Welcome to the fun world of Digital Forensics! *ahem* It’s even more fun on the Cloud.
Gathering evidence is a crucial part of digital forensics, cloud or otherwise. Therefore, it is important to identify challenges before you begin the process. Key challenges to keep in mind are –
- The seizure of servers containing files from many users creates privacy issues.
- The trustworthiness of evidence is based in part on the cloud provider.
- Investigators are in part dependent on cloud providers to acquire evidence.
- The technician collecting data may not be qualified for forensic acquisition.
- Unknown location of the physical data can hinder investigations.
Evidence gathering is a long and strenuous process. Here are some recommendations that might be helpful –
- Throughout the process, keep a detailed log of every step that was taken to collect the data, including information about each tool used in the process. The documentation allows other security professionals to repeat the process later if needed.
- Use photographic evidence to provide visual reminders of the computer setup and peripheral devices.
- Before touching a system, make a note of or photograph any pictures, documents, running programs, and other relevant information displayed on the monitor. If a screensaver is active, that should be documented as well because it may be password protected.
- If possible, designate one person on the scene as the evidence custodian. This person should have the sole responsibility to photograph, document, and label every item that is collected and record every action that was taken along with the name of who performed the action, where it was performed, and at what time.
- Since the evidence may not be needed for legal proceedings for an extended time, proper documentation enables you to remember exactly what was done to collect data and can be used to refute claims of mishandling.
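One way to keep the action log described in these recommendations in a form that supports later review is sketched below. This is an added example, not part of the original article: the field names, the `record_action` and `verify_log` helpers and the SHA-256 hash chaining are assumptions chosen for illustration, and the sample names, places and tools are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value used by the first entry


def _digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_action(log, action, performed_by, location, tool=None, when=None):
    """Append one entry: what was done, by whom, where, when, and with which tool."""
    entry = {
        "seq": len(log) + 1,
        "time_utc": (when or datetime.now(timezone.utc)).isoformat(),
        "action": action,
        "performed_by": performed_by,
        "location": location,
        "tool": tool,  # e.g. {"name": ..., "version": ...}, or None if no tool was used
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Return the 1-based position of the first altered, reordered or
    mid-log-deleted entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log, start=1):
        if (entry["seq"] != i or entry["prev_hash"] != prev
                or entry["entry_hash"] != _digest(entry)):
            return i
        prev = entry["entry_hash"]
    return None


if __name__ == "__main__":
    # Constructed sample entries; every name and value here is a placeholder.
    log = []
    record_action(log, "Photographed monitor; screensaver active",
                  "A. Custodian", "Server room 2")
    record_action(log, "Acquired disk image of volume vol-EXAMPLE", "B. Analyst",
                  "Forensic workstation 1",
                  tool={"name": "example-imager", "version": "1.0"})
    print(json.dumps(log, indent=2))
    print("first bad entry:", verify_log(log))
```

Removing entries from the end of the log is not detectable from the chain alone, so the most recent `entry_hash` should also be recorded somewhere separate, such as the custodian's written notes.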
Next article in series – Digital Forensics: E-Discovery