Protecting the Integrity of Digital Evidence and Basic Human Rights During the Process of Digital Forensics
Stockholm University, Faculty of Social Sciences, Department of Computer and Systems Sciences. (Cyber Systems Security)
2015 (English) Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Scientific development and progress in the fields of computer science, information technology and their related disciplines, have transformed our world into a “digital world”. Omnipresent digital devices and e-services running on numerous versions of pervasive e-infrastructures generate a wealth of electronically stored information (ESI) from which we can extract a great deal of potential digital evidence.

Digital evidence is sometimes even more revealing than its traditional counterpart, but at the same time it is very fragile and volatile in nature. Preserving the integrity of digital evidence is therefore of major concern, especially when it comes from purportedly illegal, illicit and malicious activities. The acquisition and analysis of digital evidence are also crucial to the functioning of the digital world, regardless of the positive or negative implications of the actions and activities that generated the evidence. All stakeholders should have the right to be assured of the accuracy of the digital forensics process and the people involved in it. Currently they surrender these rights and have to trust the process and the individuals carrying it out. They do not have any guarantee that intentional or unintentional conduct or modification will not affect the outcome of the forensic process, which might compromise their other human rights as a consequence, such as their right to liberty and even their right to life. Protecting basic human rights by ensuring the correctness of the entire forensics process, and its output in the form of digital evidence, is thus a point of concern. The “right to a fair trial” given in Article 6 of the European Convention as an umbrella principle that affects the forensics process, is one example of the protection of basic human rights.

In digital forensics there are principles and models at the top (the theoretical basis), acting as a platform on an abstract and generic level; in the middle there are policies and practices; and at the bottom there are technical procedures and techniques. During this research we worked to solve the above-mentioned problems, concentrating on all three layers, by extending the abstract models, defining best practice, and providing new technical procedures employing the latest technology. Our work also helps to implement organisational policies.

The research was undertaken in two cycles, starting with an exploration of the theoretical basis and continuing to procedures and techniques. The methods used to preserve the integrity of digital evidence were explored and evaluated in the first cycle. A new technical model called PIDESC[1] was thus proposed. This can preserve the integrity of digital evidence by orchestrating both software- and hardware-based security solutions. The model was evaluated in terms of time and cost. The results suggest that the gains outweigh the additional cost and time. The increase in time is a constant negligible factor of only half a millisecond on average. In the next cycle we built on our knowledge and extended the theoretical basis on an abstract and generic level to preserve the integrity of digital evidence and to protect basic human rights as overarching umbrella principles (2PasU[2]). We then developed specific solutions, including a formal method to select the best mobile device forensics tool, and developed a guide for best practices to fulfil the requirements of preservation and protection. Finally, we mapped the solutions to the proposed extended model with 2PasU, putting all the research into its context in order to pave the way for future work in this domain.

[1] Protecting Digital Evidence Integrity by Using Smart Cards

[2] Preservation and Protection as Umbrella Principles

Place, publisher, year, edition, pages
Stockholm: Department of Computer and Systems Sciences, Stockholm University, 2015. 116 p.
Series
Report Series / Department of Computer & Systems Sciences, ISSN 1101-8526 ; 15-010
National Category
Computer Science
Research subject
Computer and Systems Sciences
Identifiers
URN: urn:nbn:se:su:diva-116581; ISBN: 978-91-7649-180-5 (print); OAI: oai:DiVA.org:su-116581; DiVA: diva2:806849
Public defence
2015-06-05, L50, NOD-huset, Borgarfjordsgatan 12, Kista, 13:00 (English)
Note

At the time of the doctoral defense, the following paper was unpublished and had a status as follows: Paper 6: Submitted.

Available from: 2015-05-14 Created: 2015-04-22 Last updated: 2015-05-19 Bibliographically approved
List of papers
1. Evaluation of Some Tools for Extracting e-Evidence from Mobile Devices
2011 (English) In: Application of Information and Communication Technologies (AICT), 2011, 1-6 p. Conference paper, Published paper (Refereed)
Abstract [en]

