Challenges of Digital Forensics
DFI Part - 5
“It is of the highest importance in the art of detection to be able to recognize, out of a number of facts, which are incidental and which vital” - Sherlock Holmes
Rightly said by Sherlock Holmes: a mistake in recognizing which facts matter can leave a case inconclusive. So today, let’s look at the challenges in digital forensics.
During a digital investigation, investigators face many challenges, including but not limited to:
- Legal Issues
- Challenges with acquisition
- Evidence type
- Data hiding and encryption techniques
- Size and distribution of the evidence.
Legal Issues
Investigators need to ensure that evidence will be admissible or presentable in court. Guaranteeing admissibility starts with following the scope of the search warrant. For instance, the warrant may be issued for a particular device, or for a particular type of file within a computer. Any other collected artifacts fall outside the warrant and will be inadmissible unless they are covered by another warrant.
Challenges with Acquisition
The evidence may reside on a device with an unsupported interface or operating system.
The evidence volume may be very large; acquiring a large volume can take up to 2–3 days.
In some cases, the investigator cannot power off the device or needs to perform a remote acquisition.
Memory-only malware: these malicious programs load themselves into RAM, leaving no trace of their existence on the hard disk. The solution is to capture the RAM of the system or to conduct live analysis of the system.
Keep in mind that acquiring RAM does not always capture everything, as its contents are constantly changing. Also, live analysis can become very difficult if the device is still in production use.
Type of Digital Evidence
With rapid changes in technology comes the possibility that the tools and methods used in current forensic investigations might not work in the future.
Digital devices evolve on a yearly (sometimes even shorter) basis, with new versions and operating systems. With this comes a large variety of application versions and file formats used within each new version. Analyzing each application may require a different tool!
Data Hiding and Encryption Techniques
The protection of personal data using hiding techniques such as encryption or steganography is increasingly common among average users, which adds another challenge for the analyst trying to retrieve digital artifacts.
Size and Distribution of Digital Evidence
This may be the biggest challenge for a digital forensics investigator, who has to analyze a large amount of data within a limited time frame and sometimes with limited resources!
In some cases, you may encounter data so large that it is impossible to create a forensic image of the evidence. The solution is to define the relevant evidence to be collected, or at least the evidence that helps in incriminating or exonerating the suspect.
Evidence dynamics is any action, intentional or accidental, that may modify, relocate, obscure, or erase the evidence from the time the evidence is transferred until the case ends.
For example, a suspect may intentionally delete a file, overwrite data, or encrypt incriminating data. On the other hand, a system administrator may try to remediate an incident but accidentally corrupt critical evidence. Other examples include, but are not limited to, mistakes made by forensic examiners and natural events such as weather.
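As an added example (not from the article), the following hypothetical Python triage collector ties three of the challenges above together: it collects only files of a type named in the warrant (scope), skips everything else to keep the volume down (size), and records a SHA-256 manifest so that later modification or deletion of an item, whether by a suspect or by an administrator's cleanup, is detected (evidence dynamics). File names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical triage collector (added example, not the article's own tooling).
# ALLOWED models "a particular type of file" named in a warrant; anything else
# is left alone. Each collected file gets a SHA-256 so later changes are visible.

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect_in_scope(root: Path, allowed) -> dict:
    """Return {relative path: sha256} for in-scope files only."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in allowed:
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest

def verify(root: Path, manifest: dict) -> list:
    """Return the collected items whose hash no longer matches (modified or missing)."""
    changed = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_of(p) != digest:
            changed.append(rel)
    return changed

def demo():
    """Constructed sample: two in-scope documents, one out-of-scope image,
    then an 'accidental' overwrite of one document after acquisition."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "reports").mkdir()
        (root / "reports" / "q1.docx").write_bytes(b"quarterly report")
        (root / "notes.txt").write_bytes(b"meeting notes")
        (root / "photo.jpg").write_bytes(b"\xff\xd8 not in scope")
        manifest = collect_in_scope(root, {".docx", ".txt"})
        # Evidence dynamics: an administrator "cleans up" the file afterwards.
        (root / "notes.txt").write_bytes(b"meeting notes (cleaned)")
        return manifest, verify(root, manifest)

if __name__ == "__main__":
    print(demo())
```

The manifest is the record to compare against; any item reported by `verify` can no longer be presented as the artifact originally acquired.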
Finally, before concluding, I would just like to quote Sherlock Holmes again:
“It is the first quality of a criminal investigator that he should see through a disguise”.
That’s all for now. I will be coming up with more such short articles on digital forensics. Stay tuned...