UNIT 2 DIGITAL FORENSICS AND INVESTIGATION
3.4 Principles of Digital Forensics
Digital forensics as a sub-field of forensic science is guided by the scientific principles that govern the admissibility of evidence in a court of law. Schowski (2018) discussed the following principles of digital forensics:
● Evidence Exchange: Forensic investigation, among other things, seeks to establish factual conclusions that are informed by credible evidence. Locard's exchange principle states that contact between entities will result in an exchange that leaves a trace. For example, an offender may unknowingly leave fingerprints at the crime scene. In the digital world, email correspondence and web browsing history are examples of these exchanges that can serve as digital evidence in digital forensic investigations.
● Forensic Soundness: Evidence is fundamental in investigations. Therefore, whether in the physical or digital world, evidence should be handled in such a manner that its admissibility in court is not hampered. Forensic soundness means that digital evidence remains complete and materially unaltered by the use of technology or methodology. This implies that proper forensic techniques and consistent methodologies based on established scientific principles were employed in every investigation. However, human error is the major threat to the forensic soundness of digital evidence.
● Authenticity and Integrity: Authenticity of digital evidence is maintained in order to show that the data is the same as when it was seized. Technically, there are instances when digital evidence cannot be compared to its original state, for example random access memory (RAM), which is constantly changing. In such a case, a snapshot can be taken to show the state of the technology when it was seized. Legally speaking, authentication entails establishing to the legal system that: (a) the content of the record has remained unchanged; (b) the information in the record actually originates from its original source; (c) extraneous information about the record is accurate (i.e. the timestamp). In digital forensics, verifying integrity has to do with comparing the fingerprints (cryptographic hashes) of digital evidence when it is first collected as well as throughout its life cycle.
● Chain of Custody: The chain of custody documents the transfer of ownership of digital evidence between entities. It can be used to validate the integrity of evidence that is presented during a court trial. The absence of a chain of custody can raise arguments that evidence has been compromised, altered, or improperly handled, resulting in contamination. A minimum number of custody transfers is preferred, as the individuals concerned may be required to testify about how they handled the evidence while it was in their custody.
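The integrity check and chain-of-custody record described above can be combined into one tamper-evident log: each custody record stores the evidence fingerprint (SHA-256) plus the digest of the previous record, so an altered image or a removed record is detected at verification. The code below is an added illustration and is not from the source text; the evidence bytes and examiner names are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired forensic image; not real evidence.
EVIDENCE = b"constructed sample disk image bytes"


def fingerprint(data: bytes) -> str:
    """SHA-256 digest of the evidence, taken at seizure and at every later check."""
    return hashlib.sha256(data).hexdigest()


def _record_hash(record: dict) -> str:
    """Digest of one custody record (canonical JSON) so the next record can link to it."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def record_custody(chain: list, evidence: bytes, custodian: str, action: str) -> list:
    """Append a custody record carrying the current evidence digest and the digest
    of the previous record, so neither the evidence nor the log can change unnoticed."""
    chain.append({
        "custodian": custodian,
        "action": action,  # e.g. "seized", "transferred", "examined"
        "time": datetime.now(timezone.utc).isoformat(),
        "evidence_sha256": fingerprint(evidence),
        "prev_record_sha256": _record_hash(chain[-1]) if chain else None,
    })
    return chain


def verify_chain(chain: list, evidence: bytes) -> tuple:
    """(True, 'ok') if the evidence still matches every recorded digest and the
    records link without gaps; otherwise (False, reason) naming the first break."""
    current = fingerprint(evidence)
    for i, rec in enumerate(chain):
        expected_prev = _record_hash(chain[i - 1]) if i else None
        if rec["prev_record_sha256"] != expected_prev:
            return False, f"record {i}: custody log altered or record missing"
        if rec["evidence_sha256"] != current:
            return False, f"record {i}: evidence digest no longer matches"
    return True, "ok"


if __name__ == "__main__":
    chain = record_custody([], EVIDENCE, "Examiner A", "seized")
    record_custody(chain, EVIDENCE, "Examiner B", "transferred")
    print(verify_chain(chain, EVIDENCE))           # (True, 'ok')
    print(verify_chain(chain, EVIDENCE + b"!"))    # (False, 'record 0: evidence digest no longer matches')
```

Hash chaining alone cannot detect removal of the most recent record, so in practice the latest record digest is also stored out of band (for example on the signed custody form).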
According to Schowski (2018, pp. 11-12), the G8 Subgroup's Principles on Transborder Access to Stored Computer Data (Data Principles on Accessing Data Stored in a Foreign State), which were approved by the G8, state several principles that can assist law enforcement agencies in investigating technology-enabled crimes in other countries. They are as follows:
● Preservation of stored data in a computer system.
– Each state shall ensure its ability to secure rapid preservation of data that is stored in a computer in particular data held by third parties such as service providers, and that is subject to short retention practices or is otherwise particularly vulnerable to loss or modification, for the purpose of seeking its access, search, copying, seizure or disclosure, and ensure that preservation is possible even if necessary only to assist another State.
– A State may request another State to secure rapid preservation of data stored in a computer system located in that other State.
– Upon receiving a request from another State, the requested State shall take all appropriate means, in accordance with its national law, to preserve such data expeditiously. Such preservation shall be for a reasonable time to permit the making of a formal request for the access, search, copying, seizure or disclosure of such data.
● Expedited mutual legal assistance
– Upon receiving a formal request for access, search, copying, seizure or disclosure of data, including data that has been preserved, the requested State shall, in accordance with its national law, execute the request as expeditiously as possible, by:
• Responding pursuant to traditional legal assistance procedure
• Ratifying or endorsing any judicial or other legal authorization that was granted in the requesting State and, pursuant to traditional legal assistance procedures, disclosing any data seized to the requesting State.
• Using any other method of assistance permitted by the law of the requested State.
– Each State shall, in appropriate circumstances, accept and respond to legal assistance requests made under these Principles by expedited but reliable means of communications, including voice, fax or e-mail, with written confirmation to follow where required.
● Transborder access to stored data not requiring legal assistance
– Notwithstanding anything in these Principles, a State need not obtain authorization from another State when it is acting in accordance with its national law for the purpose of:
• Accessing publicly available (open source) data, regardless of where the data is geographically located.
• Accessing, searching, copying, or seizing data stored in a computer system located in another State, if acting in accordance with the lawful and voluntary consent of a person who has the lawful authority to disclose to it that data. The searching State should consider notifying the searched State, if such notification is permitted by national law and the data reveals a violation of criminal law or otherwise appears to be of interest to the searched State.
Given that cybercrime is largely transnational, international cooperation among nation-states is required to effectively prosecute cybercriminals. The above G8 principles deal with many critical areas involved in transnational cybercrime investigation, such as the preservation of stored data in a computer system, expedited mutual legal assistance, and transborder access to stored data not requiring legal assistance. The whole essence of these principles, and of similar ones contained in other international treaties, is to ensure that cybercriminals are prosecuted as speedily as possible and that they do not find safe havens where they can hide.