In a digital world, even illegal behaviour and/or crimes may be termed as digital. This world is increasingly becoming mobile, where the basic computation and communication entities are Small Scale Digital Devices (SSDDs or S2D2s) such as ordinary mobile phones, personal digital assistants, smart phones and tablets. The need to recover data, which might refer to unlawful and unethical activities, gave rise to the discipline of mobile forensics, which has become an integral part of digital forensics. Consequently, in the last few years there is an abundance of mobile forensics tools, both commercial and open-source ones, whose vendors and developers make various assertions about the capabilities and the performance of their tools. The complexity and the diversity of both mobile devices and mobile forensics tools, coupled with the volatile nature of the digital evidence and the legal requirements of admissibility, make it difficult for forensics investigators to select the right tool. Hence, we have evaluated UFED Physical Pro 1.1.3.8 and XRY 5.0 following the “Smartphone Tool Specifications Standard” developed by NIST, in order to start developing a framework for evaluating and referencing the “goodness” of the mobile forensic tools. The experiments and the results of the research against the core smart phone tool specifications and their associated test findings are presented in such a way that it should make it easier for the prospective mobile forensic examiner to select the most adequate tool for a specific case.

Keyword
mobile forensics, digital evidence, extraction tools, e-Evidence
National Category
Information Systems
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-67126 (URN); 10.1109/ICAICT.2011.6110999 (DOI); 978-1-61284-831-0 (ISBN)
Conference
The 5th International Conference on Application of Information and Communication Technologies (AICT), Azerbaijan, Baku, 12-14 October 2011
Available from: 2011-12-26 Created: 2011-12-26 Last updated: 2015-05-05 Bibliographically approved
2. Evaluation of Security Methods for Ensuring the Integrity of Digital Evidence
2011 (English) In: Innovations 2011: 2011 International Conference on Innovations in Information Technology, Abu Dhabi: IEEE Computer Society, 2011, 220-225 p. Conference paper, Published paper (Other academic)
Abstract [en]

The omnipresence of e-services running on various instances of pervasive e-infrastructures that are fundamental to the contemporary information society generates an abundance of digital evidence. The evidence in a digital form stems from a myriad of sources ranging from stand alone computers and their volatile and non-volatile storages, to mobile small scale digital devices, network traffic, ever-present applications comprising social networks, ISP records, logs, Web pages, databases and both global and local information systems. The acquisition and the analysis of this evidence is crucial to understanding and functioning of the digital world, regardless of the positive or negative implications of the actions and the activities that generated the evidence. In the case of the latter, when the evidence comes from illegal, illicit and malicious activities, the protection of digital evidence is of major concern for the law enforcement and legal institutions, namely for investigators and prosecutors. To protect the integrity of the digital evidence, a number of security methods are used. These methods differ in terms of performance, accuracy, security levels, computational complexity, potential errors and the statistical admissibility of the produced results, as well as the vulnerabilities to accidental or malicious modifications. The work presented deals with the evaluation of these security methods in order to study and understand their “goodness” and suitability to protect the integrity of the digital evidence. The immediate outcome of the evaluation is a set of recommendations to be considered for selecting the right algorithm to protect integrity of the digital evidence in general.

Place, publisher, year, edition, pages
Abu Dhabi: IEEE Computer Society, 2011
National Category
Information Science
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-64340 (URN); 10.1109/INNOVATIONS.2011.5893821 (DOI); 978-1-4577-0311-9 (ISBN)
Conference
International Conference on Innovations in Information Technology (IIT), Abu Dhabi, 25-27 April 2011
Available from: 2011-11-17 Created: 2011-11-17 Last updated: 2015-04-24 Bibliographically approved
3. Protecting Digital Evidence Integrity by Using Smart Cards: Revised Selected Papers
2010 (English) In: Digital Forensics and Cyber Crime: Revised Selected Papers / [ed] Ibrahim Baggili, Springer Berlin/Heidelberg, 2010, 110-119 p. Conference paper, Published paper (Refereed)
Abstract [en]

RFC 3227 provides general guidelines for digital evidence collection and archiving, while the International Organization on Computer Evidence offers guidelines for best practice in the digital forensic examination. In the light of these guidelines we will analyze the integrity protection mechanism provided by EnCase and FTK, which is mainly based upon Message Digest Codes (MDCs). MDCs for integrity protection are not tamper-proof, hence they can be forged. With the proposed model for protecting digital evidence integrity by using smart cards (PIDESC) that establishes a secure platform for digitally signing the MDC (in general for a whole range of cryptographic services) in combination with Public Key Cryptography (PKC), one can show that this weakness might be overcome.

