Liforac - A Model For Live Forensic Acquisition
Liforac - A Model For Live Forensic
Acquisition
Thesis
by
MARTHA MARIA GROBLER
M.Sc (Computer Science)
920200354
Submitted in fulfilment of the requirements
for the degree
PHILOSOPHIAE DOCTOR
in
COMPUTER SCIENCE
in the
Faculty of Science
at
UNIVERSITY OF JOHANNESBURG
Promoter: Prof. S.H. von Solms
Co-promoter: Prof. C.P. Louwrens
Johannesburg
October 2009
Ago forensis substantia:
Quis lex ought futurus distinctus ex quis lex est –
id est, onus of suggero res sileo super a vir per persona
auctorita decerno modus operandi scelestus.
Is est expertus ut, corpus delicti destituo digital detritus
actus reus ad infinitum.
Per curiam villa postulo testimonium futurus fundo exigo
ab origine, utriusque mortuus forensis et ago forensis,
demonstro actus reus.
Technologi postulo flagrante delicto quesitio,
no possible per ago forensis, indicia testimonium in situ.
Is sino satis clavis aurea demonstra theca in villa.
Mortui vivos docent - quieta non movere quod omnia
mutantur, nihil interit. Nemo est supra legis!
(The essence of Live Forensics: Laws are changing – authorities need to work hard to
prove the ways in which crimes are committed. It is inevitable that cyber criminals leave
permanent digital footprints of the crimes they commit. To prove these crimes, the court
of law requires that evidence should be copied exactly from the source, in both Dead
Forensics and Live Forensics. Technology requires the investigation technique of Live
Forensics, actively finding evidence in its original destination. This allows for sufficient
discovery of hidden data to prove the case in court. Let the dead teach the living -
don't modify data because this may affect your case. Nobody is above the law!)
* The translation is deemed to be indicative of the thesis content and is not an academic true translation of the Latin text.
Acknowledgements
Thank you…
My promoter Prof von Solms, for your guidance and incredible knowledge through all my
postgraduate studies. It has really been a pleasure to work with you.
My co-promoter Prof Louwrens, for your technical expertise and enthusiasm that originally got me
interested in Digital Forensics.
My husband PC, for your never ending love, support, motivation and creative ideas. You are my
inspiration.
My parents, for years of support and guiding me in my pursuit for academic excellence. Thank you
for the continuous advice and motivation.
My parents in law, for supporting my studies and keeping me motivated.
My brother, sister and their families, for your consistent motivation.
My colleagues at the CSIR: Danie Perold, Simon Nare, Jaco Robertson, Barend Taute, Erna
Meyer, Paul de Kock and Joey Jansen van Vuuren for forensic, technical, engineering and research
help, advice, examples and moral support.
Rudi Coetzee, for your expert knowledge and assistance with technical detail.
Elsa Volschenk from Spiraleye Studios for helping with the animation and graphical requirements.
Minette Lubbe and Modisana Hlomuka for assisting with the original ideas for the graphical interface.
Prof Ansie Lessing, professor in Educational Studies from UNISA for language editing.
Prof Casper Lessing, emeritus professor and Director: Library Services from Potchefstroom
University for Christian Higher Education for helping with the bibliography and references.
Mrs van den Berg from the Faculty of Science, for answering all my questions and double-checking
university policies and regulations.
Liforac - A Model For Live Forensic Acquisition
Martha Maria Grobler i 920200354
Table of Contents
Table of Contents, p. i
List of Figures, p. ii
Tables, p. iv
Table of Contents – Accompanying CD (AutoRun), p. v
Acronyms, p. vi
Terminology, p. viii
Chapter 1: Liforac – A Model For Live Forensic Acquisition, p. 1
Part 1: Setting the Scene, p. 4
Chapter 2: Introduction, p. 5
Chapter 3: The Digital Forensic Discipline, p. 17
Part 2: Live Forensic Acquisition, p. 48
Chapter 4: Forensic Tools, p. 51
Chapter 5: Current Application of Live Forensics, p. 63
Chapter 6: Forensically Sound Live Acquisition Admissible in Court, p. 86
Part 3: Digital Forensics and the Judicial System, p. 99
Chapter 7: Cyber Crime and Criminals, p. 101
Chapter 8: Cyber Crime Legal Aspects, p. 118
Part 4: The Possibility of Sound Live Forensic Acquisition, p. 136
Chapter 9: Building a Model, p. 139
Chapter 10: Laws and Regulations Dimension, p. 151
Chapter 11: Timeline Dimension, p. 170
Chapter 12: Knowledge Dimension, p. 202
Chapter 13: Scope Dimension, p. 212
Chapter 14: Presenting the Final Liforac model, p. 231
Chapter 15: Closure, p. 241
References, p. 248
Publications and Presentations, p. 264
List of Figures
Figure 1-1: Parts of the Liforac model development study, p. 3
Figure Part 1-1: Part 1 of the Liforac model development study, p. 4
Figure 2-1: The Liforac model interface, p. 8
Figure 2-2: Objectives of the study, p. 9
Figure 2-3: Liforac model progress, p. 14
Figure 2-4: Liforac model development roadmap, p. 15
Figure 3-1: Liforac model progress - Digital Forensic discipline (a), p. 17
Figure 3-2: Dead Forensic Acquisition, p. 21
Figure 3-3: Live Forensic Acquisition, p. 26
Figure 3-4: Digital Forensic Acquisition Checklist, p. 32
Figure 3-5: The generic Forensic Acquisition process, p. 33
Figure 3-6: Protecting a dead system from data modification, p. 36
Figure 3-7: Protecting a live system from data modification, p. 37
Figure 3-8: Chain of custody log, p. 39
Figure Part 2-1: Part 2 of the Liforac model development study, p. 48
Figure 4-1: Liforac model progress - Digital Forensic discipline (b), p. 51
Figure 4-2: Operating System market share, p. 52
Figure 4-3: Forensic investigation tools, toolkits and tool suites, p. 53
Figure 5-1: Liforac model progress – Current Live Forensic techniques, p. 63
Figure 5-2: Practical problems associated with Live Forensics, p. 67
Figure 5-3: Example image, p. 70
Figure 5-4: Example slurred image, p. 70
Figure 5-5: Screenshot - Windows My Computer Properties, p. 76
Figure 5-6: Screenshot - Windows My Computer Properties Advanced Properties, p. 76
Figure 5-7: Screenshot – NotMyFault, p. 77
Figure 5-8: The Tribble development environment, p. 80
Figure 6-1: Liforac model progress - Identify sound forensic techniques, p. 86
Figure Part 3-1: Part 3 of the Liforac model development study, p. 99
Figure 7-1: Liforac model progress - Crimes and criminals, p. 101
Figure 8-1: Liforac model progress - Laws, p. 118
Figure Part 4-1: Part 4 of the Liforac model development study, p. 136
Figure 9-1: Liforac model progress - Model development, p. 139
Figure 9-2: Generic Liforac model, p. 141
Figure 9-3: Relation between Liforac model building blocks, p. 143
Figure 10-1: Focusing on the Laws and regulations dimension, p. 151
Figure 10-2: Laws and regulations dimension, p. 152
Figure 10-3: Laws and regulations sub dimensions and respective drivers presented within the Liforac model, p. 157
Figure 10-4: Drivers of the common crime laws, p. 159
Figure 10-5: Drivers of the specific cyber crime laws, p. 163
Figure 10-6: Drivers of the court cases and precedents, p. 165
Figure 10-7: Drivers of the definition of court admissibility, p. 167
Figure 11-1: Focusing on the Timeline dimension, p. 170
Figure 11-2: Timeline dimension, p. 171
Figure 11-3: Liforac model implied processes, p. 175
Figure 11-4: Liforac model explicit processes, p. 178
Figure 11-5: Liforac model process flow, p. 179
Figure 11-6: Liforac model process flow indicating timeframes, p. 180
Figure 11-7: Before the Live Forensic Acquisition timeframe, p. 181
Figure 11-8: During the Live Forensic Acquisition timeframe, p. 188
Figure 11-9: After the Live Forensic Acquisition timeframe, p. 194
Figure 11-10: Complete process flow of Live Forensic investigation, p. 199
Figure 12-1: Focusing on the Knowledge dimension, p. 202
Figure 12-2: Knowledge dimension, p. 203
Figure 12-3: Knowledge components and important aspects regarding each component presented within the Liforac model, p. 207
Figure 13-1: Focusing on the Scope dimension, p. 212
Figure 13-2: Scope dimension, p. 213
Figure 13-3: Scope components and drivers presented within the Liforac model, p. 216
Figure 13-4: Controls for accessing the machine, p. 219
Figure 13-5: Controls for OS dependency, p. 220
Figure 13-6: Controls for data modification, p. 221
Figure 13-7: Controls for ensuring authenticity, p. 227
Figure 13-8: Controls for OS dependency, p. 228
Figure 14-1: The Liforac model development study, p. 231
Figure 14-2: Screenshot - Main menu of the Liforac study accompanying CD, p. 232
Figure 14-3: Screenshot - Menu options for Study overview, p. 233
Figure 14-4: Screenshot - Menu option for Forensic tools, p. 234
Figure 14-5: Screenshot - Menu option for WITSA report, p. 234
Figure 14-6: Screenshot - Menu options for Legislation, p. 235
Figure 14-7: Screenshot - Menu option for Presenting evidence, p. 236
Figure 14-8: Screenshot - Menu option for Liforac model, p. 236
Figure 14-9: Screenshot - Menu options for Publications, p. 237
Figure 14-10: Screenshot - Menu options for Presentations, p. 238
Figure 14-11: Screenshot - Menu option for Glossary, p. 238
Tables
Table 2-1: Project deliverables, p. 12
Table 3-1: Comparing Dead and Live Forensics, p. 30
Table 3-2: Handling and preservation guidelines for digital evidence media, p. 41
Table 3-3: Storage guidelines for digital evidence media, p. 44
Table 4-1: Forensic abilities of investigation tools, toolkits and tool suites, p. 54
Table 5-1: Currently applied techniques for Live Forensic Acquisition, p. 83
Table 7-1: Cyber crime statistics by type, p. 108
Table 7-2: Cyber crime classification, p. 108
Table 8-1: Comparison of activities in the discussed models, p. 131
Table 8-2: Mapping Ciardhuáin’s processes on the Liforac processes, p. 132
Table 9-1: Summary of identified drivers, p. 143
Table 10-1: Identified drivers on the Laws and regulations dimension, p. 153
Table 10-2: Drivers applicable to sub dimension 1, p. 158
Table 10-3: Drivers applicable to sub dimension 2, p. 160
Table 10-4: Drivers applicable to sub dimension 3, p. 164
Table 10-5: Drivers applicable to sub dimension 4, p. 166
Table 11-1: Summary of identified drivers on the Timeline dimension, p. 172
Table 11-2: Digital Forensic equipment needed during a Live Forensic investigation, p. 186
Table 11-3: Evidentiary artefacts to retrieve during Live Forensic investigation, p. 192
Table 11-4: Guidelines for transporting evidence securely, p. 198
Table 12-1: Summary of identified drivers on the Knowledge dimension, p. 205
Table 13-1: Summary of identified drivers on the Scope dimension, p. 214
Table 15-1: Critical appraisal of the Liforac model development, p. 242
Table of Contents – Accompanying CD (AutoRun)
1. Study overview
2. Forensic tools
3. WITSA report
4. Legislation
5. Presenting evidence
6. Liforac model
7. Publications
8. Presentations
9. Glossary
Acronyms
AFIS Automated Fingerprint Identification System
API Application Programming Interface
ARP Address Resolution Protocol
ATA Advanced Technology Attachment
BIOS Basic Input Output System
CERT Computer Emergency Response Team
CIO Chief Information Officers
CMOS Complementary Metal Oxide Semiconductor
COFEE Computer Online Forensic Evidence Extractor
CSIR Council for Scientific and Industrial Research
CSIRT Computer Security Incident Response Team
DCO Device Configuration Overlay
DDoS Distributed Denial of Service
DFRWS Digital Forensics Research Workshop
DMA Direct Memory Access
DNA Deoxyribonucleic Acid
DoS Denial of Service
DSA Digital Signature Algorithm
ECPA Electronic Communications Privacy Act
ECT Electronic Communications and Transactions Act
FBI Federal Bureau of Investigation
FTK Forensic Toolkit
HIPAA Health Insurance Portability and Accountability Act
HPA Hardware Protected Areas
IDE Integrated Development Environment
IIP Information Infrastructure Protection
IIS Internet Information Services
IP Intellectual Property
IP Internet Protocol
IRC Internet Relay Chat
ISP Internet Service Provider
JTAG Joint Test Action Group
KFF Known File Filter
KNPA Korean National Police Agency
Liforac Live Forensic Acquisition
MAC Media Access Control
NET No Electronic Theft Act
NIST National Institute of Standards and Technology
OS Operating System
PCMCIA Personal Computer Memory Card International Association
PGP Pretty Good Privacy
POTS Plain Old Telephone Service
RAID Rapid Action Imaging Device
RAID Redundant Array of Independent Disks
RIPA Regulation of Investigatory Powers Act
RSA Rivest-Shamir-Adleman
SOX Sarbanes-Oxley Act
UPS Uninterruptible power supply
VESDA Very Early Smoke Detection Alarm
VOIP Voice Over Internet Protocol
VPN Virtual Private Network
WITSA World Information Technology and Services Alliances
Terminology
acquisition: Acquisition is the act of assuming possession of something or obtaining control of an object. It is the means to bring outside information into an analysis system. In this regard, forensic investigators take control of a suspect machine, attaining all possible information about the system. The Acquisition process is an extension of the Collection stage, including additional aspects such as the chain of custody, transport and storage.
analysis: Analysis is an investigation of the component parts of a whole and their relations in making up the whole. When faced with a complex topic, analysis is a systematic process of simplifying the topic to gain a better understanding of it. In the forensic sense, an analysis breaks down a complex crime scene into simpler terms where it is possible to identify the cyber criminals.
collection: The verb collecting refers to seeking and locating items of interest. In the forensic sense, the Collection stage is the search and seizure activity where forensic investigators enter a crime scene, look for evidence and gather it.
Digital Forensics: Digital Forensics is the process of copying and analysing data from a computer in a forensic manner. This discipline includes all activities from gathering the hardware that needs to be copied, examining and analysing the data, and presenting a report to an authoritative board regarding the discoveries. Digital Forensics is an investigative technique that applies scientific and analytical techniques to computer systems in determining the potential for legal evidence (Mobley 2001:2). It enables organisations to gather reliable evidence from a mass of organisational information.
investigation: An investigation is an inquiry into unfamiliar or questionable activities, done in an orderly way to ensure thoroughness. An investigation usually implies the transgression of either a law or a procedure.
methodology: A methodology refers to the systematic study of methods followed in a particular discipline. It is generally a collection of methods, practices, procedures and rules used and implemented by groups and individuals that work in the same field. The methodology includes the methods, procedures and techniques used to collect and analyse given information.
search and seizure: Search and seizure is a legal procedure used in many civil and common law legal systems. It grants police and First Responders the necessary authority to search a person’s property and confiscate any evidence relevant to the crime.
Chapter 1: Liforac – A Model For Live Forensic Acquisition
“If we cannot reengineer our information infrastructure to be completely protected, then we need to address the problems of cyber crime and abuse after they occur: by investigation and corrective action, including application of remedial measures, as well as legal and administrative sanctions.”
- Eugene Spafford
This study discusses the development of a model for Live Forensic Acquisition - Liforac. The Liforac
model is a wide-ranging model that presents many of the most important aspects related to Live Forensic
Acquisition, suggesting ways in which such an acquisition should take place to ensure forensic soundness.
The study presents information on a relatively new field of expertise. The development of the Live
Forensic discipline and the Live Forensic Acquisition technique calls for a method that allows a
forensically sound acquisition to stand fast in a court of law. The development of this discipline
revolves around changes in technology aimed at making it more difficult for criminals to hack into
systems and misuse information. These changes also make it more difficult to crack system passwords
or to retrieve data that was accidentally overwritten (e.g. Windows Vista overwrites any deleted data, unlike
earlier operating systems (OS) that only overwrite the link to the data).
This study considers the Digital Forensic discipline, forensic tools, practical problems experienced during
acquisition, legal aspects and cyber crimes. It also looks at technology advances that eradicate the use
of Dead Forensic Acquisition and promote the use of Live Forensic Acquisition. The study finally
presents a comprehensive model for forensically sound Live Forensic Acquisition. By no means is this
model a comprehensive representation of the entire field, but only a depiction of some of the most
relevant aspects of this discipline. The Liforac model is not a flawless new invention, nor so technically
advanced that only technologically adept people can understand its intricacies. It presents a number of
technical and non-technical concepts that are already available within the Digital Forensic and Live
Forensic discipline, as a single easy-to-understand document. This model is not a mandate for forensic
investigators, but a guideline for best practice.
As is the case in many developing disciplines, there are not many scientific publications in the emerging
Digital Forensic field. Therefore, many of the references are either Internet-based or personal interviews.
Digital Forensics, and specifically the specialised Live Forensic discipline, is not yet well established
within the security field. Since the printed resources on this subject are very limited, most of the references cited in
this research are in the electronic realm and classify as blogs or online newspaper articles. These
sources are among the very limited information available and present the opinions of individuals that have
experience with Digital Forensics, Live Forensics or cyber crime. Furthermore, many forensic practices
have already been adopted internationally, but are not currently used extensively in South Africa.
At the time of this research project, the author is employed at the Council for Scientific and Industrial
Research (CSIR) as Cyber Security Specialist. Her primary role is to investigate the Live Forensic
discipline as a potential research niche for her department. This research project evolved into the
development of the Liforac model. To fulfil this role the author integrated research findings from the
literature, the Internet and personal interviews with knowledgeable and critical peers to inductively build the
model and present the results as a thesis. The author concurrently acted as a project manager with
regard to research on Live Forensics and the findings of this study.
The author acts as co-editor for the international standard ISO/IEC 27037: Guidelines for identification,
collection and/or acquisition and preservation of digital evidence. She applies knowledge gained through
research for this thesis as expert knowledge in the capacity of co-editor. Technical aspects from the
thesis contribute to the technical quality and capability of ISO 27037. The author also contributed
sections on the handling and preservation of digital evidence during the acquisition process and the
process flows of the acquisition, as researched for this thesis. The content of this standard overlaps with
the content of this thesis, and shows the importance of guidelines for forensic acquisition in the
international scope.
A compact disc, MMG PhD 2009, accompanies this research study. To keep the actual research
document compact and to the point, all the additional resources necessary to present a complete study
accompany the study on this CD. This CD also presents additional interesting information contributing to
further understanding, as well as a graphic display of the Liforac model. (This display can be seen under
Liforac model on the CD). The study produced a number of publications and presentations, listed at the end
of this document (see page 264, after the references). Three of these presentations featured at
international conferences. Live Forensic Acquisition as Alternative to Traditional Forensic Processes was
presented at the IT Management and IT Forensics conference in Mannheim, Germany; Modelling Live
Forensic Acquisition was presented at the Workshop on Digital Forensics & Incident Analysis in Piraeus,
Greece; and A Best Practice Approach to Live Forensic Acquisition was presented at ISSA 2009 in
Johannesburg, South Africa. This thesis also served as foundation for a keynote presentation, was
featured in the author’s researcher profile on the CSIR’s intraweb and made headlines in a local
newspaper. The accompanying CD shows these completed works.
This research encompasses four parts, each contributing in a direct manner to the final forensically sound
model. Figure 1-1 shows the four parts and the chronological order, from the bottom to the top. This
indicates that the parts should be completed in a sequential manner to ensure an accurate result.
• Part 1: Setting the Scene;
• Part 2: Live Forensic Acquisition;
• Part 3: Digital Forensics and the Judicial System; and
• Part 4: The Possibility of Sound Live Forensic Acquisition.
Liforac - A Model For Live Forensic Acquisition
Martha Maria Grobler 3 of 268 Chapter 1
Parts 1 to 3 contribute drivers that are necessary to build the Liforac model. These drivers have no specific
definition to ensure their inclusion in the Liforac model; a driver is any definition, concept or detail that
may be of importance to the development of a comprehensive Live Forensic Acquisition model. At the
end of each chapter, a summary lists all the identified drivers before the next chapter starts. In Part 4,
these drivers will be refined and explained in more detail. The final model, presented in Part 4, has four
dimensions: Laws and regulations, Timeline, Knowledge and Scope.
Figure 1-1: Parts of the Liforac model development study (Own compilation)
At the time of writing, this Liforac model is the first document of this nature that could be found for
analysis. It serves as a foundation for future models that can refine the current proposed processes.
This study discusses both the technical and the legal aspects at a high level; these are presented as the
interpretation of the author, not a mandate for Law Enforcement agencies or forensic investigators. This
study leaves room for further investigation into this field. Part 1, Setting the Scene, will now initiate the
study.
Part 1: Setting the Scene
This study, Liforac - A Model For Live Forensic Acquisition, divides into four distinct parts. Figure Part 1-1
presents these four parts with four cylinders, indicating succession and progress from the bottom of the
figure to the top (originally presented in Figure 1-1).
Figure Part 1-1: Part 1 of the Liforac model development study
Part 1, Setting the Scene, mainly comprises the literature study to familiarise the reader with the Digital
Forensic discipline. It comprises the first two chapters of the study.
Chapter 2, Introduction, provides background knowledge to the study and lays out the objectives. This
chapter discusses the research methodology used to investigate Live Forensic Acquisition techniques
and introduces the objectives and limitations of the study. Chapter 2 is an introductory chapter, directing
the administrative aspects of the study.
Chapter 3, The Digital Forensic Discipline, presents insight into the Digital Forensic discipline. This
chapter introduces the traditional Dead Forensic Acquisition and the Live Forensic Acquisition techniques,
and compares these techniques. Additionally, Chapter 3 explains the principles of Digital Forensics. This
chapter is necessary to introduce the basic forensic principles to the reader and to ensure a basic level of
Digital Forensic understanding.
The two chapters in Part 1 combine to introduce a number of aspects relevant to Digital Forensics. It
serves as a concise introduction to the field of Digital Forensics and introduces important concepts that
are necessary for the development of a comprehensive Liforac model in Part 4 of this study. Once the
reader is comfortable with Part 1’s context, the in-depth analysis of forensically sound Live Forensic
Acquisition can start in Part 2. Chapter 2 will now formally introduce the study with background information
on the Digital Forensic discipline.
Chapter 2: Introduction
“The modern thief can steal more with a computer than with a gun. Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.”
- National Research Council
The human dependency on computers allows the infiltration of computer technology in almost all aspects of
human life. Computer technology has become synonymous with our fast moving lives, penetrating facets
of both home and work life (Sharma 2008:Internet).
Moore’s law predicts that computing power doubles every 18 months (French 2008:Internet). This ever-
increasing power enables humans to undertake tasks that are more complex and resource intensive. The
intention of these technological advances is to make human lives easier and more fulfilling: hand biometric
applications can ensure that only authorised people can operate guns; online social communities such as
Facebook and MXit can connect people globally; and iris recognition can lead to a keyless environment.
Computers give humans an inconceivable amount of power. However, not all humans can suitably
handle power.
A large number of science fiction movies give a glimpse into what can happen when computers and
ethically challenged people combine power: the Matrix and Hackers trilogies, and the Terminator movies
are some examples. The 1957 movie Desk Set is probably one of the first movies that portrays the danger
in fully computerising one’s world. Minority Report is also a prime example of what can happen if artificial
intelligence and computerised biometrics take over the world (IMDB 2008:Internet). Even the social
communities can become addictive, and in some cases vindictive and a playground for cyber predators
(Williams 2006:Internet).
Real life examples where criminals use technology for misdoings include a computer attack on the
Australian sewage system (Clarke 2004:Internet), the Estonian Cyber War (Traynor 2007:Internet), the
Chinese hacks into the Pentagon (Sevastopulo 2007:Internet) and the Russian cyber attacks against the
Pentagon (Fishel & Griffin 2008:Internet). These examples indicate that technological advances and the
Internet not only aided worldwide communication and commerce, but also sparked the growth of electronic
crime. Criminals are exploiting the same technological advances that have helped Law Enforcement to
progress (ACPO 2007:8). In fact, the increased availability of broadband connections to homes directly
affected the number of computer systems compromised by attackers and infected with malware (Carvey
2005:10).
Criminals make use of computers on a daily basis to assist with and to commit crimes. This, combined
with the pervasiveness and complexity of modern OSs, makes cyber crime a real and active threat. To act
against these electronic offenders, scientists developed the Digital Forensic discipline to retrieve evidence
from computers (Brungs & Jamieson 2005:57). This discipline has two main approaches relevant to this
study: Dead Forensic Acquisition and Live Forensic Acquisition.
The current forensic acquisition approach, Dead Forensic Acquisition, is to unplug a machine to acquire an
image of the hard drive. This approach can cause data corruption, system downtime and revenue loss for
businesses. Paragraph 3.3.1 introduces Dead Forensic Acquisition in more detail. A newer approach, Live
Forensic Acquisition, emerged to counteract problems caused by technology advancement and restrictions
of the Dead Forensic Acquisition approach. Live Forensic Acquisition refers to the acquisition of a forensically
sound system image from a live machine, i.e. a machine that is still running. This approach makes use of a
small window of opportunity provided by a live connection to acquire the necessary data from a suspect
computer. Paragraph 3.3.2 introduces this acquisition approach in more detail.
Irrespective of the acquisition approach, investigators present the evidence to court in due course. If the data
are admissible in court, cyber investigators refer to them as forensically sound. However, very few South African
courts currently accept Live Forensic Acquisition as forensically sound evidence (Nare 2008:Interview). The
main reasons for the occasional inadmissibility of Live Forensics are firstly the lack of court precedent,
and secondly criminals’ tendency to exploit new technology in innovative ways.
2.1 Research Problem
The nature of incidents and attacks has changed. The pervasive nature of computer systems and applications
makes them subject to attack and compromise on an increasingly regular basis (Carvey 2005:21). In many
instances, the combination of innovative criminal techniques and advanced technology limits the
applicability and success of Dead Forensic Acquisition. A number of OSs and encryption techniques can
only be investigated with a Live Forensic Acquisition approach. Live Forensics is thus no longer a luxury
acquisition approach, but a necessity for acquiring digital evidence. Investigations
need real time, admissible digital evidence such as volatile evidence, swap files and network processes
to determine the root cause of an incident and prosecute the cyber criminals (Grobler & Louwrens
2009:1).
On the one hand, criminals are constantly pushing the boundaries of technology. They are now using
computers to extend the range of activities they can perform and create new ways of hiding cyber tracks
(Jones 2007:1). Accordingly, new types of crime have surfaced in the virtual world, whilst traditional crimes
are committed using advanced technology (Maat 2004:i). The development of new crime types leaves Law
Enforcement techniques outdated, occasionally offering no protection against new criminal techniques.
On the other hand, advances in technology have effectively negated the success of traditional Dead
Forensics. Law Enforcement incorporated traditional Dead Forensic Acquisition in an attempt to keep up
with cyber crime, allowing forensic investigators to retrieve enough relevant data for the average case.
However, in some instances investigators need to recover additional data that is only retrievable from live
suspect systems, such as the existence of a running Trojan horse on the suspect machine.
New OSs have made the user interface so powerful and password encryption keys so secure that it is
virtually impossible for criminals and forensic investigators alike to access a shut-down system. For
example, it would take forensic investigators days and high volumes of computing power to crack a whole
disk encryption password, such as Pretty Good Privacy (PGP) Whole Disk Encryption or TrueCrypt (Nare
2008:Interview). However, if this password can be intercepted on a live system, acquisition can
commence immediately. Accordingly, crimes and investigations have become more real time,
necessitating the Live Forensic Acquisition approach.
Research Problem:
The development of Live Forensic Acquisition, albeit a remedy for the problems introduced by Dead
Forensic Acquisition, introduces a variety of additional difficulties, unique to the Live Forensic Acquisition
approach. These difficulties affect the forensic soundness of Live Forensic Acquisition.
At present, forensic investigators cannot be certain that a court of law will consider Live Forensic
Acquisition techniques to be forensically sound (Nare 2008:Interview). Neither can forensic investigators be
certain that evidence acquired with Live Forensic Acquisition techniques is adequately comprehensive,
compared with evidence acquired with Dead Forensic Acquisition techniques, until further research has
been done.
2.2 Research Objectives
This thesis aims to address the research problem and to develop a model that underwrites comprehensive
forensically sound Live Forensic Acquisition. The main premise of the thesis is to advise regarding the
viability of Live Forensic Acquisition as an alternative acquisition technique to traditional Digital Forensic
Acquisition. It is necessary to establish a method that allows forensically sound acquisition to stand fast
in a court of law before it can be used to its full potential. It is important that the forensic investigator also
consider his/her jurisdiction when partaking in an acquisition.
The proposed model for comprehensive forensically sound Live Forensic Acquisition, Liforac, will include
an overview of popular forensic tools (Chapter 4). It will also include current and applied Live Forensic
methods and techniques (Chapters 5 and 6), cyber crime and criminals (Chapter 7) and legal aspects
relevant to cyber crime (Chapter 8). Chapter 14 presents the final model, as constructed from research
and figures presented in Chapters 9 to 13. In addition to the thesis, the accompanying CD includes
supplementary information. Figure 2-1 shows the contents of the CD.
Figure 2-1: The Liforac model interface (Own compilation)
Objective:
The main objective of the study is to develop a model that comprehensively presents aspects related to
Live Forensic Acquisition. This model, Liforac, will guide forensic investigators by suggesting ways in
which a Live Forensic Acquisition should take place to ensure forensic soundness.
To realise this objective, it is necessary to focus on the process of comprehensive forensically sound Live
Forensic Acquisition. The research approach builds on the investigation of the possibility of forensically
sound Live Forensic Acquisition and the associated judicial implications. The following sub objectives
(presented in Figure 2-2, page 9) support the main objective and build up to the proposed model:
• Sub objective A: Investigate the Digital Forensic discipline. A comprehensive literature
study on the topic of Digital Forensics introduces the discipline. In fulfilling this objective, it is
possible to identify some important components of the proposed Liforac model at this stage.
• Sub objective B: Identify current Live Forensic practice. By looking at the techniques currently
applied to perform both Dead and Live Forensic Acquisition, it is possible to identify potential
forensically sound Live Forensic Acquisition techniques.
• Sub objective C: Identify sound forensic techniques. This sub objective defines forensic
soundness and evaluates some of the identified components based on these criteria.
• Sub objective D: Investigate cyber crime. Cyber crimes are far-ranging and a study of them can
assist in some aspects of the Live Forensic Acquisition model. Since both cyber criminals and
cyber crime are constantly evolving, the Liforac model needs to link directly to the progression of
cyber crimes.
• Sub objective E: Investigate the legal aspects of Digital Forensics. By producing a number of
cyber crime legal requirements, it should be possible to develop a model for Live Forensic
Acquisition. These legal requirements determine which acts classify as cyber crimes, as well as
the processes and responsibilities during the cyber crime investigation. Each country has its own
legal application and jurisdiction. Accordingly, forensic investigators need to be abreast of their
country’s legislation, as well as the application thereof. The legal requirements will make a direct
contribution to the model.
Figure 2-2: Objectives of the study (Own compilation)
These five sub objectives guide the research done in Parts 1 to 3. Combined, these sub objectives produce a
number of deliverables (Table 2-1 on page 12 maps these sub objectives to the relevant deliverables) to
create a single comprehensive, forensically sound Live Forensic Acquisition model - the Liforac model.
Chapter 14 in Part 4 will present this model in its final form.
The objectives set out for this study are to acquire the skills and practical expertise necessary to understand
the Live Forensic Acquisition approach. The completed research will not simply be a process of
knowledge gathering, but will also make an original contribution to the subject of Digital Forensics. This
study may lead to supplementary future research.
2.3 Research Plan
The focal point of this study is the field of Digital Forensics. The research will focus on developing a
model that represents aspects related to Live Forensic Acquisition, as well as a suggested way in which a
Live Forensic Acquisition should take place. The underlying idea is to establish whether Live Forensic
Acquisition can stand fast in a court of law. This study divides into four distinct parts and fifteen chapters.
Part 1: Setting the Scene
Part 1 investigates the current Digital Forensic environment. It comprises two chapters of the study,
combining to introduce a number of aspects relevant to Digital Forensics. Once the reader is
comfortable with Part 1’s context, the in-depth analysis of forensically sound Live Forensic Acquisition
can start.
• Chapter 2, Introduction, provides the reader with background knowledge to the study. It also
lays out the research problem, objectives, deliverables, research approach and limitations.
• Chapter 3, The Digital Forensic Discipline, presents the reader with insight into the Digital
Forensic discipline. This chapter introduces the Dead and Live Forensic Acquisition techniques
and explains the Digital Forensic principles relevant to both techniques. Chapter 3 discusses
both disciplines’ advantages and disadvantages, and compares the two techniques. This chapter
explains the Forensic Acquisition process step-by-step.
Part 2: Live Forensic Acquisition
Part 2 focuses more on the internal workings of the Live Forensic technology. It comprises three chapters of
this study. These chapters introduce the possibilities of forensically sound Live Forensic Acquisition. Part
2 theoretically builds a framework of the positive application of Live Forensic Acquisition within the
Information Security environment. It builds on the knowledge gained in Part 1 and is justified by the
chapters in Part 3. The majority of this part involves the investigation of practical, real world application
of Digital Forensics.
• Chapter 4, Forensic Tools, presents a comparison of a number of popular Digital Forensic tools.
The list of tools is not exhaustive, but provides the reader with sufficient background knowledge
to understand the processes depicted in Part 2. The tool discussion gives the reader a basic
understanding of how Digital Forensics works and ways in which forensic tools can assist
investigators. Additional information regarding the Digital Forensic tools is available on the
accompanying CD (see Forensic tools).
• Chapter 5, Current Application of Live Forensics, provides background knowledge on the
developing technology. This chapter looks at the advances Live Forensic Acquisition has made in
the areas in which traditional Forensic Acquisition lacks. It also focuses on the practical problems
that arise with the application of Live Forensics. Chapter 5 concludes with a discussion on the
current software and hardware techniques applied in Live Forensic Acquisition.
• Chapter 6, Forensically Sound Live Forensic Acquisition Admissible in Court, focuses on the term
forensic soundness and measures different kinds of evidence retrieved through Live Forensics
according to its definition. This chapter focuses on the volatile nature of Digital Forensics.
Part 3: Digital Forensics and the Judicial System
Part 3 forms an important section of this investigation. This part comprises two chapters of the study,
and provides technical information to ensure that forensic investigators understand the subject.
• Chapter 7, Cyber Crime and Criminals, provides the reader with background on the subject. It looks
at the different types and classification of cyber crime. It addresses cyber crime incidents and
occurrence, the reasons for cyber crime, as well as famous court cases in which cyber crime
played a major role. Related to this chapter, the accompanying CD presents the WITSA (World
Information Technology and Services Alliances) Report on Cyber Crime (see WITSA report).
• Chapter 8, Cyber Crime Legal Aspects, discusses the legal acceptance of Digital Forensic evidence
and identifies current laws addressing cyber crime. These laws are discussed in more detail on the
accompanying CD (see Legislation). This chapter also identifies a cyber crime framework, as
well as some legal challenges facing the successful acceptance of Live Forensic Acquisition.
This cyber crime framework is crucial in the successful development of the Liforac model in
Part 4.
Part 4: The Possibility of Sound Live Forensic Acquisition
Part 4 forms the crux of this investigation. This part comprises seven chapters of the study and presents
the climax and conclusions of the study. Part 4 links the entire research study together, presenting the
Liforac model for Live Forensic Acquisition founded on the first three parts of the document.
• Chapter 9, Building A Model, presents the climax of the study. This chapter shows the process
involved in composing a model from the information gathered in Parts 1 to 3, to represent a
comprehensive, forensically sound model consisting of four dimensions. Chapters 10 to 13 discuss
each of these dimensions in detail.
• Chapter 10, Laws and Regulations Dimension, looks in more detail at the dimension relating to
laws and regulations relevant to Digital Forensics. Largely, this dimension builds on Chapter 8.
• Chapter 11, Timeline Dimension, looks in more detail at the sequential order in which
investigators should perform specific actions to ensure sound Live Forensic Acquisition. This
chapter looks at process flows and activities that need to be performed in a specific order.
• Chapter 12, Knowledge Dimension, looks in more detail at the people involved in successful
Live Forensic Acquisition: who they are and what training and skills they should possess. Both
pertinent and inherent knowledge play a part in the development of the Liforac model.
• Chapter 13, Scope Dimension, looks in more detail at the problems associated with Live
Forensics, identified earlier in Chapter 5 of this study. This chapter gives some guidelines on
how to handle these problems.
• Chapter 14, Presenting the Final Liforac model, presents the final model for comprehensive,
forensically sound Live Forensic Acquisition. The accompanying CD also presents this final
model graphically. Chapter 15, Closure, concludes the study and justifies the development of the
Liforac model for comprehensive, forensically sound Live Forensic Acquisition.
Research deliverables
Table 2-1 summarises the previously discussed research plan and shows the deliverables relevant to
each chapter. These fifteen chapters work together to present a comprehensive model for Live Forensic
Acquisition, presented in Chapter 14. This table also maps the five sub objectives (introduced in Figure
2-2) to deliverables in a specific chapter.
Table 2-1: Project deliverables (Own compilation)
Part / Chapter / Deliverable
Part 1: Setting the Scene
  Chapter 2 (no deliverable listed)
  Chapter 3
    − Forensic definition and glossary
    • Maps to sub objective A: Digital Forensic discipline
Part 2: Live Forensic Acquisition
  Chapter 4
    − Forensic tool overview
    • Maps to sub objective A: Digital Forensic discipline
  Chapter 5
    − Current Live Forensic methods and techniques
    • Maps to sub objective B: Current Live Forensic techniques
  Chapter 6
    − Extended forensic definition and glossary
    • Maps to sub objective C: Identify sound forensic techniques
Part 3: Digital Forensics and the Judicial System
  Chapter 7
    − Cyber crime background
    • Maps to sub objective D: Crimes and criminals
  Chapter 8
    − Cyber crime legislation and investigation framework
    • Maps to sub objective E: Laws
Part 4: Sound Live Forensic Acquisition
  Chapter 9
    − Generic Liforac model
  Chapter 10
    − Laws and Regulations
  Chapter 11
    − Timeline
  Chapter 12
    − Knowledge
  Chapter 13
    − Scope
  Chapter 14
    − Liforac graphical display
  Chapter 15
    − Closure
The chapters indicated in Table 2-1 present most of these deliverables, whilst the accompanying CD
presents the rest of the deliverables in more detail. The next section introduces the research approach for
this project.
2.4 Research Approach
The main research methodology that will apply to this particular study is explorative and developmental,
using both existing and new data. The first section of the research focuses on a broad literature survey:
Digital Forensics in general, Dead and Live Forensic Acquisition, forensic tools, current forensic
techniques and practices, and legislation relevant to Digital Forensics. From this literature survey, it is
possible to identify a number of building blocks that can contribute to the development of the Liforac
model.
Most of these building blocks need further investigation, either because they are purely theoretical statements,
or because the discipline is still relatively new and unexplored. The study will therefore progress from a
very broad discussion of the Digital Forensic field in Part 1, to a proposed model as a solution to the
problems identified related to Live Forensics in Part 4.
Figure 2-3 presents the basic research approach for this study. This figure maps directly onto Figure 2-2,
with sub objectives A to E leading to the development of the Liforac model. Figure 2-3 presents the
research approach as a pyramid, with each completed sub objective laying the foundation for the next
sub objective. The pyramid suggests that each sub objective addresses a more specialised area that
can be used in the Liforac model. This representation reinforces the idea that the data acquired from the
literature survey are building blocks used to assemble a model for comprehensive, forensically sound Live
Forensic Acquisition.
Throughout the study, figures similar to Figure 2-3 will depict the development process of the model.
These figures will graphically show the reader the data already gathered that are necessary before the
development of the actual Liforac model can start.
Figure 2-3: Liforac model progress (Own compilation)
Since Live Forensic Acquisition is relatively new and unexplored, it is difficult to identify appropriate
measurement instruments beforehand. However, future research will measure and validate the proposed
model in a live Digital Forensic environment. The result of the study will make a qualitative contribution to
the Digital Forensic environment, extending the current minimal capacity of Live Forensic Acquisition.
The proposed research study tackles a new, relatively unknown problem.
Based on the information presented in Chapter 2, it is possible to create a roadmap for the development of
the Liforac model. Figure 2-4 shows this roadmap in its generic form. Each of the subsequent chapters
will be introduced with a version of the roadmap, indicating the progress on the figure.
2.5 Limitations
At the time of writing, the literature available on Live Forensics is rather limited and not very scientific in
nature. The direction of this study will definitely contribute to an expanding discipline and aims to
advance the acceptance of Live Forensic Acquisition in the judicial system.
Figure 2-4: Liforac model development roadmap
2.6 Summary
Chapter 2 is an orientation to the planned research. It provides background information to the research
problem and states the objectives of the study. Chapter 2 lays out the platform for the proposed study
and provides figures and tables to visualise the research plan and the extent of the study.
Chapter 3 will now provide a detailed literature study on Digital Forensics. This literature study is crucial
to the reader’s understanding of the discipline and contributes to the motivation of the necessity of a
model for comprehensive Live Forensic Acquisition. Chapter 3 addresses the first sub objective, The
Digital Forensic Discipline. This involves a brief overview of Digital Forensic history, a graphical
depiction of the Dead and Live Forensic Acquisition processes, as well as the graphical depiction of the
generic forensic process diagram. Chapter 3 is also the first chapter to list a number of drivers that can
be used in the Liforac model development.
Chapter 3: The Digital Forensic Discipline
“There’s a lot of interest in these growing fields of forensic science… It is designed to appeal to those who are interested in criminal justice. If you want to ferret out crime and evidence, it all comes together right here.”
- Lamar Jordan
Part 1 focuses on setting the scene for Digital Forensic analysis. The previous chapter introduced the
study holistically and proposed a research approach to follow in order to develop a comprehensive model
for forensically sound Live Forensic Acquisition. Chapter 3 now formally starts the literature study by
introducing the field of Digital Forensics.
Figure 3-1 shows that the Digital Forensic discipline forms the focus of Chapter 3. This objective lays the
foundation for all further research to develop the Liforac model. It introduces the term Digital Forensics
and presents a brief history of the discipline. Chapter 3 further introduces both Dead and Live Forensics
as separate disciplines, investigating both the positive aspects and the limitations, and compares the
disciplines through diagrams. Lastly, Chapter 3 lists and explains the steps involved in the Forensic
Acquisition process, applicable to both Dead and Live Digital Forensics.
Figure 3-1: Liforac model progress - Digital Forensic discipline (a) (Own compilation)
This chapter will also establish a knowledge foundation based on different Digital Forensic Acquisition
approaches and introduce a number of terms unique to this discipline (see Glossary on the accompanying
CD for a formal presentation of these terms).
3.1 Introduction
Digital Forensics forms the foundation of this study. Although this chapter investigates the entire
discipline, the study will mainly focus on Digital Forensic Acquisition and its related activities. Many of the
terms encountered in Chapter 3 are introduced and defined at the beginning of the study (page viii).
The basic understanding of the Digital Forensic discipline is that it combines elements of both law and
computer science to collect and analyse data from computer systems, networks and storage devices in a
way that is admissible as evidence in a court of law (US-CERT 2005:1). It involves “… the exploration
and application of scientifically proven methods… to gather, process, interpret and utilise digital evidence in
order to provide a conclusive description of all cyber-attack activities” (Giordano & Maciag 2002:3).
Louwrens (2009a:2) provides a more comprehensive definition: “Digital Forensics are (sic) the analytical
and investigative techniques used for the preservation, identification, extraction, documentation, analysis
and interpretation of computer media which is digitally stored or encoded for evidentiary and/or root
cause analysis”. For the purpose of this study, acquisition does not include the interpretation of the
acquired data, but involves the transportation of the data from the crime scene to a safe location, as well
as its safe storage.
There are a number of definitions available, varying with regard to the extent of the forensic process.
However, all of the definitions agree that Digital Forensics includes the investigation of digital data. To
understand the complexity of the discipline, it is necessary to look at the origin. The next paragraph
discusses the history of Digital Forensics.
3.2 Digital Forensic History
The profiling of criminals dates back to the 15th century. Although these investigators did not always
document their techniques accurately or perform them according to a standard, their early work contributed
to the development of Digital Forensics (Nykodym, Taylor & Vilela 2005:261). In the late 1800s, Alphonse
Bertillon developed one of the first scientific systems of personal identification. This system laid the
groundwork for research by Edmond Locard, the acclaimed father of forensics (Gallo 2008:4), and the
Locard Exchange principle (refer to Paragraph 5.1).
Despite these early beginnings, the American Federal Bureau of Investigation (FBI) only started to formally
employ Digital Forensics in 1984 and it only emerged as an identifiably independent field in 1992 (Fei
2007:24; Spafford 2006:4). Modern criminal identification systems can be traced back to the case of
Jack the Ripper in the late 19th century. Dr Thomas Bond, a famous profiler, investigated this case, far
surpassing his era by applying psychology to profile the perpetrator and assess the scene. Today's
criminal profiling process takes two approaches:
• Prospective profiling creates a template of a specific type of offender, based on the in-depth study
of characteristics of previous offenders. Profilers constantly re-evaluate these profiles in a
process to narrow down and predict who will commit these specific types of offences.
• Retrospective profiling follows an investigation and is normally case specific. This technique
uses clues left behind by the specific criminal. Digital Forensics is of the retrospective profiling
type, used often by the FBI and other Law Enforcement agencies (Nykodym et al. 2005:261).
Since Digital Forensics applies post-incident, the process that investigators follow needs to be accurate.
If the investigator contaminates the crime scene, the evidence will likely not be usable in court. The
following section introduces the basic Digital Forensic process, with the different stages.
3.3 Digital Forensic Process
Heated discussions exist in the world of Digital Forensics. The most prominent argument is whether to
pull the plug or to perform the acquisition on a live, running system. In order to investigate the action of
Live Forensic Acquisition (the foundation of this research study), it is necessary to look at and explain
both acquisition approaches. Whichever of the approaches is applied, the basic Digital Forensic
methodology consists of three important steps:
• acquire the evidence without altering or damaging the original;
• authenticate that the recovered evidence is the same as the originally seized data; and
• analyse the data without modifying it (Kruse II & Heiser 2002:3).
The complete Digital Forensic methodology needs to address all three of the abovementioned aspects.
For the purpose of this study, only the first step, acquire the evidence without altering or damaging the
original, is under investigation. The following sections discuss the two different Digital Forensic
Acquisition approaches and identify and explain the shortcomings of both Dead Forensic Acquisition
and Live Forensic Acquisition.
3.3.1 Dead Forensic Acquisition
The first of the two Digital Forensic Acquisition approaches is Dead Forensic Acquisition. Investigators often
refer to this method as the traditional Digital Forensic approach. Dead Forensic Acquisition involves pulling
the plug on a suspect system, or shutting the system down through normal administrative procedures.
This method prevents any malicious process from continuing to run on the system and potentially deleting
data from it. It allows the investigator to create a snapshot of the swap files and system information as
they were when the system was last running (Stimmel 2008:2). This section briefly introduces this acquisition approach by
defining the terminology and explaining the role of the First Responder, before looking at the positive
aspects and limitations of the method.
Definition
A formal definition of Dead Forensic Analysis is “… analysis done on a powered off computer” (Jones
2007:2,3). Usually there are four stages to traditional Dead Forensic Analysis. Paragraph 4.2 elaborates
more on these stages, but the list below briefly introduces them:
• Collection is the first stage and entails the process on location: search and seizure, acquisition of the
information and data sources in a forensically sound manner. First Responders (defined below) often
are responsible for the Collection stage. The main action of this stage is the forensic disk duplication.
• Examination comprises both a manual and an automatic assessment of the acquired data. This
stage aims to identify and extract data relevant to the specific case. The main action is feature
extraction, involving file system parsing and the extraction of mailboxes.
• Analysis (filtering) is the process of using the identified data to prove that one or more specific
individuals performed the actions on the computer. This stage involves browsing, querying and correlating
existing data (Alink, Bhoedjang, Boncz & De Vries 2006:50) and general data reduction.
• Reporting is the last stage in which the forensic investigator reports the information gathered
(Jones 2007:2,3). This can take a written, oral or electronic form (Pollitt & Whitledge 2006:4).
For the purpose of this study, all four of the abovementioned stages will be regarded (Section 4.2
discusses these stages in more detail). The first stage, Collection, will be covered in additional detail
since it forms the foundation of the study. The remainder of the study will refer to the Collection stage
as the Forensic Acquisition process. The other three stages will be discussed in less detail: acquisition
rarely occurs in isolation without at least some form of reporting done by the forensic investigator. The
next section looks at the roles and responsibilities of the First Responder, as crucial elements of the
Forensic Acquisition process.
First Responder
According to the South African Police Services (SAPS 2007:29), a First Responder is “… a confident
individual that can correctly handle 80% of cyber crime scenes and cyber evidence acquisitions”. These
individuals often arrive first at the crime scene. They are responsible for the legal seizure of items
suspected to be involved in a crime and the basic acquisition of data images of the suspect system. First
Responders are generally involved with both the collection and the acquisition processes during search
and seizure operations.
The forensic copying process is not straightforward, but with sufficient training and the correct forensic
software packages, First Responders are qualified to copy the hard drive image, complete with
unallocated sectors, slack space and file metadata. First Responders accomplish this by copying
the seized hard drive bit by bit (Jones 2007:3), and record a cryptographic hash of the source and of the
image so that the copy can later be authenticated against the original.
Figure 3-2 illustrates the First Responder's actions chronologically. The First Responder (or a forensic
investigator fulfilling the role of First Responder) approaches the computer and determines its power
status. If the computer's power is on, he/she turns it off by either pulling out the power plug or following
the proper shut-down procedure. Once the power is off, the forensic investigator physically removes the
hard drive from the system, attaches it as an external drive to a forensic system and copies its content. The
investigator takes the necessary precautions to ensure that no data modification takes place on the
external drive, typically by attaching it through a hardware write blocker and by comparing hashes of the
source and of the image once the copy is complete. Depending on the specific situation, the investigator
may either return the hard drive to the original system or bag it as evidence. This entire process should be
documented in the chain of custody.
Figure 3-2: Dead Forensic Acquisition (Adapted from: Jones 2007:3)
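The first two steps of the methodology in Section 3.3 (acquire without altering the original, then authenticate the copy) and the bit-by-bit copying of Figure 3-2 can be made concrete in code. The following Python program is an added example for this edition and is not code from the thesis or from any tool it cites. It assumes a 512-byte sector size, a source already opened read-only behind a hardware write blocker, and the common imager convention that a sector the drive refuses to read is replaced with zeros and logged instead of aborting, so that the offsets of all later data in the image stay correct. The `FlakyDevice` class and its contents are constructed for the example; `image_device` and `verify_image` are the example's own names.

```python
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # assumed sector size for the example


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a seized drive: any read that starts inside
    one of the listed sector numbers fails with EIO, as a damaged platter would."""

    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)

    def read(self, size=-1):
        if self.tell() // SECTOR in self.bad_sectors:
            raise OSError(5, "Input/output error")
        return super().read(size)


def image_device(src, dst_path, sector=SECTOR):
    """Copy `src` sector by sector into `dst_path`, hashing the bytes as they
    are written.  Unreadable sectors are zero-filled and recorded, so the gaps
    are documented instead of silently shifting every later byte in the image."""
    src.seek(0, os.SEEK_END)
    total = src.tell()
    digest = hashlib.sha256()
    unreadable = []
    with open(dst_path, "wb") as dst:
        for offset in range(0, total, sector):
            want = min(sector, total - offset)  # the final sector may be short
            src.seek(offset)
            try:
                chunk = src.read(want)
            except OSError as exc:
                chunk = b"\x00" * want
                unreadable.append({"offset": offset, "error": exc.strerror})
            if len(chunk) != want:
                raise RuntimeError(f"short read at offset {offset}")
            dst.write(chunk)
            digest.update(chunk)
    return {
        "bytes": total,
        "sha256": digest.hexdigest(),
        "unreadable": unreadable,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(dst_path, record):
    """Authenticate step: re-hash the stored image and compare it with the
    hash taken during acquisition.  Any later change, even one byte, fails."""
    digest = hashlib.sha256()
    size = 0
    with open(dst_path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            digest.update(block)
            size += len(block)
    return size == record["bytes"] and digest.hexdigest() == record["sha256"]


def demo():
    """Image a four-sector constructed device whose third sector is unreadable,
    verify the image, then alter one byte of it and verify again."""
    data = bytes(range(256)) * 8          # 2048 bytes = 4 sectors, constructed
    expected = data[:2 * SECTOR] + b"\x00" * SECTOR + data[3 * SECTOR:]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.dd")
        record = image_device(FlakyDevice(data, bad_sectors=[2]), path)
        intact = verify_image(path, record)
        with open(path, "r+b") as fh:      # simulate post-acquisition tampering
            fh.seek(10)
            fh.write(b"\xff")
        tampered_detected = not verify_image(path, record)
    return {
        "record": record,
        "image_hash_matches_zero_filled_copy":
            record["sha256"] == hashlib.sha256(expected).hexdigest(),
        "intact": intact,
        "tampered_detected": tampered_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block images the constructed device, records the zero-filled gap at offset 1024 next to the hash of the image as written, confirms that the stored image authenticates against that hash, and shows that a single byte changed afterwards is detected. The hash therefore documents what was acquired, gaps included, which is what the chain of custody has to vouch for.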
Dead Forensic Acquisition allows investigators to acquire a range of digital data, but it mainly retrieves
static data or data at rest (Forte 2008a:13), that is, data held on secondary storage. Cohen (2006:7,8) lists
the locations in which digital data may reside, including:
• file system, networked computers, storage arrays;
• disks, memory, tapes, optical media, cameras;
• smart cards, dongles, biometric scanners;
• PC boards, PCMCIA (Personal Computer Memory Card International Association) cards;
• PDAs, cell phones, USBs, pen recorders;
• servers and clients;
• RAM, swap file and hibernation file;
• VOIP (Voice Over Internet Protocol), POTS (Plain Old Telephone Service);
• VPN (Virtual Private Network) and encrypted data;
• Internet Relay Chat (IRC) sessions;
• radios, cell systems and satellites;
• printers, answering machines, watches; and
• stagnant data on remote places of the hard drive (Cohen 2006:7,8).
Several items in this list (RAM, open VOIP and IRC sessions, VPN state) are volatile rather than at rest. Once
the power is removed, Dead Forensic Acquisition recovers only what was committed to persistent storage, such
as the swap and hibernation files; the remainder is lost.
For many years, Dead Forensic Acquisition was the only means of performing forensic acquisitions. It
is a simple procedure to follow, and its straightforward steps have been tried and tested. However, much
time has passed and many new technological advances have been made that have either a direct or an
indirect impact on Forensic Acquisition. As a result, Dead Forensic Acquisition has both advantages and
disadvantages, which the following sections present.
3.3.1.1 Positive Aspects of Dead Forensic Acquisition
The forensic discipline in itself brings about a number of advantages that support the process of cyber
investigations and prosecutions. The list below shows some of the more prominent advantages:
1. One of the main advantages of forensics, both Dead and Live Forensics, is the ability to retrieve
hidden and deleted data. This retrieved data can be applied in a number of ways, including
inter-organisational disciplinary investigations and jurisdictional court cases.
2. Under normal circumstances, there is no fear of forensic investigators overwriting or modifying
evidentiary data obtained from a forensic acquisition. Generally, sufficient precautions are in
place (a write blocker between the seized drive and the workstation, and hashes of the source and the
image compared after the copy) to ensure that the forensic software allows no modification during the
copying process to either the original or the copied image of the original hard disk (Jones 2007:3). Dead
Forensic Acquisition is a clear-cut process that presents evidence that is admissible in court, when
performed correctly.
3. A distinguishing characteristic between Dead and Live Forensics is that Dead Forensics rarely
acquires live, volatile data. Once the computer is unplugged, the machine loses most of the contents
of its RAM. A little-known fact is that DRAM does not lose its contents instantly: the cells decay
gradually over a period of seconds at room temperature, and far more slowly if the modules are cooled,
so the content becomes less reliable the longer it goes without being refreshed. A forensic
investigator who is aware of this can make use of this small window of opportunity to acquire the
memory (Halderman, Schoen, Heninger, Clarkson, Paul, Calandrino, Feldman,
Appelbaum & Felten 2008:12). The technical aspects of this specialised technique are beyond
the scope of this study.
For many years, investigators only had the Dead Forensic approach to do any kind of acquisition on
digital systems. However, with evolving technology and digital techniques, Dead Forensic Acquisition
steadily became inadequate to successfully address modern cyber attacks and adhere to current
legislation. The next section addresses the limitations of Dead Forensic Acquisition.
3.3.1.2 Limitations of Dead Forensic Acquisition
There are a number of limitations and difficulties associated with Dead Forensic Acquisition. Some
limitations are more serious than others, but it is necessary to look at all of them.
1. Many unique practical and legal constraints make the application of Digital Forensics both
interesting and decidedly complex. An example of a practical constraint would be a suspect
system that is a public machine in an internet café, with the owner claiming a loss of income
for the duration of the forensic investigation. An example of a legal constraint is the restriction of
the methods by which forensic investigators may obtain data.
2. A lack of standardised procedures leads to uncertainties about the effectiveness of current
investigation techniques. In turn, this has led to the suboptimal use of resources. In some
instances, investigators gather worthless data that takes unnecessary time to collect. In addition, this
data has to be stored and takes up valuable space (Leigland & Krings 2004:3).
3. To comply with traditional forensic requirements, all data must be gathered and analysed for
evidence. However, modern computers consist of terabytes of data (Leigland & Krings 2004:2).
These advanced technologies, coupled with cyber crimes becoming more complex, lead to more
complex and time-consuming digital investigations. It is increasingly difficult to locate vital evidence
within the massive volumes of data. Log files also tend to increase in size and dimension,
complicating a Digital Forensic investigation even further (Fei 2007:15).
4. In response to the effectiveness of Dead Forensic Acquisition, criminals have resorted to the
widespread use of cryptography. Now, even though forensic investigators have a complete bit-
for-bit hard drive image of the suspect system, the image is encrypted and of no practical value
without the key. With whole-disk encryption the key is typically derived from a password that only
the user knows, and the data exists in decrypted form only while the system is running with the
volume mounted. Since investigators cannot always rely on a suspect's cooperation in supplying this
password, the method of acquisition needs adjustment. By acquiring this encrypted disk with Live
Forensic Acquisition techniques, investigators have a better chance of accessing the disk's decrypted
contents. Whole-disk encryption is not limited to criminals, but is now also a built-in feature of some OSs.
5. Investigators need passwords to access the system. Since the system is neither active nor logged
on when a Dead Forensic Acquisition occurs, the investigators need passwords to access all
encrypted files and file systems. The general modus operandi is to run a password cracker against
these files and file systems. However, newer OSs enforce stronger passwords. This measure was
put in place to protect the computer user, but it also makes it practically impossible for
forensic investigators to crack the passwords within a reasonable amount of time and with
reasonable resources.
6. If forensic investigators do not follow the applicable legal restrictions to the letter, data acquired in
certain ways may be inadmissible in court and not even usable as intelligence (Jones 2007:1). This
can negate the criminal investigation completely. For this reason, it is important that forensic
investigators are equipped with tools and mechanisms that can produce forensically sound system
images. Only when this is possible can data be regarded as evidence and be admissible in a court of law.
7. Dead Forensic Acquisition can be highly disruptive if a mission or business critical machine
needs to be shut down for acquisition. In many cases, it is impractical to shut down servers that
need to monitor some type of activity constantly. For example, should a cell phone billing server
be shut down while the network itself remains online, customers would still be able to phone
without the cell phone company having any record of the calls with which to bill them correctly.
Similarly, if the computer in question belongs to an organisation that outsources its mail or file
server, or the computer belongs to an ISP (Internet Service Provider), other clients using the
same server or ISP will be disrupted. The server in question may host multiple systems from
separate and unrelated enterprises containing various levels of data and program resources.
This may result in unproductive time in which the system users (both directly and indirectly
involved with the computer under investigation, as well as bystanders using the same
outsourced service) cannot access necessary documents.
8. Data retrieved from the individual disks of a Redundant Array of Independent Disks (RAID) system
must be pieced together before it can be considered as evidence. A RAID system combines
multiple small, inexpensive disk drives, and most RAID levels use redundancy to maximise the
ability to recover from hard disk crashes. Data on a RAID system is distributed across the drives
in a consistent manner: the data is broken into equal-sized pieces (usually 32K or 64K in size) and
each piece is written to one of the hard drives in the RAID system. When the data is read, the process
is reversed to give the impression that the multiple drives are actually one large drive (RedHat
2009:Internet). If the machine is switched off and each drive is imaged separately, every image of a
striped array holds only a fraction of the data (plus parity blocks on levels such as RAID 5), laid out
according to the controller's configuration: RAID level, stripe size, disk order and parity rotation.
Without that configuration, which lives in the controller or its metadata, the images cannot simply be
concatenated and the logical volume has to be reconstructed before analysis.
9. Another limitation of Dead Forensic Acquisition has surfaced with regard to network data. The
need to acquire network-related data (such as open ports and established connections) has grown
dramatically. This type of information is volatile and is lost when the computer powers down, which is
the very foundation of Dead Forensic Acquisition (Jones 2007:3). All connections to remote servers and
drives are likewise lost in a Dead Forensic Acquisition, so Dead Forensics is not the optimal method to
acquire live, volatile data. Although modern RAM allows a grace period of a few seconds in which the
volatile data is not erased, this is often too little time for a proper acquisition (refer to Section 3.3.1.1).
Related to the network data limitation is the impact that cloud computing has on Digital Forensics. Cloud
computing moves software applications away from individual computers and offers access to them via
the internet. If an application is accessed via the cloud, registry entries and temporary files are kept within
the virtual environment and lost when the user exits. This makes evidence traditionally stored on
the hard drive potentially unrecoverable (Frowen 2009:Internet).
10. The Trojan defence cannot be rebutted. Owners of suspect systems often claim that a third party
hacked into their system and committed the offence as if from their computer, i.e. by means of a hidden
Trojan on their system. With Dead Forensic Acquisition, forensic investigators may be able to
find traces of a Trojan on the suspect system, but it is not always possible to prove whether this
Trojan was active at the time and could have enabled the offence from a remote location.
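The reassembly problem described in point 8 above can be illustrated with RAID 5, the level that best fits the description of striping with redundancy. The Python program below is an added example and not part of the thesis or of any tool it cites. It assumes a layout in which the parity chunk rotates from the last disk backwards and the data chunks fill the remaining disks in disk order (the left-asymmetric layout); real controllers use several variants, and the block's final check shows what happens when the stripe size is guessed wrongly. The `stripe_raid5` function only stands in for the controller in order to produce per-disk images from constructed data; an investigator would obtain those images by imaging each physical disk. `assemble_raid5` and `parity_disk` are likewise the example's own names.

```python
from functools import reduce

# Assumed layout (left-asymmetric RAID 5): for stripe s the parity chunk is on
# disk (n - 1) - (s mod n) and the data chunks occupy the other disks in order.


def _xor(blocks):
    """XOR equal-length byte strings; RAID 5 parity is plain XOR of the data chunks."""
    acc = reduce(lambda a, b: a ^ int.from_bytes(b, "big"), blocks, 0)
    return acc.to_bytes(len(blocks[0]), "big")


def parity_disk(stripe, ndisks):
    return (ndisks - 1) - (stripe % ndisks)


def stripe_raid5(data, ndisks, chunk):
    """Constructed 'controller': write `data` across `ndisks` per-disk images.
    Used only to build the images for the example."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = chunk * (ndisks - 1)
    data += b"\x00" * ((-len(data)) % per_stripe)      # pad the final stripe
    images = [bytearray() for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        base = s * per_stripe
        chunks = [data[base + i * chunk: base + (i + 1) * chunk]
                  for i in range(ndisks - 1)]
        p = parity_disk(s, ndisks)
        it = iter(chunks)
        for d in range(ndisks):
            images[d] += _xor(chunks) if d == p else next(it)
    return [bytes(img) for img in images]


def assemble_raid5(images, chunk):
    """Rebuild the logical volume from per-disk images.  One image may be None
    (missing or unreadable disk) and is regenerated from parity.
    Returns (volume, list of stripes whose parity does not check)."""
    ndisks = len(images)
    present = [img for img in images if img is not None]
    if len(present) < ndisks - 1:
        raise ValueError("RAID 5 tolerates at most one missing disk")
    size = len(present[0])
    if any(len(img) != size for img in present) or size % chunk:
        raise ValueError("inconsistent image sizes for this chunk size")
    volume = bytearray()
    bad = []
    for s in range(size // chunk):
        parts = [None if img is None else img[s * chunk:(s + 1) * chunk]
                 for img in images]
        if None in parts:
            missing = parts.index(None)
            parts[missing] = _xor([p for p in parts if p is not None])
        elif _xor(parts) != bytes(chunk):
            bad.append(s)                      # parity mismatch: corrupt stripe
        p = parity_disk(s, ndisks)
        volume += b"".join(parts[d] for d in range(ndisks) if d != p)
    return bytes(volume), bad


def demo():
    data = bytes(range(256)) * 6               # 1536 bytes of constructed data
    images = stripe_raid5(data, ndisks=4, chunk=128)     # four stripes per disk
    full, bad_full = assemble_raid5(images, 128)
    degraded, _ = assemble_raid5([images[0], None, images[2], images[3]], 128)
    corrupt = list(images)                     # flip one byte in stripe 2 of disk 0
    corrupt[0] = images[0][:2 * 128] + b"\xff" + images[0][2 * 128 + 1:]
    _, bad_corrupt = assemble_raid5(corrupt, 128)
    wrong_layout, _ = assemble_raid5(images, 64)        # stripe size guessed wrongly
    return {
        "full_ok": full == data,
        "no_bad_stripes": bad_full,
        "degraded_ok": degraded == data,
        "corrupt_stripes": bad_corrupt,
        "wrong_layout_ok": wrong_layout == data,
    }


if __name__ == "__main__":
    print(demo())
```

Because RAID 5 parity is the XOR of the data chunks in a stripe, the same routine recovers a stripe when one disk image is missing and flags stripes whose parity no longer checks, which is how a corrupted image shows up during reconstruction. The last check in `demo` reproduces the situation from point 8: with the wrong stripe size the images assemble into something that is not the original volume, and nothing in the images themselves says so.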
Due to the many limitations of traditional Dead Forensic Acquisition and the advances in technology,
forensic investigators in theory prefer Live Forensic Acquisition. Live Forensic Acquisition involves the
gathering of data from a system without first shutting down the associated system. This allows forensic
investigators to access a variety of invaluable information that would have been lost in a Dead Forensic
Acquisition (Jones 2007:1). In addition, Live Forensic Acquisition allows for investigations on mission
critical systems that might not have been possible if the machine had to be switched off. Unfortunately,
the practice of Live Forensic Acquisition brings about its own limitations, especially with regard to legal
implications. The next section addresses this approach.
3.3.2 Live Forensic Acquisition
Some aspects of Live Forensic Acquisition are similar to those of Dead Forensic Acquisition. However, it
developed in response to the shortcomings of the traditional Dead Forensic Acquisition approach and to
advancing technology. Live Forensic Acquisition takes into account the retention of volatile data, the
expanded use of encryption on live systems, hardened OSs with specialised security features, multiple
computers per user and the pervasive use of networks (Brown 2005b:7). Such systems cannot be
adequately acquired with Dead Forensic Acquisition, necessitating the use of Live Forensic Acquisition.
The acquisition philosophy is the same in that both approaches need to ensure that the acquired image
remains unchanged. The sequence of stages applies to both the Dead and Live Forensic processes
(Collection, Examination, Analysis and Reporting). Practitioners, however, should tailor the inner workings of
these stages to allow for a forensically sound Live Forensic Acquisition (Jones 2007:3). Figure 3-3
presents the First Responder's actions during Live Forensic Acquisition. At the time of research, no
analogous diagram was found and the author accordingly developed this figure from knowledge gained
through this research project.
The chain of custody is documented from the moment the investigator first approaches the computer and
determines its power status. If the computer's power is off, he/she continues with the Dead Forensic
Acquisition procedure discussed in Section 3.3.1. If the computer is switched on, the investigator first
needs to select whether the data will be copied over a direct crossover cable connection or over the
network. Additionally, he/she needs to decide whether the investigation will take place overtly or covertly.
The difference in operation between an overt and a covert investigation is addressed in Paragraph 5.2.1.
To initiate acquisition, the investigator activates the forensic agent that was installed on the machine
prior to the incident. The forensic agent is a small, covert software component that can be deployed using
standard patch management systems. It functions similarly to a rootkit, software that third parties install
after gaining access to a computer system in order to conceal altered files or processes executing without
the user's knowledge (Wiktionary 2008:Internet). The forensic agent resides in the kernel space of the
computer system, giving the forensic investigator administrative rights to the suspect machine. Because it
runs with kernel privileges, the agent itself forms part of the acquisition footprint: its presence, version and
the actions it performs should be documented in the chain of custody.
Figure 3-3: Live Forensic Acquisition (Own compilation)
During a Live Forensic Acquisition, the agent provides a point of contact for the forensic workstation console,
which the forensic investigator uses to communicate with the suspect computer. The agent allows the
forensic investigator to collect volatile evidence directly from the machine, without the knowledge of the
computer user (BrightForensics 2009:Internet). Once the agent is in place, the suspect system is
connected to the forensic workstation. Agents are designed to be hidden from the user; the cited vendor
states that an agent can only be identified if someone tries to install another agent on the same machine.
The next section looks at how a virtual computer environment can affect an acquisition.
Virtual Environment
During a Live Forensic Acquisition, it is necessary to determine whether the logged on account lies in a
real or virtual environment. In essence, the different environments require the same investigation method.
However, if the logged on account links to a virtual machine, the investigator needs to do further seizure
work to acquire both the real machine’s system image, as well as other possible virtual machines located
on the real machine. It may be difficult to detect whether the forensic investigator accessed a real
computing environment or a virtual machine.
A number of techniques exist that can indicate whether a system is real or virtual. The most popular
technique is hardware fingerprinting (checking for the virtual devices and vendor identifiers that a
hypervisor presents to every guest). This technique is of a very technical nature. A more reliable technique
is to install virtual machine detectors or fingerprinting tools, but this software may have a negative impact
on the forensic soundness of the evidence. Examples of these tools are Red Pill, Jerry, ScoopyNG and
VMware Virtual Machine Detector (MSDN 2009:Internet). An easier technique is to look for:
− copyright notices or vendor strings in various files;
− VMware-specific hardware drivers, Basic Input Output System (BIOS) strings and Media Access
Control (MAC) addresses (VMware assigns guest MAC addresses from its own registered prefixes);
− installed VMware Tools; and
− hardware virtualisation artefacts (e.g. virtualised sets of some registers).
Like Dead Forensic Acquisition, Live Forensic Acquisition allows investigators to acquire a range of
digital data. However, Live Forensic Acquisition can retrieve both static and dynamic, volatile data. This
volatile data includes data residing in the RAM, system and peripheral memory (Forte 2008a:13). These
are often the data sources that are most valuable during a forensic investigation.
This study focuses on developing a comprehensive model for Live Forensic Acquisition. It shows that Live
Forensic Acquisition is a viable countermeasure for the problems of Dead Forensics: not only is Dead
Forensic Acquisition not always able to address modern technology appropriately, but Live Forensic
Acquisition can better handle ever larger hard drives and can read data that would otherwise be
inaccessible, because an encrypted volume mounted on the running system is already decrypted. The next
sections discuss the advantages and disadvantages of Live Forensic Acquisition.
3.3.2.1 Positive Aspects of Live Forensic Acquisition
The forensic discipline in itself brings about a number of advantages that support the process of cyber
investigations and prosecutions. Although the application of Live Forensic Acquisition is in itself more
complicated, the advantages are vast when the acquisition is performed correctly. The list below shows
some of the more prominent advantages:
1. One of the main advantages of forensics, both Dead and Live Forensics, is the ability to retrieve
hidden and deleted data (see Paragraph 3.3.1.1). This retrieved data can be applied in a
number of ways, including inter-organisational disciplinary investigations and jurisdictional court
cases. In addition, Live Forensic Acquisition can access data that is encrypted at rest but decrypted
on the running system.
2. In response to the limitations of Dead Forensic Acquisition, Live Forensic Acquisition has
surfaced as a remedy. This approach allows forensic investigators to retrieve volatile information
specific to the suspect system’s network settings, including any remote server/drive connections
and shared files and folders. Live Forensic Acquisition will also allow the retrieval of domain
information, networked computers and any password constraints (Gallo 2008:20). In many
instances, this information is invaluable to the prosecution of a cyber criminal. It is thus possible
to view the development of Live Forensic Acquisition as an improvement of current methods of
Dead Forensic Acquisition (Nikkel 2006:2).
3. In contrast to Dead Forensic Acquisition, Live Forensic Acquisition can be minimally disruptive
with regard to mission and business critical machines that cannot be shut down. Where it was
previously impractical to shut down the Department of Defence's server or a heart-lung machine
in a hospital, Live Forensics now presents the opportunity to do analysis on actively running
machines. Other examples of business critical systems that can benefit from Live Forensic
Acquisition are mobile networks, air traffic control systems, banking networks and correctional
services' access control systems. The Live Acquisition, however, will have an impact on the
bandwidth availability of the specific network.
4. Live Forensic Acquisition collects information about the running state of the machine. This involves
information about the logged on user account, the currently open network ports, applications
listening on open ports, the state of the network interface (promiscuous or not), system date and
time, as well as active applications and web pages (Mandia, Prosise & Pepe 2003:17).
5. In contrast with the deficiency of Dead Forensic Acquisition, Live Forensic Acquisition enables
forensic investigators to access encrypted file systems while the system is active and the volume is
mounted, so that files are read in their already decrypted form. This proves very helpful in a number
of digital investigations. In addition, because the live system is already running, the forensic agent
works on the logical (mounted) file system and does not need any passwords or keys to access the data.
6. Live Forensics remedies the practical problems that Dead Forensic Acquisition encounters when
the suspect machine has implemented a RAID system (discussed in Paragraph 3.3.1.2 (8)).
During a Live Forensic Acquisition, the data is read through the RAID controller in the normal manner,
as one logical volume, without the need to piece the data together before it can be considered as evidence.
7. Partial extractions are possible. A Dead Forensic Acquisition limits a forensic investigator to
imaging the entire drive. Depending on the size of the drive, this may be a lengthy process. Live
Forensic Acquisition allows the extraction or imaging of selected parts of the suspect drive, such
as Ntuser.dat or the SAM file (Brown 2005b:15). This is especially beneficial if the suspect drive
ranges in the terabytes.
8. The Trojan defence can be tested. During Live Forensic Acquisition, investigators can retrieve the
suspect system's pagefile together with the list of running processes (see point 4). These show whether
a Trojan present on the system was actually active and could have been facilitating a third party to
commit an offence remotely.
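The running-state information in point 4 (open ports, the applications listening on them and the current connections) can be read from the kernel's own tables without installing anything on the suspect machine. The Python program below is an added example, not code from the thesis or from the agent products it cites. It assumes a Linux host and the /proc/net/tcp table format; the three table rows are constructed for the example, not captured from any real system. Each collected artefact is written into a hash-chained record, so that both the content and the order of collection are fixed at the moment of acquisition and any later change to a recorded artefact is detectable. On Windows the equivalent information comes from netstat or the Win32 API rather than from /proc. `parse_proc_net_tcp`, `summarise`, `record_artefact` and `verify_chain` are the example's own names.

```python
import hashlib
import socket
import struct
from datetime import datetime, timezone

# TCP connection states as encoded in the `st` column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample table (sshd and cupsd listening, one outbound HTTPS
# connection); not captured from any system discussed in the thesis.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18231 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19004 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B3A2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 27711 1 0000000000000000 20 4 30 10 -1
"""


def _addr(field):
    """'0F02000A:B3A2' -> ('10.0.2.15', 45986).  The kernel prints the IPv4
    address as a little-endian 32-bit hex value and the port as plain hex."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the table into one dict per socket."""
    entries = []
    for line in text.splitlines()[1:]:          # the first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        entries.append({
            "local": _addr(fields[1]),
            "remote": _addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),            # maps to a process via /proc/<pid>/fd
        })
    return entries


def summarise(entries):
    """Listening ports and established connections, the items recorded first."""
    return {
        "listening_ports": sorted(e["local"][1] for e in entries if e["state"] == "LISTEN"),
        "established": [(e["local"], e["remote"]) for e in entries
                        if e["state"] == "ESTABLISHED"],
    }


def record_artefact(name, content, previous_hash=""):
    """Chain-of-custody entry: the hash covers the previous entry's hash as
    well as the content, which fixes both the data and the collection order."""
    digest = hashlib.sha256(previous_hash.encode() + content.encode()).hexdigest()
    return {"artefact": name, "sha256": digest, "previous": previous_hash,
            "collected_at": datetime.now(timezone.utc).isoformat()}


def verify_chain(records, contents):
    """Re-derive every hash from the stored contents; False on any break."""
    previous = ""
    for rec, content in zip(records, contents):
        expected = hashlib.sha256(previous.encode() + content.encode()).hexdigest()
        if rec["previous"] != previous or rec["sha256"] != expected:
            return False
        previous = rec["sha256"]
    return len(records) == len(contents)


def demo():
    # Collect the most volatile artefact first, then the system clock reading.
    clock = "2009-10-01T08:15:30+00:00"       # constructed output of `date`
    artefacts = [("/proc/net/tcp", SAMPLE_PROC_NET_TCP), ("date", clock)]
    records, previous = [], ""
    for name, content in artefacts:
        records.append(record_artefact(name, content, previous))
        previous = records[-1]["sha256"]
    contents = [c for _, c in artefacts]
    entries = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    return {
        "entry_count": len(entries),
        "summary": summarise(entries),
        "chain_ok": verify_chain(records, contents),
        # a later edit to the first artefact breaks every hash after it
        "tampered_chain_ok": verify_chain(records, [contents[0] + "\n", contents[1]]),
    }


if __name__ == "__main__":
    print(demo())
```

On the constructed table the parser reports ports 22 and 631 listening and one established connection from 10.0.2.15:45986 to 93.184.216.34:443; the inode column is what links each socket back to the process that owns it. The chain verification passes on the recorded contents and fails as soon as one recorded artefact is altered, which is the property the chain of custody needs from a live collection whose source keeps changing after the fact.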
The application of Live Forensic Acquisition addresses some of the more recent technological
developments. However, this relatively new technique has a number of limitations as well.
3.3.2.2 Limitations of Live Forensic Acquisition
Although Live Forensic Acquisition addresses most of the problems associated with Dead Forensic
Acquisition, it brings about additional problems:
1. Many unique practical and legal constraints make the application of Digital Forensics complicated.
These constraints have already been discussed in Paragraph 3.3.1.2 (1). One additional practical
limitation is that Live Forensic Acquisition is much more labour intensive than Dead Forensic
Acquisition and requires a higher level of competency on site (Gallo 2008:48). Live Forensic
Acquisition is also not possible on a machine that is already offline.
2. A lack of standardised procedures leads to uncertainties about the effectiveness of current
investigation techniques. In turn, this has led to the suboptimal use of resources. In some
instances, investigators gather worthless data that takes unnecessary time to collect. In addition, this
data has to be stored and takes up valuable space (Leigland & Krings 2004:3).
3. Anti-forensic toolkits may block the acquisition of evidence. These toolkits are widely available and
may obstruct the collection of evidence from live network sources (Nikkel 2006:2). This may lead to
the acquisition of incorrect data from the suspect machine, affecting the authenticity and reliability of
the digital evidence.
4. Data modification during the acquisition process and the dependence of the forensic acquisition on
the suspect system's OS are two of the more prominent concerns regarding Live Forensic Acquisition.
If the acquisition process alters the data, courts will dismiss the data as forensically unsound. The
investigation into this aspect will contribute to the model for forensically sound Live Forensic
Acquisition, presented in Chapter 14. Linked to the problem of data modification are slurred images,
discussed in detail in Paragraph 5.2.1. This potential for the evidence to keep changing while it is being
acquired is one of the main critiques of Live Forensic Acquisition.
5. Forensic investigators have a limited window of opportunity. Live Forensic Acquisition can only be
performed if the suspect machine is in an active session. The suspect machine needs to be logged
on for the forensic investigator to gain access to it.
6. Bandwidth restrictions can limit or slow down the acquisition process. Since the suspect machine is
live and active, forensic investigators need to connect to the agent installed on the machine via a
network. Copying data as digital evidence from the suspect machine to the forensic workstation
consumes bandwidth, which is especially noticeable if a large number of other users are also using
the network at that time. In addition, large remote acquisitions may have to be done after hours to
accommodate the limited South African bandwidth capacity (Coetzee 2009:Interview).
7. To ensure the success of a Live Forensic Acquisition, forensic readiness should be in place.
Organisations need to be proactive and install the necessary agents on all machines prior to any
incident. In a large organisation, these agents can be distributed to all machines by using network
management software or USB scripts, or by issuing standard organisational clones (with the agent
already installed) to all employees (Coetzee 2009:Interview). Once an incident has taken place, it is only
possible to perform Live Forensic Acquisition if an agent was installed on that particular machine beforehand.
8. Every computer installation is different. Although there are many common components and aspects,
computer users can configure their systems as they wish. For this reason, it is the forensic
investigator’s job to ensure that he/she has sufficient knowledge of a wide variety of hardware,
software and OSs. In addition, the computer may be a single workstation, a server, outsourced or
part of a cloud computing network. It is indeed possible to come across any combination of these
components and the investigator should be prepared to handle all of them. Due to the range of
possibilities provided by Live Forensic Acquisition, forensic investigators should be comfortable with
the acquisition principles and the effect that specific actions may have on the validity of the
evidence. It is further up to the investigator to analyse the situation and apply the forensic
principles in such a way that his/her actions can be justified in a court of law.
This study addresses these limitations to determine whether Live Forensic Acquisition is a viable alternative
to Dead Forensic Acquisition. The next section summarises the current research results, comparing Dead
and Live Forensic Acquisition according to both positive aspects and limitations (presented in the preceding
paragraphs of Section 3.3).
3.3.3 Comparison Between Dead and Live Forensic Acquisition
In conclusion to the discussion on the two Forensic Acquisition approaches, this section summarises the
information presented in the preceding sections. Table 3-1 compares Dead and Live Digital Forensics, based
on the advantages and disadvantages of using the two approaches during a forensic investigation.
Table 3-1: Comparing Dead and Live Forensics (Own compilation)

Positive aspects

Dead Forensics:
• Possible to retrieve hidden and deleted data.
• No modification during the copying process.
• Modern RAMs retain their contents for a short while after power loss, allowing a window of opportunity to do a Forensic Acquisition.

Live Forensics:
• Possible to retrieve hidden, deleted and obfuscated data.
• Possible to retrieve volatile information specific to the system’s network settings.
• Can be minimally disruptive with regard to mission and business critical machines that cannot be shut down.
• Collects information about the running state of the machine.
• Access to decrypted files whilst the machine is active.
• Possible to retrieve readable data from RAID arrays.
• Partial extractions are possible.
• Trojan defence can be proven.

Limitations

Dead Forensics:
• Unique practical and legal constraints.
• A lack of standardised procedures.
• Massive volumes of data lead to complex, time-consuming investigations.
• Cryptography can render a system forensic image useless.
• Passwords and usernames are needed to access the system.
• Data acquired in certain ways may be inadmissible in court.
• Highly disruptive if a mission critical machine needs to be shut down for acquisition.
• Data retrieved from the different disks of a RAID system need to be puzzled together before they can be considered as evidence.
• Volatile network data is regularly lost.
• Trojan defence cannot be argued.

Live Forensics:
• Unique practical and legal constraints.
• A lack of standardised procedures.
• Anti-forensic toolkits may block the acquisition of evidence.
• Data modification is a reality with current Live Forensic practices.
• Limited window of opportunity (acquisition only possible if the system is active).
• Bandwidth restrictions can limit or slow down the acquisition process.
• Forensic readiness: agents need to be installed prior to an incident.
• Customised computer installations complicate the preparation for an investigation.
This comparative table shows that neither Dead nor Live Forensic Acquisition is a foolproof technique.
However, Dead Forensic Acquisition seems to have more limitations, while Live Forensic Acquisition has
more aspects that are positive. The next section will look at the details of the forensic process, as
applied to both Dead and Live Forensic Acquisition.
3.4 The Digital Forensic Acquisition Process
The basic principles for forensics are very simple. However, the variety of computer hardware and
software, and various types of OSs and platforms complicate the Digital Forensic Acquisition process. It is
very rare that the investigator knows exactly what to expect when walking into a field setting. In many
cases, the client will provide some information regarding the number of systems in question, their
specifications and current state. However, if the person does not have substantial computer knowledge,
or is involved in the crime, the provided information may be completely off track. This scenario correlates
with that of traditional forensics, where forensic investigators get calls to a crime scene, but the
information relayed to them is incorrect (Stimmel 2008:1).
In both Dead and Live Forensic Acquisition, the forensic investigators need to be prepared for any
possible scenario. Figure 3-4 shows a sample Digital Forensic Acquisition checklist, presenting a
systematic guideline to the crime scene areas and components the investigator needs to acquire. Within
the context of this study, this checklist merely serves an explanatory purpose and is not a detailed, set
standard for acquisition checklists. The Digital Forensic Acquisition checklist comprises consecutive
steps with a checkbox for each, allowing the investigator to concentrate on the individual tasks. Should
investigators use this technique, it is unlikely that they will forget a step or mix up the order of steps and
so compromise the case (Stimmel 2008:1).
The checklist, identified by the case number and the client name, shows 48 different actions that the
investigator needs to do or components that the investigator needs to acquire. The checklist allows for
an additional 10 searches specified by the investigator to acquire specific evidence in unique cases. For
example, when the state charged Michael Jackson with child molestation in 2003, the investigators
defined and performed a specialised search on his Internet history to look for websites related to child
molestation or pornography (Daniel 2006:Internet). This sample checklist needs to be personalised
depending on the nature of the investigation.
Figure 3-4 shows a two-column checklist headed Case No and Client Name, with a Task, Date and Signature
field for each entry. The 48 entries, in the order they appear in the figure:
Column 1: Received; Photos; Imaged; Verified; BIOS data; Recover files; Malware scan; Signature analysis;
Hash analysis; Info record extract; Graphics file; Initialise case; Link parser; Unique email; Internet history;
Extract documents; Extract sheets; Extract databases; Extract Images; Extract HTML; Extract Midi;
File structure; Document links; Recent.
Column 2: Favourites; My Documents; Desktop; Temp; HTML/Web; Architecture; Search 1; Search 2; Search 3;
Search 4; Search 5; Search 6; Search 7; Search 8; Search 9; Search 10; Accounts; FTK View; Metadata;
Report; Blown to disk; To client; To disk; To tape.
Figure 3-4: Digital Forensic Acquisition Checklist
(Adapted from: Computer Forensics Toolkit 2005:Internet)
Although the Digital Forensic Acquisition process is relatively straightforward and the acquisition
checklist provides an easy-to-follow set of steps, a number of external factors may render the Forensic
Acquisition process unpredictable. However, if there are no irregularities to complicate the acquisition
process, investigators need to access the acquired device and initiate the acquisition with the appropriate
write-blocking strategy, document the chain of custody and securely transport and store the evidence
media (Stimmel 2008:1).
Figure 3-5 presents the generic Forensic Acquisition process, generalising the content of both Figure 3-2
and Figure 3-3 to present the generic steps of any Digital Forensic Acquisition. In addition, Figure 3-5
adds the steps Accusation or incident alert (Casey 2007:104) and Transport and store evidence media,
which are applicable to both Dead and Live Forensic Acquisition. The first step, Accusation or incident alert,
normally triggers the instigation of the forensic process. The last step, Transport and store evidence media,
is normally considered part of the remaining forensic stages (Examination, Analysis and Reporting,
introduced in Paragraph 3.3.1) and is a logical end for the Acquisition stage.
Figure 3-5: The generic Forensic Acquisition process (Own compilation)
This Collection stage is never performed in isolation and therefore the author extended this stage to
include additional aspects (such as the chain of custody, transport and storage). This extended Collection
stage is referred to as the Acquisition process in the remainder of this research study. The next sections
will introduce the steps that form part of the Forensic Acquisition process.
3.4.1 Accusation or Incident Alert
An accusation or incident alert generally is the catalyst for the forensic process. Once the accusation or
alert is made known, actions can be taken to initiate the investigation. Generally, if an organisation has
an internal forensic team, this team would know about the incident alert as it occurs, and should be
notified of all accusations as soon as possible.
This step is the preliminary fact gathering and initial assessment stage. The organisation needs to
decide whether further action is required. If this is the case, the internal forensic team should continue to
apply investigative resources based upon the merits of the evidence examined (Casey 2004a:104). If
the applicable organisation does not have an internal investigating team, an external organisation with
forensic capabilities should be contacted to begin the forensic process.
3.4.2 Approach Computer
This section addresses the second step of Figure 3-5, Approach computer (locally or over the network).
Kruse II and Heiser (2002:5) list three methods that forensic investigators can employ to approach a
computer and access the acquired device. Depending on the acquisition mode that the investigator
chooses to follow, access to the acquired device might be different.
• The first method is to pull the power plug from the back of the computer - Dead Forensic Acquisition.
• The second method is to follow the normal administrative shut down procedure - Dead Forensic
Acquisition.
• The third method is to keep the system running - Live Forensic Acquisition.
The next sections will discuss the need for isolation, as well as the collection of non-technical and
technical information during this step. As a part of accessing the device, investigators need to collect
non-technical and technical information. Some of the information acquired in this manner may provide
the investigator with necessary passwords, or assist them in cracking passwords to access the system.
Isolation
Regardless of the acquisition method used, the first step in any Forensic Acquisition should be the isolation
of both the system and the relevant data. The purpose of this isolation is two-fold: isolation can prevent the
corruption of other systems, reducing the risk of a cascading failure throughout the organisation’s IT
infrastructure, and isolation freezes the state of the affected system, preserving an exact image to assist
in the subsequent investigation (Weise & Powell 2005:16). This isolation generally occurs on both a
physical and a logical system level.
Collecting Non-Technical Information
Investigators should collect information by interviewing system administrators and other users who might
have had contact with the suspect system (Weise & Powell 2005:16). Investigators should always note what
the system administrator and computer users did prior to the arrival of the acquisition team. Although
interviews might not always be possible in the event of a covert acquisition, investigators should still try to
gather as much information about the system before starting the acquisition process. Occasionally it might be
possible to retrieve passwords beforehand, saving a lot of time and effort on the investigator’s side.
Once the system is completely isolated, the investigator should collect all possible non-technical information,
such as the suspect’s office attendance in the days preceding the incident. This information assists in
establishing a probable timeline of events leading to the suspected cyber crime. In many cases, producing
an accurate timeline of events is central to the investigation. It allows investigators to establish the relative
time of events and sequence, correlate events and undertake causal analysis (Stevens 2004:225). The
sooner this collection can start the better for the acquisition, since bystanders often forget relevant facts,
dates and times when investigators only probe them about it long after the incident. At the least, collecting
non-technical information should be able to narrow down the search (Weise & Powell 2005:16).
Collecting Technical Information
Since many different versions of most available hardware and software exist, forensic investigators need
expert knowledge and patience. This will enable them to acquire evidence correctly from any crime
scene with any combination of hardware and software. Occasionally it may be necessary to do additional
research on software encountered on the system. Sometimes expert advice is necessary to take small
devices apart to access the drive. Sometimes a hardware or software incompatibility may cause problems.
On very rare occasions, a forensic hardware failure may delay the acquisition (Stimmel 2008:1).
During any Forensic Acquisition, it is necessary to check the BIOS. The BIOS provides many pieces of
critical information, such as the date and time of the system. It can also provide a variety of other
information, depending on which manufacturer wrote the BIOS software. In addition, it is possible to
identify a Host Protected Area (HPA) and a Device Configuration Overlay (DCO) on the computer’s hard
drive by investigating the BIOS. One method to identify these areas is to compare the hard drive settings
stored in the Complementary Metal Oxide Semiconductor (CMOS) memory with the values on the drive’s label.
Alternatively, the investigator can do a similar comparison with a series of Advanced Technology
Attachment (ATA) commands: IDENTIFY DEVICE reports the number of sectors the drive currently exposes to
the OS, while READ NATIVE MAX ADDRESS reports the highest sector address the drive natively supports; if
the native maximum exceeds the exposed capacity, an HPA is present. A DCO lowers the native maximum
itself, so this pair of commands alone does not reveal it; a DCO only shows up when the native maximum is
compared with the label capacity, or when the DEVICE CONFIGURATION IDENTIFY command is issued.
Some forensic applications, such as EnCase and X-Ways Forensics (discussed on the accompanying CD,
see Forensic tools), also allow for the detection of an HPA. The HPA and the DCO are reserved
areas for data storage outside the normal file system. Since these areas are normally used for specialised
application data and configuration data, forensic investigators do not necessarily search these areas for
additional hidden data. Knowledgeable cyber criminals can store incriminating data in both the HPA and
the DCO (Bedford 2005:269). Should the two sets of compared values differ, the investigator knows that
a hidden area exists and can make a more specialised effort to locate these files.
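To make the comparison concrete, the following Python script (an added example, not part of this thesis or of any tool it discusses) parses an IDENTIFY DEVICE response and compares the capacity the drive exposes with the native maximum and the label capacity. It assumes the investigator has already obtained the raw 512-byte IDENTIFY DEVICE block and the READ NATIVE MAX ADDRESS value from the drive (for instance with hdparm --Istdout and hdparm -N on a Linux forensic workstation); the sample block is constructed inside the script and the sector counts are invented for a hypothetical 1 TB drive.

```python
import struct

# Word offsets in the 256-word (512-byte) IDENTIFY DEVICE response, ATA/ATAPI-6 and later.
W_LBA28 = 60        # words 60-61: user addressable sectors (28-bit LBA)
W_CMD_SET_1 = 82    # bit 10: Host Protected Area feature set supported
W_CMD_SET_2 = 83    # bit 10: 48-bit addressing supported; bit 11: DCO feature set supported
W_LBA48 = 100       # words 100-103: user addressable sectors (48-bit LBA)


def build_identify(user_sectors, lba48=True, hpa_supported=True, dco_supported=True):
    """Construct a synthetic IDENTIFY DEVICE block (sample data, not read from a real drive)."""
    words = [0] * 256
    if hpa_supported:
        words[W_CMD_SET_1] |= 1 << 10
    if dco_supported:
        words[W_CMD_SET_2] |= 1 << 11
    lba28 = min(user_sectors, 0x0FFFFFFF)      # the 28-bit field saturates on large drives
    words[W_LBA28] = lba28 & 0xFFFF
    words[W_LBA28 + 1] = (lba28 >> 16) & 0xFFFF
    if lba48:
        words[W_CMD_SET_2] |= 1 << 10
        for i in range(4):
            words[W_LBA48 + i] = (user_sectors >> (16 * i)) & 0xFFFF
    return struct.pack("<256H", *words)


def parse_identify(data):
    """Extract the capacity the drive currently exposes to the OS, plus the relevant feature flags."""
    if len(data) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    words = struct.unpack("<256H", data)       # ATA words are little-endian 16-bit values
    lba48 = bool(words[W_CMD_SET_2] & (1 << 10))
    if lba48:
        sectors = sum(words[W_LBA48 + i] << (16 * i) for i in range(4))
    else:
        sectors = words[W_LBA28] | (words[W_LBA28 + 1] << 16)
    return {
        "user_sectors": sectors,
        "lba48": lba48,
        "hpa_supported": bool(words[W_CMD_SET_1] & (1 << 10)),
        "dco_supported": bool(words[W_CMD_SET_2] & (1 << 11)),
    }


def hidden_areas(identify, native_max_lba, label_sectors):
    """Compare the three capacity figures the text describes.

    native_max_lba: highest LBA returned by READ NATIVE MAX ADDRESS (EXT); sector count is lba + 1.
    label_sectors:  capacity from the drive label or datasheet, converted to 512-byte sectors.
    The HPA is the gap between the native maximum and what IDENTIFY DEVICE exposes. A DCO lowers the
    native maximum itself, so it only appears when that maximum is compared with the label capacity.
    """
    native_sectors = native_max_lba + 1
    hpa = native_sectors - identify["user_sectors"]
    dco = label_sectors - native_sectors
    return {"hpa_sectors": max(hpa, 0), "dco_sectors": max(dco, 0)}


if __name__ == "__main__":
    # Constructed scenario: 1 TB drive (1,953,525,168 sectors on the label) hiding a 1 GiB HPA, no DCO.
    info = parse_identify(build_identify(1_951_428_016))
    print(info)
    print(hidden_areas(info, native_max_lba=1_953_525_167, label_sectors=1_953_525_168))
```

The label capacity is only a rough upper bound, since manufacturers quote decimal gigabytes, so a non-zero dco_sectors is a prompt to issue DEVICE CONFIGURATION IDENTIFY (hdparm --dco-identify) rather than a measurement in itself. Any change to the drive's maximum address made to expose the hidden areas for imaging must itself be recorded in the chain of custody.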
Once the investigator has identified the existence of an HPA or DCO, he/she can make a full bit-stream copy
of the drive that includes these hidden areas (Stimmel 2008:2). A bit-stream copy only covers the sectors
the drive exposes at the time, so the hidden areas must first be made visible (by temporarily resetting the
drive’s maximum address, a change that must itself be documented) or acquired with a tool that handles the
HPA and DCO explicitly. The forensic investigator performs this acquisition behind a write blocker to prevent
accidental writing to the protected hard drive.
3.4.3 Acquiring the Evidence
This section addresses the third and fourth steps of Figure 3-5, Protect system from evidence modification
and Make a copy of the system (physical or logical). During forensic acquisition, it is possible to write to
the evidence drive accidentally. Since this may lead to the immediate dismissal of the evidence from
court, the investigator should take care not to compromise the evidence. There are two ways to ensure
the protection of evidential data.
Protect the System from Evidence Modification
Protection of evidential data during Dead Forensic Acquisition can be enforced by using a write blocker.
A write blocker allows a system to read data from an external drive at full speed. At the same time, it
blocks any write commands to the external drive to prevent the unauthorised modification or formatting of
the drive under examination (Paralan 2007:Internet). A computer writes data to or reads data from a
storage device via specific commands, transmitting these commands from the computer's interface
connection to the storage device's interface connection. By using a write blocker, the investigator prevents
the forensic computer from writing to the evidence hard drive’s interface (NIST 2003a:4). Figure 3-6
illustrates this.
Figure 3-6: Protecting a dead system from data modification (Own compilation)
There are two types of write blockers: software write blockers and hardware write blockers. A software
write blocker runs on the forensic workstation and intercepts the requests that the OS sends to the
evidence drive, passing read requests through while blocking any command that could modify the hard
drive (NIST 2003b:10). A hardware write blocker is a hardware device that physically sits between the
computer system and the storage device. Its main purpose is to intercept and block any modifying
commands from reaching the storage device (NIST 2003a:4).
Protection of evidential data during Live Forensic Acquisition can be enforced by installing forensic
software agents on the machines before the incident takes place. Paragraph 3.3.2 introduced the use of
these agents. In contrast with Dead Forensic Acquisition where the use of write blockers completely
blocks all writes to the suspect hard drives, a live system needs to write to its hard drive in order to be
considered live. For that reason, a forensic software agent does not prevent writes to the hard drive, but
facilitates the protection of the data during its normal read/write functioning, whilst enabling the forensic
investigator to read otherwise encrypted data. Figure 3-7 shows this interaction.
Figure 3-7: Protecting a live system from data modification (Adapted from: Battistoni, Di Pietro, Di Biagio, Formica & Mancini 2008:9)
The agent serves as the interface between the suspect computer and the forensic investigator. The forensic
investigator therefore never interacts directly with the suspect computer, which limits the opportunity for
data modification. These forensic software agents have been proven forensically sound and are
accepted in courts (Louwrens 2009b:Interview).
The connection between the suspect machine and the mobile forensic workstation may be a direct
connection, should the investigator use a network crossover cable. However, although this setup is able to
capture live data on the suspect machine, a boot disk is required when a crossover connection is made,
and the process is unable to capture the volatile RAM contents or the current processes on the machine.
This specific acquisition is thus neither a purely Dead nor a purely Live Acquisition (Coetzee 2009:Interview).
In all instances, exceptions may occur, allowing data modification on the suspect drive. To protect the
integrity of both the data and the investigator, the investigator needs to document all steps taken as well
as the motivation behind taking the step. In addition, the investigator should be experienced and
appropriately qualified to perform the acquisition. These precautions are necessary should the
admissibility of the evidence be questioned in court.
Make a Forensically Sound Copy of the System
Both write blockers and forensic software agents are considered forensically sound and assist the
forensic process in making copies of the required data on the suspect system. Preserving the evidence
and creating additional copies of the evidence for analysis purposes is a very important step in the
Forensic Acquisition process (Weise & Powell 2005:17). After the physical acquisition, it is necessary to
document the incident and all the actions taken by the investigators. The chain of custody, discussed in
the next section, reflects this documentation.
3.4.4 Chain of Custody
This section addresses the omnipresent step of Figure 3-5, Document chain of custody. In any investigation,
the investigators should be able to account for all the acquired data and devices during the entire extent
of the forensic acquisition process. Technically, this chain of custody should commence the moment the
First Responder enters the crime scene and continue until the court case completes. Although this step
does not only belong to the acquisition process, it forms a fundamental aspect of the case’s validity.
According to Ghelani (2006:Internet), the chain of custody is defined as the “… gathering and preservation of the
identity and the integrity of the evidential proof that is required to prosecute the suspect in court”. Scalet
(2005:Internet) provides another definition: “… a chain of custody is the process of validating how any
kind of evidence has been gathered, tracked and protected on its way to a court of law”. Black’s Law
Dictionary provides yet another definition: “… chain of custody is proven if an officer is able to testify that
he or she took control of the item of physical evidence, identified it, placed it in a locked or protected area
and retrieved the item being offered on the day of the trial”. In essence, it is the maintenance of the
integrity of the evidence from seizure until the time the investigator produces it in court (Trench 1994:16).
The main objective of maintaining chain of custody is to protect the integrity of the evidence. Digital
integrity can be defined as “… the property whereby digital data has not been altered in an unauthorised
manner since the time it was created, transmitted or stored by an authorised source” (Hosmer 2002:1).
The protection of this integrity is only successful if an independent third party can examine the recorded
process and achieve the same results (ACPO 2007:69). Additionally, it serves to make it difficult for a
defence attorney to argue that the forensic investigator tampered with the evidence whilst in his/her
custody (Kruse II & Heiser 2002:6).
The chain of custody procedure is very simple. The evidence-tracking log documents anyone who possesses
the evidence, the time at which they took and returned possession, and why they were in possession of
the evidence. It should also document the case and tracking number, acquisition location, suspect and
evidence type. In general, the evidence-tracking log documents answers to the following questions:
• Who collected the evidence?
• How and where did the evidence collection take place?
• What are the date, time and place of the investigation?
• Who took possession of the evidence?
• What is the acquired evidence’s media-specific description (type, manufacturer, serial numbers
and/or volume names, etc.)?
• What tools were used during the acquisition (type, make, version, etc.)?
• What measures ensure the protection of the evidence in storage? (Forte 2008a:13)
• Who took the evidence out of storage, and why? (Ghelani 2006:Internet; Kruse II & Heiser 2002:8)
• What is the final fate of the evidence: destruction, secure deletion or return to the owner?
If investigators fill this form in diligently, they appropriately maintain the chain of custody. This will
prevent opposing counsel from arguing evidence dismissal on the grounds of evidence tampering (PMI
Evidence Tracker s.a.:Internet). In addition to this manual evidence-tracking log, many Digital Forensic
tools often have their own logging systems to add to a comprehensive log. Complete and accurate chain
of custody logging procedures help to ensure that the court will authenticate electronic data. It is therefore
crucial to ensure that the chain of custody adheres to the prescribed standards (LexisNexis 2008:
Internet). Figure 3-8 shows the chain of custody log, with all the actions relevant to a specific evidence
item logged into the system. It shows the case and tracking number, as well as the individuals taking
and returning custody of a specific item.
Figure 3-8: Chain of custody log (PMI Evidence Tracker s.a.:Internet)
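The following Python module is an added example, not part of this thesis or of the PMI Evidence Tracker product, showing how the evidence-tracking log questions above and the best-evidence hash from the preceding section fit together: it records the acquisition hash of an image, checks a working copy against it, and walks the custody events to find gaps (an item taken while someone else still holds it, an entry out of order, or an item never returned to storage). The case numbers, names and image bytes are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime

STORAGE = "evidence store"   # pseudo-holder used while the item is locked away


@dataclass
class CustodyEvent:
    when: datetime
    handler: str
    action: str              # collected | stored | taken | returned | released
    purpose: str
    location: str


@dataclass
class EvidenceRecord:
    case_no: str
    tracking_no: str
    description: str         # media-specific: type, make, serial number, volume name
    tool: str                # acquisition tool, make and version
    sha256: str              # hash of the best-evidence image computed at acquisition
    events: list = field(default_factory=list)

    def log(self, when, handler, action, purpose, location):
        self.events.append(CustodyEvent(when, handler, action, purpose, location))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire(case_no, tracking_no, description, tool, image, collector, when, location):
    """Create the record for a new evidence item and log the collection as its first event."""
    rec = EvidenceRecord(case_no, tracking_no, description, tool, sha256_hex(image))
    rec.log(when, collector, "collected", "acquisition at scene", location)
    return rec


def verify_image(record, image):
    """True if a working copy still matches the hash recorded at acquisition."""
    return sha256_hex(image) == record.sha256


def custody_gaps(record):
    """Return a list of problems; an empty list means an unbroken chain.

    Rules: events are chronological; the first event is 'collected'; 'taken' is only valid
    while the item is in storage; 'stored'/'returned' must come from the current holder;
    nothing may follow 'released'; at the end the item is in storage or released.
    """
    problems, holder, last = [], None, None
    for i, ev in enumerate(record.events):
        if last is not None and ev.when < last.when:
            problems.append(f"event {i}: out of chronological order ({ev.action} by {ev.handler})")
        last = ev
        if holder == "RELEASED":
            problems.append(f"event {i}: activity after release ({ev.action} by {ev.handler})")
            continue
        if ev.action == "collected":
            if i != 0:
                problems.append(f"event {i}: second 'collected' entry by {ev.handler}")
            holder = ev.handler
        elif ev.action in ("stored", "returned"):
            if holder != ev.handler:
                problems.append(f"event {i}: {ev.handler} {ev.action} item held by {holder}")
            holder = STORAGE
        elif ev.action == "taken":
            if holder != STORAGE:
                problems.append(f"event {i}: {ev.handler} took item while {holder} held it")
            holder = ev.handler
        elif ev.action == "released":
            holder = "RELEASED"
        else:
            problems.append(f"event {i}: unknown action '{ev.action}'")
        if i == 0 and ev.action != "collected":
            problems.append("first event is not 'collected'")
    if holder not in (STORAGE, "RELEASED"):
        problems.append(f"item currently signed out to {holder}")
    return problems


def sample_record():
    """Constructed sample: a valid four-event chain for one hard drive image."""
    image = b"constructed sample image bytes, standing in for a dd output file"
    rec = acquire("CASE-0001", "TRK-0001", "2.5in SATA HDD, serial ZZ000000, volume C:",
                  "dd (GNU coreutils) with hardware write blocker", image,
                  "Investigator A", datetime(2009, 10, 1, 9, 0), "suspect's office")
    rec.log(datetime(2009, 10, 1, 11, 0), "Investigator A", "stored", "secure storage", "lab safe")
    rec.log(datetime(2009, 10, 2, 8, 0), "Analyst B", "taken", "examination", "lab bench 3")
    rec.log(datetime(2009, 10, 2, 17, 0), "Analyst B", "returned", "examination complete", "lab safe")
    return rec, image


if __name__ == "__main__":
    rec, image = sample_record()
    print("image intact:", verify_image(rec, image))
    print("custody gaps:", custody_gaps(rec))
```

The check is deliberately strict: a second "taken" without an intervening "returned" is reported even if the second person is trustworthy, because that is exactly the gap opposing counsel would use to argue tampering. Tool-generated logs (EnCase, FTK and similar keep their own) complement this record; they do not replace the signed human entries.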
The ability to prosecute any case rests on the validity of the evidence usable in court. A court considers
evidence valid if forensic investigators can prove that the evidence is in the same condition as at
seizure. To do this, every person who handled the evidence would have to testify to the condition it was
in before and after it entered their possession. A documented chain of custody is more timeous (Trench 1994:17)
and can replace this long and tedious process. Scalet (2005:Internet) identified a number of rules for
working with the chain of custody:
• Expect that all evidence will end up in court. A poor chain of custody may cause the dismissal of
digital evidence from a court. Since it is impossible to know the extent of the investigation
beforehand, it is better to treat all investigations as court material. Even a simple internal
investigation of an employee may escalate to a court case if you uncover details that prove it
necessary.
• Guard the "best evidence" closely. Investigators refer to the original image of a hard drive as the
best evidence. The investigator should attach the chain of custody log to this best evidence and
ensure sufficient and secure storage. Storage should preferably be either offsite or in a fireproof
safe. As far as possible, investigators should never work with the best evidence. It is better to
create a second copy and keep the best evidence as back up.
• Chain of custody logs should always be up-to-date. Every time somebody handles the evidence,
he/she needs to update the chain of custody log. This is very important to prove the authenticity
of the evidence in court.
• Do not submit the hardware to court unless you have to. Courts accept validated copies of best
evidence. Therefore, it is unnecessary to submit the original hardware or best evidence as
evidence. In most cases, an affidavit supports the submission of a copy of the best evidence.
Additionally, the original evidence remains safe in storage throughout the entire investigation.
3.4.5 Transport and Storage of Evidence
This section addresses the last step of Figure 3-5, Transport and store evidence media. To complete the
Digital Forensic Acquisition process, investigators transport the evidence from the crime scene to the
forensic laboratory. At the laboratory, the evidence will be stored securely.
3.4.5.1 Handling and Preservation during Transportation
Digital evidence can be stored in various forms and on any of a number of different media. These media
are subject to inadvertent alteration, degradation and loss (PoliceOne.com 2008:Internet). Forensic
investigators need to take all the necessary precautions to ensure that the digital evidence is handled
according to forensic best practice and transported in a safe and secure manner to the forensic
laboratory. Table 3-2 shows some guidelines regarding removable storage media.
Table 3-2: Handling and preservation guidelines for digital evidence media (Australian Government 2008:Internet, Gallo 2008:28, ISO 2009:12-18, PoliceOne.com 2008:Internet, Preservation101 2006:Internet, Wikirank 2009:Internet)

Media type: Optical Media – CDs and DVDs
• Do not label optical media with adhesive material directly on the surface.
• Do not use permanent markers to label CDs/DVDs.
• The top side of a CD is more fragile and scratch-prone than the top of a DVD. However, special care should be taken to prevent both media types from scratching.
• Fingerprints, smudges and scratches may interfere with the ability of the laser to read the data layer on the optical media. Investigators should handle optical media in such a manner as to avoid these interferences.
• For reliable long-term backup storage, Gold CD-R (Compact Disc-Recordable) and DVD-R (Digital Video Disc-Recordable or Digital Versatile Disc-Recordable) are preferred by experts over similar media.

Media type: Flash memory – USBs, memory sticks, solid state drives and digital cameras
• Do not expose media to static electricity by using plastic bags for transporting or photocopying serial numbers as part of the chain of evidence.
• Flash memory devices need to be secured using anti-static bags.
• Never remove the device or turn off power while writing.
• Do not expose flash memory devices to direct sunlight or excessive humidity.
• Flash memory devices can sustain a limited number of write and erase cycles before failure. Investigators should handle flash disks only when necessary, and preferably back up on other media as well.
• Do not expose flash memory devices to corrosive environments that can hasten the degradation of the disks.
• Remove the power supply cable by first removing the end attached to the computer, not the end attached to the socket. This prevents the system from writing data to the computer’s storage media if it is fitted with an uninterruptible power supply (UPS).
• Evidence labels should not be placed directly on the mechanical parts of electronic devices, nor should they cover or conceal information such as the serial number, model number or part number.
• Although flash memory devices often have a hard protective casing, a hard bump or drop may damage the inner workings of the device, damaging the potential digital evidence.

Media type: Mobile disk drives
• Do not expose media to static electricity by using plastic bags for transporting or photocopying serial numbers as part of the chain of evidence.
• Mobile disk drives need to be secured using anti-static bags.
• Remove the power supply cable by first removing the end attached to the computer, not the end attached to the socket. This prevents the system from writing data to the computer’s storage media if it is fitted with a UPS.
• Evidence labels should not be placed directly on the mechanical parts of electronic devices, nor should they cover or conceal information such as the serial number, model number or part number.
• Although mobile disk drives often have a hard protective casing, a hard bump or drop may damage the inner workings of the drive, damaging the potential digital evidence.
• Do not expose mobile disk drives to direct sunlight or excessive humidity.

Media type: Mobile phones
• Do not expose media to static electricity by using plastic bags for transporting or photocopying serial numbers as part of the chain of evidence.
• Mobile phones need to be secured using anti-static bags.
• Collect all associated mobile device items such as charger, memory card, SIM card and cradle for synchronisation with a computer.
• Evidence labels should not be placed directly on the mechanical parts of electronic devices, nor should they cover or conceal information such as the serial number, model number or part number.
• Special care should be taken not to depress any of the mobile phone’s buttons, since this may be considered as tampering with the evidence.
• If the mobile device is switched off, carefully package, seal and label the device to avoid any accidental or deliberate depression of the keys.
• Place mobile phones in a Faraday box to prevent the device from connecting to the network and sending/receiving messages; radio frequency shielding material or aluminium foil can be used.
• If the device is left on, the battery life will be reduced due to power loss. These devices should be delivered to the forensic lab as soon as possible and charged in a monitored environment.

Media type: Laptops
• Do not expose media to static electricity by using plastic bags for transporting or photocopying serial numbers as part of the chain of evidence.
• Laptops need to be secured using anti-static bags.
• Remove the power supply cable by first removing the end attached to the computer, not the end attached to the socket. This prevents the system from writing data to the computer’s storage media if it is fitted with a UPS.
• Evidence labels should not be placed directly on the mechanical parts of electronic devices, nor should they cover or conceal information such as the serial number, model number or part number.
• Remove the main power source battery of the laptop. Ensure the volatile data is acquired before removing the battery.
• Disconnect and secure all cables from the computer and label the ports so that the system can be reconstructed at a later stage.
• Remove the main power source battery from the laptop after ensuring that the laptop is powered off and not in standby mode (some laptops may power on when the lid is opened).
• If the device is left on, the battery life will be reduced due to power loss. These devices should be delivered to the forensic lab as soon as possible and charged in a monitored environment.
• Collect all associated laptop device items such as charger, memory card and cradle.
• If the laptop is live, either an individual should be designated or a Mouse Jiggler employed to prevent the screen saver from activating and potentially locking the system from use.

Media type: Magnetic media
• Do not expose media to static electricity by using plastic bags for transporting or photocopying serial numbers as part of the chain of evidence.
• Magnetic media need to be secured using anti-static bags.
• Magnetic media consist of a carrier of plastic film coated with magnetisable particles and should be handled as carefully as possible.
• Investigators should only remove items from their protective packaging for immediate use.
• Magnetic tape should not be touched, but rather picked up by its protective case. Investigators should always wear lint-free gloves and ensure that hands are clean and dry. Labels should be stuck onto the protective case and not directly onto the magnetic tape or disk.
• Magnetic media should never be stored in paper or cardboard enclosures, which tend to generate dust that interferes with the media’s functioning. Investigators should store magnetic media in cases made of nonmagnetic immobile material, such as polypropylene.
• Magnetic media should never be flexed or bent. Place tape over the floppy or stiffy disk slot, if present.
• Investigators should label evidence with ink rather than pencil, since the pencil’s graphite dust can interfere with the reading of the disk or tape.
• Cassettes and tapes should be wound to the end of one side after use, and not be left in a partly wound state for any length of time.
• Magnetic media should not be bumped or dropped, since these actions can drastically damage the stored data.
• Evidence labels should not be placed directly on the mechanical parts of electronic devices, nor should they cover or conceal information such as the serial number, model number or part number.

Media type: Computer peripherals
• Computers and digital devices should be packaged in such a way as to prevent damage from shock and vibration during transportation.
• Evidence labels should not be placed directly on the mechanical parts of electronic devices, nor should they cover or conceal information such as the serial number, model number or part number.
• All peripherals should be placed in aerated packaging to prevent mould growth.
• Keep all peripherals out of direct sunlight and high humidity.
Table 3-2 provides some guidelines regarding the handling and preservation of storage media and other
digital devices containing potential digital evidence. This list is not comprehensive, but gives the forensic
investigator basic guidance. Some preservation principles are applicable to all/most storage media and
other digital devices. These general guidelines are listed below:
• Seal the acquired digital data by using hashing algorithms, digital signatures or biometric
features. This is necessary to confirm that the contents of the copied image have not been
spoiled or tampered with since the image was created.
− Hash the original data by using any hashing function specified in ISO/IEC 10118 and
record the hash value to prove that the data acquired is an exact copy of the original data.
− Digital signatures are a secure method of binding the identity of the signer with digital data
integrity methods. It involves attaching a piece of code to an electronically transmitted
message with the sole purpose of establishing identity.
− Biometrics uses physical and behavioural characteristics to determine the identity of an
individual (ISO 2009:14,15).
• All devices collected should be sealed with tamper evident seals, labelled and signed.
• Storage media should be wrapped or placed in appropriate packaging suitable for the nature of
the media, e.g. shrink-wrap plastic to avoid contamination of the media prior to transportation,
and shock-resistant packaging to avoid physical damage to the media. All digital evidence
should be packaged in a manner that will prevent it from being bent, scratched or deformed.
The ideal would be to transport evidence in tamper-evident packaging.
• If the device/media has a power button, the forensic investigator should place a strip of tape
over this button to prevent accidental powering on/off.
• Digital evidence may contain latent, trace or biological evidence and the forensic investigator
should take the appropriate steps to preserve it. Digital evidence imaging should be done
before latent, trace or biological evidence processes are conducted on the evidence.
To ensure that nobody tampers with the evidence during transportation, the last investigator to handle
the evidence at the crime scene should seal the package. He/she then labels the package and signs the
seal. If anybody attempts to open the package, the seal will be broken and the signature spoiled. Every
time somebody needs to access the evidence, the old package should be put into a new package, and
the new package be sealed and signed (Kruse II & Heiser 2002:11).
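The hashing step in the sealing guideline above (hash the original with an ISO/IEC 10118 function, record the value, re-verify the copy later) and the re-sealing rule for every access (the old package goes into a new sealed, signed package) can both be expressed in code. The following Python example is added here for illustration and is not part of the thesis. It uses SHA-256 as the ISO/IEC 10118-3 hash function and models the nested re-sealing as a hash-chained custody log in which each entry is sealed over the previous entry's seal, so that an altered earlier entry invalidates every later one. The sample "device contents", the investigator names and the HMAC key are constructed for the demonstration; the HMAC seal stands in for the investigator's digital signature, which is an assumption of the example.

```python
"""Integrity sealing of an acquired image and a hash-chained custody log.

Added example, not the thesis's own code. SHA-256 is one of the hash
functions specified in ISO/IEC 10118-3. The custody log's HMAC seal is a
stand-in for a digital signature (assumption); the sample data, the key
and the investigator names are constructed for this demonstration.
"""
import hashlib
import hmac
import json

# Constructed sample: pretend this is the source device's contents.
SOURCE_DATA = b"\x00" * 512 + b"case-evidence-sample" + b"\xff" * 512


def hash_data(data: bytes) -> str:
    """SHA-256 digest (ISO/IEC 10118-3 function) as a hex string."""
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes) -> tuple:
    """Produce a bit-for-bit copy and the hash recorded at acquisition time."""
    image = bytes(source)  # simulates the imaging step
    return image, hash_data(source)


def verify_image(image: bytes, recorded_hash: str) -> bool:
    """True when the copy still matches the hash recorded at acquisition."""
    return hmac.compare_digest(hash_data(image), recorded_hash)


class CustodyLog:
    """Append-only log; each entry's seal also commits to the previous seal,
    mirroring the rule that every access wraps the old sealed package in a
    new one. Editing or removing an earlier entry breaks all later seals."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _seal(self, entry: dict, prev_seal: str) -> str:
        payload = json.dumps(entry, sort_keys=True).encode() + prev_seal.encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def add(self, investigator: str, action: str, evidence_hash: str) -> dict:
        prev = self.entries[-1]["seal"] if self.entries else ""
        entry = {"seq": len(self.entries), "investigator": investigator,
                 "action": action, "evidence_hash": evidence_hash}
        entry["seal"] = self._seal(entry, prev)  # sealed over the body + previous seal
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Index of the first entry whose seal fails, or -1 if the chain is intact."""
        prev = ""
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "seal"}
            if not hmac.compare_digest(self._seal(body, prev), e["seal"]):
                return i
            prev = e["seal"]
        return -1


def demo() -> dict:
    """Acquire, log two custody events, then show that tampering with the
    copy or with an earlier log entry is detected."""
    image, recorded = acquire(SOURCE_DATA)
    log = CustodyLog(key=b"constructed-demo-key")
    log.add("Investigator A", "acquired image at scene", recorded)
    log.add("Investigator B", "opened package at lab, re-sealed", hash_data(image))
    intact_before = verify_image(image, recorded) and log.verify() == -1
    # Flip one bit in the copy and edit the first custody entry after the fact.
    tampered = bytearray(image)
    tampered[600] ^= 0x01
    log.entries[0]["action"] = "edited after the fact"
    return {"intact_before": intact_before,
            "image_ok_after_tamper": verify_image(bytes(tampered), recorded),
            "first_bad_entry": log.verify()}


if __name__ == "__main__":
    print(demo())
```

In practice the recorded hash and each log entry would be written to the chain of custody document at the time of the event; `verify_image` is what the laboratory runs before examination, and `CustodyLog.verify` locates the earliest entry that no longer matches its seal.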
To ensure correct identification, the investigator should tag each evidence media with the client name,
attorney’s office and evidence number. It is required that each evidence media links up with a chain of
custody document, a job and an evidence number (Stimmel 2008:2). Both during transportation and
storage, the evidence should be stored in static-free packaging. Generally, the pink bubble wrap is used
(Kruse II & Heiser 2002:11).
3.4.5.2 Storage Guidelines
Some court cases are postponed several times, stretching over a number of years. Accordingly, it is
necessary to control bit rot. According to Church (2007:Internet), bit rot can be defined as “… the
degradation of magnetic media over time”. It can be hugely problematic if the evidence has deteriorated
beyond use when the court date comes up. It is therefore crucial to protect the evidence as best as
possible, and use the original data as little as possible. This will not stop the deterioration, but at least
slow it down a bit (Australian Government 2008:Internet).
Table 3-3 provides some guidelines regarding the storage of digital evidence media and other digital
devices containing potential digital evidence. This list is not comprehensive, but gives the forensic
investigator basic guidance.
Table 3-3: Storage guidelines for digital evidence media (Australian Government 2008:Internet, Gallo 2008:28, ISO 2009:12-18, Patriot Memory 2009:Internet, PoliceOne.com 2008:Internet, Preservation101 2006:Internet, Wikirank 2009:Internet)

Media type: Optical Media – CDs and DVDs
• Keep optical media away from direct sunlight.
• Keep optical media away from high humidity to prevent fungal growth between the physical layers.
• Optical media should be stored in a temperature range of 18 – 23°C and a humidity range of 30 – 50% (ISO 9660 compliance). Higher temperatures may cause the disks to warp or crack.
• Keep multiple copies for added protection.
• Extensive exposure to ultraviolet light will accelerate the deterioration of the dyes used in optical media, making disk reading difficult.
• With proper care, optical media should be able to last up to 3 years.

Media type: Flash memory – USBs, memory sticks, solid state drives and digital cameras
• Keep flash disks away from static electricity.
• Do not expose flash disks to direct sunlight, excessive humidity or corrosive environments.
• Flash memory devices may be stored in a temperature range of 5 – 70°C. They are generally able to retain data for 5 years if stored at the optimum 25°C.

Media type: Mobile disk drives
• Keep mobile disk drives away from static electricity.
• Do not expose mobile disk drives to direct sunlight or excessive humidity.

Media type: Mobile phones
• Keep mobile phones away from static electricity.
• A live mobile phone needs to be constantly monitored to ensure that the battery does not run flat and spoil digital evidence. Mobile phones may be charged in a monitored environment to ensure the availability of the evidence.
• Mobile phones need to be stored in Faraday boxes to prevent the devices from connecting to the network.

Media type: Laptops
• Keep laptops away from static electricity.
• A live laptop needs to be constantly monitored to ensure that the battery does not run flat and spoil digital evidence. Laptops may be charged in a monitored environment.
• Laptops need to be stored in Faraday boxes to prevent the devices from connecting to the network.
• If the laptop is live, a Mouse Jiggler should be employed to prevent the screen saver from activating and potentially locking the system from use.

Media type: Magnetic media
• Keep magnetic media away from static electricity.
• Investigators should only remove items from their protective packaging for immediate use.
• Magnetic media should never be stored in paper or cardboard enclosures, which tend to generate dust that interferes with the media’s functioning. Investigators should store magnetic media in cases made of nonmagnetic immobile material, such as polypropylene.
• Cassettes and tapes should be wound to the end of one side after use, and not be left in a partly wound state for any length of time.
• Dust, grease and chemical pollutants promote oxidative deterioration and moisture condensation on the magnetic layer, and can interfere with the playback head/tape interaction and result in a weakened playback signal.
• Print-through occurs when tapes are stored for long periods without active usage. This is the transfer of a signal from one loop of tape onto an adjacent loop, similar to a carbon copy, resulting in poor signal quality.
• Magnetic tapes are inclined to support mould growth. The tapes’ mechanical pieces trap pockets of air to create an ideal growing environment.
• Magnetic media should be stored in a temperature range of 18 – 20°C, and humidity should range between 35 and 40%. If the humidity rises to around 60%, mould will start to grow. More than 10% humidity variance in 24 hours or too high a temperature will deteriorate items faster.
• Variable temperature and humidity levels may cause changes in the magnetic and base layers: either they can separate completely, or adjoining layers can stick together. High temperatures may also weaken or demagnetise the magnetic layer.
• Magnetic media should ideally be stored in closed metal cabinets to provide extra protection against heat and dust.

Media type: Computer peripherals
• Keep all peripherals away from static electricity.
• Do not expose peripherals to direct sunlight, excessive humidity or corrosive environments.
Some storage principles are applicable to most/all storage media and other digital devices. These
general guidelines are listed below:
• The collected digital device(s) should be stored in a secure, climate controlled environment or a
location that is not subject to extreme temperature or humidity. It should not be exposed to
magnetic fields, dust, vibration, or any other environmental elements that may damage it.
• Storage areas should be fitted with special alarm systems, such as VESDA (Very Early Smoke
Detection Alarm). These systems provide early warnings of fire or high dust levels.
• Storage areas need to be completely void of magnets or magnetic fields. The areas should
also be free from potential sources of dust.
• Exposure to ultraviolet (UV) light will also hasten degradation. It is necessary to invest in
fluorescent tubes with UV-filters and a light meter to measure the level of UV light. The
investigator needs to ensure that these levels never exceed 75µW/lumen. The overhead lights
should be off when not in use (Australian Government 2008:Internet).
• All stored media should periodically be reviewed and reread to determine the status of bit rot.
These guidelines will assist forensic investigators in correctly handling, preserving and storing digital
evidence media. This is a very important aspect of the Digital Forensic Acquisition process.
3.4.6 Closing the Digital Forensic Acquisition Process
Section 3.4 focused on the Forensic Acquisition process, more specialised than the generic Digital Forensic
process discussion in Section 3.3. This section provided technical details to aid the understanding of the
Digital Forensic Acquisition process, focusing on all the steps that are necessary to ensure a successful
Forensic Acquisition: accessing the acquired device and initiating the acquisition with the appropriate
write-blocking strategy, the chain of custody and media transport and storage.
This section on the Digital Forensic Acquisition Process includes more detail than the original Digital
Forensic stage Collection (the acquisition process includes the accusation or incident alert, the entire
Collection stage, as well as the chain of custody, transport and storage of the evidence). Although this
acquisition is only a small part of the Digital Forensic process, it is the focus point of this particular study.
Therefore, Examination, Analysis and Reporting were not discussed in this section.
The next paragraph summarises the content of Chapter 3 and puts the chapter into context with Chapter
2 and Chapter 4. The summary also presents a number of drivers identified from Chapter 3 that can
assist in the later development of the Liforac model.
3.5 Summary
Chapter 3 introduced the field of Digital Forensics by defining necessary terminology and presenting a
basic historical timeline. This chapter mainly focused on two aspects of Digital Forensics: the Digital
Forensic process and the forensic acquisition process as a subsection of the Digital Forensic process.
In the Digital Forensic process discussion, this chapter established a knowledge foundation based on
different Digital Forensic Acquisition approaches: Dead and Live Forensics. This chapter discussed both
the advantages and disadvantages of these techniques and compared them in tabular format (Table 3-1).
The forensic acquisition process discussion introduced and explained the steps necessary to ensure a
successful Forensic Acquisition, whether the investigator uses Dead or Live Forensic Acquisition.
In summary, the 12 drivers identified from Chapter 3 to contribute to the development of the Liforac
model are as follows, with the originating paragraph between brackets:
• A formal Digital Forensic definition ensures understanding of the discipline. This definition forms
the core of the Liforac model in determining what relates to the model and what does not
(Paragraph 3.1);
• The retrospective profiling nature of Digital Forensics can contribute to the legal understanding of
the discipline. Although this specific aspect would probably not be adopted into the Liforac
model, the historic value contributes to the understanding of the discipline within the legal
context (Paragraph 3.2);
• The contamination of the crime scene by a negligent investigator can render the evidence
inadmissible in court, as stipulated in forensic related legislation. This driver is key to the Liforac
model and determines the admissibility of evidence in court (Paragraph 3.2);
• The current debate on either pulling the plug, or exercising the analysis on a live, running system
has an impact on both legislation regarding the discipline and the amount of forensic
knowledge that an investigator needs to possess (Paragraph 3.3);
• The Digital Forensic methodology consists of three important steps that need to be performed
meticulously to ensure evidence admission in court. This methodology directly influences the
sequence of activities required by the Liforac model (Paragraph 3.3);
• The complete Digital Forensic process consists of four stages that support the Digital Forensic
methodology when performed in order. These four stages are the foundation for the forensic tool
analysis in Chapter 4, and direct the Liforac model development (Paragraph 3.3.1);
• A formal First Responder definition supports a better understanding of the discipline. The
Liforac model focuses on the development of an acquisition model and accordingly First
Responders will play a prominent role in the enacting of the model (Paragraph 3.3.1);
• Comparison between Dead and Live Forensics widens the forensic knowledge base and
introduces potential new problems that need to be addressed by the Liforac model (Paragraph
3.3.3, Table 3-1);
• A consistently unpredictable field setting requires knowledgeable forensic investigators and
introduces new problems that need to be addressed by the Liforac model (Paragraph 3.4);
• The generic forensic acquisition process applies to both Dead and Live Forensic Acquisition and
consists of stages that need to be incorporated into the Liforac model (Paragraph 3.4, Figure 3-5);
• A formal chain of custody definition supports a better understanding of the discipline. Chain of
custody plays an important part in the admissibility of forensically sound evidence in court and
accordingly is a very important driver for the Liforac model (Paragraph 3.4.4);
• Investigators should be trained to protect the integrity of the evidence at all times in order to
address some of the problems identified by the Liforac model (Paragraph 3.4.4).
When considered individually, some of these drivers suggest a knowledge component while others refer
to stages or steps that imply some link with time or sequence. These two themes will influence the
identification of possible dimensions for the Liforac model.
At the completion of Part 1, this study has completed Objective A, the Digital Forensic discipline. Chapter 2
introduced the study whilst Chapter 3 introduced the Digital Forensic discipline, focusing on both Dead
and Live Forensic Acquisition. Chapter 4 will now extend this objective by examining a number of tools
developed for Digital Forensic investigations. This chapter builds on Chapter 3 by elaborating on the
existing knowledge base of forensic methodologies. Each of the identified Digital Forensic toolkits is
discussed according to the forensic stages identified in Paragraph 3.3.1 (listed under Definition). Part 2
will now introduce this chapter.
Part 2: Live Forensic Acquisition
This study, Liforac - A Model For Live Forensic Acquisition, divides into four distinct parts (originally
presented in Figure 1-1). Figure Part 2-1 presents the status of the Liforac model development study.
Part 1 has already been completed. Part 2, Live Forensic Acquisition, investigates the current Digital
Forensic environment and comprises three chapters of the study.
Figure Part 2-1: Part 2 of the Liforac model development study
Chapter 4, Forensic Tools, presents a literature survey of a number of popular Digital Forensic tools.
Although this list is by no means exhaustive, it provides background knowledge to understand the process
depicted in Part 2. A basic understanding of some of these tools will enforce deeper understanding of
some of the forensic principles that form an integral part of the proposed Liforac model.
Chapter 5, Current Application of Live Forensics, provides background knowledge on the developing
Live Forensic technology. This chapter looks at the advances Live Forensic Acquisition has made in the
areas in which traditional Dead Forensic Acquisition lacks and focuses on the problems that arise with the
application of Live Forensic Acquisition. This chapter also introduces forensic concepts such as evidential
weight and validity of digital evidence. Chapter 5 concludes with a discussion on currently applied software
and hardware Live Forensic Acquisition techniques. The rationale behind Chapter 5 is to focus on specific
Live Forensic Acquisition practices that are currently applied around the globe.
Chapter 6, Forensically Sound Live Forensic Acquisition Admissible in Court, focuses on the term
forensic soundness and measures different kinds of evidence retrieved through Live Forensic techniques
according to its definition. This chapter identifies a number of potential problems that may render digital
evidence inadmissible in court. It also compares Digital Forensics with Biological Forensics and discusses
the volatile nature of Digital Forensics.
Chapters 4, 5 and 6 focus on the internal workings of the Live Forensic technology and lay the foundation
for the application of Live Forensic Acquisition as sound practice. They familiarise the reader with the
concepts of forensic soundness and inadmissibility in a court of law. Chapter 4 will now introduce the
currently used forensic tools, as applied in a number of countries.
Chapter 4: Forensic Tools
“The kids are fascinated by it. Teachers want to grab that interest and motivate them to do better in science. It’s very exciting and dramatic because of the cinema sense to it, but the real forensic sciences is a serious sober business.”
- Jim Hurley
Part 1 focuses on setting the scene for Digital Forensic analysis. Chapter 2 introduced the study holistically
and Chapter 3 introduced the field of Digital Forensics, focusing on Dead and Live Forensics. Chapter 4 will
now examine tools applicable to Digital Forensics. This chapter will look at tools for different OSs and
discuss them according to functionality in the different forensic stages identified in Paragraph 3.3.1 (listed
under Definition).
The unique needs of Digital Forensics spurred the creation of specialised tools and techniques (Fei 2007:24)
to ensure the proper acquisition and preservation of digital evidence to maintain the integrity of digital
evidence. This tool discussion is two-fold: it provides background information and an understanding of
how forensic tools assist investigators in the Forensic Acquisition process, whilst the advantages and
limitations discussed can assist in the development of a comprehensive, forensically sound Live Forensic
Acquisition model in Part 4 of this study.
Figure 4-1 indicates the current level of progress with regard to identifying building blocks for the Liforac
model. Chapter 4 partly fulfils Objective A, Digital Forensic discipline (originally presented in Figure 2-2).
Figure 4-1: Liforac model progress - Digital Forensic discipline (b) (Own compilation)
4.1 Introduction
In order for forensic investigators to do a thorough Digital Forensic Acquisition, it is necessary to have the
correct supporting software packages and applications. This is true whether the acquisition is dead or
live. For that reason, investigators can use Digital Forensic tools developed to assist in conducting accurate
and comprehensive acquisition, ensuring appropriate acquisition techniques and preservation of digital
evidence (Fei 2007:30).
There are a number of Digital Forensic tools on the market, each differing in characteristics and applications.
Many platform specific tools exist, whilst some tools perform on multiple platforms. Figure 4-2 shows the
total market share (current in August 2009) related to OSs. Based on these statistics, Chapter 4 will look
at forensic tools, toolkits and suites from the Windows, Mac and Linux OSs. Although the Windows OS
is the holder of the majority market share, Mac and Linux have a more than 1% share and warrant a brief
tool discussion.
Figure 4-2: Operating System market share (Format adapted: Market Share 2009:Internet)
In addition, this chapter will also look at forensic tools, toolkits and suites from the Microsoft Disk Operating
System (DOS) environment. DOS was first introduced in 1981 and was the main OS for all IBM compatible
computers until the launch of Windows 95 in 1995. Although DOS is rarely used as an OS nowadays, it was
running on more than 100 million computers worldwide in 1994 (White 2005:Internet). Many modern OSs
incorporate the DOS prompt from the original DOS. Modern forensic tools address this, often
performing critical portions of the investigation at DOS level.
Figure 4-3 shows the four OSs mentioned, with a selection of forensic tools, toolkits and suites relevant to
them. From the Windows environment, this chapter looks at eight packages, from the Mac environment
six packages, from the Linux environment seven packages and from the DOS environment five packages.
Some of the packages are multi-platform. The author chose the tools based on industry popularity and
availability.
Figure 4-3: Forensic investigation tools, toolkits and tool suites (Own compilation)
To complement the range of activities of a forensic investigator, it may be necessary to employ a number
of different forensic tools. Although many of the tools have overlapping functionalities, some software
developing organisations included unique functions and capabilities to specific tools to make them
exclusive and a preferable choice for forensic investigators. The next section shows a comparative
classification of the Digital Forensic tools shown in Figure 4-3. The accompanying CD provides a more
in-depth discussion of the individual tools (see Forensic tools).
4.2 Classification of Digital Forensic Tools
Earlier research done by Fei (2007:54) provides a Digital Forensic tool classification founded on the
Windows, DOS and Linux platforms. This research is extended to include additional forensic packages for
these platforms, as well as tools for the Mac platform. In support of this classification process, the
accompanying CD presents a more comprehensive portrayal of the relevant forensic suites. This
classification is borrowed directly from Fei’s research, adapting it to add additional packages and
Live Forensic Acquisition capabilities.
This study presents the tools included in the classification according to the forensic stages identified in
Paragraph 3.3.1 (listed under Definition): Collection, Examination, Analysis and Reporting. Although the
study focuses only on the acquisition of forensic evidence (the extended Collection stage), this chapter
discusses the three other forensic stages to present a thorough understanding of the Digital Forensic
process and how acquisition fits within the bigger forensic framework. Table 4-1 shows a brief summary
of the tools and the forensic stages in which they apply. This table can be of assistance when selecting
the right tool. No single tool, toolkit or suite can retrieve all evidence from a system. It is recommended
to use a combination of tools to facilitate more effective investigations (Coetzee 2009:Interview).
Table 4-1: Forensic abilities of investigation tools, toolkits and tool suites (Own compilation, adapted from: Fei 2007:54)
Columns: Collection, Examination, Analysis, Reporting, Live Forensic Acquisition capabilities. Each ✓ marks one column supported by the tool; in this copy of the table only the number of ticks per tool survives, not the column position of each tick.

Windows-based
EnCase Forensic ✓ ✓ ✓ ✓
EnCase Enterprise ✓ ✓ ✓ ✓ ✓
Forensic Toolkit ✓ ✓ ✓ ✓
FTK Enterprise ✓ ✓ ✓ ✓ ✓
X-Ways Forensics ✓ ✓ ✓ ✓ ✓
MacForensicsLab ✓ ✓ ✓ ✓ ✓
Perl ✓ ✓ ✓ ✓ ✓
ProDiscover Forensics ✓ ✓ ✓ ✓ ✓

Mac-based
BlackBag Forensic Suite ✓ ✓ ✓ ✓ ✓
Autopsy Forensic Browser ✓ ✓ ✓ ✓
Forensic Toolkit ✓ ✓ ✓ ✓
FTK Enterprise ✓ ✓ ✓ ✓ ✓
MacMarshal ✓ ✓ ✓ ✓
MacForensicsLab ✓ ✓ ✓ ✓ ✓

Linux-based
EnCase Forensic ✓ ✓ ✓ ✓
EnCase Enterprise ✓ ✓ ✓ ✓ ✓
SMART ✓ ✓ ✓ ✓
Autopsy Forensic Browser ✓ ✓ ✓ ✓
The Coroner’s Toolkit ✓ ✓ ✓ ✓
MacForensicsLab ✓ ✓ ✓ ✓ ✓
Perl ✓ ✓ ✓ ✓ ✓

DOS-based
EnCase Forensic ✓ ✓ ✓ ✓
EnCase Enterprise ✓ ✓ ✓ ✓ ✓
ByteBack ✓
SafeBack ✓ ✓
X-Ways Forensics ✓ ✓ ✓ ✓ ✓
Fei (2007:54) classified the original list of tools informally, without scientific validation. He compared
the packages used by forensic investigators according to their analysis capabilities, which allowed more
comprehensive tools to be distinguished from less comprehensive ones. Fei's original classification
focused on the general Digital Forensic process and did not clearly distinguish between Dead and Live
Forensic Acquisition. Table 4-1 adds a number of forensic investigation tools, toolkits and suites, as well
as a further column indicating the possible contribution of each tool to Live Forensic Acquisition, as
judged by the author on the basis of the preliminary study.
It is important to note that the forensic tools attributed with Live Forensic Acquisition capabilities have varying
degrees of the Live Acquisition ability. The author has not conducted any formal research to prove that these
forensic tools can acquire evidence in a forensically sound manner. Literature studies do show, however,
that these tools have some ability to acquire live data. The area of Live Forensic Acquisition still needs
more research and validation as part of a practical analysis in Part 2 of this study. The next four sections
look at the forensic stages identified in Paragraph 3.3.1 (listed under Definition), presented in the first
four columns of Table 4-1. These sections look at the forensic stages in general. A more detailed, tool-
specific discussion is available on the accompanying CD.
4.2.1 Collection
Collection is a very important aspect of the forensic acquisition process. It was already discussed briefly in
relation to Dead Forensic Acquisition (Paragraph 3.3.1) and Live Forensic Acquisition (Paragraph 3.3.2).
The most important aspect of collection is the forensic tool's ability to image media. Imaging is the delicate
process of copying data sector by sector from a piece of media to create a bit stream copy, known as an
image of the media. Specialist software reads the media and creates an image file containing all the data
in exactly the order in which it was read. This includes all active data (files referenced by the file system on
the computer's direct access storage media) and residual data (data no longer referenced by the file system,
such as deleted files, slack space and unallocated sectors) (Fei 2007:51).
The most important focus of Digital Forensic tools is to ensure the accuracy of results and maintain the
integrity of digital evidence. At the end of the forensic acquisition process, the investigator therefore
computes MD5 and SHA-1 hash values of the original media and of the image file; matching values
demonstrate that the image is an exact copy, and any later alteration of the image changes its hash values
(Fei 2007:48, 51). The two algorithms are computed together because MD5 collisions were already practical
at the time of writing and weaknesses in SHA-1 were known; a pair of digests gives the court a stronger
assurance than either on its own. If it is not possible to maintain the integrity or prove the accuracy of the
data beyond doubt, a court of law may refuse all of the data as evidence. This can literally disable the
current investigation. It is therefore very important to pay close attention during the Collection stage.
With the exception of Autopsy Forensic Browser and MacMarshal, all the investigated tools have imaging
and collection abilities. All of these tools met the requirements set by the National Institute of Standards
and Technology (NIST) for Digital Forensic imaging tools. According to NIST, an imaging tool should
produce a bit stream copy of a piece of media without altering the source and should verify the integrity of
the image file (Fei 2007:48). The Collection stage is the only one of the four stages that applies directly to
the forensic acquisition process. The next section discusses the Examination stage and tools with
examination capabilities. The Examination stage is part of the holistic Digital Forensic process.
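The following Python script is an added illustration (not a tool from the thesis or from any of the suites in Table 4-1) of what the Collection stage requires: a sector-by-sector bit stream copy, MD5 and SHA-1 digests of the source computed while it is read, an independent re-read of the image to confirm that both digests match, and an acquisition record of the kind the Reporting stage later draws on. The 512-byte sector size, the file names and the media contents are assumptions constructed for the example; the demonstration also flips one bit in the finished image to show that verification detects the change.

```python
"""Sector-by-sector bit stream acquisition with dual-hash verification.

Added illustration, not a tool from the thesis. The source may be any readable
file or block device; the image is a raw (dd-style) file. The acquisition
record is the raw material the Reporting stage needs: which media, how many
sectors, which digests, and when.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR_SIZE = 512  # assumption for the example; many current disks use 4096


def _digests():
    # MD5 and SHA-1 both have known collision weaknesses; recording both (and,
    # in current practice, SHA-256 as well) raises the bar for a challenge.
    return {"md5": hashlib.md5(), "sha1": hashlib.sha1()}


def acquire_image(source_path, image_path, sector_size=SECTOR_SIZE):
    """Copy source to image one sector at a time, hashing the source as read.

    Returns the acquisition record. The source is opened read-only and is
    never written to; the image must later reproduce the recorded digests.
    """
    started = datetime.now(timezone.utc).isoformat()
    src_hash = _digests()
    sectors = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            sector = src.read(sector_size)
            if not sector:
                break
            for h in src_hash.values():
                h.update(sector)
            dst.write(sector)
            sectors += 1
    return {
        "source": source_path,
        "image": image_path,
        "sector_size": sector_size,
        "sectors": sectors,
        "bytes": os.path.getsize(image_path),
        "source_md5": src_hash["md5"].hexdigest(),
        "source_sha1": src_hash["sha1"].hexdigest(),
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }


def hash_file(path, chunk_size=SECTOR_SIZE):
    """Independently re-read a file and return its MD5 and SHA-1 hex digests."""
    hs = _digests()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hs.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hs.items()}


def verify_image(record):
    """NIST-style check: the image must reproduce both source digests exactly.

    Returns (ok, image_digests). A mismatch in either algorithm means the file
    cannot be presented as a bit stream copy of the source.
    """
    image_digests = hash_file(record["image"], record["sector_size"])
    ok = (image_digests["md5"] == record["source_md5"]
          and image_digests["sha1"] == record["source_sha1"])
    return ok, image_digests


def demo():
    """Acquire constructed 'media', verify, then show a single flipped bit is caught."""
    # Constructed media: one 512-byte 'boot sector' followed by some file data.
    media = (b"MBR" + (bytes(range(256)) * 2)[:509]
             + b"evidence: secret ledger " * 100 + b"\x00" * 37)
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "media.bin")
        img = os.path.join(d, "media.dd")
        with open(src, "wb") as f:
            f.write(media)
        record = acquire_image(src, img)
        ok_before, _ = verify_image(record)
        # Simulate post-acquisition tampering: flip one bit inside the image.
        with open(img, "r+b") as f:
            f.seek(1000)
            b = f.read(1)
            f.seek(1000)
            f.write(bytes([b[0] ^ 0x01]))
        ok_after, _ = verify_image(record)
    return ok_before, ok_after, record["sectors"]
```

The record is what a report later quotes: the digests of the source are taken once, at acquisition, and every subsequent handling of the image is checked against them rather than against the original media, which should not be touched again.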
4.2.2 Examination
The Examination stage is crucial in any digital investigation and was already briefly discussed in relation
to Dead Forensics (Paragraph 3.3.1) and Live Forensics (Paragraph 3.3.2). Right after the imaging, before
the actual analysis of the evidence, forensic investigators may find it necessary to locate specific pieces
of data and determine their contents. For example, in the case of child pornography it is necessary to
locate graphical images and determine the nature thereof to establish the applicability of the acquired
image to the case (Fei 2007:52).
At the time of writing there was no publicly available software developed solely to search and classify
graphical images. The result is a time consuming process in which forensic investigators have to extract
all unknown graphical images from the acquired media and search through them manually. However,
organisations involved in fighting cyber crime, such as the FBI and the forensic software vendor
AccessData, publish daily updated databases of the hash values of known pornographic images. The hash
values of unknown images on the suspect system can be compared with these databases, so that known
material is identified by hash match alone and removed from the set requiring manual review.
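Hash-set comparison of this kind, as an added example in Python rather than a procedure from the thesis: every image file below a directory is hashed once and sorted into known contraband (matching a law-enforcement style hash set), known benign (matching a reference set of operating-system and application files, in the style of the NIST NSRL) or unknown, which is the only bucket an examiner still has to open. The two hash sets and the files are constructed inline for the example; real sets are loaded from the published databases with the same parser.

```python
"""Hash-set triage of image files (added example, not from the thesis).

Buckets:
  known_bad  - digest found in a contraband hash set
  known_good - digest found in a reference set of stock OS/application files
  unknown    - everything else; still needs human review
"""
import hashlib
import tempfile
from pathlib import Path

IMAGE_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def sha1_of(path):
    """SHA-1 of a file, read in chunks so large images do not load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_hash_set(lines):
    """Parse a hash-set listing: one hex digest per line, '#' starts a comment.
    Digests are normalised to lower case so the source's casing does not matter."""
    digests = set()
    for line in lines:
        line = line.split("#", 1)[0].strip().lower()
        if line:
            digests.add(line)
    return digests


def triage(root, known_bad, known_good):
    """Sort every image file under root into known_bad, known_good or unknown.

    A contraband match takes precedence over a benign match, so a file that
    appears in both sets is still reported as contraband.
    """
    root = Path(root)
    buckets = {"known_bad": [], "known_good": [], "unknown": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in IMAGE_SUFFIXES:
            continue
        digest = sha1_of(path)
        name = path.relative_to(root).as_posix()
        if digest in known_bad:
            buckets["known_bad"].append(name)
        elif digest in known_good:
            buckets["known_good"].append(name)
        else:
            buckets["unknown"].append(name)
    return buckets


def demo():
    """Run the triage over constructed files and constructed hash sets."""
    contraband = b"CONSTRUCTED stand-in for a known contraband image"
    os_icon = b"CONSTRUCTED stand-in for a stock operating-system icon"
    holiday = b"CONSTRUCTED stand-in for a user's own photograph"
    # The hash sets are derived from the constructed content; in practice they
    # come from the published databases and are parsed by load_hash_set().
    known_bad = load_hash_set([
        "# constructed contraband set",
        hashlib.sha1(contraband).hexdigest(),
    ])
    known_good = load_hash_set([
        "# constructed reference set",
        hashlib.sha1(os_icon).hexdigest().upper(),  # casing must not matter
    ])
    with tempfile.TemporaryDirectory() as d:
        files = {
            "pics/a.jpg": contraband,
            "icons/folder.png": os_icon,
            "pics/holiday.JPG": holiday,
            "readme.txt": b"not an image, ignored by the triage",
        }
        for rel, content in files.items():
            p = Path(d) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        return triage(d, known_bad, known_good)
```

A cryptographic hash only matches a byte-identical file: a resized, cropped or re-encoded copy of a known image falls into the unknown bucket, which is why that bucket still needs a human examiner.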
From the discussion in the previous section, however, it is clear that most Digital Forensic tools have a
viewing capability that can help to greatly reduce the human processing time required during this part of
the Digital Forensic process (Fei 2007:52). With the exception of ByteBack and SafeBack, both DOS-
based, all the forensic tools allow for examination of the image before formal analysis starts. The next
section discusses the Analysis stage and tools with analysis capabilities. The Analysis stage is part of
the holistic Digital Forensic process.
4.2.3 Analysis
The third stage in the forensic investigation process is the Analysis stage, already briefly discussed in
relation to Dead Forensics (Paragraph 3.3.1) and Live Forensics (Paragraph 3.3.2). This stage follows
the successful completion of the collection, imaging and possible examination, and mainly concerns the
analysis of the acquired bit stream copy.
Analysis is an investigation of the component parts of a whole and their relations in making up the whole.
When faced with a complex topic, analysis is a systematic process of simplifying the topic to gain a better
understanding of the topic. In the forensic sense, an analysis breaks down a complex crime scene to
simpler terms where it is possible to identify the criminals. The aim of this stage is to extract any relevant
evidence, interpret the resultant data and to place it in a logical and useful format. During this stage, it is
also possible to determine the importance of the data and draw conclusions from it. The investigator
should also be able to retrieve and analyse both active and residual data (Fei 2007:52).
The majority of the tools mentioned offer analysis capabilities, the exceptions being ByteBack and SafeBack.
The remaining tools can perform hash analysis, registry analysis, file signature analysis, filtering and
keyword searches (Fei 2007:48). The following section discusses the Reporting stage and its associated
capabilities.
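Two of the analysis capabilities listed above, file signature analysis and keyword searching, can be shown concretely. The following Python example is added here and is not code from any of the suites discussed; the signature table is a small hand-picked subset, the files are constructed for the example, and searching in UTF-16LE as well as 8-bit form is an assumption about where text is likely to be found on Windows systems.

```python
"""File signature analysis and keyword search (added example, not from the thesis).

Signature analysis compares a file's leading bytes with what its extension
claims, catching renamed files such as a JPEG saved as 'budget.txt'.
"""
import tempfile
from pathlib import Path

# Magic bytes -> extensions that legitimately carry them (subset for the example).
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"GIF87a": {".gif"},
    b"GIF89a": {".gif"},
    b"%PDF-": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    b"MZ": {".exe", ".dll", ".sys", ".scr"},
}
HEADER_BYTES = max(len(m) for m in SIGNATURES)


def identify(head):
    """Extensions implied by the leading bytes, or None if the magic is not tabled."""
    for magic, extensions in SIGNATURES.items():
        if head.startswith(magic):
            return extensions
    return None


def signature_mismatches(root):
    """List (path, claimed extension, expected extensions) for files whose content
    disagrees with their name. Unknown magic is not reported: absence from the
    table proves nothing about the file."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with open(path, "rb") as f:
            head = f.read(HEADER_BYTES)
        expected = identify(head)
        if expected is not None and path.suffix.lower() not in expected:
            findings.append((path.relative_to(root).as_posix(),
                             path.suffix.lower(), sorted(expected)))
    return findings


def keyword_hits(root, keywords):
    """Map each keyword to the files containing it, case-insensitively, in either
    8-bit or UTF-16LE encoding (Windows stores much of its text as UTF-16LE)."""
    root = Path(root)
    needles = {kw: (kw.lower().encode("utf-8"), kw.lower().encode("utf-16-le"))
               for kw in keywords}
    hits = {kw: [] for kw in keywords}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        # bytes.lower() only folds ASCII letters, so UTF-16LE text (letter, NUL)
        # is folded correctly as well. Whole-file read; chunk for large images.
        data = path.read_bytes().lower()
        for kw, (narrow, wide) in needles.items():
            if narrow in data or wide in data:
                hits[kw].append(path.relative_to(root).as_posix())
    return hits


def demo():
    """Constructed file set: one renamed JPEG and a keyword in two encodings."""
    files = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(range(64)),
        "budget.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 32,        # JPEG posing as text
        "readme.txt": b"Meeting notes: the Secret Ledger is in the safe.\n",
        "notes.docx": b"PK\x03\x04" + "Ledger totals".encode("utf-16-le"),
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 16,                 # consistent, not flagged
    }
    with tempfile.TemporaryDirectory() as d:
        for name, content in files.items():
            (Path(d) / name).write_bytes(content)
        return signature_mismatches(d), keyword_hits(d, ["ledger", "safe"])
```

The mismatch list is a filter, not a verdict: a renamed file is a lead to be examined, and a file whose magic is not in the table is simply unclassified.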
4.2.4 Reporting
The final step in a Digital Forensic investigation is reporting. All forensic investigations need to terminate
with a full report. Reporting was accordingly already discussed briefly in relation to Dead Forensics
(Paragraph 3.3.1) and Live Forensics (Paragraph 3.3.2). The investigator needs to document and report
every activity and event of the investigation. This includes recommendations to the relevant authorities
on whether the result should include prosecution (Fei 2007:49). Reporting is therefore the process of
capturing the findings of an investigation.
The final forensic report should contain critical details from each of these four stages of the investigation:
Collection, Examination, Analysis and Reporting. This should reference procedures followed and methods used
to seize, document, collect, preserve, recover, reconstruct, organise and search key evidence. Relevant
evidence, comments, recovered pictures, search criteria, search results, the date and time of the search
process should be included meticulously in the report. Normally, the forensic investigator presents the
report in legal proceedings as a role-player in the outcome of the prosecution (Fei 2007:53).
Most tools have the ability to build reports that can include some information regarding the acquisition
process, bookmarked files, graphical images and other relevant pieces of information. The scripting tools
offer less refined reports, but can still output results to text files to use as reports. According to Table
4-1, all the tools have built-in or implied report capabilities, with the exception of ByteBack, SafeBack and
The Coroner’s Toolkit. Although each of these tools has different reporting capabilities, most of them are
comprehensive enough to report for official evidence in a court of law (Fei 2007:49). The next section
gives a holistic overview of the tool capabilities according to OS.
4.2.5 Classification Overview
A general overview of Table 4-1 shows that publicly available tools for the Windows OS seem to be the
most comprehensive. This is a reasonable observation since Windows is also the holder of the majority
market share and accordingly computers with this OS are more pervasive in the community. As a result,
computers with the Windows OS are more frequently the targets of computer crime, or used by cyber
criminals to perform the crime. Windows Forensics consequently tends to dominate the market.
Mac-based forensic tools also seem to be rather comprehensive, with most tools covering all four forensic
stages. The only gaps in the Mac Forensic spectrum are Autopsy Forensic Browser and MacMarshal, which
do not cover the Collection stage, and Forensic Toolkit (FTK), which does not allow Live Forensic
Acquisition.
The trend for Linux-based forensic tools is very similar to that of the Windows forensic tools. These tools
do provide for the Collection stage, but focus largely on capabilities for the Analysis stage. Autopsy
Forensic Browser does not cover the Collection stage, and The Coroner's Toolkit does not cover the
Reporting stage. Neither EnCase Forensic nor SMART covers Live Forensic Acquisition, although EnCase
Enterprise does.
The DOS-based forensic tools are all usable in the Collection stage. EnCase Forensic, EnCase Enterprise
and X-Ways Forensics address all the forensic stages, whilst ByteBack and SafeBack only cater for the
Collection stage. EnCase Enterprise, SafeBack and X-Ways Forensics enable Live Forensic Acquisition.
Each of these tools, as well as a detailed application to the forensic stages, is presented on the
accompanying CD (see Forensic tools).
4.2.6 Limitations of Forensic Tools
It follows from the previous sections that a fully functional Digital Forensic tool offers capabilities that
match the requirements of the Digital Forensic stages: Collection, Examination, Analysis and Reporting. It is
important to have a well balanced mixture of these capabilities to ensure that the investigation is done
comprehensively and that the volumes of data do not affect the case negatively with regard to time and
complexity (Fei 2007:55).
There are three main limitations concerning forensic tools. The first is the problem of acquisition and
imaging data on a live system. The second problem is that tools adapt poorly to large-scale investigations.
Forensic investigators find it increasingly difficult to use current tools to locate vital evidence within
massive volumes of data. The third problem is a result of many forensic tools presenting evidence files
in a spreadsheet-style format: the process of scrolling through many rows of data can be extremely
tedious when working with large data sets. It is also difficult to view the evidence file holistically to see
the overall pattern of the data set (Fei 2007:55).
In the development of a forensic tool used specifically for Live Forensic Acquisition, these limitations
need to be addressed. Although the Liforac model does not address the development of forensic tools, it
is necessary to look at all facets of Live Forensic Acquisition, both the process and the tools, to ensure a
complete understanding of the discipline. The next section concludes the forensic tool classification.
4.2.7 Conclusion of Forensic Tool Classification
The previous section discussed and classified the forensic investigation tools according to the forensic
stages. These tools apply to the Windows, Mac, Linux and DOS platforms and have varying degrees of
capabilities for the Collection, Examination, Analysis and Reporting stages. This section gave a brief
overview of all the different operating platforms and compared the abilities of forensic tools on these
platforms. Additional information of forensic tools can be found on the study’s accompanying CD.
The next paragraph summarises the content of Chapter 4 and puts the chapter into context with Chapter
3 and Chapter 5. The summary also presents a number of drivers identified from Chapter 4 that can give
a better understanding in the later development of the Liforac model.
4.3 Summary
The increasing number of Digital Forensic tools available on the market creates a complex environment
in which the cyber investigator needs to choose applicable tools. This chapter introduced a number of
Digital Forensic investigative tools suitable for the Windows, Mac, Linux and DOS platforms and
provided a basic classification of the tools discussed.
In summary, the seven drivers identified from Chapter 4 to contribute to the development of the Liforac
model are as follows, with the originating paragraph between brackets:
• The correct supporting software packages and applications are necessary to do a thorough Digital
Forensic Acquisition. Without properly developed software packages, the Acquisition process can
not be forensically sound, nor used to its full extent in a court of law (Paragraph 4.1);
• A number of different forensic suites exist for Windows, Mac, Linux and DOS. Although these
tools, toolkits and suites do not have a direct impact on the development of the Liforac model, the
understanding of a number of different forensic suites, available for a number of different operating
platforms, provides a better understanding of the discipline. This aspect may lead to better
understanding and insight into the knowledge aspect of the Liforac model (Paragraph 4.1);
• Summary of the tools and the stages in which they can be applied. Similar to the motivation for
the inclusion of a number of different forensic suites for different OSs, this aspect of tools and the
specific stages in which they apply aids the understanding of the Liforac model. Although this
aspect is not a direct driver to the model, understanding it can improve a forensic investigator's
experience, which in turn is beneficial in the acquisition of forensic data
(Paragraph 4.2, Table 4-1);
• Many traditional forensic suites also cater to some extent for Live Forensic Acquisition. This
aspect has not been tested in a real forensic scenario, but research indicates that many of the
existing packages have some abilities to comply with Live Forensic Acquisition. This knowledge
may directly impact the Liforac model (Paragraph 4.2, Table 4-1);
• Collection, Examination, Analysis and Reporting all form an important part of the Digital Forensic
process. Similar to the Digital Forensic methodology in Chapter 3, these steps are a prominent
aspect of the Liforac model development (Paragraph 4.2, Table 4-1);
• The most important focus of Digital Forensic tools is to ensure the accuracy of results and
maintain the integrity of digital evidence. This aspect is crucial for the development of the Liforac
model and lays the foundation for forensically sound evidence (Paragraph 4.2.1);
• There are three main limitations concerning forensic toolkits (Paragraph 4.2.6):
− the problem of acquisition and imaging data on a live system,
− tools adapt poorly to large-scale investigations involving multiple machines, and
− difficult to view large evidence files holistically to see the overall pattern of the data set.
These limitations may not be used directly in the development of the Liforac model, but
knowledge about these limitations can extend a forensic investigator’s skill and understanding.
When considered individually, all seven of these drivers suggest a knowledge component or refer to stages
or steps that imply some link with time or sequence. They also address potential problems and refer
consistently to the admission of evidence to court. Depending on the drivers identified in subsequent
chapters, these themes may influence the identification of possible dimensions for the Liforac model.
Chapter 4 looked in more detail at the tools used to do a Forensic Acquisition, contributing seven
potential drivers to the final Liforac model. Part 2 will now continue with a focus on Live Forensic
Acquisition, focusing on Objective B, Current Live Forensic techniques. Chapter 5 looks at the current
application of Live Forensic Acquisition.
Chapter 5: Current Application of Live Forensics
“In today’s world, people put most everything on computers. We need the forensics capability to go in and retrieve that information off the company’s networks.”
- Earl Devaney
Part 1 provides a literature study to set the scene for Digital Forensics and all the related aspects, whilst
Part 2 focuses specifically on Live Forensics, its uses and applications within the cyber environment.
Part 2 orientates the reader in a more specialised environment, focusing exclusively on Live Forensics
and the differences between this discipline and Dead and Physiological Forensics.
Chapter 5 starts this orientation with a brief discussion on the different ways that organisations currently
use globally to respond to a cyber attack. The chapter also looks at the properties of digital evidence that
are addressed by a court of law when determining the validity of the evidence. Chapter 5 then looks at the
practical problems experienced by forensic investigators when implementing Live Forensic Acquisition,
ending with the current application of Live Forensics with software- and hardware-based techniques.
This entire chapter focuses on the current application of Live Forensics when acquiring evidence.
Figure 5-1 indicates the current level of progress of the research study, showing the building blocks/
objectives (originally presented in Figure 2-2) that need to be fulfilled to successfully develop the Liforac
model. Chapter 5 fulfils Objective B, Current Live Forensic techniques.
Figure 5-1: Liforac model progress – Current Live Forensic techniques (Own compilation)
The information portrayed in this chapter will form an integral part of the proposed model for forensically
sound Live Forensics, the Liforac model.
5.1 Introduction
Research done by Amenya (2004:4) shows that as much as 30% of information stored on computers never
reduces to printed form. In addition, the electronic version of a document usually contains information that
does not appear in the printed version (this information is referred to as metadata or data about data).
This electronic information is a valuable resource for any organisation and needs proper security.
It has now become commonplace for lawyers to request evidence in electronic format as routine evidence
discovery. Since the average lawyer does not have sufficient experience in collecting and analysing
electronic data, they can use the expertise of forensic investigators to ensure that they collect and
authenticate data in a forensically sound manner. The next sections further the background discussion
on currently applied Live Forensics. The sections address different ways of responding to cyber attacks,
the validity of digital evidence and the occurrence of cyber trails.
How to Respond to an Attack
In the event of a suspected attack on a computer system, the first step is to decide how to respond to the
attack. Organisations generally have three possible options for responding:
• Firstly, the organisation does nothing. At present, many organisations simply do not recognise
the existence of cyber crime, resulting in an inaccurate statistical representation of cyber crime.
• The second option is to perform an internal investigation to assess the extent of the damage, but
the organisation still does not report the incident.
• Thirdly, the organisation can perform a detailed analysis with the intention to prosecute the cyber
criminal (Weise & Powell 2005:10).
Naturally, the recommended option in most cases would be to perform a detailed analysis. To gather all
the necessary evidence, investigators apply all Digital Forensic principles. By incorporating traditional
Dead Forensic Acquisition techniques, it is possible to gain enough data for most cases. However, the
problem arises when this collected data needs to be introduced as evidence in a court.
Many unique practical and legal constraints make the implementation of Digital Forensic Acquisition both
interesting and complex. Paragraph 3.1 already looked at some of these constraints. If forensic investigators
do not follow these restrictions exactly, data acquired in certain ways may be inadmissible in court and
not allowed as intelligence (Jones 2007:1), negating the forensic investigation. For this reason, it is
important that forensic investigators are equipped with tools and mechanisms that can result in the
acquisition of forensically sound system images. Only when this is possible can data be seen as evidence
and be admissible in a court of law. The next section looks at properties of evidence that render it either
valid or inadmissible in court.
Validity of Digital Evidence
Although legal counsel becomes involved and evidence is formally admitted to court only at a later stage
of the forensic process, it is necessary to know during acquisition whether the evidence being acquired
will be valid. If the evidence is rejected at the end of the investigation, all the stages completed before the
attempted admission will have been a waste of time and effort. Accordingly, the original Collection stage
is extended to form the Forensic Acquisition process, which takes into account the aspects that will
ensure successful admission of the evidence to court at a later stage.
At first, lawyers disputed the validity of digital evidence as a type of physical evidence. They eventually
concluded that digital evidence, although less tangible than other forms of physical evidence, does
classify as physical evidence. In this sense, digital evidence includes all items composed of magnetic fields
and electronic pulses, which investigators can collect and analyse using special tools and techniques
(Casey 2000:4). Although digital evidence corresponds to physical evidence in a number of ways, it has
some properties that make it unique:
• Latent nature. It can only be seen, understood, analysed and presented with specialised software.
Digital evidence is naturally fragmented.
• Ambiguous meaning. Patterns of data combine to provide a specific meaning in context.
• Fragile and time sensitive. Data can easily be destroyed or modified and is very volatile in
nature if not specifically saved to secondary storage (Cohen 2006:7).
Balanced against these properties, digital evidence has a number of advantages over traditional physical
evidence, which can make it easier to authenticate and to admit. Some of these advantages are:
• Investigators can make exact duplicates and examine a duplicate as if it were the original;
• Specialised tools (hash comparison in particular) enable investigators to detect any modification of
the digital evidence relative to the original; and
• Electronic evidence is difficult to destroy completely, since copies and remnants of it tend to
persist (Casey 2000:4).
The next section extends the discussion on evidence properties. It introduces and explains the concept
of cyber trails and how it can be useful in a forensic investigation.
Cyber Trails
The Locard principle largely validates the existence of digital evidence: “… when any two objects come
into contact, there is always transference of material from each object onto the other”. For example,
although knowledgeable hackers might be able to remove some of the evidence of their tampering with a
system, it is not possible to remove all of it. Small sections of bits and bytes might be left behind in
unallocated sectors, slack space or swap space on a hard disk, waiting for a knowledgeable forensic
investigator to retrieve them (Brown 2005a:5). This residue must, however, be properly collected,
preserved and interpreted to be suitable for presentation as evidence in court proceedings. These leftover
bits and bytes can be referred to as digital detritus, the remains of something that no longer exists as a
whole (Gallo 2008:6).
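How such detritus survives deletion, and how it is retrieved, can be shown with a toy volume in Python. The example is added here and does not describe any real file system: sector 0 holds a minimal allocation table, deleting a file clears only its table entry, and a carver that ignores the table recovers the file from its header and footer markers. The 'photograph' is a constructed byte string that carries only the JPEG start and end markers and no image data.

```python
"""Carving a deleted file out of unallocated sectors (added example, not from the thesis).

The toy volume below deliberately behaves like real file systems in one respect:
deletion frees sectors without overwriting them. The carver never consults the
allocation table, which is why it still finds the 'deleted' file.
"""
import struct

SECTOR = 512
JPEG_HEADER = b"\xff\xd8\xff"   # SOI marker followed by the first segment marker byte
JPEG_FOOTER = b"\xff\xd9"       # EOI marker
MAX_CARVE = 64 * 1024           # give up on a header if no footer within this span


class ToyVolume:
    """Sector 0: allocation table (count, then name[16], first sector, length).
    Sectors 1..n: file data. Constructed for the example; not a real format."""

    def __init__(self, sectors=32):
        self.disk = bytearray(SECTOR * sectors)
        self.table = {}          # name -> (first_sector, length)
        self.next_free = 1
        self._sync_table()

    def write_file(self, name, data):
        first = self.next_free
        self.disk[first * SECTOR:first * SECTOR + len(data)] = data
        self.table[name] = (first, len(data))
        self.next_free += -(-len(data) // SECTOR)   # ceiling division
        self._sync_table()

    def delete_file(self, name):
        """Remove only the directory entry; the data sectors are left intact."""
        del self.table[name]
        self._sync_table()

    def _sync_table(self):
        blob = struct.pack("<H", len(self.table))
        for name, (first, length) in self.table.items():
            blob += struct.pack("<16sII", name.encode()[:16], first, length)
        self.disk[0:SECTOR] = blob.ljust(SECTOR, b"\x00")

    def list_files(self):
        """What the operating system would show: only allocated files."""
        return sorted(self.table)

    def raw(self):
        """What an acquisition tool images: every sector, allocated or not."""
        return bytes(self.disk)


def carve_jpegs(image):
    """Return [(offset, data)] for every header..footer span in the raw image."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start < 0:
            break
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + MAX_CARVE)
        if end < 0:                      # header without footer: skip past it
            pos = start + 1
            continue
        found.append((start, image[start:end + len(JPEG_FOOTER)]))
        pos = end + len(JPEG_FOOTER)
    return found


def demo():
    """Write a 'photo', delete it, then carve it back from the raw image."""
    vol = ToyVolume()
    photo = JPEG_HEADER + b"\xe0" + bytes(range(256)) * 3 + b"CONSTRUCTED" + JPEG_FOOTER
    vol.write_file("holiday.jpg", photo)
    vol.write_file("notes.txt", b"nothing to see here\n")
    vol.delete_file("holiday.jpg")
    carved = carve_jpegs(vol.raw())
    # The directory no longer lists the photo, yet its bytes are fully recoverable.
    return vol.list_files(), [(offset, data == photo) for offset, data in carved]
```

On a real disk the freed sectors are reused by the next write, which is why the interval between the incident and the acquisition, and the amount of activity on the machine in that interval, decides how much of the detritus is still there to carve.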
Investigators refer to the pieces of digital evidence that cyber criminals leave all over the cyber realm, as
cyber trails. These are “… rich sources of digital evidence that include, but are not limited to, web pages,
e-mail, digitised still images, digitised video, digitised audio, digital logs of synchronous chat sessions,
files stored on a personal computer and computer logs from an ISP” (Casey 2000:10). Adhering to the
Locard principle, any action of an electronic system will always transfer some kind of evidence.
A cyber trail extends to both the physical world and the electronic world. It can therefore provide evidence in
both a murder investigation and an electronic money laundering investigation. Cyber trails can prove to be
critical in some investigations. If investigators neglect to follow these trails, they risk losing valuable evidence.
Additionally, investigators may face negligent liability charges (Casey 2000:10). The forensic investigation
ends with the investigator producing a report to the client, either the authority or an independent organisation
(refer to Paragraph 4.2.4). In order to produce a thorough report, it is necessary to examine and investigate
several aspects concerned with the implementation of Live Forensic Acquisition.
All aspects considered in this thesis aim to investigate the status of current forensic investigations in South
Africa, both the positive aspects and the limitations thereof. Additionally, this research study aims to add
to the positive features and attempt to salvage the limitations by investigating the process of Live Forensic
Acquisition. The following section introduces some of the most prominent practical problems countering
successful Live Forensic Acquisition. These problems will play an important role in the final Liforac model.
5.2 Practical Problems Experienced With Live Forensic Acquisition
This section looks at the current practical problems identified as related to Live Forensic Acquisition.
This section and the following sub sections look at these problems in detail and discuss them in the
context of the Live Forensic discipline.
One of the most critical problems regarding Live Forensic Acquisition is that the forensic investigator has
a constant job of knowledge building. Technology is constantly developing and therefore it is crucial for
the investigator to ensure that he/she is familiar with the technology. However, this problem is relevant to
all new technologies and applies not only to Live Forensics.
The current most critical problem concerning Live Forensic Acquisition specifically is to ensure forensic
soundness. Most of the problems identified and presented in Figure 5-2 relate directly to forensic
soundness. All of these challenges can create major problems later in the investigation and the
proposed Liforac model will accordingly address this. The problems presented in Figure 5-2 have been
identified earlier in Paragraph 3.3.2.2. These problems are grouped in a chronological fashion based on
the Live Forensic Acquisition process depicted in Figure 3-3.
[Figure 5-2 shows the five problems in the order in which they arise during acquisition:]
Practical problem 1: Gaining access to the machine
Practical problem 2: Acquisition dependent on OS
Practical problem 3: Data modification during acquisition
Practical problem 4: Demonstrate authenticity
Practical problem 5: Ensuring full acceptance of technology by the court
Figure 5-2: Practical problems associated with Live Forensics (Own compilation)
Although these five identified problems are not the only problems that a forensic investigator may
encounter during the Live Forensic Acquisition process, the author deems them the most prominent
practical obstacles that can have a potentially negative effect on the forensic soundness and admissibility
of digital evidence in a court of law. The following sections address these problems in chronological
order, starting with the investigator gaining access to the suspect machine.
5.2.1 Practical Problem 1: Gaining Access to the Suspect System
Gaining access to the machine is the first practical problem that a forensic investigator may encounter.
The investigator must gain access not only to the building in question, but also to the office in which the
computer is located and to the machine itself, by means of a username and password combination. In
addition to these physical barriers, mandate and search warrants present a further, legal, hurdle.
To ensure the success of a Live Forensic Acquisition, forensic readiness should be in place. Due to the
nature of Live Forensic Acquisition, investigations are generally covert. However, the investigator or a
representative of the forensic team requires prior access to the machines in question to install the
software forensic agent (refer to Paragraph 3.3.2). This in itself brings about problems regarding access
and privacy.
Once the incident has been reported, the investigators do not necessarily need direct access to the
machine, since only a remote connection to the suspect machine is needed for the acquisition (refer to
Figure 3-7). The inherent risk with this remote connection is that those under investigation may have put
measures in place to create alerts or countermeasures (such as logic bombs) when their computers are
accessed remotely. Furthermore, the remote network connection must be free from port and bandwidth
restrictions and access control mechanisms that might prevent the investigator from connecting to the
software agent on the subject computer (Casey 2004b:284,286). In this sense, Live Forensic Acquisition
stands in close relation to Network Forensics, facilitating remote data collection over the network, and
potentially affecting network traffic.
In the event of a covert Live Forensic Acquisition, the suspect machine’s legitimate user will be active on
the machine. He/she will continue normally, without knowing that the machine is investigated. However,
should the acquisition be overt, the legitimate user may not access his/her machine or office, and one of
the investigating team's members needs to sit with the machine and move the mouse cursor to keep the
machine active and logged on. All investigations must be done with the permission and consent of either
the machine’s owner or user, or the possession of a search warrant. The assumption is made that
organisations set system administrators as the machines’ owners and not the employees using the machines.
This is relevant in the case of a covert investigation.
Gaining access to the suspect machine is one of the most critical times in an investigation. Should the
investigator not strictly adhere to the applicable laws, the court may later reject the evidence either as
forensically unsound, or on the grounds of illegal acquisition. Once the investigator has considered these
practical problems, he/she can start with the physical Forensic Acquisition process. This process is often
directly dependent on the OS. The next section looks at this dependency.
5.2.2 Practical Problem 2: Acquisition Dependent on Operating System
The current forensic practices require the forensic investigation to interact with the suspect machine’s
OS. Not only can this practice accidentally modify evidentiary data, but it can also pose a serious problem
in the event of a covert investigation. This dependency on the OS can potentially render evidence
forensically unsound.
Criminals that foresee the use of forensic acquisition techniques against them may modify the OS: it
is possible to provide programmes in user space with deliberately sanitised data, which can
feed forensic investigators with incorrect information (Jones 2007:5). Anti-forensics toolkits may block
the acquisition of evidence. Different types of OSs also present different problems and opportunities.
Volatile memory loses its data when power is removed (traditional Dead Forensic Acquisition). Therefore, the
acquisition of data from a live system seems much more reliable. However, rootkits (a hacker security tool
that captures passwords and message traffic to and from a computer) and Trojan attacks against OSs and
applications can cause the system to produce unreliable data. Technically, before an investigator can submit
evidence to a court, he/she needs to prove that there was no attack present on the suspect system before
or during the acquisition. Such attacks, with the resultant unreliable data, may cause the dismissal of
evidence from court (Carrier & Grand 2003:51).
Once the investigator has bypassed the problem related to the OS, he/she needs to be careful not to tamper
with or modify any of the data on the suspect machine. In the event that the data has been modified, a
court of law will definitely dismiss the data as evidence. The next section looks at the problem associated
with data modification.
5.2.3 Practical Problem 3: Data Modification during the Acquisition Process
Evidence dynamics is a very volatile process. Anything that interacts with the computer in one way or
another can change the dynamics and eventually modify computer data during a forensic acquisition.
These interactions can be human force (investigator interacting with the suspect computer and system),
natural force (progress of time and a change in the environment) or tool force (the forensic tools used
during the investigation) (Brown 2005b:9). This section identifies and discusses four subcategories of
ways in which evidence can possibly change on a suspect system (Jones 2007:4).
• Forensic investigators can potentially modify the evidence. Part of the Live Forensic Acquisition
process is to execute code running on the CPU of the suspect system, potentially changing data in
the registers or the RAM. Even if the forensic system specifies no explicit write commands, the
suspect system’s OS may decide to swap the programme to hard disk. This may potentially
render the relevant evidence inadmissible in court (Jones 2007:4), if the software used is not
forensically sound and the evidence's integrity is not maintained.
• Inappropriate action taken by forensic investigators may ruin evidence. In the event that a forensic
investigator handles a situation incorrectly, a preventable amount of data may be changed. For
example, running an application on the suspect hard drive may overwrite some of the associated
properties, such as recent actions. If the specifics of this application were critical to the case, it
will cause many issues in court (Jones 2007:4).
• Images can slur. Similar to taking a photo of a moving object, slurred images are the result of acquiring
a file system while another programme modifies it. The smallest modification may cause a problem,
since the file system first reads the metadata section of the hard disk. If the files or folders on the
file system change after the file system has read the metadata and before the file system
acquires the data, the metadata and sectors do not correlate anymore (Jones 2007:4).
Similarly, volatile memory does not represent a single point in time, but rather a time sliding view.
When acquiring volatile data, investigators cannot always use write blockers, nor is there always
an MD5 comparison to the original data (Vidas 2006:21). Figure 5-3 shows an example real image.
Figure 5-4 shows the results if that real image slurs. Although the forensic data image cannot be
presented as a real image, Figure 5-4 gives an indication of the extent of the damage on the image.
Figure 5-3: Example image (O’Neal 1997:Internet)
Figure 5-4: Example slurred image (O’Neal 1997:Internet)
• Criminals use anti-forensic programmes. By applying anti-forensic measures, clued-up criminals
may reduce the effectiveness of a potential forensic investigation. It is, for example, possible to
write a logic bomb that destroys evidence when a Forensic Acquisition tool is detected on the
system (Jones 2007:4). These types of programmes are developed by individuals or organisations
that want to thwart legitimate forensic investigations, and aim to delete all incriminating evidence
on the victim computer and system. Some of these programmes include Evidence Eliminator, The
Defiler’s Toolkit, Diskzapper, CryptoMite and Invisible Secrets (Computer Network Defence 2007:
Internet).
The Metasploit Project developed another type of anti-forensic software to target specific
functionalities of legitimate forensic investigation tools. These anti-forensic programmes interfere
with the forensic software’s results during an investigation (Hilley 2007:13). Anti-forensic tools
work on a variety of platforms and perform a number of different functions.
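As an added illustration of the slurring described above (this is not code from the thesis or its cited sources), the toy Python model below copies the metadata table before the data sectors, exactly in the order the text describes, while a constructed "editor" saves a file in between. The sector size, file names and the per-file CRC used to expose the mismatch are all constructed assumptions; a real file system generally stores no such checksum, which is why the text notes that a comparison to the original is not always available.

```python
"""Toy model of a 'slurred' live image: the acquirer copies the file system's
metadata first and the data sectors afterwards, while the legitimate user
keeps working. Constructed example; a real file system stores no per-file
CRC, which is exactly why the mismatch is hard to prove after the fact."""
import zlib

SECTOR = 16  # bytes per sector (constructed toy value)


class ToyFS:
    """A sector array plus a metadata table: name -> (sectors, length, crc32)."""

    def __init__(self, nsectors):
        self.sectors = [b"\0" * SECTOR for _ in range(nsectors)]
        self.table = {}

    def write_file(self, name, data, first_sector):
        """Store `data` in consecutive sectors from `first_sector`, then update metadata."""
        count = -(-len(data) // SECTOR)          # ceiling division
        secs = list(range(first_sector, first_sector + count))
        for i, s in enumerate(secs):
            self.sectors[s] = data[i * SECTOR:(i + 1) * SECTOR].ljust(SECTOR, b"\0")
        self.table[name] = (secs, len(data), zlib.crc32(data))


def acquire_fs(fs, interference=None):
    """Live acquisition in the order the text describes: metadata first, then data.
    `interference(fs)`, if given, models another programme modifying the file
    system between the two reads."""
    meta_copy = {name: (list(secs), length, crc)
                 for name, (secs, length, crc) in fs.table.items()}
    if interference is not None:
        interference(fs)
    data_copy = list(fs.sectors)
    return meta_copy, data_copy


def verify(meta_copy, data_copy):
    """Rebuild each file from the image using the metadata it was acquired
    with; return the names whose contents no longer match (the slurred ones)."""
    slurred = []
    for name, (secs, length, crc) in meta_copy.items():
        content = b"".join(data_copy[s] for s in secs)[:length]
        if zlib.crc32(content) != crc:
            slurred.append(name)
    return slurred


def build_fs():
    """Constructed suspect file system with two small files."""
    fs = ToyFS(32)
    fs.write_file("ledger.txt", b"qty=10 price=3.50 total=35.00", first_sector=2)
    fs.write_file("readme.txt", b"static file", first_sector=8)
    return fs


def editor_saves(fs):
    """The user's editor saves a new version of ledger.txt to fresh sectors, and a
    temporary file lands on the sectors the old version occupied."""
    old_secs = fs.table["ledger.txt"][0]
    fs.write_file("ledger.txt", b"qty=10 price=3.50 total=35.00 paid=yes", first_sector=12)
    fs.write_file("~ledger.tmp", b"scratch", first_sector=old_secs[0])


def demo():
    """Return (slurred files in a quiet acquisition, slurred files when the
    editor saves between the metadata read and the data read)."""
    quiet = verify(*acquire_fs(build_fs()))
    slurred = verify(*acquire_fs(build_fs(), interference=editor_saves))
    return quiet, slurred


if __name__ == "__main__":
    print(demo())   # ([], ['ledger.txt'])
```

Note that the slurred image is wrong in two ways at once: the sectors its metadata points to now hold other content, and the new location of ledger.txt and the temporary file are absent from the copied metadata altogether.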
Data modification during acquisition creates difficulties for investigators who must prove the
legitimacy of the acquisition and demonstrate the authenticity of the evidence. It can limit the investigator's
ability to prove the integrity and security of data in court, to ensure full acceptance of computer technology by
the judicial system and to establish a proper chain of custody (Amenya 2004:17). This section concentrated
on data modification, whilst the next section looks at the investigator's ability to demonstrate the authenticity
of evidence.
5.2.4 Practical Problem 4: Demonstrate the Authenticity of Evidence
The importance of electronic data to modern organisations has been mentioned numerous times in this
study. According to Klaff (2008:Internet), electronic records have literally taken over the business world.
Not only has e-mail become the preferred method for business communication, but financial records,
legal documents and assignments are now primarily kept in electronic format. Klaff claims that 93% of all
corporate data is in electronic format and that almost 80% of organisations accept e-mail as formal
confirmation documents.
Despite the fact that the nature of traditional evidence and electronic evidence differs completely, electronic
evidence still needs to meet the same criteria as traditional evidence. These criteria require evidence to:
• be relevant to the issue at hand;
• be authentic (the evidence is what it purports to be);
• not be unfairly prejudicial to either party in relation to the evidence’s probative value; and
• not be hearsay or if hearsay, able to meet the requirements for an exception; be the original or
duplicate of the evidence or able to meet an exception to that rule (Klaff 2008:Internet).
The problem regarding authenticity lies in the technical detail. The court considers an original signed
document as authentic evidence, but a printout of an electronic document or a scanned-in version of a
paper original as hearsay and remote evidence. Although this classification can complicate a legal matter,
the justice system accepts it since it is very easy to alter electronic documents deliberately. It is accordingly
just much more difficult to prove the authenticity of electronic evidence (Information Age 2006:Internet).
United States Magistrate Judge Paul W. Grimm in the case of Lorraine v. Markel, 2007, handled the first
landmark court case. Judge Grimm would not allow either party to submit electronic evidence since
neither followed proper authentication measures prior to trial. A sure way to render electronic evidence
admissible is to ensure that all requested documents are produced in native file format as “… metadata may
be especially relevant in a case such as this where the integrity of dates entered facially on documents
authorising the award of stock options is at the heart of the dispute” (Klaff 2008:Internet). In essence,
authentication can be considered as conditional relevancy.
The evidence should also have “… the tendency to make the existence of any fact… more or less
probable” (LexisNexis 2007:3). Interestingly, Judge Grimm states “… there is a distinction between the
admissibility of evidence and the weight to which it is entitled in the eyes of the fact finder”. Should the
judge find the evidence irrelevant to the case at any point, the inquiry ends and the evidence is
considered inadmissible. The main objective of ensuring authenticity is to assure that the digital data
and records are as valid on retrieval, as when they were first stored and preserved. Largely, authenticity
walks hand in hand with reliability, or the trustworthiness of the content of the record. An authentic record
is defined as "… reliable records that over time have not been altered, changed or otherwise corrupted". It
guarantees that the record is not changed or manipulated after creation (Sanett & Park 2002:15).
Forensic investigators can use any of a number of data-level authenticity controls to address authenticity
and trustworthiness successfully. The problem remains, however, that the current lack of standardised
procedures can lead to uncertainties about the effectiveness of investigation techniques. This makes it
more difficult for the investigator to prove authenticity. Specific controls for authenticating the evidence
are discussed in Chapter 13. The next section looks at the last practical problem that an investigator
may encounter during a Live Forensic investigation - acceptance in court.
5.2.5 Practical Problem 5: Ensuring Full Acceptance of Computer Technology
by the Court
In South Africa, the Electronic Communications and Transactions (ECT) Act was formalised in 2002.
This act discusses the admissibility of computer evidence and emphasises the necessity of digital
evidence integrity.
One of the Act’s main objectives is to promote the understanding and acceptance of growth in the
number of electronic transactions. It should form the basis of discussion of data requirements for
evidential purposes in South Africa (South Africa 2002:Internet). However, many individuals in South
Africa are still not computer literate, let alone able to understand the intricacies and complexities of
advanced computer technology.
A further problem is the general global fear of older generations to embrace technology, this being a
particularly prevalent problem within the global judicial system: "While judges may resist the use of
technological advances within the court itself, we cannot avoid the impact of these scientific and
information revolutions on the substance of what we do. The rush of new scientific developments has
been so swift that the court system is struggling to deal with the expert testimony they produce…”
(Shelton 2006:63). According to studies done by Jones and Fox (2009:Internet), between 85% and 95%
of 18 to 30-year olds are online, whilst only 50% of 50-year olds and older are online.
Although courts do accept technology as evidence in court, as guided by the ECT Act of 2002, ensuring
full acceptance of computer technology in court may prove to be a prolonged process. This complicates
the processing of Digital Forensic cases. The next paragraph summarises the practical problems that
may be encountered during a Live Forensic Acquisition.
5.2.6 Summary of Practical Problems
So far, this study has revealed five prominent problems that may hamper the further development of the
Live Forensic discipline. These problems are:
• how to gain forensically sound access to a suspect machine (Paragraph 5.2.1);
• the dependency of the acquisition on OS (Paragraph 5.2.2);
• the inherent possibility of data modification (Paragraph 5.2.3);
• how to prove authenticity of the evidence (Paragraph 5.2.4); and
• how to ensure acceptance of the use of the technology in a court of law (Paragraph 5.2.5).
The previous sections introduced these five potential problems. Chapter 13 will look at them in more detail
and suggest possible control measures. The next section looks at current techniques used to perform
Live Forensic Acquisition.
5.3 Currently Applied Techniques for Live Forensic Acquisition
The implementation of Live Forensic Acquisition can be very complicated, especially if the investigator
needs to consider the problems mentioned in Paragraph 5.2. There are several methods to perform Live
Forensic Acquisition, based on either software applications or hardware devices. Most of these involve
running an agent or application of some kind on the system itself, or installing a hardware device
beforehand. Accordingly, these techniques can potentially allow for possible data modification.
Regardless of the acquisition approach used by the forensic investigator, a number of basic rules should
be adhered to. These rules are:
• The acquisition tool should read all digital data from the source and write them to a non-volatile
destination location.
• The tool must not allow data to be written to the source.
• The investigator needs to fully document all steps followed, including the hardware and software
resources used to read the source data.
• If there are I/O errors while reading the source data, the tool must write a specified value to the
corresponding locations in the image and log the type and location of the error.
• If the destination of the data is larger than the source, the tool shall identify the start and end
locations of the source data within the destination.
• The tool should freeze the target system during the acquisition process to prevent memory
modification. The page table should also remain consistent.
• The tool should calculate one or more hash values of the data that are read from the source.
• If the destination of the data is smaller than the source, the investigator needs to either abort
the action, or copy as much data as possible into the destination. This may be rendered as
forensically unsound data (Carrier & Grand 2003:57).
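The rules above, as an added Python example that is not part of the thesis or of any cited tool: a block imager over an in-memory, read-only source that fills unreadable blocks with a fixed value and logs their type and location, records where the source data lies inside a larger destination, hashes the acquired data, and aborts (or flags an unsound partial copy) when the destination is too small. The block size, fill value, tool name and sample source are constructed assumptions, and the freeze-the-target rule for memory acquisition is not modelled.

```python
"""Block-level acquisition that follows the basic rules above: read every block
from a read-only source, write to a separate destination, fill unreadable blocks
with a fixed value and log them, record where the source data sits in a larger
destination, hash what was acquired, and refuse (or flag as unsound) a destination
smaller than the source. Constructed example with in-memory byte stores."""
import hashlib

BLOCK = 512                      # bytes per block (constructed value)
FILL = b"\x00" * BLOCK           # the "specified value" written for unreadable blocks
TOOL_ID = "toy-imager 0.1"       # recorded in the log: document the resources used


class ReadOnlySource:
    """Stand-in for a suspect disk: reads succeed except for listed bad blocks,
    and any attempt to write is refused (the tool must never write to the source)."""

    def __init__(self, data, bad_blocks=()):
        self._data = data
        self._bad = set(bad_blocks)

    def __len__(self):
        return len(self._data)

    def read_block(self, i):
        if i in self._bad:
            raise OSError(f"unrecoverable read error at block {i}")
        return self._data[i * BLOCK:(i + 1) * BLOCK]

    def write_block(self, i, data):
        raise PermissionError("acquisition tool must never write to the source")


class AcquisitionResult:
    """Image bytes plus the log an investigator would attach to the report."""

    def __init__(self):
        self.image = b""
        self.sha256 = ""
        self.md5 = ""
        self.errors = []          # (block index, error text)
        self.log = [f"tool={TOOL_ID}"]
        self.complete = False     # True only when every source block was copied
        self.source_span = None   # (start, end) byte offsets of source data in the destination


def acquire(source, dest_capacity, partial_ok=False):
    """Copy `source` into a destination of `dest_capacity` bytes and return an
    AcquisitionResult. A destination smaller than the source aborts unless
    partial_ok is set, in which case the copy is flagged as forensically unsound."""
    res = AcquisitionResult()
    src_len = len(source)
    total_blocks = -(-src_len // BLOCK)          # ceiling division
    nblocks = total_blocks
    res.log.append(f"source={src_len} B destination={dest_capacity} B block={BLOCK} B")
    if dest_capacity < src_len:
        if not partial_ok:
            res.log.append("ABORT: destination smaller than source; nothing written")
            return res
        nblocks = dest_capacity // BLOCK
        res.log.append(f"WARNING: copying only {nblocks} of {total_blocks} blocks; "
                       "partial image, treat as forensically unsound")
    sha, md5 = hashlib.sha256(), hashlib.md5()
    out = bytearray()
    for i in range(nblocks):
        try:
            blk = source.read_block(i)
        except OSError as err:
            # Keep the image aligned: write the fill value, then log type and location.
            blk = FILL[:min(BLOCK, src_len - i * BLOCK)]
            res.errors.append((i, str(err)))
            res.log.append(f"read error: block {i} ({type(err).__name__}: {err}); "
                           f"filled with 0x{FILL[0]:02x}")
        out += blk
        sha.update(blk)
        md5.update(blk)
    res.image = bytes(out)
    res.sha256, res.md5 = sha.hexdigest(), md5.hexdigest()
    res.source_span = (0, len(out))
    res.complete = len(out) == src_len
    if dest_capacity > len(out):
        res.log.append(f"source data occupies destination bytes 0-{len(out) - 1}; "
                       f"remaining {dest_capacity - len(out)} B are unused")
    res.log.append(f"sha256={res.sha256} md5={res.md5}")
    return res


def build_sample_source():
    """Constructed 4-block source whose third block (index 2) is unreadable."""
    data = b"".join(bytes([65 + i]) * BLOCK for i in range(4))   # 'A'*512, 'B'*512, ...
    return ReadOnlySource(data, bad_blocks=[2])


if __name__ == "__main__":
    result = acquire(build_sample_source(), dest_capacity=4096)
    print("\n".join(result.log))
    print("complete:", result.complete, "errors:", result.errors)
```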
Unfortunately, most techniques involve the introduction of an additional process into a system of already
running processes. To limit the interference of these processes with currently running processes, it is
necessary to shut down some of the currently running processes or services. These include:
• Antivirus programmes. Most antivirus programmes are set to update themselves or run scans
automatically, potentially interfering with the investigation.
• Task scheduler. Scheduled jobs may get in the way of the acquisition process should they start
during the investigation.
• Windows firewall. Depending on the configuration, the firewall may interfere with the Live
Forensic Acquisition and block some of the volatile information sources.
• Exchange/Internet Information Services (IIS). The system will continue to process email and web
pages during the acquisition if it is not disconnected (Carvey 2007:Internet).
Once the investigator has terminated the unnecessary processes, he/she needs to select a software- or
hardware-based technique to initiate the Forensic Acquisition. The next paragraph looks at current software
techniques used to perform Live Forensic Acquisition.
5.3.1 Software Techniques to Perform Live Forensic Acquisition
Many incident responders run tools such as ps and netstat to collect obvious data. Linux uses ps tools to
look at the system’s internals, while Windows uses netstat to search for new files and services, high
execution times, the Address Resolution Protocol (ARP) table and new users (Vidas 2006:9). However,
these tools leave most of the system’s memory unanalysed (Carrier & Grand 2003:51).
A number of Live Forensic techniques involve the use of either proprietary or customised software packages.
In general, these methods acquire a system’s volatile memory using invasive techniques and typically
write back to memory or to the system’s hard disk (Carrier & Grand 2003:51). The main problem with these
intrusive methods is the overwriting of valid evidence. Every time an investigator creates a new file, the
system may overwrite unallocated clusters. Similarly, new processes may take up space in the RAM,
removing valid evidence from the cache (Vidas 2006:13).
Even though it is unlikely that any court will accept this evidence as forensically sound, it is still a good
idea to document all steps and tools used thoroughly. This may provide sufficient expert knowledge to
convince the judge of the forensic soundness of the evidence. The remainder of this section discusses
four software techniques: software agents, memory dump, NotMyFault and the Live Response Toolkit.
5.3.1.1 Software Technique 1: Software Agents
The current software best practice is to load a tiny forensic software agent in the kernel of the computer
to gain access remotely to the physical memory of the computer (see Paragraph 3.3.2). The intention is
that this evidence can be used, provided that the forensic investigator can give reasonable assurance
that the evidence was not substituted, contaminated, or tampered with (Casey 2007:49).
A number of forensic packages allow forensic investigators to use an agent or install a programme on the
suspect system to perform Live Forensic Acquisition. ProDiscover requires the installation of the
PDServer agent from a DVD or thumb drive. FTK Imager runs from a CD or thumb drive and writes the
image files to an external drive or an already-mapped share. EnCase Enterprise requires the installation
of a servlet on the suspect system (these tools are all discussed in more detail on the accompanying CD,
see Forensic tools).
Although investigators can prove that these techniques are forensically sound, experts recommend
consideration of Heisenberg's Uncertainty Principle (Carvey 2007:Internet). Paragraph 6.4 introduces this
principle. Many of the tools discussed in this section propose some variation on this best practice.
5.3.1.2 Software Technique 2: Memory Dump
A popular software-based technique is to perform a complete system memory dump (Vidas 2006:13). A
memory dump is a display or printout of the contents of a computer’s memory. When a programme abruptly
ends, an investigator can examine the memory dump to determine the status of the computer at the time
of the crash. The investigator looks into the buffers to see which data items caused the failure. Additionally,
the investigator can inspect the counters, variables, switches and flags (PC Magazine 2008:Internet).
A memory dump file records the smallest set of useful information that may help identify problems with
the computer. Generally, a memory dump file requires a paging file of at least 2 megabytes on the boot
volume. This dump file includes the following information:
• the stop message, its parameters and other data;
• a list of loaded drivers;
• the processor context for the processor that stopped;
• the process information and kernel context for the process that stopped;
• the process information and kernel context for the thread that stopped; and
• the kernel-mode call stack for the thread that stopped (Microsoft 2008a:Internet).
Figure 5-5 and Figure 5-6 show the tabs investigators need to access in a Windows OS to create a
memory dump. A memory dump does not explicitly install a software package onto the suspect machine,
but rather reflects the software and its processes already existing on the machine. The next section
deals with NotMyFault, which involves the explicit installation of additional software.
5.3.1.3 Software Technique 3: NotMyFault
A more controversial technique used to crash a system is NotMyFault, developed by Mark Russinovich
of Sysinternals. NotMyFault can generate faults like High IRQL fault, Code Overwrite, Buffer Overflow
and Deadlock, which can crash Windows. This tool is very helpful in analysing memory dumps,
introduced in Paragraph 5.3.1.2 (Swatkat 2005:Internet).
Figure 5-5: Screenshot - Windows My Computer Properties
Figure 5-6: Screenshot - Windows My Computer Properties Advanced Properties
The NotMyFault system consists of two parts, a driver and an application. The driver, MyFault.sys (less
than 7 kb), must be loaded onto the suspect system, whilst the investigator uses the application
NotMyFault.exe (less than 50 kb) to issue calls to the driver loaded into the kernel. This crashes the
system on behalf of the user level in various ways (Vidas 2006:20). Figure 5-7 shows the NotMyFault
screenshot. It gives the user the option to choose a method to crash the system.
Figure 5-7: Screenshot - NotMyFault (Vidas 2006:20)
The NotMyFault system may be very useful and provide invaluable information to the forensic investigator.
However, research still needs to prove that this technique leaves the evidence forensically sound. This
technique is an advanced form of the traditional Forensic Acquisition, since the system forces the
suspect system to crash. The next section introduces a toolkit used specifically for Live Forensic Acquisition.
5.3.1.4 Software Technique 4: Live Response Toolkit
The Anti-Hacker toolkit, written by Shema and Johnson (2004:577), recommends the use of the Live
Response Toolkit. The response toolkit outputs the results of all the commands it runs directly to a
destination workstation for storage and analysis, preventing the output from destroying or overwriting
potential evidence on the suspect computer system.
According to Shema and Johnson (2004:577-592), the Live Response Toolkit consists of the following tools:
• fport. Investigators generally run this tool first when encountering a compromised machine.
This tool maps every open TCP and UDP port on the suspect machine to a running executable
on the system. It is useful to locate different types of backdoors that would allow an attacker an
easier entry into your system.
• cmd.exe. This tool is a trusted command shell, located on every Windows NT or 2000 system.
cmd.exe is a 32-bit command prompt that offers disk and file maintenance functions to your
computer as well as network functions (Uniblue 2007:Internet).
• Netstat. This tool is useful for checking your network configuration and activity. It displays the
listening and current connections’ network information for the suspect machine. This information
helps to identify disreputable activity and installed backdoors on a suspect machine. Unlike fport,
however, netstat tells only which ports are open, and not which processes are using them.
• Nbtstat (NETBIOS tool). This tool, automatically installed in the Windows OS, lists the NETBIOS
name cache within the suspect computer. It is designed to access resources such as network
drives or printers shared by Windows through the NetBIOS protocol (NetScanTools
2008:Internet). If there are machines on the list that should not be connected to the system, it
is easy to identify them.
• ARP. The ARP table maps the physical machine addresses of the Ethernet cards to the
associated Internet Protocol (IP) addresses in the subnet. By using the ARP command, it is
possible to see which MAC address maps to which IP address, identifying individuals who may
be busy with unlawful actions.
• Loggedon. This tool provides a list of all users using proper logging on procedures for a specific
machine. It does not show users in a backdoor of the system.
• Dump Event Log (dumpel). This tool is a command line utility that dumps event logs in a human-
readable format for offline analysis. The investigator can import this format into a spreadsheet,
and then use the utility to filter for certain event types and to filter out certain event types.
• Regdmp. The registry is a computer’s largest logging facility. It contains all the information about a
particular installation of Windows and other installed programmes. This information could be useful
to the investigator and could supply additional leads such as the last few places the machine
connected to with the telnet client, the last few most recently used documents for each programme
and the executables started when the machine is booted.
• PsList. This tool lists all rogue processes, such as backdoors, sniffers and password crackers
in the process table listing. The attacker may execute these processes on the system after its
compromise.
A forensic investigator can use any combination of these software tools to acquire the necessary evidence
from the system in question. Generally, the Live Response Toolkit is not a standard toolkit, but can
constitute any combination of the above tools.
5.3.1.5 Conclusion of Software Techniques
This section identified four techniques that forensic investigators can apply during a forensic investigation:
• software agents (Paragraph 5.3.1.1);
• memory dump (Paragraph 5.3.1.2);
• NotMyFault (Paragraph 5.3.1.3); and
• the Live Response Toolkit (Paragraph 5.3.1.4).
All four techniques are software-based and require the investigator to run a programme on the suspect
computer system. This may complicate the investigation on a legal foundation, since opposing counsel or
the court may argue that these programmes interfere with the data. It therefore may lead to a ruling of
inadmissible evidence. The next section looks at the hardware techniques currently used to perform Live
Forensic Acquisition.
5.3.2 Hardware Techniques to Perform Live Forensic Acquisition
Hardware techniques to perform Forensic Acquisition are less common than software techniques. These
techniques, although proven highly successful by some investigators, are not as popular as their software
counterparts. The remainder of this section discusses four hardware techniques:
• the Tribble device;
• PCI expansion card;
• Sparc OpenBoot; and
• COFEE (Computer Online Forensic Evidence Extractor).
5.3.2.1 Hardware Technique 1: Tribble Device
The Tribble device, developed by Carrier and Grand (2003:50), acquires computer memory with the push of
a button. This hardware-based procedure makes an accurate and reliable copy of volatile memory
contents for investigative examination. However, the forensic investigator needs to pre-install the device on
the suspect system prior to an incident (Casey 2007:49).
The Tribble device may prove to be very helpful in an investigation with the Code Red and SQL Slammer
worms. These worms reside only in volatile memory and do not write anything to disk. Accordingly, Dead
Forensic Acquisition may only find limited evidence in the swap and hibernation file. Investigators may also
find the memory contents interesting, due to the vast variety of information found there. It contains data
from running processes, unencrypted data, passwords, viruses and the state of user activity (Carrier &
Grand 2003:50,51).
One of the reasons why Live Forensic Acquisition is necessary is because data stored in volatile memory are
lost when the computer shuts down. The Tribble device, in contrast with the software techniques discussed
in Paragraph 5.3.1, does not involve untrusted software, nor is it invasive (Carrier & Grand 2003:57).
Figure 5-8 shows the environment in which the Tribble device functions.
Figure 5-8: The Tribble development environment (Carrier & Grand 2003:57)
The Tribble device employs a PCI expansion card, installed into the computer before an intrusion occurs.
This card dumps the exact contents of the volatile physical memory to an external, non-volatile storage
medium. When the PCI controller is installed for this reason, the person installing it generally disables it
after installation. The controller then purely serves as catalyst in the event of a criminal incident. The card
is only activated by the incident response team and will not respond to bus queries from the host system.
The theory is that the device only becomes visible once the incident response team enables it. Therefore,
the computer user should remain unaware of the additional card, unless he/she looks at the computer’s
hardware (Carrier & Grand 2003:57).
During a forensic investigation, the investigator plugs the Tribble card into the PCI bus. It is then possible
to read the system memory via the PCI interface, without modifying its contents. First, the Tribble device
accesses the volatile memory through the PCI controller. Then the Joint Test Action Group (JTAG) does a
boundary scan and tests the interface, before saving the content in the development platform. As visual
aid to the investigator, the content of the retrieved volatile memory displays on the debug console in both
ASCII and hexadecimal format (Carrier & Grand 2003:57).
In principle, the Tribble device works perfectly. However, it does present a number of problems. Firstly, the
device needs prior installation. Accordingly, this technique is viable for a high-risk environment where
the system administrator takes the necessary precautions, but is not viable in a random environment
where investigators need a search warrant for the investigation. The device has not been designed for
an Incident Response Team member to carry in his toolkit to install after an incident and needs to be
implemented as part of a forensic readiness plan. Systems with Plug-and-Play support pose another
problem. These systems may, upon enabling of the PCI controller, detect the new device and ask for a
driver. To prevent this, the PCI controller’s original installer can install a dummy device driver that is loaded
when the card is enabled, but does not interact with the physical card (Carrier & Grand 2003:57).
Originally, Carrier and Grand developed this device to prove that system memory could be read via the
PCI interface without modifying its contents. The goal was to design and implement a procedure that can
make an accurate copy of volatile data, whilst minimising the amount of volatile and non-volatile data that
is modified on the suspect system during the process (Carrier & Grand 2003:57). Therefore, forensic investigators
can now also use this system successfully, should it be proven forensically sound.
5.3.2.2 Hardware Technique 2: PCI Expansion Card
An alternative method is to install a PCI expansion card into a computer before an intrusion occurs. This
will dump the exact contents of volatile physical memory to an external, non-volatile storage medium.
The PCI controller is by default disabled, and only activated by the forensic team. Accordingly, the card
will not respond to bus queries from the host system. Neither will the device show visible connection to
the PCI bus (Carrier & Grand 2003:51).
When the incident response team activates the controller on the card, it takes control of the PCI bus.
The card first suspends the CPU, preventing an attacker from modifying memory contents while the
acquisition is in process. After that, the card uses Direct Memory Access (DMA) to copy the contents of
physical memory to an external non-volatile storage device. Once the investigator successfully copied
the physical memory to the non-volatile storage device, the CPU resumes and the OS continues to
execute (Carrier & Grand 2003:55).
5.3.2.3 Hardware Technique 3: Sparc OpenBoot
Similar to the memory dump, the OpenBoot firmware in a Sun system uses Sparc architecture to dump
the contents of physical memory to a storage device. This memory dump allows the investigator to suspend
any running processes within the system. By typing the sync command in the OpenBoot prompt, the
memory and register contents are dumped to a pre-configured device such as the swap space on a hard
drive (Carrier & Grand 2003:53). In essence, the sync command debugs the OS.
After writing the memory, the system reboots and copies the memory from the dump device to the file
system. By default, Sparc OpenBoot will only save the pages for kernel memory, but users can configure the
system to save all memory. The design is hardware-based and executes from ROM. It is designed in such
a way that attackers cannot modify the system. An added benefit is that the system suspends all activities
whilst a response team is busy with the acquisition (Carrier & Grand 2003:53). A disadvantage of this
technique is that it overwrites data in swap space. Additionally, it requires the system to reboot to copy the
memory contents from the swap space (Carrier & Grand 2003:53). This renders the acquired evidence
forensically unsound.
5.3.2.4 Hardware Technique 4: COFEE
One of Microsoft’s latest inventions is a small USB plug-in device that investigators can use to extract
forensic data quickly from computers. As part of its trial, Microsoft distributed a number of these devices
free of charge to Law Enforcement agencies in June 2007 (My Opera 2008:Internet). COFEE is a
framework for First Responders to acquire evidence quickly and accurately from a live computer system.
This framework can be used by Law Enforcement to leverage publicly available tools to access
information on a live Windows system operating from a USB storage device (Microsoft 2008b:Internet).
Originally developed by Anthony Fung in 2006 (Romano 2008:Internet), the device is perfect for Live
Forensic Acquisition. It can gather evidence on site by scanning the suspect computer with the device.
This tool provides investigators with a means to extract data from a suspect’s live computer at the crime
scene. It contains 150 commands to gather digital evidence and can decrypt passwords, analyse a
computer's Internet activity and analyse stored data in the computer memory (My Opera 2008:Internet).
COFEE is a preconfigured compilation of publicly available forensic tools (Romano 2008:Internet) and
plain text scripts. The creator did not intend to develop new forensic tools, but rather focus on the
automation of tools that are already accepted within the industry (Vamosi 2008:Internet). COFEE is an
automated tool (Cranton 2008:Internet) intended for use from the command line, but it does offer a GUI
option. It attempts to ensure forensic soundness by generating either SHA-1 or MD5 checksums to verify
the data’s integrity (Romano 2008:Internet).
COFEE decreases investigation time dramatically. Additionally, forensic investigators can customise
COFEE with additional tools and commands, should the forensic investigator require a specific functionality
not included by default (Romano 2008:Internet). Unfortunately, this tool only works on Windows.
5.3.2.5 Conclusion of Hardware Techniques
This section identified four hardware devices that forensic investigators can use during a forensic
investigation:
• the Tribble device (Paragraph 5.3.2.1);
• the PCI expansion card (Paragraph 5.3.2.2);
• SPARC OpenBoot (Paragraph 5.3.2.3); and
• COFEE (Paragraph 5.3.2.4).
All four devices are hardware-based and the first three require the investigator to install the device’s
driver beforehand on the suspect computer system. This may complicate the investigation on a legal
foundation, since opposing counsel may argue that these programmes interfere with the data, which
may in turn lead to a ruling of inadmissible evidence. In general, however, hardware applications are
more difficult for attackers to tamper with.
Although these solutions do require driver installation, they have two main advantages: they can access memory
without relying on the OS and they do not need to use system memory whilst running (Carrier & Grand
2003:53). The next section summarises the currently used software and hardware techniques for Live
Forensic Acquisitions.
5.3.3 Conclusion of Current Applied Techniques
The previous sections looked at some of the software and hardware techniques currently applied to perform
Live Forensic Acquisition. This list is not comprehensive, but rather representative of the different types
of techniques applied at the time of writing. Table 5-1 presents a summation of these techniques. None
of the techniques is completely forensically sound.
Table 5-1: Currently applied techniques for Live Forensic Acquisition (Own compilation)
Software techniques          Hardware techniques
Software agents              Tribble device
Memory dump                  PCI Expansion Card
NotMyFault                   SPARC OpenBoot
Live Response Toolkit        COFEE
The idea behind forensically sound evidence is to disturb the crime scene as little as possible. However,
it is very difficult to introduce a new process without leaving some traces of activity on the system. The basic
traces include the memory used, buffers and the pagefile (Carvey 2007:Internet). The next section
summarises the content of Chapter 5 and lists some of the drivers identified as valuable in the
development of the Liforac model.
5.4 Summary
Part 2 focuses on the practical aspects of Live Forensic Acquisition. Chapter 5 started with a brief
discussion of the different ways in which organisations around the world currently respond to a cyber attack,
and looked at the properties of digital evidence. It also looked at two important aspects of Live Forensic
Acquisition: a number of practical problems associated with Live Forensics and current techniques of
applying Live Forensics. Although these techniques may not all be scientifically validated, they give the
reader an idea of the direction in which Live Forensic Acquisition is heading. These techniques are divided into
software-based techniques and hardware-based techniques.
In summary, the six drivers identified from Chapter 5 to contribute to the development of the Liforac
model are as follows, with the originating paragraph between brackets:
• Electronic information is a valuable resource for any organisation and needs to be protected. Although
this driver does not directly contribute to the development of the Liforac model, this knowledge
provides some motivation for the development of the model (Paragraph 5.1);
• Digital evidence has unique properties that set it apart from real world evidence. This driver has
a direct impact on the legal aspects of the proposed Liforac model (Paragraph 5.1);
• Organisations generally have three possible options to respond to a cyber attack, and accordingly,
a cyber investigation (Paragraph 5.1);
• Locard principle: “… when any two objects come into contact, there is always transference of
material from each object onto the other”. This driver has a direct impact on the problems Live
Forensics face regarding forensic soundness and modification of data (Paragraph 5.1);
• Five identified practical problems with Live Forensics (Paragraph 5.2, Figure 5-2):
− gaining access to the suspect system;
− acquisition dependent on the OS;
− data modification during the acquisition process;
− demonstrate the authenticity of evidence;
− ensuring full acceptance of computer technology by the court.
These problems directly influence the Scope dimension of the Liforac model.
• Both software and hardware methods exist to perform Live Forensic Acquisition. These methods aid
the understanding and the application of Live Forensics and accordingly influence the development
of the Liforac model (Paragraph 5.3.1, Paragraph 5.3.2).
When considered individually, most of these drivers suggest a knowledge component. Depending on
the drivers identified in subsequent chapters, this theme may influence the identification of possible
dimensions for the Liforac model. The themes will be addressed in Chapter 9.
Chapter 6 will now consider the concept of forensic soundness. This chapter will address Objective C,
Identifying sound forensic techniques. Chapter 6’s information builds on the foundation of Live Forensics
set by Chapter 5, looking at sound forensic techniques in the Live Forensic discipline.
Chapter 6: Forensically Sound Live Acquisition Admissible in Court
“In this age of ‘CSI’ and forensic medicine it’s clear that with good old-fashioned police work…
We can put together a circumstantial case…
And we can make sure that justice, however delayed, is not denied.”
- Jeanine Pirro
Part 2 of this study focuses specifically on Live Forensics, its uses and applications within the cyber
environment and the possibility to admit associated data as evidence to court. Chapter 5 looked at the
practical problems with implementing Live Forensics, as well as the current application of Live Forensics
within the field of Digital Forensics. Chapter 6 is taking the study on Live Forensics a step further: in order
to identify which data are admissible in court, it is necessary to examine the idea of forensic soundness.
Chapter 6 involves a lot of in-depth and background research. It looks at court standards and requirements to
classify data as evidence that is admissible in court. This involves investigating the Frye and Daubert tests,
as well as the rules for electronic records and its legal admissibility. This chapter also compares Digital
Forensics and Physiological Forensics, and the possibility to apply Physiological Forensic principles to
ensure forensic soundness in Digital Forensics. This investigation links to the volatile nature of Digital
Forensics and which measures need to be taken to ensure the admissibility of evidentiary data to court.
Figure 6-1: Liforac model progress - Identify sound forensic techniques (Own compilation)
Figure 6-1 indicates the current level of progress with regard to identifying building blocks for the Liforac
model. Chapter 6 fulfils Objective C, Identify sound forensic techniques (originally presented in Figure
2-2). Figure 6-1 shows that both Objective A and B have been addressed in previous chapters. The
following paragraph introduces the concept of forensic soundness and provides formal definitions for this
concept.
6.1 Introduction
Digital Forensics is a technical application of computer related knowledge, constricted by a number of
technical issues. In addition to these restrictions, numerous laws strictly bind forensic investigators to the
letter. The implementation of some of these laws is sometimes rather disdainful (Jones 2007:1).
According to Bejtlich (2006:Internet), a forensically sound copy of a hard drive is “… created by a method
that does not, in any way, alter any data on the drive being duplicated. A forensically sound duplicate
must contain a copy of every bit, byte and sector of the source drive, including unallocated empty space
and slack space, precisely as such data appears on the source drive relative to the other data on the
drive. Finally, a forensically-sound duplicate will not contain any data (except known filler characters)
other than which was copied from the source drive."
An alternative definition for a forensically sound copy of a drive is “… a complete and accurate representation
of the source evidence. A forensically sound duplicate is obtained in a manner that may inherently (due
to the acquisition tools, techniques and process) alter the source evidence, but does not explicitly alter the
source evidence. If data not directly contained in the source evidence is included in the duplicate, then
the introduced data must be distinguishable from the representation of the source evidence. The use of
the term complete refers to the components of the source evidence that are both relevant and reasonably
believed to be relevant" (Bejtlich 2006:Internet).
Since neither of these definitions of forensic soundness allows any leeway for live acquisitions, Mike Murr
redefined forensic soundness by adding “… the manner used to obtain the evidence must be documented,
and should be justified to the extent applicable” (Murr s.a.:Internet). The next section shows how these
definitions can be applied in the real crime environment. It shows two possible tests, the Frye and
Daubert tests, to determine whether evidence can be considered as admissible in court.
6.2 Evidence Admissible in Court
Evidence can either make or break an investigation. Therefore, it is crucial to ensure that all evidence is
admissible in court, according to the definitions presented in Paragraph 6.1. Should the court reject any
item of evidence, it can hurt the case. At the very least, this rejection can portray the investigators as
incompetent. Since the items of evidence first need to be submitted to court for approval of admission,
the correct terminology is “… artefacts of potential evidentiary value”, rather than evidence. An item can
only be formally considered evidence once the court accepts it (Brown 2005a:4).
Especially with Digital Forensics, where the court and/or opposing counsel may not be too familiar with
the topic, it is necessary to educate the audience. The educating witness teaches the audience about
the underlying scientific theory. This witness classifies as an expert witness and may elicit professional
opinions regarding the validity of a theory and the reliability of specific tools. A court may accredit a witness
as an expert witness if they have the necessary academic qualifications or specific forensic training.
Additionally, many jurisdictions require the theory used by an expert witness to meet certain qualifications
before being used in court.
Paragraph 6.2 presents an overview of when digital evidence (artefacts of potential evidentiary value) can
be expected to be successfully admitted to court. Many organisations and institutions set up their own
rules and regulations regarding this matter. In general, courts apply the Frye and Daubert tests to determine
the validity of the artefacts. These two tests are discussed in the following sub sections.
6.2.1 Frye Test
From 1923 to 1993, a heuristic known as the Frye test controlled the admissibility of expert evidence after a
District of Columbia Court of Appeals case. The Frye test held the expert scientific evidence admissible
only if the scientific community generally accepted the scientific principles upon which it was based (Ryan &
Shpantzer 2005:2).
In 1923, a Washington D.C. court found James Frye guilty of murder. This conviction was based on a new lie-
detector test that indicated a person was lying if his/her systolic blood pressure elevated. Frye appealed
this conviction and the appeals court ruled that a new scientific principle or discovery can only be used
as evidence in a court of law if it is "… sufficiently established to have gained general acceptance in the
particular field in which it belongs" (Gardner 2000:Internet). The court ruled that the blood-pressure test
had not gained such acceptance. Accordingly, the appeals court reversed Frye’s conviction.
Interestingly, lie-detector tests only gained respect in the scientific community, and accordingly in courts,
during the 1970s and 1980s (Net Industries 2008:Internet).
The Frye test states that admissible scientific evidence must be a result of a theory that had general
acceptance in the scientific community. This test results in uniform decisions regarding admissibility.
Although no law forces courts to apply the Frye test, non-committing cases can easily be appealed (Gardner
2000:Internet). The Frye test proves to be helpful in many disputed court cases. However, with the new
development of Live Forensic Acquisition in Digital Forensics it may be problematic in some instances.
In the practical application of this standard, proponents of a particular scientific issue need to provide a
number of experts to speak to the validity of the science behind the issue in question. The downside of
this test is that it may not be flexible enough to adapt to truly new and novel scientific issues. In most
jurisdictions, the Daubert standard has superseded the Frye standard (Gardner 2000:Internet).
6.2.2 Daubert Test
In the late 1990s, the Daubert test officially took the place of the Frye test in controlling the admissibility
of expert evidence. A Daubert motion is raised before or during trial to exclude the presentation of
unqualified evidence to the jury. Counsel uses this technique to exclude the testimony of an expert
witness who has no specific expertise in the area or used questionable methods to obtain the information.
Generally, courts should only allow expert witnesses if their testimony is relevant to the case, with judges
having authority to exclude inappropriate testimony. Before Daubert, trial courts preferred to let juries hear
evidence offered by both sides. A Daubert motion excludes this evidence since it fails to meet the
relevancy and reliability standard (Daubert v. Merrell Dow Pharmaceuticals 1993:Internet).
The Daubert test arose out of the United States Supreme Court case Daubert v. Merrell Dow
Pharmaceuticals of 1993. Jason Daubert and Eric Schuller had been born with serious birth defects.
Jason Daubert was born in 1974 with only two fingers on his right hand and without a lower bone on his
right arm. His mother took Bendectin, an anti-nausea drug made by Merrell Dow, during her pregnancy
(Daubert v. Merrell Dow Pharmaceuticals 1993:Internet). Daubert, Schuller and their parents sued
Merrell Dow Pharmaceuticals Inc, claiming that the drug caused the birth defects.
Merrell Dow’s expert witness submitted documents showing that no published scientific study demonstrated
a link between Bendectin and birth defects. Daubert and Schuller submitted expert evidence suggesting
that Bendectin could cause birth defects, based on in vitro and in vivo animal studies, pharmacological
studies and re-analysis of other published studies. These methodologies had not yet gained acceptance
within the general scientific community, as required by the Frye test in Paragraph 6.2.1 (Daubert v. Merrell
Dow Pharmaceuticals 1993:Internet).
Daubert and Schuller argued that the Federal Rules of Evidence in 1975 withdrew Frye as the governing
standard for admitting scientific evidence in trials held in federal court. The Supreme Court agreed and
applied the rules governing expert testimony established by the Federal Rules of Evidence to the admission
of scientific evidence at trials conducted in federal courts. Under these rules, the judge determines
whether the evidence is scientifically valid and relevant to the case at hand. In addition, the jury uses
counsels’ cross-examination and the presentation of contrary evidence to determine whether the scientific
evidence is ultimately credible (Daubert v. Merrell Dow Pharmaceuticals 1993:Internet).
In Daubert, the court held that Rule 702 of the Federal Rules of Evidence succeeded Frye. Rule 702 provides
“… if scientific, technical or other specialised knowledge will assist the trier of fact to understand the
evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience,
training or education, may testify thereto in the form of an opinion or otherwise”. This implies that the
scientific evidence proposed possesses the scientific validity to be considered competent as evidence if it
is grounded in the methods and procedures of science (Ryan & Shpantzer 2005:2). Not all of the considerations
in Daubert have to be met for the evidence to be admitted. It is only necessary that the majority of the
tests be substantially complied with. The Daubert test requires four things:
• the theory is testable;
• the reliability and error rate;
• the extent of general acceptance by the scientific community; and
• the theory has been peer reviewed (Daubert v. Merrell Dow Pharmaceuticals 1993:Internet).
Eventually, Daubert presented a number of affidavits based solely on animal testing, claiming the existence
of a link between Bendectin and animal birth defects. The court dismissed the case on the basis that the
plaintiff’s evidence was “… not sufficiently established to have general acceptance in the field to which it
belongs". The court of law believes that the Daubert principles will result in a fair and rational resolution of
the scientific and technological issues that lie at the heart of product liability adjudication (Daubert v. Merrell
Dow Pharmaceuticals 1993:Internet).
In short, the Daubert ruling necessitates the judge to assess the scientific validity of a methodology or
technique invoked by an expert witness before the trial starts. The intention is to decide beforehand
whether the methodology can be applied to the facts in issue. To assist the judge in the ruling, he/she
can consider the following:
• Can and has the technique been tested?
• Has the technique been subjected to peer review and publication?
• Is the potential rate of error known?
• Are there any standards controlling the technique?
• Does the relevant scientific community accept this technique? (Amenya 2004:16).
Although the original plaintiffs of the Daubert v. Merrell Dow Pharmaceuticals of 1993 case lost the case,
it set a precedent for future cases involving scientific evidence. The following paragraph extends on this
scientific admissibility by examining the legal admissibility of specifically electronic records. This follows on
both principles from the Frye and Daubert tests.
6.2.3 Electronic Records and Legal Admissibility
The previous section looked at the tests used to determine whether evidence is admissible in court. This
section is an extension of this discussion, but focuses more specifically on the admissibility of electronic
records. Electronic records are particularly vulnerable to tampering since additions or deletions are not
necessarily apparent to the document viewer. Whilst it might be possible to identify the original or a copy
of a printed or photocopied document, it is a lot more difficult to identify the original from copies of an
electronic document (University of Edinburgh 2004:1).
What complicates matters even more is the increasing sophistication of electronic records. For example, a
record may embed a word-processed document with a dynamic link to a spreadsheet. This spreadsheet
allows automatic updates, making a paper audit trail tedious and an electronic trail impossible. During an
investigation, it would be a cumbersome process to recreate the electronic record in the exact form that
the user accessing the system saw it and accordingly to prove what information the user had access to
(University of Edinburgh 2004:3). This complexity complicates the defending argument to show beyond
a reasonable doubt that the user did/did not see a specific set of digital links.
Electronic Records
Electronic records and evidence are any form of data stored in digital format. In the simplest form, there
are two main types of electronic records:
• Records created electronically. This category includes word processor documents, e-mails,
spreadsheets and database records.
• Paper records copied to electronic media. This includes documents scanned into an electronic
filing system or database records that mimic paper documents (University of Edinburgh 2004:1).
Legal admissibility is the characteristic of a piece of evidence that determines whether a court of law will
accept it as evidence. This concept, however, is not at all straightforward. On the one hand, evidence
might be legally admitted to the court. On the other hand, opposing counsel often rely on placing doubt
on the evidential weight to diminish the efficacy of the legally admissible evidence. Counsel should be
able to prove that:
• the record has not been tampered with;
• the system the record is kept in is a secure system; and
• the system was secure throughout the lifetime of the record (University of Edinburgh 2004:1).
According to studies done by the University of Edinburgh (2004:1), there are no set rules for determining
the legal admissibility of an electronic document. However, it is possible to maximise the evidential
weight of a document by setting up authorised procedures and being able to demonstrate in court that
those procedures have been followed. The ECT Act includes a detailed section (Chapter III, Part 1) on the
legal admissibility of electronic records. Organisations and individuals complying with this practice should
be able to maximise the evidential weight of electronic records.
Evidential weight enables investigators to demonstrate the authenticity and reliability of electronic records.
There are two main elements to demonstrating the authenticity of these records:
• The possibility to freeze a record at a specific moment in time. This freezing literally brings the
contents of a specific file to a standstill, allowing no further changes to the file. This ensures that
no changes have been made to the file since it was frozen, proving authenticity.
• Maintaining a documented audit trail. An audit trail provides supporting information about the
records being stored, proving authenticity. The supporting information include:
− The name of the author;
− The date the record was created and stored;
− The names of people who accessed the document and the relevant dates; and
− Version information (University of Edinburgh 2004:3).
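As an added illustration (not part of the thesis), the two authenticity elements above, freezing a record and keeping a documented audit trail, can be made verifiable with checksums, as COFEE does for acquired data. Field names, the sample record and the hash-chained trail layout are this example's own assumptions.

```python
"""Freeze a record and keep a tamper-evident audit trail (constructed example).

Freezing = computing checksums of the record bytes at a fixed moment.
The audit trail holds the elements named in the text (author, creation date,
accessors with dates, version) as a hash chain, so editing the record or an
earlier trail entry is detectable. All names and dates below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # previous-hash value for the first trail entry


def digests(data: bytes) -> dict:
    """Checksums used to verify integrity. MD5 and SHA-1 mirror what the
    text says COFEE generates; SHA-256 is added because MD5/SHA-1 collisions
    are practical today, so the two weak hashes alone should not be relied on."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def _entry_hash(prev: str, body: dict) -> str:
    """Hash of one trail entry, bound to the hash of the entry before it."""
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()


@dataclass
class FrozenRecord:
    name: str
    author: str
    created: str      # date the record was created and stored (constructed)
    version: str
    content: bytes
    checksums: dict = field(default_factory=dict)
    trail: list = field(default_factory=list)

    def freeze(self, when: str) -> None:
        """Bring the record to a standstill: fix its checksums, open the trail."""
        self.checksums = digests(self.content)
        self.trail = []
        self._append({"event": "frozen", "by": self.author, "at": when,
                      "created": self.created, "version": self.version,
                      "sha256": self.checksums["sha256"]})

    def record_access(self, who: str, when: str) -> None:
        """Log the name of a person who accessed the document and the date."""
        self._append({"event": "accessed", "by": who, "at": when})

    def _append(self, body: dict) -> None:
        prev = self.trail[-1]["entry_hash"] if self.trail else GENESIS
        entry = dict(body)
        entry["prev_hash"] = prev
        entry["entry_hash"] = _entry_hash(prev, body)
        self.trail.append(entry)

    def verify(self) -> dict:
        """Re-hash content and re-walk the chain; report what is still intact."""
        content_ok = digests(self.content) == self.checksums
        prev, trail_ok = GENESIS, True
        for entry in self.trail:
            body = {k: v for k, v in entry.items() if k not in ("prev_hash", "entry_hash")}
            if entry["prev_hash"] != prev or entry["entry_hash"] != _entry_hash(prev, body):
                trail_ok = False
                break
            prev = entry["entry_hash"]
        return {"content_intact": content_ok, "trail_intact": trail_ok}


def demo() -> dict:
    """Freeze a constructed record, then show both kinds of tampering being caught."""
    rec = FrozenRecord(name="contract.doc", author="alice", created="2009-10-01",
                       version="1.0", content=b"constructed sample record content")
    rec.freeze(when="2009-10-01T09:00:00Z")
    rec.record_access("bob", "2009-10-02T10:30:00Z")
    rec.record_access("carol", "2009-10-03T14:05:00Z")
    results = {"clean": rec.verify()}

    rec.content += b" (edited after freezing)"      # content altered after the freeze
    results["content_edited"] = rec.verify()

    rec.content = rec.content[: -len(b" (edited after freezing)")]
    rec.trail[1]["by"] = "mallory"                  # accessor name rewritten in the trail
    results["trail_edited"] = rec.verify()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```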
Once the court determined the evidential weight of electronic records, the evidence is in principle accepted
in courts. The previous section looked at the specific occasions in which these evidentiary artefacts are
allowed in court, providing guidelines on determining both the evidential weight and the admissibility.
6.2.4 Conclusion of Evidence Admissible in Court
The most important question in determining the admissibility of real artefacts, concerns the authenticity of
the data. If the data changed in any way, counsel will have a very hard time convincing the court to include
it as evidence (Brown 2005a:18). The next section compares the Digital Forensic discipline with
traditional Physiological Forensics. This section looks at both the similarities and the main differences
between these disciplines.
6.3 Comparing Digital Forensics with Traditional Forensics
According to the Merriam-Webster online dictionary (2008:Internet), the word forensics dates back to
1659 and is of Latin origin. It consists of two root words: forensis, which means public, and forum,
which translates to debate. The general acceptance of this word relates to courts or judicature, public
discussions and debate. It is therefore a reasonable assumption that both Digital Forensics and traditional
forensics relate to the legality of matters, applying only to different types of matter. This section looks at
different ways in which Digital Forensics and Physiological Forensics can be altered and briefly motivates
why this alteration should be allowed in court cases.
Altering Physiological Forensic Evidence
Although the modification of evidentiary data remains a huge problem, it is not a new concept. Methods in
Physiological Forensics, such as Deoxyribonucleic Acid (DNA) analysis, also alter the original evidence.
However, courts still accept this evidence. When a traditional forensic investigator collects samples of
biological material, he/she needs to scrape or smear the original evidence. In many cases, DNA tests are
highly destructive.
Although investigators can extract information from the original evidence, investigators cannot present
the original blood sample or skin sample to the court as evidence. Despite the changes that occur during
preservation and processing, courts consider these methods as forensically sound. In fact, investigators
regularly submit DNA evidence as evidence (Casey 2007:49).
Altering Digital Forensic Evidence
Similarly, Digital Forensic investigators need to acquire data from a suspect system and analyse, examine
and alter its presentation to produce meaningful information to the courts. This meaningful information is
rarely in the same condition as when the investigator acquired the original data (similar to a traditional
forensic investigator obtaining a piece of fingernail and running DNA analysis to present in court).
When considering the use of traditional Digital Forensic measures, courts should allow the minor alteration
of original evidence, similar to the allowed minor alterations of original evidence in traditional Physiological
Forensics. However, investigators should still adhere to the basic Digital Forensic principles and not
alter evidence in such a way that the meaning thereof changes. The legal system therefore needs to be
updated to accept Digital Forensic analysis in a court of law, as long as the data still adhere to the definition
of forensic soundness presented in Paragraph 6.1. Investigators should focus on maintaining the reliability
and authenticity of the evidence (Casey 2007:49).
The Necessity of Altering Evidence
The growing number of attorneys and courts that rely on the results of digital examinations ignited a
global debate on the exact constitution of sound forensics. All parties involved agree that Forensic
Acquisitions should not alter the original evidence source in any way. However, forensic experts show
that the act of preserving certain digital sources in many cases requires the alteration of the original
evidence item (Casey 2007:49).
For example, the common method of performing Live Forensic Acquisition requires that the investigator
load the acquisition tool into memory. This overwrites some of the system’s volatile data and is a distinct
alteration of the original data evidence source. Another example concerns the use of remote forensic
tools. These tools require the investigator to establish a network connection, thereby altering the
original evidence source. Even the use of hardware write blockers (discussed in Paragraph 3.4.3) in data
acquisition from an Integrated Drive Electronics (IDE) hard drive may temporarily reconfigure
evidentiary data to access the HPA (Casey 2007:49).
It is not practical to set an absolute standard that dictates the preservation of everything and the modification
of nothing. Such a standard would undermine the viability and usability of both Cyber and Physiological Forensic
methods, and would throw the entire legal system into disarray (Casey 2007:49). As discussed earlier, even the
globally accepted method of DNA analysis allows for some form of controlled alteration.
The next section introduces the uncertainty principle. This discussion on the volatile nature of Digital
Forensics emphasises that evidentiary data will be modified by the slightest action in a computer system.
This volatile nature illustrates that it is practically impossible to investigate a computer system without
changing some aspects of the system log or volatile memory. This forms an integral part of the model for
comprehensive, forensically sound Live Forensic Acquisition.
6.4 Volatile Nature of Digital Forensics
The previous section explained that both Physiological and Digital Forensics occasionally require
controlled modifications to ensure the appropriate interpretation of the evidentiary artefacts. Although the
forensic discipline requires that no alterations be made to the evidentiary data, the volatile nature of
forensic evidence often requires just that.
In quantum physics, the Heisenberg uncertainty principle is the statement that locating a particle in a
small region of space makes the momentum of the particle uncertain. Additionally, measuring the
momentum of a particle exactly makes the position uncertain (Heisenberg 1930:Internet). This is very
similar to the concept of Live Forensic Acquisition: the mere action of collecting evidence can make the
environment unstable. This translates as rendering evidence forensically unsound.
According to Heisenberg, it is possible to measure the position of an atom with a photon. The
uncertainty principle states that, when the photon is introduced, it will change the momentum of the atom
by an uncertain amount that is inversely proportional to the accuracy of the position measurement. The
amount of uncertainty can never be reduced below the limit set by the principle, regardless of the
experimental setup. Closely related to the uncertainty principle is the observer effect. This principle refers to
the changes that the physical act of observing makes on the observed phenomenon. The same example
applies to this principle. In order to see an electron, a photon must first interact with it. This interaction
will inevitably change the path of the electron (Heisenberg 1930:Internet).
The Heisenberg uncertainty principle and the observer effect explain the volatile nature of forensics, both
digital and traditional. These disciplines are so volatile that the simplest interaction can indefinitely
change the nature of the evidence, but not necessarily its meaning. The next section elaborates on this
volatile nature, explaining how the evidence can still be considered as forensically sound.
6.5 Ensuring Forensically Sound Acquisition
The key to forensic soundness is documentation. This links strongly with the concept of chain of custody
(see Paragraph 3.4.4). The acquisition process should change the original evidence as little as possible.
Investigators should document any changes whatsoever and assess them in the context of the final analytical
results (Casey 2007:50). Ensuring forensically sound acquisition relies on two aspects: authenticity and
reliability (introduced in Paragraph 3.3.2.2). The remainder of this chapter will focus on these aspects.
6.5.1 Authenticity
The authenticity of an object refers to its trustworthiness. With regard to ensuring the forensic soundness
of an object, authenticity implies that the witness can indicate to the court that the piece of evidence has
not been altered since its original collection. In addition, he/she also needs to prove the location, date and
time of collection. The general method to prove the authenticity of a piece of digital evidence is by
using standardised evidence handling procedures and chain of custody records (Amenya 2004:10).
In general, authenticity is closely related to proving the integrity of the data (Kruse II & Heiser 2002:13).
This can be done by calculating a hash value, checksum or timestamp, or by using digital signatures
(these techniques have been discussed in Paragraph 5.2.4).
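As an added illustration of the integrity techniques named above (this is example code written for this page, not part of the thesis and not the Liforac model's own tooling), the following Python hashes a constructed sample image at acquisition, records the hash together with the collector, location and time in a chain-of-custody entry, and keys that entry with an HMAC as a stand-in for a digital signature. A later verification then reports separately whether the image content, its size or the record itself has changed. The sample image, the investigator key and the collector name are all constructed values.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed sample: a tiny stand-in for an acquired disk or memory image.
SAMPLE_IMAGE = bytes(range(256)) * 4
# Hypothetical investigator key used for the HMAC (stands in for a signing key).
INVESTIGATOR_KEY = b"constructed-demo-key-not-for-real-use"


def sha256_hex(data: bytes) -> str:
    """Hash value of the acquired image: the fingerprint recorded at acquisition."""
    return hashlib.sha256(data).hexdigest()


def _mac_over(fields: Dict[str, object], key: bytes) -> str:
    # Canonical JSON so the same record content always yields the same MAC.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_custody_record(image: bytes, collector: str, location: str,
                        key: bytes, collected_at: Optional[datetime] = None) -> Dict[str, object]:
    """Create the chain-of-custody entry made at acquisition time.

    It captures what the text calls for: the hash of the evidence, who collected it,
    where, and when. An HMAC over those fields (a keyed stand-in for a digital
    signature) lets a later reviewer detect edits to the record itself.
    """
    when = collected_at or datetime.now(timezone.utc)
    fields: Dict[str, object] = {
        "sha256": sha256_hex(image),
        "size_bytes": len(image),
        "collector": collector,
        "location": location,
        "collected_at": when.isoformat(),
    }
    record = dict(fields)
    record["record_mac"] = _mac_over(fields, key)
    return record


def verify_custody(image: bytes, record: Dict[str, object], key: bytes) -> Dict[str, bool]:
    """Re-check a presented image against its custody record.

    One flag per check, so the examiner can state exactly what failed:
    the image content, its size, or the record (collector/location/time) itself.
    """
    fields = {k: v for k, v in record.items() if k != "record_mac"}
    return {
        "image_hash_matches": hmac.compare_digest(str(record["sha256"]), sha256_hex(image)),
        "size_matches": record["size_bytes"] == len(image),
        "record_intact": hmac.compare_digest(str(record["record_mac"]), _mac_over(fields, key)),
    }


def is_authentic(image: bytes, record: Dict[str, object], key: bytes) -> bool:
    """Every check must pass before the evidence is presented as unaltered."""
    return all(verify_custody(image, record, key).values())


if __name__ == "__main__":
    rec = make_custody_record(SAMPLE_IMAGE, "Investigator (constructed)", "Lab bench 1", INVESTIGATOR_KEY)
    print("fresh image:", verify_custody(SAMPLE_IMAGE, rec, INVESTIGATOR_KEY))
    # A single flipped byte keeps the size but changes the hash.
    altered = bytearray(SAMPLE_IMAGE)
    altered[10] ^= 0x01
    print("altered image:", verify_custody(bytes(altered), rec, INVESTIGATOR_KEY))
    # Editing the record (here the collection time) breaks the MAC.
    forged = dict(rec)
    forged["collected_at"] = "2000-01-01T00:00:00+00:00"
    print("edited record:", verify_custody(SAMPLE_IMAGE, forged, INVESTIGATOR_KEY))
```

The hash only proves that the image has not changed since the record was made; it says nothing about the alterations the acquisition itself made to the live system, which is why the documentation of Paragraph 6.5 has to accompany it. In practice the HMAC key would be replaced by a signature from the investigator's key or a timestamping authority, so that verification does not depend on the verifier holding the same secret.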
6.5.2 Reliability
In theory, courts should accept the forensic soundness of a piece of evidence if the supporting
documentation is sufficient. This documentation should report on the evidence’s origin and the way
investigators handled it since acquisition. Investigators need to preserve a complete and accurate
representation of the original data during the acquisition process, in such a way that courts can validate
its authenticity and integrity (Casey 2007:50).
There is no specific test to determine whether digital evidence possesses the required scientific validity.
When considering all the rulings made during the Daubert trial, Ryan and Shpantzer (2005:2) conclude
that Digital Forensic evidence proposed for admission in court should at the very least satisfy two
conditions. Firstly, the evidence should be relevant. Secondly, evidence must be “… derived by the
scientific method” and “… supported by appropriate validation”. Digital Forensics is very technical in
nature and therefore grounded in science. This includes computer science, mathematics and physics
(Ryan & Shpantzer 2005:3).
In order to ensure that digital evidence is in fact forensically sound, counsel need to investigate the
reliability thoroughly. When witnesses are involved, counsel need to investigate the testing and verification
of theories and techniques of Digital Forensics, peer review and existence of known error rates.
Additionally, counsel may investigate differences of opinion among Digital Forensic experts regarding the
validity and acceptance of specific tools and techniques (Ryan & Shpantzer 2005:3).
A number of techniques can be employed to ensure that the evidence acquired/to be acquired remains
forensically sound:
• Send a preservation of evidence letter. Information stored on computers changes every time a
user saves a file or loads a new programme. It is therefore critical to notify all relevant parties
in an overt operation that you will be acquiring electronic evidence through discovery. If the
relevant parties cooperate, the sooner the notice is sent the better to ensure that the suspect
system is used minimally to limit the distortion of evidence. The notice should identify the types
of information that needs preservation and identify the possible locations of this information
(Amenya 2004:4). It is not practical to send such a letter during a covert investigation.
• Maintain a comprehensive, detailed chain of custody, with accompanying notes. This should
include definitions, instructions and specific questions about electronic evidence in your written
discovery. This step should be continued beyond the acquisition, and record all action relevant
to the case (Amenya 2004:4).
• Adhere to a comprehensive checklist for electronic media examination. This checklist reminds
forensic investigators of all the steps that build up to a forensically sound case:
− assign a unique number to each piece of media;
− write-protect all media;
− virus check all media and record any retrieved viruses;
− print directory listings for each piece of media and mark appropriately;
− virus check the destination drive and ensure that this drive is forensically wiped;
− verify that all files on the directory listing appear in the restored copy; and
− secure the source media (Amenya 2004:8).
In conclusion, both authenticity and reliability play a crucial part in determining whether artefacts of
evidentiary value can be considered as evidence or not. Without these two characteristics, chances are
that the court may dismiss the forensic data as forensically unsound.
6.6 Summary
Although intense research still needs to be done before Live Forensic Acquisition can formally be introduced
into Law Enforcement, the preliminary study in Chapter 6 shows that Live Forensic Acquisition measures
up to traditional Digital Forensics. When the volatile nature of forensics as a whole (including Live Forensics,
traditional Digital Forensics and traditional Physiological Forensics) is considered, the possibility of
forensic soundness becomes a reality. However, similar to Physiological Forensic practices, minor (controlled)
modifications should be allowed, without rendering the Digital Forensic evidence inadmissible in court.
In summary, the 13 drivers identified from Chapter 6 to contribute to the development of the Liforac model
are as follows, with the originating paragraph between brackets:
• A complete definition of forensic soundness contributes directly to the understanding of the
Liforac model (Paragraph 6.1);
• Digital Forensics is a technical application of computer related knowledge. This fact has a direct
impact on the discipline of Live Forensics and can contribute to the Knowledge level of the
Liforac model (Paragraph 6.1);
• Rejected forensic evidence can either hurt the case, or portray the investigators as incompetent.
These aspects have a practical influence on the Liforac model, since investigators will use the
model to enhance the current investigation process. This aspect has a direct influence on the
legal aspects of the Liforac model and the admissibility of evidence in court (Paragraph 6.2);
• Correct terminology is “… artefacts of potential evidentiary value” (Paragraph 6.2);
• An expert witness may elicit professional opinions regarding the validity of a theory and the reliability
of specific tools. This driver directly impacts the forensic soundness of evidence, the foundation
of the Liforac model (Paragraph 6.2);
• Well-known heuristics are needed to establish the admissibility of expert evidence. These heuristics
form an integral component of proving the forensic soundness of evidence (Paragraph 6.2);
• Legal admissibility is the characteristic of a piece of evidence that determines whether it will be
accepted in court. This driver has a direct influence on the Liforac model (Paragraph 6.2.3);
• To ensure the acceptance of digital evidence, forensic investigators should maximise the evidential
weight of a document by setting up authorised procedures and being able to demonstrate in
court that those procedures have been followed. This fact also has a direct impact on the Liforac
model (Paragraph 6.2.3);
• This chapter introduced two main elements to demonstrate the authenticity of electronic records.
Since authenticity is crucially important in admitting evidence to court, this driver is very important
to the development of the Liforac model (Paragraph 6.2.3);
• Chapter 6 gives some guidelines on how to ensure admissibility. This links with many of the other
drivers and directly impacts on the success of the Liforac model (Paragraph 6.2.3);
• In both traditional and Digital Forensic measures, courts should allow the minor alteration of
original evidence, without altering evidence in such a way that the meaning thereof changes.
This practice is similar to the current practice in Physiological Forensic sciences and will enable
the full implementation of the Liforac model (Paragraph 6.3);
• The Heisenberg uncertainty principle and the observer effect explain the volatile nature of both digital
and traditional forensics. These principles give a better understanding of the working of forensics,
and can assist forensic investigators in understanding the Liforac model (Paragraph 6.4);
• Both authenticity and reliability play a crucial part in determining whether artefacts of evidentiary
value can be considered as evidence or not (Paragraph 6.5).
When considered individually, most of these drivers suggest a legal or regulatory component. More
than half of these drivers suggest a relation with knowledge. Depending on the drivers identified in
subsequent chapters, these themes may influence the identification of possible dimensions for the Liforac
model. The themes will be addressed in Chapter 9.
Chapter 6 fulfilled Objective C, Identify sound forensic techniques. This chapter gave some insight into
the history of admissibility in court and forensic soundness. It showed the differences between Digital
Forensic practices and Physiological Forensic practices. In addition, this chapter also looked at the
volatile nature of all forensic evidence and investigations. In general, all the aspects considered in
Chapter 6 link to some extent to the forensic soundness principle, or at least to admitting evidence to
court. Holistically, Chapter 6 provides sufficient information to be able to identify a number of sound
forensic principles.
Part 3 will next discuss Digital Forensics and the judicial system with Chapter 7 focusing specifically on
Cyber Crime and Cyber Criminals. This part follows on Part 2, building the knowledge on cyber crimes
as the reason for Digital Forensics.
Part 3: Digital Forensics and the Judicial System
This study, Liforac - A Model For Live Forensic Acquisition, divides into four distinct parts (originally
presented in Figure 1-1). Figure Part 3-1 presents the status of the Liforac model development study.
Figure Part 3-1: Part 3 of the Liforac model development study
Part 3, Digital Forensics and the Judicial System, investigates the legalities of both cyber crime and Digital
Forensics. It comprises two chapters of the study.
Chapter 7, Cyber Crime and Criminals, looks at the classification of cyber crime and provides
background on the subject. Additionally, it investigates the different types of cyber crime addressed by
Live Forensic Acquisition, the reasons for cyber crime as well as the occurrence of cyber crime. Chapter
7 clearly defines the difference between cyber crime and crime committed in the real world.
Chapter 8, Cyber Crime Legal Aspects, identifies current global laws addressing cyber crime. This
chapter also identifies a cyber crime framework and identifies some legal challenges regarding Forensic
Acquisition. Chapter 8 draws some links between Digital Forensics and other related disciplines.
These two chapters focus on the external links between forensic technology and the judicial system, and
form an important part of proving the technology admissible in court. Chapter 7 will now introduce cyber
crime and cyber criminals.
Chapter 7: Cyber Crime and Criminals
“Cyber panic is all about the demonization of a new form of technology, where that technology is automatically perceived as a crime or a criminal instrument”
- Shamburg
Part 3, Digital Forensics and the Judicial System, forms an important part of this research study. Chapter 7
looks at the crimes committed that necessitate Live Forensic Acquisition - cyber crime. To illustrate the
role of laws and the legal system as an integral part of the application of Live Forensic Acquisition, it is
necessary to investigate the term cyber crime in depth.
Chapter 7 firstly defines cyber crime. It also looks at different types of cyber crime, cyber crime incidents
and the classification of cyber crime. The chapter looks at the occurrence of crime, reasons why people
commit cyber crimes, as well as famous court cases involving some form of cyber crime or Digital
Forensics.
Figure 7-1 indicates the current level of progress with regard to identifying building blocks for the Liforac
model. Chapter 7 fulfils Objective D, Crimes and criminals (originally presented in Figure 2-2). Figure
7-1 indicates that the preceding chapters already addressed Objectives A, B and C.
Figure 7-1: Liforac model progress - Crimes and criminals (Own compilation)
The concept of cyber crime is two-fold. On the one hand, the criminal act plays a dominant part in this
chapter, but a crime is always committed either by an individual or by a group of people. This chapter will
look at both instances. Chapter 7 contributes indirectly to the Liforac model, by creating an understanding
of the environment in which cyber crimes take place.
7.1 Introduction
Originally, computer crime only constituted the theft of electronic money, and unauthorised access and
alteration of data. However, after the introduction of viruses and other malicious software in the early
1980s, a more rigid legislative opinion emerged regarding computer related crime (Maat 2004:7).
South African Jurisdiction
An additional complication associated with cyber crime is the fact that the relevant jurisdiction is difficult
to determine (Maat 2004:205). Generally, when a crime is committed outside the borders of the Republic
of South Africa, a South African court does not have jurisdiction to adjudicate the suspects. The ECT Act
of 2002 (Maat 2004:206) provides guidelines in accordance with the provisions of the Convention of
Cyber Crime. Section 90 of the Act states:
• “A court in the Republic trying an offence in terms of this Act has jurisdiction where
- The offence was committed in the Republic;
- Any act of preparation towards the offence or any part of the offence was committed in
the Republic, or where any result of the offence has had an effect in the Republic;
- The offence was committed by a South African citizen or a person with permanent
residence in the Republic or by a person carrying on business in the Republic; or
- The offence was committed on board any ship or aircraft registered in the Republic or on
a voyage or flight to or from the Republic at the time that the offence was committed”.
Sharp Increase in Cyber Crime
Whatever the situation might be regarding jurisdiction of cyber crime, this serious matter has shown a
rapid increase in the past few years. According to Berghel (2003:15), computer scientists have branded
August 2003 as the worst month recorded for Internet malware. He states that Carnegie Mellon’s
Computer Emergency Response Team (CERT) Coordination Centre detailed the number of reported
incidents rising from six in 1988 to 82,094 in 2002. In the first half of 2003, computer users reported an
additional 76,404 incidents. To worsen these figures, it is estimated that the costs associated with cyber
crimes rose by about 300% annually from 2003 (Kjaerland 2006:522).
Criminals tend to exploit the speed, convenience and anonymity of modern technology more and more to
commit a diverse range of crimes (Interpol 2007:1). Since cyber crime is in many instances a silent,
unseen crime committed by anyone with sufficient knowledge, it is very tricky to classify cyber criminals
appropriately. The original stereotype of hackers was smart, socially outcast males between the ages of
sixteen and thirty with poor social skills. These individuals take pleasure in writing and releasing software
exploits (Phair 2007:1). Following the trends of traditional crime, cyber crime can also involve well-
organised and hierarchical criminal syndicates.
The increase in cyber related crime is tremendous, and therefore it is crucial to find a forensic acquisition
technique that is fast, easy to use and admissible in a court of law. The next section provides a formal
definition of computer crime and introduces the reader to the different types of computer crime and the
classification thereof.
7.2 Definition
Cyber crime is the latest and one of the most complex problems facing the cyber realm. Although cyber
crime leans strongly towards conventional crime, it is much more complicated with a range of exceptions
that make every case a unique application of the law. Pati (2003:1) defines crime as “… a social and
economic phenomenon and is as old as human society… Crime or an offence is a legal wrong that can be
followed by criminal proceedings which may result into punishment.”
The definition of cyber crime is more extensive. The 10th United Nations Congress on the Prevention of
Crime and the Treatment of Offenders describes cyber crime as a misdemeanour that includes:
• unauthorised access;
• damage to computer data or programs;
• sabotage to hinder the functioning of a computer system or network;
• unauthorised interception of data to, from and within a system or network; and
• computer espionage (Shinder 2002:17).
The South African ECT Act 25 of 2002 adds the following instances to the definition of cyber crime:
• intentional and unauthorised access to, interception of or interference with data;
• computer related extortion, fraud and forgery; and
• attempting, aiding or abetting the above (South Africa 2002:Internet).
Cyber Crime Characteristics
According to Brenner (2004:9), real world crime possesses four characteristics: proximity, scale, physical
constraints and patterns. By looking at these characteristics, it is clear that real world crime and cyber
crime are quite different.
• Firstly, cyber crime does not require physical proximity between the victim and the
criminal. Cyber crime is completely unbound and the criminal only needs a computer linked to
the Internet to make his/her attack (Brenner 2004:15).
• Secondly, small scale is rarely applicable to cyber crime. Unlike real world crime, criminals
can automate cyber crime to commit thousands of crimes quickly and with little effort. One-to-
many victimisation is a realistic scenario for cyber crime, creating problems for Law Enforcement.
In the real world crime scenario, officers react to a crime by investigating, identifying and arresting
the perpetrator. This scenario assumes that crime is committed on a limited, manageable scale
and that Law Enforcement officers can react to individual crimes (Brenner 2004:14,15).
• Thirdly, cyber criminals avoid the physical constraints that govern real world crime. Cyber
crime can be committed instantaneously and more than one crime at a time. For example, a
real world bank robbery needs to be planned carefully and executed with extreme caution to not
attract the attention of security personnel. However, a cyber criminal can commit a virtual bank
robbery and deposit the funds into accounts in several countries before Law Enforcement
learns that a crime has been committed. Cyber criminals exploit Law Enforcement’s reactive
strategy that is considerably less effective in the virtual world than in the real world. The virtual
crime scene is further complicated since criminals are never physically present at the crime
scene. Cyber criminals can take advantage of anonymity or pseudonymity (Brenner 2004:16).
• Lastly, it is very difficult to identify offender-offence patterns comparable to those for real
world crime. As a result, it is very difficult to combat cyber crime effectively, partly because
investigators do not document it accurately. In addition, countries do not track cyber crime
properly when compared to real world crime. This is largely due to a lack of standardised
definitions and procedures of cyber crime (Brenner 2004:17).
Cyber Crime Differs from Traditional Crime
It is possible to define cyber crime broadly as criminal acts involving computers and networks. McConnell
International states that cyber crime differs in four distinct ways from crimes committed in the real world:
• it is easy to learn how to commit cyber crimes;
• cyber crimes require few resources relative to the potential damages caused;
• they can be committed in a jurisdiction without being physically present in it; and
• it is often not clearly illegal (Chizoba 2005:2).
To put the topic of cyber crime into perspective, the next section will discuss the different types of cyber
crimes that exist.
7.2.1 Types of Cyber Crime
Cyber crime is an all-rounded topic with a vast range of different types and classes. Not only is cyber crime
a mysterious phenomenon, but it is also ever expanding. Pati (2003:5) classifies cyber crime as follows:
• Stalkers use the cyber realm as medium. This crime involves following a person's movements
across the Internet. Stalkers either post hostile messages on bulletin boards or enter chat rooms
frequented by the victim. Additionally, they can resort to harassment via e-mail (Pati 2003:7).
CyberAngels is an online safety education programme that serves as a virtual learning
community. One of its functions is to educate both parents and kids about the occurrence of
cyber stalkers. It also provides school programmes and online mentoring for victims of cyber
stalking (CyberAngels 2007:Internet).
• Stalkers use e-mails as a medium for harassment. Harassment through e-mails and SMSes has succeeded
harassment via letters. Although this type of crime may not cause physical harm, it can be a
source of emotional distress to the receiver (Pati 2003:7). In a recent case of cyber stalking,
Jack Jordan was convicted of second-degree aggravated harassment on actress Uma Thurman.
Jordan was sentenced to three years probation and was committed to a mental institution
(People’s Daily Online 2008:Internet).
• Criminals disseminate obscene material. This type of crime includes indecent exposure and child
pornography, and constitutes the use of computers for producing, downloading or distributing these
obscene materials (Pati 2003:7). Although conviction of this type of crime can lead to
imprisonment, courts also often require offenders to register as sex offenders. Related to this is
cyber grooming. This crime involves actions deliberately undertaken with the aim of befriending
and establishing an emotional relationship with a child, with the intention of sexual abuse.
• Criminals use the internet to defame other individuals. It is an act of implicating any person with
intent to lower the person in the estimation of the right-thinking members of society. This exposes
the victim to hatred, disrespect and ridicule. Cyber criminals may commit defamation by hacking
someone’s email account and sending mail from the account with malicious intent (Pati 2003:7).
There is a very fine line between freedom of speech and libel (written defamation) on the Internet.
http://theantimadonnaboard.yuku.com is an example of a website used to defame an individual.
• Criminals gain unauthorised control/access over computer systems. Generally referred to as hacking,
this crime involves gaining unauthorised access to computer mediums (Pati 2003:7). In what is
referred to as “… the biggest military computer hack of all times”, Gary McKinnon is accused by
the United States of causing more than R5 billion worth of damage by hacking into 97 American
military computers at the Pentagon and NASA combined. He is also charged with stealing 950
passwords and deleting files at Earle naval weapons station in New Jersey, and faces up to 70
years in prison (Harris 2008:Internet).
• E-mail spoofing. These e-mails misrepresent their origin and may fool the recipient into opening an
e-mail containing a virus or a Trojan (Pati 2003:7). Cyber criminals can spoof e-mails by tweaking
the settings on standard email clients, and can cause accepting recipient computers to be
infected with spambots.
• Criminals can vandalise computers. Vandalism means deliberately destroying or damaging property
of another. This crime includes any kind of physical harm done to the computer or its peripherals
of any person, as well as the theft of a computer, parts of a computer or peripherals attached to
the computer (Pati 2003:8).
• Criminals unlawfully trade with Intellectual Property (IP). This crime refers to any unlawful act that
deprives the rightful owner of the intellectual property completely or partially of his rights. This
includes software piracy, copyright infringement, trademark and service mark violation and theft
of computer source code (Pati 2003:8).
• Criminals can transmit viruses/worms. This includes the deliberate dissemination and distribution
of malicious software (Pati 2003:8). The creator of the well-known and highly destructive Melissa
virus, David Smith, has been sentenced to 20 months in prison, with a fine of almost R40 000
(Teather 2002:Internet). Before the enactment of the South African ECT Act of 2002, South
Africa could not charge virus creators with a cyber crime. Instead, in 2004, Berend Howard was
charged with malicious damage to Edcon property, after loading a virus onto the computers of
Edgars. This virus affected up to 700 stores, and cost the company R20 million in trading losses
and damage control (SABC News 2004:Internet).
• E-mail bombing. This crime refers to sending a large amount of e-mails to the victim, resulting in
interruption of the victim’s email account or mail servers (Seth 2007:5). This type of attack is
often referred to as a Distributed Denial of Service (DDoS) attack and involves the flooding of a
victim’s computer with more requests than it can handle, causing a system crash (Pati 2003:5).
• Criminals can commit cyber terrorism against the government. A cyber terrorist uses a computer system as a means to put the public in fear. The intention is often to adversely affect the harmony between different religious, racial, language or regional groups, castes or communities. The ultimate goal is to repress the government or to endanger the sovereignty and integrity of the nation. Internet-based terrorist attacks include DDoS attacks, attacks on sensitive computer networks, hate websites and hate e-mails. A formal definition of cyber terrorism is "… the premeditated use of disruptive activities, or the threat thereof, in cyber space, with the intention to further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives" (Pati 2003:9).
• Criminals illegally traffic in goods. Trafficking may involve many different items, such as drugs, human beings and weapons. In the cyber realm, trafficking often goes undetected because code words and pseudonyms are used; traffickers may, for example, refer to drugs as honey.
• Criminals resort to fraud, cheating and stealing information. Online fraud and cheating take many forms, ranging from credit card crimes and contractual crimes to offering illegitimate jobs and identity theft (Pati 2003:9). In South Africa, a syndicate using high-tech spyware defrauded the KwaZulu-Natal government of more than R199 million over three years. In response to this type of serious cyber fraud, the provincial government launched a project called "Operation Unumbeza", translated as "Operation Conscience" (Naidoo 2008:Internet).
• Salami attacks. These attacks relate primarily to financial crime and involve small alterations to software: each individual transaction is changed by an amount too small to be noticed, but the sum across many transactions is substantial. For example, a bank employee inserts a programme into the bank's servers that deducts a small amount from every customer's account. Salami attacks can extend to web jacking (Seth 2007:5). Numerous variations exist. In 1993, four executives of a rental-car franchise in Florida, United States of America, were charged with defrauding at least 47 000 customers. The defendants allegedly modified a computer billing programme to add five extra gallons to the actual fuel tank capacity of their vehicles, so that customers who returned a car without filling the tank paid an inflated rate for an inflated quantity of petrol (Kabay 2002:Internet).
Liforac - A Model For Live Forensic Acquisition
Martha Maria Grobler 107 of 268 Chapter 7
• Criminals resort to web jacking. The term derives from hijacking. It is an offence in which the attacker gains access to and control over another party's website, often defacing it or changing its content (Pati 2003:5). Web jacking is often associated with zombie networks, in which a group or an individual takes control of a number of computers to use them as distribution points for malicious code, or as zombies in attacks against other websites. This class of computer crime is strongly linked to DDoS.
• Criminals can diddle data. This crime involves altering raw data just before a computer processes it and changing the data back once processing completes (Pati 2003:5). For example, a person entering accounting data changes the input to show that an account is paid in full when the opposite is true. Based on court cases and criminal reports, it is estimated that more than R6 300 million is lost worldwide every year to data diddling (Usborne 1996:Internet).
• Criminals create logic bombs. A logic bomb is software that performs a malicious action only when a trigger event occurs. For example, criminals may programme a system to crash on a specific date and time (Pati 2003:5). A disgruntled employee may programme a logic bomb to search the employee records for his or her name every day; should the name not be found, the bomb figuratively explodes and damages the computer system.
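The salami attack described above is invisible per transaction and visible only in aggregate, which is why a forensic examiner recomputes the expected figures independently rather than trusting the posted totals. The following is an added example, not code from the thesis or from any cited source: it models a month-end interest run over a constructed sample ledger, the tampered variant that rounds each credit down and diverts the residue to a mule account, and the reconciliation that exposes it. The account identifiers, balances, interest rate and function names are all assumptions made for this example.

```python
"""Salami attack on interest posting, and the reconciliation that exposes it.

Added example; not code from the Liforac thesis or any cited source.
The ledger, rate and account identifiers below are constructed sample data.
"""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample ledger: account id -> balance in rand (not real data).
SAMPLE_LEDGER = {
    "ACC-0001": Decimal("1523.47"),
    "ACC-0002": Decimal("89.13"),
    "ACC-0003": Decimal("40210.00"),
    "ACC-0004": Decimal("7.77"),
    "ACC-0005": Decimal("999.99"),
    "ACC-0006": Decimal("12034.56"),
    "ACC-0007": Decimal("310.20"),
    "ACC-0008": Decimal("58.63"),
}
RATE = Decimal("0.0125")  # assumed monthly interest rate for the example


def expected_credit(balance, rate):
    """The legitimate interest credit: exact product rounded half-up to the cent."""
    return (balance * rate).quantize(CENT, rounding=ROUND_HALF_UP)


def post_interest_honest(ledger, rate):
    """Normal month-end run: every account receives its expected credit."""
    return {acct: bal + expected_credit(bal, rate) for acct, bal in ledger.items()}


def post_interest_salami(ledger, rate, mule_account, extra_skim=Decimal("0.01")):
    """Tampered month-end run (the attack described in the text).

    Each credit is rounded *down* instead of half-up and a further `extra_skim`
    is shaved off, so no account is short by more than a cent or two. The bank's
    total interest expense is unchanged; the residue is redirected to
    `mule_account`, which must not already exist in the ledger.
    """
    assert mule_account not in ledger
    new_ledger = {}
    skimmed = Decimal("0")
    for acct, bal in ledger.items():
        exact = bal * rate
        paid = exact.quantize(CENT, rounding=ROUND_DOWN) - extra_skim
        skimmed += expected_credit(bal, rate) - paid
        new_ledger[acct] = bal + paid
    new_ledger[mule_account] = skimmed
    return new_ledger


def reconcile(before, after, rate):
    """Independent recomputation over two ledger snapshots.

    Returns (shortfalls, total, unexplained):
      shortfalls  - account id -> expected credit minus credit actually posted
      total       - sum of all shortfalls
      unexplained - accounts present after the run but absent before it
    """
    shortfalls = {}
    total = Decimal("0")
    for acct, bal in before.items():
        diff = expected_credit(bal, rate) - (after[acct] - bal)
        if diff != 0:
            shortfalls[acct] = diff
            total += diff
    unexplained = {acct: bal for acct, bal in after.items() if acct not in before}
    return shortfalls, total, unexplained


def money_moved(before, after):
    """Total credited in a run. It is identical for the honest and tampered
    runs, which is why a totals-only reconciliation does not catch a salami."""
    return sum(after.values()) - sum(before.values())


if __name__ == "__main__":
    honest = post_interest_honest(SAMPLE_LEDGER, RATE)
    salami = post_interest_salami(SAMPLE_LEDGER, RATE, "ACC-MULE")
    print("total credited, honest run :", money_moved(SAMPLE_LEDGER, honest))
    print("total credited, salami run :", money_moved(SAMPLE_LEDGER, salami))
    short, total, unexplained = reconcile(SAMPLE_LEDGER, salami, RATE)
    print("accounts short             :", len(short), "of", len(SAMPLE_LEDGER))
    print("largest per-account loss   :", max(short.values()))
    print("total shortfall            :", total)
    print("unexplained accounts       :", unexplained)
```

The design point is that `money_moved` balances in both runs, so a control that only checks that debits equal credits passes; the per-account recomputation in `reconcile` is what flags every account as a cent or two short and surfaces the mule account that received money without existing in the source ledger.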
Although there are quite a number of different cyber crimes, many of them overlap, and two or more different cyber crimes often go hand in hand. The next section looks more specifically at the incidence of these cyber crimes.
7.2.2 Cyber Crime Incidents
The number of cyber crime incidents is rising rapidly and is a major global concern. The Korean National Police Agency (KNPA 2007:Internet) presents crime statistics by crime type in Table 7-1, compiled from incidents reported between 2002 and 2006. Total incidents rose every year until 2006, when they fell slightly. Hacking and virus incidents, cyber violence and illegal websites were all markedly higher in 2006 than in 2002, while piracy (illegal copying and sales) fluctuated, falling sharply in 2003. Internet fraud decreased in 2006, and the "other" category decreased in both 2005 and 2006. Although the list of types is by no means exhaustive, it covers the most common types of cyber crime.
Although all these security incident figures are official, they cannot be exact. Not all organisations report security incidents (discussed in Paragraph 5.1). In fact, the director of the CERT Coordination Centre estimates that as much as 80% of all actual security incidents go unreported (Kjaerland 2006:523). Therefore, the only concrete fact derived from these figures is that there were at least the stated number of incidents. The next section discusses the classification of the different cyber crimes.
Table 7-1: Cyber crime statistics by type (KNPA 2007:Internet)
Year | Total | Hacking, virus | Internet fraud | Cyber violence | Illegal websites | Piracy | Other
2002 | 41900 | 9707  | 19395 | 4726 | 862  | 1778 | 5432
2003 | 51722 | 8891  | 26875 | 4991 | 1719 | 677  | 8569
2004 | 63384 | 10993 | 30288 | 5816 | 2410 | 1244 | 12633
2005 | 72421 | 15874 | 33122 | 9227 | 1850 | 1233 | 11125
2006 | 70545 | 15979 | 26711 | 9436 | 7322 | 2284 | 8813
7.2.3 Classification of Cyber Crime
There is a significant difference between the types of cyber crime and the classification of cyber crime. Paragraph 7.2.1 listed different types of cyber crime. Each of these types can be further classified according to the victim group. Table 7-2 presents the different types of cyber crime, clustered according to the group affected by the crime.
Table 7-2: Cyber crime classification (Adapted from: Pati 2003:10, Seth 2007:5)
Crimes against individuals | Crimes against individual property | Crimes against organisations | Crimes against society
Information theft | Information theft | Information theft | Information theft
Hacking | Hacking | Hacking | Child pornography
Obscene material | IP crimes | Cyber terrorism | Obscene material
Indecent exposure | Computer vandalism | Pirated material | Financial crimes
Harassment via e-mails | Netrespass | E-mail bombing | Sale of illegal articles
Defamation | Internet time thefts | Salami attacks | Online gambling
Salami attacks | Salami attacks | Possession of unauthorised information | Forgery
Email spoofing | Transmitting viruses | Data diddling | Salami attacks
Cheating and fraud | Logic bombs | | Trafficking
Cyber-stalking | DOS attacks | |
A study by the School of Information Systems, Technology and Management at the University of New South Wales, Australia, identifies a number of key issues concerning cyber crime in the current Information Security environment:
• Jurisdiction is unclear. Differences in jurisdiction between state and federal legislation can create confusion and loopholes that aid cyber criminals.
• Computer evidence presentation is difficult. Related to the jurisdictional difficulty, the legislation of individual countries differs regarding the presentation and admissibility of computer evidence (Brungs & Jamieson 2005:59). Even worse, gaps in national criminal laws mean that cyber crime goes unpunished in many countries (Ticehurst 2000:Internet).
• Some cases require the presentation of original evidence. This may cause problems in the event of an appeal, as the computer is by then no longer in its original state. The issue underlines the lack of a best-practice guide for Digital Forensics (Brungs & Jamieson 2005:59).
• The legal sector is not sufficiently computer literate. A low standard of computer literacy in the legal sector could have a negative impact on the Digital Forensic domain, since the sector tends to place unrealistic and incorrect demands upon electronic evidence.
• Records need to remain confidential. Evidence collection forms an important part of Digital
Forensics work. Appropriate legislative mechanisms should be in place to ensure that evidence
collection does not infringe on professional privilege rights.
• Criminal prosecution differs from civil trial. The study suggests that investigators should research the differences between a criminal prosecution and a civil trial and the impact those differences have. The aim is to allow the Digital Forensic field to progress beyond its police and government regulator base. In many situations, companies are not looking to prosecute an offender, but rather to stop the incident and prevent it from recurring.
• Information access and exchange needs to be controlled. This issue relates to the preservation
of clients’ privacy while gaining enough information to complete an investigation successfully.
• Privacy and workplace surveillance is an issue. The introduction of privacy legislation created
uncertainty in Digital Forensics with regard to what is permissible behaviour in collecting and
retrieving personal information, and what is an infringement of an individual’s right to privacy
(Brungs & Jamieson 2005:60).
• International agencies need to cooperate. International cooperation is essential for Digital Forensics
work since digital evidence collection often crosses national borders. The inability to work in real-
time intensifies this problem (Brungs & Jamieson 2005:61).
• Launching actions against unknown people in a civil trial is difficult. To subpoena information such as an offender's identity from communication companies, investigators need to launch a civil case. However, civil action requires that a named person be sued, so it cannot be launched against unknown persons.
• Technical issues include the testing of tools and techniques. To ensure complete functionality and validity, forensic experts should subject all tools and techniques to third-party validation, so that a scientific methodology guaranteeing repeatability and verification of techniques and findings is applied within the field.
• Qualifications include expert witness skills and techniques. Guidelines for defining an expert
witness should be defined, incorporating required skill sets, minimum working experience, and
formal qualifications such as a university degree or commercial certification (Brungs & Jamieson
2005:62).
This classification of cyber crimes is rather extensive and will be useful in the development of the comprehensive, forensically sound Liforac model. Section 7.2 looked in detail at many different classifications of and views on cyber crime. Not only does this information aid the understanding of the forensic discipline, it also stresses the importance of Digital Forensics as an aid in combating cyber crime.
7.3 Occurrence of Cyber Crime
Computer-related crime is one of the fastest growing forms of crime worldwide. According to Wolfgang Selzer, head of security at a South African Information Technology solutions and consulting services company, cyber crime has become a R703 billion a year business, officially surpassing the value of the international illegal drug trade (News24 2007:Internet). Nykodym et al. (2005:264) report that the total reported loss from cyber crime increased year on year in 2000, 2001 and 2002, to R2,075 million, R2,961 million and R3,525 million respectively. Unfortunately, the trend towards a completely paperless office environment feeds the growth of cyber crime.
Although the first commercial computer only became available in 1950 (AC 2007:Internet), the first recorded cyber crime is said to have taken place in 1820. Joseph-Marie Jacquard, a textile manufacturer in France, produced a loom controlled by pasteboard cards with holes punched in them; in essence, it was the first machine to use punch cards to create textile designs (Computer History Museum 2009:Internet). Jacquard's employees feared retrenchment should the new device be able to replace them, and sabotaged the loom to discourage him from further use of the new technology, committing what is cited as the first recorded cyber crime (Planet India 2001:Internet).
The Korean National Police Agency (KNPA 2007:Internet) did an in-depth study on cyber crime. Their analysis shows that students commit 13.3% of cyber crimes, unemployed individuals 29.6%, company workers 16.6% and self-employed individuals 17.9%. The remaining 22.6% are unclassified.
External Opportunity for Cyber Crime
Although the occurrence of cyber crime is increasing, it is very difficult to catch perpetrators, partly because of the way the current legal system is applied. The principle of placing the criminal at the scene falls away completely: the real perpetrator may have any number of alibis and still have committed the crime, since cyber crime requires no physical presence and many cyber crimes allow for a delay between the act and its effect (Nykodym et al. 2005:266).
Additionally, cyber crimes often go unnoticed at first. In a conventional crime involving money, the responsible person notices the loss the next time the money is counted. If the perpetrator steals data, however, the responsible person might not notice until the perpetrator uses the stolen information or makes it public. The original data may remain intact, since the perpetrator merely makes an illegal copy. Cyber criminals can also enter a system in more than one way: they can steal data from the main server or the backup server, while the data are in transit between two points, or from a web page or application programme (Nykodym et al. 2005:266).
The increasing role of Internet sales, the massive amount of sensitive data transferred through computerised information systems and the overwhelming storage capacity available online all contribute to the growing threat of cyber crime. In 2002, organisations reported more than R1,332 million in losses due to theft of proprietary information, such as customer and product databases (Nykodym et al. 2005:264). Recent statistics from the US Internet Crime Complaint Centre show total reported losses rising from $191 million in 2006 to $231 million in 2007 (McMillan 2008:Internet), that is from about R1,844 billion to roughly R2,2 billion at the exchange rate of 22 December 2008.
Adding to this existing problem, organisations put more value on their information. If the power is off and
employees cannot use their computers, many organisations come to a complete standstill. Employees
are hugely dependent on their electronic environment and the information stored within that environment.
Cyber criminals are aware of this matter and accordingly hit organisations where it hurts the most: their
information (Nykodym et al. 2005:264).
Insider Opportunity for Cyber Crime
Insider cyber crimes are a major component of cyber crime today. Employees commit these crimes against their employing organisation, generally exploiting information available only to employees. Research by Nykodym et al. (2005:264) shows that cyber crimes committed by managers involve greater amounts of money on average, although such cases are fewer. With sufficient computer knowledge, authority and access to the system, organisation insiders can easily hide their crimes. Nykodym suggests that insiders commit more than 70% of all computer crime directed at companies.
In Mumbai, India, more than 90% of reported cyber crime cases never make it to a court of law. Mukund Pawar, senior investigator at the Cyber Crimes Investigation Cell, says, "… When the victim approaches us with a complaint, he or she is unsure who might be behind the crime. But once they come to know about the accused, they tend to withdraw their complaint thinking it would be embarrassing for them to face people in society". More often than not, investigations show that neighbours, ex-lovers or jealous friends committed the fraudulent act over the Internet, and complainants then prefer to settle the matter privately (Shelar 2007:Internet).
Cyber crime has occurred more and more regularly since the creation of the Internet. However, authorities still do not address the problem properly, since governments around the world impose different and often conflicting legislation to deal with this type of crime. The Council of Europe's Convention on Cybercrime represents some progress: it is an international treaty intended to establish common standards for combating cyber crime (Nykodym et al. 2005:264). The next section looks at possible reasons for the high occurrence of cyber crime.
7.4 Reasons for Cyber Crime
There is no conclusive evidence that specific factors or conditions contribute decisively to cyber crime. If such factors could readily be identified, the occurrence of these crimes would presumably be decreasing rather than increasing. As with real-world crime, it is very difficult to isolate one or two factors as the overarching reason for cyber crime. Rather, a number of motivators, combined with a number of convenience factors, ensure that the occurrence of these crimes skyrockets. Possible reasons for cyber crime include:
• Recognition. Young individuals generally commit cyber crimes in an attempt to be noticed; the intention is not to hurt anyone in particular.
• Easy money. These individuals are more ambitious and generally motivated by greed. They tend to tamper with data on the Internet or a computer system purely for economic and commercial gain, and often commit fraud and swindle money out of unsuspecting customers.
• Activism. This is the most dangerous of all the causes of cyber crime. Those involved believe that they are fighting a just cause and do not mind who or what they destroy in their quest to achieve their goals. They are often referred to as cyber terrorists (Chizoba 2005:3).
• Omnipresent Internet. The number of Internet users grows by some 10% a month, which translates into tens of millions of newcomers each month who are not familiar with cyber scams and are therefore prime targets. Crime has evolved to profit from the millions of potential victims connected to one global network (Stiennon 2007:1).
• New vulnerabilities. Research at the time predicted that the number of known viruses would reach one million by the end of 2008 (Pauli 2008:Internet). The number and variety of security vulnerabilities are accordingly another omnipresent threat.
• Markets for identities and tools. Online trading sites for stolen identities create a market in which thieves sell to more sophisticated criminals. This has drastically widened the playing field: an individual need no longer be an expert in coding, hacking, credit card merchant accounts, eBay, wire transfers, counterfeiting and money laundering (Stiennon 2007:1). In addition, there are companies that trade in security flaws, selling details of software vulnerabilities that can end up with cyber criminals; the most notorious such security flaw merchant is WabiSabiLabi (Popa 2008:Internet).
Therefore, a combination of reasons contributes to the occurrence of cyber crime. The most prominent reason by far, however, is the endless range of possibilities that computers create for cyber criminals to act upon. The next section looks at a number of famous court cases in which computers, forensics or the Internet were involved.
7.5 Famous Cyber Crime Cases
Cyber crime does not happen only to the average person; it can also happen to, and be committed by, famous people. This section looks at some prominent cyber crime incidents and court cases in which the cyber realm or Digital Forensics played a part.
According to Susan Brenner (Coren 2005:Internet), "… digital evidence is becoming a feature of most criminal cases". Digital Forensics has contributed to many famous criminal cases in the past. Although many of these cases do not necessarily involve high-tech computer resources, all of them comply with the definition provided in Paragraph 7.2. CNN likewise states that the use of digital evidence, such as e-mails, hard drives and Internet files, is becoming more common in crimes all over the world (Business Wire 2005:Internet).
Although many types of cyber crime can eventually lead to someone's death, it is very rare for police to classify an act as a cyber murder. According to Chizoba (2005:2), this rare phenomenon occurred in the United States in the late 1990s, when an underworld figure was admitted to hospital for minor surgery. His rivals hired a computer expert to hack into the hospital's computer systems and alter his prescribed medication. The nurse on duty unknowingly administered too high a dose, triggering a lethal allergic reaction. Technically, authorities could also classify this incident as gaining unauthorised access to a computer system.
The BTK Killer (Bind, Torture, Kill) pleaded guilty in 2005 to ten murders in Kansas. Police used EnCase (discussed on the accompanying CD, see Forensic tools) to examine a floppy disk he had sent to a local television station. On this disk, the BTK Killer apparently gloated at the police's inability to catch him (Afentis s.a.:Internet). Metadata on the disk identified Dennis Rader as the author of the documents and traced the disk to a computer at the church where Rader served as president of the congregation council (Taub 2006:Internet).
EnCase also played a part in convicting the American Scott Peterson of killing his pregnant wife in 2002. Originally, Peterson was not a suspect; however, a change in his statement and his affair with Amber Frey, which surfaced later, made him the chief suspect (Rocha 2006:2). Peterson's Internet history showed searches for websites detailing tidal conditions in San Francisco Bay, the area where police later found his wife's body (Taub 2006:Internet). The court sentenced Peterson to death in 2005 and, at the time of writing, he remained on death row.
Digital Forensics played an important role in the investigation of the murders of Holly Wells and Jessica Chapman in 2002. Technical analysts examined the network records of one of the girls' mobile phones to establish its location just before the murderer presumably switched it off. A mobile network records the cell tower with which a phone was last registered, and the mapped signal coverage of that tower narrows the phone's probable position down to a bounded area. Using this information, the authorities had a rough estimate of where to start searching for the two girls (Afentis s.a.:Internet). The court eventually convicted Ian Huntley of the murders and sentenced him to two life sentences.
In 1996, Robert Glass brutally murdered Sharon Lopatka. Police found the lead by examining Lopatka's computer, from which they recovered almost 900 pages of e-mails between Lopatka and Glass, all about death and torture fantasies. Police found Lopatka in a shallow grave, where Glass had buried her after strangling her and tying her hands and feet. Glass eventually pleaded guilty to manslaughter in 2000 (Gleason 2007:Internet).
The Enron case made worldwide headlines in 2001. Prosecutors arrived with a virtual mountain of digital evidence, more than 31 terabytes of data, which the FBI gathered during a five-year investigation. The FBI made use of the Greater Houston Regional Computer Forensics Laboratory to assist with the forensic processing of this evidence. Together, these entities processed data from 130 computers, thousands of e-mails and more than 10 million pages of documents. The investigation delivered evidence that helped to convict some of the company's top executives (FBI 2007:Internet). The large-scale document shredding that took place after the initial Enron whistle-blowing sparked this intense investigation (Wilding 2002:1).
In a very public trial in 2004, a jury found Martha Stewart guilty of conspiracy, obstruction of an agency proceeding and making false statements to federal investigators. She was sentenced to a five-month term in a federal correctional facility, five months of home confinement and a two-year period of supervised release (Landon 2006:Internet). Digital evidence that contributed to her conviction was the testimony of her assistant, who stated that Stewart had altered the electronically logged record of a phone message from her broker (Watson 2004:1). The message was incriminating evidence that Stewart had received inside information.
In South Africa, the most prominent recent cyber crime case involves the hacker Alistair Peterson, a Gauteng computer scientist who headed an elaborate online bank-hacking syndicate. When he was caught in February 2008, he had already gathered R17 million by defrauding businesses, trust funds and corporate accounts. Peterson entered into a plea bargain with the Scorpions (the former Directorate of Special Operations, a multi-disciplinary South African agency that investigated and prosecuted organised crime and corruption) that suspended the majority of his sentence. Part of the plea bargain was that he would work with the CSIR to develop anti-virus software to prevent further attacks by Regger.W32, a virus programme he had originally created. Although this crime was not solved by means of forensic practices, Peterson confessed afterwards that he enjoyed the forensic side of computing, looking for holes in systems that cyber crime fighters can plug to keep crooks out (Rondganger 2008:Internet).
It is clear that cyber crime is not limited to incidents of hacking and identity theft. These real-life crimes range from first-degree murder to large-scale fraud and white-collar crime. The next section summarises the chapter on cyber crimes and criminals.
7.6 Summary
Chapter 7 looked at the various aspects of cyber crimes: the definition, types and classification,
occurrence and reasons for these types of crimes. Additionally, the chapter also looked at some
prominent court cases involving cyber crime or digital evidence.
In summary, the eight drivers identified in Chapter 7 that contribute to the development of the Liforac model are as follows, with the originating paragraph in brackets:
• Jurisdiction is difficult to determine when cyber crime is concerned. This global problem facing
cyber crime Law Enforcement contributes to Chapter 10 of the Liforac model (Paragraph 7.1);
• Criminals tend to exploit the speed, convenience and anonymity of modern technology more and
more to commit a diverse range of crimes. Although this aspect may not directly impact the
development of the Liforac model, this knowledge may aid the understanding of why the model is
necessary (Paragraph 7.1);
• The cyber crime definition influences in particular the dimension on laws and regulations of the
Liforac model (Paragraph 7.2);
• Cyber crime differs from real world crime in four prominent aspects. Although this does not
contribute directly to the Liforac model, it may aid the forensic investigator in understanding the
Digital Forensic discipline better (Paragraph 7.2);
• Many different types of cyber crime exist, directly impacting the dimension on laws and regulations of the Liforac model (Paragraph 7.2.1);
• The number of cyber crime incidents is rapidly increasing. Although this aspect may not directly influence the development of the Liforac model, it indicates the urgency with which cyber crime and Digital Forensics should be treated (Paragraph 7.2.2; Paragraph 7.3);
• Cyber crime types can be classified into four distinct groups. This classification contributes to the
forensic investigator’s understanding and need for Digital Forensics (Paragraph 7.2.3);
• There are some key issues concerning cyber crime in the current Information Security
environment. These aspects also contribute indirectly to the Liforac model (Paragraph 7.2.3).
When considered individually, all these drivers suggest a legal or regulatory component. Given the number of drivers related to this theme and its importance to the proposed Liforac model, the theme might influence the identification of possible dimensions for the Liforac model. The themes are addressed in Chapter 9.
Chapter 7 addressed Objective D of the study. It included a formal definition of cyber crime and looked at different types of cyber crime, cyber crime incidents and the classification of cyber crime. The chapter also looked at the occurrence of cyber crime, the reasons why people commit it, and famous court cases involving some form of cyber crime or Digital Forensics. As part of fulfilling Objective E, Laws, Chapter 8 will now look at existing legislation that covers cyber crime and forensics. Chapter 8 extends Chapter 7's discussion on cyber crime and ends Part 3 of the study.
Chapter 8: Cyber Crime Legal Aspects
“It is the smaller cases of hacking on normal people and businesses that don’t get given the same type of focus. If each and every cyber crime case was given the same amount of attention as this
one, then the world would be a safer place for us normal users.”
- Tom Newton
Whilst Chapter 7 focuses on cyber crimes and the cyber criminal, Chapter 8 looks at the legalities surrounding these cyber threats. To put current cyber crime legal aspects into perspective, it is necessary to look at a range of contributing factors and disciplines. Chapter 8 first looks at the legal acceptance of forensic evidence, then at how forensics fits into the current legal system. This discussion investigates the relationship between forensics and computer science, forensic science, criminal investigation, computer security and Information Security, system administration and business.
Chapter 8 briefly looks at the cyber legislation currently available. It also looks at global cyber crime fighting agencies and examines a number of cyber crime frameworks that can contribute directly to the Liforac model. The discussion on frameworks is extremely important to the study and will be referred to in the development of the Liforac model in Part 4. It is important to note that Chapter 8 is not a legal discussion, but rather a technical discussion of a law-related subject. All legal references are therefore from a non-legal, technical viewpoint.
Figure 8-1: Liforac model progress - Laws (Own compilation)
Figure 8-1 indicates the current level of progress with regard to identifying building blocks for the Liforac
model. Chapter 8 fulfils Objective E, Laws (originally presented in Figure 2-2). Objective E is the last of
the objectives to be addressed by this study. Once this objective is addressed, the study will address the
physical development of the Liforac model.
8.1 Introduction
A vast number of technical issues can physically constrict Digital Forensics, being a technical application
of computer related knowledge. In addition to these limitations, numerous laws strictly bind forensic
investigators to the letter. The implementation of these laws can sometimes be rather complicated (Jones
2007:1).
Whilst the high pace of new technological advances is an advantage, the failure of the judiciary system
and legislation to develop at the same pace can be highly detrimental. According to Pati (2003:14), it is
unlikely that cyber crime can be eliminated completely from cyber space. Authorities should rather aim to
minimise and control cyber crime by monitoring cyber crime, making people aware of their rights and their
duty to report crime, and applying laws to regulate cyber crime.
Implementation Problems
The problems regarding the legislation and Law Enforcement of cyber crime are two-fold. On the one
hand, there are simply not enough Law Enforcement officers with appropriate Digital Forensic and
computer crime investigative skills. In American Law Enforcement agencies, there is an average of
six months to a year backlog within the states and major cities. In general, there is limited legal support
training in Digital Forensics law. This leads to unqualified Forensic Acquisitions, which in turn results in
inadmissible evidence and non-prosecutable cases (Bhaskar 2006:81,82).
Globally, a serious shortage of knowledgeable Law Enforcement officers presents a major challenge to
any Cyber Security Response plan. A study done in America reveals that 49.2% of Law Enforcement
officers are assigned to investigate computer crimes. Of that percentage, only 12.3% have had formal
training in Digital Forensics, whilst only a further 6.8% of those have had formal computer science
training (Bhaskar 2006:82,83).
The South African Constitution, Schedule 6, strictly forbids the extension of current legislation to an analogy
to include cyber crimes. "Old order legislation that continues in force… does not have a wider
application, territorially or otherwise, than it had before the previous Constitution took effect unless
subsequently amended to have a wider application…" (Constitutional Court s.a.:Internet). This implies
for example, that any South African law prohibiting the forceful seizure of a vehicle in transit (hijacking)
cannot be directly analogised to also prohibit the forceful seizure of an active webpage on the internet
(web jacking). This restriction adds to the implementation problems of laws to regulate cyber crime.
Concerning the South African Constitution, every accused person has the right to a fair trial (ICRC
2005:Internet). This includes the right “… not to be convicted for an act or omission that was not an
offence under either national or international law at the time it was committed or omitted” (Maat 2004:5).
The creators of the I love you virus caused significant damage by infecting more than 60 million computers
worldwide. However, due to the principle of nullum crimen sine lege (Latin, lit. "No crime, no punishment
without a previous penal law"), the perpetrators were not prosecuted (Maat 2004:7): “… A person shall
not be criminally responsible under this Statute unless the conduct in question constitutes, at the time it
takes place, a crime within the jurisdiction of the Court” (ICRC 2005:Internet).
There is also a fine line between jurisdictional mandate and privacy legislation; this can complicate the
implementation of a proper forensic system. Most organisations expect their employees to sign an
organisational equipment usage disclaimer on joining the organisation. This disclaimer generally states
that the employee will abide by all organisational policies, not misuse organisational equipment, as well
as an acknowledgement that the equipment remains the property of the organisation and that some
higher authority may have access to the equipment for inspection.
The implication of this disclaimer is that, in the event of a computer incident, the system administrator
may access the suspect machine or give access to the forensic investigator involved in the investigation.
This is also the mandate on which forensic investigators access machines without an explicit search
warrant (refer to Paragraph 5.2.1). Employees can argue that their reasonable expectation of privacy
has been violated.
Forensic investigators should be aware of the difference between these two states and ensure that their
actions are defendable in court. To further exacerbate the situation, research in the United States shows
that nearly 85% of the legal system’s current caseload involves some form of digital evidence (Taylor,
Endicott-Popovsky & Frincke 2007:101), yet cyber law is not addressed appropriately. In this regard,
legislation is not on par with reality.
Legal Problems
On the other hand, very few legal systems presently take the digital world into account and laws need
to be modified, edited or amended to fit the requirements of the cyber world (Baggili 2006:1). South
Africa has a hybrid legal system, composed of a number of distinct legal traditions: a civil law system
inherited from its Dutch colonisers, a common law system from its English colonisers, and an indigenous,
African customary law (Du Bois 2007:45). At that time, it was unthinkable that the emergence of new
technology could change the world as much as it has today. Accordingly, it did not take long before it
became difficult, if not impossible, for the legal system to cope with advanced technology (Maat 2004:4).
The computer is a magnificent invention that allows us to do so many things that would have otherwise
been completely impossible. However, it is separate from the legal system, complicating the merging of
human and computer. “… The question that arises is whether our criminal law, which evolved before the
space and electronic age…, is supple enough to meet the onslaught of the white collar criminal that
specialises in computer crime” (Maat 2004:5).
In the words of Jonathan Burchell: “… Before succumbing to the crime-control model of criminal justice
and developing new crimes to counter the ingenuity of the criminal mind, we need to answer two
questions: (a) has a thorough and creative examination been done to determine whether the existing
common or statutory law is inadequate to deal with the new or revived nefarious manifestation; and (b)
does the cost in human and financial terms warrant the intervention of legislation, diverting already
limited resources from the detection and prosecution of common-law crimes of violence to special and
costly forms of law enforcement and to defending potentially time-consuming constitutional challenges to
the legislation?” (Maat 2004:6).
According to the US-CERT (2005:2), recent legislation makes it possible to hold organisations liable in civil
or criminal court if they fail to protect customer data. This legislation includes the Health Insurance
Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX). Nowadays it is becoming
more important to prove that your organisation complies with computer security best practices. If there is
no proof that an organisation followed a sound security policy, it is potentially open to regulatory audits or
lawsuits (US-CERT 2005:3). The next section will formally introduce forensics into the legal system.
8.2 Legal Acceptance of Forensic Evidence
Digital Forensics is a relatively new discipline to the courts. Many of the existing laws used to prosecute
computer-related crimes do not adequately cover the proper adjudication of digital evidence (US-CERT
2005:3). Accordingly, very few forensic cases have been successfully tried in South African courts.
Forensic Nature
According to the US-CERT (2005:1), the word forensics literally means “… to bring to the court” (refer to
Paragraph 6.3). This is a definite indication that Digital Forensics does have a place in the legal system.
Forensics deals primarily with the recovery and analysis of latent evidence: anything from fingerprints
and DNA to files on a hard drive. Four key factors in forensic software make the difference when it
comes to court acceptance (MD5 2008:Internet):
• Forensic software does not alter data. ProDiscover (see accompanying CD, see Forensic
tools) will not alter any data on the disk. ProDiscover accesses the suspect disk in a read-only
fashion at the disk sector level. The software does not allow writing to the disk. Most forensic
packages have similar features to prevent any unauthorised modification of evidentiary data
(refer to Paragraph 3.4.3).
• Forensic software provides maximum data access. Most forensic packages take raw data and
rebuild it into files using an internal file viewer so that you see all the data. This includes slack
space, meta files and alternate data streams (refer to Paragraph 5.2.4).
• Forensic software ensures proof of authenticity. All forensic packages generate a hash signature
for evidence gathered. Investigators can use these signatures at any time to prove that the data
is the same as the original evidence after its capture (refer to Paragraph 3.4.5.1).
• The scientific community verifies forensic software. Scientific communities constantly review software
packages to ensure their accuracy (refer to Paragraph 8.2.1).
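The first and third factors above (read-only access to the suspect media and a hash signature that later proves the copy is unchanged) can be demonstrated together. The following is an added illustration, not code from the thesis or from ProDiscover or any other tool it names: a constructed eight-sector "disk" is imaged sector by sector with the source opened read-only, both digests are computed over the same bytes that are written to the image, and the resulting record is used to re-verify the image (and the untouched source) and to detect a single flipped byte in the copy. File names and the 512-byte sector size are assumptions of the example.

```python
"""Added example: read-only imaging of a source device with hash verification.
Illustrative code only; not ProDiscover or any other tool named in the text."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CHUNK = 512  # assumed sector size; the constructed image uses 512-byte sectors


@dataclass(frozen=True)
class AcquisitionRecord:
    """What an investigator writes into the chain-of-custody form at capture time."""
    source: str
    image: str
    size: int
    md5: str
    sha256: str


def _digests(path: str) -> Tuple[str, str, int]:
    """Hash a file sector by sector without ever opening it for writing."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:  # "rb": read-only, the file cannot be modified
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return md5.hexdigest(), sha.hexdigest(), size


def acquire(source: str, image: str) -> AcquisitionRecord:
    """Copy the source to an image file while computing its hashes.

    The source is opened read-only; the digests cover exactly the bytes that
    are written to the image, so one record describes both source and copy.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            md5.update(chunk)
            sha.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    return AcquisitionRecord(source, image, size, md5.hexdigest(), sha.hexdigest())


def verify(record: AcquisitionRecord, path: Optional[str] = None) -> bool:
    """Re-hash a file (the image by default) and compare with the recorded values.

    Returns True only when both digests and the size still match the record."""
    md5, sha, size = _digests(path or record.image)
    return (md5, sha, size) == (record.md5, record.sha256, record.size)


def demo() -> Dict[str, bool]:
    """Acquire a constructed 'disk', verify it, then show that a one-byte change is detected."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "suspect.dd")   # constructed stand-in for the suspect disk
        image = os.path.join(d, "evidence.img")  # raw copy produced by acquire()
        with open(source, "wb") as fh:           # constructed sample data: 8 sectors
            for i in range(8):
                fh.write(bytes([i]) * CHUNK)
        rec = acquire(source, image)
        results = {
            "image_matches_record": verify(rec),
            "source_matches_record": verify(rec, source),  # source unchanged by imaging
        }
        # Flip one byte in the copy: the recorded signature must no longer match.
        with open(image, "r+b") as fh:
            fh.seek(3 * CHUNK)
            fh.write(b"\xff")
        results["tamper_detected"] = not verify(rec)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Both MD5 and SHA-256 are recorded because a mismatch in either is enough to reject the copy; in practice the record, not just the hash, is what the investigator produces in court alongside the image.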
Considering these four aspects, it is crucial for anyone overseeing network security to be aware of the
legal implications of forensic activity. To ensure the acceptance of forensic evidence in a legal context at
a later stage, security professionals should consider their policy decisions and technical actions in the
context of existing laws. This can be a matter as simple as getting authorisation first before monitoring
and collecting information regarding a computer intrusion (US-CERT 2005:3). Accordingly, it is clear that
any organisation with Digital Forensic capabilities will be at a distinct advantage should the case proceed
to a court of law (US-CERT 2005:4).
Relating Forensics to Law
Traditional investigation methods are ill equipped and inefficiently developed to deal with cyber crime.
These methods developed with the sole purpose to investigate physical crimes situated on physical
premises. However, criminals have advanced so significantly that investigators need to investigate both
physical and virtual crimes situated on both physical and virtual premises. Highly sophisticated technology
now allows cyber criminals to wreak havoc in virtually borderless information networks (Maat 2004:11).
Cyber crime directly resulted in the emergence of an alternative approach to traditional Law Enforcement,
now not purely enforced by the State, but rather by specialists of the environment in which the crime was
committed. Only with the co-operation between these entities is it possible to effectively deal with cyber
crime (Maat 2004:11). The ECT Act eliminated many of the discrepancies that existed in previous
legislative documentation regarding cyber crimes. For example, before this Act came into being,
actions such as hacking and Denial of Service (DoS) attacks were not classified as criminal acts (Maat
2004:i). The ECT Act also created new offences in our legal system to fill a previously identified gap. It
is important to remember that both technology and cyber crime are evolving disciplines and to rule out
the possibility of new types of cyber crime can be hazardous (Maat 2004:10). Cyber criminals, most
likely, will use more inventive and technologically advanced methods to commit cyber crimes.
Strict laws and regulations bind Digital Forensic investigators. When they do not precisely abide by these
laws, the court may dismiss the case, rendering the gathered data useless in a Law Enforcement
capacity. The court may classify the data as unconstitutionally obtained evidence, and will render the
trial unfair or detrimental to the administration of justice (Maat 2004:223).
Live Forensics and the Law
The judicial system does not accept all types of Digital Forensics, although the concept of forensics is
justified. For example, Dead Forensic Acquisition techniques are tested and, under normal circumstances,
allowed as evidence in court. The aspects of Live Forensic Acquisition and Network Forensics, however,
need more research before they can be included, without a doubt, as evidence.
There are currently issues concerning authenticity, reliability, preservation, admissibility, tool testing and
verification that need to be addressed before Live Forensic evidence and Network Forensic evidence can
be accepted with a similar degree of confidence as Storage Media Forensics (Nikkel 2006:2). In general,
Law Enforcement can apply Digital Forensics in either a civil case or a criminal case:
• In civil cases, forensic copies of the computer hard drive are often produced on the suspected
crime scene, thus reducing downtime and leaving the original material in the possession of the
owner. The forensic investigators generally keep only a copy of the evidence for analysis and
treat this with maximum security.
• In criminal cases, forensic copies of the computer hard drive are produced and the forensic
investigators keep both the original drive and a copy for evidence. Both these drives are kept
securely, but all analysis is done on the copied image. The original drive serves as best
evidence (defined in Paragraph 3.3.3.3), and is kept by the investigator for the duration of the
case. In the event of a covert operation, the investigator does not physically remove the best
evidence from the site before criminal charges have been laid (Cyber Forensics 2007:Internet).
Many factors play a role in the relationship between forensics and the legal system. The following sections
look at computer science, forensic science, criminal investigations, computer security and Information
Security, system administrators and business. These aspects form part of the alternative approach to
traditional Law Enforcement, in which Live Forensics is applied in relation to a multitude of interrelated
disciplines.
8.2.1 Computer Science
Although computer science is a very wide topic, the necessity of it concerning Digital Forensics involves
the development of new software. This software may potentially have an impact on the analytical value
and evidential integrity of acquired data (Jones 2007:2).
Digital Forensic investigators have seen a drastic increase in the number and complexity of computer
crimes in recent years. As a result, both the field of Digital Forensics and the nature of computer crimes
advanced in complexity. In fact, the growing intricacy of cyber crimes demands more technically
advanced software and techniques that enable forensic investigators to obtain and analyse data more
efficiently. Computer crimes greatly assist computer science advances, by forcing developers to create
bigger and faster machines, and more efficient, secure Forensic Acquisition packages that can navigate
a vast magnitude of data in a shorter time span (Rogers & Seigfried 2004:12,13).
The computer technology also did not remain dormant and bigger, faster computers were developed.
Originally, when Digital Forensics first surfaced as a scientific field, the majority of analysis done by
forensic experts was done on a single target computer and a single forensic computer. Nowadays it
might be necessary to span an OS over multiple machines in order to investigate it. Equally, cyber
criminals have pushed the boundaries for encryption schemes as well. This allows them to hide their
crimes, whilst forcing computer scientists to advance the forensic techniques associated with encryption
(Rogers & Seigfried 2004:12). The following section relates Digital Forensics to traditional forensics.
8.2.2 Physiological Forensic Science
The principles for Digital Forensics are the same as those for traditional Physiological Forensics (Jones
2007:2), except that these principles are applied to digital sources and not physical, biological sources.
Both of these disciplines focus on acquiring and preserving evidence to facilitate prosecution.
Traditional or Physiological Forensics developed from the practice of forensic medicine recognised as a
medical specialty at the end of the 18th century. Forensic science began during the early 1920s in United
States university laboratories, although the first official crime laboratories were only established in 1929
(Wang, Cannady & Rosenbluth 2005:120). Traditional Physiological Forensics is applied to answer a limited
set of questions and to individualise an object. For example, forensic investigators need to compare
blood retrieved from a crime scene with a sample from a suspect’s blood to determine if the samples
correspond.
Although the foundation corresponds to Physiological Forensics, Digital Forensics is more complicated
on a core level. For example, to determine how a cyber criminal compromised a computer, the forensic
investigator needs to identify the access point into the compromised system. It is a rather intricate process
of searching for evidence, acquiring it and then analysing it (Carrier 2006:2). The Digital Forensic
science was created to address the specific and articulated needs of Law Enforcement to make the most
of this new form of electronic evidence. As discussed in Chapter 3, Digital Forensics is the science of
acquiring, preserving, retrieving and presenting data that has been processed electronically and stored
on computer media (Amenya 2004:3).
In Physiological Forensics, all evidence is relatively similar. For example, DNA from any source (whether
it is a blood sample, piece of hair or nail) is in generic form once it is cleared from contaminants and
reduced to its elemental form. Once this stage is reached, the protocols for forensic DNA analysis may be
applied similarly to all submissions. In Digital Forensic evidence, however, there is such a vast magnitude
of different types of evidence and each piece needs to be handled and investigated differently. Digital
Forensic evidence rarely gets the same elemental form of evidence, due to the difference in OSs, unique
applications programmes and the different storage methods.
Despite the obvious differences between the disciplines, there is some overlap. Both disciplines consider
evidence inadmissible if a forensically sound investigation has not been followed. The next section links
Digital Forensics with criminal investigations.
8.2.3 Criminal Investigations
As with any criminal investigation, it is important to determine the role that the computer plays in the
committed crime, before starting with the physical investigation. The computer may either be a tool of
the crime, or be subsidiary to the crime. This determination generally happens before the preparation of
the warrant to seize the computer and/or parts of the computer system.
In the first scenario, the computer plays an active role in committing the crime. For example, the criminal
uses the computer as a means to counterfeit certain documents. In the latter scenario, the criminal may
not actively use the computer during the committal of the crime, but rather as a repository of evidence
pertaining to the crime (Robbins 1994:7). A criminal might keep email communication in which he/she
refers to the committed crime. The nature of the computer’s role may be indicative to using either Dead
or Live Forensic Acquisition.
Before a forensic investigator or Law Enforcement agency can commence with the investigation, an
appropriate authority should issue a search warrant. If an organisation has well-defined policies in place,
the process is dramatically fast-forwarded. Investigators then automatically have permission to collect
evidence and analyse it (Laubscher, Olivier, Venter, Rabe & Eloff 2005:5).
Any advances in the field of Digital Forensics allow criminal investigators greater flexibility to conduct
enquiries and investigations (Jones 2007:2). On the other hand, the more success stories there are about
forensic-aided criminal investigations, the more readily the industry can recognise Digital Forensics as a
fully fledged discipline, leading to more technology-advancing research. The next section links Digital Forensics with
the Computer Security and Information Security disciplines.
8.2.4 Computer Security / Information Security
Computer Security and Information Security are major issues within organisations. Not only can it be
rather tragic if an organisation’s highly paid-for research or a best-kept trade secret is stolen, but an
organisation can be sued for negligence in the event that clients’ personal information is stolen.
Two issues to consider are that of data protection and ISP liability:
• The organisation should protect data. Data that your employees or clients provide to you under
the auspice of confidentiality should remain confidential. The law requires organisations to ensure
the accuracy, relevancy and security of provided information, under all circumstances. Since this
information may include identity and contact information, financial information or performance
appraisals, it may cause a violation of trust in the event of a system breach. Worst-case scenario,
the cyber criminal may sell this confidential information to corrupt individuals or organisations,
leading to possible further crimes such as unauthorised withdrawals from bank accounts or
harassment. Not only will the original organisation be liable for any financial loss suffered by
employees or clients, but will also suffer a loss of reputation and organisational confidence.
• The ISP has a liability. If an organisation does not have the necessary notices and policies in place
to inform employees about the unauthorised use of organisational resources, it may lead to
Information Security problems. If an organisation does not have these measures in place, the
ISP may hold the organisation liable for illegal material hosted on its computers, including copied
music files, pornographic or defamatory material. An organisation may face prosecution, an in-
depth investigation of its IT infrastructure and a loss of reputation (JISC Legal 2005:2).
Proactive organisations can configure computer networks and systems for forensic readiness. Chief
Information Officers (CIO) have a list of actions to take to prepare a system effectively for easier forensic
investigation and maintenance, such as logging (Jones 2007:2). Such proactive actions may be very
handy in the event of sensitive data where Information Security should apply at all times.
A different kind of Information Security breach occurred recently. A researcher at the National Heart,
Lung and Blood Institute in Bethesda, Maryland had his laptop stolen from the trunk of his car. The
laptop contained medical records for 2500 study participants and a breach can expose seven years’ worth
of clinical trials (Hulme 2008:Internet). Another security breach occurred at the Binghamton University,
New York. The Coordinator of Undergraduate Advising for the School of Management accidentally
mailed a group of almost 300 students a list of the accounting students’ names, social security numbers
and grade point averages (Hill 2008:Internet).
These real-life examples show that there is a clear relationship between Computer Security, Information
Security and Digital Forensics. The next section looks at the role that system administrators play in the
Digital Forensic discipline.
8.2.5 System Administrators
Although employees often expect a certain degree of privacy regarding their workstation, case law
demonstrates that courts examine the totality of circumstances. This is necessary to determine whether
this reasonable expectation of privacy applies, or whether an employer shares authority over the
employee's space (Robbins 1994:22). The generally accepted practice regards the employer-consent as
standing. It allows the employer to delegate some of these responsibilities to appointed experts, such as
the qualified system administrator.
The First Responders (defined in Paragraph 3.3.1) to a cyber crime scene are often the organisation’s
system administrators. In performing their daily duties and monitoring tasks, the system administrator
often notices suspicious network and system behaviour first. Therefore, they play a crucial role in
Forensic Acquisition. The entire process starts with them and, if they act in a forensically safe manner, it
is possible to collect evidence for possible future prosecutions (Jones 2007:2).
The role of the system administrator compares to that of the cyber inspector, except for the inspector’s
legal rights. System administrators can thus access employees’ files and folders and often leave no physical
clues of their actions. It remains the responsibility of the organisation to publish clear policies about privacy
on the network (refer to Paragraph 8.1). In addition, the organisation needs to explain to employees that
its network administrators have oversight responsibility and control (Robbins 1994:22,23).
By ensuring that the system administrator or forensic investigator sees to the system continually, an
organisation can ensure forensic readiness in the event of a cyber crime. “Although digital forensic
investigations are commonly employed as a post-event response to a serious Information Security or
criminal incident, when forensics is used to its potential, it can provide both pre- and post event benefits”
(Laubscher et al. 2005:5). Accordingly, system administrators can play a very big pro-active role in
Digital Forensics. However, few organisations take this pro-active stance. The next section looks at the
general relationship between Digital Forensics and businesses.
8.2.6 Business
Most businesses and organisations rely on computers to perform their day-to-day business functions.
People are dependent on their computer for communication, data records, transferring and sharing files,
information searches and data exchanging forums. Consequently, it is very easy for employees to
misuse organisational resources under the banner of day-to-day computer related tasks. Combined
with the Internet increasing the potential digital crime opportunities, businesses are more likely to
become either the victims or the unknowing participants in modern cyber crimes (Fei 2007:13).
Many organisations believe that time is money. It is thus understandable that organisations are not too
keen on calling in forensic experts, since the earlier, traditional Forensic Acquisition techniques took
hours to acquire a system image. It was common for an entire business to come to a standstill in order
for a forensic investigation to take place. Advances in Digital Forensics, which reduce the disruption
caused by an investigation, are highly beneficial and surround forensic investigations with fewer negative
perceptions (Jones 2007:2).
Cyber crime attacks can compromise both personal and business data stored on a central server. It is
thus important for all organisations, whatever their line of business, to be pro-forensics and to respond
quickly and efficiently to Computer Security incidents, on a daily basis. By doing this, organisations can
reap the following benefits:
• respond to incidents systematically so that the appropriate steps are taken;
• help personnel to recover quickly and efficiently from security incidents, minimising loss or theft
of information and disruption of services;
• use information gained during incident handling to prepare for better handling of future incidents
and to provide stronger protection for systems and data; and
• deal properly with legal issues that may arise during incidents (Grance, Kent & Kim 2004:18).
Business and organisational computers remain the main catchment area for Digital Forensic investigations.
Most people spend the majority of their day at work and a large part of their time at work on the computer.
The data held on computer systems and networks can thus tell us a lot about an individual’s interests,
patterns of behaviour and even their whereabouts at a specific time (Fei 2007:14).
As computer systems, networks and other computing devices become more widely used and prevalent,
the chances of such computing devices and networks being involved in criminal activity also increase.
The next section looks at current legislation that deals with cyber crime and cyber investigations.
8.3 Legal Matters
Unfortunately, many countries’ laws do not clearly prohibit cyber crimes. Equally, existing laws against
physical acts of trespassing or breaking and entering often do not cover their virtual counterparts
(Ticehurst 2000:Internet). It is only in the last couple of years that countries realised the urgency of this
matter and started the development of cyber crime legislation. This lack of updated laws means that
cyber criminals around the world believe that their crimes will go unpunished. Earl Warren sums up the
legal overview quite appropriately. “Our legal system faces no theoretical dilemma but a single continuous
problem: how to apply to ever changing conditions the never changing principles of freedom” (Cheeseman
2005:341).
In a report published by the World Information Technology and Services Alliances (WITSA), shocking
statistics reveal that only nine of the 52 countries analysed in the report have extended their criminal laws
into cyberspace to cover most types of cyber crimes. Another nine countries have updated their laws to
prosecute against six or more types of cyber crime, while ten more countries have enacted legislation to
address five or fewer types of cyber crime. Thirty-three of the countries surveyed have not yet updated
their laws to address any type of cyber crimes. The conductor of the research said: "The long arm of the
law does not yet reach across the global internet. Organisations must rely on their own defences for now"
(Ticehurst 2000:Internet). The accompanying CD presents the full report, see WITSA report.
In 1978, Donn Parker created the first official law to deal with computer crime. Parker is one of the
pioneers on the subject of computer-related crime and played a key role in enacting Florida’s Computer
Crime Act of 1978 (Casey 2000:32). After intense research, Parker proposed the following four categories
of computer crime, the foundation for many Information Technology related legislation:
• A computer is the object of crime and the crime directly affects the computer; e.g., a criminal
steals or destroys the computer.
• A computer is the subject of a crime, or acts as the environment in which the crime is committed;
e.g., a criminal infects the computer with a virus to inconvenience the individuals who use it.
• A computer is the tool for conducting or planning a crime; e.g., a criminal uses the computer to forge
documents or break into other computers.
• A computer is the symbol to intimidate or deceive; e.g., a criminal uses the computer to lure
victims into doing something (Casey 2000:32).
Although accurate, Parker's categories omit the use of computers as sources of digital evidence. Computers are
often not actively used in the commission of a crime, but contain digital evidence that can prove that the
crime was committed, often also implicating the criminal. In 1995, Professor David Carter improved
Parker’s categorisation of computer-related crime by employing his knowledge of Criminal Justice.
Carter added another category describing scenarios in which computers are incidental to other crimes
but hold related digital evidence (Casey 2000:33).
The following acts and laws are considered in the development of the Liforac model. This list is not
exhaustive, but constitutes some of the more prominent laws available to the general public, gathered
from a number of countries across the world:
• Information Technology Act of 2000, India;
• No Electronic Theft (NET) Act of 1997, United States of America;
• Information Infrastructure Protection (IIP) Act of 1996, United States of America;
• Telecommunications Act of 1996, United States of America;
• Computer Fraud and Abuse Act of 1986, United States of America;
• Electronic Communications Privacy Act (ECPA) of 1986, United States of America;
• Securing Adolescents From Exploitation-Online (SAFE) Act of 2007, United States of America;
• Computer Security and Critical Information Infrastructure Protection Bill of 2005, Nigeria;
• Electronic Communications and Transactions Act of 2002, South Africa.
Although the cyber legislation in itself is very important, it is also necessary to look at the agencies that
implement the law to ensure cyber security. One of these cyber crime-fighting agencies is the International
Association of Computer Investigative Specialists (IACIS), an international non-profit organisation
composed of Law Enforcement professionals that volunteer to fight cyber crime. These individuals are
dedicated to education in the field of Digital Forensics (IACIS 2007:Internet).
The following section looks at two existing frameworks for cyber crime. The examination of these
frameworks is crucial to the construction of the proposed model for Live Acquisition. The next section
will contribute directly to the development of the Liforac model in Chapter 9.
8.4 Cyber Crime Frameworks
The law constitutes rules to regulate the conduct of individuals, businesses and other organisations within
society. The intention is to protect people and their property against unwanted interference from others
(Cheeseman 2005:2). These laws are enforced by the implementation of cyber crime frameworks. This
section will look at a number of cyber crime frameworks. Since a good cyber crime model is necessary
before any investigation can start, this section plays an important role in the definition and development
of the framework for the proposed Liforac model.
The Liforac model should provide a conceptual reference framework, independent of organisational environment
or technology and a basis for common terminology to support discussion and sharing of expertise. Although
the model does not promote any single technology, it helps develop and apply methodologies to new
technologies as they emerge. A comprehensive cyber crime model includes the investigative process,
incorporating the gathering, analysing and presenting of evidence (refer to Paragraph 3.3 and Figure 3-5),
as well as the legislative aspects (refer to Paragraph 8.2). Such a comprehensive model can benefit IT
managers, security practitioners and auditors (Ciardhuáin 2004:1). The next section discusses a possible
model for investigation.
Ciardhuáin’s Extended Model of Cyber Crime Investigation
According to Ciardhuáin (2004:1), it is necessary to define an extensive model for the investigation of
cyber crime. He did a comparative study on four distinct cyber crime investigation models and found that
none of these is comprehensive enough to ensure a complete acquisition. His intention with a cyber
crime investigation model is to create a platform for future forensic development.
The models used in Ciardhuáin’s study are Lee’s model of Scientific Crime Scene Investigation, Casey’s
model for processing and examining digital evidence, the Digital Forensics Research Workshop (DFRWS)
model and the Reith, Carr and Gunsch model (Ciardhuáin 2004:1). Processes and process flows form
the foundation for all of these models. This idea of processes is reinforced by the continuous
references to the acquisition process throughout the thesis (see definition of Forensic Analysis in
Paragraphs 3.3.1 and 3.3.2, as well as the process flows presented in Figure 3-2, Figure 3-3 and Figure
3-5). The identification of a time related theme (see summary of Chapters 3, 4 and 8) also strongly
supports the use of processes in the final Liforac model.
Following his study, Ciardhuáin (2004:5) proposed a model that combines and extends the elements
from all these models. He suggested processes that are more detailed and included additional process
flows in his model. Ciardhuáin’s model has 13 processes in total, listed in the first column of Table 8-1.
To show that his model was more comprehensive than the four original models, Ciardhuáin did a
mapping based on the identified processes. Table 8-1 presents this comparative mapping.
Table 8-1: Comparison of activities in the discussed models (Ciardhuáin 2004:10)
Process | Lee | Casey | DFRWS | Reith, Carr & Gunsch | Ciardhuáin
Awareness ✓ ✓
Authorisation ✓
Planning ✓ ✓
Notification ✓
Search/identify ✓ ✓ ✓ ✓ ✓
Collection ✓ ✓ ✓ ✓ ✓
Transport ✓
Storage ✓
Examination ✓ ✓ ✓ ✓ ✓
Hypothesis ✓ ✓ ✓ ✓
Presentation ✓ ✓ ✓ ✓
Proof/defence ✓ ✓
Dissemination ✓
Although the first four models listed are Cyber Crime Investigation models, none of these is comprehensive
enough to apply directly to a forensic investigation. These models identify in general what processes
need to be performed in a specific order, but none of the models expressly states the information flow
between the processes. Although this might not seem a crucial point, an unclear process flow may have
a significant influence on the chain of custody of the evidence retrieved.
For the purpose of the Liforac model, Ciardhuáin’s model is simplified to eight processes. Ciardhuáin’s
original model is satisfactory for most of the Digital Forensic process, but since the Liforac model
focuses only on the acquisition of data, some of the latter activities are merged to create a simpler model.
These processes will play a crucial role in the model for Live Forensic Acquisition (presented in Chapter
11) and will be presented as the explicit processes associated with the Liforac model. Table 8-2
presents the merging of the processes and the mapping of Ciardhuáin’s model on the process flow of the
Liforac model.
Table 8-2: Mapping Ciardhuáin’s processes on the Liforac processes (Own compilation)
Ciardhuáin’s model processes | Liforac model processes (adopted from Ciardhuáin’s model)
Awareness | Awareness
Authorisation | Authorisation
Planning | Planning
Notification | Notification
Search/identify, Collection | Search/identify
Transport, Storage | Preservation
Examination | Examination
Hypothesis, Presentation, Proof/defence | Hypothesis
Dissemination | Dissemination
Table 8-2 shows that Ciardhuáin’s search/identify, collection, transport and storage activities are merged
and then split into two separate activities in the Liforac model: search/identify and preservation. These four
activities identified by Ciardhuáin relate directly to the forensic acquisition process discussed in Chapter 3.
To simplify the final Liforac model, these four activities can simply be referred to as search/identify, with the
implication that collection, transport and storage are inherent in this process. An additional activity, preservation,
is added at this stage to ensure that the forensic investigator keeps the chain of custody up to date.
Ciardhuáin’s hypothesis, presentation and proof/defence are also merged into a single hypothesis activity
in the Liforac model. In a complete forensic analysis process, the hypothesis, presentation and proof/
defence would each constitute its own in-depth discussion. However, for the purpose of this study these
activities are merged because the study focuses on the acquisition aspect and only touches on the
remainder of the forensic cycle.
Based on Ciardhuáin’s model and further research on the Digital Forensic cycle, the Liforac model’s
process framework extends to nine processes (discussed extensively in Part 4). The next section looks
at some of the challenges that forensic investigators have to face when performing Digital Forensics.
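The process flow of Table 8-2 and the chain-of-custody point above, as an added example that is not part of the thesis (Python; the case id, investigator names and evidence bytes are constructed): the nine Liforac processes are enforced in their prescribed order, and every custody entry is hash-chained to the previous one, so an out-of-order step or a later alteration of any entry is detectable.

```python
"""Added example, not part of the thesis: the nine Liforac processes
adopted from Ciardhuáin's model (Table 8-2) enforced as an ordered process
flow with a hash-chained chain-of-custody log. Constructed sample values."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

# Liforac process flow, in order, as mapped in Table 8-2.
LIFORAC_PROCESSES = (
    "Awareness", "Authorisation", "Planning", "Notification",
    "Search/identify", "Preservation", "Examination",
    "Hypothesis", "Dissemination",
)

# Ciardhuáin activities that Table 8-2 merges into one Liforac process.
MERGED_INTO = {
    "Search/identify": ("Search/identify", "Collection"),
    "Preservation": ("Transport", "Storage"),
    "Hypothesis": ("Hypothesis", "Presentation", "Proof/defence"),
}

GENESIS = "0" * 64  # prev_hash of the first custody entry


class ProcessFlowError(Exception):
    """A custody entry that breaks the prescribed process flow."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Canonical JSON of everything except the hash field itself.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


@dataclass
class CustodyLog:
    """Append-only chain-of-custody log for one case. Each entry carries the
    hash of the previous entry, so altering an earlier entry breaks the chain."""
    case_id: str
    entries: list = field(default_factory=list)
    stage: int = -1  # index into LIFORAC_PROCESSES of the current stage

    def record(self, process: str, investigator: str, note: str,
               evidence_sha256: Optional[str] = None) -> dict:
        if process not in LIFORAC_PROCESSES:
            raise ProcessFlowError(f"unknown process {process!r}")
        idx = LIFORAC_PROCESSES.index(process)
        # A stage may repeat (several preservation entries are normal) but
        # may neither be skipped nor revisited once the flow has moved on.
        if idx not in (self.stage, self.stage + 1):
            raise ProcessFlowError(f"{process} out of order at stage {self.stage}")
        # Preservation documents custody of the acquired data: hash is mandatory.
        if process == "Preservation" and not evidence_sha256:
            raise ProcessFlowError("Preservation entry needs evidence_sha256")
        entry = {
            "seq": len(self.entries),
            "case_id": self.case_id,
            "process": process,
            "ciardhuain_activities": list(MERGED_INTO.get(process, (process,))),
            "investigator": investigator,
            "note": note,
            "evidence_sha256": evidence_sha256,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        self.stage = idx
        return entry

    def verify(self) -> bool:
        """Recompute the hash chain and re-check the process order."""
        prev, stage = GENESIS, -1
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev_hash"] != prev:
                return False
            if entry["entry_hash"] != _entry_hash(entry):
                return False
            idx = LIFORAC_PROCESSES.index(entry["process"])
            if idx not in (stage, stage + 1):
                return False
            prev, stage = entry["entry_hash"], idx
        return True


def demo_case() -> CustodyLog:
    """Walk a constructed case up to examination; the 'image' is a constructed
    byte string standing in for acquired volatile memory."""
    image = b"constructed sample memory image\x00\x01"
    log = CustodyLog("CASE-0001")  # constructed case identifier
    log.record("Awareness", "A. Investigator", "Incident reported by system owner")
    log.record("Authorisation", "A. Investigator", "Authorisation reference on file")
    log.record("Planning", "A. Investigator", "Live acquisition chosen; host stays up")
    log.record("Notification", "A. Investigator", "Owner and counsel notified")
    log.record("Search/identify", "B. Responder", "Volatile memory identified and collected")
    log.record("Preservation", "B. Responder", "Image moved to evidence store",
               evidence_sha256=sha256_hex(image))
    log.record("Examination", "C. Examiner", "Examined on a verified working copy")
    return log
```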
8.5 Legal challenges
The previous section provided a framework for process flows in the Liforac model. This section
orientates the reader again with regard to the difficulties that Digital Forensics faces in the legal aspects.
Although Digital Forensics proves to be a very valuable addition to fighting crime, there are many legal
challenges that the discipline needs to overcome first. Cohen (2006:70) identified a number of these
legal challenges:
• Jurisdiction. The global nature of IT makes definite jurisdiction difficult (see Paragraph 7.1). To
complicate this matter, email communications are not restricted to a single jurisdiction. In this
event, it is very difficult to determine which jurisdiction needs to take action, often resulting in
both (or more) countries sitting idle, expecting the other country to react. Once jurisdiction is
determined, it can be difficult to gather evidence internationally. Not only is it logistically very
difficult, but when the supposed crime is illegal in one country and legal in another, the country
allowing the actions may not cooperate with the investigating country.
• Case law. Currently there are very few Digital Forensic cases, providing very little precedent. In
the rare cases that case law does exist, the technology is constantly changing and accordingly
the case law may not apply fully anymore.
• Qualifications. No standard international qualifications exist for expert witnesses, making it
difficult for courts to be consistent in the approval of expert witnesses.
• Privacy. The balance between invasion of privacy and a proper Digital Forensic investigation still
needs to be determined.
• Search warrants and permission. It is difficult to specify exactly what needs to be covered in the
search warrants when the range of technologies is so wide.
• Privileges. Doctors, lawyers and clergy may store privileged data in digital format. There are
strict laws that prohibit Law Enforcement from accessing these records.
This section shows that Digital Forensics still has a lot of potential for further research before it can be
considered as fully accepted by the local courts of law. The next section summarises Chapter 8 and lists
the drivers identified in this chapter.
8.6 Summary
As was illustrated in the previous chapters, Live Forensics is a multi-faceted discipline. Chapter 8 looked
at the legal acceptance of forensic evidence and the relationship between forensics and the current legal
system. The most prominent aspects this chapter comprises are laws and legal requirements, and the
relationship between Digital Forensics and computer science, forensic science, computer and
Information Security, system administrators and business aspects.
In summary, the eight drivers identified from Chapter 8 to contribute to the development of the Liforac
model are as follows, with the originating paragraph between brackets:
• Legislation and Law Enforcement of cyber crime are facing two main problems with regard to
Digital Forensics. These problems have a direct impact on the development of the Liforac model
and will be addressed in Chapter 10 (Paragraph 8.1);
• The South African Constitution strictly forbids extending any current legislation by analogy to
include cyber crimes. This fact allows many cyber criminals to go free, without any
punishment for their actions. The Liforac model will try to address this matter (Paragraph 8.1);
• Traditional investigation methods are ill equipped and inefficiently developed to deal with cyber
crime. Chapter 10 of the development of the Liforac model looks at how traditional investigation
methods can adapt to be more forensic-oriented (Paragraph 8.2);
• The judicial system does not accept all types of forensic evidence, while the concept of forensics
is justified. The Liforac model addresses this matter in the development process (Paragraph 8.2);
• Digital Forensics has a strong relationship with a number of wide-ranging disciplines. These
relationships contribute to the understanding of Digital Forensics and therefore directly impact
the development of the Liforac model (Paragraph 8.2);
• Many countries do not have legislation that covers cyber crime. This matter is addressed on the
accompanying CD, see Legislation (Paragraph 8.3);
• Chapter 8 proposes a framework with nine processes that are incorporated as explicit processes
in the timeframe of the Liforac model (Paragraph 8.4);
• Many legal challenges exist that make the acceptance of Digital Forensics in the judicial system
very difficult. Some of these challenges may contribute directly to the development of the Liforac
model and the general understanding of the Digital Forensic discipline (Paragraph 8.5).
When considered individually, most of these identified drivers suggest a legal or regulatory component.
In addition, another prominent driver strongly hints at the time aspect of the model. Allowing for the
number of drivers related to these themes and the importance of these themes in relation to the proposed
Liforac model, these themes might influence the identification of possible dimensions for the Liforac model.
The themes will be addressed in Chapter 9.
Chapter 8 briefly looked at currently available cyber legislations and cyber crime fighting agencies to fulfil
Objective E, Laws. This chapter looked in general at how Digital Forensics fits into the legal system, and
presented a Live Forensic Acquisition specific process model with all the processes necessary to
produce forensically sound evidence. This chapter builds on Chapter 7, focusing on cyber criminals, and
brings Digital Forensics more into the legal perspective. Chapter 8 is the last chapter in Part 3.
Part 4 will now commence with Chapter 9, summarising all the drivers identified from Parts 1 to 3. Once
this summary is presented, Part 4 will continue with the development of the Liforac model as method to
present forensically sound Live Forensic Acquisition. Chapter 9 is the first of five chapters that addresses
the specifics of the development process.
Part 4: The Possibility of Sound Live Forensic Acquisition
This study, Liforac - A Model For Live Forensic Acquisition, divides into four distinct parts (originally
presented in Figure 1-1). Figure Part 4-1 presents the status of the Liforac model development study.
Figure Part 4-1: Part 4 of the Liforac model development study
Part 4, The Possibility of Sound Live Forensic Acquisition, proposes the Liforac model and presents the
model dimension by dimension in Chapters 10 to 13. These chapters introduce each of these dimensions
by further breaking it down into components. This part investigates the legalities of both cyber crime and
Digital Forensics. It comprises seven chapters, including the conclusion of the study.
Chapter 9, Building a Model, presents the framework for the planned model for Live Forensic Acquisition.
This chapter defines a model and presents a visual representation of the generic model of this study.
Chapter 9 is the basis for the remainder of the chapters, acting as a bridge between Parts 1, 2 and 3 (the
literature rich chapters) and Part 4 (the empirical construction of the Liforac model). This chapter shows
the process involved in composing a model from the information gathered in Parts 1 to 3 to represent a
comprehensive, forensically sound model. The themes originally identified in the summaries of Chapters
3 to 8 evolve to four dimensions: Laws and Regulations, Timeline, Knowledge and Scope. Chapter 9
presents all the drivers gathered from Chapters 3 to 8 and maps them against an appropriate Liforac
dimension.
Chapter 10, Laws and Regulations Dimension, looks in more detail at the dimension concerning laws
and regulations relevant to Digital Forensics. Chapter 10 graphically portrays the Laws and regulations
dimension as the foundation of the Liforac model, the basis of all the other dimensions. It needs to be
adhered to so that the other three dimensions have a solid foundation. This chapter visually
shows the segregation of this dimension into a number of components: Common crime laws applicable to
cyber crime, Specific cyber laws, Court cases and precedents and Definition of court admissibility. It also
indicates which of the original drivers apply to this dimension and maps these drivers back to their
original chapters. This dimension builds largely on Chapter 8.
Chapter 11, Timeline Dimension, looks in more detail at the sequential order in which investigators need
to perform actions to ensure sound Live Forensic Acquisition. This dimension is an extension of the
Laws and regulations dimension (shown in Figure 9-2). Chapter 11 visually shows the segregation of the
Timeline dimension into a number of components and discusses these components in more detail. The
two main components portrayed in this chapter are implied and explicit processes, discussed in detail
and presented visually. It also indicates which of the original drivers apply to this dimension and maps
these drivers back to their original chapter.
Chapter 12, Knowledge Dimension, looks in more detail at the people involved in successful Live
Forensic Acquisition: who they are and what training and skills they should have. This dimension is an
extension of the Laws and regulations dimension (shown in Figure 9-2). Chapter 12 visually shows the
segregation of the Knowledge dimension into a number of components and discusses these components
in more detail. The six main components portrayed in this chapter are Law, Forensic Sciences, Social
Sciences, Information Systems, World Security Trends and Events and Computer Science, all based on
new technology. This chapter discusses these components in detail and presents them visually. It also
indicates which of the original drivers apply to this dimension and maps these drivers back to their
original chapter.
Chapter 13, Scope Dimension, looks in more detail at the problems associated with Live Forensic
Acquisition, identified earlier in the research. This chapter visually shows the segregation of this dimension
into five components and discusses these components in more detail. These components are Gaining
access to the suspect machine, Dependency on the operating system, Data modification, Authenticity
and Court acceptance. Although Chapter 5 already identified these problems, Chapter 13 addresses the
solutions to these problems. This dimension is an extension of the Laws and regulations dimension (shown
in Figure 9-2).
Chapter 14, Presenting the Final Liforac model, presents the final model for complete, forensically
sound Live Forensic Acquisition. Chapter 14 presents a complete model, consisting of the four dimensions
discussed in the previous chapters. The model is in its final stage, ready to be applied by forensic
investigators.
Chapter 15, Closure, concludes the study and justifies the development of the Liforac model for
comprehensive, forensically sound Live Forensic Acquisition.
These seven chapters form the crux of the study and present a comprehensive, forensically sound model
for Live Forensic Acquisition. Chapter 9 will now summarise all the drivers identified in Parts 1 to 3,
before Chapter 10 proceeds with the refinement of the Liforac model.
Chapter 9: Building a Model
“Neither the Internet nor cyberspace will ever be a safe haven for individuals who attempt this type
of cyber crime. The Secret Service, along with our law enforcement partners,
will hunt you down, keystroke by keystroke.”
- Brian Marr
Paragraph 2.2 states that this thesis aims to develop a model that underwrites full forensically sound Live
Forensic Acquisition. Chapters 2 to 8 have been building the reader’s knowledge base to such an extent that
it is now possible to start constructing the model’s framework. Chapter 9 will incorporate the important
aspects discussed previously to present a basic model for forensically sound Live Forensic Acquisition.
Part 4, The Possibility of Sound Live Forensic Acquisition, forms the general foundation of this research
study. Chapter 9, more specifically, brings together many of the important aspects of the proposed
forensically sound Live Forensic Acquisition model. This chapter defines what the author understands
by the term model and combines all the drivers identified in previous chapters to present the reader
with a full progress report on the development of the Liforac model. This chapter lays the foundation for
the Liforac model, constructed in Chapters 10 to 13 and presented in totality in Chapter 14.
Figure 9-1 indicates the current level of progress with regard to identifying building blocks for the Liforac
model. All five objectives have been addressed in preceding chapters, whilst Chapter 9 now expands
purposely on the development of the Liforac model. Figure 9-1 is the last in the series of Liforac model
progress figures.
Figure 9-1: Liforac model progress - Model development (Own compilation)
9.1 Introduction
To ensure a successful investigation, investigators are required to deliver verifiable and repeatable results.
Therefore, forensic investigators are responsible for technical insight, knowledge of the law and complete
objectivity during investigations. Then investigators can present direct evidence of suspected misconduct
or potential exoneration (Stimmel 2008:1). The best way to ensure verifiable and repeatable results is by
creating an acquisition model that investigators can apply consistently. This chapter unites all the drivers
identified in the previous chapters to ensure a strong foundation for the Liforac model.
What is a model?
Research shows that it is often much easier to solve complex problems by using a model that is based
on real situations. A model is in general a simplified version of the problem and solution combination (Nova
2006:Internet). As a result, this chapter focuses on building a model to guide forensic investigators to
comprehensive, forensically sound Live Forensic Acquisition.
According to WordNet (2008:Internet), a model is “… a hypothetical description of a complex entity or
process”. A conceptual model, as is the proposed model, is a theoretical construct that represents an
idea, with a set of variables and logical and quantitative relationships between the variables (Wikipedia
2008:Internet). The model generally presents a road map that shows the sequence of related events, to
ensure the desired outcomes (NMS Foundation 2007:Internet). The conceptual model is developed in
such a way to lead to insight into the final system (Ehrlich 2002:Internet).
Generally, a model is of exemplary value and serves as a basis for imitation. The proposed model for
comprehensive forensically sound Live Forensic Acquisition is similar to a best practice document,
compiled by industry experts from the best techniques and methods. The aim of the model is to assist
other individuals and organisations to implement a specific idea as smoothly as possible (WordNet 2008:
Internet) to ensure the best possible output. In this specific event, the best practice or model would focus
on ensuring forensically sound Live Forensic Acquisition.
The next section presents the generic Liforac model framework, based on Ciardhuáin’s adapted model
(see Paragraph 8.4). Both the Ciardhuáin and Liforac models allow for standardisation, consistency of
terminology and the identification of research and development areas. Such a model can also prove
useful to explain the work of cyber crime investigators to non-specialists. This can be especially supportive
when presenting digital evidence in a court of law (Ciardhuáin 2004:11).
9.2 Generic Liforac model Framework
To develop a useful model, it is necessary to include a number of wide-ranging components to cover all
aspects relevant to Live Forensic Acquisition. Although the idea of this model is not to present a rigid or
restrictive set of steps to follow, the intention is to develop a comprehensive set of guidelines that can
assist a forensic investigator throughout the Live Forensic Acquisition process, should the investigator
require assistance.
Figure 9-2 presents the proposed generic Liforac model. This model comprises four distinct dimensions:
Laws and regulations, Timeline, Knowledge and Scope, derived from the drivers identified in the study.
These four dimensions were developed throughout this study, as a number of drivers have been
identified and listed at the end of Chapters 3 to 8. The respective summaries of Chapters 3 to 8 not only
provided the drivers but also proposed a number of potential themes derived from the listed drivers. The
discussion and grouping of drivers into logically related groups culminated in four different themes
indicating four applicable dimensions of the model. The drivers and themes accordingly strongly directed
the decision to divide the model into these four specific dimensions.
The remainder of the study focuses on expanding these four dimensions to develop a comprehensive
framework with four distinctly developed dimensions. Each of these dimensions further divides into
components to present a fully comprehensive model for Live Forensic Acquisition. Chapters 10 to 13
present these components in detailed discussion and relate the components back to the drivers identified
at the end of Chapters 3 to 8.
Figure 9-2: Generic Liforac model (Own compilation)
The Laws and regulations dimension is the foundation of the entire model. It affects all three other
dimensions and forms the basis on which these dimensions rest (discussed in Chapter 10). The Timeline
dimension focuses more on the process view of the model, indicating the sequence in which investigators
need to execute processes (discussed in Chapter 11).
This chapter largely borrows from Ciardhuáin’s model, identified and adapted in Paragraph 8.4. The
Knowledge dimension indicates the different stages of awareness and understanding investigators need to
acquire to perform sound Live Forensics (discussed in Chapter 12). Lastly, the Scope dimension addresses
the practical problems related to Live Forensics identified in Chapter 5 (discussed in Chapter 13).
In this chapter as well as the next five chapters, specific terms are going to be used to describe certain
aspects of the proposed Liforac model. These terms/building blocks are defined below, whilst Figure 9-3
illustrates the relation between these building blocks.
• Dimension. The magnitude of something or the construct whereby objects can be distinguished (WordNet 2009a:Internet). A dimension often relates independently to other dimensions, giving the specific object a unique identity. A dimension often presents specific measurable features that can link with other measurable dimensions to present a bigger integrated object. For example, this study presents the Laws and Regulations, Timeline, Knowledge and Scope aspects as independent dimensions of the Liforac model.
• Sub dimension. A sub dimension is a smaller version of the dimension, also presented as an independent entity with measurable features. A sub dimension forms a logical smaller section of a dimension, but is more distinct than a component. For example, this study presents Common crime laws, Specific cyber laws, Court cases and precedents, and Definition of court admissibility as logical sub dimensions of the Laws and regulations dimension.
• Component. The smallest identifiable part that can be used to compose another entity. Generally, a component has no function when considered in isolation, but adds to the symbiotic meaning of a bigger entity. For example, the Scope dimension has five components listed in this study: Access to the machine, Dependency on the OS, Data Modification, Authenticity and Court Acceptance.
• Driver. This term can be seen as the driving force behind a specific action. For example, at the end of Chapters 3 to 8, a list of drivers from that particular chapter is identified and its inclusion into the Liforac model motivated. These drivers form the driving force behind many of the concepts built into the Liforac model.
The next section combines all the drivers identified in earlier chapters and maps them in a comprehensive
table onto their source chapters.
9.3 Presenting the Drivers
Chapters 3 to 8 all concluded with a summary of the drivers identified from that specific chapter. These
summaries also identified preliminary themes that evolved into dimensions. Table 9-1 unites all these
previously identified drivers. It also indicates the originating chapter of the respective drivers, as well
as the Liforac model dimension to which the driver applies. These drivers are accordingly duplicates of
the drivers already seen at the end of Chapters 3 to 8, but are presented in a single comprehensive list of
drivers.
Figure 9-3: Relation between Liforac model building blocks (Own compilation)
Table 9-1 below should not be memorised, but seen purely as a grouping of all the drivers identified in
the development of the Liforac model to date. The next four chapters split this table into four smaller
tables, indicating only the drivers relevant to a specific dimension. These identified drivers will be
discussed and their inclusion in a specific dimension motivated in the respective chapters.
Table 9-1: Summary of identified drivers (Own compilation)
Identified driver | Original chapter | Liforac dimension
Digital Forensic definition | Paragraph 3.1 | Knowledge
Retrospective profiling nature of Digital Forensics | Paragraph 3.2 | Laws and regulations
A crime scene contaminated by the investigator renders the evidence inadmissible in court | Paragraph 3.2 | Laws and regulations, Knowledge
Current forensic methods: pulling the plug or doing a live analysis | Paragraph 3.3 | Knowledge
Digital Forensic methodology consists of three key steps: acquire evidence without altering the original; authenticate that the recovered evidence is the same as the originally seized data; and analyse the data without modifying it | Paragraph 3.3 | Knowledge, Timeline
Digital Forensic process consists of four steps: collection; examination; analysis; and reporting | Paragraph 3.3.1, Paragraph 4.2, Table 4-1 | Knowledge, Timeline
The First Responder has a very definite role in the Live Forensic process | Paragraph 3.3.1 | Knowledge, Timeline
Comparison between Dead and Live Forensics | Paragraph 3.3.3, Table 3-1 | Knowledge, Scope
Forensics has a volatile and unpredictable field setting | Paragraph 3.4 | Knowledge, Scope
The generic Forensic Acquisition process applies to both Dead and Live Forensic Acquisition | Paragraph 3.4, Figure 3-5 | Knowledge, Timeline
Chain of custody plays an important role in forensics | Paragraph 3.4.4 | Laws and regulations, Timeline
The integrity of the evidence should be protected at all times | Paragraph 3.4.4 | Timeline, Scope
A thorough Digital Forensic Acquisition and analysis can be done with supporting software packages and applications | Paragraph 4.1 | Laws and regulations, Timeline, Knowledge, Scope
Different forensic suites exist for Windows, Mac, Linux and DOS | Paragraph 4.1 | Laws and regulations, Timeline, Knowledge, Scope
Specific tools can be applied in specific stages of the forensics process | Paragraph 4.2, Table 4-1 | Laws and regulations, Timeline, Knowledge, Scope
Many traditional forensic suites also cater for Live Forensic Acquisition | Paragraph 4.2, Table 4-1 | Laws and regulations, Timeline, Knowledge, Scope
The accuracy of results and the integrity of digital evidence need to be maintained at all times | Paragraph 4.2.1 | Laws and regulations, Scope
Forensic toolkits have three main limitations:
• the problem of acquisition, imaging a live system,
• tools adapt poorly to large-scale investigations,
• difficult to view large evidence files holistically
Paragraph 4.2.6 Laws and regulations
Electronic information is a valuable resource Paragraph 5.1 Knowledge
Organisations generally have three possible options to respond to a cyber attack:
• do nothing;
• perform an internal investigation; or
• perform a detailed analysis with the intention to prosecute the cyber criminal
Paragraph 5.1 Laws and regulations, Knowledge
Digital evidence has some unique properties Paragraph 5.1 Laws and regulations, Knowledge
Locard’s exchange principle applies to all crime scenes Paragraph 5.1 Knowledge
Live Forensics has five identified practical problems:
• gaining access to the suspect system;
• acquisition dependant on OS;
• data modification during the acquisition process;
• demonstrate the authenticity of evidence;
• ensuring full acceptance by the court
Paragraph 5.2, Figure 5-2 Scope
Several methods exist to perform Live Forensic Acquisition:
• software applications
− software agents;
− memory dump;
− NotMyFault; and
− Live Response Toolkit
• hardware devices
− the Tribble device;
− the PCI expansion card;
− SPARC OpenBoot; and
− COFEE
Paragraph 5.3 Knowledge
Digital Forensics is a technical application of computer related knowledge Paragraph 6.1 Knowledge
Forensic soundness is the foundation of court admissibility of evidence Paragraph 6.1 Laws and regulations,
Knowledge
Rejected forensic evidence can hurt the case, or portray the investigators as incompetent Paragraph 6.2 Laws and regulations
Liforac - A Model For Live Forensic Acquisition
Martha Maria Grobler 146 of 268 Chapter 9
IIddeennttiiffiieedd ddrriivveerr OOrriiggiinnaall cchhaapptteerr LLiiffoorraacc ddiimmeennssiioonn
Evidence should be referred to as “… artefacts of potential evidentiary value” Paragraph 6.2 Laws and regulations
An expert witness may elicit professional opinions about the validity of a theory and the reliability of specific tools Paragraph 6.2 Knowledge
A well-known heuristic is needed to determine the admissibility of expert evidence:
• Frye test; and
• Daubert test
Paragraph 6.2 Laws and regulations
Legal admissibility is the characteristic of a piece of evidence that determines whether it will be accepted by a court of law
Paragraph 6.2.3 Laws and regulations
To ensure the acceptance of digital evidence, forensic investigators should maximise the evidential weight of a document
Paragraph 6.2.3 Laws and regulations, Knowledge
There are two main elements to demonstrate the authenticity of electronic records:
• freeze a record at a specific moment in time;
• maintaining a documented audit trail
Paragraph 6.2.3 Laws and regulations, Knowledge
To ensure admissibility, counsel should prove that:
• the record has not been tampered with;
• the system the record is kept in is secure; and
• the system was secure throughout the record lifetime
Paragraph 6.2.3 Laws and regulations
In both traditional and Digital Forensic measures, courts should allow the minor alteration of original evidence, without altering evidence in such a way that the meaning thereof changes
Paragraph 6.3 Laws and regulations, Knowledge
The Heisenberg uncertainty principle and the observer effect explains the volatile nature of forensics Paragraph 6.4 Knowledge
Both authenticity and reliability plays a crucial part in determining whether artefacts of evidentiary value can be considered as evidence or not
Paragraph 6.5 Laws and regulations
Jurisdiction of cyber crime is difficult to determine Paragraph 7.1 Laws and regulations
Criminals tend to exploit anonymity, convenience and speed and of modern technology to commit crimes Paragraph 7.1 Laws and regulations
Cyber crime definition Paragraph 7.2 Laws and regulations
Unlike real world crime, cyber crime does not have:
• physical proximity;
• small scale;
Paragraph 7.2 Laws and regulations
Liforac - A Model For Live Forensic Acquisition
Martha Maria Grobler 147 of 268 Chapter 9
IIddeennttiiffiieedd ddrriivveerr OOrriiggiinnaall cchhaapptteerr LLiiffoorraacc ddiimmeennssiioonn
• physical constraints; or
• offender-offence patterns
Many different types of cyber crime exists Paragraph 7.2.1 Laws and regulations
The number of cyber crime incidents are rapidly increasing Paragraph 7.2.2, Paragraph 7.3 Laws and regulations
Cyber crime types can be classified according to:
• crimes against individuals;
• crimes against individual property;
• crimes against organisations; and
• crimes against society
Paragraph 7.2.3 Laws and regulations
There are some key issues concerning cyber crime in the current Information Security environment Paragraph 7.2.3 Laws and regulations
Legislation and Law Enforcement of cyber crime has two main problems:
• too few Law Enforcement officers have appropriate computer forensics and computer crime investigative skills;
• very few legal systems presently take the digital world into account
Paragraph 8.1 Laws and regulations
The South African Constitution strictly forbids the extension of current legislation to an analogy to include cyber crimes Paragraph 8.1 Laws and regulations
The rapid development of new criminal techniques leaves Law Enforcement techniques outdated and ineffective Paragraph 8.1 Laws and regulations
Traditional investigation methods are ill equipped and inefficiently developed to deal with cyber crime Paragraph 8.2 Laws and regulations
The judicial system does not accept all types of Digital Forensics, although the concept of forensics is justified Paragraph 8.2 Laws and regulations
There is a strong relationship between Digital Forensics and:
• computer science;
• forensic science;
• criminal investigations;
• computer security and Information Security;
• business; and
• system administrators
Paragraph 8.2 Laws and regulations, Knowledge
Digital Forensics ensures that investigators can identify and prosecute criminals that commit crimes involving the confidentiality, integrity and availability of electronic resources
Paragraph 8.2 Laws and regulations
Digital Forensic Governance recently evolved from the other Governance disciplines to include the governance
Paragraph 8.2 Laws and regulations
Liforac - A Model For Live Forensic Acquisition
Martha Maria Grobler 148 of 268 Chapter 9
IIddeennttiiffiieedd ddrriivveerr OOrriiggiinnaall cchhaapptteerr LLiiffoorraacc ddiimmeennssiioonn
and management of Digital Forensics
In support of the security policies and technologies, Digital Forensics provides the means of investigation when these plans are compromised in some way
Paragraph 8.2 Laws and regulations
Many countries do not have cyber legislation Paragraph 8.3 Laws and regulations
Four possible solutions exist to the problem of data changing during Live Forensic Acquisition. Paragraph 8.3 Scope
Ciardhuáin’s cyber crime investigation model is modified to contribute to the Liforac model Paragraph 8.4 Laws and regulations
Legal challenges makes the acceptance of Digital Forensics in the judicial system very difficult Paragraph 8.5 Laws and regulations
The last column indicates a Liforac dimension that is based on the opinion of the author. Although this is
only the first version of the Liforac model, the following are proposed as read from Table 9-1:
• Laws and regulations dimension consists of at least 41 drivers;
• Timeline dimension consists of at least 10 drivers;
• Knowledge dimension consists of at least 26 drivers; and
• Scope dimension consists of at least 10 drivers.
In the study done so far, many of the identified drivers relate to the Laws and regulations aspect of the proposed
Liforac model (discussed in Chapter 10). The Knowledge dimension (discussed in Chapter 12) has the
second most drivers related to it, considering that Digital Forensics is a very complex discipline and
investigators need thorough training and preparation to handle these investigations. Both the Timeline
(discussed in Chapter 11) and the Scope (discussed in Chapter 13) dimensions have only 10 drivers each.
However, these identified drivers are very labour intensive and require a lot of attention.
Each of these dimensions gives rise to a number of components (presented in Figure 9-3), based on
the drivers identified in the chapters preceding the dimension discussion. The chapters following this
generic model discussion discuss these components in more detail.
9.4 Summary
Chapter 9 initiated Part 4 as a bridge between the literature-rich chapters (Parts 1 to 3) and the construction
of the Liforac model (Part 4). This chapter discussed and defined the concept of a model as understood
within the bounds of this study. The chapter also presented a visual representation of the framework
proposed for the Liforac model.
Table 9-1 unites all the previously identified drivers that can contribute to the development of the model.
This table is a comprehensive view of the most important aspects discovered in the study so far. The
final Liforac model incorporates these concepts to ensure full coverage of all aspects in the presentation
of the comprehensive model. Table 9-1 is divided into four separate tables in the next four chapters,
each showing only those drivers relevant to a specific dimension.
Chapter 9 played a very important role in summarising the study to date and introducing the next
chapters, which focus on specific levels and specific components. Chapter 10 now discusses the Laws
and regulations dimension in more detail and shows how this dimension fits into the Liforac framework.
Chapter 10: Laws and Regulations Dimension
“Law and justice are not always the same.”
- Gloria Steinem
Chapter 10 looks at the previously identified drivers (presented in Table 9-1) that map specifically onto the
Laws and regulations dimension. This chapter also considers in detail what the forensic investigator needs
to know and do concerning related laws and regulations to remain within the legal bounds of the discipline.
This chapter looks at a number of legalities and procedures that may have an impact on the Digital Forensic
discipline. However, this discussion is the opinion and observation of the author and is not a legally
binding document. The legal dimension is a technical discussion of a legal subject and only provides a
high-level abstraction of the topic.
Chapter 10 is the first of four chapters that focus specifically on the construction of the Liforac model.
Figure 10-1 shows the proposed layout of the Liforac model, with the Laws and regulations dimension
forming the foundation of the model. Figure 10-1 presents this dimension as the physical base of the model.
Figure 10-1: Focusing on the Laws and regulations dimension (Own compilation)
Chapter 10 extends the generic framework for the Liforac model by extending the Laws and regulations
dimension into four distinct sub dimensions. At this point, it is important to note that the dimension discussed
in Chapter 10 divides into sub dimensions, whilst the dimensions discussed in Chapters 11, 12 and 13
divide into components (refer to Figure 9-3 for an explanation of the difference between sub dimensions
and components).
The reasoning behind this division is that the Laws and regulations dimension in Chapter 10 is the foundation
for the three other dimensions and their corresponding components. By dividing this dimension into sub
dimensions, the figure constellation (Figure 10-1) is sturdier and the foundation reinforced with additional
sub dimensions. The sub dimensions ensure that the Laws and regulations dimension is distinct from the
other dimensions and stands out as the foundation of the model. This chapter looks in more detail at
these sub dimensions, as well as at how the drivers identified in earlier chapters map to them.
10.1 Introduction
Laws and regulations as a dimension are crucially important and form the foundation for all the other
dimensions. Figure 10-2 shows the four sub dimensions identified as relevant to this dimension. These sub
dimensions were identified through in-depth discussions with forensically knowledgeable colleagues (Nare
2008:Interview; Perold 2008:Interview) as the four most prominent points of contact between legal and
regulatory aspects and the Forensic Sciences. Although the value of these points is not yet scientifically
established, it seems that these sub dimensions contribute largely to Digital Forensics specifically.
[Figure: Sub dimension 1: Common crime laws applicable to cyber crime; Sub dimension 2: Specific cyber laws; Sub dimension 3: Court cases and precedents; Sub dimension 4: Definition of court admissibility]
Figure 10-2: Laws and regulations dimension (Own compilation)
The inclusion of these four sub dimensions is motivated as follows:
• Sub dimension 1. Common crime laws applicable to cyber crime refer to already existing
legislation created with only traditional crimes in mind. The interpretation of these laws can
allow the extension to cyber crimes as well.
• Sub dimension 2. Specific cyber laws refer to laws created specifically with cyber crime in
mind. Chapter 8 looked at some of the existing cyber laws already in place.
• Sub dimension 3. Court cases and precedents are crucial in the acceptance of any new
technology in court. Examples of these precedents are the Frye and Daubert tests described in
Paragraph 6.2.
• Sub dimension 4. Definition of court admissibility largely determines whether the court would
allow Live Forensic Acquisition. This definition and its implementation have a big impact on the
Live Forensic Acquisition discipline.
A combination of these four sub dimensions covers the extent of the Laws and regulations dimension
identified by the Liforac model. The next section maps the drivers identified in Table 9-1 onto the four
sub dimensions listed above.
10.2 Mapping the drivers to the dimension
Table 9-1 showed a comprehensive list of all the drivers identified in the first eight chapters. Table 10-1
now shows a subsection of that table, with only those drivers applicable to Laws and regulations. This
table should not be memorised, but seen purely as a grouping of all the drivers identified in the
development of the Liforac model that apply to the Laws and regulations dimension. The last column
maps the specific driver to one of the four sub dimensions shown in Figure 10-2.
Table 10-1: Identified drivers on the Laws and regulations dimension (Own compilation)
Identified driver | Original chapter | Sub dimension with corresponding number
Retrospective profiling nature of Digital Forensics | Paragraph 3.2 | Specific cyber laws (2)
A crime scene contaminated by the investigator renders the evidence inadmissible in court | Paragraph 3.2 | Definition of court admissibility (4)
Chain of custody plays an important role in forensics | Paragraph 3.4.4 | Definition of court admissibility (4)
A thorough Digital Forensic Acquisition and analysis can be done with supporting software packages and applications | Paragraph 4.1 | Court cases and precedents (3)
Different forensic suites exist for Windows, Mac, Linux and DOS | Paragraph 4.1 | Court cases and precedents (3)
Specific tools can be applied in specific stages of the forensics process | Paragraph 4.2, Table 4-1 | Court cases and precedents (3)
Many traditional forensic suites also cater for Live Forensic Acquisition | Paragraph 4.2, Table 4-1 | Definition of court admissibility (4)
The accuracy of results and the integrity of digital evidence need to be maintained at all times | Paragraph 4.2.1 | Definition of court admissibility (4)
Forensic toolkits have three main limitations: the problem of acquisition (imaging a live system); tools adapt poorly to large-scale investigations; and large evidence files are difficult to view holistically | Paragraph 4.2.6 | Specific cyber laws (2)
Organisations generally have three possible options to respond to a cyber attack: do nothing; perform an internal investigation; or perform a detailed analysis with the intention to prosecute the cyber criminal | Paragraph 5.1 | Specific cyber laws (2)
Digital evidence has some unique properties | Paragraph 5.1 | Specific cyber laws (2)
Forensic soundness is the foundation of court admissibility of evidence | Paragraph 6.1 | Definition of court admissibility (4)
Rejected forensic evidence can hurt the case, or portray the investigators as incompetent | Paragraph 6.2 | Definition of court admissibility (4)
Evidence should be referred to as “… artefacts of potential evidentiary value” | Paragraph 6.2 | Specific cyber laws (2)
A well-known heuristic is needed to determine the admissibility of expert evidence: the Frye test; and the Daubert test | Paragraph 6.2 | Court cases and precedents (3)
Legal admissibility is the characteristic of a piece of evidence that determines whether it will be accepted by a court of law | Paragraph 6.2.3 | Definition of court admissibility (4)
To ensure the acceptance of digital evidence, forensic investigators should maximise its evidential weight | Paragraph 6.2.3 | Definition of court admissibility (4)
There are two main elements to demonstrate the authenticity of electronic records: freezing a record at a specific moment in time; and maintaining a documented audit trail | Paragraph 6.2.3 | Definition of court admissibility (4)
To ensure admissibility, counsel should prove that: the record has not been tampered with; the system the record is kept in is secure; and the system was secure throughout the record lifetime | Paragraph 6.2.3 | Definition of court admissibility (4)
In both traditional and Digital Forensic measures, courts should allow the minor alteration of original evidence, without altering evidence in such a way that the meaning thereof changes | Paragraph 6.3 | Common crime laws applicable to cyber crime (1), Specific cyber laws (2), Court cases and precedents (3), Definition of court admissibility (4)
Both authenticity and reliability play a crucial part in determining whether artefacts of evidentiary value can be considered as evidence or not | Paragraph 6.5 | Definition of court admissibility (4)
Jurisdiction of cyber crime is difficult to determine | Paragraph 7.1 | Common crime laws applicable to cyber crime (1), Specific cyber laws (2)
Criminals tend to exploit the anonymity, convenience and speed of modern technology to commit crimes | Paragraph 7.1 | Specific cyber laws (2)
Cyber crime definition | Paragraph 7.2 | Specific cyber laws (2)
Unlike real world crime, cyber crime does not have: physical proximity; small scale; physical constraints; or offender-offence patterns | Paragraph 7.2 | Specific cyber laws (2)
Many different types of cyber crime exist | Paragraph 7.2.1 | Specific cyber laws (2)
The number of cyber crime incidents is rapidly increasing | Paragraph 7.2.2, Paragraph 7.3 | Specific cyber laws (2), Court cases and precedents (3)
Cyber crime types can be classified according to: crimes against individuals; crimes against individual property; crimes against organisations; and crimes against society | Paragraph 7.2.3 | Specific cyber laws (2)
There are some key issues concerning cyber crime in the current Information Security environment | Paragraph 7.2.3 | Specific cyber laws (2)
The South African Constitution strictly forbids the extension of current legislation to an analogy to include cyber crimes | Paragraph 8.1 | Common crime laws applicable to cyber crime (1)
Legislation and Law Enforcement of cyber crime have two main problems: too few Law Enforcement officers have appropriate computer forensics and computer crime investigative skills; and very few legal systems presently take the digital world into account | Paragraph 8.1 | Specific cyber laws (2)
Traditional investigation methods are ill equipped and inefficiently developed to deal with cyber crime | Paragraph 8.2 | Common crime laws applicable to cyber crime (1)
The judicial system does not accept all types of Digital Forensics, although the concept of forensics is justified | Paragraph 8.2 | Common crime laws applicable to cyber crime (1), Specific cyber laws (2)
There is a strong relationship between Digital Forensics and: computer science; forensic science; criminal investigations; computer security and Information Security; business; and system administrators | Paragraph 8.2 | Common crime laws applicable to cyber crime (1), Specific cyber laws (2), Court cases and precedents (3)
Many countries do not have cyber legislation | Paragraph 8.3 | Common crime laws applicable to cyber crime (1)
Ciardhuáin’s cyber crime investigation model is modified to contribute to the Liforac model (nine activities) | Paragraph 8.4 | Specific cyber laws (2), Court cases and precedents (3)
Many legal challenges exist that make the acceptance of Digital Forensics in the judicial system very difficult | Paragraph 8.5 | Specific cyber laws (2), Court cases and precedents (3)
The rapid development of new criminal techniques leaves Law Enforcement techniques outdated and ineffective | Paragraph 8.1 | Common crime laws applicable to cyber crime (1)
Digital Forensics ensures that investigators can identify and prosecute criminals that commit crimes involving the confidentiality, integrity and availability of electronic resources | Paragraph 8.2 | Specific cyber laws (2)
In support of the security policies and various security technologies, Digital Forensics provides the means of investigation when these plans are compromised in some way | Paragraph 8.2 | Specific cyber laws (2), Court cases and precedents (3)
Digital Forensic Governance recently evolved from the other Governance disciplines to include the governance and management of Digital Forensics | Paragraph 8.2 | Specific cyber laws (2), Court cases and precedents (3)
Table 10-1 shows the interpretational mapping of the four sub dimensions of the Laws and regulations
dimension onto the drivers already identified in this study. Some of these identified drivers overlap and
can be merged at a later stage.
Figure 10-3 presents the Laws and regulations sub dimensions within the boundaries of the Liforac model.
This figure indicates the Laws and regulations dimension, the four sub dimensions specific to the Laws and
regulations dimension (Common crime laws, Specific cyber laws, Court cases and precedents and Definition
of court admissibility), as well as the drivers in relation to these sub dimensions. Table 10-1 presents
these drivers. The remainder of this chapter is devoted to discussions of the four main sub dimensions
of the Laws and regulations dimension.
Figure 10-3: Laws and regulations sub dimensions and respective drivers presented within the Liforac model (Own compilation)
10.3 Developing the Laws and regulations dimension
With rising cyber crime rates and the increase in cyber crime incidents, the Laws and regulations
dimension is a very important part of the Liforac model for comprehensive Live Forensic Acquisition. Not
only is it necessary to pay attention to all aspects of cyber crime in order to do this, but these crimes also need
to be related to the legal discipline. The next four sections address the four sub dimensions linking cyber
crime, Live Forensics and the justice system.
10.3.1 Sub dimension 1: Common crime laws
Common crime laws, generally referred to as penal law, involve the “… prosecution by the government of a
person for an act that has been classified as a crime. It is the body of statutory and common law that deals
with crime and the legal punishment of criminal offenses…” Although many different definitions exist for crime
(refer to Paragraph 7.2), it can in general be described as any act, or omission of an act, in violation of
public law either forbidding or specifically commanding the act in question (HG.org 2008:Internet).
Accordingly, common crime laws applicable to cyber crime refer to already existing legislation created
with only traditional crimes in mind. The applicable stakeholders wrote the laws in such a manner that
interpretation within given circumstances can include the legal punishment of acts related to computers,
digital evidence and cyber issues (Nare 2008:Interview). Table 10-1 indicates that there are eight drivers
identified in earlier chapters that may contribute to the sub dimension Common crime laws applicable to
cyber crime. Table 10-2 presents these eight drivers.
Table 10-2: Drivers applicable to sub dimension 1 (Own compilation)
Sub dimension 1: Drivers applicable to common crime laws applicable to cyber crime
Driver 1 | In both traditional and Digital Forensic measures, courts should allow the minor alteration of original evidence, without altering evidence in such a way that the meaning thereof changes.
Driver 2 | Jurisdiction is difficult to determine when cyber crime is concerned.
Driver 3 | The South African Constitution strictly forbids the extension of current legislation to an analogy to include cyber crimes.
Driver 4 | Traditional investigation methods are ill equipped and inefficiently developed to deal with cyber crime.
Driver 5 | The judicial system does not accept all types of Digital Forensics, although the concept of forensics is justified.
Driver 6 | There is a strong relationship between Digital Forensics and: computer science; forensic science; criminal investigations; computer security and Information Security; business; and system administrators.
Driver 7 | Many countries do not have legislation that covers cyber crime.
Driver 8 | Owing to the rapid development of new criminal techniques, Law Enforcement techniques are equally outdated and rendered ineffective against criminal techniques.
The application of these drivers in the Liforac model depends largely on whether the implementing country
has its own legislation that applies to forensic sciences. If the country does not have its own legislation,
it is advisable to use these drivers as a basis for legal and regulatory aspects to ensure some level of
court acceptance based on legislation from other countries. Some of the laws and regulations that fall
into this generic category, but can be interpreted in relation to digital evidence, include:
• Telecommunications Act no 103 of 1996 (South Africa);
• ICASA Act of 2002 (South Africa);
• RICA Act of 2002 (South Africa);
• Trade Secrets Act (United States);
• The Act of Extortion and threats (United States); and
• Forgery and Counterfeiting Act of 1981 (United Kingdom).
Figure 10-4 presents the Laws and regulations dimension, sub dimension Common laws applicable to
cyber crime. This figure evolves from Figure 9-2. The ideal circumstances for fully employing the Liforac
model rely on the assumption that Digital Forensic evidence, similar to Physiological Forensic
evidence, allows minor alterations to the original evidence without altering the meaning of the evidence
(refer to Paragraph 6.3). Although Parliament has not approved this regulation yet, it will make a number
of additional common laws applicable to Digital Forensics. This regulation will mitigate the current urgent
problem that many countries do not have specific cyber laws (refer to Chapter 8).
Figure 10-4: Drivers of the common crime laws (Own compilation)
Whether the implementing country allows the extension of current crime laws to apply to cyber crimes or
not, criminal laws can still be a source of valuable information for forensic investigators. Regardless of
its direct applicability, a sound knowledge of this legislation will definitely give forensic investigators a
competitive advantage in relating cyber crimes to real world scenarios. Currently, the South African
Constitution does not allow the extension of current legislation to include an analogy applicable to cyber
crime. Such additional legislation is automatically excluded, unless the law can be interpreted beyond
reasonable doubt as applicable to a cyber crime case.
An additional complication concerning cyber crimes is the difficulty of determining the applicable jurisdiction.
Once again, many of the current common criminal laws might help to determine the specific jurisdiction to
some extent. However, should a country have both specific cyber laws and common criminal laws that
apply to cyber crimes, the former will determine jurisdiction in all events. By a similar analogy, the close
relationship between Digital Forensics and other disciplines (Computer Science, Forensic Science, Criminal
investigations, Computer and Information Security, Business and System administration, all discussed in
Paragraph 8.2) might allow forensic investigators to adopt some legal aspects regarding these disciplines
from common laws that might not be specifically addressed in specific cyber laws.
Yet another reason why it is crucial to include common crime laws into the Liforac model is that the drastic
development trends regarding computer technology leave many Law Enforcement techniques outdated.
Not only is it time consuming to develop new countermeasures for cyber crimes, but it is also costly when
all Law Enforcement officers need to attend training on the new techniques and new legislations.
Additionally, writing and adopting new laws and regulations is a very time consuming process – it might be
outdated even before its formal adoption. Therefore, some of the common laws allow for a more generic
description that a court of law can interpret accordingly as soon as new criminal techniques evolve.
Although investigators still need to be trained, this application avoids the waiting period before a law can
be adopted. The other alternative regarding current legislation is laws created and adopted specifically
for cyber issues and electronic related aspects. The next section investigates these types of laws.
10.3.2 Sub dimension 2: Specific cyber laws
Specific cyber laws refer to laws created specifically with cyber crime in mind. These laws address
current issues related to cyber space, computers and electronic media or communication. Although
Paragraph 10.3.1 relates that in certain circumstances it may be beneficial to have common criminal laws
that apply to cyber crime, specific cyber laws are much more specific and worth more in the event of a
legal interpretation dispute. These laws are occasionally referred to as netlitigation.
Table 10-1 indicates that there are 22 drivers identified in earlier chapters that may contribute to the sub
dimension Specific cyber laws applicable to cyber crime. Table 10-3 presents these 22 drivers.
Table 10-3: Drivers applicable to sub dimension 2 (Own compilation)
Sub dimension 2: Drivers applicable to specific cyber laws applicable to cyber crime
Driver 1 Retrospective profiling nature of Digital Forensics.
Driver 2 There are three main limitations concerning forensic toolkits:
• the problem of acquisition and imaging on a live system;
• tools adapt poorly to large-scale investigations; and
• it is difficult to view large evidence files holistically.
Driver 3 Organisations generally have three possible options to respond to a cyber attack:
• do nothing;
• perform an internal investigation; or
• perform a detailed analysis with the intention to prosecute the cyber criminal.
Driver 4 Digital evidence has some unique properties.
Driver 5 Correct terminology is “… artefacts of potential evidentiary value”.
Driver 6 In both traditional and Digital Forensic measures, courts should allow the minor alteration of original evidence, without altering evidence in such a way that the meaning thereof changes.
Driver 7 Jurisdiction is difficult to determine when cyber crime is concerned.
Driver 8 Criminals tend to exploit the speed, convenience and anonymity of modern technology to commit a diverse range of crimes.
Driver 9 Cyber crime definition.
Driver 10 Cyber crime differs from real world crime in that it does not have:
• physical proximity;
• small scale;
• physical constraints; or
• offender-offence patterns.
Driver 11 Many different types of cyber crime exist.
Driver 12 The number of cyber crime incidents is rapidly increasing.
Driver 13 Cyber crime types can be classified according to:
• crimes against individuals;
• crimes against individual property;
• crimes against organisations; and
• crimes against society.
Driver 14 There are some key issues concerning cyber crime in the current Information Security environment.
Driver 15 Legislation and Law Enforcement of cyber crime has two main problems:
• there are not enough Law Enforcement officers with appropriate computer forensics and computer crime investigative skills; and
• very few legal systems presently consider the digital world.
Driver 16 The judicial system does not accept all types of Digital Forensics, although the concept of forensics is justified.
Driver 17 There is a strong relationship between Digital Forensics and:
• computer science;
• forensic science;
• criminal investigations;
• computer security and Information Security;
• business; and
• system administrators.
Driver 18 Ciardhuáin’s Cyber Crime Investigation model is modified to contribute to the Liforac model (nine activities).
Driver 19 Many legal challenges exist that make the acceptance of Digital Forensics in the judicial system very difficult.
Driver 20 Digital Forensics ensures that investigators can identify and prosecute criminals that commit crimes involving the confidentiality, integrity and availability of electronic resources.
Driver 21 Digital Forensic Governance has only recently evolved from the other Corporate Governance disciplines and involves the governance and management of Digital Forensics.
Driver 22 In support of the security policies and various security technologies, Digital Forensics provides the means of investigation when these plans are compromised in some way.
Some of the laws and regulations that fall into this category include:
• Electronic Communications and Transactions Act of 2002 (South Africa);
• Information Technology Act 2000 (India);
• Computer Misuse Act of 1990 (United Kingdom);
• Cybercrime Act of 2001 (Australia);
• No Electronic Theft Act of 1997 (United States);
• Information Infrastructure Protection (IIP) Act of 1996 (United States);
• Computer Fraud and Abuse Act of 1984 (United States);
• Electronic Communications Privacy Act of 1986 (United States);
• Securing Adolescents from Exploitation-Online Act of 2007 (United States);
• Computer Crimes Act of 1997 (Malaysia);
• Cybercrime Bill of 2007 (Botswana); and
• Computer Security and Critical Information Infrastructure Protection Bill of 2005 (Nigeria).
Figure 10-5 (on page 163) presents the Laws and regulations dimension, sub dimension Specific cyber
crime laws. This figure evolves from Figure 9-2. Unfortunately, the forensic toolkits available to forensic
investigators are not all updated regularly and not immune to the constant onslaught of new cyber crime
techniques. As a result, many of the cyber crime specific laws do not address specific forensic
packages, but rather discuss general guidelines to which forensic toolkits need to adhere.
This generic discussion ensures that laws are not regularly outdated, but it can lengthen the process when
a new forensic toolkit is made available. Courts first need to scrutinise and certify a specific toolkit before
cyber crime laws can apply to the toolkit. However, specific cyber crime laws help organisations to prepare
their systems for faster recovery in a cyber event and educate users on preserving electronic evidence.
Although there are numerous overlaps between Digital Forensics and traditional forensics, the technical
details make it a highly specialised discipline. Lawyers need to be able to comprehend the technical
details of these specific cyber laws, as well as interpret them with regard to the legal discipline. At present,
very few lawyers can merge these two disciplines successfully. This matter, as well as non-technical
judges, presents numerous limitations in the legal system. Ideally, this sub dimension should include
legislation relevant to Digital Forensic Governance, a newly evolving discipline. At the time of research,
no legislation regarding this topic was available for public viewing.
Figure 10-5: Drivers of the specific cyber crime laws (Own compilation)
The third sub dimension of the Laws and regulations dimension of the Liforac model is previous court
cases and precedents. In the event that a court case involves a new phenomenon – whether it is a new
type of crime or a new investigative method – and a court makes a specific ruling regarding the available
evidence, this court case may have a significant impact on similar future cases. The next section
investigates these types of occurrences and precedents.
10.3.3 Sub dimension 3: Court cases and precedents
Court cases and precedents are crucial in the acceptance of any new technology in court. Lectric Law
Library defines a court precedent as a “… legal principle, created by a court decision, which provides an
example or authority for judges deciding similar issues later”. These precedents are also referred to as
case law. Generally, decisions made by higher courts are binding on lower courts, but not the other way
round (Lectric Law Library 2005:Internet). Precedents in court cases establish a principle or rule that
another court needs to adopt when deciding cases with similar issues or facts. Table 10-1 indicates that
there are eleven drivers identified in earlier chapters that may contribute to the sub dimension Court
cases and precedents. Table 10-4 presents these eleven drivers.
Table 10-4: Drivers applicable to sub dimension 3 (Own compilation)
Sub dimension 3: Drivers applicable to court cases and precedents
Driver 1 A thorough Digital Forensic Acquisition and analysis can be done with supporting software packages and applications.
Driver 2 Different forensic suites exist for Windows, Mac, Linux and DOS.
Driver 3 Summary of the tools and the stages in which they can be applied.
Driver 4 A well-known heuristic is needed to determine the admissibility of expert evidence:
• Frye test; and
• Daubert test.
Driver 5 In both traditional and Digital Forensic measures, courts should allow the minor alteration of original evidence, without altering evidence in such a way that the meaning thereof changes.
Driver 6 The number of cyber crime incidents is rapidly increasing.
Driver 7 There is a strong relationship between Digital Forensics and:
• computer science;
• forensic science;
• criminal investigations;
• computer security and Information Security;
• business; and
• system administrators.
Driver 8 Ciardhuáin’s Cyber Crime Investigation model is modified to add to the Liforac model.
Driver 9 Many legal challenges exist that make the acceptance of Digital Forensics in the judicial system very difficult.
Driver 10 Digital Forensic Governance recently evolved from the other Governance disciplines to include the governance and management of Digital Forensics.
Driver 11 In support of the security policies and various security technologies, Digital Forensics provides the means of investigation when these plans are compromised in some way.
Figure 10-6 presents the Laws and regulations dimension, sub dimension Court cases and precedents.
This figure evolves from Figure 9-2. One of the most important precedents in cyber crime cases is the
use and acceptance of forensic toolkits. Evidence produced by some toolkits is more readily accepted
by courts, while less common and less often used toolkits are subjected to more intense scrutiny during a
cyber trial. In the same manner, some toolkits are more readily accepted on specific OSs.
Another important court precedent is the acceptance of a specific knowledge or experience level for
expert witnesses. Forensic experts that appear regularly in court as witnesses will spend less time per
trial giving evidence if the judge is acquainted with him/her on a professional basis (Wood
2008:Presentation). The first couple of appearances as a witness are a time consuming process during which the
court first needs to establish whether the prospective witness can be regarded as a trustworthy, reliable
witness with sufficient discipline knowledge and experience. However, in later trials this lengthy process
may be shortened since the witness reliability has already been established.
Figure 10-6: Drivers of the court cases and precedents (Own compilation)
The occurrences of cyber crime are drastically increasing. This provides previous court cases and
precedents to learn from. However, with the large number of new types of crime, many trials are the
first of their kind and the presiding judge has difficulty in finding guidance regarding the case.
A similar situation exists with cyber trials related to the new area, Digital Forensic Governance. In some
cases, it might be possible to relate some of the evidence to precedents in disciplines that have a strong
relation with Digital Forensics. Ciardhuáin’s Cyber Crime Investigation model is also a great help in
this regard, serving as a guideline for solutions to many of the existing problems in cyber crime
investigations.
The fourth sub dimension of the Laws and regulations dimension of the Liforac model is the formal definition
of court admissibility. Although this is the smallest of the four sub dimensions, it is probably the most
important of the sub dimensions: if the data does not adhere to this definition, it may not be provided as
evidence in the court. The next section investigates this definition.
10.3.4 Sub dimension 4: Definition of court admissibility
The definition of court admissibility largely determines whether the court would allow Live Forensic
Acquisition. This definition, and the implementation thereof, has a big impact on the Live Forensic Acquisition
discipline and is in many cases the most important aspect to consider during the lifetime of a forensic
investigation.
Admissibility depends on a number of things, but the most crucial factor is the manner in which the evidence
was collected. In many cases, this is the main reason why evidence can be rendered inadmissible.
Table 10-1 indicates that there are twelve drivers identified in earlier chapters that may contribute to the
sub dimension Definition of court admissibility. Table 10-5 presents these twelve drivers.
Table 10-5: Drivers applicable to sub dimension 4 (Own compilation)
Sub dimension 4: Drivers applicable to definition of court admissibility
Driver 1 A crime scene contaminated by the investigator renders the evidence inadmissible in court.
Driver 2 Chain of custody definition.
Driver 3 Many traditional forensic suites also cater for Live Forensic Acquisition.
Driver 4 The accuracy of results and the integrity of digital evidence need to be maintained at all times.
Driver 5 Complete definition of forensic soundness.
Driver 6 Rejected forensic evidence can hurt the case, or portray the investigators as incompetent.
Driver 7 Legal admissibility is the characteristic of a piece of evidence that determines whether it will be accepted by a court of law.
Driver 8 To ensure the acceptance of digital evidence, forensic investigators should maximise the evidential weight of a document by setting up authorised procedures and being able to demonstrate in court that those procedures have been followed.
Driver 9 There are two main elements to demonstrate the authenticity of electronic records:
• freezing a record at a specific moment in time; and
• maintaining a documented audit trail.
Driver 10 To ensure admissibility, counsel should be able to prove that:
• the record has not been tampered with;
• the system the record is kept in is a secure system; and
• the system was secure throughout the record lifetime.
Driver 11 In both traditional and Digital Forensic measures, courts should allow the minor alteration of original evidence, without altering evidence in such a way that the meaning thereof changes.
Driver 12 Both authenticity and reliability play a crucial part in determining whether artefacts of evidentiary value can be considered as evidence or not.
Figure 10-7 presents the Laws and regulations dimension, sub dimension Definition of court admissibility.
This figure evolves from Figure 9-2. Court admissibility is the most important aspect of the Laws and
regulations dimension. This sub dimension forms the basis of the Liforac model – to develop an inclusive
Live Forensic Acquisition model to ensure the admissibility of forensic evidence in court.
Figure 10-7: Drivers of the definition of court admissibility (Own compilation)
To ensure that evidence can be admitted in court, the forensic investigator needs to ensure and maintain
the accuracy, reliability and authenticity of the evidence at all times. The easiest way to accomplish this is
by maintaining a proper chain of custody. Many countries have guidelines regarding these chains of custody,
ensuring the minimum requirements needed for admissibility. The process of maintaining integrity is
theoretically straightforward, but the implementation of all the guidelines proves to be complicated at times.
At the moment, no evidence is allowed in court if it has been modified in the slightest. Due to the nature of
electronic data, this renders a large amount of potential evidence inadmissible. Should the definition
of court admissibility, however, change to include data modified in a controlled manner in which the
meaning of the evidence does not change, forensic applications will be made much easier.
Equally, the manner in which evidence is retrieved has left a number of high profile South African cases
with little or no admissible data. All four sub dimensions of the Laws and regulations dimension of the
Liforac model have been discussed and presented visually in relation to the Liforac model.
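As an added example that is not part of the thesis or the Liforac model, the following Python sketch shows how the two authenticity elements of Driver 9 above (freezing a record at a specific moment in time and maintaining a documented audit trail) and the "not tampered with" requirement of Driver 10 can be implemented as a hash-linked chain-of-custody log. The evidence bytes, custodian names and timestamps are constructed sample values.

```python
import hashlib
import json
from typing import List, Tuple

GENESIS = "0" * 64  # link value carried by the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    # Hash every field except the entry's own hash; sorted keys make the
    # serialisation deterministic so the digest can be recomputed later.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


def record_event(log: List[dict], evidence: bytes, action: str,
                 custodian: str, timestamp: str) -> dict:
    """Freeze the evidence (by hash) and append a custody event linked to the
    previous entry. The timestamp is supplied by the caller (constructed here)
    so the example is reproducible; a real tool would use a trusted clock."""
    entry = {
        "seq": len(log) + 1,
        "timestamp": timestamp,
        "custodian": custodian,
        "action": action,
        "evidence_sha256": sha256_hex(evidence),
        "prev_entry_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_chain(log: List[dict], evidence: bytes) -> Tuple[bool, str]:
    """Check the audit trail and the evidence it vouches for. Returns (ok, reason)."""
    if not log:
        return False, "empty log"
    acquisition_hash = log[0]["evidence_sha256"]
    expected_prev = GENESIS
    for entry in log:
        # Each entry must point at the previous one, be unmodified itself, and
        # report the same evidence hash that was frozen at acquisition.
        if entry["prev_entry_hash"] != expected_prev:
            return False, f"entry {entry['seq']}: link to previous entry broken"
        if entry_digest(entry) != entry["entry_hash"]:
            return False, f"entry {entry['seq']}: entry contents altered"
        if entry["evidence_sha256"] != acquisition_hash:
            return False, f"entry {entry['seq']}: evidence changed hands with a different hash"
        expected_prev = entry["entry_hash"]
    # Finally, the evidence presented today must still match the frozen hash.
    if sha256_hex(evidence) != acquisition_hash:
        return False, "evidence presented does not match the hash frozen at acquisition"
    return True, "chain of custody intact"


def build_sample_log() -> Tuple[List[dict], bytes]:
    # Constructed stand-in for an acquired memory image; custodians and times are made up.
    image = b"CONSTRUCTED-MEMORY-IMAGE-BYTES"
    log: List[dict] = []
    record_event(log, image, "acquired from live system", "first responder", "2009-10-01T09:00:00Z")
    record_event(log, image, "sealed and handed to lab", "first responder", "2009-10-01T10:30:00Z")
    record_event(log, image, "received for analysis", "lab analyst", "2009-10-02T08:15:00Z")
    return log, image


if __name__ == "__main__":
    log, image = build_sample_log()
    print(verify_chain(log, image))                # intact
    print(verify_chain(log, image + b"\x00"))      # image altered after acquisition
    edited = [dict(e) for e in log]                # entries are flat, so shallow copies suffice
    edited[1]["custodian"] = "unknown"
    print(verify_chain(edited, image))             # a log entry was altered
```

Altering the image, editing a past entry, or re-hashing an edited entry without re-linking its successors each fails verification with a different reason, which is the kind of demonstrable audit trail counsel needs under Driver 10.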
10.4 Summary
Chapter 10 showed in more detail what the Laws and regulations dimension of the Liforac model entails.
This chapter focused solely on the Laws and regulations dimension, as highlighted in Figure 10-1.
Discussions with Forensic knowledgeable colleagues resulted in a basic separation of the dimension into
four distinct sub dimensions: Common crime laws applicable to cyber crime, Specific cyber laws, Court
cases and precedents and Definition of court admissibility.
These four sub dimensions are developed in the remainder of the chapter. Each sub dimension is
presented visually in relation to the dimension, showing all the drivers applicable to the specific sub
dimension. These sub dimensions are also discussed and examples presented to motivate their inclusion
in the Laws and regulations dimension.
Chapter 11 will now focus on the Timeline dimension of this model. The chapter proceeds similarly to
Chapter 10, by highlighting the specific dimension in relation to the Liforac model, identifying its components
and mapping previously identified drivers onto the relevant components. Chapter 11 is the second chapter
focusing on a specific dimension and will be presented as part of the complete model in Chapter 14.
Chapter 11: Timeline Dimension
“A little help at the right time is better than a lot of help at the wrong time.”
- Anonymous
Chapter 11 looks at the previously identified drivers (presented in Table 9-1) that map specifically onto
the Timeline dimension. This chapter considers in detail what processes forensic investigators need to
follow to ensure a forensically sound investigation. Chapter 11 divides all investigation processes into
two process types: implied and explicit processes. Additionally, these processes split amongst three
timeframes: Before the acquisition, During the acquisition and After the acquisition.
Figure 9-1 showed the last step in the Liforac model progress - the study reached the physical construction
of the Liforac model. Chapter 11 now builds on the Laws and regulations dimension presented in Chapter
10 and is the second of four chapters that focus specifically on this construction. Figure 11-1 shows
the proposed layout of the Liforac model, with the Timeline dimension forming one of the diagonal
sections of the model, connected to all three other dimensions.
Figure 11-1: Focusing on the Timeline dimension (Own compilation)
Chapter 11 extends the generic framework for the Liforac model by extending this dimension into two
distinct types of processes and three timeframes. This chapter will look in more detail at these components
and indicate how the drivers identified in earlier chapters map to them. Due to the significant importance
and intricate nature of the timeline during a Live Forensic Acquisition, this chapter is rather lengthy.
Case studies and detailed figures are included to provide additional explanation.
11.1 Introduction
During any process, a properly established timeline can prove to be very helpful. Not only does a timeline
present a chronological outline of events, but in the case of forensic investigations a proper
timeline can also ensure admissibility of the acquired evidence in court. Ultimately, a properly established timeline
can lead to the identification and prosecution of a cyber criminal. Figure 11-2 shows the two types of
processes identified for the development of the Liforac model (based on Hertzberg’s motivation/hygiene
theory discussed in Paragraph 11.3) as Components 1 and 2, as well as three chronological timeframes
that each incorporate both process types, as Timeframes 1, 2 and 3.
Figure 11-2: Timeline dimension (Own compilation)
The inclusion of these components and timeframes is motivated as follows:
• Component 1 (C1): Implied processes. These processes refer to specific processes that may
not necessarily contribute directly to the successful completion of the Timeline dimension, but
the absence of these processes may render the timeline unsuccessfully completed.
• Component 2 (C2): Explicit processes. These processes refer to specific processes that
contribute directly to the successful completion of the Timeline dimension.
• Timeframe 1 (T1): Timeframe before the acquisition. The timeframe before the acquisition
ensures full coverage of all possible processes involved before the actual acquisition starts.
This ensures a solid planning and foundation stage.
• Timeframe 2 (T2): Timeframe during the acquisition. The timeframe during the acquisition
ensures full coverage of all possible processes for the duration of the acquisition. This ensures that
investigators collect all the necessary evidence in a manner that will lead to the admission
thereof in a court of law.
• Timeframe 3 (T3): Timeframe after the acquisition. The timeframe after the acquisition ensures
full coverage of all possible processes involved after the actual acquisition ends. This ensures
that the chain of custody remains intact and the evidence is stored and returned safely after
the investigation.
These two types of processes and the three timeframes form the Timeline dimension of the Liforac model.
The next section maps the drivers identified in Table 9-1 onto the components listed above.
11.2 Mapping the drivers to the dimension
Table 9-1 united all the drivers identified in the first eight chapters. Table 11-1 shows a sub section of
that table, with only those drivers applicable specifically to the Timeline dimension. The last column maps
the specific driver to one of the components shown in Figure 11-2.
Table 11-1: Summary of identified drivers on the Timeline dimension (Own compilation)
Identified driver / Original chapter / Component with corresponding number
Digital Forensic methodology consists of three steps:
• acquire evidence without altering the original;
• authenticate that the recovered evidence is the same as the originally seized data; and
• analyse the data without modifying it
Original chapter: Paragraph 3.3
Component: Implied process (C1); Timeframe before acquisition (T1); Timeframe during acquisition (T2); Timeframe after acquisition (T3)
Digital Forensic process consists of four steps:
• collection;
• examination;
• analysis; and
• reporting
Original chapter: Paragraph 3.3.1, Paragraph 4.2, Table 4-1
Component: Explicit process (C2); Timeframe before acquisition (T1); Timeframe during acquisition (T2); Timeframe after acquisition (T3)
The First Responder has a very definite role in the Live Forensic process
Original chapter: Paragraph 3.3.1
Component: Implied process (C1); Timeframe before acquisition (T1)
Generic Forensic Acquisition process applies to both Dead and Live Forensic Acquisition and consists of the following steps:
• accusation or incident alert;
• approach computer;
• protect the system from evidence modification;
• make a copy of the system;
• document chain of custody; and
• transport and store evidence media
Original chapter: Paragraph 3.4, Figure 3-5
Component: Explicit process (C2); Timeframe during acquisition (T2); Timeframe after acquisition (T3)
Chain of custody plays an important role in forensics
Original chapter: Paragraph 3.4.4
Component: Implied process (C1); Timeframe during acquisition (T2)
The integrity of the evidence should be protected at all times
Original chapter: Paragraph 3.4.4
Component: Implied process (C1); Timeframe during acquisition (T2)
A thorough Digital Forensic Acquisition and analysis can be done with supporting software packages and applications
Original chapter: Paragraph 4.1
Component: Explicit process (C2); Timeframe during acquisition (T2); Timeframe after acquisition (T3)
Different forensic suites exist for Windows, Mac, Linux and DOS
Original chapter: Paragraph 4.1
Component: Explicit process (C2); Timeframe during acquisition (T2); Timeframe after acquisition (T3)
Specific tools can be applied in specific stages of the forensics process
Original chapter: Paragraph 4.2, Table 4-1
Component: Explicit process (C2); Timeframe during acquisition (T2); Timeframe after acquisition (T3)
Many traditional forensic suites also cater for Live Forensic Acquisition
Original chapter: Paragraph 4.2, Table 4-1
Component: Explicit process (C2); Timeframe during acquisition (T2)
Table 11-1 shows the interpretational mapping of the five identified components onto the drivers already
identified in this study. Some of these identified drivers overlap and can be merged. The remainder of this
chapter is devoted to discussions on the two types of processes (Components 1 and 2) and the three
timeframes (Timeframes 1, 2 and 3).
11.3 Developing the Timeline dimension
A timeline presents a visualisation of a sequence of events to show the relationship between the entities.
The Timeline dimension presents all processes performed by forensic investigators, and presents it visually
in the sequence it should be executed to ensure sound forensic practices. In essence, this specific
timeline representation consists of implied and explicit processes.
Fredrick Hertzberg’s motivation/hygiene theory puts the implied and explicit processes into perspective.
Hertzberg based his theory on factors determining whether employees feel good or not about their work.
On the one hand, there are motivators or satisfiers. Motivators contribute to a sense of achievement and
a sense of recognition for work done. These factors make employees feel better about their work and
environment (Newell 2005:131).
On the other hand are the hygiene factors or dissatisfiers. These factors include things like company
policies, relationships with supervisors and peers, salary, personal factors and status. These factors are
environmental in nature and their loss is associated with bad feelings. Accordingly, hygiene factors do not
necessarily contribute to happier employees, but their absence may spark unhappiness among them
(Newell 2005:131).
In the context of the Timeline dimension, the implied processes compare to the hygiene factors (discussed
in the next section). These processes may not play a very pertinent role in the timeline, but their absence
may cause dissatisfaction or eventually lead to the inadmissibility of evidence in court. The explicit
processes (discussed in Paragraph 11.3.2) compare to the motivators. These processes form a crucial
part of the successful completion of the timeline. The next paragraph introduces the implied processes.
11.3.1 Component 1: Implied processes
The idea for implied processes developed from the notion that some processes are inherent to ensuring
the forensic soundness of digital evidence. These processes are not once-off actions, but should be
maintained throughout the entire acquisition approach. In this sense, the implied processes are similar
to the hygiene factors in Hertzberg’s motivation/hygiene theory. These processes may not necessarily
contribute directly to the successful completion of the Timeline dimension, but the absence of these
processes may render the timeline unsuccessfully completed.
According to Haggerty and Taylor (2006:14), a Digital Forensic policy needs to include guidance on how to
conduct computer forensic investigations. These guidance processes are hygiene factors that do not
necessarily contribute directly to the successful investigation, but their absence may cause problems later
on in the process (an investigation can be considered successful if the evidence retrieved is acceptable
in court, irrespective of whether the guilty party has been found or not). By putting down these guidelines
and ensuring the organisation’s compliance with these guidelines, the integrity of the investigation and
the data obtained can be maintained. They suggest that the policy should include guidance on:
• how to secure potential evidence (Secure evidence);
• how to preserve the integrity of the original data (Preserve integrity);
• how to record actions taken if the original data has to be examined (Record actions);
• the production of an audit trail covering all aspects of a forensic examination (Audit trail);
• how to analyse the collected data and information (Sound analysis); and
• the establishment of a responsibilities matrix for staff involved in the examination (Responsibility matrix).
Figure 11-3 shows the incorporation of Haggerty and Taylor’s (2006:14) suggestions into the
proposed Liforac model as implied processes. Although these blocks will form part of the model, they will not
be included as part of the physical Live Forensic process, but rather as separate building blocks. These
six identified guidance aspects are implied processes, or hygiene factors that need to be present
during the full duration of the timeline. These building blocks need to influence all the individual processes
to ensure a successful forensic investigation.
[Figure 11-3 legend: Implied process building blocks: Audit trail; Secure evidence; Preserve integrity; Sound analysis; Responsibility matrix; Record actions]
Figure 11-3: Liforac model implied processes (Adapted from: Haggerty & Taylor 2006:14)
Paragraph 3.3 introduced the Digital Forensic process, showing the similarities and differences between Dead
Forensic Acquisition and Live Forensic Acquisition. For both these approaches, it is necessary to ensure
that the evidence remains forensically sound, regardless of the processes involved in the acquisition.
The implied processes (presented in Figure 11-3) ensure that evidence remains forensically sound. They may
not necessarily be distinct processes, but they do affect the successful completion of the investigation.
For example, the existence of a responsibility matrix will not ensure a successful forensic investigation.
However, the absence of such a matrix may complicate the investigation process dramatically. The next
section introduces the explicit processes, similar to Herzberg’s motivators.
11.3.2 Component 2: Explicit processes
The Liforac model’s process framework builds largely on Ciardhuáin’s model (refer to Paragraph 8.4).
Table 8-2 originally presented the mapping of his model onto the generic cyber crime model, resulting in
a more compact model with only eight processes. Although Ciardhuáin’s model applies in its entirety to
the Digital Forensic investigation approach, some of the model’s processes were merged to present a model
wholly applicable to the Digital Forensic Acquisition process. An additional process, Preservation, is also
included for completeness. According to this mapping, the Liforac model constitutes nine processes:
1. Awareness. Events external to the organisation typically create awareness: someone reports a crime
to the police or requests an auditor to perform an audit (Ciardhuáin 2004:5). This process also
incorporates the accusations and incident alerts introduced in Paragraph 3.4.1 (Casey 2004a:102);
2. Authorisation. Investigators need to have authorisation before starting an investigation. Without the
necessary authorisation, courts of law can dismiss evidence from trial;
3. Planning. Information from both inside and outside the investigating organisation influences the
planning stage. Outside the organisation, regulations and legislation set the context of the
investigation. Investigators may also collect information from other external sources. From within the
organisation, the organisation’s own strategies, policies and previous investigations’ case studies can
influence the investigation;
4. Notification. Notification refers to informing the subject of an investigation or other concerned
parties that the investigation is taking place. On some occasions, the intention is to perform a covert
investigation and the respective parties should not be notified (Ciardhuáin 2004:6);
5. Search and identify evidence. This process represents the traditional search and seizure, collection
of the evidence and the transport and storage of the evidence. This also includes the Live Forensic
Acquisition process;
6. Preservation. To ensure that digital evidence can be used in future court cases and disciplinary
hearings, it is necessary to preserve the data against inevitable decay, damage or spoilage. This
process ensures the maintenance of the evidence integrity;
7. Examination of evidence. The manual and automatic investigation of the acquired data to find
information that can be used in a court of law. This examination includes feature extraction and file
system parsing;
8. Hypothesis. Investigators need to present the hypothesis of the investigation and then either prove
or defend it. Investigators have to prove the validity of their hypothesis and defend it against
criticism and challenge; and
9. Dissemination of information. Once investigators have gathered enough information to assist in Law
Enforcement, it is necessary to disseminate this information to the relevant parties. The easiest way
to do this is by using an intelligent computer software system. In essence, such a system can
substantially improve crime and terrorism detection (Orbitron 2007:Internet).
The drivers identified as applicable to the explicit processes (refer to Table 11-1) overlap and further enforce
the nine processes listed above. Half of the identified drivers refer to specific processes that need to be
followed, whilst the remainder focus on the use of forensic toolkits to perform the processes. These nine
processes are explicit in nature and can be considered as the motivation factors to be addressed in the
acquisition process.
Figure 11-4 shows the incorporation of the Live Forensic explicit processes into the proposed Liforac
model. These blocks form the basis of the Timeline dimension of the Liforac model. The integration of
the implied processes with these explicit processes will be discussed in Paragraph 11.3.3. All the
processes in Figure 11-4 have already been discussed above. However, the dissemination of information
requires more in-depth discussion. There are many different ways of disseminating information. In the
forensic investigation process all the collected information needs to be used for the case itself, referred to
as secrecy. Although the information may not necessarily remain secret, the investigator generally prefers
a certain dimension of secrecy until the information is presented in either court or the organisation’s
disciplinary hearing.
This type of information dissemination is the main reason for the information collection in the first place,
and officially ends the forensic investigation. Another optional way to disseminate information after an
investigation is to use the information as input to a case study. This also serves as an educational means
to further the understanding of the discipline. Using this kind of information in case studies may be either
anonymous or public. The next section integrates the implied and explicit processes and shows the
relation between these process groups.
11.3.3 Integrating the Timeline Components
The previous sections presented the process flows within the Liforac model. The generic framework
consists of implied (Paragraph 11.3.1) and explicit (Paragraph 11.3.2) processes, the timeframe before the
acquisition (Paragraph 11.3.4.1), the timeframe during the acquisition (Paragraph 11.3.4.2) and the
timeframe after the acquisition (Paragraph 11.3.4.3). Figure 11-5 (on page 179) shows the integration of
the implied and explicit process flows of the Liforac model.
Figure 11-4: Liforac model explicit processes (Own compilation)
Each of the implied processes has a very important role to play in the explicit process flow. Figure 11-5
shows a basic mapping of which of the implied processes map onto which specific explicit processes,
briefly listed below:
• Securing evidence is a crucial part of Examination, Search and identify, as well as Information
dissemination.
• Preserving integrity plays a part in Planning, Examination, Search and identify and Information
dissemination.
• Recording actions plays a vital role in the chain of custody. Accordingly, it indirectly affects
Awareness, Authorisation, Planning, Notification, Search and identify, Examination, Hypothesis and
Information dissemination.
• Keeping an audit trail relates to the chain of custody, but refers more to formal documentation
that will be included in the final case report. This is specifically relevant to Planning, Notification
and Examination.
• Sound analysis is similar to preserving the integrity of the information. Although it only applies to
the Examination process, it forms a very crucial aspect of it.
• A responsibility matrix is probably the most important of the implied processes, and applies to
all of the explicit processes: Awareness, Authorisation, Planning, Notification, Search and identify,
Examination, Hypothesis and Information dissemination. Although it is possible that a complete
forensic team will be doing the investigation, it is necessary that a single person be responsible
for at least the progress reports of these processes.
Figure 11-5: Liforac model process flow (Own compilation)
The next section looks at the sub process flows present within the process blocks depicted in Figure
11-5. This section considers these data flows within the constraints of the Live Forensic process timeline.
11.3.4 Timeline for the Live Forensic Process
The timeline for the Live Forensic process roughly divides into three timeframes: before, during and after
the acquisition. These timeframes will form the discussion themes presented in the next sections.
Figure 11-6 shows the proposed Liforac model process flows with the new timeframes indicated.
• Timeframe 1: Before the Live Forensic Acquisition involves Awareness, Authorisation and Planning
(discussed in Paragraph 11.3.4.1).
• Timeframe 2: During the Live Forensic Acquisition involves Notification, Search and identify, and
Preservation (discussed in Paragraph 11.3.4.2).
• Timeframe 3: After the Live Forensic Acquisition involves Examination, Hypothesis and Information
dissemination (discussed in Paragraph 11.3.4.3).
Figure 11-6: Liforac model process flow indicating timeframes (Own compilation)
Figure 3-3 presented a rough timeline of events when investigators apply Live Forensic Acquisition. After
the additional research done in the preceding chapters, Chapter 11 now presents a more complete timeline
with a detailed discussion of the individual timeframes. The next sections discuss the three timeframes
in detail.
11.3.4.1 Timeframe 1: Before the Live Forensic Acquisition
Before the Forensic Acquisition is a very crucial time. Not only is it necessary to prepare all the people
involved in the case, but a solid foundation might help the case in court. Before the Forensic Acquisition
consists of three main processes: Awareness, Authorisation and Planning. Of these three processes,
Planning is the most crucial, presented as the overarching Planning process at the bottom of the figure
and mapped to many of the other sub processes.
A detailed process flow for the timeframe Before the Live Forensic Acquisition incorporates information
gathered throughout the study. Figure 11-7 presents this updated process flow model, specifically for the
timeframe before the Live Forensic Acquisition.
Figure 11-7: Before the Live Forensic Acquisition timeframe (Own compilation)
This figure also extends to include the implied process mapping introduced in Figure 11-5 and to
introduce the explicit process mapping onto specific processes (noted with 1, 2 and 3). The updated
process flow model, however, still builds on the original model presented in Figure 3-3. Case study 1
gives an example interpretation of Figure 11-7 in a real-life forensic investigation example.
Case study 1: Before the Live Forensic Acquisition timeframe (see Figure 11-7)
Organisation ABC’s system administrator noticed unusual network activity after working hours for the
past three days. With specialised network software, the administrator is able to track the specific IP
address of the offending computer and determine the location of the office and the employee linked to
that office. The administrator has a close working relationship with Organisation ABC’s trained forensic
support services. He logs an incident alert through the specified organisational channels to notify the
forensic support service staff member on duty about the unusual activity, citing the office and employee
identified.
The forensic support service staff member (further referred to as forensic
investigator) receives the incident alert and contacts the organisation’s security
services to arrange for a security guard with the master key to the office in
question to accompany him on a site inspection of the physical location of the
office specified by the system administrator.
The forensic investigator and the security guard (accompanying the forensic
investigator as independent witness) proceed to the office in question. From
the end of the corridor, the forensic investigator notes and documents that the
office door in question is open and the office lights switched on. The forensic
investigator and security guard decide to walk past the open door, without
communicating with any individuals that might be in the office. This is an
indirect way of approaching the computer.
Whilst passing the open office door, the forensic investigator notes that there is
a Caucasian male in his late twenties sitting at the desk, evidently working on
the computer located on the office desk. Taking into account that the computer
is switched on, the forensic investigator decides to proceed with Live Forensic
Acquisition.
The man sitting behind the computer did look up when the two individuals (one
wearing formal office wear and the other Organisation ABC’s prescribed security
dress) passed the office, but did not appear to perceive the walk-by as a site
inspection. As a result, the forensic investigator decides to proceed with a covert
investigation from his forensic laboratory. The forensic investigator returns to the
forensic laboratory and makes comprehensive notes on all his observations, as
well as sketching a rough map of the layout of the office in question, as viewed
through the open door. The security guard returns to the security headquarters.
There are specific processes that need to be in place in the event of a covert
investigation. The forensic investigator previously installed EnCase Enterprise
on all the organisation’s registered computers. He now activates the secure
VPN from the EnCase server.
Isolation is not practical during a covert investigation. Accordingly, the forensic
investigator activates approved network monitoring software to constantly
monitor any activity on the machine in question. Should the network monitoring
software indicate that the activity on the computer has ceased, the forensic
investigator needs to contact the security guard with the master key again. The
security guard would then have to return to the suspect site, unlock the office
and serve as independent witness whilst the forensic investigator connects a
Mouse Jiggler to the system to maintain its active state. The security guard
knows about this possibility and remains on standby.
A covert investigation automatically suggests a network acquisition. The forensic
investigator now checks the activity throughout the entire organisation’s network.
The available bandwidth should be adequate to allow a network acquisition in
the least amount of time.
The forensic investigator checks the suspect system’s BIOS and basic system
information as recorded in the system administrator’s logs. He checks the
size of the suspect drive and checks the destination drive for sufficient space.
The forensic investigator compares the location data sent by the system administrator
in the incident alert with his own notes made about the site visit. According to
the system administrator’s logs, the employee linked to the office in question is
supposed to be Susan Brown, a middle-aged Caucasian female. Checking
Human Resource records, the forensic investigator notes that Susan Brown has
been on extended sick leave for the past two weeks due to major back surgery.
Since this incident alert came through after hours and there is only one forensic
investigator on duty, no case briefing is required at this time.
As the only active member of the team at this specific point of time, the on duty
forensic investigator needs to assess his own competency regarding the
prospective case. He has practical experience in similar cases, and decides to
proceed with the investigation.
According to the system administrator’s logs, all the computers run Windows XP.
Regarding technical aspects, the forensic investigator decides that no additional
expert advice is necessary. However, he may need to involve additional people
to identify the man sitting behind the desk and to determine how he got access
to Susan Brown’s computer.
The forensic investigator knows that one of the organisational policies requires
that all employees should sign the standard electronic device disclaimer before
a computer is issued for their use. This disclaimer states that the organisation’s
electronic devices remain the property of Organisation ABC, and that the
employee can use the devices whilst in the employ of the organisation.
The disclaimer explicitly states that the system administrator may periodically
conduct searches on the electronic devices, and that the employees only have
a reasonable claim to privacy. Based on this knowledge, the forensic
investigator contacts the system administrator and gets written permission to
access the computer in question. This diminishes the forensic investigator’s
liability in the event of a legal rebuttal.
Once all this information is duly noted and documented, the forensic
investigator has successfully completed the processes necessary before the
Forensic Acquisition can commence. These processes include Awareness,
Authorisation and Planning.
* Throughout the entire process, the implied processes should be adhered to.
Figure 11-7 extends the information presented in Figure 11-6, focusing only on the three processes related
to the Before timeframe. Awareness, Authorisation and Planning extend to include, in order:
• determining the current power status of the computer and computer system;
• selecting the investigation mode (overt or covert);
• isolating the system in question and securing it promptly;
• selecting the analysis mode (local or remote); and
• comprehensive pre-acquisition planning.
Each of these processes is now discussed in relation to Figure 11-7.
1 Awareness
It is essential that all personnel involved in the investigation, especially in the search and seizure, should
be adequately briefed beforehand. All participating investigators should be aware of any special
circumstances surrounding the particular investigation, as well as newest trends and legalities relevant to
the case. This briefing can either take the form of a written document, or a formal meeting where all the
people involved are verbally briefed by a superior, and should cover aspects regarding the suspect’s
intelligence, the crime scene’s information and logistics, as well as specifics regarding the computers
involved (ACPO 2007:21).
On a timeous basis, personnel should also be reminded of the basic rules and procedures involved with
computer-based electronic evidence. Briefings should make specific mention, where available, of any
specialist support that exists and how these specialists may be summoned (ACPO 2007:21). Generally,
these briefings are aimed at First Responders (introduced in Paragraph 3.3.1) who are the first people to
be sent out to the crime scene. At this stage, investigators may wish to consider the use of covert entry
and property interference in more serious cases (ACPO 2007:21).
Figure 11-7 presents Awareness as part of the overarching Planning process at the bottom of the figure.
Awareness includes:
• obtaining data regarding the computer system;
• obtaining data regarding the location; and
• case briefing.
The next process in the Before the Live Forensic Acquisition timeframe is Authorisation.
2 Authorisation
Anything done during an investigation needs to be authorised beforehand. In the event that it was not
authorised beforehand, the investigating team might encounter legal problems at a later stage.
The most important people involved in a Forensic Acquisition are the First Responders. These individuals
receive specialised training to deal with these situations. They require a supervisor to brief them and
organise a search warrant, should the investigation require it. If the briefing reveals that there will be
special/unknown circumstances surrounding the computers present at the subject premises, the services of
specialised staff should be contracted in before the acquisition commences. In rare circumstances, the
case officer may feel it necessary to secure the services of an independent consulting witness to attend
the scene of a search and subsequent examination (ACPO 2007:22).
Should external specialists or expert witnesses be required as part of the search and seizure, the name
of the person in question should be included in the wording of the search warrant. Due to a number of
restrictions and prerequisites, these specialists should be carefully selected before any involvement in an
investigation (ACPO 2007:33). More information on how to select expert witnesses can be found on the
accompanying CD, see Presenting evidence.
Figure 11-7 (on page 181) presents Authorisation as part of the overarching Planning process at the
bottom of the figure, as well as in some of the main processes. Authorisation includes:
• identifying the necessity of expert advice;
• obtaining the necessary authorisation; and
• isolating the system (refer to Paragraph 3.4.2).
To ensure that a Live Forensic Acquisition goes according to plan, and results in forensically sound
evidentiary artefacts, preliminary planning is essential. If it is at all possible, as much information as
possible should be obtained beforehand about the type, location and connection of any computer
systems. Planning, discussed next, extends to include both Awareness and Authorisation.
3 Planning
A plan of action, the people involved and the tools needed for the investigation should be decided on
before the investigation commences, minimising the opportunity of unexpected surprises. For example,
single computers with an internet connection are those most commonly found and investigators with a
basic level of training in digital evidence recovery can usually seize these. However, when medium or large
network systems are involved, investigators need to call in relevant expert advice before proceeding.
If possible, the IT literacy of the suspect and the known intelligence should be determined to decide
whether specialist assistance should be considered for the investigation (ACPO 2007:21). It is very
important that a forensic investigation follows all of the above processes diligently and in order. Neither
investigators nor company staff members should be allowed to search the system and disturb evidence.
Only forensically qualified staff should enter the system with the necessary authorisation, since additional
activity may disturb the timeline of the files needed in the investigation.
Part of the Planning process is to ensure that the forensic investigation team has all the necessary
equipment (both hardware and software) readily available. To be fully prepared for any crime scenario,
the investigators need to take an extended list of equipment to the crime scene. The tools can be useful
in the proper dismantling of computer systems, as well as during packaging and removal. This will
ensure that the team is prepared for any system configuration. Table 11-2 presents a list of suggested
equipment needed to ensure full preparedness.
Table 11-2: Digital Forensic equipment needed during a Live Forensic investigation (Adapted from: ACPO 2007:21,22; DIBS USA Inc 2008:Internet)
Digital Forensic equipment needed
• property register
• exhibit labels (tie-on and adhesive)
• labels and tape to mark component parts of the system, including leads and sockets
• tools such as screw drivers (flathead and crosshead), pliers, wire cutters for removal of cable ties
• a range of packaging and evidential bags fit for the purpose of securing and sealing heavy items such as computers and smaller items such as PDAs and mobile phone handsets
• cable ties for securing cables
• flat pack assembly boxes - consider using original packaging if available
• coloured marker pens to code and identify removed items
• camera and/or video to photograph scene in situ and any on-screen displays
• torch
• mobile telephone for obtaining advice, not to be used in the proximity of computer equipment
• latex gloves
• crime scene bandages
• tweezers
• mobile forensic workstation with appropriate forensically sound software already installed
• Rapid Action Imaging Device (RAID)
This toolkit suggests only a number of basic tools, but can be extended as deemed necessary by the
investigator. Figure 11-7 (on page 181) presents Planning as the overarching process at the bottom of
the figure, as well as in most of the main processes. Planning includes:
• components of both the Awareness (1) and Authorisation (2) processes;
• selecting investigating mode and specific processes;
• selecting acquisition mode; and
• identifying the necessity of expert advice.
The implied processes relevant to this timeframe (refer to Paragraph 11.3.3) are Recording actions and
Keeping an audit trail. Both these processes are crucial during any planning process and involve a lot of
administration. The third implied process is the Responsibility matrix. This ensures that each member of
the investigating team knows exactly what is expected of him/her. Once the forensic investigator has done
all the necessary pre-acquisition planning, he/she can proceed to the next timeframe - During the Live
Forensic Acquisition.
11.3.4.2 Timeframe 2: During the Live Forensic Acquisition
Although the planning before the actual acquisition is very crucial, the physical process of acquisition is
the main aspect of a forensic case. Opposing counsel often questions the integrity of this acquisition process
and occasionally proves an inadequate chain of custody that leads to the exclusion of crucial evidentiary
artefacts from the proceedings. This is often based on the methods and techniques used during the
acquisition process. The During the Live Forensic Acquisition timeframe is the most crucial time in which
forensic soundness of the evidentiary artefacts can be assured.
A detailed process flow for the timeframe During the Live Forensic Acquisition incorporates information
gathered throughout the study. Figure 11-8 presents this updated process flow model, specifically for the
timeframe During the Live Forensic Acquisition.
Figure 11-8: During the Live Forensic Acquisition timeframe (Own compilation)
This figure also extends the implied process mapping introduced in Figure 11-5 and introduces the
mapping of the explicit processes (noted with a 4, 5 and 6). The updated process flow model, however,
still builds on the original model presented in Figure 3-3. Case study 2 gives an example interpretation of
Figure 11-8 in a real-life forensic investigation example.
Case study 2: During the Live Forensic Acquisition timeframe (see Figure 11-8)
Organisation ABC’s on duty forensic investigator has duly prepared for a covert Live Forensic Acquisition.
He created awareness through observation, got the necessary authorisation from the system administrator
and planned the network acquisition (refer to Case study 1). He now proceeds with the forensic acquisition.
The forensic investigator includes a number of sketches and maps in the case
documentation: a blueprint layout of the organisation’s floor plan (if available) and a
map made during the site inspection. In this case study, the forensic investigator
never entered the office in question. Accordingly, he includes the sketch he
made when glimpsing through the open office door. The forensic investigator
contacts the system administrator to get a copy of the most up-to-date network
map to identify the location of the hubs and routers that may be relevant to the
investigation.
The forensic investigator notes and documents everybody present at the suspected
crime scene, and involved with the case in either a direct or indirect manner. This
would include himself, the system administrator, the after hours receptionist
answering the phone at security headquarters, the security guard with the master
key, the man sitting behind the computer and any other individuals encountered
during the site visit. It is also worth noting Susan Brown – although she may not
be present, her assets are involved in the investigation.
Since the forensic investigator has not been able to interact with the physical
computer yet, he needs to note all the details recorded in the system administrator’s
log: type, operating system and service packs, size of hardware, etc. With
specialised network monitoring and probing software, the forensic investigator can
extend this list to open ports, actively running processes, the Windows registry,
open files, possible passwords, etc.
During this covert operation, the forensic investigator has not approached the
computer user. Accordingly, the user has provided no information that may benefit the
investigation. All actions performed by the forensic investigator should be duly noted in the case
documentation. Any additional information that may be retrieved through network
monitoring and forensic software from the suspect computer should be noted as it
is retrieved. The forensic investigator should also notify his supervisor and the
system administrator that the forensic investigation will commence.
If it is possible to log into the suspect machine through remote login, the forensic
investigator should note all details of the computer’s display.
If it is possible to determine which peripherals are connected to the computer in
question, the forensic investigator should note these in the case documentation.
Once all the necessary actions are documented and the necessary individuals
notified, the forensic investigator activates the Servlet on the suspect computer.
This Servlet is pre-installed on all computers of Organisation ABC, and acts
similar to a rootkit, without notifying the computer user (in this case, the
unidentified Caucasian male using Susan Brown’s office computer) of its
existence. The Servlet identifies relevant information that may have evidentiary
value. This information will be used at a later stage during the analysis process.
The Servlet activates the incident response process, also known as a
Snapshot, to retrieve deep volatile data from the suspect machine. The
Snapshot enables the forensic investigator to see all accounts currently logged
into the computer, as well as all accounts that have been used prior to the
incident to log into the computer. The currently logged in account
belongs to Susan Brown.
The Servlet enables the forensic investigator to determine the existence of any
virtual machine software, and to interpret and analyse these formats. The Servlet
on Susan Brown’s machine does not indicate the presence of such software.
The forensic investigator makes notes of all evidence acquired and noted
throughout the investigation. Although the computer itself has not been seized
during the investigation, the forensic investigator should complete a chain of
custody log (refer to Figure 3-8).
Once this information is duly noted and documented, the forensic investigator
has successfully completed the processes required during the Forensic Acquisition.
These processes include Notification, Search and identify, and Preservation.
* Throughout the entire process, the implied processes should be adhered to.
Figure 11-8 extends the information presented in Figure 11-6, focusing only on the three processes
specified as related to the timeframe During the Live Forensic Acquisition. Notification, Search and identify,
and Preservation extend to include, in order:
• collect technical and non-technical information regarding the suspect system;
• activate the pre-installed software forensic agent on the suspect machine;
• identify the logged-on account and its administrative rights;
• identify the nature of the logged-on system (real or virtual); and
• maintain the chain of command and preserve digital evidence.
The next section focuses on detailing this timeframe’s main processes: Notification, Search and identify,
and Examination.
4 Notification
Once the investigator has performed all the necessary processes in Timeframe 1, he/she needs to report the
status of the current investigation to the person in charge. This is part of the chain of custody
process. The chain of custody (see Paragraph 3.3.3.3) is a very important aspect of a successful
investigation. To ensure a complete chain of custody, it is recommended that the investigator documents
all the processes performed at the scene of a search, preferably in a pre-designed form that can be
completed during the investigation.
All the people involved in the discovery and notification of the incident need to provide a written report
documenting their observations and actions. These reports, as part of the chain of custody, will notify all
the relevant parties of the actions and decisions involved in the investigation. The next process is
Search and identify.
5 Search and Identify
The next process in the forensic investigation approach is Search and identify, or Search and seizure.
From the first moment that the physical searching begins, it is necessary to document all actions in the
chain of custody. This ensures that investigators document all actions fully and that these actions
comply with the extended definition of forensic soundness (discussed in Paragraph 6.1). Before the
investigator physically starts acquiring data, he/she needs to note some crucial aspects about the system
that will form the foundation for the chain of custody.
As far as possible, forensic investigators need to get appropriate information from bystanders, computer
system users and system administrators. Investigators need to record this information appropriately in
the chain of custody documentation. The investigators may invite trained personnel or independent
specialists to be present during an interview with a person detained in connection with offences relating
to computer-based electronic evidence. However, should any individual be part of the investigation
process, he/she may not be considered as an independent witness anymore (ACPO 2007:22).
During a Live Forensic Acquisition, it is necessary to gain access to the suspect system. In order to do
this, a forensic software agent needs to be installed on the system before the incident occurs (refer to
Paragraph 3.3.2). Once the incident has occurred and the software agent has been activated, the forensic
investigator can gain access to the machine either locally or over the network.
The tools necessary for the Live Forensic Acquisition may be run from a forensically sound bootable
floppy disk, DVD, CD-ROM or USB flash drive. The preferred (and recommended) hardware is the
flash drive, except when the suspect system runs on a Windows 9x platform. Most computers have a
USB port that enables easy installation of the necessary software. This device also has the added
benefit that the results/image can be written back to the same device, limiting the number of introduced
processes to the system. An additional factor is the possible size of a memory dump. A USB flash drive
can allow for a sizeable image. Whichever hardware is introduced to the system, it should be stopped
and safely removed after the analysis, before the investigator shuts the suspect computer off with
standard power-off forensic procedures (ACPO 2007:18).
Introducing any tools or processes to a compromised computer/system may lead to further inconsistency.
The forensic investigator is accordingly recommended to follow a prescribed set of rules using a number
of basic trusted tools. He/she first needs to perform a risk assessment of the situation: in a hacker’s
attempt to hide his/her criminal activity, a potential Trojan defence may hamper the viability of collecting
volatile evidence in a Live Forensic Acquisition.
Paragraph 5.3 suggested that investigators kill certain known applications to limit the interference of the
forensic procedures with currently running processes. These processes include the antivirus programme,
task scheduler, the firewall and IIS (Carvey 2007:Internet). This practice is discouraged unless specific
expert knowledge is held about the evidential consequences of doing so. For example, closing Microsoft
Internet Explorer will dump data to the hard drive. In essence, this preserves some of the volatile data.
If it is safe to perform a forensically sound investigation, the investigator needs to install a volatile
data-capturing device using a USB flash drive or a similar device. The associated volatile data collection
script needs to run, and be stopped safely to limit potential data loss (ACPO 2007:19). During a Live Forensic
Acquisition, he/she needs to retrieve the evidentiary artefacts presented in Table 11-3.
Table 11-3: Evidentiary artefacts to retrieve during Live Forensic investigation (Adapted from: ACPO 2007:18; Amenya 2004:6)
Evidentiary artefacts to retrieve
• process listings
• service listings
• system information
• logged on and registered users
• network information including listening ports, open ports, closing ports
• ARP cache
• auto-start information
• registry information
• a binary dump of memory
• running processes
• network connections
  − open network ports
  − closing network ports
• data stored in memory
  − decrypted applications (useful if encryption software is installed)
  − passwords
• backup tapes
• removable media
The rule of thumb is to seize computers and associated media only if it is necessary. The person in
charge of the search must make a conscious decision to remove property and there must be justifiable
reasons for doing so (ACPO 2007:22). Investigators can retrieve deleted data from a number of areas in
a filesystem. They can also identify data deliberately hidden by cyber criminals.
Before the Live Forensic Acquisition can be considered complete, the forensic investigator needs to check
the software installed on the suspect machine. This may give an indication of whether all possible data have
been acquired and of what the suspect machine’s user has been doing in the days prior to the incident. The
forensic investigator needs to check:
• Websites, forum postings and blogs. Evidence relating to a crime may reside in the internet
history of the computer, or as a post in a forum or blog. It is essential to capture these images
as soon as possible after the alleged crime, since internet content is updated regularly. This
may introduce difficulties to prove that a specific image is exactly what the suspect saw.
• E-mail, web mail and Internet Protocol Address account information. Investigators might
be able to get additional subscriber information relating to e-mail, web mail or Internet
connections from the machine user’s ISP. The Regulation of Investigatory Powers Act (RIPA)
2000 regulates these information requests (ACPO 2007:13).
The forensic acquisition should adhere to sound and established forensic principles at all times,
documenting all actions taken fully. This documentation can be made available to opposing counsel who
may conduct a further examination to validate the actions (ACPO 2007:24). The next focus is preservation.
6 Preservation
To ensure that the acquired evidence can be used either in court or during organisational disciplinary
hearings, the forensic investigators need to take extra care to correctly preserve the evidence (refer to
Paragraph 3.4.5.1). Accordingly, the investigators need to know the preservation techniques for all the
involved digital media before the data is acquired.
The implied processes relevant to this timeframe (refer to Paragraph 11.2.3) are Securing evidence,
Preserving evidence, Keeping an audit trail and Sound analysis. All four of these processes are necessary
to ensure admissibility in court. Recording actions and the Responsibility matrix ensure that each
member of the investigating team knows exactly what is expected of him/her. Once the preservation is
secured, the forensic investigation can proceed to the After Live Forensic Acquisition timeframe.
11.3.4.3 Timeframe 3: After the Live Forensic Acquisition
Although the timeframe directly after the physical acquisition does not legitimately fall in the acquisition
category, this timeframe is very important in ensuring that the acquired data remains forensically sound
and admissible in court. Once the investigators have gathered all the information, the formal part of Live
Forensic Acquisition is complete. The investigator should immediately follow with the standard power-off
procedure, to ensure that no data modification can occur accidentally.
Once the investigator has acquired the evidence, he/she needs to follow the rest of the forensic lifecycle:
examination, analysis and reporting (see Paragraph 3.3.1). A detailed process flow for the timeframe
After the Live Forensic Acquisition incorporates information gathered throughout the study. Figure 11-9
presents this updated process flow model, specifically for the timeframe After the Live Forensic Acquisition.
Figure 11-9: After the Live Forensic Acquisition timeframe (Own compilation)
This figure also extends the implied process mapping introduced in Figure 11-5 and introduces the
mapping of the explicit processes (noted as 7, 8 and 9). The updated process flow model, however, still
builds on the original model presented in Figure 3-3 as well as the generic forensic process in Figure 3-5.
Case study 3 gives an example interpretation of Figure 11-9 in a real-life forensic investigation example.
Case study 3: After the Live Forensic Acquisition timeframe (see Figure 11-9)
Organisation ABC’s on duty forensic investigator has duly prepared for a covert Live Forensic Acquisition
on Susan Brown’s computer. He followed the correct procedures in notifying all relevant parties, activating
the EnCase Enterprise Servlet pre-installed on the computer, searching the computer in question and
identifying potential evidence, as well as preserving the evidence by maintaining the chain of custody
(refer to Case study 2).
The forensic investigator already checked that there is sufficient hard drive
space to make a complete bit-by-bit copy of the hard drive (refer to Case study
1). He now uses the EnCase interface to create an .E01 image of the drive.
Once the copy is complete, another exact copy should be made to be stored as
best evidence.
The forensic investigator documents responsibilities regarding the case. Currently,
he is still the only forensic investigator on duty, and therefore documents himself
as the sole person responsible for the image and the investigation to date.
The Servlet has a built-in write protector that prevents any unauthorised
interference with the data on the suspect’s computer. The forensic investigator
needs to practise basic safety measures: maintain physical security of the
forensic laboratory, and never leave the laboratory unlocked and unattended.
The forensic investigator fills in the evidence-tracking log:
• responsible investigator: the forensic investigator on duty;
• the evidence image was created and completed at 21:07 on
Wednesday 8 September 2009, GMT;
• case number: 2009090821071;
• acquisition location: Forensic laboratory 2C ABC Organisation,
imaged over the network from office F227 Building 16A;
• suspect: unidentified Caucasian male in his late twenties;
• evidence type: hard drive image and network monitoring reports;
• acquired evidence’s media-specific description: type, manufacturer,
serial numbers and/or volume names, etc.;
• tools used: EnCase Enterprise version 6.8.
As the investigation progresses, this evidence-tracking log should be maintained
to record who removed evidence from and returned it to storage, when and why,
as well as the final fate of the evidence (destruction, secure deletion
or returned to owner).
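The evidence-tracking log described in this case study, as an added example (not the thesis's own material and not EnCase functionality): the acquisition hash is recorded once, the best evidence copy is verified against it, and each removal from or return to storage is appended to a hash-chained audit trail so that a later edit to any entry is detectable. The case details are those given in the log above; the image bytes are a constructed stand-in for the .E01 image.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # anchor hash for the first log entry


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory image (or a copy of it) as a hex string."""
    return hashlib.sha256(data).hexdigest()


class EvidenceTrackingLog:
    """Hash-chained evidence-tracking log (added example, not EnCase functionality).

    Every entry embeds the hash of the previous entry, so editing, removing or
    reordering an earlier record breaks the chain and verify_chain() reports it.
    """

    def __init__(self, case_number, investigator, location, evidence_type, tools,
                 clock=None):
        self.header = {
            "case_number": case_number,
            "responsible_investigator": investigator,
            "acquisition_location": location,
            "evidence_type": evidence_type,
            "tools_used": tools,
        }
        self.entries = []
        self.acquisition_hash = None  # fixed once, at acquisition time
        # Injectable clock keeps the log reproducible in tests.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    @staticmethod
    def _hash_entry(entry):
        """Hash of the canonical JSON form of an entry, excluding its own hash."""
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def _append(self, action, **details):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries) + 1,
            "time": self._clock(),
            "action": action,
            "details": details,
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    def record_acquisition(self, image: bytes):
        """Record the working copy; its hash becomes the reference for all copies."""
        self.acquisition_hash = sha256_hex(image)
        return self._append("acquired", sha256=self.acquisition_hash, size=len(image))

    def verify_copy(self, copy: bytes, label: str) -> bool:
        """Check a copy (e.g. the best evidence copy) against the acquisition hash."""
        digest = sha256_hex(copy)
        ok = digest == self.acquisition_hash
        self._append("copy_verified" if ok else "copy_mismatch", label=label, sha256=digest)
        return ok

    def check_out(self, who: str, why: str):
        return self._append("removed_from_storage", by=who, reason=why)

    def check_in(self, who: str):
        return self._append("returned_to_storage", by=who)

    def verify_chain(self) -> bool:
        """Recompute every entry hash and prev_hash link from the genesis anchor."""
        prev = GENESIS_HASH
        for entry in self.entries:
            if entry["prev_hash"] != prev or self._hash_entry(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def build_case_log():
    """Replay Case study 3's log; returns the log and the best-evidence check result."""
    image = bytes(range(256)) * 16  # constructed 4 KiB stand-in for the .E01 image
    log = EvidenceTrackingLog(
        case_number="2009090821071",
        investigator="forensic investigator on duty",
        location="Forensic laboratory 2C, imaged over the network from office F227",
        evidence_type="hard drive image and network monitoring reports",
        tools="EnCase Enterprise version 6.8",
    )
    log.record_acquisition(image)
    best_evidence = bytes(image)  # second exact copy, to be sealed as best evidence
    best_evidence_ok = log.verify_copy(best_evidence, "best evidence copy")
    log.check_out("forensic investigator on duty", "examination and analysis")
    log.check_in("forensic investigator on duty")
    return log, best_evidence_ok
```

A copy that differs by a single byte is logged as a mismatch, and any later edit to a stored entry makes verify_chain() return False.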
The forensic investigator performed a covert acquisition within the secured
forensic laboratory premises and made the necessary backups. Once the
acquisition is complete, he will commence directly with the examination and
analysis. Accordingly, there is no need to secure the working copy of the hard
drive image. The forensic investigator should, however, seal the best evidence
copy in anti-static packaging and properly label this package with the case number
and as the best evidence copy.
The forensic investigator performed a covert acquisition within the secured
forensic laboratory premises. There is no need to transport the evidence.
The forensic investigator should lock the best evidence copy securely in the
forensic hard drive safe.
The forensic investigator uses the information retrieved in earlier processes as
input to the EnCase software package to examine the content of the hard drive
fully. This examination is beyond the scope of this research.
The forensic investigator uses the information from the examination process as
input to the EnCase software package to analyse the content of the hard drive
fully. This analysis is beyond the scope of this research.
EnCase allows the automatic generation of fully detailed reports. These
automated reports show a wealth of information depending on the type being
generated (e.g. listing of all files and folders in a case, detailed listing of all
URLs and corresponding dates and times that websites were visited, document
incident report that helps create the required documentation relevant during the
incident response process, and detailed hard drive information about physical
and logical partitions).
Once all this information is duly noted and documented, the forensic
investigator has successfully completed the processes required after the Forensic
Acquisition. These processes include Examination, Hypothesis and Information
dissemination.
* Throughout the entire process, the implied processes should be adhered to.
Figure 11-9 extends the information presented in Figure 11-6, focusing only on the three processes
specified as related to the after timeframe. Examination, Hypothesis and Information dissemination extend
to include in order:
• update the chain of command;
• securely seal all packages to avoid any evidence tampering;
• transport evidence securely to a forensic laboratory;
• store evidence securely in a forensically approved storage facility;
• examine the evidence with forensically sound software;
• analyse the evidence with forensically sound software and techniques;
• all people involved in the discovery and notification of the incident need to provide a written
report documenting their observations and actions.
The next section focuses on detailing this timeframe’s main processes: Examination, Hypothesis and
Information dissemination.
7 Examination
The examination involves a close inspection of the suspect machine. This generally occurs when the
investigator is looking for specific data on the suspect machine. Once the investigator is sure that he/she
acquired all the possible evidence located in the computer system, he/she then needs to verify the data
output on a separate forensic investigation machine (ACPO 2007:19).
8 Hypothesis
Once all the necessary processes in the investigation are complete, the investigator may present evidence
in court. It is customary that the first hearing at a magistrate’s court will not involve the production of the
forensically acquired disk, although this practice is dictated by local Law Enforcement practices. During
subsequent hearings, the parties involved need to view the images on disk. The investigator will retain
control of the disk during these times. After the hearing, the investigator will return the disk to the
appropriate storage facility and sign it back in as before (ACPO 2007:31).
9 Information dissemination
Transporting evidence securely is crucial. Table 11-4 presents some guidelines on how to transport some
types of hardware to minimise any possible damage to the evidence. This is an extension of Table 3-2.
Table 11-4: Guidelines for transporting evidence securely (Adapted from: ACPO 2007:11,12)
Transporting guidelines
PDAs, electronic organisers and palmtops:
• Protect from magnetic fields.
• Prevent from transmitting or receiving data.
Computer unit:
• Keep upright to minimise serious physical shocks.
• Keep away from magnetic sources (loudspeakers, heated seats and windows and police radios).
Hard disks:
• Protect from magnetic fields.
• Place in anti-static bags or in tough paper bags or wrap in paper and place in aerated plastic bags.
Floppy Disks, Jaz and Zip cartridges and USBs:
• Protect from magnetic fields.
• Do not fold or bend.
• Do not place labels directly onto floppy disks.
Keyboards, leads, mouse and modems:
• Place in plastic bag.
• Do not place under heavy objects.
After the seizure, the evidence needs to be stored in a secured environment, preferably close to the
forensic laboratory. The storage facility needs to be at normal room temperature, without the extremes
of humidity. It should also be free from magnetic influences such as radio receivers (ACPO 2007:12).
With the conclusion of the investigation, there should be information flows to disseminate the results. These
flows are subject to certain controls, for example, in the event that names or technical details need to
remain secret. The information produced by the investigators may influence internal policies of the
organisation, or become input to future investigations. It may pass through an organisation’s information
distribution function to become available to other investigators outside the organisation. This can take
the form of a published case study used for training investigators, or a security advisory to system
administrators (Ciardhuáin 2004:9).
The implied processes relevant to this timeframe (refer to Paragraph 11.2.3) are Securing evidence and
Preserving evidence. Both processes are necessary to ensure admissibility in the court. Recording actions
and the Responsibility matrix ensure that each member of the investigating team knows exactly what is
expected of him/her.
The timeframe After the Forensic Acquisition can become very involved and complicated. Although this
is necessary as part of the Live Forensic process, it is not of such relevance to this study on Live
Forensic Acquisition. The accompanying CD presents guidelines that are more detailed on how to
present evidence in court, see Presenting evidence.
11.3.4.4 Summary of the Process Flows
The previous paragraphs of this section presented process flows for the entire process of Live Forensic
Acquisition: Before, During and After the Forensic Acquisition. Figure 11-10 amalgamates the process
flows shown in Figure 11-7, Figure 11-8 and Figure 11-9. Figure 11-10 shows all the different processes
needed in a complete Live Forensic Acquisition.
This figure also shows a mapping of the implied processes onto the explicit processes. The previous
sections gave more information detailing these processes.
Figure 11-10: Complete process flow of Live Forensic investigation (Own compilation)
11.4 Summary
Chapter 11 showed in more detail what the Timeline dimension of the Liforac model entails. This is similar
to a complete process flow and shows all the processes involved in ensuring a successful and complete
forensically sound Live Forensic Acquisition. The dimension splits into two types of processes: implied
and explicit. Additionally, these process types span over three separate timeframes: Before the
acquisition, During the acquisition and After the acquisition.
The majority of Chapter 11 develops timelines according to the set criteria. The chapter presents these
timelines graphically and incorporates the mapping of the implied processes on both the explicit
processes and the specific timeframes. Chapter 12 will now focus on the Knowledge dimension of this
model. The chapter proceeds similarly to Chapter 10 and Chapter 11, by highlighting the specific
dimension in relation to the Liforac model, identifying its components and mapping previously identified
drivers on the relevant components. Chapter 12 is the third chapter focusing on a specific dimension,
and will be presented as part of the complete model in Chapter 14.
Chapter 12: Knowledge Dimension
“No man’s knowledge here can go beyond his experience.”
- John Locke
Chapter 12 looks at the previously identified drivers (presented in Table 9-1) that map specifically onto
the Knowledge dimension. This chapter looks in detail at the people involved in successful Live Forensic
Acquisition: who they are and what training and skills they should possess. Chapter 12 divides the
Digital Forensic discipline into six main components of which a forensic investigator needs to have
sufficient knowledge, and one component that relates to all six of the main components.
Figure 9-1 showed the last step in the Liforac model progress: the study reached the physical construction
of the Liforac model. Chapter 12 now builds on the Laws and regulations dimension presented in Chapter
10 and the Timeline dimension presented in Chapter 11. This chapter is the third of four chapters that
focus specifically on this construction. Figure 12-1 shows the proposed layout of the Liforac model,
with the Knowledge dimension forming one of the diagonal sections of the model, connected to all three
of the other dimensions.
Figure 12-1: Focusing on the Knowledge dimension (Own compilation)
Chapter 12 extends the generic Liforac model by dividing this dimension into a further seven components.
These components were identified from research done for developing this dimension. These components
are generic and allow for extension in future updates of the Liforac model. This chapter will look in
more detail at these components, as well as how the drivers identified in earlier chapters map to these
components.
12.1 Introduction
Knowledge is roughly defined as the cognitive perception, reasoning, expertise and skills that an individual
acquires through either direct or indirect learning. Figure 12-2 shows the seven components identified as
relevant to this dimension. This study borrowed and adapted these components from Broucek and Turner’s
(2002:2) suggested framework to raise awareness of forensic issues amongst system administrators.
Figure 12-2: Knowledge dimension (Adapted from: Broucek & Turner 2002:2)
The Knowledge dimension presents all the topics that forensic investigators need to be familiar with to
ensure a sound Forensic Acquisition. This dimension presents all the subjects that combine to present a
comprehensive foundation needed by forensic investigators. The matter of constant knowledge building
has already been touched on in Paragraph 5.2.
These seven components are not the only possible components that may influence the Knowledge
dimension. However, from research done for this study, these seven components are regarded as some
of the more prominent components, covering the basic concepts of forensic knowledge. The Liforac
model allows for additions to this list at a later stage. The inclusion of these seven components is
motivated as follows:
• Component 1. The formal definition of Digital Forensics in Paragraph 3.1 already established
a link between computer science and forensics. Paragraph 8.2.1 further explored this relationship.
• Component 2. World security trends and events have a persistent influence on Digital Forensic
knowledge. Forensic investigators need to update their knowledge on new trends in cyber
crime and the combating of these crimes constantly.
• Component 3. Information Systems are the organised collection, storage and presentation of
information and related knowledge for decision-making. Since there is a direct relationship
between computers and information, this component is necessary in the Knowledge dimension.
• Component 4. Social sciences can play a role in Digital Forensics due to the discipline’s
profiling nature. People tend to react in specific ways under certain circumstances, which may
have an effect on the way the investigation is run.
• Component 5. Forensic sciences are the core of Digital Forensic investigations. Digital Forensics
borrows many principles from Physiological Forensics, as investigated in Chapter 8.
• Component 6. Forensic investigators should have a wide knowledge of relevant legislation and
policies, procedures, codes of practice and guidelines for investigating electronic evidence. It is
necessary to have a firm understanding of the relevant legislation and organisational
requirements regarding race, diversity and human rights, with respect to the country of the
investigation (Forte 2008b:18). Two complete chapters are dedicated to law and its relationship
to Digital Forensics. Chapter 8 and 10 explored the necessity of this relationship in detail.
• Component 7. New technology, similar to world security trends and events, has a persistent
influence on Digital Forensic knowledge. Forensic investigators need to update their knowledge
on new technology constantly to ensure their own forensic readiness.
These seven components form the foundation of the Knowledge dimension. The next section maps the
drivers identified in Table 9-1 onto the seven components listed above.
12.2 Mapping the drivers to the dimension
Table 9-1 showed a comprehensive list of all the drivers identified in the first eight chapters. Table 12-1
shows a sub section of that table, with only those drivers applicable to the Knowledge dimension. The
last column maps the specific driver to one of the seven components shown in Figure 12-2.
Table 12-1: Summary of identified drivers on the Knowledge dimension (Own compilation)
Identified driver | Original chapter | Component with corresponding number
Digital Forensic definition | Paragraph 3.1 | Forensic sciences (5)
A crime scene contaminated by the investigator renders the evidence inadmissible in court | Paragraph 3.2 | Law (6)
Current forensic methods: pulling the plug or doing a live analysis | Paragraph 3.3 | Computer science (1)
Digital Forensic methodology consists of three key steps: acquire evidence without altering the original; authenticate that the recovered evidence is the same as the originally seized data; and analyse the data without modifying it | Paragraph 3.3 | Forensic sciences (5)
Digital Forensic process consists of four steps: collection; examination; analysis; and reporting | Paragraph 3.3.1, Paragraph 4.2, Table 4-1 | Forensic sciences (5)
The First Responder has a very definite role in the Live Forensic process | Paragraph 3.3.1 | Law (6)
Comparison between Dead and Live Forensics | Paragraph 3.3.3, Table 3-1 | Computer science (1)
Forensics has a volatile and unpredictable field setting | Paragraph 3.4 | World security trends and events (2)
Generic Forensic Acquisition process applies to both Dead and Live Forensic Acquisition | Paragraph 3.4, Figure 3-5 | Forensic sciences (5)
A thorough Digital Forensic Acquisition and analysis can be done with supporting software packages and applications | Paragraph 4.1 | World security trends and events (2)
Different forensic suites exist for Windows, Mac, Linux and DOS | Paragraph 4.1 | Information systems (3)
Specific tools can be applied in specific stages of the forensics process | Paragraph 4.2, Table 4-1 | World security trends and events (2)
Many traditional forensic suites also cater for Live Forensic Acquisition | Paragraph 4.2, Table 4-1 | World security trends and events (2)
Electronic information is a valuable resource | Paragraph 5.1 | Information systems (3)
Organisations generally have three possible options to respond to a cyber attack | Paragraph 5.1 | Social sciences (4)
Digital evidence has some unique properties | Paragraph 5.1 | Information systems (3)
Locard’s exchange principle applies to all crime scenes | Paragraph 5.1 | Forensic sciences (5)
Several methods exist to perform Live Forensic Acquisition: software applications; hardware devices | Paragraph 5.3 | New technology (7)
Digital Forensics is a technical application of computer related knowledge | Paragraph 6.1 | Computer science (1)
Forensic soundness is the foundation of court admissibility of evidence | Paragraph 6.1 | Law (6)
An expert witness may elicit professional opinions regarding the validity of a theory and the reliability of specific tools | Paragraph 6.2 | Law (6)
To ensure the acceptance of digital evidence, forensic investigators should maximise the evidential weight of a document | Paragraph 6.2.3 | Law (6)
There are two main elements to demonstrate the authenticity of electronic records: freeze a record at a specific moment in time; maintain a documented audit trail | Paragraph 6.2.3 | Computer science (1)
In both traditional and Digital Forensic measures, courts should allow the minor alteration of original evidence, without altering evidence in such a way that the meaning thereof changes | Paragraph 6.3 | Forensic sciences (5)
The Heisenberg uncertainty principle and the observer effect explain the volatile nature of forensics, both digital and traditional | Paragraph 6.4 | Computer science (1)
There is a strong relationship between Digital Forensics and other disciplines | Paragraph 8.2 | World security trends and events (2)
Table 12-1 shows the interpretational mapping of the seven components of the Knowledge dimension onto
the drivers already identified in this study. Some of these identified drivers overlap and can be merged.
Figure 12-3 (on page 207) presents the Knowledge components within the boundaries of the Liforac model.
This figure indicates the Knowledge dimension, its seven sub components (Computer science, World
security trends and events, Information systems, Social sciences, Forensic sciences, Law and New
technology), as well as the respective drivers in relation to these components. These drivers can be
found in Table 12-1. The remainder of this chapter is devoted to discussions on the seven main
components of the Knowledge dimension.
Figure 12-3: Knowledge components and important aspects regarding each component presented within the Liforac model (Own compilation)
12.3 Developing the Knowledge dimension
With ever-changing technologies, tools and techniques, forensic investigators need to stay abreast and
updated with all new developments. To ensure that investigators are fully prepared for any type of forensic
investigation, they need to ensure that their knowledge is always up to standard to allow for any eventualities.
The next seven sub sections address the seven main components related to the Knowledge dimension.
12.3.1 Component 1: Computer science
Computer science is a very wide discipline, containing a wide range of topics. For the purpose of being a
forensic investigator, it is highly recommended that the individual has a proper computer science
foundation and background. Although a degree in computer science cannot be made a requirement, it may help the
investigator in the understanding of basic concepts.
Some of the suggested knowledge topics are:
• Discrete structures focuses on the understanding of functions, relations and the theory behind
graphs and tree structures;
• Programming fundamentals teaches fundamental programming constructs, algorithms and
problem-solving;
• Architecture and computer organisation teaches machine level representation of data, binary
logic, as well as the functional organisation of computers;
• Operating systems explains OS principles, concurrency, scheduling and memory management;
• Net-centric computing focuses on communication and networking;
• Information management shows the principles of database systems and data modelling;
• Software engineering looks at software design, tools and environments, as well as software
requirements and validations (SIGCSE 2001:Internet); and
• File structures gives investigators sufficient background on file types and file behaviours – this
aspect is very important in a forensic investigation.
The knowledge gained from these specialised topics may prove to be helpful in certain forensic investigations.
In some cases, this computer science knowledge may be applied directly, whilst in others it just ensures
that the investigators are more familiar with the specific scenario found at the crime scene. A solid
computer science foundation is highly recommended for any forensic investigator.
12.3.2 Component 2: World security trends and events
World security trends and events can have a dramatic impact on technology and technological trends.
Accordingly, it may prove to be very helpful for forensic investigators to work in conjunction with the local
Computer Security Incident Response Team (CSIRT). These organisations work closely with CERTs/
CSIRTs in other countries and can draw up statistics regarding technological attack trends. For
example, once a specific worm hits a specific country, it might take an average of 48 hours before the
same worm generally hits South Africa. Cyber investigators can benefit from these statistics.
In the same manner, one type of cyber crime attack launched somewhere in the world might be repeated
on a different continent. If the first case’s forensic investigators make their strategy available, it might
save a lot of time and effort for investigators looking at subsequent cases. To utilise this knowledge
network properly, forensic investigators need to network with global colleagues, building a thorough
knowledge network.
According to an article in The New York Times (Markoff 2008:Internet), “… cyberweapons are now
routinely used during political and military conflicts, as in Estonia in 2007 during a political fight with
Russia, and the Georgian-Russian war…” If cyber investigators are aware of these events, it may be
easier to address some of the cases that they come across.
12.3.3 Component 3: Information systems
An information system can be defined as a collection of practices, algorithms and methodologies that
transforms data into information and knowledge that is useful for individuals or groups of people (UMBC
2008:Internet). According to this definition, there is a close relationship between information systems
and knowledge.
“… Information Systems, on the other hand, focuses on the entire system of information, knowledge,
delivery and use, taking an external, human-based perspective on technology – its focus is on how
technology can be implemented to serve the informational needs of people and organisations.” Compared
with computer science, information systems focus a lot more on the human aspect of computers and the
human-computer interaction (UMBC 2008:Internet). Accordingly, a proper foundation of information
system knowledge can aid a forensic investigator in the understanding of certain forensic principles and
the interaction between the cyber criminal and his/her computer.
12.3.4 Component 4: Social sciences
Social sciences, like information systems, link to the human aspect of computer science. The profiling
nature of Digital Forensics clearly benefits from any social science background that the forensic
investigator may have. Not only do investigators then understand the hardware and software aspects of
the suspect machine, but they may also try to think like the person operating the suspect machine. They
may psychologically step into the suspect’s footsteps and think where the suspect may have hidden
evidentiary files and folders.
Social science purely focuses on society and the associated human behaviour. This discipline is
definitely not a prerequisite for forensic investigations, but may make the investigator’s task easier when
the behavioural aspect is also considered.
12.3.5 Component 5: Forensic science
Forensic science literally means the application of science to law. When considering the
Physiological Forensic science, a basic understanding of this discipline definitely contributes to a better
understanding of Digital Forensics. Many of the investigatory principles remain the same, although the
physical application of the techniques and the tools differ drastically. Even so, a very general
understanding of this discipline may be beneficial (see Paragraph 6.3).
12.3.6 Component 6: Law
Digital Forensics cannot stand separate from the law. Any forensic investigator needs to have updated
knowledge on current and pending legislation that may have an impact on the way forensic investigations
are done. This aspect is so important that forensic investigators should not be allowed to enter the crime
scene without sufficient knowledge for fear that they might contaminate the crime scene. Chapters 8 and
10 already discussed the importance of law and its relationship with Digital Forensics.
12.3.7 Component 7: New technology
Every time new technology becomes publicly available, or an upgrade of software or a hardware component
is on the shelves, investigators need to be trained on this. The chances are very good that investigators
may encounter these new technologies in an investigation. If they do not know how to handle these
upgrades properly, investigators may encounter problems that may have a negative effect on the
investigation.
For example, Windows Vista has a built-in full hard drive encrypter, BitLocker. Should the forensic
investigator be unaware of this technology, he/she may attempt to do a Dead Forensic analysis on the
computer image - this new technology only allows Live Forensic analysis and decrypts the computer image
if the computer is not logged on.
12.3.8 Summary of Knowledge dimension components
All seven components of the Knowledge dimension of the Liforac model have been discussed and their
inclusion into the Liforac model motivated. This section motivated why each of these seven components
has been included in the Knowledge dimension.
12.4 Summary
Chapter 12 focused solely on the Knowledge dimension, as highlighted in Figure 12-1. Seven specific
disciplines are identified as important to the proposed model, borrowed and adapted from Broucek and
Turner’s (2002:2) suggested framework to raise awareness of forensic issues amongst systems
administrators. These components are Computer science, World security trends and events, Information
systems, Social sciences, Forensic sciences, Law and New technology. The remainder of the chapter
developed these components, with a brief discussion and a motivation on whether each is recommended
knowledge or a prerequisite for being a forensic investigator.
Chapter 12 is the fourth chapter focusing on a specific dimension, and will be presented as part of the
complete model in Chapter 14. Chapter 13 will now focus on the Scope dimension of this model. The
chapter proceeds similarly to the previous three chapters, by highlighting the specific dimension in
relation to the Liforac model, identifying its components and mapping previously identified drivers on the
relevant components.
Chapter 13: Scope Dimension
“Every problem is just an opportunity waiting to be made use of.”
- Anonymous
Chapter 13 looks at the previously identified drivers (presented in Table 9-1) that map specifically onto
the Scope dimension. This chapter looks in detail at the problems associated with Live Forensic
Acquisition, identified earlier in Chapter 5. Chapter 13 divides the dimension into five main scope related
components and proposes a solution to each of these.
Figure 9-1 showed the last step in the Liforac model progress - the study reached the physical construction
of the Liforac model. Chapter 13 now builds on the Laws and regulations dimension presented in
Chapter 10, the Timeline dimension presented in Chapter 11 and the Knowledge dimension presented in
Chapter 12. This chapter is the last of four chapters that focus specifically on this construction. Figure
13-1 shows the proposed layout of the Liforac model, with the Scope dimension forming one of the
diagonal sections of the model, connected to all three other dimensions.
Figure 13-1: Focusing on the Scope dimension (Own compilation)
13.1 Introduction
In computer programming, scope is an enclosing context where values and expressions are associated
with the boundaries of the project. Generally, the type of scope determines what kind of entities it can
contain and how it affects them. Scope is the sum total of a project’s products, its requirements and
features.
From these definitions, it is clear that the scope of Digital Forensics can be wide-ranging. For the purpose
of developing the Liforac model, the scope is understood to be the boundaries of the investigation, from
the time that the investigator tries to access the machine, right up to the time that the evidence is
presented in court. In this context, the scope is limited to five main components: the five practical
problems identified earlier in Paragraph 5.2. Figure 13-2 shows these five components.
Figure 13-2: Scope dimension (Own compilation)
The inclusion of these five components is motivated as follows:
• Component 1. The difficulty of gaining access to a computer has been discussed in Paragraph
5.2.1. Some investigations are covert, whilst others are overt. Both types bring about their own
complications.
• Component 2. The current forensic practices require the forensic investigation to interact with
the suspect machine’s OS. Each OS needs to be treated differently during a forensic investigation
and accordingly can pose a major practical problem.
• Component 3. Any process can modify computer data during acquisition, from user applications
to the OS itself. Under current legislation, any data modification can render the evidence
inadmissible in court.
• Component 4. All potential data of evidentiary value need to be properly authenticated before
a court of law can accept it as legitimate evidence.
• Component 5. Computer technology and digital evidence have not always been accepted by
the judicial system. Without the court’s extensive knowledge of new technological developments,
forensic investigators may have some trouble introducing digital evidence.
The next section maps the drivers identified in Table 9-1 onto the five components listed above. This
mapping is similar to the mappings done in Paragraphs 10.2, 11.2 and 12.2.
13.2 Mapping the drivers to the dimension
Table 9-1 showed a comprehensive list of all the drivers identified in the first eight chapters. Table 13-1
now shows a subset of that table, with only those drivers applicable to Scope. This table should not
be memorised, but seen purely as a grouping of all the drivers identified in the development of the Liforac
model that are applicable to the Scope dimension. The last column maps the specific driver to one of the five
components shown in Figure 13-2.
Table 13-1: Summary of identified drivers on the Scope dimension (Own compilation)
Identified driver | Original chapter | Sub dimension with corresponding number
Comparison between Dead and Live Forensics | Paragraph 3.3.3, Table 3-1 | Access to the machine (1), Dependency on OS (2)
Forensics has a volatile and unpredictable field setting | Paragraph 3.4 | Access to the machine (1), Dependency on OS (2)
The integrity of the evidence should be protected at all times | Paragraph 3.4.4 | Data modification (3), Authenticity (4), Court acceptance (5)
A thorough Digital Forensic Acquisition and analysis can be done with supporting software packages and applications | Paragraph 4.1 | Dependency on OS (2), Court acceptance (5)
Different forensic suites exist for Windows, Mac, Linux and DOS | Paragraph 4.1 | Court acceptance (5)
Specific tools can be applied in specific stages of the forensics process | Paragraph 4.2, Table 4-1 | Dependency on OS (2), Data modification (3)
Many traditional forensic suites also cater for Live Forensic Acquisition | Paragraph 4.2, Table 4-1 | Data modification (3), Court acceptance (5)
The accuracy of results and the integrity of digital evidence need to be maintained at all times | Paragraph 4.2.1 | Authenticity (4), Court acceptance (5)
Live Forensics has five identified practical problems: gaining access to the suspect system; acquisition dependent on OS; data modification during the acquisition process; demonstrating the authenticity of evidence; ensuring full acceptance by the court | Paragraph 5.2, Figure 5-2 | Access to the machine (1), Dependency on OS (2), Data modification (3), Authenticity (4), Court acceptance (5)
Four possible solutions exist to the problem of data changing during Live Forensic Acquisition: the investigator can freeze the current state of the computer; investigators can swap hard disks for forensic hardware; investigators can kill unnecessary programmes; and imaging with write command policing | Paragraph 8.3 | Data modification (3)
Table 13-1 shows the interpretational mapping of the five components of the Scope dimension onto the
drivers already identified in this study. Some of these identified drivers overlap and can be merged. The
remainder of this chapter is devoted to discussions on the five components of the Scope dimension.
Figure 13-3 (on page 216) presents the Scope components within the boundaries of the Liforac model.
This figure indicates the five components specific to the Scope dimension (Access to the machine,
Dependency on OS, Data modification, Authenticity and Court acceptance), as well as the drivers in
relation to these components. Table 13-1 presented these drivers. The next section develops the
Scope dimension, building on the information presented in Chapter 5.
13.3 Developing the Scope dimension
The concept of Live Forensic Acquisition is viable, but the identified practical problems drastically
limit the scope and boundaries of the dimension’s applicability. This study identified five components, or
practical problems, that define the scope of the Live Forensic discipline. At the moment, these components
still pose serious problems to the successful admission of evidence in court, but the Liforac model will
provide some guidelines on handling these problems.
The next five sub sections address the five main components linking Live Forensics and the practical
application of the discipline. These sections are not as detailed, since these problems have also been
addressed in Chapter 5.
Figure 13-3: Scope components and drivers presented within the Liforac model (Own compilation)
13.3.1 Component 1: Access to the machine
Paragraph 5.2.1 already introduced the problem associated with accessing a suspect system. Generally,
investigators can access the suspect computer either overtly or covertly. Both access methods pose their
own problems and the investigator needs to be aware of this. The next paragraphs discuss possible
controls.
13.3.1.1 Control 1: Legitimate search warrant
For both overt and covert investigations, an investigator can save a lot of time by having a legitimate
search warrant before the investigation starts. This document gives the investigator the necessary legal
backing to ensure that most suspects cooperate during an investigation. This document also limits any
potential lawsuit against the investigator after the investigation completes.
13.3.1.2 Control 2: Get cooperation from suspect
During an overt investigation, forensic investigators follow the normal approach of search and seizure, as
well as doing on-site interviews with the machine’s owner, user and the user’s colleagues. Generally, these
investigations are straightforward and the investigators can focus on acquiring all the necessary
evidence to present a solid case in court. However, if the investigator can obtain the cooperation of the
machine’s user, he/she may save a lot of time by obtaining the password and possible file locations
directly from the suspect. This saves the investigator the time spent searching for or logically cracking the
passwords, as well as the time spent searching the hard drive.
13.3.1.3 Control 3: Get cooperation from the system administrator
During a covert investigation, forensic investigators follow the normal approach of search and seizure,
but this normally occurs after hours and under cover. To ensure that the acquisition proceeds according
to plan, the investigator needs to do a lot of planning before the physical acquisition can start (see
Paragraph 11.3.4.1). He/she needs to arrange with the appropriate individual at the organisation for
access to the building, as well as unhindered access to the suspect computers.
It is common that these types of investigations occur with the permission of the owner of the machine,
but not with the user. This is in the event where a senior employee or the system administrator gives
permission to the forensic team to investigate a suspect individual using an organisation’s work machine.
Should the machine’s owner not comply with the investigation or the organisation’s policies not allow the owner
to waive the user’s privacy rights, the forensic investigator may face charges of violation of privacy and
trespassing.
In general, this scenario makes it much harder for the forensic team to investigate the machine, since
there is no cooperation from the user. The investigator needs to acquire all evidence electronically and
the user cannot assist by providing passwords or email accounts. If key escrow is in place, forensic
investigators can easily access the suspect machine without breaking any laws. Escrow is a written
agreement delivered to an authorised third party to be fulfilled in specific conditions (WordNet
2009b:Internet). In this example, an escrow agreement may be drawn up between the employee and the
employer that a third party (e.g. the system administrator or organisation’s lawyer) may provide
investigators with the necessary password and encryption keys in the event of an investigation.
13.3.1.4 Control 4: Reasonable discovery
An additional complicating factor is reasonable discovery, which allows investigators to search suspect
machines without the possession of a search warrant. Generally, a search warrant needs to be complete
with all the necessary details, also giving probable cause as to why the search warrant is needed.
However, in extreme cases it is possible to get a search warrant without all this additional information.
For example, in an episode of the series Shark (DSTV 2008:Television), the investigator gets a search
warrant with no physical evidence linking the suspect to the crime. This warrant was granted on the
basis that the suspect intended to wash his car (the suspected crime scene) shortly after the
investigators questioned him regarding it, potentially intending to discard any bloodstains or DNA
evidence left in the car.
Search warrants related to computers need to be very specific in what needs to be searched for and
where it can be found. These warrants generally include the emails located on a specific computer, but
exclude all documents found on the desk on which the computers are located. Any additional
information seized from the desk or anywhere else in the room in question can result in the revoking of
all the seized evidence. The accompanying CD presents an example search warrant (see Legislation),
detailing exactly what needs to be included for a legal warrant.
Should an investigator find a password scribbled on a piece of paper stuck under the keyboard, for
example, this is believed to be reasonable discovery. Although this password was technically found on
the desk excluded from the search warrant, the password is considered included in the warrant since the
investigator needs it to access the computer. Therefore, it is a reasonable assumption that any
passwords found in the nearby vicinity of the computer are a valid discovery.
Generally, reasonable discovery is implied within a search warrant. This complicates search and seizure
matters, since reasonable discovery depends on the judge’s interpretation of the crime scene. All these
exceptions on the basic rules can complicate access to the computer. The forensic investigator needs to
know all these technicalities to ensure successful access.
13.3.1.5 Summary of Component 1
Accessing a suspect machine poses a debilitating problem for Forensic Acquisition. This section looked
at the practicality of this problem, and presented four possible controls to ensure that the investigator can
access the machine. Figure 13-4 (on page 219) presents these controls graphically.
Once the investigator has considered how he/she will access the machine, the next potential
chronological problem is the OS run on the suspect system. The next section looks at the dependency
of the computer on the OS and the influence that this relationship can have on a forensic investigation.
13.3.2 Component 2: Dependency on operating system
The foundation for Live Forensic Acquisition lies on the suspect machine’s OS. Investigators perform Live
Forensic Acquisition by running programmes in user space, communicating with forensic software agents
running on top of the suspect system’s OS (refer to Figure 3-7). In order to perform acquisitions, it is
necessary for the forensic investigator to request information from the OS via its Application Programming
Interface (API). This can potentially render evidence forensically unsound (Jones 2007:4,5).
[Figure content: Component 1: Access to the machine; controls: Legit search warrant; Cooperation from suspect; Cooperation from system administrator; Reasonable discovery]
Figure 13-4: Controls for accessing the machine (Own compilation)
13.3.2.1 Control 1: Thorough OS knowledge
Different types of OSs present different problems and opportunities. For example, Windows Vista includes
built-in encryption, backup and system protection features. BitLocker, the built-in encryption feature, is a
data protection feature that prevents a thief from viewing the protected files offline (Hargreaves & Chivers
2007:1,4).
Unfortunately, this feature also prevents Digital Forensic investigators from viewing the protected files,
unallocated space, pagefile and temporary folders offline. This feature prevents all access to temporary
decrypted data, keys and passwords necessary for a digital investigation. If the investigator has a
thorough, up-to-date knowledge of all technological advances with regard to OSs, he/she can recognise
a specific OS and adapt the acquisition plan to accommodate that specific OS.
13.3.2.2 Summary of Component 2
An OS is the crux of a computer and can determine whether a Live Forensic Acquisition can be
completed successfully or not. Unfortunately, this problem has only one identified control – to be up-to-
date with all OS features and developments. Figure 13-5 presents this control graphically.
[Figure content: Component 2: Dependency on OS; control: Thorough related knowledge]
Figure 13-5: Controls for OS dependency (Own compilation)
Once the investigator has gained access to the OS, the next potential chronological problem is any
possible data modification during the extent of acquisition. The next section looks at data modification
and its negative influence on a forensic investigation.
13.3.3 Component 3: Data modification
Any process can modify computer data during acquisition, from user applications to the OS itself. During
a forensic investigation, this may prove to be very detrimental in any circumstance and can potentially
lead to the dismissal of evidence from being used during a trial.
Unfortunately, this component is the most crucial and the most difficult to control. This section identifies
two controls, but neither addresses the most critical aspect of data modification as an absolute solution:
slurred images.
13.3.3.1 Control 1: Thorough forensic training
To prevent accidental data modification by forensic investigators, it is important to ensure that only
trained and qualified investigators access suspect machines. This training is not a once-off
occurrence, but should be redone every time a major new hardware or software development is
released. Training may not be a solution to the problem of data modification, but at least it provides
some mitigation in controlling most of the occurrences.
13.3.3.2 Control 2: Up-to-date research
There are two aspects of data modification that can benefit from current up-to-date research: slurred
images and anti-forensic packages. Slurred images are probably one of the most critical problems facing
forensic investigators. At the time of writing, there was no solution to this problem. The other major point
is anti-forensic packages (discussed in Paragraphs 2.3.2.2 and 4.2.3). Criminals are constantly busy
with new ideas to counter legitimate forensic investigations. As long as computers form an integral
part of everyday life, researchers need to look into ways to identify and mitigate the use of anti-forensic
packages.
For a relatively new discipline, such as Digital Forensics, it is always beneficial to keep up-to-date with
new developments and research. Although this may not be a proper solution, it does provide some
manner of control for data modification.
13.3.3.3 Summary of Component 3
Problems regarding data modification during acquisition make it difficult for investigators if they cannot
prove its legitimacy and demonstrate the authenticity of the evidence. This can limit the investigator’s
ability to prove the integrity and security of data in court, ensuring full acceptance of computer technology
by the judicial system and to establish a proper chain of custody (Amenya 2004:17). Figure 13-6
presents these controls graphically.
[Figure content: Component 3: Data modification; controls: Up-to-date research; Thorough forensic training]
Figure 13-6: Controls for data modification (Own compilation)
Once the investigator has acquired all the necessary evidence from the suspect computer, he/she needs to prove
the acquired evidence’s authenticity in a court of law. The next section looks at proving authenticity.
13.3.4 Component 4: Authenticity
One of the pillars of Information Security is authentication. Courts globally need to be sure that evidence
can be authenticated properly, before this evidence can be accepted in court. Traditional paper
documents have signatures or other identifying marks to demonstrate authenticity, whereas a typical e-
mail or electronic record needs to be authenticated in a different manner.
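The two threads running through Component 3 (data modification and slurred images) and Component 4 (demonstrating the authenticity of an acquired electronic record) can be made concrete with hashing and a documented audit trail. The Python below is an added example, not code from the thesis: it simulates a live source whose bytes change during acquisition, records per-chunk SHA-256 digests in an audit trail, verifies a stored image against that trail, and flags the chunks that were slurred between two passes. The device contents, the background process, the case identifier and the examiner name are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

CHUNK_SIZE = 16  # bytes per chunk; tiny so the constructed device stays readable


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class LiveSource:
    """Constructed stand-in for a running suspect system.

    Before every read, a simulated concurrent process (an OS or user
    application) modifies the bytes at the volatile offsets: the
    data-modification problem a live acquisition faces.
    """

    def __init__(self, contents: bytes, volatile_offsets):
        self.data = bytearray(contents)
        self.volatile = sorted(set(volatile_offsets))

    def read(self, offset: int, length: int) -> bytes:
        for off in self.volatile:  # simulated background activity
            self.data[off] = (self.data[off] + 1) & 0xFF
        return bytes(self.data[offset:offset + length])


def acquire(source: LiveSource, size: int, chunk_size: int = CHUNK_SIZE):
    """One acquisition pass over the live source.

    Returns the image and the per-chunk SHA-256 digests computed from the
    bytes actually written to the image, so the record is frozen as acquired.
    """
    image = bytearray()
    chunk_hashes = []
    for offset in range(0, size, chunk_size):
        block = source.read(offset, chunk_size)
        image += block
        chunk_hashes.append(sha256_hex(block))
    return bytes(image), chunk_hashes


def verify_image(image: bytes, chunk_hashes, chunk_size: int = CHUNK_SIZE) -> bool:
    """Re-hash a stored image chunk by chunk against the recorded digests.

    Any mismatch means the image changed after acquisition, or the audit
    trail does not belong to this image.
    """
    chunks = [image[i:i + chunk_size] for i in range(0, len(image), chunk_size)]
    if len(chunks) != len(chunk_hashes):
        return False
    return all(sha256_hex(c) == h for c, h in zip(chunks, chunk_hashes))


def slurred_chunks(hashes_pass1, hashes_pass2):
    """Indices of chunks whose content differed between two acquisition passes.

    This only locates where the image is slurred; it does not repair it.
    """
    return [i for i, (a, b) in enumerate(zip(hashes_pass1, hashes_pass2)) if a != b]


def build_audit_trail(case_id, examiner, image, chunk_hashes, slurred):
    """Documented audit trail that freezes the acquired record in time."""
    return {
        "case_id": case_id,  # constructed placeholder
        "examiner": examiner,  # constructed placeholder
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
        "image_size": len(image),
        "image_sha256": sha256_hex(image),
        "chunk_sha256": list(chunk_hashes),
        "slurred_chunks": list(slurred),
    }


def run_demo():
    """Acquire a constructed 64-byte device whose third chunk keeps changing."""
    contents = bytes(range(64))  # constructed device contents
    source = LiveSource(contents, volatile_offsets=[35])  # offset 35 lies in chunk 2
    image, hashes1 = acquire(source, len(contents))
    _, hashes2 = acquire(source, len(contents))  # second pass for comparison only
    slurred = slurred_chunks(hashes1, hashes2)
    trail = build_audit_trail("CASE-0000 (placeholder)", "Examiner (placeholder)",
                              image, hashes1, slurred)
    # The stored image verifies against its trail; a single flipped byte in a
    # later copy (simulated here) breaks verification.
    tampered = image[:5] + bytes([image[5] ^ 0xFF]) + image[6:]
    return trail, verify_image(image, hashes1), verify_image(tampered, hashes1)


if __name__ == "__main__":
    trail, stored_ok, tampered_ok = run_demo()
    print("image sha256:", trail["image_sha256"])
    print("slurred chunks:", trail["slurred_chunks"])
    print("stored image verifies:", stored_ok, "| tampered copy verifies:", tampered_ok)
```

The trail documents which chunks cannot be vouched for, which is the most an examiner can do for a slurred image; it does not make the slurred chunks authentic.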
13.3.4.1 Control 1: Testimony of witness with knowledge
When an organisation suffers some form of computer incident, the forensic investigator may be required
to perform the investigation and to testify as an expert witness for the prosecution. It is the expert witness’
function to collect evidence, examine it and present it to court. Accordingly, the expert witness needs to
understand his/her discipline thoroughly and have a good grasp of the nature of evidence. Additionally,
he/she should be aware of the various types of evidence and understand the conditions under which it
may be ruled inadmissible (Jones 2004:273).
The expert witness must “… provide factual specificity about the process by which the electronically
stored information is created, acquired, maintained and preserved without alteration or change or the
process by which it is produced of a system or process that does so” (LexisNexis 2007:3). Most witnesses
realise that their evidence can be crucial to the outcome of a trial. As a result, presentation of evidence
in court is an important element in the judicial decision making process.
The manner in which investigators give evidence, as well as their performance under cross-examination,
plays a major role in establishing the adequacy and integrity of the evidence (Stockdale & Gresham 1995:1).
Witnesses should take the following elements into consideration when preparing for a court appearance
(the accompanying CD, see Presenting evidence, provides additional information on these elements):
• Personal presentation – looks and composure;
• Cross-examination;
• Written notes;
• Proper procedural preparation;
• Proper court preparation; and
• Training.
The expert witness needs to help the court to reach a decision based on the evidence placed before it,
and not necessarily to secure a conviction. The role of the expert witness is purely to explain, as clearly and
concisely as possible, what he/she has seen, heard, recorded or done, honestly, impartially and without
exaggeration, in order to help the jury or magistrate to reach a decision (Stockdale & Gresham 1995:32).
13.4.4.2 Control 2: Comparison by the expert witness with a prior authenticated specimen
As discussed in Paragraph 13.4.4.1, expert witnesses generally have high credibility to be accepted in
court. Once this credibility has been accepted in court, the expert witness can attest to anything within
his/her specialised field. Therefore, the expert witness need not necessarily be part of the investigation
team, but can also give a credible opinion regarding evidence presented in the court.
This control links to the discussion of precedents in Paragraph 10.3.3. If an expert witness’ resume is
sufficient and accepted in court, he/she can provide an expert opinion based on similar cases. In the
event of prior authenticated specimens (for example, a printed email proven to be authentic), the expert
witness can give an expert opinion regarding the authenticity of the specimen.
13.4.4.3 Control 3: Circumstantial evidence of the evidence itself
This rule is the most frequently used to authenticate email, as the content of what the email says can
often authenticate it. People frequently use descriptive language in emails. It is often easy to determine
the authenticity of an email when it is read within context, especially if the email message has been
replied to several times.
For example, people may refer to ‘tonight’s movie’ or ‘a specific event happening next week’. People may
also refer to individuals or groups within the emails, allowing further authentication with minimal further
investigation. Especially with emails of a personal nature, people can often determine whether the
corresponding individual is who he/she claims to be by the manner in which the email is written (use of
emoticons and slang, language, reference to people/events both individuals have knowledge of).
Alternatively, the use of hashing (unique identifier attached to electronic information) can provide
distinguishing information about the evidence.
13.4.4.4 Control 4: Public records
This rule applies when the proponent of the evidence can show that the office from which the electronic
records were taken is the legal custodian of the records. In this event, the authenticity goes to the weight
of the evidence rather than admissibility.
An example of this control may be a fraudulent Curriculum Vitae investigation. Investigators can prove
that academic records in the suspect’s possession are either authentic or fraudulent by contacting the
academic institution involved to obtain the academic records they have on their books. It is generally
accepted that public organisations (such as academic institutions, telecommunication companies, ISPs
and solicitors) are the legal custodians of the records in their possession.
13.4.4.5 Control 5: Evidence produced as a result of an accurate process or system
This control is based on the assumption that an accurate process or system will repeatedly present the
same results. In the e-discovery context, this rule is satisfied by “… evidence describing the process or
system used to achieve a result and demonstration that the result is accurate” (LexisNexis 2007:4).
If a process or system consistently presents the same results after a repetitive process, the evidence can
be considered authentic. An example of such a process is the fingerprinting process, accepted
universally as accurate and consistent. If a fingerprint retrieved at the crime scene matches the
fingerprint of a suspect stored in the Automated Fingerprint Identification System (AFIS), and both the
fingerprint at the crime scene and the AFIS fingerprint were recorded according to the accepted
fingerprinting procedures, it can be accepted that the fingerprint match is authentic and accurate.
13.4.4.6 Control 6: Evidential weight
In the event that a court considers an electronic document admissible, its evidential weight needs to be
determined. This is the value a court will place on the information presented to it, in conjunction with
corroborative evidence that can convince it that a document is what it claims to be. By planning for the
inclusion of this supporting evidence, companies need to ensure that they capture, store and manage
electronic records in such a way as to maximise their evidential weight.
Firstly, the system should be able to freeze a record at a specific moment in time. In this sense, freezing
prohibits any further changes to the contents of a file, from a specific moment in time. Secondly, the
investigator needs to maintain a fully documented audit trail at all times. This audit trail provides supporting
information about the records that are being stored. The supporting information should also include:
• the author's name,
• the date the document/record was stored,
• the names of anyone who has accessed or made changes to the document,
• details of the changes made to the document and version control,
• details of movement of the document from medium to medium and from format to format,
• evidence of the controlled operation of the system in which the document is stored, and
• the authentication measures used when the file is moved (Information Age 2006:Internet).
13.4.4.7 Control 7: Digital Signatures
Digital signatures are in essence the signatures used to sign electronic documents, a secure method of
binding the identity of the signer with digital data integrity methods (Hosmer 2002:2). This signature is
generally a piece of code attached to an electronically transmitted message with the sole purpose of
establishing identity. Accordingly, it is possible to use digital signatures to establish legal responsibility
and the complete authenticity of the host document.
A digital signature performs a function similar to that of a tamper-proof seal on a physical evidence bag
(Interactive Advertising Bureau 2008:Internet). It uses a public key crypto-system where the signer uses
a secret key to generate a digital signature. By using the published public key certificate of the signer,
anyone can validate the signature generated by comparing the resulting number. This number is
generally between 512 and 4096 bits. Some of the most popular digital signature techniques are RSA
(Rivest-Shamir-Adleman), DSA (Digital Signature Algorithm) and PGP (Hosmer 2002:2).
One of the prominent advantages of using a digital signature is that it binds the identity of the object to
the integrity operation. It also prevents unauthorised regeneration of the signature without compromising
the private key. Disadvantages are the slow process and the effort needed to protect the private key
(Hosmer 2002:2). In addition, digital signatures cannot show any time related information: e.g., they cannot
show that a record has not been altered since a specific point in time (Klaff 2008:Internet).
13.4.4.8 Control 8: Hashing Techniques
Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that
represents the original string. Hashing can be applied to either index or retrieve items in a database,
since the shorter hashed key can be found much faster than the original key (Information Provider Technologies
2003:Internet). It is a form of security, taking digital fingerprints to validate the authenticity of data. When
a document is securely hashed, the hash value can legitimately determine whether a record has been
altered (Klaff 2008:Internet). The hashing method produces a fixed length large integer value, ranging
from 80 to 240 bits. This number represents the digital data. It is complicated to forge a hash value,
since it is difficult to construct new data resulting in the same hash (Hosmer 2002:2).
Some of the hashing techniques are SHA-1, MD5, MD4 and MD2. Hashing techniques are easy to use
and can detect both random errors and malicious alterations. On the other hand, it is necessary to
maintain secure storage of hash values. In addition, hashing techniques do not bind the object identity or
the time value with the hash value (Hosmer 2002:2).
13.4.4.9 Control 9: Timestamps
Timestamps address the time aspect of authenticity by binding a time value to electronic records.
However, there are a number of drawbacks associated with this system. Digital timestamping can be
employed to work in an organisation’s background to seal electronic records, making them resistant to
later tampering or alterations. Timestamps are secure, and can prove that electronic records are stored
in their original condition. Bodies such as the American National Standards Institute (ANSI) (Klaff
2008:Internet) regulate this.
According to Klaff (2008:Internet), the only solution available to address authenticity adequately whilst
remaining independent of any bias or compromise is digital timestamping using the hash-chain-link
method. This method affixes a file-agnostic hash value (a hash value that is not directly associated
with the file extension) and a secure timestamp to a digital record and then combines the hash, timestamp
and other traceable information to create a timestamp token. This token is then affixed to the record and
archived on a secure third-party server to ensure that the token is removed from any potential bias or
internal force.
An additional layer of security and independence is added by linking the token of each electronic record
to a hash chain created from an unbroken chain of electronic files. This hash chain is then widely
published to guarantee that any third party, such as a judge, can validate the authenticity of the token
and confirm its integrity. The publication ensures that not even the individuals with access to the tokens
can alter the hash chain. The use of trusted timestamping largely eliminates the costly and lengthy
process of proving authenticity during a trial (Klaff 2008:Internet).
The ideal situation is to create a timestamp that is resistant to manipulation. These timestamps should
be able to bind securely to specific digital evidence and be verified by a third party. This process, however,
can become quite complex, considering the following:
• the binding of time with digital data must occur within a trusted computing environment;
• the clock used as source for time stamping should be accurately calibrated;
• the calibration of the local clock used as the source for time stamping must be auditable;
• the validation of the resulting timestamps must be verifiable by the issuer as well as by any third
party verifier (Hosmer 2002:4).
13.4.4.10 Control 10: Checksums
Checksums are an easy method of checking for errors in digital data. This involves applying a 16- or 32-bit
polynomial to each byte of digital data that requires protection. This results in a small integer value
(either 16 or 32 bits in length) that represents the concatenation of the data. This integer value must be
securely saved, and can be used at any future time to determine the integrity of the protected data. If the
results match, some level of integrity exists (Hosmer 2002:2).
In general, checksums are easy and fast to compute. They require very little storage space and can
identify random errors. However, they offer low assurance against malicious attacks. Checksums are
simple to forge and require diligent maintenance. As with the hashing algorithms, checksums do not
bind the identity or timestamp to the protected data (Hosmer 2002:2).
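The hash values of Control 8, the timestamp tokens and published hash chain of Control 9, and the checksums of Control 10, worked through together as an added example that is not part of the thesis: SHA-256 stands in for the hashing techniques, a minimal hash-chain-link scheme for the timestamp token, and CRC-32 for the checksum. The record contents, timestamps and genesis value are constructed assumptions.

```python
"""Added example (not from the thesis): content-integrity controls on
constructed sample records. SHA-256 represents Control 8, the token and
hash chain represent Control 9, CRC-32 represents Control 10. Record
contents, timestamps and the genesis value are assumptions."""
import hashlib
import json
import zlib

GENESIS = "0" * 64  # assumed starting link of an empty chain

# Constructed sample records, standing in for data acquired from a live host.
RECORDS = [
    b"record-0001: running process list",
    b"record-0002: open network connections",
    b"record-0003: memory segment 0x0040-0x0080",
]
# Constructed acquisition times (UTC), one per record.
TIMES = [
    "2009-10-01T09:00:00+00:00",
    "2009-10-01T09:00:05+00:00",
    "2009-10-01T09:00:12+00:00",
]


def sha256_hex(data: bytes) -> str:
    """Control 8: fixed-length digest that represents the record content."""
    return hashlib.sha256(data).hexdigest()


def crc32_hex(data: bytes) -> str:
    """Control 10: 32-bit polynomial checksum; catches random errors only."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def make_token(data: bytes, timestamp: str, prev_link: str) -> dict:
    """Control 9: bind the record hash and a timestamp into a token and link
    it to the previous token; the link hashes all three fields together."""
    token = {"hash": sha256_hex(data), "timestamp": timestamp, "prev": prev_link}
    token["link"] = sha256_hex(json.dumps(token, sort_keys=True).encode())
    return token


def build_chain(records, times) -> list:
    """One token per record; each token's link depends on every earlier one."""
    prev, tokens = GENESIS, []
    for data, ts in zip(records, times):
        tok = make_token(data, ts, prev)
        tokens.append(tok)
        prev = tok["link"]
    return tokens


def verify_chain(records, tokens, published_head: str):
    """Third-party check (e.g. by the court): recompute every token from the
    records and compare the final link with the widely published value.
    Returns (ok, reason)."""
    if len(records) != len(tokens):
        return False, "record/token count mismatch"
    prev = GENESIS
    for i, (data, tok) in enumerate(zip(records, tokens)):
        if tok["prev"] != prev:
            return False, f"token {i}: link to previous token broken"
        if tok["hash"] != sha256_hex(data):
            return False, f"token {i}: record content altered"
        if make_token(data, tok["timestamp"], prev)["link"] != tok["link"]:
            return False, f"token {i}: token fields altered"
        prev = tok["link"]
    if prev != published_head:
        return False, "chain head differs from published value"
    return True, "chain verified"


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a single random error in a record."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


def integrity_report(original: bytes, altered: bytes) -> dict:
    """Which content-only controls notice a change? Neither value says
    anything about when the record existed; that is the token's job."""
    return {
        "crc32_detects": crc32_hex(original) != crc32_hex(altered),
        "sha256_detects": sha256_hex(original) != sha256_hex(altered),
    }


if __name__ == "__main__":
    chain = build_chain(RECORDS, TIMES)
    head = chain[-1]["link"]  # the value that would be widely published
    print(verify_chain(RECORDS, chain, head))
    # Back-dating one token after publication is caught when its link is
    # recomputed from its fields.
    tampered = [dict(t) for t in chain]
    tampered[1]["timestamp"] = "2009-09-30T23:59:59+00:00"
    print(verify_chain(RECORDS, tampered, head))
    print(integrity_report(RECORDS[0], flip_bit(RECORDS[0], 3)))
```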
13.4.4.11 Summary of Component 4
Ensuring the authenticity of any evidence can be a very tiresome duty. This section looked at some
controls that may help investigators to prove authenticity. Figure 13-7 presents these controls graphically.
Once the investigator has considered how he/she will prove the evidence’s authenticity, the final problem
that can be encountered is the court’s reluctance to accept digital or electronic evidence. The next
section looks at court acceptance.
[Figure 13-7 (diagram): Component 4: Authenticity; controls shown: Expert witness testimony, Comparison by expert witness with prior authenticated specimen, Circumstantial evidence, Public records, Evidence produced as result of accurate process or system, Evidential weight, Digital signatures, Hashing techniques, Timestamps, Checksums]
Figure 13-7: Controls for ensuring authenticity (Own compilation)
13.3.5 Component 5: Court acceptance
Computer technology and digital evidence have not always been accepted by the judicial system. Some
of the first electronic evidence was introduced to court in the early 1980s, although this practice only
became widely accepted in the 1990s (Gahtan 2005:Internet). With the technology changing constantly,
court officials need to stay up-to-date with new techniques and new technology practices. Without an
extensive knowledge of these developments, forensic investigators may have some trouble to introduce
digital evidence.
An investigator needs to possess a number of different core competencies in the Information Technology
field. Even within the smaller Digital Forensic discipline, the investigator needs to have a very extensive
knowledge to be regarded as an expert. In this context, it can be problematic when the judicial system,
expected to be experts on the legal aspects and processes, needs to be comfortable with the computer
technology as well.
It would be highly unlikely for the judges and lawyers to be experts on both legal aspects and computer
technology. However, they should be comfortable with the basic concepts, such as the range of OSs and
the most popular software applications (Janes 2000:44). In addition, expert witnesses need to be
competent enough to introduce new computer related concepts to the court and ensure that they accept
new and unfamiliar technologies.
13.3.5.1 Control 1: Awareness and education
In theory the easiest way to control the acceptance of new technological advances in court is by properly
making the court and the judicial officers aware of the technology. The easiest way to do this is by
training them in the basic disciplines. Unfortunately, many judges and lawyers are very focused on the
law and the application thereof, without sufficient knowledge of computers and the overlap between IT
and law. As a result, courts do not readily accept any technological advances.
To ensure that courts stay up-to-date with technological advances, academic institutions and legal
organisations need to ensure intermittent awareness campaigns to ensure that their students/employees
are aware of new technological developments. On a more active level, legal organisations should ensure
that employees all have a basic understanding of technology, and preferably attend a number of multi-
disciplinary courses.
13.3.5.2 Summary of Component 5
If the courts do not accept the electronic evidence, the Live Forensic Acquisition process has been done
in vain. Figure 13-8 presents this control graphically.
[Figure 13-8 (diagram): Component 5: Court acceptance; control shown: Awareness and education]
Figure 13-8: Controls for OS dependency (Own compilation)
All five components of the Scope dimension of the Liforac model have been discussed and presented
visually in relation to the Liforac model.
13.4 Summary
Chapter 13 showed in more detail what the Scope dimension of the Liforac model entails. This chapter
focused solely on the possible practical problems that may be encountered, as highlighted in Figure
13-2. From preliminary research and the literature study presented in Chapter 5, the Scope dimension of
the Liforac model divides into five prominent practical problems: Gaining access to a suspect system,
Dependency on an operating system, Possible data modification, Proving authenticity and Ensuring
acceptance in court. These five components are developed in the remainder of the chapter. Each
component is presented visually in relation with the dimension, showing possible controls for each of the
identified problems.
Chapter 13 was the last of the dimension specific chapters. Chapter 14 will now present a completed
Liforac model. The chapter will combine the information presented in Chapters 10, 11, 12 and 13 to
present the completed Liforac model.
Chapter 14: Presenting the Final Liforac model
“The purpose of science is not to analyse or describe but to make useful models of the world. A model is useful if it allows us to get use out of it.”
- Edward de Bono
This study, Liforac - A Model For Live Forensic Acquisition, divides into four distinct parts. Figure 1-1
presents these four parts with four cylinders, indicating succession and progress from the bottom of the
figure to the top. In Chapter 14, the progression of the Liforac model proceeds to the final compilation of
the model at the end of Part 4: Possibility of Sound Live Acquisition. Figure 14-1 presents the same
figure presented as Figure Part 4-1. This figure shows that the development of the Liforac model is
nearly complete.
Figure 14-1: The Liforac model development study (Own compilation)
The final model, presented in Part 4, has four dimensions: Laws and regulations (Chapter 10), Timeline
(Chapter 11), Knowledge (Chapter 12) and Scope (Chapter 13). The first three parts contribute drivers
that are necessary to build the Liforac model. Chapter 14 will now present the complete Liforac model as
a single guideline framework.
14.1 Introduction
This research study addressed the research problem first mentioned in Paragraph 2.1. “… At present,
forensic investigators cannot be certain that a court of law will consider Live Forensic Acquisition
techniques to be forensically sound. Neither can forensic investigators be certain that the evidence
acquired with Live Forensic Acquisition techniques are adequately comprehensive, compared with
evidence acquired with Dead Forensic Acquisition techniques, until further research have been done.”
The study progressed through four distinct parts and 13 chapters to present a single comprehensive,
forensically sound Live Forensic Acquisition model - the Liforac model. Chapter 14 will now present this
model in its final form.
14.2 Constructing the Liforac model
The Liforac model is presented as an interactive display on the accompanying AutoRun CD, MMG PhD 2009. The display
consists of nine buttons that link to a number of additional research works or information supplementing
the Liforac study. Figure 14-2 shows the main menu of the accompanying CD.
Figure 14-2: Screenshot - Main menu of the Liforac study accompanying CD
The Study overview button (indicated by an arrow in Figure 14-3) links to a new page that provides a
brief synopsis of the Liforac study. This menu offers four process flow animations, to indicate the flow of
action or information in the objectives of the study, the Dead Forensic Acquisition process, the Live
Forensic Acquisition process, as well as the generic Forensic Acquisition process. These animations do
not contribute new information to the study, but rather animate figures that were already presented in
earlier chapters of this study.
Figure 14-3: Screenshot - Menu options for Study overview
The Forensic tools button (indicated by an arrow in Figure 14-5 on page 234) links to an article that gives
more insight and details on the forensic tools discussed in Chapter 4 of the Liforac study. This article
addresses the increasing number of Digital Forensic tools available on the market and provides a basic
analysis of these tools to assist cyber investigators in selecting specific tools for their specific needs.
This article introduces a number of Digital Forensic investigative tools suitable for the Windows, Mac,
Linux and DOS platforms. It provides a brief overview of all the different platforms, and briefly compares
the abilities of forensic tools on these different platforms.
The WITSA report button (indicated by an arrow in Figure 14-5 on page 234) presents the full WITSA
report as compiled by McConnell International. This report contributes a number of astonishing statistics
in Chapters 7 and 8, and provides interesting reading material regarding cyber crime and cyber
legislation. This report analyses the state of the law in 52 countries around the world.
Figure 14-4: Screenshot - Menu option for Forensic tools
Figure 14-5: Screenshot - Menu option for WITSA report
The Legislation button (indicated by an arrow in Figure 14-6) gives some background on cyber crime
legislation. It addresses the growing use of computers and Information Technology that necessitates
legislation to control crimes emerging from these circumstances. It also links to a sample search warrant,
as referred to in Chapter 13. This sample is a Kansas District Court search warrant of the Kansas criminal
division, indicating variable data with yellow highlights. It should give a clear indication of what information
is required in a search warrant. The sample search warrant is a lengthy document, emphasising the
importance of a complete document.
Figure 14-6: Screenshot - Menu options for Legislation
The Presenting evidence button (indicated by an arrow in Figure 14-7 on page 236) links to an article
that provides guidelines for forensic investigators that need to present evidence in court. Although this
article is written specifically for forensic investigators, many of these guidelines can also be applied to
other investigators that need to present evidence in court. This article has been submitted for review to
be published in an international business management journal.
The Liforac model button (indicated by an arrow in Figure 14-8 on page 236) links to the interactive part
of the study. This section demonstrates the Liforac model, with its four dimensions and briefly discusses
each dimension with its respective drivers. This button is the main graphical display often referred to
throughout the study.
Figure 14-7: Screenshot - Menu option for Presenting evidence
Figure 14-8: Screenshot - Menu option for Liforac model
The Publications button (indicated by an arrow in Figure 14-9) links to a number of published papers and
conference proceedings generated from the Liforac model research. Since Live Forensics is a relatively
new discipline globally, and Digital Forensics itself has not yet proven itself suitably in South Africa, there
are numerous opportunities to publish and present information on this topic. This button links directly
with the next button, presented in Figure 14-10.
Figure 14-9: Screenshot - Menu options for Publications
The Presentations button (indicated by an arrow in Figure 14-10 on page 238) links to a number of
conference presentations, keynote addresses and media reports related to this study. Within the South
African context, both forensic scientists and the general public are keen to learn more about this
emerging criminal investigation methodology. All of these publications and presentations have been
published on the CSIR’s research space.
The Glossary button (indicated by an arrow in Figure 14-11 on page 238) links to the webpage designed
for the glossary of the study. This glossary can be viewed by selecting a letter of the alphabet at the top of
the screen. The glossary is composed of words and terms originating from the Liforac study. It largely
consists of forensic related words and terms, but some ambiguous terms encountered in the study are
also included.
Figure 14-10: Screenshot - Menu options for Presentations
Figure 14-11: Screenshot - Menu option for Glossary
14.3 Summary
Part 4 forms the crux of this investigation and brings together all the different aspects of the study. This
part comprises seven chapters of the study and presents the climax and conclusions of the study. Part 4
links the entire research study together, presenting the Liforac model for Live Forensic Acquisition
founded on the first three parts of the document. Chapter 14 wraps up the research aspects of the
Liforac model and presents the study as an interactive CD display.
Chapter 15 is the final chapter of the study, and concludes with the lessons learned and way forward.
This chapter also critically appraises the work done in the study, and states whether all the objectives set
out in Chapter 2 have been complied with.
Chapter 15: Closure
“Searching for traces is not, as much as one could believe it, an innovation of modern criminal jurists. It is an occupation probably as old as humanity. The principle is this one. Any action of an individual, and obviously, the violent action constituting a crime, cannot occur without leaving a mark. What is admirable is the variety of these marks. Sometimes they will be prints, sometimes simple traces, and sometimes stains.”
- Dr. Edmond Locard
This study, Liforac – A Model For Live Forensic Acquisition, focused on the further development of the
Live Forensic discipline. The motivation of this study is based on the hypothesis that allows forensically
sound acquisition to stand fast in a court of law. This study showed that Live Forensic Acquisition is as
comprehensive as Dead Forensic Acquisition.
Chapter 2 argued that criminals are constantly pushing the boundaries of technology. They are now
using computers to extend the range of activities they can perform and create new innovative ways of
using technology. Accordingly, new types of crime have surfaced in the virtual world, whilst traditional crimes
are committed using advanced technology. Both these phenomena lead to a dire need for advanced
cyber crime fighting techniques – Live Forensic Acquisition, as addressed by this research study.
15.1 Introduction
The research problem, introduced in Paragraph 2.1, states that the development of Live Forensic
Acquisition, albeit a remedy for the problems introduced by Dead Forensic Acquisition, introduces a
variety of additional difficulties, unique to the instance of Live Forensic Acquisition. These difficulties
affect the forensic soundness of Live Forensic Acquisition.
This research study discussed the development of a model for Live Forensic Acquisition - Liforac. The
Liforac model is a comprehensive model that presents all aspects related to Live Forensic Acquisition,
suggesting ways in which a Live Forensic Acquisition should take place to ensure forensic soundness
and address the research problem. The study is divided into four distinct parts, each part contributing
directly to the forensically sound Liforac model. The four parts of the study (originally presented in Figure
1-1) in chronological order are:
• Part 1: Setting the Scene;
• Part 2: Live Forensic Acquisition;
• Part 3: Digital Forensics and the Judicial System; and
• Part 4: The Possibility of Sound Live Forensic Acquisition.
These four parts are designed to help with the development of the final forensically sound model,
presented in Chapter 14. The first three parts contributed drivers necessary to build the model, whilst the
last part focused on the actual development and construction of the model. The next section discusses
each of the 15 chapters to determine whether the study reached its goals and objectives.
15.2 Discussion of the Research Study
At present, forensic investigators cannot be certain that a court of law will consider Live Forensic Acquisition
techniques to be forensically sound. Neither can forensic investigators be certain that the evidence
acquired with Live Forensic Acquisition techniques is adequately comprehensive, compared with
evidence acquired with Dead Forensic Acquisition techniques, until further research has been done.
In view of that, this thesis developed a model that underwrites comprehensive forensically sound Live
Forensic Acquisition. Table 15-1 shows the four parts and 15 chapters of the study, with their respective
critical assessment.
Table 15-1: Critical appraisal of the Liforac model development (Own compilation)
Part/Chapter | Contents | Assessment
Chapter 1: Liforac - A Model For Live Forensic Acquisition
Contents:
− introduces the study
Part 1: Setting the Scene
Contents:
− concise introduction to the field of Digital Forensics
− introduces important forensic concepts
Chapter 2: Introduction
Contents:
− provides background knowledge
− lays out the objectives
− research methodology
− objectives and limitations
Assessment:
− Deliverable:
  • Glossary
− Lists sub objectives
− Lists research problem
Chapter 3: The Digital Forensic Discipline
Contents:
− introduces traditional and Live Forensic Acquisition techniques
− comparison between techniques
− Digital Forensic principles
− step-by-step Forensic Acquisition process
Assessment:
− Deliverable:
  • Glossary
− Links to sub objective A
− Addresses research problem
Part 2: Live Forensic Acquisition
Contents:
− focuses on the internal workings of the Live Forensic technology
− lays the foundation for the application of Live Forensic Acquisition as sound practice
− familiarises the reader with the concept of forensic soundness and inadmissibility in a court of law
Chapter 4: Forensic Tools
Contents:
− literature survey of some of the popular Digital Forensic tools
− basic understanding of how Digital Forensics works and ways in which forensic tools can assist investigators
− identifies current limitations in the Live Forensic discipline
Assessment:
− Deliverable:
  • forensic tool assessment (CD)
− Links to sub objective A
− Addresses research problem
Chapter 5: Current Application of Live Forensics
Contents:
− provides background knowledge on the developing Live Forensic technology
− looks at advances of Live Forensic Acquisition
− focuses on the problems that arise with the application of Live Forensics
− introduces forensic concepts such as evidential weight and validity of digital evidence
− discussion on currently applied software and hardware Live Forensic techniques
Assessment:
− Deliverables:
  • current Live Forensic methods/techniques
  • glossary
− Links to sub objective B
− Addresses research problem
Chapter 6: Forensically Sound Live Forensic Acquisition Admissible in Court
Contents:
− focuses on the term forensic soundness
− measures different kinds of evidence retrieved through Live Forensic techniques
− identifies potential problems that may render digital evidence inadmissible in court
− compares Digital Forensics with Physiological Forensics
− discusses the volatile nature of Digital Forensics
Assessment:
− Deliverable:
  • Glossary
− Links to sub objective C
− Addresses research problem
Part 3: Digital Forensics and the Judicial System
Contents:
− investigates the legalities of cyber crime and Digital Forensics
Chapter 7: Cyber Crime and Criminals
Contents:
− looks at the classification of cyber crime
− investigates the reasons for cyber crime
− investigates the occurrence of cyber crime
− defines the difference between cyber crime and crime committed in the real world
− lists famous court cases in which cyber crime played a major role
Assessment:
− Deliverable:
  • cyber crime definition
− Links to sub objective D
Chapter 8: Cyber Crime Legal Aspects
Contents:
− identifies current global laws addressing cyber crime
Assessment:
− Deliverable:
  • cyber crime
Liforac - A Model For Live Forensic Acquisition
Martha Maria Grobler 244 of 268 Chapter 15
PPaarrtt//CChhaapptteerr CCoonntteennttss AAsssseessssmmeenntt
Chapter 8
Cyber Crime Legal
Aspects
(continued)
− identifies a cyber crime framework
− identifies legal challenges regarding Forensic Acquisition
− discusses the legal acceptance of Digital Forensic evidence
legislation
• cyber crime framework
− Links to sub objective E
− Addresses research problem
Part 4
The Possibility of
Sound Live
Forensic Acquisition
− proposes the Liforac model
− presents the model dimension by dimension
Chapter 9
Building a Model
− presents the framework for the planned model for Live Forensic Acquisition
− defines a model and presents a visual representation of the generic model of this study
− Deliverable:
• model framework
− Addresses research problem
Chapter 10
Laws and
Regulations
Dimension
− looks in detail at the dimension concerning laws and regulations relevant to Digital Forensics
− shows the segregation of this dimension into:
• Common crime laws applicable to cyber crime
• Specific cyber laws
• Court cases and precedents
• Definition of court admissibility
− Deliverable:
• model dimension
− Addresses research problem
Chapter 11
Timeline
Dimension
− looks in detail at the sequential order in which investigators need to perform actions to ensure sound Live Forensic Acquisition
− shows the segregation of the Timeline
dimension into:
• implied and explicit processes
• three related timeframes
− Deliverable:
• model dimension
− Addresses research problem
Chapter 12
Knowledge
Dimension
− looks in detail at the training and skills needed by people involved in Live Forensic Acquisition
− shows the segregation of the Knowledge
dimension into:
• Law
• Forensic Sciences
• Social Sciences
• Information Systems
• World Security Trends and Events
• Computer Science
• New technology
− Deliverable:
• model dimension
− Addresses research problem
Liforac - A Model For Live Forensic Acquisition
Martha Maria Grobler 245 of 268 Chapter 15
PPaarrtt//CChhaapptteerr CCoonntteennttss AAsssseessssmmeenntt
Chapter 13
Scope Dimension
− looks in detail at the problems associated with Live Forensic Acquisition
− shows the segregation of this dimension:
• Gaining access to the suspect machine
• Dependency on the OS
• Data modification
• Authenticity
• Court acceptance
− Deliverable:
• model dimension
− Addresses research problem
Chapter 14
Presenting the
Final Liforac model
− presents the final model for complete, forensically sound Live Forensic Acquisition
− Deliverable:
• Liforac model
− Addresses research problem
Chapter 15
Closure
− concludes the study
− justifies the development of the Liforac
model for comprehensive, forensically
sound Live Forensic Acquisition
The original research objective (refer to Paragraph 2.2) is to develop a model that comprehensively
presents aspects related to Live Forensic Acquisition. This Liforac model is developed in such a way as to
provide guidance to forensic investigators on four distinct levels (the four domains identified in the Liforac
model). The model suggests ways in which a Live Forensic Acquisition should take place to ensure
forensic soundness. From the information presented in Table 15-1, the conclusion is that this research
study completed the tasks set out in Chapter 2. Table 15-1 also clearly indicates which chapters
addressed the sub objectives specified in Figure 2-2.
The most important deliverable of this study is the Liforac model, although the accompanying CD also
presents a number of additional information sources that can be used by forensic investigators. The next
section looks at some of the problems encountered during this study.
15.3 Problems Encountered
Although the study addressed all the necessary issues to be regarded as a success in the development
of the Live Forensic discipline, a number of obstacles limited the study. Many of these limitations were
envisioned at the start of the study, whilst some were only realised during the research and development
stages.
Due to the nature of the field of study, the majority of the references are Internet-based. Digital Forensics,
and specifically the specialised Live Forensic discipline, is not as well established as other areas of the
security field. The printed resources on this subject are very limited. Available resources are limited to
either product fact sheets or blogs maintained by so-called cyber experts. The fact sheets focus on selling
the products and often present a more optimistic image than the real-life products do. Blogs, on the other
hand, present vivid real-life encounters with Live Forensics, but are often opinionated and not scientific in
nature.
Another source of information is personal interviews. However, the number of skilled South African
scientists available for interviews is very limited. By attending and presenting a paper at an international
forensic conference in Germany in September 2008, it was possible to set up a small network of contacts
with some international forensic scientists. Most of these scientists are based in Germany and their
expertise in the field of forensics (especially Live Forensics) is far beyond the current South African
abilities and knowledge network.
The cost of software and training makes it nearly impossible to do a proper comparison between the
forensic tool suites. Most forensic organisations are equipped with only one, occasionally two, forensic
suites. The cost per person for specialised training, combined with the initial cost of the software, the
annual licence fees and the maintenance of the forensic workstation, makes a thorough forensic education
and practice nearly impossible. To counter this specific limitation, software-developing organisations in
Italy have developed open source forensic tools (Forte 2008c:Presentation). However, at the time of
writing the functionality of these packages had not been tested thoroughly in comparison with
commercially available forensic suites.
Another problem encountered during this study was my lack of practical experience. Although I learned
a lot about both the theoretical and practical sides of Digital Forensics, the actual practical application of
the research is very limited. Due to the sensitive nature of forensic investigations, it is not always
possible to observe real acquisitions and investigations. In the original planning of this study, I intended
to follow a number of court cases involving Digital Forensic evidence closely. The plan included developing
a case study and observing the court procedures. However, very few public cases involving Digital
Forensic evidence made it to South African courts during the research period.
These listed problems and limitations made for a very challenging study. Despite these problems, the
information gathered and the model developed are of great academic value. The next section looks at the
way forward with regard to research in the Live Forensic discipline and the Liforac model.
15.4 The Way Forward
The human dependency on computers allows the infiltration of computer technology into almost all aspects
of human life. Accordingly, where computers are involved, there will always be room for further research
and development.
This study presented information on a relatively new field of expertise. Accordingly, many of the topics
covered by this study can be investigated in more depth. Not only will this study then serve as the
starting point of a more extensive forensically sound Live Forensic Acquisition model, but it can also be
seen as a pioneering step in developing the Digital Forensic discipline. Compared to their counterparts in
many other countries, South African forensic scientists lack knowledge and experience regarding both
Digital Forensics and Live Forensics.
Since the Live Forensic Acquisition technique is relatively new and unexplored, it is difficult to identify
appropriate measurement instruments beforehand. Possible future work can look at identifying these
measurement instruments. Chapter 8 of this study touched on Digital Forensic Governance, another
new area that needs more in-depth investigation.
One of the main problems encountered during the Live Forensic process is slurred images (discussed in
Paragraph 5.2.3). The research done to develop the Liforac model did not result in a solution for this
problem. Future research into this aspect can greatly enhance the efficiency of the discipline.
The links made between Digital Forensics and Heisenberg's uncertainty principle, as well as Digital
Forensics and Herzberg's motivation/hygiene theory, also warrant further research. This thesis briefly
touched on both relationships, but the additional research may prove vital to the further development of
the discipline.
This study developed the Liforac model within the context of the South African environment and
legislation. Further research may be done to establish the applicability of this model in an international
context.
Despite a number of limitations and practical problems, the study allows for future research topics. The
Digital Forensic discipline still has a number of aspects that can be investigated and researched.
15.5 Summary
The development of the Live Forensic discipline and the Live Forensic Acquisition technique instigated
the development of a method that allows forensically sound acquisition to stand fast in a court of law.
This study showed that Live Forensic Acquisition is as comprehensive as Dead Forensic Acquisition, by
considering the general Digital Forensic discipline, forensic tools, practical problems experienced during
acquisition, legal aspects and cyber crimes.
Considering the study as a whole, it successfully completed all the objectives set out to present a
forensically sound Live Forensic Acquisition model. This study concludes with the observation that Digital
Forensics allows individuals to analyse data from the past - not only is this a great opportunity for forensic
scientists, but it is a serious responsibility that needs to be handled with sufficient respect and awe.
References
AC see ASSOCIATED CONTENTS ASSOCIATION (AC)
ACPO see ASSOCIATION OF CHIEF POLICE OFFICERS (ACPO)
AFENTIS. Information Insurance. s.a. Digital evidence case preparation. URL: http://www.afentis.com/
digital_evidence_case_prep_part2.html Date of access: 17 March 2008.
ALINK, W., BHOEDJANG, R.A.F., BONCZ, P.A. & DE VRIES, A.P. 2006. XIRAF - XML-based
indexing and querying for digital forensics. Digital investigation, 3, Suppl. 1:50-58.
AMENYA, M. 2004. Recovering, examining and presenting computer forensic evidence in court. URL:
www.csam.montclair.edu/~robila/SECURITY/F2004_P/P6/finalcomputerforensics.doc Date of access:
9 June 2008.
ASSOCIATED CONTENTS ASSOCIATION. 2007. The Univac was the first commercial computer
circa 1950. Associated content - the people's media company. URL: http://www.associatedcontent.com/
article/380960/the_univac_was_the_first_commercial.html Date of access: 4 April 2008.
ASSOCIATION OF CHIEF POLICE OFFICERS. 2007. Good practice guide for computer-based electronic
evidence. London: 7Safe.
AUSTRALIAN GOVERNMENT. 2008. How do I protect and handle magnetic media? URL: http://www.
naa.gov.au/records-management/secure-and-store/physical-preservation/faq/magnetic-tape.aspx Date of
access: 25 February 2008.
BAGGILI, I. 2006. Search and seizure from a digital perspective: a reflection on Kerr’s Harvard Law -
review article. URL: http://www.forensicfocus.com/downloads/ReflectionOnKerr.pdf Date of access: 22
August 2008.
BATTISTONI, R., DI PIETRO, R., DI BIAGIO, A., FORMICA, M. & MANCINI, L.V. 2008. A live digital
forensic system for windows networks. IFIP-SEC 2008. URL: http://www.slideshare.net/rbattistoni/live-
digital-forensic-foxp Date of access: 31 July 2009.
BEDFORD, M. 2005. Methods of discovery and exploitation of host protected areas on IDE storage
devices that conform to ATAPI-4. Digital investigation, 2(4):268-275.
BEJTLICH, R. 2006. Forensically sound evidence. Tao security. URL: http://taosecurity.blogspot.com/
2006/08/forensically-sound-evidence.html Date of access: 20 March 2008.
BERGHEL, H. 2003. Malware month. Digital village, 46(12):15-19.
BHASKAR, R. 2006. State and local law enforcement is not ready for a Cyber Katrina.
Communications of the ACM, 49(2):81-84.
BRENNER, S.W. 2004. Toward a criminal law for cyberspace: product liability and other issues.
Journal of technology law and policy, 5, Art. 1:9-17.
BRIGHTFORENSICS. 2009. Helix 3 enterprise. URL: http://www.brightforensics.com/h3e.php Date of
access: 30 July 2009.
BROUCEK, V. & TURNER, P. 2002. Bridging the divide: rising awareness of forensic issues amongst
systems administrators. 3rd International System Administration and Networking Conference, May 27-
31, Maastricht, The Netherlands. p. 42-49.
BROWN, C.L.T. 2005a. Computer evidence: collection and preservation. Charles River Media. URL:
http://www.charlesriver.com/resrcs/chapters/1584504056_1stChap.pdf Date of access: 18 April 2008.
BROWN, C.L.T. 2005b. Benefits and techniques for live investigations. HTCIA International. URL:
http://toorcon.techpathways.com/uploads/HTCIA2005-LiveInvestigations.pdf Date of access: 17 August 2008.
BRUNGS, A. & JAMIESON, R. 2005. Identification of legal issues for computer forensics. Information
systems management, 22(2):57-66.
BUSINESS WIRE. 2005. Experts available to discuss increased use of digital evidence in courts. URL:
http://findarticles.com/p/articles/mi_m0EIN/is_2005_Jan_31/ai_n9491984 Date of access: 18 March 2008.
CARRIER, B.D. & GRAND, J. 2003. A hardware-based memory acquisition procedure for digital
investigations. Digital investigation, 1(1):50-60.
CARRIER, B.D. 2006. Basic digital forensic investigation concepts. URL: http://www.digital-evidence.
org/di_basics.htm Date of access: 16 January 2008.
CARVEY, H. 2005. Windows forensics and incident recovery. Cape Town: Addison-Wesley.
CARVEY, H. 2007. Thoughts on live forensic acquisition. URL: http://windowsir.blogspot.com/2007/
06/thoughts-on-live-acquisition.html Date of access: 10 January 2008.
CASEY, E. 2000. Digital evidence and computer crime: forensic science, computers and the internet.
San Diego: Academic Press.
CASEY, E. 2004a. Digital evidence and computer crime: forensic science, computers and the internet.
2nd ed. San Diego: Academic Press.
CASEY, E. 2004b. Tool review: remote forensic preservation and examination tools. Digital investigation,
1:274-297.
CASEY, E. 2007. What does “forensically sound” really mean? Digital investigation, 4(2):49-50.
CHEESEMAN, H.R. 2005. Contemporary business and online commerce law. 5th ed. Reihe: Prentice
Hall.
CHIZOBA, O.M. 2005. Cyber crime. URL: www.takingitglobal.org/action/projects/download.html/
4926/CYBER%20CRIME%20ABUJA.doc Date of access: 4 April 2008.
CHURCH, C.A. 2007. Long term hard drive storage and data integrity. URL: http://photo.net/bboard/q-
and-a-fetch-msg?msg_id=00NXpz Date of access: 25 February 2008.
CIARDHUÁIN, S.O. 2004. An extended model of cybercrime investigations. International journal of
digital evidence, 3(1):1-22.
CLARKE, R. 2004. Maroochy sewage cyber-terrorism. URL: http://mailman.anu.edu.au/pipermail/link/
2004-April/056025.html Date of access: 14 July 2009.
COETZEE, R. 2009. Personal interview on 13 August 2009. (Senior manager: Digital Forensic
Support Services.)
COHEN, F. 2006. Challenges to digital forensic evidence. Cyber Crime Summit. URL: http://all.net/
Talks/CyberCrimeSummit06.pdf Date of access: 28 August 2008.
COMPUTER FORENSICS TOOLKIT. 2005. Computer forensics checklists. URL: http://computer-
forensics.privacyresources.org/forensic-checklists.htm Date of access: 26 February 2008.
COMPUTER HISTORY MUSEUM. 2009. First data storage mechanism. URL: http://www.coe.uh.edu/
courses/cuin7317/students/museum/slong.html Date of access: 18 August 2009.
COMPUTER NETWORK DEFENCE. 2007. Anti-forensic tools. URL: http://www.networkintrusion.co.uk
/foranti.htm Date of access: 20 June 2008.
CONSTITUTIONAL COURT. s.a. The Constitution – Constitution of the Republic of South Africa. URL:
http://www.constitutionalcourt.org.za/site/constitution/english-web/schedules.html#s6 Date of access: 11
February 2010.
COREN, M. 2005. Digital evidence: today’s fingerprints. CNN. URL: http://www.cnn.com/2005/LAW/
01/28/digital.evidence/index.html Date of access: 17 March 2008.
CRANTON, T. 2008. Microsoft calls on global public-private partnerships to help in the fight against
cybercrime. URL: http://www.microsoft.com/presspass/features/2008/apr08/04-28crantonqa.mspx Date
of access: 2 June 2008.
CYBER FORENSICS. 2007. Cyber forensics investigation. URL: http://www.cyber-forensics.ltd.uk/
Date of access: 2 June 2008.
CYBERANGELS. 2007. A program of guardian angels. URL: http://www.cyberangels.org Date of
access: 25 June 2008.
DANIEL, L. 2006. Digital forensics. URL: http://www.aoc.state.nc.us/www/ids/Defender%20Training/
2006%20Investigators%20Conference/Computer%20Forensics%20Prsentation.pdf Date of access:
17 March 2008.
DAUBERT v. MERRELL DOW PHARMACEUTICALS, Inc. 1993. 509 U.S. 579, 589. URL: http://caselaw.
lp.findlaw.com/scripts/getcase.pl?court=US&vol=509&invol=579 Date of access: 18 August 2009.
DIBS USA Inc. 2008. Computer forensic equipment. URL: http://www.dibsusa.com/products/
products.asp Date of access: 5 June 2008.
DSTV. 2008. Shark episode 15: One hit wonder. Originally aired on 13 May 2008 on CBS. Aired in
South Africa on 12 December 2008 at 19:30 on MNET.
DU BOIS, F. 2007. Wille's principles of South African law. 9th ed. Cape Town: Juta & Co.
EHRLICH, D. 2002. Instructional design, 2. URL: http://www.neiu.edu/~dbehrlic/hrd408/glossary.htm
Date of access: 23 April 2008.
FBI see FEDERAL BUREAU OF INVESTIGATION
FEDERAL BUREAU OF INVESTIGATION (FBI). 2007. Digital forensics: it's a bull market. URL:
http://www.fbi.gov/page2/may07/rcfl050707.htm Date of access: 18 March 2008.
FEI, B.K.L. 2007. Data visualisation in digital forensics. Pretoria: University of Pretoria. URL:
http://upetd.up.ac.za/thesis/submitted/etd-03072007-153241/unrestricted/dissertation.pdf Date of
access: 17 January 2008.
FISHEL, J. & GRIFFIN, J. 2008. Military looking abroad for source of cyber attack on Pentagon. URL:
http://www.foxnews.com/politics/2008/11/21/source-cyber-attack-pentagon-come-china/ Date of access:
28 November 2008.
FORTE, D.V. 2008a. Volatile data vs. data at rest: the requirements of digital forensics. Network
security, 6:13-15.
FORTE, D.V. 2008b. Computer forensics: are you qualified? Computer fraud & security, 1:18-20.
FORTE, D.V. 2008c. Advances in digital investigations: research, open source and commercial tools.
(ISSA Conference 2008, 7-9 July 2008. Johannesburg, South Africa. p. 1.)
FRENCH, E. 2008. Will technology take over the world? URL: http://www.helium.com/items/609726-
will-technology-take-over-the-world Date of access: 28 November 2008.
FROWEN, A. 2009. Cloud computing and computer forensics. URL: http://www.articlesnatch.com/
Article/Cloud-Computing-And-Computer-Forensics/663389 Date of access: 10 February 2010.
GAHTAN, A.M. 2005. Computer technology invades litigation practice. URL: http://www.gahtan.com/
alan/articles/ctechlit.htm Date of access: 30 June 2008.
GALLO, V. 2008. Stand clear of the computer! DeticaForensics. URL: http://www.deticaforensics.com/
images/pdfs/LivePresentation.pdf Date of access: 30 July 2009.
GARDNER, R. 2000. Notification of judgement: Kilgore v. Boyd (U.S.). URL: http://www.fact.on.ca/
Info/pas/pasnote.htm Date of access: 26 March 2008.
GHELANI, S. 2006. Chain of custody: a suspect’s chargesheet. URL: http://www.niiconsulting.com/
checkmate/2006/02/chain-of-custody-a-suspects-chargesheet/ Date of access: 25 February 2008.
GIORDANO, J. & MACIAG, C. 2002. Cyber forensics: a military operations perspective. International
journal of digital evidence, 1(2):1-13.
GLEASON, B.J. 2007. Digital evidence and computer crime. URL: http://thinairlabs.com/ifsm498x/
ifsm498x_01_p9.pdf Date of access: 8 September 2009.
GRANCE, T., KENT, K. & KIM, B. 2004. Computer security incident handling guide: Recommendations
of the National Institute of Standards and Technology. National Institute of Standards and Technology.
Special Publication 800-61. Technology Administration. U.S. Department of Commerce. URL:
http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf Date of access: 17 January 2008.
GROBLER, C.P. & LOUWRENS, C.P. 2009. High-level integrated view of digital forensics. (ISSA 2009
Conference, 6-8 July 2009, University of Johannesburg, South Africa. p. 1.)
HAGGERTY, J. & TAYLOR, M. 2006. Managing corporate computer forensics. Computer fraud &
security, 6:14-16.
HALDERMAN, J.A., SCHOEN, S.D., HENINGER, N.A., CLARKSON, W., PAUL, W., CALANDRINO,
J.A., FELDMAN, A.J., APPELBAUM, J. & FELTEN, E.W. 2008. Lest we remember: cold boot attacks
on encryption keys. (Proceedings 2008 USENIX Security Symposium. 16 p.)
HARGREAVES, C. & CHIVERS, H. 2007. Potential impacts of Windows Vista on digital investigations.
ForensicFocus. URL: http://www.forensicfocus.com/downloads/potential-impact-windows-vista.pdf Date
of access: 25 August 2008.
HARRIS, G. 2008. US accuses Gary McKinnon of hacking crime. Times online. URL: technology.
timesonline.co.uk/tol/news/tech_and_web/article4186428.ece Date of access: 25 June 2008.
HEISENBERG, W. 1930. Physikalische Prinzipien der Quantentheorie. Leipzig: Hirzel. English
translation: The physical principles of quantum theory. Chicago, Ill.: University of Chicago Press.
HG.ORG. Worldwide Legal Directories. 2008. Criminal law: penal law. URL: http://www.hg.org/
crime.html Date of access: 30 October 2008.
HILL, J. 2008. Some BU students’ social security info e-mailed to others. Pressconnects.com. URL:
http://www.pressconnects.com/apps/pbcs.dll/article?AID=/20080317/NEWS01/803170361 Date of access:
25 March 2008.
HILLEY, S. 2007. Anti-forensics with a small army of exploits. Digital investigation, 4(1):13-15.
HOSMER, C. 2002. Proving the integrity of digital evidence with time. International journal of digital
evidence, 1(1):1-7. URL: http://www.utica.edu/academic/institutes/ecii/publications/articles/9C4EBC25-
B4A3-6584-C38C511467A6B862.pdf Date of access: 25 March 2008.
HULME, G. 2008. Medical records for 2500 study participants are stolen. Information week. URL:
http://www.informationweek.com/blog/main/archives/2008/03/medical_records.html Date of access: 25
March 2008.
IACIS see INTERNATIONAL ASSOCIATION OF COMPUTER INVESTIGATIVE SPECIALISTS (IACIS)
ICRC see INTERNATIONAL COMMITTEE OF THE RED CROSS (ICRC)
IMDB see INTERNET MOVIE DATABASE (IMDB)
INFORMATION AGE. 2006. Court is in session. URL: http://www.information-age.com/articles/
284751/court-is-in-session.thtml Date of access: 23 June 2008.
INFORMATION PROVIDER TECHNOLOGIES. 2003. Ask the deacon. URL: http://www.infoprovider.
com/infobase/h.html Date of access: 30 June 2008.
INTERACTIVE ADVERTISING BUREAU. 2008. Glossary. URL: http://www.iab.net/resources/
glossary_d.asp Date of access: 24 June 2008.
INTERNATIONAL ASSOCIATION OF COMPUTER INVESTIGATIVE SPECIALISTS. 2007. IACIS, The
International Association of Computer Investigative Specialists. URL: http://www.cops.org/ Date of
access: 11 August 2008.
INTERNATIONAL COMMITTEE OF THE RED CROSS. 2005. International Humanitarian Law: Treaties
and documents. URL: http://www.icrc.org/ihl.nsf/WebART/585-22?OpenDocument Date of access: 15
January 2008.
INTERNATIONAL STANDARDS ORGANISATION. 2009. ISO/IEC JTC 1/SC 27 N7570. Text for ISO/IEC
1st WD 27037: Guidelines for identification, collection and/or acquisition and preservation of digital evidence.
Working draft.
INTERNET MOVIE DATABASE. 2008. Internet movie database. URL: www.imdb.com Date of
access: 28 November 2008.
INTERPOL. 2007. Cyber-crime. URL: http://www.interpol.int/Public/ICPO/FactSheets/FHT02.pdf Date
of access: 17 January 2008.
ISO see INTERNATIONAL STANDARDS ORGANISATION
JANES, S. 2000. The role of technology in computer forensic investigations. Information security
technical report, 5(2):43-50.
JISC LEGAL. 2005. IT law for FE and HE senior management. JISC Legal. URL: www.jisclegal.ac.
uk/pdfs/itlawforseniorman.pdf Date of access: 10 January 2008.
JONES, R. 2004. Your day in court: the role of the expert witness. Digital investigation, 1(4):273-278.
JONES, R. 2007. Safer Live Forensic acquisition. University of Kent at Canterbury. URL: http://www.cs.
kent.ac.uk/pubs/ug/2007/co620-projects/forensic/report.pdf Date of access: 11 January 2008.
JONES, S. & FOX, S. 2009. Generations online in 2009. Pew Internet & American Life Project. URL:
http://www.pewinternet.org/~/media//Files/Reports/2009/PIP_Generations_2009.pdf Date of access: 17
August 2009.
KABAY, M.E. 2002. Salami fraud. Network World Fusion. URL: http://www.networkworld.com/
newsletters/sec/2002/01467137.html Date of access: 25 June 2008.
KJAERLAND, M. 2006. A taxonomy and comparison of computer security incidents from the commercial
and government sectors. Computers & security, 25(7):522-538.
KLAFF, T. 2008. An authentic challenge. Computer technology review. URL: http://www.wwpi.com/index.
php?option=com_content&task=view&id=4092&Itemid=44 Date of access: 23 June 2008.
KNPA see KOREAN NATIONAL POLICE AGENCY
KOREAN NATIONAL POLICE AGENCY. 2007. Criminal investigation. Korean National Police Agency.
URL: http://www.police.go.kr/KNPA/statistics/st_investingation_02.jsp Date of access: 1 April 2008.
KRUSE II, W.G. & HEISER, J.G. 2002. Computer forensics: incident response essentials. Boston,
Mass.: Addison-Wesley.
LANDON, T. 2006. The broker who fell to earth. New York Times. URL: http://www.nytimes.com/
2006/10/13/business/13martha.html?_r=1 Date of access: 18 August 2009.
LAUBSCHER, R., OLIVIER, M.S., VENTER, H.S., RABE, D.J. & ELOFF, J.H.P. 2005. Computer
forensics for computer-based assessment: the preparation phase. Pretoria: University of Pretoria. URL:
http://icsa.cs.up.ac.za/issa/2005/Proceedings/Research/100_Article.pdf Date of access: 16 January
2008.
LECTRIC LAW LIBRARY. 2005. The Lectric Law Library’s Lexicon on Precedent. URL: http://www.
lectlaw.com/def2/p069.htm Date of access: 30 October 2008.
LEIGLAND, R. & KRINGS, A.W. 2004. A formalisation of digital forensics. International journal of
digital evidence, 3(2):1-32.
LEXISNEXIS. 2007. Lorraine v. Markel: Electronic evidence 101. URL: http://lexisnexis.com/applied
discovery/LawLibrary/whitePapers/ADI_WP_LorraineVMarkel.pdf Date of access: 23 June 2008.
LEXISNEXIS. 2008. Preserving chain of custody in e-discovery. URL: http://www.lexisnexis.com/
applieddiscovery/clientResources/techTips9.asp Date of access: 25 February 2008.
LOUWRENS, C.P. 2009a. Introduction to computer forensics. Johannesburg: University of
Johannesburg. (Lecture notes: IT00027 Electronic Commerce A.)
LOUWRENS, C.P. 2009b. Forensic methodology. Personal interview on 22 July 2009. (Group Risk
Services.)
MAAT, S.M. 2004. Cyber crime: a comparative law analysis. Pretoria: University of South Africa. URL:
http://etd.unisa.ac.za/ETD-db/theses/available/etd-08172005-103637/unrestricted/00front.pdf Date of access:
14 January 2008.
MANDIA, K., PROSISE, C. & PEPE, M. 2003. Incident response & computer forensics. 2nd ed. New
York: McGraw-Hill.
MARKET SHARE. 2009. Operating system market share. URL: http://marketshare.hitslink.com/
operating-system-market-share.aspx?qprid=8&qptimeframe=Y&qpsp=2009&qpmr=100&qpdt=1&qpct=3
Date of access: 14 August 2009.
MARKOFF, J. 2008. Internet attacks grow more potent. New York Times. URL: http://www.
nytimes.com/2008/11/10/technology/internet/10attacks.html?_r=2&th=&oref=slogin&emc=th&pagewante
d=print&oref=slogin Date of access: 10 November 2008.
McMILLAN, R. 2008. Internet fraud dupes men more often than women. IDG News Service. URL:
http://www.pcworld.com/article/id,144129-page,1/article.html Date of access: 9 April 2008.
MD5. Computer forensic solutions. 2008. ProDiscover. URL: http://www.md5.uk.com/?page=
ProDiscover Date of access: 21 January 2008.
MICROSOFT. 2008a. How to read the small memory dump files that Windows creates for debugging.
URL: http://support.microsoft.com/kb/315263 Date of access: 2 April 2008.
MICROSOFT. 2008b. FAQ: Computer Online Forensic Evidence Extractor (COFEE). URL:
http://www.microsoft.com/industry/government/news/cofee_faq.mspx Date of access: 2 June 2008.
MICROSOFT DEVELOPER NETWORK. 2009. How to detect install is running on a VM? URL:
http://social.msdn.microsoft.com/Forums/en-US/winformssetup/thread/55bbcf5d-9396-4904-bc03-
b1c2d4647657 Date of access: 20 September 2009.
MERRIAM-WEBSTER. 2008. Forensic. Merriam-Webster Online Dictionary. URL: http://www.
merriam-webster.com/dictionary/forensic Date of access: 4 September 2008.
MOBLEY, P.T. 2001. Computer forensics: the investigator’s perspective. (Black Hat Conference, Las
Vegas.) URL: http://www.blackhat.com/presentations/win-usa-01/Mobley/bh-win-01-mobley.ppt Date of
access: 23 July 2009.
MSDN see MICROSOFT DEVELOPER NETWORK
MURR, M. s.a. Windows incident response: What is “forensically sound”? URL: http://windowsir.
blogspot.com/2006/08/what-is-forensically-sound.html Date of access: 4 August 2008.
MY OPERA. 2008. Microsoft device helps police pluck evidence from cyberscene of crime. URL:
http://my.opera.com/cwbywz/blog/show.dml/2062359 Date of access: 2 June 2008.
NAIDOO, N. 2008. Govt move on cyber fraud. URL: http://www.witness.co.za/?showcontent&global[_id]=
8853 Date of access: 25 June 2008.
NARE, S. 2008. Forensic methodology. Personal interview on 10 September 2008. (Cyber security
specialist.)
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST). 2003a. Hardware Write Blocker
Device (HWB) specification. National Institute of Standards and Technology. URL:
http://www.cftt.nist.gov/HWB-posted.pdf Date of access: 26 February 2008.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST). 2003b. Software write block
tool specification & test plan. National Institute of Standards and Technology. URL:
http://www.cftt.nist.gov/documents/SWB-STP-V3_1a.pdf Date of access: 26 February 2008.
NET INDUSTRIES. 2008. Frye v. United States. URL: http://law.jrank.org/pages/12871/Frye-v-United-
States.html Date of access: 17 April 2007.
NETSCANTOOLS. 2008. NetBIOS info: basic tool description. URL: http://www.netscantools.com/
nstpro_netbios_info_basic.html Date of access: 3 April 2008.
NEWELL, M.W. 2005. Preparing for the Project Management professional certification exam. 3rd ed.
New York: American Management Association.
NEWS24. 2007. Huge growth in cyber crime. URL: http://www.news24.com/News24/South_Africa/
News/0,,2-7-1442_2220842,00.html Date of access: 7 April 2009.
NIKKEL, J. 2006. Improving evidence acquisition from live network sources. Digital forensics, 3(2):89-96.
NIST see NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
NMS FOUNDATION. 2007. Education project evaluation. URL: http://sanctuaries.noaa.gov/education/
evaluation/glossary.html Date of access: 23 April 2008.
NOVA. 2006. Glossary. Australian Academy of Science. URL: http://www.science.org.au/nova/092/
092glo.htm Date of access: 23 April 2008.
NYKODYM, N., TAYLOR, R. & VILELA, J. 2005. Criminal profiling and insider cyber crime. Digital
investigation, 2(4):261-267.
O’NEAL, M. 1997. GIMP plug-ins: blur and randomize. URL: http://www.rru.com/~meo/gimp/
randomize.html Date of access: 20 June 2008.
ORBITRON. 2007. New intelligent computer software that substantially improves crime and terrorism
detection. URL: http://www.orbitrontech.com/coplink.html Date of access: 17 March 2008.
PARALAN. 2007. Computer forensic protection: SCSI write blocker - models SR14A and SR15A.
SCSI forensics. URL: http://www.paralan.com/sr14.html Date of access: 26 February 2008.
PATI, P. 2003. Cyber crime. URL: http://www.naavi.org/pati/pati_cybercrimes_dec03.htm Date of
access: 15 January 2008.
PATRIOT MEMORY. 2009. Solid State Drives (SSD). Warp series SSD v2. URL: http://www.patriot
memory.com/products/groupdetailp.jsp?prodgroupid=83&prodline=8&group=Warp%20Series%20SSD
%20v2&catid=21 Date of access: 28 July 2009.
PAULI, D. 2008. Number of viruses to top 1 million by 2009. ComputerWorld Malaysia. URL:
http://computerworld.com.my/ShowPage.aspx?pagetype=2&articleid=7995&pubid=4&issueid=133
Date of access: 8 April 2008.
PC MAGAZINE. 2008. Definition of: memory dump. URL: http://www.pcmag.com/encyclopedia_term/
0,2542,t=memory+dump&i=46770,00.asp Date of access: 2 April 2008.
PEOPLE’S DAILY ONLINE. 2008. Uma Thurman stalker convicted of harassment. URL: http://english.
peopledaily.com.cn/90001/90782/6405835.html Date of access: 25 June 2008.
PEROLD, D. 2008. Methodology of building a model. Personal interview on 12 June 2008. (Principal
project manager.)
PHAIR, N. 2007. Behind the mask. URL: http://smallbusiness.smh.com.au/starting/legal/behind-the-
mask-901523903.html Date of access: 28 January 2008.
PLANET INDIA. 2001. Introduction to cyber crime. URL: http://cybercrime.planetindia.net/intro.htm
Date of access: 4 April 2008.
PMI EVIDENCE TRACKER. s.a. PMI Evidence Tracker. URL: http://www.evtracker.com Date of
access: 25 February 2008.
POLICEONE.COM. 2008. Volatility of digital evidence. URL: http://www.policeone.
com/police-products/investigation/tips/1655664-Volatility-of-digital-evidence/ Date of access: 27 July 2009.
POLLITT, M. & WHITLEDGE, A. 2006. Exploring big haystacks. (In Olivier, M. & Shenoi, S., eds.
International Federation for Information Processing: Advances in digital forensics, v. 2. New York:
Springer. p. 4.)
POPA, B. 2008. Arrested security flaw merchant comes back online - Roberto Preatoni brings
WabiSabiLabi back in the spotlights. URL: http://news.softpedia.com/news/Arrested-Security-Flaw-
Merchant-Comes-Back-Online-83142.shtml Date of access: 26 June 2008.
PRESERVATION101. 2006. Deterioration of film and electronic media. URL: http://www.
preservation101.org/session3/expl_iv_op-substrate.asp Date of access: 28 July 2009.
REDHAT. 2009. LINUX 9. Chapter 3. Redundant Array of Independent Disks (RAID). URL:
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/ch-raid-intro.html Date of access:
29 July 2009.
ROBBINS, J. 1994. Federal guidelines for searching and seizing computers. The Bureau of National
Affairs Publication. Criminal law reports, 56(12), December 21. US Department of Justice. Criminal
Division. Office of Professional Development and Training.
ROCHA, S. 2006. For Laci. New York: Crown.
ROGERS, M.K. & SEIGFRIED, K. 2004. The future of computer forensics: a needs analysis survey.
Computers and security, 23(1):12-16.
ROMANO, B.J. 2008. Looking for answers on Microsoft’s COFEE device. Seattle Times. URL:
http://blog.seattletimes.nwsource.com/techtracks/2008/04/looking_for_answers_on_microsofts_cofee
_device.html Date of access: 2 June 2008.
RONDGANGER, L. 2008. Hacker with a conscience. URL: http://www.iol.co.za/index.php?from=
rss_Top%20Stories&set_id=1&click_id=13&art_id=vn20080703061212942C901462 Date of access: 23
January 2009.
RYAN, D.J. & SHPANTZER, G. 2005. Legal aspects of digital forensics. URL: http://www.sabcnews.
com/south_africa/crime1justice/0,2172,79940,00.html Date of access: 25 June 2008.
SABC NEWS. 2004. Joburg man found guilty of Edgars computer crash virus. URL:
http://www.forensics-intl.com/safeback.html Date of access: 22 January 2008.
SANETT, S. & PARK, E. 2002. Authenticity as a requirement of preserving digital data and records.
IASSIST quarterly, Winter. URL: http://iassistdata.org/publications/iq/iq24/iqvol241sanett.pdf Date of
access: 23 June 2008.
SAPS see SOUTH AFRICAN POLICE SERVICES
SCALET, S.D. 2005. How to keep a digital chain of custody. URL: http://www.csoonline.com/read/
120105/ht_custody.html Date of access: 25 February 2008.
SETH, K. 2007. Cyber crimes and the arm of law: an Indian perspective. URL: http://www.Seth
associates.com/pdfs/Presentation-cyst%202007-final.ppt#257, 1, Cyber security and threats- CyST’2007
Date of access: 28 January 2008.
SEVASTOPULO, D. 2007. Chinese hacked into Pentagon. URL: http://www.ft.com/cms/s/
0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html?nclick_check=1 Date of access: 28 November 2008.
SHARMA, S. 2008. Will technology take over the world? URL: http://www.helium.com/
items/270830-will-technology-take-over-the-world Date of access: 28 November 2008.
SHELAR, J. 2007. Cyber crime cases prove a virtual waste. Daily news analysis. URL: http://www.
dnaindia.com/report.asp?newsid=1141488 Date of access: 17 January 2008.
SHELTON, D.E. 2006. Technology, popular culture, and the court system: strange bedfellows? In
National Center for State Courts. Future trends in State Courts. p. 63-66.
SHEMA, M. & JOHNSON, B.C. 2004. Anti-hacker toolkit. 2nd ed. New York: McGraw-Hill.
SHINDER, D.L. 2002. Scene of the cybercrime: computer forensics handbook. Rockland, Mass.:
Syngress Media.
SIGCSE see SPECIAL INTEREST GROUP ON COMPUTER SCIENCE EDUCATION (SIGCSE)
SOUTH AFRICA. 2002. Electronic Communications and Transactions Act, No. 25 of 2002.
Government Gazette. URL: http://www.info.gov.za/view/DownloadFileAction?id=68060 Date of access:
11 August 2009.
SOUTH AFRICAN POLICE SERVICES (SAPS). 2007. Learning programme - division training:
investing in human capital. Module 1: Cyber forensic first responder learner guide. Pretoria: SAPS.
SPAFFORD, E. 2006. Some challenges in digital forensics. (In Olivier, M. & Shenoi, S., eds.
International federation for information processing: advances in digital forensics, 2. New York: Springer.
p. 4.)
SPECIAL INTEREST GROUP ON COMPUTER SCIENCE EDUCATION (SIGCSE). 2001. Overview of
the CS body of knowledge. ACM Special Interest Group on Computer Science Education. URL:
http://www.sigcse.org/cc2001/cs-overview-bok.html Date of access: 10 November 2008.
STEVENS, M.W. 2004. Unification of relative time frames for digital forensics. Digital investigation,
1(3):225-239.
STIENNON, R. 2007. What’s driving cyber crime? URL: http://www.esecurityplanet.com/article.
php/3664861 Date of access: 8 April 2009.
STIMMEL, C.L. 2008. Best practices for computer forensics in the field. URL: http://ezinearticles.com/?
Best-Practices-for-Computer-Forensics-in-the-Field&id=124243 Date of access: 10 January 2008.
STOCKDALE, J.E. & GRESHAM, P.J. 1995. The presentation of police evidence in court. Home Office
Police Research Group. London: Crown. (Police Research Series, paper 15.)
SWATKAT. 2005. Swatkat’s rants. URL: http://swatrant.blogspot.com/2005/12/notmyfault-fault-maker.
html Date of access: 2 April 2008.
TAUB, E.A. 2006. Deleting may be easy, but your hard drive still tells all. New York Times News
Service. URL: http://www.theglobeandmail.com/servlet/story/RTGAM.20060406.gtforensicapr6/BNStory/
Technology/ERIC+A.+TAUB Date of access: 17 March 2008.
TAYLOR, C., ENDICOTT-POPOVSKY, B. & FRINCKE, D.A. 2007. Specifying digital forensics: a
forensics policy approach. Digital investigation, 4, Suppl. 1:101-104.
TEATHER, D. 2002. Melissa virus creator jailed. URL: http://www.guardian.co.uk/technology/2002/
may/02/viruses.security Date of access: 25 June 2008.
TICEHURST, J. 2000. Cyber criminals are getting away with it. URL: http://www.vnunet.com/vnunet/
news/2114242/cybercriminals-getting-away Date of access: 7 April 2008.
TRAYNOR, I. 2007. Russia accused of unleashing cyberwar to disable Estonia. URL: http://www.
guardian.co.uk/world/2007/may/17/topstories3.russia Date of access: 28 November 2008.
TRENCH, R.L. 1994. Chain of custody: keeping track of property and evidence. International association
for property and evidence, Inc. Evidence Log, 94(4).
UMBC see UNIVERSITY OF MARYLAND. Baltimore County.
UNIBLUE. 2007. cmd.exe - cmd - process information. URL:
http://www.liutilities.com/products/wintaskspro/processlibrary/cmd/ Date of access: 3 April 2008.
UNITED STATES COMPUTER EMERGENCY RESPONSE TEAM (US-CERT). 2005. Computer forensics.
URL: http://www.us-cert.gov/reading_room/forensics.pdf Date of access: 20 March 2008.
UNITED STATES COMPUTER EMERGENCY RESPONSE TEAM (US-CERT). 2007. Quarterly trends
and analysis report. URL: http://www.us-cert.gov/press_room/trendsandanalysisQ107.pdf Date of
access: 17 January 2008.
UNIVERSITY OF EDINBURGH. 2004. Electronic records and legal admissibility. URL: http://www.
recordsmanagement.ed.ac.uk/InfoStaff/RMstaff/LegalAdmiss/legaladmiss.htm Date of access: 23 June
2008.
UNIVERSITY OF MARYLAND. Baltimore County (UMBC). 2008. What is an Information System (IS).
University of Maryland, Baltimore County. URL: http://www.is.umbc.edu/aboutIS.asp Date of access:
10 November 2008.
USBORNE, D. 1996. US takes on the ‘cyber-terrorists’. BNET Business Network. URL:
http://findarticles.com/p/articles/mi_qn4158/is_19960607/ai_n14048381 Date of access: 26 June 2008.
US-CERT see UNITED STATES COMPUTER EMERGENCY RESPONSE TEAM (US-CERT)
VAMOSI, R. 2008. Microsoft serves law enforcement free COFEE. URL: http://news.cnet.com/8301-
10789_3-9932600-57.html Date of access: 2 June 2008.
VIDAS, T. 2006. Forensic Analysis of Volatile Data Stores. CERT Conference. URL: http://www.
certconf.org/presentations/2006/files/RB3.pdf Date of access: 27 March 2008.
WANG, Y., CANNADY, J. & ROSENBLUTH, J. 2005. Foundations of computer forensics: a technology
for the fight against computer crime. Computer law & security report, 21:119-127.
WATSON, L.M. 2004. Anticipating electronic discovery in commercial cases: a guide for corporate and
in-house counsel. Michigan bar journal, May. URL: http://www.michbar.org/journal/pdf/pdf4article702.pdf
Date of access: 18 March 2008.
WEISE, J. & POWELL, B. 2005. Using computer forensics when investigating system attacks. URL:
http://www.sun.com/blueprints Date of access: 27 February 2008.
WHITE, S. 2005. A brief history of computing: operating systems. URL: http://trillian.randomstuff.
org.uk/~stephen/history/timeline-OS.html Date of access: 14 August 2009.
WIKIPEDIA. 2008. Abstract model. Wikipedia, the free encyclopaedia. URL: http://en.wikipedia.
org/wiki/Model_(abstract) Date of access: 23 April 2008.
WIKIRANK. 2009. Optical media preservation. URL: http://wikirank.com/en/Optical_media_preservation
Date of access: 28 July 2009.
WIKTIONARY. 2008. Rootkit. URL: http://en.wiktionary.org/wiki/rootkit Date of access: 30 July 2009.
WILDING, E. 2002. Caught red handed: you can shred but you can’t hide. Computer fraud & security.
2002(8):4-5.
WILLIAMS, P. 2006. MySpace, Facebook attract online predators: experts say be careful what you
post online – somebody is always watching. Nightly News. URL: http://www.msnbc.msn.com/
id/11165576/ Date of access: 15 December 2008.
WOOD, S.W. 2008. A forensic computing framework to fit any legal system. (4th International
Conference on IT Incident Management & IT Forensics, 23-25 September 2008. Mannheim, Germany.)
WORDNET. 2008. Model. URL: http://wordnet.princeton.edu/perl/webwn Date of access: 23 April
2008.
WORDNET. 2009a. Dimension. URL: http://wordnetweb.princeton.edu/perl/webwn?s=dimension Date
of access: 6 January 2009.
WORDNET. 2009b. Escrow. URL: http://wordnetweb.princeton.edu/perl/webwn?s=escrow Date of
access: 28 July 2009.
Publications and Presentations
1. Goodbye Columbo, hallo cyber cops....
Author(s): Barry Bateman (Photo: Etienne Creux)
Date: 27 August 2008
Type: Pretoria News article, p2
http://hdl.handle.net/10204/2761
ISBN: 9771016365001
Abstract: Council for Scientific and Industrial Research cyber security researcher Marthie
Lessing¹ explains in her doctoral paper the difference between “dead” and “live”
forensics.
2. Live Forensic Acquisition as Alternative to Traditional Forensic Processes
Author(s): Marthie Lessing (presenter), Basie von Solms
Date: 23 – 25 September 2008
Type: Conference
Mannheim, Germany: IT Management and IT Forensics (Refereed and Published).
Presentation (TOdB Pub number: CSIR/DPSS/S&S/EXP/2008/0036/A)
ISBN: 978-3-88579-234-5
Abstract: The development of live forensic acquisition in general presents a remedy for some
of the problems introduced by traditional forensic acquisition. However, this live
forensic acquisition introduces a variety of additional problems, unique to this
discipline. This paper presents current research with regard to the forensic
soundness of evidence retrieved through live forensic acquisition. The research is
based on work done for a PhD Computer Science at the University of Johannesburg.
3. Using the dead to create a live model: digital forensics in comparison
Author(s): Marthie Lessing (presenter), Prof SH von Solms
Date: 14 October 2008
Type: Project Day
Auckland Park, South Africa: University of Johannesburg Information Technology
Project Day
Poster (TOdB Pub number: CSIR/DPSS/S&S/EXP/2008/0403/A)
¹ The author’s maiden name is Lessing, changed in March 2009 to Grobler.
4. Die voordeel van gekoppelde verkryging van forensiese digitale data bo die tradisionele
ontkoppelde verkryging van forensiese digitale data (The advantage of live (connected)
acquisition of forensic digital data over the traditional dead (disconnected) acquisition of
forensic digital data)
Author(s): MM Lessing (presenter)
Date: 31 October 2008
Type: Symposium
Auckland Park, Johannesburg: Die Suid-Afrikaanse Akademie vir Wetenskap en
Kuns, Studentesimposium 2008
Presentation (TOdB Pub number: CSIR/DPSS/S&S/EXP/2008/0404/A)
Abstract: Digital Forensics involves specialist techniques for copying forensic data from one
computer to another so that it can be presented as evidence in a court of law.
Experts propose two possibilities: dead (disconnected) forensic and live (connected)
forensic methods.
Dead forensic methods focus on acquiring electronic evidence from a powered-off
computer. This technique ensures that the investigating officer can make a complete
copy of the hard disk without the possibility of data changes. Live forensic methods
are a newer, controversial technique in which the investigating officer works directly
on a powered-on computer. The investigating officer can copy the computer’s
read-write memory (RAM), but this opens the possibility of unintended data changes.
Live forensics was originally developed to overcome the problems that dead
forensics brings with it. Although this technique is much more difficult to apply
successfully, the electronic evidence obtained is far more comprehensive.
Preliminary research appears to favour the advancement of live forensics.
5. Between life and death: problems with live forensics
Author(s): Marthie Lessing (presenter)
Date: 12 - 13 November 2008
Type: Keynote address
Johannesburg, South Africa: Practicing Innovation in Digital Forensics Management
Keynote address (TOdB Pub number: CSIR/DPSS/S&S/EXP/2008/0413/A)
6. Modelling Live Forensic Acquisition
Author(s): MM Grobler (presenter), SH von Solms
Date: 25 – 26 June 2009
Type: Conference
University of Piraeus, Greece: Workshop on Digital Forensics & Incident Analysis –
WDFIA 2009 (Refereed and Published)
Presentation (TOdB Pub number: CSIR/DPSS/CCIW/EXP/2009/0015/A)
ISBN: 978-1-84102-230-7
Abstract: This paper discusses the development of a South African model for Live Forensic
Acquisition - Liforac. The Liforac model is a comprehensive model that presents a
range of aspects related to Live Forensic Acquisition. The model provides forensic
investigators with guidelines on how to proceed during an investigation. It provides
forensic investigators with a robust foundation to understand what needs to happen
during an investigation, the order in which these actions need to take place and the
reasoning behind these actions. It supports forensic soundness.
7. A Best Practice Approach to Live Forensic Acquisition
Author(s): MM Grobler (presenter), SH von Solms
Date: 6 – 8 July 2009
Type: Conference
Johannesburg, South Africa: ISSA (Refereed and Published)
Presentation (TOdB Pub number: CSIR/DPSS/CCIW/EXP/2009/0016/A)
ISBN: 978-1-84102-230-7
Abstract: The development of the Live Forensic discipline instigates the development of a
method that allows forensically sound acquisition to stand fast in a court of law. The
study presents the development of a comprehensive model for forensically sound
Live Forensic Acquisition, the Liforac model.
The Liforac model presents a number of concepts that are already available within
the Cyber Forensics discipline, combined as a single document. It comprises four
distinct dimensions: Laws and regulations, Timeline, Knowledge and Scope. These
dimensions combine to present a wide-ranging model to guide First Responders
and forensic investigators in acquiring forensically sound digital evidence. The
dimensions were identified as part of an intense research study on the current
application of Live Forensics and the associated problems and suggested controls.
The Liforac model is an inclusive model that presents all aspects related to Live
Forensic Acquisition, suggesting ways in which a Live Forensic Acquisition should
take place to ensure forensic soundness. At the time of writing, this Liforac model is
the first document of this nature that could be found for analysis. It serves as a
foundation for future models that can refine the current processes.
8. ISO/IEC 27037: Guidelines for identification, collection and/or acquisition and preservation of
digital evidence
Co-editor(s): Marthie Grobler and Sivanathan Subramaniam
Date: Planned publication in 2011
Type: International standard still under development
http://www.iso.org/iso/catalogue_detail.htm?csnumber=44381
Version: ISO/IEC JTC 1/SC 27/WG 4 N47570
Abstract: In responding to serious information security incidents, a post-event response is
required to investigate the incidents. The process of the investigation emphasizes
the integrity of the digital evidence and the right procedure in obtaining the digital
evidence to ensure its admissibility in meeting its purposes.
Due to the fragility of digital evidence, a proper procedure needs to be carried out with
due care to ensure that its evidentiary value is preserved. Key components
that give credibility to the investigation are the methodology applied during the process
and the individuals who are qualified to perform the tasks using that methodology.
There should be a proper procedure in place to ensure the practice is credible, and
that the individuals performing the tasks have met certain certification criteria.
It becomes a great concern to many when incidents involve cross-border
jurisdictions. This has prompted the development of this International Standard, to be
used not only for legal proceedings, but also for disciplinary procedures and other
related purposes in handling digital evidence.
This International Standard provides guidance for individuals, digital evidence first
responders, who perform the required tasks in the investigation, including identifying,
collecting and/or acquiring and preserving digital evidence. This International
Standard is relevant to ensuring that digital evidence is managed in practical ways
that are acceptable worldwide, with the objective of preserving its integrity.
This standard should not replace the specific legal requirements of a particular
jurisdiction. Instead, this standard may serve as a practical guideline for Digital
Evidence First Responders in investigations involving digital evidence and may
facilitate the exchange of digital evidence between jurisdictions.
The International Standard will not mandate the use of particular tools or methods. Nor
does it include matters pertaining to the analysis of digital evidence, or the weight,
admissibility, relevance and other judicially controlled limitations on the use of digital
evidence in courts of law.
This proposed standard complements ISO/IEC 27001 and ISO/IEC 27002, and in
particular the control requirements concerning digital evidence acquisition by
providing additional implementation guidance. In addition, the standard will have
applications in contexts independent of ISO/IEC 27001 and ISO/IEC 27002.
9. Fusing business, science and law: presenting digital evidence in court
Author(s): MM Grobler, SH Von Solms
Date: November 2009
Type: Journal
Source: Journal of Contemporary Management, Vol. 6
Pages: 375-389
ISSN: 1815 7440
Index: Sabinet Online
Abstract: With the explosion of digital crime, science becomes more frequently applied in
court. Criminals are exploiting the same technological advances that have helped
Law Enforcement to progress; these exploits are often at the expense of
businesses. The purpose of the article is to make business managers aware of
the intricate relationship between business, science and the law.
Businesses are regularly the target of digital crime and should be proactive in
their forensic readiness. Scientists often present the evidence themselves, and
need to be comfortable explaining technical principles to non-technical
individuals. The legal system needs to arbitrate fairly over the crime and the presented
evidence, integrating both business and scientific principles to ensure a fair
ruling. It is necessary to bridge the gap between these disciplines to ensure the
successful presentation of digital evidence in court.
Digital Forensics is a contemporary management issue that should be embraced as a
vantage point within the business world. It is not only IT specialists who can be
called to testify on digital incidents in a court of law, but any manager or senior
employee, and these individuals should be adequately prepared for this. Business,
science and law should therefore find a compromise to ensure that the presentation
of digital evidence in court benefits all the disciplines involved.