the next chapters, which focus on specific levels and specific components. Chapter 10 now discusses the Laws and regulations dimension in more detail and shows how this dimension fits into the Liforac framework.


Chapter 10: Laws and Regulations Dimension

“Law and justice are not always the same.”

- Gloria Steinem

Chapter 10 looks at the previously identified drivers (presented in Table 9-1) that map specifically onto the Laws and regulations dimension. It also considers in detail what the forensic investigator needs to know and do concerning related laws and regulations in order to remain within the legal bounds of the discipline. The chapter looks at a number of legalities and procedures that may have an impact on the Digital Forensic discipline. However, this discussion reflects the opinion and observation of the author and is not a legally binding document. The legal dimension is a technical discussion of a legal subject and only provides a high-level abstraction of the topic.

Chapter 10 is the first of four chapters that focus specifically on the construction of the Liforac model. Figure 10-1 shows the proposed layout of the Liforac model, with the Laws and regulations dimension forming the foundation of the model; the figure presents this dimension as the physical base of the model.

Figure 10-1: Focusing on the Laws and regulations dimension (Own compilation)

Chapter 10 extends the generic framework for the Liforac model by expanding the Laws and regulations dimension into four distinct sub dimensions. At this point, it is important to note that the dimension discussed in Chapter 10 divides into sub dimensions, whilst the dimensions discussed in Chapters 11, 12 and 13 divide into components (refer to Figure 9-3 for an explanation of the difference between sub dimensions and components).


The reasoning behind this division is that the Laws and regulations dimension in Chapter 10 is the foundation for the three other dimensions and their corresponding components. By dividing this dimension into sub dimensions, the arrangement in Figure 10-1 is sturdier and the foundation is reinforced with additional sub dimensions. The sub dimensions ensure that the Laws and regulations dimension is distinct from the other dimensions and stands out as the foundation of the model. This chapter looks in more detail at these sub dimensions, as well as at how the drivers identified in earlier chapters map to them.

10.1 Introduction

Laws and regulations as a dimension are crucially important and form the foundation for all the other dimensions. Figure 10-2 shows four sub dimensions identified as relevant to this dimension. These sub dimensions were identified through in-depth discussions with colleagues knowledgeable in forensics (Nare 2008:Interview; Perold 2008:Interview) as the four most prominent points of contact between legal and regulatory aspects and the Forensic Sciences. Although the value of these points has not yet been scientifically established, it appears that these sub dimensions contribute largely to Digital Forensics specifically.

Figure 10-2 shows the Laws and regulations dimension as four blocks: Sub dimension 1: Common crime laws applicable to cyber crime; Sub dimension 2: Specific cyber laws; Sub dimension 3: Court cases and precedents; and Sub dimension 4: Definition of court admissibility.

Figure 10-2: Laws and regulations dimension (Own compilation)

The inclusion of these four sub dimensions is motivated as follows:

• Sub dimension 1. Common crime laws applicable to cyber crime refer to existing legislation created with only traditional crimes in mind. The interpretation of these laws can allow their extension to cyber crimes as well.

• Sub dimension 2. Specific cyber laws refer to laws created specifically with cyber crime in mind. Chapter 8 looked at some of the cyber laws already in place.

• Sub dimension 3. Court cases and precedents are crucial in the acceptance of any new technology in court. Examples of these precedents are the Frye and Daubert tests described in Paragraph 6.2.


• Sub dimension 4. The definition of court admissibility largely determines whether a court would allow Live Forensic Acquisition. This definition and its implementation have a big impact on the Live Forensic Acquisition discipline.

Together, these four sub dimensions cover the extent of the Laws and regulations dimension identified by the Liforac model. The next section maps the drivers identified in Table 9-1 onto the four sub dimensions listed above.

10.2 Mapping the drivers to the dimension

Table 9-1 showed a comprehensive list of all the drivers identified in the first eight chapters. Table 10-1 now shows a subset of that table, containing only those drivers applicable to Laws and regulations. The table should not be memorised, but seen purely as a grouping of the drivers identified in the development of the Liforac model that apply to the Laws and regulations dimension. The last column maps each driver to one or more of the four sub dimensions shown in Figure 10-2.

Table 10-1: Identified drivers on the Laws and regulations dimension (Own compilation)

Identified driver | Original chapter | Sub dimension with corresponding number
Retrospective profiling nature of Digital Forensics | Paragraph 3.2 | Specific cyber laws (2)
A crime scene contaminated by the investigator renders the evidence inadmissible in court | Paragraph 3.2 | Definition of court admissibility (4)
Chain of custody plays an important role in forensics | Paragraph 3.4.4 | Definition of court admissibility (4)
A thorough Digital Forensic Acquisition and analysis can be done with supporting software packages and applications | Paragraph 4.1 | Court cases and precedents (3)
Different forensic suites exist for Windows, Mac, Linux and DOS | Paragraph 4.1 | Court cases and precedents (3)
Specific tools can be applied in specific stages of the forensics process | Paragraph 4.2, Table 4-1 | Court cases and precedents (3)
Many traditional forensic suites also cater for Live Forensic Acquisition | Paragraph 4.2, Table 4-1 | Definition of court admissibility (4)
The accuracy of results and the integrity of digital evidence need to be maintained at all times | Paragraph 4.2.1 | Definition of court admissibility (4)
Forensic toolkits have three main limitations: the problem of acquisition (imaging a live system); tools adapt poorly to large-scale investigations; and it is difficult to view large evidence files holistically | Paragraph 4.2.6 | Specific cyber laws (2)
Organisations generally have three possible options to respond to a cyber attack: do nothing; perform an internal investigation; or perform a detailed analysis with the intention to prosecute the cyber criminal | Paragraph 5.1 | Specific cyber laws (2)
Digital evidence has some unique properties | Paragraph 5.1 | Specific cyber laws (2)
Forensic soundness is the foundation of court admissibility of evidence | Paragraph 6.1 | Definition of court admissibility (4)
Rejected forensic evidence can hurt the case, or portray the investigators as incompetent | Paragraph 6.2 | Definition of court admissibility (4)
Evidence should be referred to as "… artefacts of potential evidentiary value" | Paragraph 6.2 | Specific cyber laws (2)
A well-known heuristic is needed to determine the admissibility of expert evidence: the Frye test; and the Daubert test | Paragraph 6.2 | Court cases and precedents (3)
Legal admissibility is the characteristic of a piece of evidence that determines whether it will be accepted by a court of law | Paragraph 6.2.3 | Definition of court admissibility (4)
To ensure the acceptance of digital evidence, forensic investigators should maximise its evidential weight | Paragraph 6.2.3 | Definition of court admissibility (4)
There are two main elements to demonstrate the authenticity of electronic records: freeze a record at a specific moment in time; and maintain a documented audit trail | Paragraph 6.2.3 | Definition of court admissibility (4)
To ensure admissibility, counsel should prove that: the record has not been tampered with; the system the record is kept in is secure; and the system was secure throughout the record lifetime | Paragraph 6.2.3 | Definition of court admissibility (4)
In both traditional and Digital Forensic measures, courts should allow the minor alteration of original evidence, without altering evidence in such a way that the meaning thereof changes | Paragraph 6.3 | Common crime laws applicable to cyber crime (1), Specific cyber laws (2), Court cases and precedents (3), Definition of court admissibility (4)
Both authenticity and reliability play a crucial part in determining whether artefacts of evidentiary value can be considered as evidence or not | Paragraph 6.5 | Definition of court admissibility (4)
Jurisdiction of cyber crime is difficult to determine | Paragraph 7.1 | Common crime laws applicable to cyber crime (1), Specific cyber laws (2)
Criminals tend to exploit the anonymity, convenience and speed of modern technology to commit crimes | Paragraph 7.1 | Specific cyber laws (2)
Cyber crime definition | Paragraph 7.2 | Specific cyber laws (2)
Unlike real world crime, cyber crime does not have: physical proximity; small scale; physical constraints; or offender-offence patterns | Paragraph 7.2 | Specific cyber laws (2)
Many different types of cyber crime exist | Paragraph 7.2.1 | Specific cyber laws (2)
The number of cyber crime incidents is rapidly increasing | Paragraph 7.2.2, Paragraph 7.3 | Specific cyber laws (2), Court cases and precedents (3)
Cyber crime types can be classified according to: crimes against individuals; crimes against individual property; crimes against organisations; and crimes against society | Paragraph 7.2.3 | Specific cyber laws (2)
There are some key issues concerning cyber crime in the current Information Security environment | Paragraph 7.2.3 | Specific cyber laws (2)
The South African Constitution strictly forbids the extension of current legislation by analogy to include cyber crimes | Paragraph 8.1 | Common crime laws applicable to cyber crime (1)
Legislation and Law Enforcement of cyber crime has two main problems: too few Law Enforcement officers have appropriate computer forensics and computer crime investigative skills; and very few legal systems presently take the digital world into account | Paragraph 8.1 | Specific cyber laws (2)
Traditional investigation methods are ill equipped and inefficiently developed to deal with cyber crime | Paragraph 8.2 | Common crime laws applicable to cyber crime (1)
The judicial system does not accept all types of Digital Forensics, although the concept of forensics is justified | Paragraph 8.2 | Common crime laws applicable to cyber crime (1), Specific cyber laws (2)
There is a strong relationship between Digital Forensics and: computer science; forensic science; criminal investigations; computer security and Information Security; business; and system administrators | Paragraph 8.2 | Common crime laws applicable to cyber crime (1), Specific cyber laws (2), Court cases and precedents (3)
Many countries do not have cyber legislation | Paragraph 8.3 | Common crime laws applicable to cyber crime (1)
Ciardhuáin's cyber crime investigation model is modified to contribute to the Liforac model (nine activities) | Paragraph 8.4 | Specific cyber laws (2), Court cases and precedents (3)
Many legal challenges exist that make the acceptance of Digital Forensics in the judicial system very difficult | Paragraph 8.5 | Specific cyber laws (2), Court cases and precedents (3)
The rapid development of new criminal techniques leaves Law Enforcement techniques outdated and ineffective | Paragraph 8.1 | Common crime laws applicable to cyber crime (1)
Digital Forensics ensures that investigators can identify and prosecute criminals that commit crimes involving the confidentiality, integrity and availability of electronic resources | Paragraph 8.2 | Specific cyber laws (2)
In support of the security policies and various security technologies, Digital Forensics provides the means of investigation when these plans are compromised in some way | Paragraph 8.2 | Specific cyber laws (2), Court cases and precedents (3)
Digital Forensic Governance recently evolved from the other Governance disciplines to include the governance and management of Digital Forensics | Paragraph 8.2 | Specific cyber laws (2), Court cases and precedents (3)

Table 10-1 shows the interpretational mapping of the four sub dimensions of the Laws and regulations dimension onto the drivers already identified in this study. Some of these drivers overlap and can be merged at a later stage.

Figure 10-3 presents the Laws and regulations sub dimensions within the boundaries of the Liforac model. The figure shows the Laws and regulations dimension, its four sub dimensions (Common crime laws, Specific cyber laws, Court cases and precedents, and Definition of court admissibility), and the drivers related to these sub dimensions as listed in Table 10-1. The remainder of this chapter is devoted to a discussion of the four sub dimensions of the Laws and regulations dimension.

Figure 10-3: Laws and regulations sub dimensions and respective drivers presented within the Liforac model (Own compilation)

10.3 Developing the Laws and regulations dimension

With rising cyber crime rates and the increase in cyber crime incidents, the Laws and regulations dimension is a very important part of the Liforac model for comprehensive Live Forensic Acquisition. Not only is it necessary to pay attention to all aspects of cyber crime in order to do this, but these crimes also need to be related to the legal discipline. The next four sections address the four sub dimensions linking cyber crime, Live Forensics and the justice system.

10.3.1 Sub dimension 1: Common crime laws

Common crime laws, generally referred to as penal law, involve the “… prosecution by the government of a person for an act that has been classified as a crime. It is the body of statutory and common law that deals with crime and the legal punishment of criminal offenses…” Although many different definitions exist for crime (refer to Paragraph 7.2), it can in general be described as any act, or omission of an act, in violation of public law either forbidding or specifically commanding the act in question (HG.org 2008:Internet). Accordingly, common crime laws applicable to cyber crime refer to already existing legislation created with only traditional crimes in mind. The applicable stakeholders wrote the laws in such a manner that interpretation within given circumstances can include the legal punishment of acts related to computers, digital evidence and cyber issues (Nare 2008:Interview). Table 10-1 indicates that there are eight drivers identified in earlier chapters that may contribute to the sub dimension Common crime laws applicable to cyber crime. Table 10-2 presents these eight drivers.

Table 10-2: Drivers applicable to sub dimension 1 (Own compilation)

Sub dimension 1: Drivers applicable to common crime laws applicable to cyber crime

Driver 1 In both traditional and Digital Forensic measures, courts should allow the minor alteration of original evidence, without altering evidence in such a way that the meaning thereof changes.

Driver 2 Jurisdiction is difficult to determine when cyber crime is concerned.

Driver 3 The South African Constitution strictly forbids the extension of current legislation to an analogy to include cyber crimes.

Driver 4 Traditional investigation methods are ill equipped and inefficiently developed to deal with cyber crime.

Driver 5 The judicial system does not accept all types of Digital Forensics, although the concept of forensics is justified.

Driver 6 There is a strong relationship between Digital Forensics and: • computer science; • forensic science; • criminal investigations; • computer security and Information Security; • business; and • system administrators.

Driver 7 Many countries do not have legislation that covers cyber crime.

Driver 8 Owing to the rapid development of new criminal techniques, Law Enforcement techniques are equally outdated and rendered ineffective against criminal techniques.

The application of these drivers in the Liforac model depends largely on whether the implementing country has its own legislation that applies to forensic sciences. If the country does not have its own legislation, it is advisable to use these drivers as a basis for legal and regulatory aspects to ensure some level of court acceptance based on legislation from other countries. Some of the laws and regulations that fall into this generic category, but can be interpreted in relation to digital evidence, include:

• Telecommunications Act no 103 of 1996 (South Africa);

• ICASA Act of 2002 (South Africa);

• RICA Act of 2002 (South Africa);


• Trade Secrets Act (United States);

• The Act of Extortion and threats (United States); and

• Forgery and Counterfeiting Act of 1981 (United Kingdom).

Figure 10-4 presents the Laws and regulations dimension, sub dimension Common laws applicable to cyber crime. This figure evolves from Figure 9-2. The ideal circumstances for fully employing the Liforac model rely on the assumption that Digital Forensic evidence, similar to Physiological Forensic evidence, allows minor alterations to the original evidence without altering the meaning of the evidence (refer to Paragraph 6.3). Although Parliament has not yet approved this regulation, it will make a number of additional common laws applicable to Digital Forensics. This regulation will mitigate the current urgent problem that many countries do not have specific cyber laws (refer to Chapter 8).

Figure 10-4: Drivers of the common crime laws (Own compilation)

Whether or not the implementing country allows the extension of current crime laws to apply to cyber crimes, criminal laws can still be a source of valuable information for forensic investigators. Regardless of its direct applicability, a sound knowledge of this legislation will definitely give forensic investigators a competitive advantage in relating cyber crimes to real world scenarios. Currently, the South African Constitution does not allow the extension of current legislation to include an analogy applicable to cyber crime. Such additional legislation is automatically excluded, unless the law can be interpreted beyond reasonable doubt as applicable to a cyber crime case.


An additional complication concerning cyber crimes is the difficulty of determining the applicable jurisdiction. Once again, many of the current common criminal laws might help to determine the specific jurisdiction to some extent. However, should a country have both specific cyber laws and common criminal laws that apply to cyber crimes, the former will determine jurisdiction in all events. By a similar analogy, the close relationship between Digital Forensics and other disciplines (Computer Science, Forensic Science, Criminal investigations, Computer and Information Security, Business and System administration, all discussed in Paragraph 8.2) might allow forensic investigators to adopt some legal aspects regarding these disciplines from common laws that might not be specifically addressed in specific cyber laws.

Yet another reason why it is crucial to include common crime laws in the Liforac model is that the drastic development trends regarding computer technology leave many Law Enforcement techniques outdated. Not only is it time consuming to develop new countermeasures for cyber crimes, but it is also costly when all Law Enforcement officers need to attend training on the new techniques and new legislation. Additionally, writing and adopting new laws and regulations is a very time consuming process – a law might be outdated even before its formal adoption. Therefore, some of the common laws allow for a more generic description that a court of law can interpret accordingly as soon as new criminal techniques evolve. Although investigators still need to be trained, this application avoids the waiting period before a law can be adopted. The other alternative regarding current legislation is laws created and adopted specifically for cyber issues and electronic related aspects. The next section investigates these types of laws.

10.3.2 Sub dimension 2: Specific cyber laws

Specific cyber laws refer to laws created specifically with cyber crime in mind. These laws address current issues related to cyber space, computers and electronic media or communication. Although Paragraph 10.3.1 notes that in certain circumstances it may be beneficial to have common criminal laws that apply to cyber crime, specific cyber laws are much more specific and carry more weight in the event of a legal interpretation dispute. These laws are occasionally referred to as netlitigation.

Table 10-1 indicates that there are 22 drivers identified in earlier chapters that may contribute to the sub dimension Specific cyber laws applicable to cyber crime. Table 10-3 presents these 22 drivers.

Table 10-3: Drivers applicable to sub dimension 2 (Own compilation)

Sub dimension 2: Drivers applicable to specific cyber laws applicable to cyber crime

Driver 1 Retrospective profiling nature of Digital Forensics.

Driver 2 There are three main limitations concerning forensic toolkits: • the problem of acquisition and imaging on a live system, • tools adapt poorly to large-scale investigations, and • difficult to view large evidence files holistically.


Driver 3 Organisations generally have three possible options to respond to a cyber attack: • do nothing; • perform an internal investigation; or • perform a detailed analysis with the intention to prosecute the cyber criminal.

Driver 4 Digital evidence has some unique properties.

Driver 5 Correct terminology is “… artefacts of potential evidentiary value”.

Driver 6 In both traditional and Digital Forensic measures, courts should allow the minor alteration of original evidence, without altering evidence in such a way that the meaning thereof changes.

Driver 7 Jurisdiction is difficult to determine when cyber crime is concerned.

Driver 8 Criminals tend to exploit the speed, convenience and anonymity of modern technology to commit a diverse range of crimes.

Driver 9 Cyber crime definition.

Driver 10 Cyber crime differs from real world crime in that it does not have: • physical proximity; • small scale; • physical constraints; or • offender-offence patterns.

Driver 11 Many different types of cyber crime exist.

Driver 12 The number of cyber crime incidents is rapidly increasing.

Driver 13 Cyber crime types can be classified according to: • crimes against individuals; • crimes against individual property; • crimes against organisations; and • crimes against society.

Driver 14 There are some key issues concerning cyber crime in the current Information Security environment.

Driver 15 Legislation and Law Enforcement of cyber crime has two main problems: • there are not enough Law Enforcement officers with appropriate computer forensics and computer crime investigative skills; • very few legal systems presently consider the digital world.

Driver 16 The judicial system does not accept all types of Digital Forensics, although the concept of forensics is justified.

Driver 17 There is a strong relationship between Digital Forensics and: • computer science; • forensic science; • criminal investigations; • computer security and Information Security; • business; and • system administrators.

Driver 18 Ciardhuáin’s Cyber Crime Investigation model is modified to contribute to the Liforac model (nine activities).

Driver 19 Many legal challenges exist that make the acceptance of Digital Forensics in the judicial system very difficult.


Driver 20 Digital Forensics ensures that investigators can identify and prosecute criminals that commit crimes involving the confidentiality, integrity and availability of electronic resources.

Driver 21 Digital Forensic Governance has only recently evolved from the other Corporate Governance disciplines and involves the governance and management of Digital Forensics.

Driver 22 In support of the security policies and various security technologies, Digital Forensics provides the means of investigation when these plans are compromised in some way.

Some of the laws and regulations that fall into this category include:

• Electronic Communications and Transactions Act of 2002 (South Africa);

• Information Technology Act 2000 (India);

• Computer Misuse Act of 1990 (United Kingdom);

• Cybercrime Act of 2001 (Australia);

• No Electronic Theft Act of 1997 (United States);

• Information Infrastructure Protection (IIP) Act of 1996 (United States);

• Computer Fraud and Abuse Act of 1984 (United States);

• Electronic Communications Privacy Act of 1986 (United States);

• Securing Adolescents from Exploitation-Online Act of 2007 (United States);

• Computer Crimes Act of 1997 (Malaysia);

• Cybercrime Bill of 2007 (Botswana);

• Computer Security and Critical Information Infrastructure Protection Bill of 2005 (Nigeria).

Figure 10-5 (on page 163) presents the Laws and regulations dimension, sub dimension Specific cyber crime laws. This figure evolves from Figure 9-2. Unfortunately, the forensic toolkits available to forensic investigators are not all updated regularly and are not immune to the constant onslaught of new cyber crime techniques. As a result, many of the cyber crime specific laws do not address specific forensic packages, but rather discuss general guidelines to which forensic toolkits need to adhere.

This generic discussion ensures that laws are not regularly outdated, but it can lengthen the process when a new forensic toolkit is made available. Courts first need to scrutinise and certify a specific toolkit before cyber crime laws can apply to the toolkit. However, specific cyber crime laws help organisations to prepare their systems for faster recovery in a cyber event and educate users on preserving electronic evidence.

Although there are numerous overlaps between Digital Forensics and traditional forensics, the technical details make it a highly specialised discipline. Lawyers need to be able to comprehend the technical details of these specific cyber laws, as well as interpret them with regard to the legal discipline. At present, very few lawyers can merge these two disciplines successfully. This matter, as well as non-technical judges, presents numerous limitations in the legal system. Ideally, this sub dimension should include legislation relevant to Digital Forensic Governance, a newly evolving discipline. At the time of research, no legislation regarding this topic was available for public viewing.

Figure 10-5: Drivers of the specific cyber crime laws (Own compilation)

The third sub dimension of the Laws and regulations dimension of the Liforac model is previous court cases and precedents. In the event that a court case involves a new phenomenon – whether it is a new type of crime or a new investigative method – and a court makes a specific ruling regarding the available evidence, this court case may have a significant impact on similar future cases. The next section investigates these types of occurrences and precedents.

10.3.3 Sub dimension 3: Court cases and precedents

Court cases and precedents are crucial in the acceptance of any new technology in court. Lectric Law Library defines a court precedent as a “… legal principle, created by a court decision, which provides an example or authority for judges deciding similar issues later”. These precedents are also referred to as case law. Generally, decisions made by higher courts are binding on lower courts, but not the other way round (Lectric Law Library 2005:Internet). Precedents in court cases establish a principle or rule that another court needs to adopt when deciding cases with similar issues or facts. Table 10-1 indicates that there are eleven drivers identified in earlier chapters that may contribute to the sub dimension Court cases and precedents. Table 10-4 presents these eleven drivers.

Table 10-4: Drivers applicable to sub dimension 3 (Own compilation)

Sub dimension 3: Drivers applicable to court cases and precedents

Driver 1 A thorough Digital Forensic Acquisition and analysis can be done with supporting software packages and applications

Driver 2 Different forensic suites exist for Windows, Mac, Linux and DOS

Driver 3 Summary of the tools and the stages in which they can be applied.

Driver 4 A well-known heuristic is needed to determine the admissibility of expert evidence: • Frye test; and • Daubert test.

Driver 5 In both traditional and Digital Forensic measures, courts should allow the minor alteration of original evidence, without altering evidence in such a way that the meaning thereof changes.

Driver 6 The number of cyber crime incidents is rapidly increasing.

Driver 7

There is a strong relationship between Digital Forensics and:

• computer science; • forensic science; • criminal investigations; • computer security and Information Security; • business; and • system administrators.

Driver 8 Ciardhuáin’s Cyber Crime Investigation model is modified to contribute to the Liforac model.

Driver 9 Many legal challenges exist that make the acceptance of Digital Forensics in the judicial system very difficult.

Driver 10 Digital Forensic Governance recently evolved from the other Governance disciplines to include the governance and management of Digital Forensics.

Driver 11 In support of the security policies and various security technologies, Digital Forensics provides the means of investigation when these plans are compromised in some way.

Figure 10-6 presents the Laws and regulations dimension, sub dimension Court cases and precedents. This figure evolves from Figure 9-2. One of the most important precedents in cyber crime cases is the use and acceptance of forensic toolkits. Evidence produced by some toolkits is more readily accepted by courts, while less common and less often used toolkits are subjected to more intense scrutiny during a cyber trial. In the same manner, some toolkits are more readily accepted on specific OSs.

Another important court precedent is the acceptance of a specific knowledge or experience level for expert witnesses. Forensic experts that appear regularly in court as witnesses will spend less time per trial giving evidence if the judge is acquainted with them on a professional basis (Wood 2008:Presentation). The first couple of appearances as a witness are a time consuming process during which the court first needs to establish whether the prospective witness can be regarded as a trustworthy, reliable witness with sufficient discipline knowledge and experience. However, in later trials this lengthy process may be shortened since the witness's reliability has already been established.

Figure 10-6: Drivers of the court cases and precedents (Own compilation)

The occurrences of cyber crime are drastically increasing. This provides a growing body of previous court cases and precedents to learn from. However, with the large number of new types of crime, many trials are the first of their kind and the presiding judge has difficulty in finding guidance regarding the case.

A similar situation exists with cyber trials related to the new area, Digital Forensic Governance. In some cases, it might be possible to relate some of the evidence to precedents in disciplines that have a strong relation with Digital Forensics. Ciardhuáin’s Cyber Crime Investigation model is also a great help in this regard, serving as a guideline for solutions to many of the existing problems in cyber crime investigations.

The fourth sub dimension of the Laws and regulations dimension of the Liforac model is the formal definition of court admissibility. Although this is the smallest of the four sub dimensions, it is probably the most important of the sub dimensions: if the data does not adhere to this definition, it may not be provided as evidence in the court. The next section investigates this definition.


10.3.4 Sub dimension 4: Definition of court admissibility

The definition of court admissibility largely determines whether the court would allow Live Forensic Acquisition. This definition, and the implementation thereof, has a big impact on the Live Forensic Acquisition discipline and is in many cases the most important aspect to consider during the lifetime of a forensic investigation.

Admissibility depends on a number of things, but the most crucial factor is the manner in which the evidence was collected. In many cases, this is the main reason why evidence can be rendered inadmissible. Table 10-1 indicates that there are twelve drivers identified in earlier chapters that may contribute to the sub dimension Definition of court admissibility. Table 10-5 presents these twelve drivers.

Table 10-5: Drivers applicable to sub dimension 4 (Own compilation)

Sub dimension 4: Drivers applicable to definition of court admissibility

Driver 1 A crime scene contaminated by the investigator renders the evidence inadmissible in court.

Driver 2 Chain of custody definition.

Driver 3 Many traditional forensic suites also cater for Live Forensic Acquisition.

Driver 4 The accuracy of results and the integrity of digital evidence need to be maintained at all times.

Driver 5 Complete definition of forensic soundness.

Driver 6 Rejected forensic evidence can hurt the case, or portray the investigators as incompetent.

Driver 7 Legal admissibility is the characteristic of a piece of evidence that determines whether it will be accepted by a court of law.

Driver 8 To ensure the acceptance of digital evidence, forensic investigators should maximise the evidential weight of a document by setting up authorised procedures and being able to demonstrate in court that those procedures have been followed.

Driver 9 There are two main elements to demonstrate the authenticity of electronic records: • freeze a record at a specific moment in time; • maintain a documented audit trail.

Driver 10 To ensure admissibility, counsel should be able to prove that: • the record has not been tampered with; • the system the record is kept in is a secure system; and • the system was secure throughout the record lifetime.

Driver 11 In both traditional and Digital Forensic measures, courts should allow the minor alteration of original evidence, without altering evidence in such a way that the meaning thereof changes.

Driver 12 Both authenticity and reliability play a crucial part in determining whether artefacts of evidentiary value can be considered as evidence or not.


Figure 10-7 presents the Laws and regulations dimension, sub dimension Definition of court admissibility. This figure evolves from Figure 9-2. Court admissibility is the most important aspect of the Laws and regulations dimension. This sub dimension forms the basis of the Liforac model – to develop an inclusive Live Forensic Acquisition model to ensure the admissibility of forensic evidence in court.

Figure 10-7: Drivers of the definition of court admissibility (Own compilation)

To ensure that evidence can be admitted in court, the forensic investigator needs to ensure and maintain the accuracy, reliability and authenticity of the evidence at all times. The easiest way to accomplish this is by maintaining a proper chain of custody. Many countries have guidelines regarding these chains of custody, ensuring the minimum requirements needed for admissibility. The process of maintaining integrity is theoretically straightforward, but the implementation of all the guidelines proves to be complicated at times.

At the moment, no evidence is allowed in court if it has been modified in the slightest. Due to the nature of electronic data, this renders a large amount of potential evidence inadmissible. Should the definition of court admissibility, however, change to include data modified in a controlled manner in which the meaning of the evidence does not change, forensic applications will be made much easier.
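The integrity and audit-trail requirements discussed above (and listed in Table 10-5 as Drivers 9 and 10) can be made concrete in code. The following Python block is an added example, not code from the thesis or from any forensic toolkit it discusses: it freezes a seized artefact by recording its SHA-256 digest at acquisition time, keeps a hash-linked chain-of-custody log in which every entry also commits to the hash of the evidence it was handed, and verifies both, so that any alteration of the evidence or any retroactive edit to the log can be demonstrated. The evidence bytes, custodian names and timestamps are constructed for the example, and the class and function names are assumptions of this example rather than the thesis's terminology.

```python
"""Hash-based integrity record and tamper-evident chain-of-custody log.

Added example, not part of the thesis. It illustrates the two elements of
authenticity named in Table 10-5 (Driver 9): freezing a record at acquisition
time by hashing it, and keeping a documented audit trail whose entries are
themselves hash-linked, so that later modification of either the evidence or
the log can be demonstrated in court (Driver 10). All names, timestamps and
evidence bytes below are constructed for the example.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List

ZERO_HASH = "0" * 64  # link value for the first log entry (no predecessor)


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest, hex encoded; this is the 'freeze' of a record's content."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int               # position in the log
    actor: str             # who handled the evidence (constructed names)
    action: str            # what was done: acquired, sealed, received, ...
    timestamp: str         # ISO 8601 string supplied by the caller
    evidence_hash: str     # hash of the evidence as observed at this step
    prev_entry_hash: str   # hash of the previous entry, or ZERO_HASH
    entry_hash: str = ""   # hash over all fields above, filled in on append

    def compute_hash(self) -> str:
        """Canonical hash of the entry, excluding its own entry_hash field."""
        fields = asdict(self)
        fields.pop("entry_hash")
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return sha256_hex(canonical.encode("utf-8"))


class ChainOfCustody:
    """Acquisition hash plus an append-only, hash-linked audit trail."""

    def __init__(self, evidence: bytes) -> None:
        self.acquisition_hash = sha256_hex(evidence)
        self.entries: List[CustodyEntry] = []

    def record(self, actor: str, action: str, timestamp: str, evidence: bytes) -> CustodyEntry:
        """Append an entry; each entry re-hashes the evidence it was handed."""
        prev = self.entries[-1].entry_hash if self.entries else ZERO_HASH
        entry = CustodyEntry(len(self.entries), actor, action, timestamp,
                             sha256_hex(evidence), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> List[str]:
        """Return a list of findings; an empty list means nothing was altered."""
        findings: List[str] = []
        if sha256_hex(evidence) != self.acquisition_hash:
            findings.append("evidence hash differs from acquisition hash")
        prev = ZERO_HASH
        for i, entry in enumerate(self.entries):
            if entry.seq != i:
                findings.append(f"entry {i}: sequence number out of order")
            if entry.prev_entry_hash != prev:
                findings.append(f"entry {i}: broken link to previous entry")
            if entry.entry_hash != entry.compute_hash():
                findings.append(f"entry {i}: entry contents altered")
            if entry.evidence_hash != self.acquisition_hash:
                findings.append(f"entry {i}: evidence differed from acquisition at this step")
            prev = entry.entry_hash
        return findings


def demo() -> tuple:
    """Three scenarios a court would ask about: intact, altered evidence, altered log."""
    evidence = b"constructed sample: bytes standing in for a memory image"
    coc = ChainOfCustody(evidence)
    coc.record("first responder (constructed)", "acquired", "2009-10-01T09:00:00Z", evidence)
    coc.record("lab analyst (constructed)", "received", "2009-10-01T14:30:00Z", evidence)
    intact = coc.verify(evidence)
    evidence_altered = coc.verify(evidence + b"\x00")   # a single appended byte
    coc.entries[0].actor = "someone else"                 # retroactive edit to the log
    log_altered = coc.verify(evidence)
    return intact, evidence_altered, log_altered


if __name__ == "__main__":
    for label, result in zip(("intact", "evidence altered", "log altered"), demo()):
        print(f"{label}: {result or 'no findings'}")
```

Each custody entry records the evidence hash as seen by that handler, so the log itself documents that the artefact was unchanged at every hand-over, and the hash link between entries means an entry cannot be edited after the fact without every later entry failing verification. In practice the log would be stored separately from the evidence and the acquisition hash would be witnessed and signed, which this example does not attempt.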

Equally, the manner in which evidence is retrieved has left a number of high profile South African cases with little or no admissible data. All four sub dimensions of the Laws and regulations dimension of the Liforac model have been discussed and presented visually in relation to the Liforac model.


10.4 Summary

Chapter 10 showed in more detail what the Laws and regulations dimension of the Liforac model entails. This chapter focused solely on the Laws and regulations dimension, as highlighted in Figure 10-1. Discussions with forensically knowledgeable colleagues resulted in a basic separation of the dimension into four distinct sub dimensions: Common crime laws applicable to cyber crime, Specific cyber laws, Court cases and precedents and Definition of court admissibility.

These four sub dimensions are developed in the remainder of the chapter. Each sub dimension is presented visually in relation with the dimension, showing all the drivers applicable to the specific sub dimension. These sub dimensions are also discussed and examples presented to motivate their inclusion in the Laws and regulations dimension.

Chapter 11 will now focus on the Timeline dimension of this model. The chapter proceeds similarly to Chapter 10, by highlighting the specific dimension in relation to the Liforac model, identifying its components and mapping previously identified drivers on the relevant components. Chapter 11 is the second chapter focusing on a specific dimension and will be presented as part of the complete model in Chapter 14.


Chapter 11: Timeline Dimension

“A little help at the right time is better than a lot of help at the wrong time.”

- Anonymous

Chapter 11 looks at the previously identified drivers (presented in Table 9-1) that map specifically onto the Timeline dimension. This chapter considers in detail what processes forensic investigators need to follow to ensure a forensically sound investigation. Chapter 11 divides all investigation processes into two process types: implied and explicit processes. Additionally, these processes split amongst three timeframes: Before the acquisition, During the acquisition and After the acquisition.

Figure 9-1 showed the last step in the Liforac model progress - the study reached the physical construction of the Liforac model. Chapter 11 now builds on the Laws and regulations dimension presented in Chapter 10 and is the second of four chapters that focus specifically on this construction. Figure 11-1 shows the proposed layout of the Liforac model, with the Timeline dimension forming one of the diagonal sections of the model, connected to all three other dimensions.

Figure 11-1: Focusing on the Timeline dimension (Own compilation)

Chapter 11 extends the generic framework for the Liforac model by extending this dimension into two distinct types of processes and three timeframes. This chapter will look in more detail at these components and indicate how the drivers identified in earlier chapters map to them. Due to the significant importance and intricate nature of the timeline during a Live Forensic Acquisition, this chapter is rather lengthy. Case studies and detailed figures are included to provide additional explanation.


11.1 Introduction

During any process, a properly established timeline can prove to be very helpful. Not only does a timeline present a chronological outline of events, but in the case of forensic investigations a proper timeline can also ensure admissibility of the acquired evidence in court. Ultimately, a properly established timeline can lead to the identification and prosecution of a cyber criminal. Figure 11-2 shows the two types of processes identified for the development of the Liforac model (based on Herzberg’s motivation/hygiene theory discussed in Paragraph 11.3) as Component 1 and 2, as well as three chronological timeframes that each incorporate both process types as Timeframe 1, 2 and 3.

Figure 11-2: Timeline dimension (Own compilation)

The inclusion of these components and timeframes is motivated as follows:

• Component 1 (C1): Implied processes. These processes refer to specific processes that may not necessarily contribute directly to the successful completion of the Timeline dimension, but the absence of these processes may render the timeline unsuccessfully completed.

• Component 2 (C2): Explicit processes. These processes refer to specific processes that contribute directly to the successful completion of the Timeline dimension.

• Timeframe 1 (T1): Timeframe before the acquisition. The timeframe before the acquisition ensures full coverage of all possible processes involved before the actual acquisition starts. This ensures a solid planning and foundation stage.

• Timeframe 2 (T2): Timeframe during the acquisition. The timeframe during the acquisition ensures full coverage of all possible processes for the duration of the acquisition. This ensures that investigators collect all the necessary evidence in a manner that will lead to the admission thereof in a court of law.

• Timeframe 3 (T3): Timeframe after the acquisition. The timeframe after the acquisition ensures full coverage of all possible processes involved after the actual acquisition ends. This ensures that the chain of custody remains intact and the evidence is stored and returned safely after the investigation.

These two types of processes and the three timeframes form the Timeline dimension of the Liforac model. The next section maps the drivers identified in Table 9-1 onto the components listed above.

11.2 Mapping the drivers to the dimension

Table 9-1 united all the drivers identified in the first eight chapters. Table 11-1 shows a sub section of that table, with only those drivers applicable specifically to the Timeline dimension. The last column maps the specific driver to one of the components shown in Figure 11-2.

Table 11-1: Summary of identified drivers on the Timeline dimension (Own compilation)

Identified driver | Original chapter | Component with corresponding number

Digital Forensic methodology consists of three steps: • acquire evidence without altering the original; • authenticate that the recovered evidence is the same as the originally seized data; and • analyse the data without modifying it | Paragraph 3.3 | Implied process (C1); Timeframe before acquisition (T1); Timeframe during acquisition (T2); Timeframe after acquisition (T3)

Digital Forensic process consists of four steps: • collection; • examination; • analysis; and • reporting | Paragraph 3.3.1, Paragraph 4.2, Table 4-1 | Explicit process (C2); Timeframe before acquisition (T1); Timeframe during acquisition (T2); Timeframe after acquisition (T3)

The First Responder has a very definite role in the Live Forensic process | Paragraph 3.3.1 | Implied process (C1); Timeframe before acquisition (T1)

Generic Forensic Acquisition process applies to both Dead and Live Forensic Acquisition and consists of the following steps: • accusation or incident alert; • approach computer; • protect the system from evidence modification; • make a copy of the system; • document chain of custody; and • transport and store evidence media | Paragraph 3.4, Figure 3-5 | Explicit process (C2); Timeframe during acquisition (T2); Timeframe after acquisition (T3)

Chain of custody plays an important role in forensics | Paragraph 3.4.4 | Implied process (C1); Timeframe during acquisition (T2)

The integrity of the evidence should be protected at all times | Paragraph 3.4.4 | Implied process (C1); Timeframe during acquisition (T2)

A thorough Digital Forensic Acquisition and analysis can be done with supporting software packages and applications | Paragraph 4.1 | Explicit process (C2); Timeframe during acquisition (T2); Timeframe after acquisition (T3)

Different forensic suites exist for Windows, Mac, Linux and DOS | Paragraph 4.1 | Explicit process (C2); Timeframe during acquisition (T2); Timeframe after acquisition (T3)

Specific tools can be applied in specific stages of the forensics process | Paragraph 4.2, Table 4-1 | Explicit process (C2); Timeframe during acquisition (T2); Timeframe after acquisition (T3)

Many traditional forensic suites also cater for Live Forensic Acquisition | Paragraph 4.2, Table 4-1 | Explicit process (C2); Timeframe during acquisition (T2)

Table 11-1 shows the interpretational mapping of the five identified components onto the drivers already

identified in this study. Some of these identified drivers overlap and can be merged. The remainder of this

chapter is devoted to discussions on the two types of processes (Components 1 and 2) and the three

timeframes (Timeframes 1, 2 and 3).

11.3 Developing the Timeline dimension

A timeline presents a visualisation of a sequence of events to show the relationship between the entities. The Timeline dimension presents all processes performed by forensic investigators and shows them visually in the sequence in which they should be executed to ensure sound forensic practices. In essence, this specific timeline representation consists of implied and explicit processes.

Frederick Herzberg’s motivation/hygiene theory puts the implied and explicit processes into perspective. Herzberg based his theory on factors determining whether employees feel good or not about their work.


On the one hand, there are motivators or satisfiers. Motivators contribute to a sense of achievement and

a sense of recognition for work done. These factors make employees feel better about their work and

environment (Newell 2005:131).

On the other hand are the hygiene factors or dissatisfiers. These factors include things like company policies, relationships with supervisors and peers, salary, personal factors and status. These factors are environmental in nature and their loss is associated with bad feelings. Accordingly, hygiene factors do not necessarily contribute to happier employees, but their absence may spark unhappiness (Newell 2005:131).

In the context of the Timeline dimension, the implied processes compare to the hygiene factors (discussed in the next section). These processes may not play a very pertinent role in the timeline, but their absence may cause dissatisfaction or eventually lead to the inadmissibility of evidence in court. The explicit processes (discussed in Paragraph 11.3.2) compare to the motivators. These processes form a crucial part in the successful completion of the timeline. The next paragraph introduces the implied processes.

11.3.1 Component 1: Implied processes

The idea for implied processes developed from the notion that some processes are inherent to ensuring the forensic soundness of digital evidence. These processes are not once-off actions, but should be maintained throughout the entire acquisition approach. In this sense, the implied processes are similar to the hygiene factors in Herzberg’s motivation/hygiene theory. These processes may not necessarily contribute directly to the successful completion of the Timeline dimension, but their absence may prevent the timeline from being completed successfully.

According to Haggerty and Taylor (2006:14), a Digital Forensic policy needs to include guidance on how to conduct computer forensic investigations. These guidance processes are hygiene factors that do not necessarily contribute directly to a successful investigation, but their absence may cause problems later on in the process (an investigation can be considered successful if the evidence retrieved is acceptable in court, irrespective of whether the guilty party has been found or not). By putting down these guidelines and ensuring the organisation’s compliance with them, the integrity of the investigation and of the data obtained can be maintained. They suggest that the policy should include guidance on:

• how to secure potential evidence (Secure evidence);

• how to preserve the integrity of the original data (Preserve integrity);

• how to record actions taken if the original data has to be examined (Record actions);

• the production of an audit trail covering all aspects of a forensic examination (Audit trail);

• how to analyse the collected data and information (Sound analysis); and

• the establishment of a responsibilities matrix for staff involved in the examination (Responsibility matrix).

Figure 11-3 shows how Haggerty and Taylor’s (2006:14) suggestions are incorporated into the proposed Liforac model as implied processes. Although these blocks form part of the model, they are not included as part of the physical Live Forensic process, but rather as separate building blocks. These six identified guidance aspects are implied processes, or hygiene factors, that need to be present during the full duration of the timeline. These building blocks need to influence all the individual processes to ensure a successful forensic investigation.

[Figure 11-3: legend of the six implied-process blocks: Audit trail, Secure evidence, Preserve integrity, Sound analysis, Responsibility matrix, Record actions]

Figure 11-3: Liforac model implied processes (Adapted from: Haggerty & Taylor 2006:14)

Paragraph 3.3 introduced the Digital Forensic process, showing the similarities and differences between Dead

Forensic Acquisition and Live Forensic Acquisition. For both these approaches, it is necessary to ensure

that the evidence remains forensically sound, regardless of the processes involved in the acquisition.

The implied processes (presented in Figure 11-3) ensure that evidence remains forensically sound. They are not necessarily distinct processes, but they do affect the successful completion of the investigation. For example, the existence of a responsibility matrix will not ensure a successful forensic investigation. However, the absence of such a matrix may complicate the investigation process dramatically. The next section introduces the explicit processes, similar to Herzberg’s motivators.
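To make the six implied processes concrete, the following added example (my own code, not part of the thesis or its model) shows an append-only, hash-chained audit trail in Python. Each recorded action is checked against a constructed responsibility matrix (Responsibility matrix); source and image hashes are logged at acquisition and rechecked before examination (Secure evidence, Preserve integrity, Sound analysis); and every entry commits to the hash of the previous entry (Record actions, Audit trail), so an edited or removed entry is detected. The roles, actions, office location and sample evidence bytes are constructed assumptions.

```python
"""Added example (not from the thesis): a hash-chained audit trail that
exercises the six implied processes during a Live Forensic Acquisition."""
import hashlib
import json
from datetime import datetime, timezone

# Responsibility matrix (constructed): which role is responsible for which
# recorded action. Anything outside the matrix is refused, so it cannot
# silently enter the audit trail.
RESPONSIBILITY_MATRIX = {
    "system_administrator": {"incident_alert"},
    "security_guard": {"witness"},
    "forensic_investigator": {"acquire", "verify", "seal"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only record of actions; every entry commits to the hash of the
    previous entry, so a removed or edited entry breaks verification."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, actor: str, role: str, action: str, details: dict) -> str:
        if action not in RESPONSIBILITY_MATRIX.get(role, set()):
            raise PermissionError(f"role '{role}' is not responsible for '{action}'")
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action,
            "details": details, "prev_hash": prev_hash,
        }
        # Hash the canonical JSON of the entry body, then store the hash with it.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        """Walk the chain: sequence numbers, back-links and entry hashes must all match."""
        prev_hash = self.GENESIS
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != seq or body["prev_hash"] != prev_hash:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev_hash = entry["entry_hash"]
        return True


def acquire(source: bytes, trail: AuditTrail, actor: str):
    """Copy the evidence and record source and image hashes (preserve integrity)."""
    image = bytes(source)  # stand-in for writing a forensic image to the destination drive
    source_hash, image_hash = sha256_hex(source), sha256_hex(image)
    trail.record(actor, "forensic_investigator", "acquire",
                 {"source_sha256": source_hash, "image_sha256": image_hash})
    return image, image_hash


def verify_image(image: bytes, expected_hash: str, trail: AuditTrail, actor: str) -> bool:
    """Re-hash the image later (e.g. before examination) and log the outcome."""
    match = sha256_hex(image) == expected_hash
    trail.record(actor, "forensic_investigator", "verify",
                 {"expected_sha256": expected_hash, "match": match})
    return match


def run_demo() -> dict:
    """Constructed walk-through: alert, witnessed acquisition, verification,
    a refused action, then tampering with a past trail entry."""
    trail = AuditTrail()
    trail.record("sysadmin", "system_administrator", "incident_alert",
                 {"note": "unusual after-hours network activity (constructed)"})
    trail.record("guard", "security_guard", "witness",
                 {"location": "office 12 (constructed)"})
    evidence = b"constructed stand-in for the suspect system's volatile data"
    image, image_hash = acquire(evidence, trail, "investigator")
    image_ok = verify_image(image, image_hash, trail, "investigator")
    intact_before = trail.verify()
    try:  # the guard is not responsible for acquisition in the matrix
        trail.record("guard", "security_guard", "acquire", {})
        denied = False
    except PermissionError:
        denied = True
    trail.entries[1]["details"]["location"] = "office 13"  # tamper with a past entry
    intact_after = trail.verify()
    return {"image_ok": image_ok, "intact_before": intact_before,
            "denied": denied, "intact_after": intact_after}


if __name__ == "__main__":
    print(run_demo())
```

The chain only proves that the trail has not been altered since each entry was written; in practice the latest entry hash would also be recorded outside the investigator's control (for example countersigned by the independent witness) so that the whole trail cannot be regenerated.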


11.3.2 Component 2: Explicit processes

The Liforac model’s process framework builds largely on Ciardhuáin’s model (refer to Paragraph 8.4). Table 8-2 originally presented the mapping of his model onto the generic cyber crime model, resulting in a more compact model with only eight processes. Although Ciardhuáin’s model applies in its entirety to the Digital Forensic investigation approach, some of the model’s processes were merged to present a model wholly applicable to the Digital Forensic Acquisition process. An additional process, Preservation, is also included for completeness. According to this mapping, the Liforac model constitutes nine processes:

1. Awareness. Events external to the organisation typically create awareness: someone reports a crime to the police or requests an auditor to perform an audit (Ciardhuáin 2004:5). This process also incorporates the accusations and incident alerts introduced in Paragraph 3.4.1 (Casey 2004a:102);

2. Authorisation. Investigators need to have authorisation before starting an investigation. Without the necessary authorisation, courts of law can dismiss evidence from trial;

3. Planning. Information from both inside and outside the investigating organisation influences the planning stage. Outside the organisation, regulations and legislation set the context of the investigation. Investigators may also collect information from other external sources. From within the organisation, the organisation’s own strategies, policies and previous investigations’ case studies can influence the investigation;

4. Notification. Notification refers to informing the subject of an investigation or other concerned parties that the investigation is taking place. On some occasions, the intention is to perform a covert investigation and the respective parties should not be notified (Ciardhuáin 2004:6);

5. Search and identify evidence. This process represents the traditional search and seizure, collection of the evidence and the transport and storage of the evidence. This also includes the Live Forensic Acquisition process;

6. Preservation. To ensure that digital evidence can be used in future court cases and disciplinary hearings, it is necessary to preserve the data against inevitable decay, damage or spoilage. This process ensures the maintenance of the evidence integrity;

7. Examination of evidence. The manual and automatic investigation of the acquired data to find information that can be used in a court of law. This examination includes feature extraction and file system parsing;

8. Hypothesis. Investigators need to present the hypothesis of the investigation and then either prove or defend it. Investigators have to prove the validity of their hypothesis and defend it against criticism and challenge; and

9. Dissemination of information. Once investigators have gathered enough information to assist in Law Enforcement, it is necessary to disseminate this information to the relevant parties. The easiest way to do this is by using an intelligent computer software system. In essence, such a system can substantially improve crime and terrorism detection (Orbitron 2007:Internet).

The drivers identified as applicable to the explicit processes (refer to Table 11-1) overlap and further reinforce the nine processes listed above. Half of the identified drivers refer to specific processes that need to be followed, whilst the remainder focus on the use of forensic toolkits to perform the processes. These nine processes are explicit in nature and can be considered as the motivation factors to be addressed in the acquisition process.

Figure 11-4 shows the incorporation of the Live Forensic explicit processes into the proposed Liforac model. These blocks form the basis of the Timeline dimension of the Liforac model. The integration of the implied processes with these explicit processes is discussed in Paragraph 11.3.3. All the processes in Figure 11-4 have already been discussed above. However, the dissemination of information requires more in-depth discussion. There are many different ways of disseminating information. In the forensic investigation process, all the collected information needs to be used for the case itself, referred to here as secrecy. Although the information may not necessarily remain secret, the investigator generally prefers a certain dimension of secrecy until the information is presented in either court or the organisation’s disciplinary hearing.

This type of information dissemination is the main reason for the information collection in the first place, and officially ends the forensic investigation. Another optional way to disseminate information after an investigation is to use the information as input to a case study. This also serves as an educational means to further the understanding of the discipline. Using this kind of information in case studies may be either anonymous or public. The next section integrates the implied and explicit processes and shows the relation between these process groups.

11.3.3 Integrating the Timeline Components

The previous sections presented the process flows within the Liforac model. The generic framework

consists of implied (Paragraph 11.3.1) and explicit (Paragraph 11.3.2) processes, the timeframe before the

acquisition (Paragraph 11.3.4.1), the timeframe during the acquisition (Paragraph 11.3.4.2) and the

timeframe after the acquisition (Paragraph 11.3.4.3). Figure 11-5 (on page 179) shows the integration of

the implied and explicit process flows of the Liforac model.


Figure 11-4: Liforac model explicit processes (Own compilation)

Each of the implied processes has a very important role to play in the explicit process flow. Figure 11-5

shows a basic mapping of which of the implied processes map onto which specific explicit processes,

briefly listed below:

• Securing evidence is a crucial part of Examination, Search and identify, as well as Information

dissemination.

• Preserving integrity plays a part in Planning, Examination, Search and identify and Information

dissemination.

• Recording actions plays a vital role in the chain of custody. Accordingly, these indirectly affect

Awareness, Authorisation, Planning, Notification, Search and identify, Examination, Hypothesis and

Information dissemination.

• Keeping an audit trail relates to the chain of custody, but refers more to formal documentation

that will be included in the final case report. This is specifically relevant to Planning, Notification

and Examination.

• Sound analysis is similar to preserving the integrity of the information. Although it applies only to the Examination process, it forms a very crucial aspect of it.

• A responsibility matrix is probably the most important of the implied processes, and applies to

all of the explicit processes: Awareness, Authorisation, Planning, Notification, Search and identify,


Examination, Hypothesis and Information dissemination. Although it is possible that a complete

forensic team will be doing the investigation, it is necessary that a single person be responsible

for at least the progress reports of these processes.

Figure 11-5: Liforac model process flow (Own compilation)

The next section looks at the sub process flows present within the process blocks depicted in Figure

11-5. This section considers these data flows within the constraints of the Live Forensic process timeline.

11.3.4 Timeline for the Live Forensic Process

The timeline for the Live Forensic process roughly divides into three timeframes: before, during and after

the acquisition. These timeframes will form the discussion themes presented in the next sections.

Figure 11-6 shows the proposed Liforac model process flows with the new timeframes indicated.

• Timeframe 1: Before the Live Forensic Acquisition involves Awareness, Authorisation and Planning

(discussed in Paragraph 11.3.4.1).

• Timeframe 2: During the Live Forensic Acquisition involves Notification, Search and identify, and

Preservation (discussed in Paragraph 11.3.4.2).


• Timeframe 3: After the Live Forensic Acquisition involves Examination, Hypothesis and Information

dissemination (discussed in Paragraph 11.3.4.3).

Figure 11-6: Liforac model process flow indicating timeframes (Own compilation)

Figure 3-3 presented a rough timeline of events when investigators apply Live Forensic Acquisition. After

the additional research done in the preceding chapters, Chapter 11 now presents a more complete timeline

with a detailed discussion of the individual timeframes. The next sections discuss the three timeframes

in detail.
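As an added example (my own code, not from the thesis), the following Python function encodes the nine explicit processes and the timeframe each belongs to, as listed above for Figure 11-6, and checks a logged sequence of processes against them. It flags a process from an earlier timeframe logged after a later timeframe has already begun, a Search and identify entry with no preceding Authorisation (the admissibility risk the thesis raises for unauthorised acquisition), timestamps that run backwards, and processes that were never logged. The two investigation logs and their timestamps are constructed.

```python
"""Added example (not from the thesis): validating a logged sequence of the
nine explicit Liforac processes against the three timeframes."""

# The nine explicit processes in model order, with the timeframe each
# belongs to (1 = before, 2 = during, 3 = after the acquisition).
PROCESS_TIMEFRAME = {
    "Awareness": 1, "Authorisation": 1, "Planning": 1,
    "Notification": 2, "Search and identify": 2, "Preservation": 2,
    "Examination": 3, "Hypothesis": 3, "Information dissemination": 3,
}


def check_timeline(events):
    """events: list of (process, ISO-8601 timestamp) as logged by the investigator.
    Returns a dict of findings; empty 'unknown', 'out_of_order', 'unauthorised'
    and 'missing' lists mean the log is consistent with the Liforac timeline."""
    findings = {"unknown": [], "out_of_order": [], "unauthorised": [], "missing": []}
    highest_phase = 0      # latest timeframe that has started so far
    authorised = False
    seen = set()
    last_ts = ""
    for process, ts in events:
        phase = PROCESS_TIMEFRAME.get(process)
        if phase is None:
            findings["unknown"].append(process)
            continue
        # Same-format ISO timestamps compare correctly as strings.
        if ts < last_ts:
            findings["out_of_order"].append(f"{process}: timestamp earlier than previous entry")
        last_ts = ts
        # A process from an earlier timeframe logged after a later timeframe
        # has begun (e.g. Authorisation after Search and identify) breaks the timeline.
        if phase < highest_phase:
            findings["out_of_order"].append(
                f"{process} (timeframe {phase}) logged after timeframe {highest_phase} began")
        highest_phase = max(highest_phase, phase)
        if process == "Authorisation":
            authorised = True
        # Acquisition without prior authorisation risks exclusion of the evidence.
        if process == "Search and identify" and not authorised:
            findings["unauthorised"].append(process)
        seen.add(process)
    findings["missing"] = [p for p in PROCESS_TIMEFRAME if p not in seen]
    return findings


# Constructed log that follows the model order.
CONSTRUCTED_LOG = [
    ("Awareness", "2009-10-01T18:05:00Z"),
    ("Authorisation", "2009-10-01T18:40:00Z"),
    ("Planning", "2009-10-01T19:10:00Z"),
    ("Notification", "2009-10-01T19:30:00Z"),
    ("Search and identify", "2009-10-01T19:45:00Z"),
    ("Preservation", "2009-10-01T21:00:00Z"),
    ("Examination", "2009-10-02T09:00:00Z"),
    ("Hypothesis", "2009-10-03T10:00:00Z"),
    ("Information dissemination", "2009-10-05T14:00:00Z"),
]

# Constructed log where acquisition happened before authorisation and
# several processes were never recorded.
BAD_LOG = [
    ("Awareness", "2009-10-01T18:05:00Z"),
    ("Search and identify", "2009-10-01T18:20:00Z"),
    ("Authorisation", "2009-10-01T18:50:00Z"),
    ("Examination", "2009-10-02T09:00:00Z"),
]

if __name__ == "__main__":
    print(check_timeline(CONSTRUCTED_LOG))
    print(check_timeline(BAD_LOG))
```

The check treats Planning as a timeframe-1 process, as the list above does; a team that records planning updates throughout an investigation would need to exempt it from the ordering rule.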

11.3.4.1 Timeframe 1: Before the Live Forensic Acquisition

Before the Forensic Acquisition is a very crucial time. Not only is it necessary to prepare all the people involved in the case, but a solid foundation might help the case in court. Before the Forensic Acquisition consists of three main processes: Awareness, Authorisation and Planning. Of these three processes, Planning is the most crucial, presented as the overarching Planning process at the bottom of the figure and mapped to many of the other sub processes.


A detailed process flow for the timeframe Before the Live Forensic Acquisition incorporates information gathered throughout the study. Figure 11-7 presents this updated process flow model, specifically for the timeframe before the Live Forensic Acquisition.

Figure 11-7: Before the Live Forensic Acquisition timeframe (Own compilation)

This figure also extends to include the implied process mapping introduced in Figure 11-5 and to

introduce the explicit process mapping onto specific processes (noted with 1, 2 and 3). The updated

process flow model, however, still builds on the original model presented in Figure 3-3. Case study 1

gives an example interpretation of Figure 11-7 in a real-life forensic investigation example.

Case study 1: Before the Live Forensic Acquisition timeframe (see Figure 11-7)

Organisation ABC’s system administrator noticed unusual network activity after working hours for the

past three days. With specialised network software, the administrator is able to track the specific IP

address of the offending computer and determine the location of the office and the employee linked to


that office. The administrator has a close working relationship with Organisation ABC’s trained forensic

support services. He logs an incident alert through the specified organisational channels to notify the

forensic support service staff member on duty about the unusual activity, citing the office and employee

identified.

The forensic support service staff member (further referred to as forensic

investigator) receives the incident alert and contacts the organisation’s security

services to arrange for a security guard with the master key to the office in

question to accompany him on a site inspection of the physical location of the

office specified by the system administrator.

The forensic investigator and the security guard (accompanying the forensic investigator as independent witness) proceed to the office in question. From the end of the corridor, the forensic investigator notes and documents that the office door in question is open and the office lights switched on. The forensic investigator and security guard decide to walk past the open door, without communicating with any individuals that might be in the office. This is an indirect way of approaching the computer.

Whilst passing the open office door, the forensic investigator notes that there is

a Caucasian male in his late twenties sitting at the desk, evidently working on

the computer located on the office desk. Taking into account that the computer

is switched on, the forensic investigator decides to proceed with Live Forensic

Acquisition.

The man sitting behind the computer did look up when the two individuals (one

wearing formal office wear and the other Organisation ABC’s prescribed security

dress) passed the office, but did not appear to perceive the walk-by as a site

inspection. As a result, the forensic investigator decides to proceed with a covert

investigation from his forensic laboratory. The forensic investigator returns to the

forensic laboratory and makes comprehensive notes on all his observations, as

well as sketching a rough map of the layout of the office in question, as viewed

through the open door. The security guard returns to the security headquarters.

There are specific processes that need to be in place in the event of a covert

investigation. The forensic investigator previously installed EnCase Enterprise

on all the organisation’s registered computers. He now activates the secure

VPN from the EnCase server.


Isolation is not practical during a covert investigation. Accordingly, the forensic investigator activates approved network monitoring software to constantly monitor any activity on the machine in question. Should the network monitoring software indicate that the activity on the computer has ceased, the forensic investigator needs to contact the security guard with the master key again. The security guard would then have to return to the suspect site, unlock the office and serve as independent witness whilst the forensic investigator connects a Mouse Jiggler to the system to maintain its active state. The security guard knows about this possibility and remains on standby.

A covert investigation automatically suggests a network acquisition. The forensic

investigator now checks the activity throughout the entire organisation’s network.

The available bandwidth should be adequate to allow a network acquisition in

the least amount of time.

The forensic investigator checks the suspect system’s BIOS and checks basic system information as recorded in the system administrator’s logs. He checks the size of the suspect drive and checks the destination drive for sufficient space.

The forensic investigator checks location data sent by the system administrator

in the incident alert with his own notes made about the site visit. According to

the system administrator’s logs, the employee linked to the office in question is

supposed to be Susan Brown, a middle-aged Caucasian female. Checking

Human Resource records, the forensic investigator notes that Susan Brown has

been on extended sick leave for the past two weeks due to major back surgery.

Since this incident alert came through after hours and there is only one forensic

investigator on duty, no case briefing is required at this time.

As the only active member of the team at this specific point of time, the on duty

forensic investigator needs to assess his own competency regarding the

prospective case. He has practical experience in similar cases, and decides to

proceed with the investigation.

According to the system administrator’s logs, all the computers run Windows XP.

Regarding technical aspects, the forensic investigator decides that no additional

expert advice is necessary. However, he may need to involve additional people

to identify the man sitting behind the desk and to determine how he got access

to Susan Brown’s computer.


The forensic investigator knows that one of the organisational policies requires

that all employees should sign the standard electronic device disclaimer before

a computer is issued for their use. This disclaimer states that the organisation’s

electronic devices remain the property of Organisation ABC, and that the

employee can use the devices whilst in the employ of the organisation.

The disclaimer explicitly states that the system administrator may periodically

conduct searches on the electronic devices, and that the employees only have

a reasonable claim to privacy. Based on this knowledge, the forensic

investigator contacts the system administrator and gets written permission to

access the computer in question. This diminishes the forensic investigator’s

liability in the event of a legal rebuttal.

Once all this information is duly noted and documented, the forensic investigator has successfully completed the processes necessary before the Forensic Acquisition can commence. These processes include Awareness, Authorisation and Planning.

* Throughout the entire process, the implied processes should be adhered to.

Figure 11-7 extends the information presented in Figure 11-6, focusing only on the three processes related

to the Before timeframe. Awareness, Authorisation and Planning extend to include in order:

• determining the current power status of the computer and computer system;

• selecting the investigation mode (overt or covert);

• isolating the system in question and securing it promptly;

• selecting the analysis mode (local or remote); and

• comprehensive pre-acquisition planning.

Each of these processes is now discussed in relation to Figure 11-7.

1 Awareness

It is essential that all personnel involved in the investigation, especially in the search and seizure, should

be adequately briefed beforehand. All participating investigators should be aware of any special

circumstances surrounding the particular investigation, as well as newest trends and legalities relevant to

the case. This briefing can either take the form of a written document, or a formal meeting where all the

people involved are verbally briefed by a superior, and should cover aspects regarding the suspect’s

intelligence, the crime scene’s information and logistics, as well as specifics regarding the computers

involved (ACPO 2007:21).


On a timeous basis, personnel should also be reminded of the basic rules and procedures involved with

computer-based electronic evidence. Briefings should make specific mention, where available, of any

specialist support that exists and how these specialists may be summoned (ACPO 2007:21). Generally,

these briefings are aimed at First Responders (introduced in Paragraph 3.3.1) who are the first people to

be sent out to the crime scene. At this stage, investigators may wish to consider the use of covert entry

and property interference in more serious cases (ACPO 2007:21).

Figure 11-7 presents Awareness as part of the overarching Planning process at the bottom of the figure.

Awareness includes:

• obtaining data regarding the computer system;

• obtaining data regarding the location; and

• case briefing.

The next process in the Before the Live Forensic Acquisition timeframe is authorisation, discussed next.

2 Authorisation

Anything done during an investigation needs to be authorised beforehand. In the event that it was not

authorised beforehand, the investigating team might encounter legal problems at a later stage.

The most important people involved in a Forensic Acquisition are the First Responders. These individuals receive specialised training to deal with these situations. They require a supervisor to brief them and organise a search warrant, should the investigation require it. If the briefing reveals that there will be special/unknown circumstances surrounding the computers present at the subject premises, the services of specialised staff should be contracted in before the acquisition commences. In rare circumstances, the case officer may feel it necessary to secure the services of an independent consulting witness to attend the scene of a search and subsequent examination (ACPO 2007:22).

Should external specialists or expert witnesses be required as part of the search and seizure, the name

of the person in question should be included in the wording of the search warrant. Due to a number of

restrictions and prerequisites, these specialists should be carefully selected before any involvement in an

investigation (ACPO 2007:33). More information on how to select expert witnesses can be found on the

accompanying CD, see Presenting evidence.

Figure 11-7 (on page 181) presents Authorisation as part of the overarching Planning process at the

bottom of the figure, as well as in some of the main processes. Authorisation includes:

• identifying the necessity of expert advice;

• obtaining the necessary authorisation; and

• isolating the system (refer to Paragraph 3.4.2).


To ensure that a Live Forensic Acquisition goes according to plan, and results in forensically sound

evidentiary artefacts, preliminary planning is essential. If it is at all possible, as much information as

possible should be obtained beforehand about the type, location and connection of any computer

systems. Planning, discussed next, extends to include both Awareness and Authorisation.

3 Planning

A plan of action, the people involved and the tools needed for the investigation should be decided on

before the investigation commences, minimising the opportunity of unexpected surprises. For example,

single computers with an internet connection are those most commonly found and investigators with a

basic level of training in digital evidence recovery can usually seize these. However, when medium or large

network systems are involved, investigators need to call in relevant expert advice before proceeding.

If possible, the IT literacy of the suspect and the known intelligence should be determined to decide

whether specialist assistance should be considered for the investigation (ACPO 2007:21). It is very

important that a forensic investigation follow all of the above processes diligently and in order. Neither

investigators nor company staff members should be allowed to search the system and disturb evidence.

Only forensically qualified staff should enter the system with the necessary authorisation, since additional

activity may disturb the timeline of the files needed in the investigation.

Part of the Planning process is to ensure that the forensic investigation team has all the necessary

equipment (both hardware and software) readily available. To be fully prepared for any crime scenario,

the investigators need to take an extended list of equipment to the crime scene. The tools can be useful

in the proper dismantling of computer systems, as well as during packaging and removal. This will

ensure that the team is prepared for any system configuration. Table 11-2 presents a list of suggested

equipment needed to ensure full preparedness.

Table 11-2: Digital Forensic equipment needed during a Live Forensic investigation (Adapted from: ACPO 2007:21,22; DIBS USA Inc 2008:Internet)

Digital Forensic equipment needed

• property register

• exhibit labels (tie-on and adhesive)

• labels and tape to mark component parts of the system, including leads and sockets

• tools such as screw drivers (flathead and crosshead), pliers, wire cutters for removal of cable ties

• a range of packaging and evidential bags fit for the purpose of securing and sealing heavy items such as computers and smaller items such as PDAs and mobile phone handsets

• cable ties for securing cables

• flat pack assembly boxes - consider using original packaging if available

• coloured marker pens to code and identify removed items

• camera and/or video to photograph scene in situ and any on-screen displays

• torch

• mobile telephone for obtaining advice, not to be used in the proximity of computer equipment

• latex gloves

• crime scene bandages

• tweezers

• mobile forensic workstation with appropriate forensically sound software already installed

• Rapid Action Imaging Device (RAID)

This toolkit suggests only a number of basic tools, but can be extended as deemed necessary by the

investigator. Figure 11-7 (on page 181) presents Planning as the overarching process at the bottom of

the figure, as well as in most of the main processes. Planning includes:

• components of both the Awareness (1) and Authorisation (2) processes;

• selecting investigating mode and specific processes;

• selecting acquisition mode; and

• identifying the necessity of expert advice.

The implied processes relevant to this timeframe (refer to Paragraph 11.3.3) are Recording actions and

Keeping an audit trail. Both these processes are crucial during any planning process and involve a lot of

administration. The third implied process is the Responsibility matrix. This ensures that each member of

the investigating team knows exactly what is expected of him/her. Once the forensic investigator has done all

the necessary pre-acquisition planning, he/she can proceed to the next timeframe - During the Live

Forensic Acquisition.

11.3.4.2 Timeframe 2: During the Live Forensic Acquisition

Although the planning before the actual acquisition is very crucial, the physical process of acquisition is

the main aspect of a forensic case. Opposing counsel often questions the integrity of this acquisition process

and occasionally proves an inadequate chain of custody that leads to the exclusion of crucial evidentiary

artefacts from the proceeding. This is often based on the methods and techniques used during the

acquisition process. The During the Live Forensic Acquisition timeframe is the most crucial time in which the

forensic soundness of the evidentiary artefacts can be assured.

A detailed process flow for the timeframe During the Live Forensic Acquisition incorporates information

gathered throughout the study. Figure 11-8 presents this updated process flow model, specifically for the

timeframe During the Live Forensic Acquisition.


Figure 11-8: During the Live Forensic Acquisition timeframe (Own compilation)

This figure also extends the implied process mapping introduced in Figure 11-5 and introduces the

mapping of the explicit processes (noted with a 4, 5 and 6). The updated process flow model, however,

still builds on the original model presented in Figure 3-3. Case study 2 gives an example interpretation of

Figure 11-8 in a real-life forensic investigation example.

Case study 2: During the Live Forensic Acquisition timeframe (see Figure 11-8)

Organisation ABC’s on duty forensic investigator has duly prepared for a covert Live Forensic Acquisition.

He created awareness through observation, got the necessary authorisation from the system administrator

and planned the network acquisition (refer to Case study 1). He now proceeds with the forensic acquisition.

The forensic investigator includes a number of sketches and maps in the case

documentation: a blue print layout of the organisation’s floor plan (if available) and a

map made during the site inspection. In this case study, the forensic investigator

never entered the office in question. Accordingly, he includes the sketch he made when glimpsing through the open office door. The forensic investigator

contacts the system administrator to get a copy of the most up-to-date network

map to identify the location of the hubs and routers that may be relevant to the

investigation.

The forensic investigator notes and documents everybody present at the suspected

crime scene, and involved with the case in either a direct or indirect manner. This

would include himself, the system administrator, the after hours receptionist

answering the phone at security headquarters, the security guard with the master

key, the man sitting behind the computer and any other individuals encountered

during the site visit. It may be worth noting Susan Brown – although she may not

be present, her assets are involved in the investigation.

Since the forensic investigator has not been able to interact with the physical

computer yet, he needs to note all the details recorded in the system administrator’s

log: type, operating system and service packs, size of hardware, etc. With

specialised network monitoring and probing software, the forensic investigator can

extend this list to open ports, actively running processes, the Windows registry,

open files, possible passwords, etc.

During this covert operation, the forensic investigator has not approached the

computer user. Accordingly, the user has provided no information that could benefit the investigation.

All actions performed by the forensic investigator should be duly noted in the case

documentation. Any additional information that may be retrieved through network

monitoring and forensic software from the suspect computer should be noted as it

is retrieved. The forensic investigator should also notify his supervisor and the

system administrator that the forensic investigation will commence.

If it is possible to log into the suspect machine through remote login, the forensic

investigator should note all details of the computer’s display.

If it is possible to determine which peripherals are connected to the computer in

question, the forensic investigator should note these in the case documentation.

Once all the necessary actions are documented and the necessary individuals

notified, the forensic investigator activates the Servlet on the suspect computer.

This Servlet is pre-installed on all computers of ABC Organisation, and acts

similar to a rootkit, without notifying the computer user (in this case, the unidentified Caucasian male using Susan Brown’s office computer) of its

existence. The Servlet identifies relevant information that may have evidentiary

value. This information will be used at a later stage during the analysis process.

The Servlet activates the incident response process, also known as a

Snapshot, to retrieve deep volatile data from the suspect machine. The

Snapshot enables the forensic investigator to see all accounts currently logged

into the computer, as well as all accounts that were used to log into the

computer prior to the incident. The currently logged in account

belongs to Susan Brown.

The Servlet enables the forensic investigator to determine the existence of any

virtual machine software, and to interpret and analyse these formats. The Servlet

on Susan Brown’s machine does not indicate the presence of such software.

The forensic investigator makes notes of all evidence acquired and noted

throughout the investigation. Although the computer itself has not been seized

during the investigation, the forensic investigator should complete a chain of

custody log (refer to Figure 3-8).

Once this information is duly noted and documented, the forensic investigator

has successfully completed the processes required during the Forensic Acquisition.

These processes include Notification, Search and identify, and Preservation.

* Throughout the entire process, the implied processes should be adhered to.

Figure 11-8 extends the information presented in Figure 11-6, focusing only on the three processes

specified as related to the timeframe During the Live Forensic Acquisition. Notification, Search and identify,

and Preservation extend to include, in order:

• collect technical and non-technical information regarding the suspect system;

• activate the pre-installed software forensic agent on the suspect machine;

• identify logged on account and administrative rights;

• identify the nature of the logged on system (real or virtual); and

• maintain the chain of command and preserve digital evidence.

The next section focuses on detailing this timeframe’s main processes: Notification, Search and identify,

and Preservation.

4 Notification

Once the investigator has performed all the necessary processes in Timeframe 1, he/she needs to notify the

person in charge of the status of the current investigation. This is part of the chain of custody

process. The chain of custody (see Paragraph 3.3.3.3) is a very important aspect of a successful

investigation. To ensure a complete chain of custody, it is recommended that the investigator documents

all the processes performed at the scene of a search, preferably in a pre-designed form that can be

completed during the investigation.

All the people involved in the discovery and notification of the incident need to provide a written report

documenting their observations and actions. These reports, as part of the chain of custody, will notify all

the relevant parties of the actions and decisions involved in the investigation. The next process is

Search and identify.

5 Search and Identify

The next process in the forensic investigation approach is Search and identify, or Search and seizure.

From the first moment that the physical searching begins, it is necessary to document all actions in the

chain of custody. This ensures that investigators document all actions fully and that these actions

comply with the extended definition of forensic soundness (discussed in Paragraph 6.1). Before the

investigator physically starts acquiring data, he/she needs to note some crucial aspects about the system

that will form the foundation for the chain of custody.

As far as possible, forensic investigators need to get appropriate information from bystanders, computer

system users and system administrators. Investigators need to record this information appropriately in

the chain of custody documentation. The investigators may invite trained personnel or independent

specialists to be present during an interview with a person detained in connection with offences relating

to computer-based electronic evidence. However, should any individual be part of the investigation

process, he/she may not be considered as an independent witness anymore (ACPO 2007:22).

During a Live Forensic Acquisition, it is necessary to gain access to the suspect system. In order to do

this, a forensic software agent needs to be installed on the system before the incident occurs (refer to

Paragraph 3.3.2). Once the incident occurred and the software agent has been activated, the forensic

investigator can gain access to the machine either locally or over the network.

The tools necessary to the Live Forensic Acquisition may be run from a forensically sound bootable

floppy disk, DVD, CD-ROM or USB flash drive. The most preferred (and recommended) hardware is the

flash drive, except when the suspect system runs on a Windows 9x platform. Most computers have a USB port that enables easy installation of the necessary software. This device also has the added

benefit that the results/image can be written back to the same device, limiting the number of introduced

processes to the system. An additional factor is the possible size of a memory dump. A USB flash drive

can allow for a sizeable image. Whichever hardware is introduced to the system, it should be stopped

and safely removed after the analysis, before the investigator shuts the suspect computer off with

standard power-off forensic procedures (ACPO 2007:18).

Introducing any tools or processes to a compromised computer/system may lead to further inconsistency.

The forensic investigator is accordingly recommended to follow a prescribed set of rules using a number

of basic trusted tools. He/she first needs to perform a risk assessment of the situation: in a hacker’s

attempt to hide his/her criminal activity, a potential Trojan defence may hamper the viability of collecting

volatile evidence in a Live Forensic Acquisition.

Paragraph 5.3 suggested that investigators kill certain known applications to limit the interference of the

forensic procedures with currently running processes. These processes include the antivirus programme,

task scheduler, the firewall and IIS (Carvey 2007:Internet). This practice is discouraged unless specific

expert knowledge is held about the evidential consequences of doing so. For example, closing Microsoft

Internet Explorer will dump data to the hard drive. In essence, this preserves some of the volatile data.

If it is safe to perform a forensically sound investigation, the investigator needs to install a volatile data-capturing device using a USB flash drive or a similar device. The associated volatile data collection script

needs to run, and be stopped safely to limit potential data loss (ACPO 2007:19). During a Live Forensic

Acquisition, he/she needs to retrieve the evidentiary artefacts presented in Table 11-3.

Table 11-3: Evidentiary artefacts to retrieve during Live Forensic investigation (Adapted from: ACPO 2007:18; Amenya 2004:6)

Evidentiary artefacts to retrieve

• process listings

• service listings

• system information

• logged on and registered users

• network information including listening ports, open ports, closing ports

• ARP cache

• auto-start information

• registry information

• a binary dump of memory

• running processes

• network connections

  − open network ports

  − closing network ports

• data stored in memory

  − decrypted applications (useful if encryption software is installed)

  − passwords

• backup tapes

• removable media
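The volatile data collection script mentioned above is not given in the thesis. The following is an added example, not part of the original text or of any tool it cites, of how such a script can gather the Table 11-3 artefacts in a fixed order while recording every action in an audit trail as it happens and fingerprinting every output file before it leaves the suspect host. The collection plan, the tool names (ps, ss, ip, who, uname, systemctl) and the file layout are assumptions for a Linux suspect host; on another platform the plan would list the corresponding trusted tools.

```python
"""Ordered volatile-data collection with an audit trail and hash manifest.

Added example (not from the thesis): scripts the "volatile data collection"
step so that every action is recorded as it happens and every output file is
fingerprinted before it leaves the suspect host.
"""
import hashlib
import json
import os
import platform
import shutil
import subprocess
import sys
import tempfile
from datetime import datetime, timezone

# Constructed collection plan for a Linux/Unix suspect host, ordered from most
# to least volatile and mapped onto Table 11-3. The tool names are assumptions;
# a missing tool is skipped and the skip is written to the audit trail rather
# than being silently ignored.
DEFAULT_PLAN = [
    ("process_listing", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("network_connections", ["ss", "-tunap"]),  # listening/open ports and owners
    ("arp_cache", ["ip", "neigh", "show"]),
    ("logged_on_users", ["who", "-a"]),
    ("system_information", ["uname", "-a"]),
    ("service_listing", ["systemctl", "list-units", "--type=service", "--all"]),
]


def sha256_file(path):
    """Stream a file through SHA-256 so large dumps are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_volatile(outdir, plan=DEFAULT_PLAN, tool_dir=None):
    """Run each collector in order; write outputs, audit trail and manifest to outdir.

    tool_dir is the directory of trusted binaries carried on the collection
    device (e.g. the flash drive); it is searched before the suspect host's own
    PATH so that possibly subverted copies on the host are not used.
    """
    os.makedirs(outdir, exist_ok=True)
    search_path = ((tool_dir + os.pathsep) if tool_dir else "") + os.environ.get("PATH", "")
    manifest = []
    with open(os.path.join(outdir, "audit_trail.log"), "a", encoding="utf-8") as audit:
        def note(message):
            audit.write(f"{datetime.now(timezone.utc).isoformat(timespec='seconds')} {message}\n")
            audit.flush()  # keep the trail on disk even if a later collector hangs

        note(f"collection started on host {platform.node()!r}")
        for name, argv in plan:
            exe = shutil.which(argv[0], path=search_path)
            if exe is None:
                note(f"SKIPPED {name}: tool {argv[0]!r} not found")
                manifest.append({"artefact": name, "status": "skipped"})
                continue
            out_path = os.path.join(outdir, f"{name}.txt")
            note(f"RUN {name}: {exe} {' '.join(argv[1:])}")
            with open(out_path, "wb") as out:
                proc = subprocess.run([exe, *argv[1:]], stdout=out,
                                      stderr=subprocess.STDOUT, timeout=60)
            record = {"artefact": name, "status": "collected", "file": out_path,
                      "exit_code": proc.returncode, "size": os.path.getsize(out_path),
                      "sha256": sha256_file(out_path)}
            note(f"DONE {name}: exit={proc.returncode} size={record['size']} sha256={record['sha256']}")
            manifest.append(record)
        note("collection finished")
    with open(os.path.join(outdir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(outdir):
    """Re-hash every collected file; True only if all still match the manifest."""
    with open(os.path.join(outdir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    return all(sha256_file(rec["file"]) == rec["sha256"]
               for rec in manifest if rec["status"] == "collected")


def demo_collection():
    """Constructed, host-independent run: one collector that exists, one that does not."""
    outdir = tempfile.mkdtemp(prefix="liforac_collect_")
    plan = [("python_banner", [sys.executable, "-c", "import sys; sys.stdout.write('ok')"]),
            ("missing_tool", ["no-such-forensic-tool"])]
    return collect_volatile(outdir, plan=plan), outdir


if __name__ == "__main__":
    manifest, outdir = demo_collection()
    print(json.dumps(manifest, indent=2))
    print("manifest verifies:", verify_manifest(outdir))
```

Pointing tool_dir at the flash drive makes the trusted binaries on the collection device take precedence over the suspect host's own copies, and placing outdir on the same device keeps the number of processes introduced to the system small, as the text above recommends. demo_collection() runs a host-independent plan so the mechanics (ordering, audit trail, skip handling, manifest verification) can be checked without touching a real system.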

The rule of thumb is to seize computers and associated media only if it is necessary. The person in

charge of the search must make a conscious decision to remove property and there must be justifiable

reasons for doing so (ACPO 2007:22). Investigators can retrieve deleted data from a number of areas in

a filesystem. They can also identify data deliberately hidden by cyber criminals.

Before the Live Forensic Acquisition can be considered complete, the forensic investigator needs to check

the software installed on the suspect machine. This may indicate whether all possible data have been

acquired and what the suspect machine’s user has been doing in the days prior to the incident. The

forensic investigator needs to check:

• Websites, forum postings and blogs. Evidence relating to a crime may reside in the internet

history of the computer, or as a post in a forum or blog. It is essential to capture these images

as soon as possible after the alleged crime, since internet content is updated regularly. This

may introduce difficulties to prove that a specific image is exactly what the suspect saw.

• E-mail, web mail and Internet Protocol Address account information. Investigators might

be able to get additional subscriber information relating to e-mail, web mail or Internet

connections from the machine user’s ISP. The Regulation of Investigatory Powers Act (RIPA)

2000 regulates these information requests (ACPO 2007:13).

The forensic acquisition should adhere to sound and established forensic principles at all times,

documenting all actions taken fully. This documentation can be made available to opposing counsel who

may conduct a further examination to validate the actions (ACPO 2007:24). The next focus is preservation.

6 Preservation

To ensure that the acquired evidence can be used either in court or during organisational disciplinary

hearings, the forensic investigators need to take extra care to correctly preserve the evidence (refer to

Paragraph 3.4.5.1). Accordingly, the investigators need to know the preservation techniques for all the

involved digital media before the data is acquired.

The implied processes relevant to this timeframe (refer to Paragraph 11.2.3) are Securing evidence,

Preserving evidence, Keeping an audit trail and Sound analysis. All four of these processes are necessary

to ensure admissibility in court. Recording actions and the Responsibility matrix ensure that each

member of the investigating team knows exactly what is expected of him/her. Once the preservation is

secured, the forensic investigation can proceed to the After Live Forensic Acquisition timeframe.

11.3.4.3 Timeframe 3: After the Live Forensic Acquisition

Although the timeframe directly after the physical acquisition does not legitimately fall in the acquisition

category, this timeframe is very important in ensuring that the acquired data remains forensically sound

and admissible in court. Once the investigators have gathered all the information, the formal part of Live

Forensic Acquisition is complete. The investigator should immediately follow with the standard power-off

procedure, to ensure that no data modification can occur accidentally.

Once the investigator has acquired the evidence, he/she needs to follow the rest of the forensic lifecycle:

examination, analysis and reporting (see Paragraph 3.3.1). A detailed process flow for the timeframe

After the Live Forensic Acquisition incorporates information gathered throughout the study. Figure 11-9

presents this updated process flow model, specifically for the timeframe After the Live Forensic Acquisition.

Figure 11-9: After the Live Forensic Acquisition timeframe (Own compilation)


This figure also extends the implied process mapping introduced in Figure 11-5 and introduces the

mapping of the explicit processes (noted as 7, 8 and 9). The updated process flow model, however, still

builds on the original model presented in Figure 3-3 as well as the generic forensic process in Figure 3-5.

Case study 3 gives an example interpretation of Figure 11-9 in a real-life forensic investigation example.

Case study 3: After the Live Forensic Acquisition timeframe (see Figure 11-9)

Organisation ABC’s on duty forensic investigator has duly prepared for a covert Live Forensic Acquisition

on Susan Brown’s computer. He followed the correct procedures in notifying all relevant parties, activating

the EnCase Enterprise Servlet pre-installed on the computer, searching the computer in question and

identifying potential evidence, as well as preserving the evidence by maintaining the chain of custody

(refer to Case study 2).

The forensic investigator already checked that there is sufficient hard drive

space to make a complete bit-by-bit copy of the hard drive (refer to Case study

1). He now uses the EnCase interface to create an .E01 image of the drive.

Once the copy is complete, another exact copy should be made to be stored as

best evidence.

The forensic investigator documents responsibilities regarding the case. Currently,

he is still the only forensic investigator on duty, and therefore documents himself

as the sole person responsible for the image and the investigation to date.

The Servlet has a built-in write protector that prevents any unauthorised

interference with the data on the suspect’s computer. The forensic investigator

needs to practise basic safety measures: maintain physical security of the

forensic laboratory, and never leave the laboratory unlocked and unattended.

The forensic investigator fills in the evidence-tracking log:

• responsible investigator: the forensic investigator on duty;

• the evidence image was created and completed at 21:07 on Wednesday 8 September 2009, GMT;

• case number: 2009090821071;

• acquisition location: Forensic laboratory 2C ABC Organisation, imaged over the network from office F227 Building 16A;

• suspect: unidentified Caucasian male in his late twenties;

• evidence type: hard drive image and network monitoring reports;

• acquired evidence’s media-specific description: type, manufacturer, serial numbers and/or volume names, etc.;

• tools used: EnCase Enterprise version 6.8.


As the investigation progresses, this evidence tracking log should be maintained

to include who, when and why evidence is removed from and returned to

storage, as well as the final fate of the evidence (destruction, secure deletion

or return to owner).
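The evidence-tracking log in the case study is kept by hand. As an added example (not from the thesis and not EnCase functionality), the following Python shows a tamper-evident form of the same log together with the best-evidence copy check from the start of the case study: each log entry commits to the SHA-256 of the previous entry, so a deleted, reordered or edited entry breaks the chain, and the second copy of the image is accepted as best evidence only when its digest equals that of the acquired image. The case number, time, location, evidence type and tool version are taken from the case study; the file names, the stand-in image content and the function and class names are constructed.

```python
"""Tamper-evident evidence-tracking log plus best-evidence copy verification.

Added example (not from the thesis or EnCase). Each entry's hash covers the
previous entry's hash, so the log can be re-verified at any later hearing.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 (disk images are far larger than RAM)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


class EvidenceLog:
    """Append-only chain-of-custody log for one case (hypothetical class)."""
    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self, case_number):
        self.case_number = case_number
        self.entries = []

    @staticmethod
    def _hash(entry):
        # Canonical JSON (sorted keys) so the digest is reproducible on re-verification.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def add(self, action, actor, **details):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"case_number": self.case_number, "seq": len(self.entries),
                 "recorded_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                 "action": action, "actor": actor, "details": details, "prev_hash": prev}
        entry["entry_hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """True only if every entry is intact, in sequence and chained to its predecessor."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or self._hash(entry) != entry["entry_hash"]):
                return False
            prev = entry["entry_hash"]
        return True

    def dump(self, path):
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(self.entries, fh, indent=2)


def make_best_evidence_copy(image_path, copy_path, log, actor):
    """Copy the acquired image and record whether the copy is bit-identical."""
    original = sha256_file(image_path)
    shutil.copyfile(image_path, copy_path)
    duplicate = sha256_file(copy_path)
    log.add("best evidence copy created", actor, source=image_path, copy=copy_path,
            source_sha256=original, copy_sha256=duplicate, verified=(original == duplicate))
    return original == duplicate


def demo_case_study_3(workdir=None):
    """Constructed walk-through using the evidence-tracking details of Case study 3."""
    workdir = workdir or tempfile.mkdtemp(prefix="liforac_case_")
    image = os.path.join(workdir, "suspect_drive.E01")  # constructed stand-in, not a real E01
    with open(image, "wb") as fh:
        fh.write(b"CONSTRUCTED IMAGE DATA\n" * 4096)
    investigator = "forensic investigator on duty"
    log = EvidenceLog("2009090821071")
    log.add("evidence image created", investigator,
            completed="21:07 on Wednesday 8 September 2009, GMT",
            location="Forensic laboratory 2C ABC Organisation, imaged over the network "
                     "from office F227 Building 16A",
            evidence_type="hard drive image and network monitoring reports",
            tool="EnCase Enterprise version 6.8", image_sha256=sha256_file(image))
    copy_ok = make_best_evidence_copy(
        image, os.path.join(workdir, "suspect_drive_best_evidence.E01"), log, investigator)
    log.add("best evidence copy sealed and stored", investigator,
            storage="forensic hard drive safe")
    log.dump(os.path.join(workdir, "evidence_tracking_log.json"))
    return log, copy_ok


if __name__ == "__main__":
    log, copy_ok = demo_case_study_3()
    print("copy verified:", copy_ok, "| log chain intact:", log.verify())
```

Later custody events (removal from and return to storage, final disposal) are appended with further add() calls; verify() recomputes the whole chain, so any edit to an earlier entry, or a missing entry, is detected without trusting the person who holds the log.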

The forensic investigator performed a covert acquisition within the secured

forensic laboratory premises and made the necessary backups. Once the

acquisition is complete, he will commence directly with the examination and

analysis. Accordingly, there is no need to secure the working copy of the hard

drive image. The forensic investigator should, however, seal the best evidence

copy in anti-static packaging and properly label this package with the case number

and as the best evidence copy.

The forensic investigator performed a covert acquisition within the secured

forensic laboratory premises. There is no need to transport the evidence.

The forensic investigator should lock the best evidence copy securely in the

forensic hard drive safe.

The forensic investigator uses the information retrieved in earlier processes as

input to the EnCase software package to examine the content of the hard drive

fully. This examination is beyond the scope of this research.

The forensic investigator uses the information from the examination process as

input to the EnCase software package to analyse the content of the hard drive

fully. This analysis is beyond the scope of this research.

EnCase allows the automatic generation of fully detailed reports. These

automated reports show a wealth of information depending on the type being

generated (e.g. listing of all files and folders in a case, detailed listing of all

URLs and corresponding dates and times that websites were visited, document

incident report that helps create the required documentation relevant during the

incident response process, and detailed hard drive information about physical

and logical partitions).

Once all this information is duly noted and documented, the forensic

investigator has successfully completed the processes required after the Forensic

Acquisition. These processes include Examination, Hypothesis and Information

dissemination.

* Throughout the entire process, the implied processes should be adhered to.


Figure 11-9 extends the information presented in Figure 11-6, focusing only on the three processes

specified as related to the after timeframe. Examination, Hypothesis and Information dissemination extend

to include, in order:

• update the chain of command;

• securely seal all packages to avoid any evidence tampering;

• transport evidence securely to a forensic laboratory;

• store evidence securely in a forensically approved storage facility;

• examine the evidence with forensically sound software;

• analyse the evidence with forensically sound software and techniques;

• all people involved in the discovery and notification of the incident need to provide a written

report documenting their observations and actions.

The next section focuses on detailing this timeframe’s main processes: Examination, Hypothesis and

Information dissemination.

7 Examination

The examination involves a close inspection of the suspect machine. This generally occurs when the

investigator is looking for specific data on the suspect machine. Once the investigator is sure that he/she

acquired all the possible evidence located in the computer system, he/she then needs to verify the data

output on a separate forensic investigation machine (ACPO 2007:19).

8 Hypothesis

Once all the necessary processes in the investigation are complete, the investigator may present evidence

in court. It is customary that the first hearing at a magistrate’s court will not involve the production of the

forensically acquired disk, although this practice is dictated by local Law Enforcement practices. During

subsequent hearings, the parties involved need to view the images on disk. The investigator will retain

control of the disk during these times. After the hearing, the investigator will return the disk to the

appropriate storage facility and sign it back in as before (ACPO 2007:31).

9 Information dissemination

Transporting evidence securely is crucial. Table 11-4 presents some guidelines on how to transport some

types of hardware to minimise any possible damage to the evidence. This is an extension of Table 3-2.


Table 11-4: Guidelines for transporting evidence securely (Adapted from: ACPO 2007:11,12)

Transporting guidelines

• PDAs, electronic organisers and palmtops

  − Protect from magnetic fields.

  − Prevent from transmitting or receiving data.

• Computer unit

  − Keep upright to minimise serious physical shocks.

  − Keep away from magnetic sources (loudspeakers, heated seats and windows and police radios).

• Hard disks

  − Protect from magnetic fields.

  − Place in anti-static bags or in tough paper bags or wrap in paper and place in aerated plastic bags.

• Floppy disks, Jaz and Zip cartridges and USBs

  − Protect from magnetic fields.

  − Do not fold or bend.

  − Do not place labels directly onto floppy disks.

• Keyboards, leads, mouse and modems

  − Place in plastic bag.

  − Do not place under heavy objects.

After the seizure, the evidence needs to be stored in a secured environment, preferably close to the

forensic laboratory. The storage facility needs to be at normal room temperature, without the extremes

of humidity. It should also be free from magnetic influences such as radio receivers (ACPO 2007:12).

With the conclusion of the investigation, there should be information flows to disseminate the results. These

flows are subject to certain controls, for example, in the event that names or technical details need to

remain secret. The information produced by the investigators may influence internal policies of the

organisation, or become input to future investigations. It may pass through an organisation’s information

distribution function to become available to other investigators outside the organisation. This can take

the form of a published case study used for training investigators, or a security advisory to system

administrators (Ciardhuáin 2004:9).

The implied processes relevant to this timeframe (refer to Paragraph 11.2.3) are Securing evidence and

Preserving evidence. Both processes are necessary to ensure admissibility in the court. Recording actions

and the Responsibility matrix ensure that each member of the investigating team knows exactly what is

expected of him/her.

The timeframe After the Forensic Acquisition can become very involved and complicated. Although this

is necessary as part of the Live Forensic process, it is not of such relevance to this study on Live

Forensic Acquisition. The accompanying CD presents guidelines that are more detailed on how to

present evidence in court, see Presenting evidence.


11.3.4.4 Summary of the Process Flows

The previous paragraphs of this section presented process flows for the entire process of Live Forensic

Acquisition: Before, During and After the Forensic Acquisition. Figure 11-10 amalgamates the process

flows shown in Figure 11-7, Figure 11-8 and Figure 11-9. Figure 11-10 shows all the different processes

needed in a complete Live Forensic Acquisition.

This figure also shows a mapping of the implied processes onto the explicit processes. The previous

sections gave more information detailing these processes.

Figure 11-10: Complete process flow of Live Forensic investigation (Own compilation)

11.4 Summary

Chapter 11 showed in more detail what the Timeline dimension of the Liforac model entails. This is similar

to a complete process flow and shows all the processes involved in ensuring a successful and complete forensically sound Live Forensic Acquisition. The dimension splits into two types of processes: implied

and explicit. Additionally, these process types span over three separate timeframes: Before the

acquisition, During the acquisition and After the acquisition.

The majority of Chapter 11 develops timelines according to the set criteria. The chapter presents these

timelines graphically and incorporates the mapping of the implied processes on both the explicit

processes and the specific timeframes. Chapter 12 will now focus on the Knowledge dimension of this

model. The chapter proceeds similarly to Chapter 10 and Chapter 11, by highlighting the specific

dimension in relation to the Liforac model, identifying its components and mapping previously identified

drivers on the relevant components. Chapter 12 is the third chapter focusing on a specific dimension,

and will be presented as part of the complete model in Chapter 14.


Chapter 12: Knowledge Dimension

“No man’s knowledge here can go beyond his experience.”

- John Locke

Chapter 12 looks at the previously identified drivers (presented in Table 9-1) that map specifically onto

the Knowledge dimension. This chapter looks in detail at the people involved in successful Live Forensic

Acquisition: who they are and what training and skills they should possess. Chapter 12 divides the

Digital Forensic discipline into six main components of which a forensic investigator needs to have

sufficient knowledge, and one component that relates to all six of the main components.

Figure 9-1 showed the last step in the Liforac model progress - the study reached the physical construction

of the Liforac model. Chapter 12 now builds on the Laws and regulations dimension presented in Chapter

10 and the Timeline dimension presented in Chapter 11. This chapter is the third of four chapters that

focus specifically on this construction. Figure 12-1 shows the proposed layout of the Liforac model,

with the Knowledge dimension forming one of the diagonal sections of the model, connected to all three

the other dimensions.

Figure 12-1: Focusing on the Knowledge dimension (Own compilation)

Chapter 12 extends the generic Liforac model by dividing this dimension into a further seven components.

These components were identified from research done for developing this dimension. These components are generic and allow for extension in future updates of the Liforac model. This chapter will look in

more detail at these components, as well as how the drivers identified in earlier chapters map to these

components.

12.1 Introduction

Knowledge is roughly defined as the cognitive perception, reasoning, expertise and skills that an individual

acquires through either direct or indirect learning. Figure 12-2 shows the seven components identified as

relevant to this dimension. This study borrowed and adapted these components from Broucek and Turner’s

(2002:2) suggested framework to raise awareness of forensic issues amongst system administrators.

Figure 12-2: Knowledge dimension (Adapted from: Broucek & Turner 2002:2)

The Knowledge dimension presents all the topics that forensic investigators need to be familiar with to

ensure a sound Forensic Acquisition. This dimension presents all the subjects that combine to present a

comprehensive foundation needed by forensic investigators. The matter of constant knowledge building

has already been touched on in Paragraph 5.2.

These seven components are not the only possible components that may influence the Knowledge

dimension. However, from research done for this study, these seven components are regarded as some

of the more prominent ones, covering the basic concepts of forensic knowledge. The Liforac

model allows for additions to this list at a later stage. The inclusion of these seven components is

motivated as follows:

• Component 1. The formal definition of Digital Forensics in Paragraph 3.1 already established

a link between computer science and forensics. Paragraph 8.2.1 further explored this relationship.

• Component 2. World security trends and events have a persistent influence on Digital Forensic

knowledge. Forensic investigators need to update their knowledge on new trends in cyber

crime and the combating of these crimes constantly.

• Component 3. Information Systems are the organised collection, storage and presentation of

information and related knowledge for decision-making. Since there is a direct relationship

between computers and information, this component is necessary in the Knowledge dimension.

• Component 4. Social sciences can play a role in Digital Forensics due to the discipline's

profiling nature. People tend to react in specific ways under certain circumstances, which may

have an effect on the way the investigation is run.

• Component 5. Forensic sciences are the core of Digital Forensic investigations. Digital Forensics

borrows many principles from Physiological Forensics, as investigated in Chapter 8.

• Component 6. Forensic investigators should have a wide knowledge of relevant legislation and

policies, procedures, codes of practice and guidelines for investigating electronic evidence. It is

necessary to have a firm understanding of the relevant legislation and organisational

requirements regarding race, diversity and human rights, with respect to the country of the

investigation (Forte 2008b:18). Two complete chapters are dedicated to law and its relationship

to Digital Forensics. Chapters 8 and 10 explored the necessity of this relationship in detail.

• Component 7. New technology, similar to world security trends and events, has a persistent

influence on Digital Forensic knowledge. Forensic investigators need to update their knowledge

on new technology constantly to ensure their own forensic readiness.

These seven components form the foundation of the Knowledge dimension. The next section maps the

drivers identified in Table 9-1 onto the seven components listed above.

12.2 Mapping the drivers to the dimension

Table 9-1 showed a comprehensive list of all the drivers identified in the first eight chapters. Table 12-1

shows a sub section of that table, with only those drivers applicable to the Knowledge dimension. The

last column maps the specific driver to one of the seven components shown in Figure 12-2.

Table 12-1: Summary of identified drivers on the Knowledge dimension (Own compilation)

| Identified driver | Original chapter | Component with corresponding number |
| --- | --- | --- |
| Digital Forensic definition | Paragraph 3.1 | Forensic sciences (5) |
| A crime scene contaminated by the investigator renders the evidence inadmissible in court | Paragraph 3.2 | Law (6) |
| Current forensic methods: pulling the plug or doing a live analysis | Paragraph 3.3 | Computer science (1) |
| Digital Forensic methodology consists of three key steps: acquire evidence without altering the original; authenticate that the recovered evidence is the same as the originally seized data; analyse the data without modifying it | Paragraph 3.3 | Forensic sciences (5) |
| Digital Forensic process consists of four steps: collection; examination; analysis; reporting | Paragraph 3.3.1, Paragraph 4.2, Table 4-1 | Forensic sciences (5) |
| The First Responder has a very definite role in the Live Forensic process | Paragraph 3.3.1 | Law (6) |
| Comparison between Dead and Live Forensics | Paragraph 3.3.3, Table 3-1 | Computer science (1) |
| Forensics has a volatile and unpredictable field setting | Paragraph 3.4 | World security trends and events (2) |
| Generic Forensic Acquisition process applies to both Dead and Live Forensic Acquisition | Paragraph 3.4, Figure 3-5 | Forensic sciences (5) |
| A thorough Digital Forensic Acquisition and analysis can be done with supporting software packages and applications | Paragraph 4.1 | World security trends and events (2) |
| Different forensic suites exist for Windows, Mac, Linux and DOS | Paragraph 4.1 | Information systems (3) |
| Specific tools can be applied in specific stages of the forensics process | Paragraph 4.2, Table 4-1 | World security trends and events (2) |
| Many traditional forensic suites also cater for Live Forensic Acquisition | Paragraph 4.2, Table 4-1 | World security trends and events (2) |
| Electronic information is a valuable resource | Paragraph 5.1 | Information systems (3) |
| Organisations generally have three possible options to respond to a cyber attack | Paragraph 5.1 | Social sciences (4) |
| Digital evidence has some unique properties | Paragraph 5.1 | Information systems (3) |
| Locard's exchange principle applies to all crime scenes | Paragraph 5.1 | Forensic sciences (5) |
| Several methods exist to perform Live Forensic Acquisition: software applications; hardware devices | Paragraph 5.3 | New technology (7) |
| Digital Forensics is a technical application of computer related knowledge | Paragraph 6.1 | Computer science (1) |
| Forensic soundness is the foundation of court admissibility of evidence | Paragraph 6.1 | Law (6) |
| An expert witness may elicit professional opinions regarding the validity of a theory and the reliability of specific tools | Paragraph 6.2 | Law (6) |
| To ensure the acceptance of digital evidence, forensic investigators should maximise the evidential weight of a document | Paragraph 6.2.3 | Law (6) |
| There are two main elements to demonstrate the authenticity of electronic records: freeze a record at a specific moment in time; maintain a documented audit trail | Paragraph 6.2.3 | Computer science (1) |
| In both traditional and Digital Forensic measures, courts should allow the minor alteration of original evidence, without altering evidence in such a way that the meaning thereof changes | Paragraph 6.3 | Forensic sciences (5) |
| The Heisenberg uncertainty principle and the observer effect explain the volatile nature of forensics, both digital and traditional | Paragraph 6.4 | Computer science (1) |
| There is a strong relationship between Digital Forensics and other disciplines | Paragraph 8.2 | World security trends and events (2) |

Table 12-1 shows the interpretational mapping of the seven components of the Knowledge dimension onto

the drivers already identified in this study. Some of these identified drivers overlap and can be merged.

Figure 12-3 (on page 207) presents the Knowledge components within the boundaries of the Liforac model.

This figure indicates the Knowledge dimension, its seven sub components (Computer science, World

security trends and events, Information systems, Social sciences, Forensic sciences, Law and New

technology), as well as the respective drivers in relation to these components. These drivers can be

found in Table 12-1. The remainder of this chapter is devoted to discussions on the seven main

components of the Knowledge dimension.


Figure 12-3: Knowledge components and important aspects regarding each component presented within the Liforac model (Own compilation)

12.3 Developing the Knowledge dimension

With ever-changing technologies, tools and techniques, forensic investigators need to stay abreast of all

new developments. To be fully prepared for any type of forensic investigation, they need to keep their

knowledge up to standard so that they can handle any eventuality.

The next seven sub sections address the seven main components related to the Knowledge dimension.

12.3.1 Component 1: Computer science

Computer science is a very wide discipline, covering a broad range of topics. For the purpose of being a

forensic investigator, it is highly recommended that the individual have a proper computer science

foundation and background. Although a degree in computer science cannot be made a requirement, it helps

the investigator to understand the basic concepts.


Some of the suggested knowledge topics are:

• Discrete structures focuses on the understanding of functions, relations and the theory behind

graphs and tree structures;

• Programming fundamentals teaches fundamental programming constructs, algorithms and

problem-solving;

• Architecture and computer organisation teaches machine level representation of data, binary

logic, as well as the functional organisation of computers;

• Operating systems explains OS principles, concurrency, scheduling and memory management;

• Net-centric computing focuses on communication and networking;

• Information management shows the principles of database systems and data modelling;

• Software engineering looks at software design, tools and environments, as well as software

requirements and validations (SIGCSE 2001:Internet); and

• File structures gives investigators sufficient background on file types and file behaviours – this

aspect is very important in a forensic investigation.

The knowledge gained from these specialised topics may prove to be helpful in certain forensic investigations.

In some cases, this computer science knowledge may be applied directly, whilst in others it just ensures

that the investigators are more familiar with the specific scenario found at the crime scene. A solid

computer science foundation is highly recommended for any forensic investigator.

12.3.2 Component 2: World security trends and events

World security trends and events can have a dramatic impact on technology and technological trends. It

may therefore prove very helpful for forensic investigators to work in conjunction with the local

Computer Security Incident Response Team (CSIRT). These organisations work closely with CERTs/

CSIRTs in other countries and can draw up statistics regarding technological attack trends. For

example, once a specific worm hits one country, it might take on average 48 hours before the

same worm reaches South Africa. Cyber investigators can benefit from these statistics.

In the same manner, one type of cyber crime attack launched somewhere in the world might be repeated

in a different continent. If the first case’s forensic investigators make their strategy available, it might

save a lot of time and effort for investigators looking at subsequent cases. To utilise this knowledge

network properly, forensic investigators need to be networking with global colleagues, building a thorough

knowledge network.

According to an article in The New York Times (Markoff 2008:Internet), “… cyberweapons are now

routinely used during political and military conflicts, as in Estonia in 2007 during a political fight with

Russia, and the Georgian-Russian war…” If cyber investigators are aware of these events, it may be

easier to address some of the cases that they come across.


12.3.3 Component 3: Information systems

An information system can be defined as a collection of practices, algorithms and methodologies that

transforms data into information and knowledge that is useful for individuals or groups of people (UMBC

2008:Internet). According to this definition, there is a close relationship between information systems

and knowledge.

“… Information Systems, on the other hand, focuses on the entire system of information, knowledge,

delivery and use, taking an external, human-based perspective on technology – its focus is on how

technology can be implemented to serve the informational needs of people and organisations.” Compared

with computer science, information systems focus a lot more on the human aspect of computers and the

human-computer interaction (UMBC 2008:Internet). Accordingly, a proper foundation of information

system knowledge can aid a forensic investigator in the understanding of certain forensic principles and

the interaction between the cyber criminal and his/her computer.

12.3.4 Component 4: Social sciences

Social sciences, like information systems, address the human aspect of computer science. The profiling

nature of Digital Forensics clearly benefits from any social science background that the forensic

investigator may have. Investigators then not only understand the hardware and software aspects of

the suspect machine, but can also try to think like the person operating it. They may step into

the suspect's shoes and reason about where the suspect is likely to have hidden evidentiary files

and folders.

Social science focuses purely on society and the associated human behaviour. This discipline is

definitely not a prerequisite for forensic investigations, but may make the investigator's task easier when

the behavioural aspect is also considered.

12.3.5 Component 5: Forensic science

Forensic science literally means the application of science to law. Although Physiological Forensic

science and Digital Forensics differ, a basic understanding of the former definitely contributes to a better

understanding of the latter. Many of the investigatory principles remain the same, although the

physical application of the techniques and the tools differs drastically. A very general

understanding of this discipline is therefore beneficial (see Paragraph 6.3).

12.3.6 Component 6: Law

Digital Forensics cannot stand separate from the law. Any forensic investigator needs to have up-to-date

knowledge of current and pending legislation that may have an impact on the way forensic investigations

are done. This aspect is so important that forensic investigators should not be allowed to enter the crime

scene without sufficient knowledge, for fear that they might contaminate the crime scene. Chapters 8 and

10 already discussed the importance of law and its relationship with Digital Forensics.

12.3.7 Component 7: New technology

Every time new technology becomes publicly available, or an upgrade of software or a hardware component

reaches the shelves, investigators need to be trained on it. The chances are very good that investigators

will encounter these new technologies in an investigation. If they do not know how to handle these

upgrades properly, investigators may run into problems that have a negative effect on the

investigation.

For example, Windows Vista introduced a built-in full-volume encryption feature, BitLocker. Should the forensic

investigator be unaware of this technology, he/she may power the computer down and attempt a Dead Forensic

analysis of the disk image, only to find that the protected volume is unreadable ciphertext. While the

computer is running and the volume is unlocked, Live Forensic acquisition can read the decrypted data; once

the computer is powered off, the image can only be decrypted with the recovery key or other key material.
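As an added example (not from the thesis), the following Python script shows the check a first responder could run on a live Windows host before choosing between Dead and Live Forensic Acquisition: it parses the text report of the built-in `manage-bde -status` tool and flags every volume whose data exists only as ciphertext on disk but is readable while the system stays unlocked. The report text embedded below is constructed for the example and modelled on that tool's layout; the field names (Conversion Status, Lock Status, Key Protectors) are the ones the tool prints, but the volume names, sizes and key protectors are invented. The same check applies to the BitLocker discussion under Control 1 in Paragraph 13.3.2.1.

```python
"""Added example, not part of the Liforac thesis: triage of BitLocker status on a
live Windows host from the text report of `manage-bde -status`. The report below
is constructed for this example (layout modelled on the tool's output; volumes,
sizes and protectors are invented)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OS]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password

Volume E: [Data]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:       None Found

Volume F: [USB]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Locked
    Key Protectors:
        Password
        Numerical Password
"""

# Triage outcomes (wording is this example's own).
DEAD_OK = "plaintext on disk: Dead Forensic Acquisition will yield readable data"
LIVE_REQUIRED = ("encrypted but unlocked: acquire live now and export the recovery "
                 "key; a dead image will be ciphertext")
KEY_NEEDED = "encrypted and locked: obtain the recovery key (e.g. from escrow) first"

VOLUME_RE = re.compile(r"^Volume ([A-Z]): \[(.*)\]$", re.MULTILINE)
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


@dataclass
class VolumeStatus:
    letter: str
    label: str
    fields: Dict[str, str] = field(default_factory=dict)
    protectors: List[str] = field(default_factory=list)


def parse_manage_bde_status(report: str) -> List[VolumeStatus]:
    """Split the report into per-volume blocks and read the indented
    'Name: value' fields; entries indented under 'Key Protectors:' are
    collected separately because they carry no colon."""
    volumes = []
    heads = list(VOLUME_RE.finditer(report))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(report)
        vol = VolumeStatus(head.group(1), head.group(2))
        in_protectors = False
        for line in report[head.end():end].splitlines():
            if not line.strip():
                continue
            indent = len(line) - len(line.lstrip(" "))
            if in_protectors and indent >= 8:
                vol.protectors.append(line.strip())
                continue
            m = FIELD_RE.match(line)
            if not m:
                continue  # e.g. the "[OS Volume]" type line
            key, value = m.group(1).strip(), m.group(2).strip()
            in_protectors = key == "Key Protectors"
            if in_protectors:
                if value and value != "None Found":
                    vol.protectors.append(value)
            else:
                vol.fields[key] = value
        volumes.append(vol)
    return volumes


def triage(vol: VolumeStatus) -> str:
    """Decide whether pulling the plug would leave only ciphertext."""
    if vol.fields.get("Conversion Status") == "Fully Decrypted":
        return DEAD_OK
    if vol.fields.get("Lock Status") == "Unlocked":
        return LIVE_REQUIRED
    return KEY_NEEDED


def triage_report(report: str) -> Dict[str, str]:
    return {v.letter: triage(v) for v in parse_manage_bde_status(report)}


if __name__ == "__main__":
    for letter, decision in triage_report(SAMPLE_STATUS).items():
        print(f"{letter}: {decision}")
```

On a real host the report text comes from running `manage-bde -status` with administrative rights (for instance via `subprocess.run(["manage-bde", "-status"], capture_output=True, text=True).stdout`). Running the tool on the suspect machine is itself an interaction with its OS, so the time and command belong in the audit trail; for a volume reported as unlocked, the recovery key can be exported with `manage-bde -protectors -get <drive>` before the machine is powered off.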

12.3.8 Summary of Knowledge dimension components

All seven components of the Knowledge dimension of the Liforac model have now been discussed, and the

inclusion of each in the Liforac model has been motivated.

12.4 Summary

Chapter 12 focused solely on the Knowledge dimension, as highlighted in Figure 12-1. Seven specific

disciplines are identified as important to the proposed model, borrowed and adapted from Broucek and

Turner's (2002:2) suggested framework to raise awareness of forensic issues amongst system

administrators. These components are Computer science, World security trends and events, Information

systems, Social sciences, Forensic sciences, Law and New technology. The remainder of the chapter

developed these components, with a brief discussion of each and a motivation on whether it is recommended

knowledge or a prerequisite for being a forensic investigator.

Chapter 12 is the third chapter focusing on a specific dimension, and will be presented as part of the

complete model in Chapter 14. Chapter 13 will now focus on the Scope dimension of this model. The

chapter proceeds similarly to the previous three chapters, by highlighting the specific dimension in

relation to the Liforac model, identifying its components and mapping previously identified drivers onto the

relevant components.


Chapter 13: Scope Dimension

“Every problem is just an opportunity waiting to be made use of.”

- Anonymous

Chapter 13 looks at the previously identified drivers (presented in Table 9-1) that map specifically onto

the Scope dimension. This chapter looks in detail at the problems associated with Live Forensic

Acquisition, identified earlier in Chapter 5. Chapter 13 divides the dimension into five main scope related

components and proposes a solution to each of these.

Figure 9-1 showed the last step in the Liforac model progress - the study reached the physical construction

of the Liforac model. Chapter 13 now builds on the Laws and regulations dimension presented in

Chapter 10, the Timeline dimension presented in Chapter 11 and the Knowledge dimension presented in

Chapter 12. This chapter is the last of four chapters that focuses specifically on this construction. Figure

13-1 shows the proposed layout of the Liforac model, with the Scope dimension forming one of the

diagonal sections of the model, connected to all three the other dimensions.

Figure 13-1: Focusing on the Scope dimension (Own compilation)

13.1 Introduction

In computer programming, scope is the enclosing context in which values and expressions are associated;

generally, the type of scope determines what kind of entities it can contain and how it affects them. In

project management, scope is the sum total of a project's products, its requirements and features.

From these definitions, it is clear that the scope of Digital Forensics can be wide-ranging. For the purpose

of developing the Liforac model, the scope is understood to be the boundaries of the investigation, from

the time that the investigator tries to access the machine, right up to the time that the evidence is

presented in court. In this context, the scope is limited to five main components: the five practical

problems identified earlier in Paragraph 5.2. Figure 13-2 shows these five components.

Figure 13-2: Scope dimension (Own compilation)

The inclusion of these five components is motivated as follows:

• Component 1. The difficulty of gaining access to a computer has been discussed in Paragraph

5.2.1. Some investigations are covert, whilst others are overt. Both types bring about their own

complications.

• Component 2. The current forensic practices require the forensic investigation to interact with

the suspect machine’s OS. Each OS needs to be treated differently during a forensic investigation

and accordingly can pose a major practical problem.

• Component 3. Any process can modify computer data during acquisition, from user applications

to the OS itself. Under current legislation, any data modification can render the evidence

inadmissible in court.

• Component 4. All potential data of evidentiary value need to be properly authenticated before

a court of law can accept it as legitimate evidence.


• Component 5. Computer technology and digital evidence have not always been accepted by

the judicial system. Where the court lacks extensive knowledge of new technological developments,

forensic investigators may have some trouble introducing digital evidence.
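The drivers in Table 12-1 name two elements for demonstrating the authenticity of electronic records (freezing a record at a specific moment in time and maintaining a documented audit trail), and Components 3 and 4 above state that any undetected modification during acquisition threatens admissibility. As an added example, not taken from the thesis, the following Python module shows the minimum mechanics behind those statements: the acquired bytes are fixed with a SHA-256 digest together with who acquired them, when and with which tool, and every later working copy is checked against that record, so that a single flipped bit is detected. The record layout, function names, examiner and tool names, and the sample "images" are all constructed for the illustration.

```python
"""Added example, not part of the Liforac thesis: freezing an acquired record
with a cryptographic hash plus a documented audit trail, then verifying later
working copies against it. Record layout, function names and sample data are
assumptions made for this illustration."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AcquisitionRecord:
    """One chain-of-custody entry (assumed layout): what was taken, its hash,
    its size, who took it, with which tool, and when."""
    item: str
    sha256: str
    size_bytes: int
    acquired_utc: str
    examiner: str
    tool: str
    note: str = ""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def freeze_record(item: str, data: bytes, examiner: str, tool: str,
                  note: str = "", when: Optional[datetime] = None) -> AcquisitionRecord:
    """Freeze the record at a specific moment in time: hash the acquired bytes
    and write down the circumstances of the acquisition."""
    when = when or datetime.now(timezone.utc)
    return AcquisitionRecord(item, sha256_hex(data), len(data),
                             when.isoformat(timespec="seconds"), examiner, tool, note)


def verify_copy(record: AcquisitionRecord, data: bytes) -> bool:
    """A working copy is authentic only if it is bit-for-bit what was frozen."""
    return (len(data) == record.size_bytes
            and hmac.compare_digest(record.sha256, sha256_hex(data)))


def check_custody(records: List[AcquisitionRecord], copies: Dict[str, bytes]) -> List[str]:
    """Return the names of items whose current copy no longer matches its
    record (or has no record at all). One changed bit is enough to appear here."""
    by_item = {r.item: r for r in records}
    return sorted(item for item, data in copies.items()
                  if item not in by_item or not verify_copy(by_item[item], data))


def audit_trail_json(records: List[AcquisitionRecord]) -> str:
    """Serialise the trail so it can be printed, signed and handed over with the media."""
    return json.dumps([asdict(r) for r in records], indent=2)


# Constructed stand-ins for acquired data (not real evidence).
MEMORY_DUMP = bytes(range(256)) * 64          # 16 KiB "memory image"
PAGEFILE_COPY = b"pagefile-contents-" * 100   # "logical copy of a file"
_tampered = bytearray(MEMORY_DUMP)
_tampered[4096] ^= 0x01                       # one bit changed after acquisition
TAMPERED_DUMP = bytes(_tampered)

# Constructed audit trail for the two items above (examiner and tool names invented).
TRAIL = [
    freeze_record("memory.raw", MEMORY_DUMP, "examiner A", "example-imager 1.0",
                  "acquired live from the running suspect host; system clock noted"),
    freeze_record("pagefile.sys", PAGEFILE_COPY, "examiner A", "example-imager 1.0"),
]

if __name__ == "__main__":
    print(audit_trail_json(TRAIL))
    intact = {"memory.raw": MEMORY_DUMP, "pagefile.sys": PAGEFILE_COPY}
    altered = {"memory.raw": TAMPERED_DUMP, "pagefile.sys": PAGEFILE_COPY}
    print("mismatches, intact copies:", check_custody(TRAIL, intact))
    print("mismatches, altered copy: ", check_custody(TRAIL, altered))
```

The record proves only that a copy matches what was acquired; it cannot show that the live acquisition itself captured the system unchanged, which is why the note field and the timeline of the acquisition (Chapter 11) carry as much weight as the digest. In practice the digest is also recomputed from the original media where one exists, and the printed audit trail is signed at each handover.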

The next section maps the drivers identified in Table 9-1 onto the five components listed above. This

mapping is similar to the mappings done in Paragraph 10.2, 11.2 and 12.2.

13.2 Mapping the drivers to the dimension

Table 9-1 showed a comprehensive list of all the drivers identified in the first eight chapters. Table 13-1

now shows a sub section of that table, with only those drivers applicable to Scope. This table should not

be memorised, but seen purely as a grouping of all the drivers identified in the development of the Liforac

model, applicable to the Scope dimension. The last column maps the specific driver to one of the five

components shown in Figure 13-2.

Table 13-1: Summary of identified drivers on the Scope dimension (Own compilation)

| Identified driver | Original chapter | Sub dimension with corresponding number |
| --- | --- | --- |
| Comparison between Dead and Live Forensics | Paragraph 3.3.3, Table 3-1 | Access to the machine (1), Dependency on OS (2) |
| Forensics has a volatile and unpredictable field setting | Paragraph 3.4 | Access to the machine (1), Dependency on OS (2) |
| The integrity of the evidence should be protected at all times | Paragraph 3.4.4 | Data modification (3), Authenticity (4), Court acceptance (5) |
| A thorough Digital Forensic Acquisition and analysis can be done with supporting software packages and applications | Paragraph 4.1 | Dependency on OS (2), Court acceptance (5) |
| Different forensic suites exist for Windows, Mac, Linux and DOS | Paragraph 4.1 | Court acceptance (5) |
| Specific tools can be applied in specific stages of the forensics process | Paragraph 4.2, Table 4-1 | Dependency on OS (2), Data modification (3) |
| Many traditional forensic suites also cater for Live Forensic Acquisition | Paragraph 4.2, Table 4-1 | Data modification (3), Court acceptance (5) |
| The accuracy of results and the integrity of digital evidence need to be maintained at all times | Paragraph 4.2.1 | Authenticity (4), Court acceptance (5) |
| Live Forensics has five identified practical problems: gaining access to the suspect system; acquisition dependent on OS; data modification during the acquisition process; demonstrating the authenticity of evidence; ensuring full acceptance by the court | Paragraph 5.2, Figure 5-2 | Access to the machine (1), Dependency on OS (2), Data modification (3), Authenticity (4), Court acceptance (5) |
| Four possible solutions exist to the problem of data changing during Live Forensic Acquisition: the investigator can freeze the current state of the computer; investigators can swap hard disks for forensic hardware; investigators can kill unnecessary programmes; imaging with write command policing | Paragraph 8.3 | Data modification (3) |

Table 13-1 shows the interpretational mapping of the five components of the Scope dimension onto the

drivers already identified in this study. Some of these identified drivers overlap and can be merged. The

remainder of this chapter is devoted to discussions on the five components of the Scope dimension.

Figure 13-3 (on page 216) presents the Scope components within the boundaries of the Liforac model.

This figure indicates the five components specific to the Scope dimension (Access to the machine,

Dependency on OS, Data modification, Authenticity and Court acceptance), as well as the drivers in

relation with these components. Table 13-1 presented these drivers. The next section develops the

Scope dimension, building on the information presented in Chapter 5.

13.3 Developing the Scope dimension

The concept of Live Forensic Acquisition is very viable, but the identified practical problems drastically

limit the scope and boundaries of the dimension’s applicability. This study identified five components, or

practical problems, that define the scope of the Live Forensic discipline. At the moment, these components

still pose serious problems to the successful admission of evidence to court, but the Liforac model will

provide some guidelines on handling these problems.

The next five sub sections address the five main components linking Live Forensics and the practical

application of the discipline. These sections are not as detailed, since these problems have also been

addressed in Chapter 5.


Figure 13-3: Scope components and drivers presented within the Liforac model (Own compilation)

13.3.1 Component 1: Access to the machine

Paragraph 5.2.1 already introduced the problem associated with accessing a suspect system. Generally,

investigators can access the suspect computer either overtly or covertly. Both access methods pose their

own problems and the investigator needs to be aware of this. The next paragraphs discuss possible

controls.

13.3.1.1 Control 1: Legitimate search warrant

For both overt and covert investigations, an investigator can save a lot of time by having a legitimate

search warrant before the investigation starts. This document gives the investigator the necessary legal

backing to ensure that most suspects cooperate during an investigation. It also reduces the investigator's

exposure to lawsuits after the investigation completes.


13.3.1.2 Control 2: Get cooperation from suspect

During an overt investigation, forensic investigators follow the normal approach of search and seizure, as

well as doing on-site interviews with the machine’s owner, user and user’s colleagues. Generally, these

investigations are straightforward and the investigators can focus on acquiring all the necessary

evidence to present a solid case in court. However, if the investigator can get the cooperation from the

machine’s user, he/she may save a lot of time by obtaining the password and possible file locations

directly from the suspect. This will save the investigator time in searching or logically cracking the

passwords, as well as save time for the searching of the hard drive.

13.3.1.3 Control 3: Get cooperation from the system administrator

During a covert investigation, forensic investigators follow the normal approach of search and seizure,

but this normally occurs after hours and under cover. To ensure that the acquisition proceeds according

to plan, the investigator needs to do a lot of planning before the physical acquisition can start (see

Paragraph 11.3.4.1). He/she needs to arrange with the appropriate individual at the organisation for

access to the building, as well as unhindered access to the suspect computers.

It is common for these types of investigations to occur with the permission of the owner of the machine,

but not of the user. This is the case where a senior employee or the system administrator gives

permission to the forensic team to investigate a suspect individual using an organisation's work machine.

Should the machine's owner not consent to the investigation, or the organisation's policies not allow the owner

to waive the user's privacy rights, the forensic investigator may face charges of violation of privacy and

trespassing.

In general, this scenario makes it much harder for the forensic team to investigate the machine, since

there is no cooperation from the user. The investigator needs to acquire all evidence electronically and

the user cannot assist by providing passwords or email accounts. If key escrow is in place, forensic

investigators can access the suspect machine's protected data lawfully and without having to break the

protection. Escrow is a written agreement delivered to an authorised third party to be fulfilled under

specific conditions (WordNet 2009b:Internet). In this example, an escrow agreement may be drawn up

between the employee and the employer whereby a third party (e.g. the system administrator or the

organisation's lawyer) provides investigators with the necessary passwords and encryption keys in the

event of an investigation.

13.3.1.4 Control 4: Reasonable discovery

An additional complicating factor is reasonable discovery, which allows investigators to seize items that

the search warrant does not explicitly list. Generally, a search warrant needs to be complete

with all the necessary details, also giving probable cause as to why the search warrant is needed.

However, in extreme cases it is possible to get a search warrant without all this additional information.


For example, in an episode of the series Shark (DSTV 2008:Television), the investigator gets a search

warrant with no physical evidence linking the suspect to the crime. This warrant was granted on the

basis that the suspect intended to wash his car (the suspected crime scene) shortly after the

investigators questioned him regarding it, potentially intending to discard any bloodstains or DNA

evidence left in the car.

Search warrants related to computers need to be very specific in what needs to be searched for and

where it can be found. These warrants generally include the emails located on a specific computer, but

exclude all documents found on the desk on which the computer is located. Any additional

information seized from the desk or from anywhere else in the room in question can result in all the

seized evidence being excluded. The accompanying CD presents an example search warrant (see Legislation),

detailing exactly what needs to be included for a legal warrant.

Should an investigator find a password scribbled on a piece of paper stuck under the keyboard, for

example, this is regarded as reasonable discovery. Although this password was technically found on

the desk excluded from the search warrant, the password is considered included in the warrant since the

investigator needs it to access the computer. Therefore, it is a reasonable assumption that any

passwords found in the vicinity of the computer are a valid discovery.

Generally, reasonable discovery is implied within a search warrant. This complicates search and seizure

matters, since reasonable discovery depends on the judge’s interpretation of the crime scene. All these

exceptions on the basic rules can complicate access to the computer. The forensic investigator needs to

know all these technicalities to ensure successful access.

13.3.1.5 Summary of Component 1

Accessing a suspect machine poses a debilitating problem for Forensic Acquisition. This section looked

at the practicality of this problem, and presented four possible controls to ensure that the investigator can

access the machine. Figure 13-4 (on page 219) presents these controls graphically.

Once the investigator has considered how he/she will access the machine, the next potential chronological problem is the OS running on the suspect system. The next section looks at the dependency of the computer on the OS and the influence that this relationship can have on a forensic investigation.

13.3.2 Component 2: Dependency on operating system

The foundation for Live Forensic Acquisition lies in the suspect machine’s OS. Investigators perform Live Forensic Acquisition by running programmes in user space, communicating with forensic software agents running on top of the suspect system’s OS (refer to Figure 3-7). In order to perform acquisitions, it is

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 219 of 268 Chapter 13

Figure 13-4: Controls for accessing the machine (Own compilation). The figure lists Component 1: Access to the machine, with the controls Legit search warrant, Cooperation from suspect, Cooperation from system administrator and Reasonable discovery.

necessary for the forensic investigator to request information from the OS via its Application Programming

Interface (API). This can potentially render evidence forensically unsound (Jones 2007:4,5).

13.3.2.1 Control 1: Thorough OS knowledge

Different types of OSs present different problems and opportunities. For example, Windows Vista includes

built-in encryption, backup and system protection features. BitLocker, the built-in encryption feature, is a

data protection feature that prevents a thief from viewing the protected files offline (Hargreaves & Chivers

2007:1,4).

Unfortunately, this feature also prevents Digital Forensic investigators from viewing the protected files,

unallocated space, pagefile and temporary folders offline. This feature prevents all access to temporary

decrypted data, keys and passwords necessary for a digital investigation. If the investigator has a

thorough, up-to-date knowledge of all technological advances with regard to OSs, he/she can recognise

a specific OS and adapt the acquisition plan to accommodate that specific OS.

13.3.2.2 Summary of Component 2

An OS is the crux of a computer and can determine whether a Live Forensic Acquisition can be

completed successfully or not. Unfortunately, this problem has only one identified control – to be up-to-

date with all OS features and developments. Figure 13-5 presents this control graphically.


Figure 13-5: Controls for OS dependency (Own compilation). The figure lists Component 2: Dependency on OS, with the control Thorough related knowledge.

Once the investigator has gained access to the OS, the next potential chronological problem is any possible data modification during the course of the acquisition. The next section looks at data modification and its negative influence on a forensic investigation.

13.3.3 Component 3: Data modification

Any process can modify computer data during acquisition, from user applications to the OS itself. During

a forensic investigation, this may prove to be very detrimental in any circumstance and can potentially

lead to the dismissal of evidence from being used during a trial.

Unfortunately, this component is the most crucial and the most difficult to control. This section identifies

two controls, but neither addresses the most critical aspect of data modification as an absolute solution:

slurred images.

13.3.3.1 Control 1: Thorough forensic training

To prevent accidental data modification by forensic investigators, it is important to ensure that only trained and qualified investigators access suspect machines. This training is not a once-off occurrence, but should be repeated every time a major new hardware or software development is released. Training may not be a solution to the problem of data modification, but at least it provides some mitigation by controlling most of the occurrences.

13.3.3.2 Control 2: Up-to-date research

There are two aspects of data modification that can benefit from current up-to-date research: slurred images and anti-forensic packages. Slurred images are probably one of the most critical problems facing forensic investigators. At the time of writing, there was no solution to this problem. The other major point is anti-forensic packages (discussed in Paragraphs 2.3.2.2 and 4.2.3). Criminals are constantly developing new ideas to counter legitimate forensic investigations. As long as computers form an integral


part of everyday life, researchers need to look into ways to identify and mitigate the use of anti-forensic packages.

For a relatively new discipline, such as Digital Forensics, it is always beneficial to keep up-to-date with

new developments and research. Although this may not be a proper solution, it does provide some

manner of control for data modification.

13.3.3.3 Summary of Component 3

Problems regarding data modification during acquisition make it difficult for investigators if they cannot prove its legitimacy and demonstrate the authenticity of the evidence. This can limit the investigator’s ability to prove the integrity and security of data in court, which is needed to ensure full acceptance of computer technology by the judicial system and to establish a proper chain of custody (Amenya 2004:17). Figure 13-6 presents these controls graphically.

Figure 13-6: Controls for data modification (Own compilation). The figure lists Component 3: Data modification, with the controls Up-to-date research and Thorough forensic training.

Once the investigator has acquired all the necessary evidence from the suspect computer, he/she needs to prove the acquired evidence’s authenticity in a court of law. The next section looks at proving authenticity.

13.3.4 Component 4: Authenticity

One of the pillars of Information Security is authentication. Courts globally need to be sure that evidence can be authenticated properly, before this evidence can be accepted in court. Traditional paper documents have signatures or other identifying marks to demonstrate authenticity, whereas a typical e-mail or electronic record needs to be authenticated in a different manner.


13.3.4.1 Control 1: Testimony of witness with knowledge

When an organisation suffers some form of computer incident, the forensic investigator may be required to perform the investigation and to testify as an expert witness for the prosecution. It is the expert witness’ function to collect evidence, examine it and present it to court. Accordingly, the expert witness needs to understand his/her discipline thoroughly and have a good grasp of the nature of evidence. Additionally, he/she should be aware of the various types of evidence and understand the conditions under which it may be ruled inadmissible (Jones 2004:273).

The expert witness must “… provide factual specificity about the process by which the electronically

stored information is created, acquired, maintained and preserved without alteration or change or the

process by which it is produced of a system or process that does so” (LexisNexis 2007:3). Most witnesses

realise that their evidence can be crucial to the outcome of a trial. As a result, presentation of evidence

in court is an important element in the judicial decision making process.

The manner in which investigators give evidence, as well as their performance under cross-examination,

play a major role in establishing the adequacy and integrity of the evidence (Stockdale & Gresham 1995:1).

Witnesses should take the following elements into consideration when preparing for a court appearance

(the accompanying CD, see Presenting evidence, provides additional information on these elements):

• Personal presentation – looks and composure;

• Cross-examination;

• Written notes;

• Proper procedural preparation;

• Proper court preparation; and

• Training.

The expert witness needs to help the court to reach a decision based on the evidence placed before it, and not necessarily to secure a conviction. The role of the expert witness is purely to explain, as clearly and concisely as possible, what he/she has seen, heard, recorded or done, honestly, impartially and without exaggeration, in order to help the jury or magistrate to reach a decision (Stockdale & Gresham 1995:32).

13.3.4.2 Control 2: Comparison by the expert witness with a prior authenticated specimen

As discussed in Paragraph 13.3.4.1, expert witnesses generally have sufficient credibility to be accepted in court. Once this credibility has been accepted in court, the expert witness can attest to anything within his/her specialised field. Therefore, the expert witness need not necessarily be part of the investigation team, but can also give a credible opinion regarding evidence presented in the court.


This control links to the discussion of precedents in Paragraph 10.3.3. If an expert witness’ resume is

sufficient and accepted in court, he/she can provide an expert opinion based on similar cases. In the

event of prior authenticated specimens (for example, a printed email proven to be authentic), the expert

witness can give an expert opinion regarding the authenticity of the specimen.

13.3.4.3 Control 3: Circumstantial evidence of the evidence itself

This rule is the most frequently used to authenticate email, as the content of what the email says can

often authenticate it. People frequently use descriptive language in emails. It is often easy to determine

the authenticity of an email when it is read within context, especially if the email message has been

replied to several times.

For example, people may refer to ‘tonight’s movie’ or ‘a specific event happening next week’. People may

also refer to individuals or groups within the emails, allowing further authentication with minimal further

investigation. Especially with emails of a personal nature, people can often determine whether the

corresponding individual is who he/she claims to be by the manner in which the email is written (use of

emoticons and slang, language, reference to people/events both individuals have knowledge of).

Alternatively, the use of hashing (unique identifier attached to electronic information) can provide

distinguishing information about the evidence.

13.3.4.4 Control 4: Public records

This rule applies when the proponent of the evidence can show that the office from which the electronic

records were taken is the legal custodian of the records. In this event, the authenticity goes to the weight

of the evidence rather than admissibility.

An example of this control may be a fraudulent Curriculum Vitae investigation. Investigators can prove

that academic records in the suspect’s possession are either authentic or fraudulent by contacting the

academic institution involved to obtain the academic records they have on their books. It is generally

accepted that public organisations (such as academic institutions, telecommunication companies, ISPs

and solicitors) are the legal custodians of the records in their possession.

13.3.4.5 Control 5: Evidence produced as a result of an accurate process or system

This control is based on the assumption that an accurate process or system will repeatedly present the same results. In the e-discovery context, this rule is satisfied by “… evidence describing the process or system used to achieve a result and demonstration that the result is accurate” (LexisNexis 2007:4).


If a process or system consistently presents the same results after a repetitive process, the evidence can be considered authentic. An example of such a process is the fingerprinting process, accepted universally as accurate and consistent. If a fingerprint retrieved at the crime scene matches the fingerprint of a suspect stored in the Automated Fingerprint Identification System (AFIS), and both the fingerprint at the crime scene and the AFIS fingerprint were recorded according to the accepted fingerprinting procedures, it can be accepted that the fingerprint match is authentic and accurate.

13.3.4.6 Control 6: Evidential weight

In the event that a court considers an electronic document admissible, its evidential weight needs to be

determined. This is the value a court will place on the information presented to it, in conjunction with

corroborative evidence that can convince it that a document is what it claims to be. By planning for the

inclusion of this supporting evidence, companies need to ensure that they capture, store and manage

electronic records in such a way as to maximise their evidential weight.

Firstly, the system should be able to freeze a record at a specific moment in time. In this sense, freezing

prohibits any further changes to the contents of a file, from a specific moment in time. Secondly, the

investigator needs to maintain a fully documented audit trail at all times. This audit trail provides supporting

information about the records that are being stored. The supporting information should also include:

• the author's name,

• the date the document/record was stored,

• the names of anyone who has accessed or made changes to the document,

• details of the changes made to the document and version control,

• details of movement of the document from medium to medium and from format to format,

• evidence of the controlled operation of the system in which the document is stored, and

• the authentication measures used when the file is moved (Information Age 2006:Internet).

13.3.4.7 Control 7: Digital Signatures

Digital signatures are in essence the signatures used to sign electronic documents, a secure method of

binding the identity of the signer with digital data integrity methods (Hosmer 2002:2). This signature is

generally a piece of code attached to an electronically transmitted message with the sole purpose of

establishing identity. Accordingly, it is possible to use digital signatures to establish legal responsibility

and the complete authenticity of the host document.

A digital signature performs a function similar to that of a tamper-proof seal on a physical evidence bag

(Interactive Advertising Bureau 2008:Internet). It uses a public key crypto-system where the signer uses

a secret key to generate a digital signature. By using the published public key certificate of the signer,

anyone can validate the signature generated by comparing the resulting number. This number is


generally between 512 and 4096 bits. Some of the most popular digital signature techniques are RSA

(Rivest-Shamir-Adleman), DSA (Digital Signature Algorithm) and PGP (Hosmer 2002:2).

One of the prominent advantages of using a digital signature is that it binds the identity of the object to

the integrity operation. It also prevents unauthorised regeneration of the signature without compromising

the private key. Disadvantages are the slow process and the effort needed to protect the private key

(Hosmer 2002:2). In addition, digital signatures cannot show any time related information: e.g., it cannot

show that a record has not been altered since a specific point in time (Klaff 2008:Internet).

13.3.4.8 Control 8: Hashing Techniques

Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string. Hashing can be applied to either index or retrieve items in a database, since the shorter key is much faster to compare than the original key (Information Provider Technologies 2003:Internet). It is a form of security, taking digital fingerprints to validate the authenticity of data. When a document is securely hashed, the hashing value can legitimately determine whether a record has been altered (Klaff 2008:Internet). The hashing method produces a fixed length large integer value, ranging from 80 to 240 bits. This number represents the digital data. It is complicated to forge a hash value, since it is difficult to construct new data resulting in the same hash (Hosmer 2002:2).

Some of the hashing techniques are SHA-1, MD5, MD4 and MD2. Hashing techniques are easy to use

and can detect both random errors and malicious alterations. On the other hand, it is necessary to

maintain secure storage of hash values. In addition, hashing techniques do not bind the object identity or

the time value with the hash value (Hosmer 2002:2).

13.3.4.9 Control 9: Timestamps

Timestamps address the time aspect of authenticity by binding a time value to electronic records.

However, there are a number of drawbacks associated with this system. Digital timestamping can be

employed to work in an organisation’s background to seal electronic records, making them resistant to

later tampering or alterations. Timestamps are secure, and can prove that electronic records are stored

in their original condition. Bodies such as the American National Standards Institute (ANSI) (Klaff

2008:Internet) regulate this.

According to Klaff (2008:Internet), the only solution available to address authenticity adequately whilst remaining independent of any bias or compromise is digital timestamping using the hash-chain-link method. This method affixes a file-agnostic hash value (a hash value that is not directly associated with the file extension) and a secure timestamp to a digital record and then combines the hash, timestamp and other traceable information to create a timestamp token. This token is then affixed to the record and


archived on a secure third-party server to ensure that the token is removed from any potential bias or

internal force.

An additional layer of security and independence is added by linking the token of each electronic record

to a hash chain created from an unbroken chain of electronic files. This hash chain is then widely

published to guarantee that any third party, such as a judge, can validate the authenticity of the token

and confirm its integrity. The publication ensures that not even the individuals with access to the tokens

can alter the hash chain. The use of trusted timestamping largely eliminates the costly and lengthy

process of proving authenticity during a trial (Klaff 2008:Internet).

The ideal situation is to create a timestamp that is resistant to manipulation. These timestamps should

be able to bind securely to specific digital evidence and be verified by a third party. This process, however,

can become quite complex, considering the following:

• the binding of time with digital data must occur within a trusted computing environment;

• the clock used as source for time stamping should be accurately calibrated;

• the calibration of the local clock used as the source for time stamping must be auditable;

• the validation of the resulting timestamps must be verifiable by the issuer as well as by any third

party verifier (Hosmer 2002:4).
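The hash-chain-link method described in this section, as an added example that is not part of the thesis: each record's SHA-256 hash is combined with its timestamp, traceable information and the previous token to form a new token, and the chain head stands in for the value the text says is "widely published". Assumptions: the timestamps are supplied by the caller (a trusted, calibrated clock and the third-party archive are outside this snippet), the records and exhibit numbers are constructed, and JSON with sorted keys is the canonical encoding.

```python
"""Added example (not from the thesis): hash-chain-linked timestamp tokens.

Assumptions: timestamps come from the caller; records and exhibit ids are
constructed samples. Altering, removing or reordering any record, or changing
any timestamp, breaks every later link and the published chain head.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_token(record: bytes, timestamp: str, prev_token: str, info: dict) -> dict:
    """Bind the record hash, the time, traceable info and the previous token together."""
    body = {
        "record_hash": sha256_hex(record),
        "timestamp": timestamp,
        "info": info,
        "prev": prev_token,
    }
    # canonical encoding so the same token always hashes to the same value
    body["token"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    return body


def build_chain(records, start: str = "GENESIS"):
    """records: list of (bytes, timestamp, info). Returns (tokens, chain_head)."""
    tokens, prev = [], start
    for record, timestamp, info in records:
        token = make_token(record, timestamp, prev, info)
        tokens.append(token)
        prev = token["token"]
    return tokens, prev


def verify_chain(records, tokens, published_head: str, start: str = "GENESIS") -> bool:
    """Recompute every link from the records and compare with the published head."""
    if len(records) != len(tokens):
        return False
    prev = start
    for (record, timestamp, info), token in zip(records, tokens):
        if make_token(record, timestamp, prev, info) != token:
            return False              # record, time, info or link was altered
        prev = token["token"]
    return prev == published_head


# constructed sample records: an acquisition log and a memory image segment
RECORDS = [
    (b"acquisition started on workstation SAMPLE-01", "2009-10-01T09:00:00Z", {"exhibit": "S1"}),
    (b"\x00\x01\x02memory segment sample\xff", "2009-10-01T09:05:00Z", {"exhibit": "S2"}),
    (b"acquisition completed, operator id 42", "2009-10-01T09:30:00Z", {"exhibit": "S3"}),
]

if __name__ == "__main__":
    tokens, head = build_chain(RECORDS)
    print("published head:", head)
    print("intact chain verifies:", verify_chain(RECORDS, tokens, head))
    tampered = list(RECORDS)
    tampered[1] = (b"\x00\x01\x02memory segment sample\xfe", "2009-10-01T09:05:00Z", {"exhibit": "S2"})
    print("one byte changed verifies:", verify_chain(tampered, tokens, head))
    print("records reordered verifies:", verify_chain(RECORDS[::-1], tokens[::-1], head))
```

Because each token includes the previous token, an insider with access to the tokens cannot rewrite one without recomputing all later ones, and the recomputed head would no longer match the copy that was published, which is the independence property the text attributes to publication.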

13.3.4.10 Control 10: Checksums

Checksums are an easy method of checking for errors in digital data. They involve applying a 16- or 32-bit polynomial to each byte of digital data that requires protection. This results in a small integer value (either 16 or 32 bits in length) that represents the concatenation of the data. This integer value must be securely saved, and can be used at any future time to determine the integrity of the protected data. If the results match, some level of integrity exists (Hosmer 2002:2).

In general, checksums are easy and fast to compute. They require very little storage space and can identify random errors. However, they provide low assurance against malicious attacks. Checksums are simple to forge and require diligent maintenance. As with the hashing algorithms, checksums do not bind the identity or timestamp to the protected data (Hosmer 2002:2).
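The difference between Control 8 (hashing) and Control 10 (checksums), as an added example that is not part of the thesis: the same constructed "image" is protected with a 16-bit additive checksum, a 32-bit CRC (zlib.crc32) and SHA-256, the values are stored at acquisition time, and the data is then re-checked after a random bit flip and after a deliberate byte transposition. Assumptions: the sample bytes are constructed, and the additive checksum stands in for the simplest class of checksum; the CRC is the polynomial kind the text describes.

```python
"""Added example (not from the thesis): integrity values over an evidence image.

Assumption: IMAGE is a constructed byte string, not real evidence. Random
damage is caught by all three mechanisms; a byte transposition is invisible
to the additive checksum. None of the values binds an identity or a time.
"""
import hashlib
import zlib

# constructed sample "image"
IMAGE = bytes(range(256)) * 4 + b"CONSTRUCTED-SAMPLE-IMAGE"


def additive_checksum16(data: bytes) -> int:
    """Sum of all bytes, reduced to 16 bits: order of bytes does not matter."""
    return sum(data) & 0xFFFF


def crc32(data: bytes) -> int:
    """32-bit polynomial checksum as used in ZIP and PNG; detects short bursts."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_record(data: bytes) -> dict:
    """The values an investigator would store securely at acquisition time."""
    return {
        "sum16": additive_checksum16(data),
        "crc32": crc32(data),
        "sha256": sha256_hex(data),
    }


def check(data: bytes, stored: dict) -> dict:
    """For each stored value, whether it still matches the data as it is now."""
    current = integrity_record(data)
    return {name: current[name] == value for name, value in stored.items()}


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Model a random storage or transfer error: one bit changes."""
    buf = bytearray(data)
    buf[index] ^= 1 << bit
    return bytes(buf)


def swap_bytes(data: bytes, i: int, j: int) -> bytes:
    """Model a deliberate change that keeps the byte multiset unchanged."""
    buf = bytearray(data)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)


if __name__ == "__main__":
    stored = integrity_record(IMAGE)
    print("stored:", stored)
    print("unchanged:", check(IMAGE, stored))
    print("random bit flip:", check(flip_bit(IMAGE, 10, 3), stored))
    print("two bytes swapped:", check(swap_bytes(IMAGE, 0, 1), stored))
```

The additive checksum reports the transposed image as intact because it only counts byte values; the CRC catches this particular change, but it is a linear error-detecting code, not a cryptographic one, so it offers the "low assurance against malicious attacks" the text describes. Only the SHA-256 value is expensive to match with different content, and even it says nothing about who computed it or when, which is what Controls 7 and 9 add.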

13.3.4.11 Summary of Component 4

Ensuring the authenticity of any evidence can be a very tiresome duty. This section looked at some

controls that may help investigators to prove authenticity. Figure 13-7 presents these controls graphically.

Once the investigator has considered how he/she will prove the evidence’s authenticity, the final problem

that can be encountered is the court’s reluctance to accept digital or electronic evidence. The next

section looks at court acceptance.


Figure 13-7: Controls for ensuring authenticity (Own compilation). The figure lists Component 4: Authenticity, with the controls Expert witness testimony, Comparison by expert witness with prior authenticated specimen, Circumstantial evidence, Public records, Evidence produced as result of accurate process or system, Evidential weight, Digital signatures, Hashing techniques, Timestamps and Checksums.

13.3.5 Component 5: Court acceptance

Computer technology and digital evidence have not always been accepted by the judicial system. Some

of the first electronic evidence was introduced to court in the early 1980s, although this practice only

became widely accepted in the 1990s (Gahtan 2005:Internet). With the technology changing constantly,

court officials need to stay up-to-date with new techniques and new technology practices. Without an

extensive knowledge of these developments, forensic investigators may have some trouble to introduce

digital evidence.


An investigator needs to possess a number of different core competencies in the Information Technology

field. Even within the smaller Digital Forensic discipline, the investigator needs to have a very extensive

knowledge to be regarded as an expert. In this context, it can be problematic when the judicial system,

expected to be experts on the legal aspects and processes, needs to be comfortable with the computer

technology as well.

It would be highly unlikely for the judges and lawyers to be experts on both legal aspects and computer

technology. However, they should be comfortable with the basic concepts, such as the range of OSs and

the most popular software applications (Janes 2000:44). In addition, expert witnesses need to be

competent enough to introduce new computer related concepts to the court and ensure that they accept

new and unfamiliar technologies.

13.3.5.1 Control 1: Awareness and education

In theory, the easiest way to control the acceptance of new technological advances in court is by properly making the court and the judicial officers aware of the technology. The easiest way to do this is by training them in the basic disciplines. Unfortunately, many judges and lawyers are very focused on the law and the application thereof, without sufficient knowledge of computers and the overlap between IT and law. As a result, courts do not readily accept any technological advances.

To ensure that courts stay up-to-date with technological advances, academic institutions and legal organisations need to ensure intermittent awareness campaigns to ensure that their students/employees are aware of new technological developments. On a more active level, legal organisations should ensure that employees all have a basic understanding of technology, and preferably attend a number of multi-disciplinary courses.

13.3.5.2 Summary of Component 5

If the courts do not accept the electronic evidence, the Live Forensic Acquisition process has been done

in vain. Figure 13-8 presents this control graphically.

Figure 13-8: Controls for court acceptance (Own compilation). The figure lists Component 5: Court acceptance, with the control Awareness and education.


All five components of the Scope dimension of the Liforac model have been discussed and presented

visually in relation to the Liforac model.

13.4 Summary

Chapter 13 showed in more detail what the Scope dimension of the Liforac model entails. This chapter

focused solely on the possible practical problems that may be encountered, as highlighted in Figure

13-2. From preliminary research and the literature study presented in Chapter 5, the Scope dimension of

the Liforac model divides into five prominent practical problems: Gaining access to a suspect system,

Dependency on an operating system, Possible data modification, Proving authenticity and Ensuring

acceptance in court. These five components are developed in the remainder of the chapter. Each

component is presented visually in relation with the dimension, showing possible controls for each of the

identified problems.

Chapter 13 was the last of the dimension specific chapters. Chapter 14 will now present a completed

Liforac model. The chapter will combine the information presented in Chapters 10, 11, 12 and 13 to

present the completed Liforac model.


Chapter 14: Presenting the Final Liforac model

“The purpose of science is not to analyse or describe but to make useful models of the world. A model is useful if it allows us to get use out of it.”

- Edward de Bono

This study, Liforac - A Model For Live Forensic Acquisition, divides into four distinct parts. Figure 1-1

presents these four parts with four cylinders, indicating succession and progress from the bottom of the

figure to the top. In Chapter 14, the progression of the Liforac model proceeds to the final compilation of

the model at the end of Part 4: Possibility of Sound Live Acquisition. Figure 14-1 presents the same

figure presented as Figure Part 4-1. This figure shows that the development of the Liforac model is

nearly complete.

Figure 14-1: The Liforac model development study (Own compilation)

The final model, presented in Part 4, has four dimensions: Laws and regulations (Chapter 10), Timeline

(Chapter 11), Knowledge (Chapter 12) and Scope (Chapter 13). The first three parts contribute drivers

that are necessary to build the Liforac model. Chapter 14 will now present the complete Liforac model as

a single guideline framework.

14.1 Introduction

This research study addressed the research problem first mentioned in Paragraph 2.1. “… At present,

forensic investigators cannot be certain that a court of law will consider Live Forensic Acquisition

techniques to be forensically sound. Neither can forensic investigators be certain that the evidence


acquired with Live Forensic Acquisition techniques is adequately comprehensive, compared with evidence acquired with Dead Forensic Acquisition techniques, until further research has been done.”

The study progressed through four distinct parts and 13 chapters to present a single comprehensive,

forensically sound Live Forensic Acquisition model - the Liforac model. Chapter 14 will now present this

model in its final form.

14.2 Constructing the Liforac model

The Liforac model is presented as an interactive display on the accompanying AutoRun CD, MMG PhD 2009. The display consists of nine buttons that link to a number of additional research works or information supplementing the Liforac study. Figure 14-2 shows the main menu of the accompanying CD.

Figure 14-2: Screenshot - Main menu of the Liforac study accompanying CD

The Study overview button (indicated by an arrow in Figure 14-3) links to a new page that provides a

brief synopsis of the Liforac study. This menu offers four process flow animations, to indicate the flow of

action or information in the objectives of the study, the Dead Forensic Acquisition process, the Live


Forensic Acquisition process, as well as the generic Forensic Acquisition process. These animations do

not contribute new information to the study, but rather animate figures that were already presented in

earlier chapters of this study.

Figure 14-3: Screenshot - Menu options for Study overview

The Forensic tools button (indicated by an arrow in Figure 14-5 on page 234) links to an article that gives more insight and details on the forensic tools discussed in Chapter 4 of the Liforac study. This article addresses the increasing number of Digital Forensic tools available on the market and provides a basic analysis of these tools to assist cyber investigators in selecting specific tools for their specific needs.

This article introduces a number of Digital Forensic investigative tools suitable for the Windows, Mac, Linux and DOS platforms. It provides a brief overview of all the different platforms, and briefly compares the abilities of forensic tools on these different platforms.

The WITSA report button (indicated by an arrow in Figure 14-5 on page 234) presents the full WITSA

report as compiled by McConnell International. This report contributes a number of astonishing statistics

in Chapters 7 and 8, and provides interesting reading material regarding cyber crime and cyber

legislation. This report analyses the state of the law in 52 countries around the world.


Figure 14-4: Screenshot - Menu option for Forensic tools

Figure 14-5: Screenshot - Menu option for WITSA report


The Legislation button (indicated by an arrow in Figure 14-6) gives some background on cyber crime legislation. It addresses the growing use of computers and Information Technology that necessitates legislation to control crimes emerging from these circumstances. It also links to a sample search warrant, as referred to in Chapter 13. This sample is a Kansas District Court search warrant of the Kansas criminal division, indicating variable data with yellow highlights. It should give a clear indication of what information is required in a search warrant. The sample search warrant is a lengthy document, emphasising the importance of a complete document.

Figure 14-6: Screenshot - Menu options for Legislation

The Presenting evidence button (indicated by an arrow in Figure 14-7 on page 236) links to an article

that provides guidelines for forensic investigators that need to present evidence in court. Although this

article is written specifically for forensic investigators, many of these guidelines can also be applied to

other investigators that need to present evidence in court. This article has been submitted for review to

be published in an international business management journal.

The Liforac model button (indicated by an arrow in Figure 14-8 on page 236) links to the interactive part of the study. This section demonstrates the Liforac model with its four dimensions, and briefly discusses each dimension together with its respective drivers. This button leads to the main graphical display referred to throughout the study.


Figure 14-7: Screenshot - Menu option for Presenting evidence

Figure 14-8: Screenshot - Menu option for Liforac model


The Publications button (indicated by an arrow in Figure 14-9) links to a number of published papers and conference proceedings generated from the Liforac model research. Since Live Forensics is a relatively new discipline globally, and Digital Forensics itself has not yet adequately proven itself in South Africa, there are numerous opportunities to publish and present information on this topic. This button ties in directly with the next button, presented in Figure 14-10.

Figure 14-9: Screenshot - Menu options for Publications

The Presentations button (indicated by an arrow in Figure 14-10 on page 238) links to a number of conference presentations, keynote addresses and media reports related to this study. Within the South African context, both forensic scientists and the general public are keen to learn more about this emerging criminal investigation methodology. All of these publications and presentations have been published on the CSIR’s research space.

The Glossary button (indicated by an arrow in Figure 14-11 on page 238) links to the webpage designed for the glossary of the study. The glossary can be browsed by selecting a letter of the alphabet at the top of the screen. It is composed of words and terms originating from the Liforac study. It largely consists of forensic-related words and terms, but some ambiguous terms encountered in the study are also included.


Figure 14-10: Screenshot - Menu options for Presentations

Figure 14-11: Screenshot - Menu option for Glossary


14.3 Summary

Part 4 forms the crux of this investigation and brings together all the different aspects of the study. This part comprises seven chapters of the study and presents the climax and conclusions of the study. Part 4 links the entire research study together, presenting the Liforac model for Live Forensic Acquisition founded on the first three parts of the document. Chapter 14 wraps up the research aspects of the Liforac model and presents the study as an interactive CD display.

Chapter 15 is the final chapter of the study, and concludes with the lessons learned and the way forward. This chapter also critically appraises the work done in the study, and states whether all the objectives set out in Chapter 2 have been met.


Chapter 15: Closure

“Searching for traces is not, as much as one could believe it, an innovation of modern criminal jurists. It is an occupation probably as old as humanity. The principle is this one. Any action of an individual, and obviously, the violent action constituting a crime, cannot occur without leaving a mark. What is admirable is the variety of these marks. Sometimes they will be prints, sometimes simple traces, and sometimes stains.”

- Dr. Edmond Locard

This study, Liforac – A Model For Live Forensic Acquisition, focused on the further development of the Live Forensic discipline. The motivation for this study rests on the hypothesis that forensically sound Live Forensic Acquisition can stand fast in a court of law. This study showed that Live Forensic Acquisition is as comprehensive as Dead Forensic Acquisition.

Chapter 2 argued that criminals are constantly pushing the boundaries of technology. They now use computers to extend the range of activities they can perform, and create new and innovative ways of using technology. Accordingly, new types of crime have surfaced in the virtual world, whilst traditional crimes are now committed using advanced technology. Both these phenomena lead to a dire need for advanced cyber crime fighting techniques – Live Forensic Acquisition, as addressed by this research study.

15.1 Introduction

The research problem, introduced in Paragraph 2.1, states that the development of Live Forensic Acquisition, albeit a remedy for the problems introduced by Dead Forensic Acquisition, introduces a variety of additional difficulties, unique to the instance of Live Forensic Acquisition. These difficulties affect the forensic soundness of Live Forensic Acquisition.

This research study discussed the development of a model for Live Forensic Acquisition - Liforac. The Liforac model is a comprehensive model that presents all aspects related to Live Forensic Acquisition, suggesting ways in which a Live Forensic Acquisition should take place to ensure forensic soundness and address the research problem. The study is divided into four distinct parts, each part contributing directly to the forensically sound Liforac model. The four parts of the study (originally presented in Figure 1-1), in chronological order, are:

• Part 1: Setting the Scene;

• Part 2: Live Forensic Acquisition;

• Part 3: Digital Forensics and the Judicial System; and

• Part 4: The Possibility of Sound Live Forensic Acquisition.


These four parts are designed to help with the development of the final forensically sound model, presented in Chapter 14. The first three parts contributed the drivers necessary to build the model, whilst the last part focused on the actual development and construction of the model. The next section discusses each of the 15 chapters to determine whether the study reached its goals and objectives.

15.2 Discussion of the Research Study

At present, forensic investigators cannot be certain that a court of law will consider Live Forensic Acquisition techniques to be forensically sound. Neither can forensic investigators be certain that the evidence acquired with Live Forensic Acquisition techniques is adequately comprehensive, compared with evidence acquired with Dead Forensic Acquisition techniques, until further research has been done. In view of that, this thesis developed a model that underwrites comprehensive, forensically sound Live Forensic Acquisition. Table 15-1 shows the four parts and 15 chapters of the study, with their respective critical assessment.

Table 15-1: Critical appraisal of the Liforac model development (Own compilation)

(Columns: Part/Chapter; Contents; Assessment)

Chapter 1: Liforac - A Model For Live Forensic Acquisition
Contents:
− introduces the study

Part 1: Setting the Scene
Contents:
− concise introduction to the field of Digital Forensics
− introduces important forensic concepts

Chapter 2: Introduction
Contents:
− provides background knowledge
− lays out the objectives
− research methodology
− objectives and limitations
Assessment:
− Deliverable:
  • Glossary
− Lists sub objectives
− Lists research problem

Chapter 3: The Digital Forensic Discipline
Contents:
− introduces traditional and Live Forensic Acquisition techniques
− comparison between techniques
− Digital Forensic principles
− step-by-step Forensic Acquisition process
Assessment:
− Deliverable:
  • Glossary
− Links to sub objective A
− Addresses research problem

Part 2: Live Forensic Acquisition
Contents:
− focuses on the internal workings of the Live Forensic technology
− lays the foundation for the application of Live Forensic Acquisition as sound practice
− familiarises the reader with the concepts of forensic soundness and inadmissibility in a court of law

Chapter 4: Forensic Tools
Contents:
− literature survey of some of the popular Digital Forensic tools
− basic understanding of how Digital Forensics works and ways in which forensic tools can assist investigators
− identifies current limitations in the Live Forensic discipline
Assessment:
− Deliverable:
  • forensic tool assessment (CD)
− Links to sub objective A
− Addresses research problem

Chapter 5: Current Application of Live Forensics
Contents:
− provides background knowledge on the developing Live Forensic technology
− looks at advances in Live Forensic Acquisition
− focuses on the problems that arise with the application of Live Forensics
− introduces forensic concepts such as evidential weight and validity of digital evidence
− discussion of currently applied software and hardware Live Forensic techniques
Assessment:
− Deliverables:
  • current Live Forensic methods/techniques
  • glossary
− Links to sub objective B
− Addresses research problem

Chapter 6: Forensically Sound Live Forensic Acquisition Admissible in Court
Contents:
− focuses on the term forensic soundness
− measures different kinds of evidence retrieved through Live Forensic techniques
− identifies potential problems that may render digital evidence inadmissible in court
− compares Digital Forensics with Physiological Forensics
− discusses the volatile nature of Digital Forensics
Assessment:
− Deliverable:
  • Glossary
− Links to sub objective C
− Addresses research problem

Part 3: Digital Forensics and the Judicial System
Contents:
− investigates the legalities of cyber crime and Digital Forensics

Chapter 7: Cyber Crime and Criminals
Contents:
− looks at the classification of cyber crime
− investigates the reasons for cyber crime
− investigates the occurrence of cyber crime
− defines the difference between cyber crime and crime committed in the real world
− lists famous court cases in which cyber crime played a major role
Assessment:
− Deliverable:
  • cyber crime definition
− Links to sub objective D

Chapter 8: Cyber Crime Legal Aspects
Contents:
− identifies current global laws addressing cyber crime
− identifies a cyber crime framework
− identifies legal challenges regarding Forensic Acquisition
− discusses the legal acceptance of Digital Forensic evidence
Assessment:
− Deliverables:
  • cyber crime legislation
  • cyber crime framework
− Links to sub objective E
− Addresses research problem

Part 4: The Possibility of Sound Live Forensic Acquisition
Contents:
− proposes the Liforac model
− presents the model dimension by dimension

Chapter 9: Building a Model
Contents:
− presents the framework for the planned model for Live Forensic Acquisition
− defines a model and presents a visual representation of the generic model of this study
Assessment:
− Deliverable:
  • model framework
− Addresses research problem

Chapter 10: Laws and Regulations Dimension
Contents:
− looks in detail at the dimension concerning laws and regulations relevant to Digital Forensics
− shows the segregation of this dimension into:
  • Common crime laws applicable to cyber crime
  • Specific cyber laws
  • Court cases and precedents
  • Definition of court admissibility
Assessment:
− Deliverable:
  • model dimension
− Addresses research problem

Chapter 11: Timeline Dimension
Contents:
− looks in detail at the sequential order in which investigators need to perform actions to ensure sound Live Forensic Acquisition
− shows the segregation of the Timeline dimension into:
  • implied and explicit processes
  • three related timeframes
Assessment:
− Deliverable:
  • model dimension
− Addresses research problem

Chapter 12: Knowledge Dimension
Contents:
− looks in detail at the training and skills needed by people involved in Live Forensic Acquisition
− shows the segregation of the Knowledge dimension into:
  • Law
  • Forensic Sciences
  • Social Sciences
  • Information Systems
  • World Security Trends and Events
  • Computer Science
  • New technology
Assessment:
− Deliverable:
  • model dimension
− Addresses research problem

Chapter 13: Scope Dimension
Contents:
− looks in detail at the problems associated with Live Forensic Acquisition
− shows the segregation of this dimension into:
  • Gaining access to the suspect machine
  • Dependency on the OS
  • Data modification
  • Authenticity
  • Court acceptance
Assessment:
− Deliverable:
  • model dimension
− Addresses research problem

Chapter 14: Presenting the Final Liforac model
Contents:
− presents the final model for complete, forensically sound Live Forensic Acquisition
Assessment:
− Deliverable:
  • Liforac model
− Addresses research problem

Chapter 15: Closure
Contents:
− concludes the study
− justifies the development of the Liforac model for comprehensive, forensically sound Live Forensic Acquisition

The original research objective (refer to Paragraph 2.2) is to develop a model that comprehensively presents the aspects related to Live Forensic Acquisition. The Liforac model is developed in such a way as to provide guidance to forensic investigators on four distinct levels (the four dimensions identified in the Liforac model). The model suggests ways in which a Live Forensic Acquisition should take place to ensure forensic soundness. From the information presented in Table 15-1, the conclusion is that this research study completed the tasks set out in Chapter 2. Table 15-1 also clearly indicates which chapters addressed the sub objectives specified in Figure 2-2.

The most important deliverable of this study is the Liforac model, although the accompanying CD also presents a number of additional information sources that can be used by forensic investigators. The next section looks at some of the problems encountered during this study.

15.3 Problems Encountered

Although the study addressed all the necessary issues to be regarded as a success in the development of the Live Forensic discipline, a number of obstacles limited the study. Many of these limitations were envisioned at the start of the study, whilst some were only realised during the research and development stages.

Due to the nature of the field of study, the majority of the references are Internet-based. Digital Forensics, and specifically the specialised Live Forensic discipline, is not yet well established in the security field. The printed resources on this subject are very limited. Available resources are limited to either product fact sheets or blogs maintained by so-called cyber experts. The fact sheets focus on selling the products and often present a more optimistic image than the real life products do. Blogs, on the other hand, present vivid real life encounters of Live Forensics, but are often opinionated and not scientific in nature.

Another source of information is personal interviews. However, the number of skilled South African scientists available for interviews is very limited. By attending and presenting a paper at an international forensic conference in Germany in September 2008, it was possible to set up a small network of contacts with some international forensic scientists. Most of these scientists are based in Germany and their expertise in the field of forensics (especially Live Forensics) is far beyond the current South African abilities and knowledge network.

The cost of software and training makes it nearly impossible to do a proper comparison between the forensic tool suites. Most forensic organisations are equipped with only one, occasionally two, forensic suites. The cost per person for specialised training, combined with the initial cost of the software, the annual licence fees and the maintenance of the forensic workstation, makes a thorough forensic education and practice nearly impossible. To counter this specific limitation, software-developing organisations in Italy have developed open source forensic tools (Forte 2008c:Presentation). However, at the time of writing the functionality of these packages has not been tested thoroughly in comparison with commercially available forensic suites.

Another problem encountered during this study was my lack of practical experience. Although I learned a lot about both the theoretical and practical sides of Digital Forensics, the actual practical application of the research is very limited. Due to the sensitive nature of forensic investigations, it is not always possible to observe real acquisitions and investigations. In the original planning of this study, I intended to follow a number of court cases involving Digital Forensic evidence closely. The plan included developing a case study and observing the court procedures. However, very few public cases involving Digital Forensic evidence made it to South African courts during the research period.

These listed problems and limitations made for a very challenging study. Despite these problems, the information gathered and the model developed are of great academic value. The next section looks at the way forward with regard to research in the Live Forensic discipline and the Liforac model.

15.4 The Way Forward

The human dependency on computers allows the infiltration of computer technology into almost all aspects of human life. Accordingly, where computers are involved, there will always be room for further research and development.

This study presented information on a relatively new field of expertise. Accordingly, many of the topics covered by this study can be investigated in more depth. Not only will this study then serve as the starting point of a more extensive forensically sound Live Forensic Acquisition model, but it can also be seen as a pioneering step in developing the Digital Forensic discipline. Compared to many other countries, South African forensic scientists lack knowledge and experience regarding both Digital Forensics and Live Forensics.

Since the Live Forensic Acquisition technique is relatively new and unexplored, it is difficult to identify appropriate measurement instruments beforehand. Possible future work can look at identifying these measurement instruments. Chapter 8 of this study touched on Digital Forensic Governance, another new area that needs more in-depth investigation.

One of the main problems encountered during the Live Forensic process is slurred images (discussed in Paragraph 5.2.3). The research done to develop the Liforac model did not result in a solution for this problem. Future research into this aspect can greatly enhance the efficiency of the discipline.

The links made between Digital Forensics and Heisenberg’s uncertainty principle, as well as between Digital Forensics and Herzberg’s motivation/hygiene theory, also warrant further research. This thesis briefly touched on both relationships, but additional research may prove vital to the further development of the discipline.

This study developed the Liforac model within the context of the South African environment and legislation. Further research may be done to establish the applicability of this model in an international context.

Despite a number of limitations and practical problems, the study opens up a number of future research topics. The Digital Forensic discipline still has a number of aspects that can be investigated and researched.

15.5 Summary

The development of the Live Forensic discipline and the Live Forensic Acquisition technique instigated the development of a method that allows forensically sound acquisition to stand fast in a court of law. This study showed that Live Forensic Acquisition is as comprehensive as Dead Forensic Acquisition, by considering the general Digital Forensic discipline, forensic tools, practical problems experienced during acquisition, legal aspects and cyber crimes.

Considering the study as a whole, it successfully completed all the objectives set out to present a forensically sound Live Forensic Acquisition model. This study concludes with the observation that Digital Forensics allows individuals to analyse data from the past - not only is this a great opportunity for forensic scientists, but it is a serious responsibility that needs to be handled with sufficient respect and awe.


References

AC see ASSOCIATED CONTENTS ASSOCIATION (AC)

ACPO see ASSOCIATION OF CHIEF POLICE OFFICERS (ACPO)

AFENTIS. Information Insurance. s.a. Digital evidence case preparation. URL: http://www.afentis.com/digital_evidence_case_prep_part2.html Date of access: 17 March 2008.

ALINK, W., BHOEDJANG, R.A.F., BONCZ, P.A. & DE VRIES, A.P. 2006. XIRAF - XML-based indexing and querying for digital forensics. Digital investigation, 3, Suppl. 1:50-58.

AMENYA, M. 2004. Recovering, examining and presenting computer forensic evidence in court. URL: www.csam.montclair.edu/~robila/SECURITY/F2004_P/P6/finalcomputerforensics.doc Date of access: 9 June 2008.

ASSOCIATED CONTENTS ASSOCIATION. 2007. The Univac was the first commercial computer circa 1950. Associated content - the people’s media company. URL: http://www.associatedcontent.com/article/380960/the_univac_was_the_first_commercial.html Date of access: 4 April 2008.

ASSOCIATION OF CHIEF POLICE OFFICERS. 2007. Good practice guide for computer-based electronic evidence. London: 7Safe.

AUSTRALIAN GOVERNMENT. 2008. How do I protect and handle magnetic media? URL: http://www.naa.gov.au/records-management/secure-and-store/physical-preservation/faq/magnetic-tape.aspx Date of access: 25 February 2008.

BAGGILI, I. 2006. Search and seizure from a digital perspective: a reflection on Kerr’s Harvard Law review article. URL: http://www.forensicfocus.com/downloads/ReflectionOnKerr.pdf Date of access: 22 August 2008.

BATTISTONI, R., DI PIETRO, R., DI BIAGIO, A., FORMICA, M. & MANCINI, L.V. 2008. A live digital forensic system for windows networks. IFIP-SEC 2008. URL: http://www.slideshare.net/rbattistoni/live-digital-forensic-foxp Date of access: 31 July 2009.

BEDFORD, M. 2005. Methods of discovery and exploitation of host protected areas on IDE storage devices that conform to ATAPI-4. Digital investigation, 2(4):268-275.

BEJTLICH, R. 2006. Forensically sound evidence. Tao security. URL: http://taosecurity.blogspot.com/2006/08/forensically-sound-evidence.html Date of access: 20 March 2008.

BERGHEL, H. 2003. Malware month. Digital village, 46(12):15-19.

BHASKAR, R. 2006. State and local law enforcement is not ready for a Cyber Katrina. Communications of the ACM, 49(2):81-84.

BRENNER, S.W. 2004. Toward a criminal law for cyberspace: product liability and other issues. Journal of technology law and policy, 5, Art. 1:9-17.

BRIGHTFORENSICS. 2009. Helix 3 enterprise. URL: http://www.brightforensics.com/h3e.php Date of access: 30 July 2009.

BROUCEK, V. & TURNER, P. 2002. Bridging the divide: rising awareness of forensic issues amongst systems administrators. 3rd International System Administration and Networking Conference, May 27-31, Maastricht, The Netherlands. p. 42-49.

BROWN, C.L.T. 2005a. Computer evidence: collection and preservation. Charles River Media. URL: http://www.charlesriver.com/resrcs/chapters/1584504056_1stChap.pdf Date of access: 18 April 2008.

BROWN, C.L.T. 2005b. Benefits and techniques for live investigations. HTCIA International. URL: http://toorcon.techpathways.com/uploads/HTCIA2005-LiveInvestigations.pdf Date of access: 17 August 2008.

BRUNGS, A. & JAMIESON, R. 2005. Identification of legal issues for computer forensics. Information systems management, 22(2):57-66.

BUSINESS WIRE. 2005. Experts available to discuss increased use of digital evidence in courts. URL: http://findarticles.com/p/articles/mi_m0EIN/is_2005_Jan_31/ai_n9491984 Date of access: 18 March 2008.

CARRIER, B.D. & GRAND, J. 2003. A hardware-based memory acquisition procedure for digital investigations. Digital investigation, 1(1):50-60.

CARRIER, B.D. 2006. Basic digital forensic investigation concepts. URL: http://www.digital-evidence.org/di_basics.htm Date of access: 16 January 2008.

CARVEY, H. 2005. Windows forensics and incident recovery. Cape Town: Addison-Wesley.

CARVEY, H. 2007. Thoughts on live forensic acquisition. URL: http://windowsir.blogspot.com/2007/06/thoughts-on-live-acquisition.html Date of access: 10 January 2008.

CASEY, E. 2000. Digital evidence and computer crime: forensic science, computers and the internet. San Diego: Academic Press.

CASEY, E. 2004a. Digital evidence and computer crime: forensic science, computers and the internet. 2nd ed. San Diego: Academic Press.

CASEY, E. 2004b. Tool review: remote forensic preservation and examination tools. Digital investigation, 1:274-297.

CASEY, E. 2007. What does “forensically sound” really mean? Digital investigation, 4(2):49-50.

CHEESEMAN, H.R. 2005. Contemporary business and online commerce law. 5th ed. Reihe: Prentice Hall.

CHIZOBA, O.M. 2005. Cyber crime. URL: www.takingitglobal.org/action/projects/download.html/4926/CYBER%20CRIME%20ABUJA.doc Date of access: 4 April 2008.

CHURCH, C.A. 2007. Long term hard drive storage and data integrity. URL: http://photo.net/bboard/q-and-a-fetch-msg?msg_id=00NXpz Date of access: 25 February 2008.

CIARDHUÁIN, S.O. 2004. An extended model of cybercrime investigations. International journal of digital evidence, 3(1):1-22.

CLARKE, R. 2004. Maroochy sewage cyber-terrorism. URL: http://mailman.anu.edu.au/pipermail/link/2004-April/056025.html Date of access: 14 July 2009.

COETZEE, R. 2009. Personal interview on 13 August 2009. (Senior manager: Digital Forensic Support Services.)

COHEN, F. 2006. Challenges to digital forensic evidence. Cyber Crime Summit. URL: http://all.net/Talks/CyberCrimeSummit06.pdf Date of access: 28 August 2008.

COMPUTER FORENSICS TOOLKIT. 2005. Computer forensics checklists. URL: http://computer-forensics.privacyresources.org/forensic-checklists.htm Date of access: 26 February 2008.

COMPUTER HISTORY MUSEUM. 2009. First data storage mechanism. URL: http://www.coe.uh.edu/courses/cuin7317/students/museum/slong.html Date of access: 18 August 2009.

COMPUTER NETWORK DEFENCE. 2007. Anti-forensic tools. URL: http://www.networkintrusion.co.uk/foranti.htm Date of access: 20 June 2008.

CONSTITUTIONAL COURT. s.a. The Constitution – Constitution of the Republic of South Africa. URL: http://www.constitutionalcourt.org.za/site/constitution/english-web/schedules.html#s6 Date of access: 11 February 2010.

COREN, M. 2005. Digital evidence: today’s fingerprints. CNN. URL: http://www.cnn.com/2005/LAW/01/28/digital.evidence/index.html Date of access: 17 March 2008.

CRANTON, T. 2008. Microsoft calls on global public-private partnerships to help in the fight against cybercrime. URL: http://www.microsoft.com/presspass/features/2008/apr08/04-28crantonqa.mspx Date of access: 2 June 2008.

CYBER FORENSICS. 2007. Cyber forensics investigation. URL: http://www.cyber-forensics.ltd.uk/ Date of access: 2 June 2008.

CYBERANGELS. 2007. A program of guardian angels. URL: http://www.cyberangels.org Date of access: 25 June 2008.

DANIEL, L. 2006. Digital forensics. URL: http://www.aoc.state.nc.us/www/ids/Defender%20Training/2006%20Investigators%20Conference/Computer%20Forensics%20Prsentation.pdf Date of access: 17 March 2008.

DAUBERT v. MERRELL DOW PHARMACEUTICALS, Inc. 1993. 509 U.S. 579, 589. URL: http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=US&vol=509&invol=579 Date of access: 18 August 2009.

DIBS USA Inc. 2008. Computer forensic equipment. URL: http://www.dibsusa.com/products/products.asp Date of access: 5 June 2008.

DSTV. 2008. Shark episode 15: One hit wonder. Originally aired on 13 May 2008 on CBS. Aired in South Africa on 12 December 2008 at 19:30 on MNET.

DU BOIS, F. 2007. Wille's principles of South African law. 9th ed. Cape Town: Juta & Co.

EHRLICH, D. 2002. Instructional design, 2. URL: http://www.neiu.edu/~dbehrlic/hrd408/glossary.htm Date of access: 23 April 2008.

FBI see FEDERAL BUREAU OF INVESTIGATION

FEDERAL BUREAU OF INVESTIGATION (FBI). 2007. Digital forensics: it’s a bull market. URL: http://www.fbi.gov/page2/may07/rcfl050707.htm Date of access: 18 March 2008.

FEI, B.K.L. 2007. Data visualisation in digital forensics. Pretoria: University of Pretoria. URL: http://upetd.up.ac.za/thesis/submitted/etd-03072007-153241/unrestricted/dissertation.pdf Date of access: 17 January 2008.

FISHEL, J. & GRIFFIN, J. 2008. Military looking abroad for source of cyber attack on Pentagon. URL: http://www.foxnews.com/politics/2008/11/21/source-cyber-attack-pentagon-come-china/ Date of access: 28 November 2008.

FORTE, D.V. 2008a. Volatile data vs. data at rest: the requirements of digital forensics. Network security, 6:13-15.

FORTE, D.V. 2008b. Computer forensics: are you qualified? Computer fraud & security, 1:18-20.

FORTE, D.V. 2008c. Advances in digital investigations: research, open source and commercial tools. (ISSA Conference 2008, 7-9 July 2008. Johannesburg, South Africa. p. 1.)

FRENCH, E. 2008. Will technology take over the world? URL: http://www.helium.com/items/609726-will-technology-take-over-the-world Date of access: 28 November 2008.

FROWEN, A. 2009. Cloud computing and computer forensics. URL: http://www.articlesnatch.com/Article/Cloud-Computing-And-Computer-Forensics/663389 Date of access: 10 February 2010.

GAHTAN, A.M. 2005. Computer technology invades litigation practice. URL: http://www.gahtan.com/alan/articles/ctechlit.htm Date of access: 30 June 2008.

GALLO, V. 2008. Stand clear of the computer! DeticaForensics. URL: http://www.deticaforensics.com/images/pdfs/LivePresentation.pdf Date of access: 30 July 2009.

GARDNER, R. 2000. Notification of judgement: Kilgore v. Boyd (U.S.). URL: http://www.fact.on.ca/Info/pas/pasnote.htm Date of access: 26 March 2008.

GHELANI, S. 2006. Chain of custody: a suspect’s chargesheet. URL: http://www.niiconsulting.com/checkmate/2006/02/chain-of-custody-a-suspects-chargesheet/ Date of access: 25 February 2008.

GIORDANO, J. & MACIAG, C. 2002. Cyber forensics: a military operations perspective. International journal of digital evidence, 1(2):1-13.

GLEASON, B.J. 2007. Digital evidence and computer crime. URL: http://thinairlabs.com/ifsm498x/ifsm498x_01_p9.pdf Date of access: 8 September 2009.

GRANCE, T., KENT, K. & KIM, B. 2004. Computer security incident handling guide: Recommendations of the National Institute of Standards and Technology. National Institute of Standards and Technology. Special Publication 800-61. Technology Administration. U.S. Department of Commerce. URL: http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf Date of access: 17 January 2008.

GROBLER, C.P. & LOUWRENS, C.P. 2009. High-level integrated view of digital forensics. (ISSA 2009 Conference, 6-8 July 2009, University of Johannesburg, South Africa. p. 1.)

HAGGERTY, J. & TAYLOR, M. 2006. Managing corporate computer forensics. Computer fraud & security, 6:14-16.

HALDERMAN, J.A., SCHOEN, S.D., HENINGER, N.A., CLARKSON, W., PAUL, W., CALANDRINO, J.A., FELDMAN, A.J., APPELBAUM, J. & FELTEN, E.W. 2008. Lest we remember: cold boot attacks on encryption keys. (Proceedings 2008 USENIX Security Symposium. 16 p.)

HARGREAVES, C. & CHIVERS, H. 2007. Potential impacts of Windows Vista on digital investigations. ForensicFocus. URL: http://www.forensicfocus.com/downloads/potential-impact-windows-vista.pdf Date of access: 25 August 2008.

HARRIS, G. 2008. US accuses Gary McKinnon of hacking crime. Times online. URL: technology.timesonline.co.uk/tol/news/tech_and_web/article4186428.ece Date of access: 25 June 2008.

HEISENBERG, W. 1930. Physikalische Prinzipien der Quantentheorie. Leipzig: Hirzel. English translation: The physical principles of quantum theory. Chicago, Ill.: University of Chicago Press.

HG.ORG. Worldwide Legal Directories. 2008. Criminal law: penal law. URL: http://www.hg.org/crime.html Date of access: 30 October 2008.

HILL, J. 2008. Some BU students’ social security info e-mailed to others. Pressconnects.com. URL: http://www.pressconnects.com/apps/pbcs.dll/article?AID=/20080317/NEWS01/803170361 Date of access: 25 March 2008.

HILLEY, S. 2007. Anti-forensics with a small army of exploits. Digital investigation, 4(1):13-15.

HOSMER, C. 2002. Proving the integrity of digital evidence with time. International journal of digital evidence, 1(1):1-7. URL: http://www.utica.edu/academic/institutes/ecii/publications/articles/9C4EBC25-B4A3-6584-C38C511467A6B862.pdf Date of access: 25 March 2008.

HULME, G. 2008. Medical records for 2500 study participants are stolen. Information week. URL: http://www.informationweek.com/blog/main/archives/2008/03/medical_records.html Date of access: 25 March 2008.

IACIS see INTERNATIONAL ASSOCIATION OF COMPUTER INVESTIGATIVE SPECIALISTS (IACIS)

ICRC see INTERNATIONAL COMMITTEE OF THE RED CROSS (ICRC)

IMDB see INTERNET MOVIE DATABASE (IMDB)

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 254 of 268 References

INFORMATION AGE. 2006. Court is in session. URL: http://www.information-age.com/articles/

284751/court-is-in-session.thtml Date of access: 23 June 2008.

INFORMATION PROVIDER TECHNOLOGIES. 2003. Ask the deacon. URL: http://www.infoprovider.

com/infobase/h.html Date of access: 30 June 2008.

INTERACTIVE ADVERTISING BUREAU. 2008. Glossary. URL: http://www.iab.net/resources/

glossary_d.asp Date of access: 24 June 2008.

INTERNATIONAL ASSOCIATION OF COMPUTER INVESTIGATIVE SPECIALISTS. 2007. IACIS, The

International Association of Computer Investigative Specialists. URL: http://www.cops.org/ Date of

access: 11 August 2008.

INTERNATIONAL COMMITTEE OF THE RED CROSS. 2005. International Humanitarian Law: Treaties

and documents. URL: http://www.icrc.org/ihl.nsf/WebART/585-22?OpenDocument Date of access: 15

January 2008.

INTERNATIONAL STANDARDS ORGANISATION. 2009. ISO/IEC JTC 1/SC 27 N7570. Text for ISO/IEC

1st WD 27037: Guidelines for identification, collection and/or acquisition and preservation of digital evidence.

Working draft.

INTERNET MOVIE DATABASE. 2008. Internet movie database. URL: www.imdb.com Date of

access: 28 November 2008.

INTERPOL. 2007. Cyber-crime. URL: http://www.interpol.int/Public/ICPO/FactSheets/FHT02.pdf Date

of access: 17 January 2008.

ISO see INTERNATIONAL STANDARDS ORGANISATION

JANES, S. 2000. The role of technology in computer forensic investigations. Information security

technical report, 5(2):43-50.

JISC LEGAL. 2005. IT law for FE and HE senior management. JISC Legal. URL: www.jisclegal.ac.

uk/pdfs/itlawforseniorman.pdf Date of access: 10 January 2008.

JONES, R. 2004. Your day in court: the role of the expert witness. Digital investigation,1(4):273-278.

JONES, R. 2007. Safer Live Forensic acquisition. University of Kent at Canterbury. URL: http://www.cs.

kent.ac.uk/pubs/ug/2007/co620-projects/forensic/report.pdf Date of access: 11 January 2008.

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 255 of 268 References

JONES, S. & FOX, S. 2009. Generations online in 2009. Pew Internet & American Life Project. URL:

http://www.pewinternet.org/~/media//Files/Reports/2009/PIP_Generations_2009.pdf Date of access: 17

August 2009.

KABAY, M.E. 2002. Salami fraud. Network World Fusion. URL: http://www.networkworld.com/

newsletters/sec/2002/01467137.html Date of access: 25 June 2008.

KJAERLAND, M. 2006. A taxonomy and comparison of computer security incidents from the commercial

and government sectors. Computers & security, 25(7):522-538.

KLAFF, T. 2008. An authentic challenge. Computer technology review. URL: http://www.wwpi.com/index.

php?option=com_content&task=view&id=4092&Itemid=44 Date of access: 23 June 2008.

KNPA see KOREAN NATIONAL POLICE AGENCY

KOREAN NATIONAL POLICE AGENCY. 2007. Criminal investigation. Korean National Police Agency.

URL: http://www.police.go.kr/KNPA/statistics/st_investingation_02.jsp Date of access: 1 April 2008.

KRUSE II, W.G. & HEISER, J.G. 2002. Computer forensics: incident response essentials. Boston,

Mass.: Addison-Wesley.

LANDON, T. 2006. The broker who fell to earth. New York Times. URL: http://www.nytimes.com/

2006/10/13/business/13martha.html?_r=1 Date of access: 18 August 2009.

LAUBSCHER, R., OLIVIER, M.S., VENTER, H.S., RABE, D.J. & ELOFF, J.H.P. 2005. Computer

forensics for computer-based assessment: the preparation phase. Pretoria: University of Pretoria. URL:

http://icsa.cs.up.ac.za/issa/2005/Proceedings/Research/100_Article.pdf Date of access: 16 January

2008.

LECTRIC LAW LIBRARY. 2005. The Lectric Law Library’s Lexicon on Precedent. URL: http://www.

lectlaw.com/def2/p069.htm Date of access: 30 October 2008.

LEIGLAND, R. & KRINGS, A.W. 2004. A formalisation of digital forensics. International journal of

digital evidence, 3(2):1-32.

LEXISNEXIS. 2007. Lorraine v. Markel: Electronic evidence 101. URL: http://lexisnexis.com/applied

discovery/LawLibrary/whitePapers/ADI_WP_LorraineVMarkel.pdf Date of access: 23 June 2008.

LEXISNEXIS. 2008. Preserving chain of custody in e-discovery. URL: http://www.lexisnexis.com/

applieddiscovery/clientResources/techTips9.asp Date of access: 25 February 2008.

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 256 of 268 References

LOUWRENS, C.P. 2009a. Introduction to computer forensics. Johannesburg: University of

Johannesburg. (Lecture notes: IT00027 Electronic Commerce A.)

LOUWRENS, C.P. 2009b. Forensic methodology. Personal interview on 22 July 2009. (Group Risk

Services.)

MAAT, S.M. 2004. Cyber crime: a comparative law analysis. Pretoria: University of South Africa. URL:

http://etd.unisa.ac.za/ETD-db/theses/available/etd-08172005-103637/unrestricted/00front.pdf Date of access:

14 January 2008.

MANDIA, K., PROSISE, C. & PEPE, M. 2003. Incident response & computer forensics. 2nd ed. New

York: McGraw-Hill.

MARKET SHARE. 2009. Operating system market share. URL: http://marketshare.hitslink.com/

operating-system-market-share.aspx?qprid=8&qptimeframe=Y&qpsp=2009&qpmr=100&qpdt=1&qpct=3

Date of access: 14 August 2009.

MARKOFF, J. 2008. Internet attacks grow more potent. New York Times. URL: http://www.

nytimes.com/2008/11/10/technology/internet/10attacks.html?_r=2&th=&oref=slogin&emc=th&pagewante

d=print&oref=slogin Date of access: 10 November 2008.

McMILLAN, R. 2008. Internet fraud dupes men more often than women. IDG News Service. URL:

http://www.pcworld.com/article/id,144129-page,1/article.html Date of access: 9 April 2008.

MD5. Computer forensic solutions. 2008. ProDiscover. URL: http://www.md5.uk.com/?page=

ProDiscover Date of access: 21 January 2008.

MICROSOFT. 2008a. How to read the small memory dump files that Windows creates for debugging.

URL: http://support.microsoft.com/kb/315263 Date of access: 2 April 2008.

MICROSOFT. 2008b. FAQ: Computer Online Forensic Evidence Extractor (COFEE). URL:

http://www. microsoft.com/industry/government/news/cofee_faq.mspx Date of access: 2 June 2008.

MICROSOFT DEVELOPER NETWORK. 2009. How to detect install is running on a VM? URL:

http://social.msdn.microsoft.com/Forums/en-US/winformssetup/thread/55bbcf5d-9396-4904-bc03-

b1c2d4647657 Date of access: 20 September 2009.

MIRRIAM-WEBSTER. 2008. Forensic. Merriam-Webster Online Dictionary. URL: http://www.

merriam-webster.com/dictionary/forensic Date of access: 4 September 2008).

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 257 of 268 References

MOBLEY, P.T. 2001. Computer forensics: the investigator’s perspective. (Black Hat Conference, Las

Vegas.) URL: http://www.blackhat.com/presentations/win-usa-01/Mobley/bh-win-01-mobley.ppt Date of

access: 23 July 2009.

MSDN see Microsoft Developer Network

MURR, M. s.a. Windows incident response: What is “forensically sound”? URL: http://windowsir.

blogspot.com/2006/08/what-is-forensically-sound.html Date of access: 4 August 2008.

MY OPERA. 2008. Microsoft device helps police pluck evidence from cyberscene of crime. URL:

http://my.opera.com/cwbywz/blog/show.dml/2062359 Date of access: 2 June 2008.

NAIDOO, N. 2008. Govt move on cyber fraud. URL: http://www.witness.co.za/?showcontent&global[_id]=

8853 Date of access: 25 June 2008.

NARE, S. 2008. Forensic methodology. Personal interview on 10 September 2008. (Cyber security

specialist.)

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST). 2003a. Hardware Write Blocker

Device (HWB) specification. National Institute of Standards and Technology. URL:

http://www.cftt.nist.gov/HWB-posted.pdf Date of access: 26 February 2008.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST). 2003b. Software write block

tool specification & test plan. National Institute of Standards and Technology. URL:

http://www.cftt.nist.gov/documents/SWB-STP-V3_1a.pdf Date of access: 26 February 2008.

NET INDUSTRIES. 2008. Frye v. United States. URL: http://law.jrank.org/pages/12871/ Frye-v-United-

States.html Date of access: 17 April 2007.

NETSCANTOOLS. 2008. NetBIOS info: basic tool description. URL: http://www.netscantools.com/

nstpro_netbios_info_basic.html Date of access: 3 April 2008.

NEWELL, M.W. 2005. Preparing for the Project Management professional certification exam. 3rd ed.

New York: American Management Association.

NEWS24. 2007. Huge growth in cyber crime. URL: http://www.news24.com/News24/South_Africa/

News/0,,2-7-1442_2220842,00.html Date of access: 7 April 2009.

NIKKEL, J. 2006. Improving evidence acquisition from live network sources. Digital forensics, 3(2):89-96.

NIST see NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 258 of 268 References

NMS FOUNDATION. 2007. Education project evaluation. URL: http://sanctuaries.noaa.gov/education/

evaluation/glossary.html Date of access: 23 April 2008.

NOVA. 2006. Glossary. Australian Academy of Science. URL: http://www.science.org.au/nova/092/

092glo.htm Date of access: 23 April 2008.

NYKODYM, N., TAYLOR, R. & VILELA, J. 2005. Criminal profiling and insider cyber crime. Digital

investigation, 2(4):261-267.

O’NEAL, M. 1997. GIMP plug-ins: blur and randomize. URL: http://www.rru.com/~meo/gimp/

randomize.html Date of access: 20 June 2008.

ORBITRON. 2007. New intelligent computer software that substantially improves crime and terrorism

detection. URL: http://www.orbitrontech.com/coplink.html Date of access: 17 March 2008.

PARALAN. 2007. Computer forensic protection: SCSI write blocker - models SR14A and SR15A.

SCSI forensics. URL: http://www.paralan.com/sr14.html Date of access: 26 February 2008.

PATI, P. 2003. Cyber crime. URL: http://www.naavi.org/pati/pati_cybercrimes_dec03.htm Date of

access: 15 January 2008.

PATRIOT MEMORY. 2009. Solid State Drives (SSD). Warp series SSD v2. URL: http://www.patriot

memory.com/products/groupdetailp.jsp?prodgroupid=83&prodline=8&group=Warp%20Series%20SSD

%20v2&catid=21 Date of access: 28 July 2009.

PAULI, D. 2008. Number of viruses to top 1 million by 2009. ComputerWorld Malaysia. URL:

http://computerworld.com.my/ShowPage.aspx?pagetype=2&articleid=7995&pubid=4&issueid=133

Date of access: 8 April 2008.

PC MAGAZINE. 2008. Definition of: memory dump. URL: http://www.pcmag.com/encyclopedia_term/

0,2542,t=memory+dump&i=46770,00.asp Date of access: 2 April 2008.

PEOPLE’S DAILY ONLINE. 2008. Uma Thurman stalker convicted of harassment. URL: http://english.

peopledaily.com.cn/90001/90782/6405835.html Date of access: 25 June 2008.

PEROLD, D. 2008. Methodology of building a model. Personal interview on 12 June 2008. (Principle

project manager.)

PHAIR, N. 2007. Behind the mask. URL: http://smallbusiness.smh.com.au/starting/legal/behind-the-

mask-901523903.html Date of access: 28 January 2008.

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 259 of 268 References

PLANET INDIA. 2001. Introduction to cyber crime. URL: http://cybercrime.planetindia.net/intro.htm

Date of access: 4 April 2008.

PMI EVIDENCE TRACKER. s.a. PMI Evidence Tracker. URL: http://www.evtracker.com Date of

access: 25 February 2008.

POLICEONE.COM. 2008. Volatility of digital evidence. http://www.evtracker.com: http://www.policeone.

com/police-products/investigation/tips/1655664-Volatility-of-digital-evidence/ Date of access: 27 July 2009.

POLLITT, M. & WHITLEDGE, A. 2006. Exploring big haystacks. (In Olivier, M. & Shenoi, S., eds.

International Federation for Information Processing: Advances in digital forensics, v. 2. New York:

Springer. p. 4.)

POPA, B. 2008. Arrested security flaw merchant comes back online - Roberto Preatoni brings

WabiSabiLabi back in the spotlights. URL: http://news.softpedia.com/news/Arrested-Security-Flaw-

Merchant-Comes-Back-Online-83142.shtml Date of access: 26 June 2008.

PRESERVATION101. 2006. Deterioration of film and electronic media. URL: http://www.

preservation101.org/session3/expl_iv_op-substrate.asp Date of access: 28 July 2009.

REDHAT. 2009. LINUX 9. Chapter 3. Redundant Array of Independent Disks (RAID). URL:

http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/ch-raid-intro.html Date of access:

29 July 2009.

ROBBINS, J. 1994. Federal guidelines for searching and seizing computers. The Bureau of National

Affairs Publication. Criminal law reports, 56(12), December 21. US Department of Justice. Criminal

Division. Office of Professional Development and Training.

ROCHA, S. 2006. For Laci. New York: Crown.

ROGERS, M.K. & SEIGFRIED, K. 2004. The future of computer forensics: a needs analysis survey.

Computers and security, 23(1):12-16.

ROMANO, BJ. 2008. Looking for answers on Microsoft’s COFEE device. Seattle Times. URL:

http://blog.seattletimes.nwsource.com/techtracks/2008/04/looking_for_answers_on_microsofts_cofee

_device.html Date of access: 2 June 2008.

RONDGANGER, L. 2008. Hacker with a conscience. URL: http://www.iol.co.za/index.php?from=

rss_Top%20Stories&set_id=1&click_id=13&art_id=vn20080703061212942C901462 Date of access: 23

January 2009.

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 260 of 268 References

RYAN, D.J. & SHPANTZER, G. 2005. Legal aspects of digital forensics. URL: http://www.sabcnews.

com/south_africa/crime1justice/0,2172,79940,00.html Date of access: 25 June 2008.

SABC NEWS. 2004. Joburg man found guilty of Edgars computer crash virus. URL:

http://www.forensics-intl.com/safeback.html Date of access: 22 January 2008.

SANETT, S. & PARK, E. 2002. Authenticity as a requirement of preserving digital data and records.

IASSIST quarterly, Winter. URL: http://iassistdata.org/publications/iq/iq24/iqvol241sanett.pdf Date of

access: 23 June 2008.

SAPS see SOUTH AFRICAN POLICE SERVICES

SCALET, S.D. 2005. How to keep a digital chain of custody. URL: http://www.csoonline.com/read/

120105/ht_custody.html Date of access: 25 February 2008.

SETH, K. 2007. Cyber crimes and the arm of law: an Indian perspective. URL: http://www.Seth

associates.com/pdfs/Presentation-cyst%202007-final.ppt#257, 1, Cyber security and threats- CyST’2007

Date of access: 28 January 2008.

SEVASTOPULO, D. 2007. Chinese hacked into Pentagon. URL: http://www.ft.com/cms/s/

0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html?nclick_check=1 Date of access: 28 November 2008.

SHARMA, S. 2008. Will technology take over the world? Available from: http://www.helium.com/

items/270830-will-technology-take-over-the-world Date of access: 28 November 2008.

SHELAR, J. 2007. Cyber crime cases prove a virtual waste. Daily news analysis. URL: http://www.

dnaindia.com/report.asp?newsid=1141488 Date of access: 17 January 2008.

SHELTON, D.E. 2006. Technology, popular culture, and the court system: strange bedfellows? In

National Center for State Courts. Future trends in State Courts. p. 63-66.

SHEMA, M. & JOHNSON, B.C. 2004. Anti-hacker toolkit. 2nd ed. New York: McGraw-Hill.

SHINDER, D.L. 2002. Scene of the cybercrime: computer forensics handbook. Rockland, Mass.:

Syngress Media.

SIGCSE see SPECIAL INTEREST GROUP ON COMPUTER SCIENCE EDUCATION (SIGCSE)

SOUTH AFRICA. 2002. Electronic Communications and Transactions Act, No. 25 of 2002.

Government Gazette URL: http://www.info.gov.za/view/DownloadFileAction?id=68060 Date of access:

11 August 2009.

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 261 of 268 References

SOUTH AFRICAN POLICE SERVICES (SAPS). 2007. Learning programme - division training:

investing in human capital. Module 1: Cyber forensic first responder learner guide. Pretoria: SAPS.

SPAFFORD, E. 2006. Some challenges in digital forensics. (In Olivier, M. & Shenoi, S., eds.

International federation for information processing: advances in digital forensics, 2. New York: Springer.

p. 4.)

SPECIAL INTEREST GROUP ON COMPUTER SCIENCE EDUCATION (SIGCSE). 2001. Overview of

the CS body of knowledge. ACM Special Interest Group on Computer Science Education. URL:

http://www.sigcse.org/cc2001/cs-overview-bok.html Date of access: 10 November 2008.

STEVENS, M.W. 2004. Unification of relative time frames for digital forensics. Digital investigation,

1(3):225-239.

STIENNON, R. 2007. What’s driving cyber crime? URL: http://www.esecurityplanet.com/article.

php/3664861 Date of access: 8 April 2009.

STIMMEL, C.L. 2008. Best practices for computer forensics in the field. URL: http://ezinearticles.com/?

Best-Practices-for-Computer-Forensics-in-the-Field&id=124243 Date of access: 10 January 2008.

STOCKDALE, J.E. & GRESHAM, P.J. 1995. The presentation of police evidence in court. Home Office

Police Research Group. London: Crown. (Police Research Series, paper 15.)

SWATKAT. 2005. Swatkat’s rants. URL: http://swatrant.blogspot.com/2005/12/notmyfault-fault-maker.

html Date of access: 2 April 2008.

TAUB, E.A. 2006. Deleting may be easy, but your hard drive still tells all. New York Times News

Service. URL: http://www.theglobeandmail.com/servlet/story/RTGAM.20060406.gtforensicapr6/BNStory/

Technology/ERIC+A.+TAUB Date of access: 17 March 2008.

TAYLOR, C., ENDICOTT-POPOVSKY, B. & FRINCKE, D.A. 2007. Specifying digital forensics: a

forensics policy approach. Digital investigation, 4, Suppl. 1:101-104.

TEATHER, D. 2002. Melissa virus creator jailed. URL: http://www.guardian.co.uk/technology/2002/

may/02/viruses.security Date of access: 25 June 2008.

TICEHURST, J. 2000. Cyber criminals are getting away with it. URL: http://www.vnunet.com/vnunet/

news/ 2114242/cybercriminals-getting-away Date of access: 7 April 2008.

TRAYNOR, I. 2007. Russia accused of unleashing cyberwar to disable Estonia. URL: http://www.

guardian.co.uk/world/2007/may/17/topstories3.russia Date of access: 28 November 2008.

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 262 of 268 References

TRENCH, R.L. 1994. Chain of custody: keeping track of property and evidence. International association

for property and evidence, Inc. Evidence Log, 94(4).

UMBC see UNIVERSITY OF MARYLAND. Baltimore County.

UNIBLUE. 2007. cmd.exe - cmd - process information. URL: http://www.liutilities.com/products/wintasks

pro/processlibrary/cmd/ Date of access: 3 April 2008.

UNITED STATES COMPUTER EMERGENCY RESPONSE TEAM (US-CERT). 2005. Computer forensics.

URL: http://www.us-cert.gov/reading_room/forensics.pdf Date of access: 20 March 2008.

UNITED STATES COMPUTER EMERGENCY RESPONSE TEAM (US-CERT). 2007. Quarterly trends

and analysis report. URL: http://www.us-cert.gov/press_room/trendsandanalysisQ107.pdf Date of

access: 17 January 2008.

UNIVERSITY OF EDINBURGH. 2004. Electronic records and legal admissibility. URL: http://www.

recordsmanagement.ed.ac.uk/InfoStaff/RMstaff/LegalAdmiss/legaladmiss.htm Date of access: 23 June

2008.

UNIVERSITY OF MARYLAND. Baltimore County (UMBC). 2008. What is an Information System (IS).

University of Maryland, Baltimore County. URL: http://www.is.umbc.edu/aboutIS.asp Date of access:

10 November 2008.

USBORNE, D. 1996. US takes on the ‘cyber-terrorists’. BNET Business Network. URL:

http://findarticles.com/ p/articles/mi_qn4158/is_19960607/ai_n14048381 Date of access: 26 June 2008.

US-CERT see UNITED STATES COMPUTER EMERGENCY RESPONSE TEAM (US-CERT)

VAMOSI, R. 2008. Microsoft serves law enforcement free COFEE. URL: http://news.cnet.com/ 8301-

10789_3-9932600-57.html Date of access: 2 June 2008.

VIDAS, T. 2006. Forensic Analysis of Volatile Data Stores. CERT Conference. URL: http://www.

certconf.org/presentations/2006/files/RB3.pdf Date of access: 27 March 2008.

WANG, Y., CANNADY, J. & ROSENBLUTH, J. 2005. Foundations of computer forensics: a technology

for the fight against computer crime. Computer law & security report, 21:119-127.

WATSON, L.M. 2004. Anticipating electronic discovery in commercial cases: a guide for corporate and

in-house counsel. Michigan bar journal, May. URL: http://www.michbar.org/journal/pdf/pdf4article702.pdf

Date of access: 18 March 2008.

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 263 of 268 References

WEISE, J. & POWELL, B. 2005. Using computer forensics when investigating system attacks. URL:

http://www.sun.com/blueprints Date of access: 27 February 2008.

WHITE, S. 2005. A brief history of computing: operating systems. URL: http://trillian.randomstuff.

org.uk/~stephen/history/timeline-OS.html Date of access: 14 August 2009.

WIKIPEDIA. 2008. Abstract model. Wikipedia, the free encyclopaedia. URL: http://en.wikipedia.

org/wiki/Model_ (Abstract.) Date of access: 23 April 2008.

WIKIRANK. 2009. Optical media preservation. URL: http://wikirank.com/en/Optical_media_ preservation

Date of access: 28 July 2009.

WIKTIONARY. 2008. Rootkit. URL: http://en.wiktionary.org/wiki/rootkit Date of access: 30 July 2009.

WILDING, E. 2002. Caught red handed: you can shred but you can’t hide. Computer fraud & security.

2002(8):4-5.

WILLIAMS, P. 2006. MySpace, Facebook attract online predators: experts say be careful what you

post online – somebody is always watching. Nightly News. URL: http://www.msnbc.msn.com/

id/11165576/ Date of access: 15 December 2008.

WOOD, S.W. 2008. A forensic computing framework to fit any legal system. (4th International

Conference on IT Incident Management & IT Forensics, 23-25 September 2008. Mannheim, Germany.)

WORDNET. 2008. Model. URL: http://wordnet.princeton.edu/perl/webwn Date of access: 23 April

2008.

WORDNET. 2009a. Dimension. URL: http://wordnetweb.princeton.edu/perl/webwn?s=dimension Date

of access: 6 January 2009.

WORDNET. 2009b. Escrow. URL: http://wordnetweb.princeton.edu/perl/webwn?s=escrow Date of

access: 28 July 2009.

Liforac - A Model For Live Forensic Acquisition

Martha Maria Grobler 264 of 268 Publications and Presentations

Publications and Presentations

1 Goodbye Columbo, hallo cyber cops....

Author(s): Barry Bateman (Photo: Etienne Creux)

Date: 27 August 2008

Type: Pretoria News article, p2

http://hdl.handle.net/10204/2761

ISBN: 9771016365001

Abstract: Council for Scientific and Industrial Research cyber security researcher Marthie Lessing¹ explains in her doctoral paper the difference between “dead” and “live” forensics.

2 Live Forensic Acquisition as Alternative to Traditional Forensic Processes

Author(s): Marthie Lessing (presenter), Basie von Solms

Date: 23 – 25 September 2008

Type: Conference

Mannheim, Germany: IT Management and IT Forensics (Refereed and Published).

Presentation (TOdB Pub number: CSIR/DPSS/S&S/EXP/2008/0036/A)

ISBN: 978-3-88579-234-5

Abstract: The development of live forensic acquisition in general presents a remedy for some of the problems introduced by traditional forensic acquisition. However, live forensic acquisition introduces a variety of additional problems, unique to this discipline. This paper presents current research with regard to the forensic soundness of evidence retrieved through live forensic acquisition. The research is based on work done for a PhD in Computer Science at the University of Johannesburg.

3 Using the dead to create a live model: digital forensics in comparison

Author(s): Marthie Lessing (presenter), Prof SH von Solms

Date: 14 October 2008

Type: Project Day

Auckland Park, South Africa: University of Johannesburg Information Technology Project Day

Poster (TOdB Pub number: CSIR/DPSS/S&S/EXP/2008/0403/A)

¹ The author’s maiden name is Lessing, changed in March 2009 to Grobler.


4 The advantage of live (connected) acquisition of forensic digital data over the traditional dead (disconnected) acquisition of forensic digital data

Author(s): MM Lessing (presenter)

Date: 31 October 2008

Type: Symposium

Auckland Park, Johannesburg: Die Suid-Afrikaanse Akademie vir Wetenskap en Kuns, Studentesimposium 2008

Presentation (TOdB Pub number: CSIR/DPSS/S&S/EXP/2008/0404/A)

Abstract: Digital Forensics involves specialist techniques for copying forensic data from one computer to another, so that it can be presented as evidence in a court of law. Experts propose two possibilities: dead (disconnected) forensic and live (connected) forensic methods.

Dead forensic methods focus on acquiring electronic evidence from a powered-off computer. This technique ensures that the investigator can make a complete copy of the hard disk, without the possibility of data changes. Live forensic methods are a newer, controversial technique in which the investigator works physically on a powered-on computer. The investigator can copy the computer’s random access memory (RAM), but this opens the possibility of unintended data changes.

Live forensics was originally developed to overcome the problems that dead forensics brings with it. Although this technique is much more difficult to apply successfully, the electronic evidence obtained is far more extensive. Preliminary research appears to favour the advancement of live forensics.

5 Between life and death: problems with live forensics between life and death

Author(s): Marthie Lessing (presenter)

Date: 12 - 13 November 2008

Type: Keynote address

Johannesburg, South Africa: Practicing Innovation in Digital Forensics Management

Keynote address (TOdB Pub number: CSIR/DPSS/S&S/EXP/2008/0413/A)

6 Modelling Live Forensic Acquisition

Author(s): MM Grobler (presenter), SH von Solms

Date: 25 – 26 June 2009

Type: Conference

University of Piraeus, Greece: Workshop on Digital Forensics & Incident Analysis – WDFIA 2009 (Refereed and Published)

Presentation (TOdB Pub number: CSIR/DPSS/CCIW/EXP/2009/0015/A)

ISBN: 978-1-84102-230-7

Abstract: This paper discusses the development of a South African model for Live Forensic Acquisition - Liforac. The Liforac model is a comprehensive model that presents a range of aspects related to Live Forensic Acquisition. The model provides forensic investigators with guidelines on how to proceed during an investigation. It provides forensic investigators with a robust foundation to understand what needs to happen during an investigation, the order in which these actions need to take place and the reasoning behind these actions. It supports forensic soundness.

7 A Best Practice Approach to Live Forensic Acquisition

Author(s): MM Grobler (presenter), SH von Solms

Date: 6 – 8 July 2009

Type: Conference

Johannesburg, South Africa: ISSA (Refereed and Published)

Presentation (TOdB Pub number: CSIR/DPSS/CCIW/EXP/2009/0016/A)

ISBN: 978-1-84102-230-7

Abstract: The development of the Live Forensic discipline instigates the development of a method that allows forensically sound acquisition to stand fast in a court of law. The study presents the development of a comprehensive model for forensically sound Live Forensic Acquisition, the Liforac model.

The Liforac model presents a number of concepts that are already available within the Cyber Forensics discipline, combined as a single document. It composes four distinct dimensions: Laws and regulations, Timeline, Knowledge and Scope. These dimensions combine to present a wide-ranging model to guide First Responders and forensic investigators in acquiring forensically sound digital evidence. The dimensions were identified as part of an intense research study on the current application of Live Forensics and the associated problems and suggested controls.

The Liforac model is an inclusive model that presents all aspects related to Live Forensic Acquisition, suggesting ways in which a Live Forensic Acquisition should take place to ensure forensic soundness. At the time of writing, this Liforac model is the first document of this nature that could be found for analysis. It serves as a foundation for future models that can refine the current processes.


8 ISO/IEC 27037: Guidelines for identification, collection and/or acquisition and preservation of digital evidence

Co-editor(s): Marthie Grobler and Sivanathan Subramaniam

Date: Planned publication in 2011

Type: International standard still under development

http://www.iso.org/iso/catalogue_detail.htm?csnumber=44381

Version: ISO/IEC JTC 1/SC 27/WG 4 N47570

Abstract: In responding to serious information security incidents, a post-event response is required to investigate the incidents. The investigation process emphasizes the integrity of the digital evidence and the right procedure for obtaining the digital evidence, to ensure its admissibility for its intended purposes.

Due to the fragility of digital evidence, a proper procedure needs to be carried out with due care to ensure that the integrity of its evidentiary value is preserved. Key components that give credibility to the investigation are the methodology applied during the process and individuals who are qualified to perform the tasks using that methodology. There should be a proper procedure in place to ensure that the practice is credible, and that the individuals performing the tasks have met certain certification criteria.

It becomes a great concern to many when incidents occur that involve cross-border jurisdictions. This has prompted the development of this International Standard, to be used not only for legal proceedings, but also for disciplinary procedures and other related purposes in handling digital evidence.

This International Standard provides guidance for individuals, namely digital evidence first responders, who perform required tasks in the investigation, including identifying, collecting and/or acquiring and preserving digital evidence. This International Standard is relevant to ensuring that digital evidence is managed in acceptable and practical ways that are accepted worldwide, with the objective of preserving its integrity.

This standard should not replace the specific legal requirements of a particular jurisdiction. Instead, this standard may serve as a practical guideline for Digital Evidence First Responders in investigations involving digital evidence and may facilitate the exchange of digital evidence between jurisdictions.

The International Standard will not mandate the use of particular tools or methods. It also does not include matters pertaining to the analysis of digital evidence, or the weight, admissibility, relevance, and other judicially-controlled limitations on the use of digital evidence in courts of law.

This proposed standard complements ISO/IEC 27001 and ISO/IEC 27002, and in particular the control requirements concerning digital evidence acquisition, by providing additional implementation guidance. In addition, the standard will have applications in contexts independent of ISO/IEC 27001 and ISO/IEC 27002.


9 Fusing business, science and law: presenting digital evidence in court

Author(s): MM Grobler, SH Von Solms

Date: November 2009

Type: Journal

Source: Journal of Contemporary Management, Vol. 6

Pages: 375-389

ISSN: 1815-7440

Index: Sabinet Online

Abstract: With the explosion of digital crime, science becomes more frequently applied in court. Criminals are exploiting the same technological advances that have helped Law Enforcement to progress; these exploits are often at the expense of businesses. The purpose of the article is to make business managers aware of the intricate relationship between business, science and the law.

Businesses are regularly the target of digital crime and should be proactive in their forensic readiness. Scientists often present the evidence themselves, and need to be comfortable explaining technical principles to non-technical individuals. The legal system needs to fairly arbitrate crime and presented evidence, integrating both business and scientific principles to ensure a fair ruling. It is necessary to bridge the gap between these disciplines to ensure the successful presentation of digital evidence in court.

Digital Forensics is a contemporary management issue that should be embraced as a vantage point within the business world. It is not only IT specialists that can be called to testify on digital incidents in a court of law, but any manager or senior employee, and these individuals should be adequately prepared for this. Business, science and law should therefore find a compromise to ensure that the presentation of digital evidence in court benefits all the disciplines involved.