Place, publisher, year, edition, pages
Springer Berlin/Heidelberg, 2010
Series
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, ISSN 1867-8211 ; 53
Keyword
Digital Evidence, Integrity Protection, Smart Card, Message Digest, Digital Signature, Forensics Examination Tools and Procedures.
National Category
Information Science
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-51978 (URN); 10.1007/978-3-642-19513-6_9 (DOI); 978-3-642-19512-9 (ISBN); 978-3-642-19513-6 (ISBN)
Conference
Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010
Available from: 2011-01-12 Created: 2011-01-12 Last updated: 2015-04-24 Bibliographically approved
4. Extended Abstract Digital Forensics Model with Preservation and Protection as Umbrella Principles
2014 (English) In: Procedia Computer Science, ISSN 1877-0509, E-ISSN 1877-0509, Vol. 35, 812-821 p. Article in journal (Refereed) Published
Abstract [en]

In this research, a literature review was conducted where twenty (n=20) frameworks and models highlighting preservation of the integrity of digital evidence and protection of basic human rights during digital forensic investigations were studied. The models not discussing the process at an abstract level were excluded. Therefore, thirteen (n=13) of the studied models were included in our analysis. The results indicated that published abstract models lack preserving the integrity of digital evidence and protecting the basic human rights as explicit overarching umbrella principles. To overcome this problem, we proposed an extension to Reith’s abstract digital forensics model explicating preservation of integrity and protection of human rights as two necessary umbrella principles.

Keyword
Digital Evidence, Digital Forensics, Digital Forensics Process Models, Preserving the Integrity of Digital Evidence, Protecting the Basic Human Rights, Abstract digital forensic models, Abstraction
National Category
Information Systems
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-110987 (URN); 10.1016/j.procs.2014.08.246 (DOI); 000345394100084 ()
Conference
18th Annual International Conference on Knowledge-Based and Intelligent Information and Engineering Systems (KES), Gdynia, Poland, September 15-17, 2014
Available from: 2014-12-19 Created: 2014-12-19 Last updated: 2017-12-05 Bibliographically approved
5. Evaluating and Comparing Tools for Mobile Device Forensics Using Quantitative Analysis
2013 (English) In: Digital forensics and cyber crime, ICDF2C 2012 / [ed] Rogers, M.; Seigfried Spellar, K. C., New York: Springer, 2013, 264-282 p. Conference paper, Published paper (Refereed)
Abstract [en]

In this paper we have presented a quantitative analysis technique to measure and compare the quality of mobile device forensics tools while evaluating them. For examiners, it will provide a formal mathematical base and an obvious way to select the best tool, especially for a particular type of digital evidence in a specific case. This type of comparative study was absent in both NIST's evaluation process and our previous work (Evaluation of Some Tools for Extracting e-Evidence from Mobile Devices). We have evaluated UFED Physical Pro 1.1.3.8 and XRY 5.0. To compare the tools we have calculated Margin of Error and Confidence Interval (CI) based on the proportion of successful extractions from our samples in different scenarios. It is followed by hypothesis testing to further strengthen the CI results and to formally compare the accuracy of the tools with a certain level of confidence.

Place, publisher, year, edition, pages
New York: Springer, 2013
Series
Lecture Notes of the Institute for Computer Sciences Social Informatics and Telecommunications Engineering, ISSN 1867-8211 ; 114
Keyword
Digital Forensics, Mobile Device Forensics and tools, e-Evidence, Evaluation, Confidence Interval, Hypothesis Testing and Quantitative Analysis
National Category
Information Systems
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-106123 (URN); 000337317600017 (); 978-3-642-39891-9 (ISBN); 978-3-642-39890-2 (ISBN)
Conference
4th Annual International ICST Conference on Digital Forensics and Cyber Crime (ICDF2C), OCT 25-26, 2012, Lafayette, IN
Note

AuthorCount:3;

Available from: 2014-07-22 Created: 2014-07-21 Last updated: 2015-05-05 Bibliographically approved
6. A method and a case study for the selection of the best available tool for mobile device forensics using decision analysis
2016 (English) In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 16, S55-S64 p. Article in journal (Refereed) Published
Abstract [en]

The omnipresence of mobile devices (or small scale digital devices – SSDD) and more importantly the utility of their associated applications for our daily activities, which range from financial transactions to learning, and from entertainment to distributed social presence, create an abundance of digital evidence for each individual. Some of the evidence may be a result of illegal activities that need to be identified, understood and eventually prevented in the future. There are numerous tools for acquiring and analyzing digital evidence extracted from mobile devices. The diversity of SSDDs, types of evidence generated and the number of tools used to uncover them posit a rather complex and challenging problem of selecting the best available tool for the extraction and the subsequent analysis of the evidence gathered from a specific digital device. Failing to select the best tool may easily lead to incomplete and/or improper extraction, which eventually may violate the integrity of the digital evidence and diminish its probative value. Moreover, the compromised evidence may result in erroneous analysis, incorrect interpretation, and wrong conclusions which may eventually compromise the right of a fair trial. Hence, a digital forensics investigator has to deal with the complex decision problem from the very start of the investigative process called preparatory phase. The problem could be addressed and possibly solved by using multi criteria decision analysis. The performance of the tool for extracting a specific type of digital evidence, and the relevance of that type of digital evidence to the investigative problem are the two central factors for selecting the best available tool, which we advocate in our work. In this paper we explain the method used and showcase a case study by evaluating two tools using two mobile devices to demonstrate the utility of our proposed approach. The results indicated that XRY (Alt1) dominates UFED (Alt2) for most of the cases after balancing the requirements for both performance and relevance.

Keyword
Digital forensics, Mobile device forensics, Mobile device forensics tools, Evaluation, Multi-criteria decision analysis, Digital evidence, Digital investigation, Expected utility, Total ranking, Hypothesis testing
National Category
Computer Science
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-116579 (URN); 10.1016/j.diin.2016.01.008 (DOI)
Available from: 2015-04-21 Created: 2015-04-21 Last updated: 2017-07-27 Bibliographically approved
7. Quantifying relevance of mobile digital evidence as they relate to case types: a survey and a guide for best practices
2014 (English) In: The Journal of Digital Forensics, Security and Law, ISSN 1558-7215, E-ISSN 1558-7223, Vol. 9, no 3, 19-44 p. Article in journal (Refereed) Published
Abstract [en]

In this work, a survey was conducted to help quantify the relevance of nineteen types of evidence (such as SMS) to seven types of digital investigations associated with mobile devices (MD) (such as child pornography). 97 % of the respondents agreed that every type of digital evidence has a different level of relevance to further or solve a particular investigation. From 55 serious participants, a data set of 5,772 responses regarding the relevance of nineteen types of digital evidence for all the seven types of digital investigations was obtained. The results showed that (i) SMS belongs to grade “A” type of digital evidence for all the seven types of investigations, (ii) MMS belongs to grade “A” type of digital evidence for all the types of digital investigations except espionage and eavesdropping where it is grade “B”, (iii) Phonebook and Contacts is grade “A” type of digital evidence for all types of digital investigations except child pornography where it is grade “B”, (iv) Audio Calls is grade “A” type of digital evidence for all types of digital investigations except credit card fraud and child pornography where it is grade “B” and (v) Standalone Files are grade “E” type of digital evidence for most of the digital investigations. The size of the response data set was fairly reasonable to analyze and then define; by generalization, relevance based best practices for mobile device forensics, which can supplement any forensics process model, including digital triage. For the reliability of these best practices, the impact of responses from the participants with more than five years of experience was analyzed by using one hundred and thirty three (133) instances of One-Way ANOVA tests. The results of this research can help investigators concentrate on the relevant types of digital evidence when investigating a specific case, consequently saving time and effort.

Keyword
Digital Evidence, Digital Forensics, Mobile Device Forensics, Digital Triage, Relevance of Digital Evidence, Best Practices for Mobile Device Forensics
National Category
Information Systems
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-111092 (URN)
Available from: 2014-12-22 Created: 2014-12-22 Last updated: 2017-12-05 Bibliographically approved

Open Access in DiVA

fulltext (8691 kB), 997 downloads
File information
File name: FULLTEXT02.pdf; File size: 8691 kB; Checksum: SHA-512
3bfd399fc806f74c5f08220895890688557689267435da17454407c066799fc4c0e095e7e2de8beec2740444f30e81853c699823b560e0f653327ab22a256c35
Type: fulltext; Mimetype: application/pdf

Search in DiVA

By author/editor
Saleem, Shahzad
By organisation
Department of Computer and Systems Sciences
Computer Science
