This seems to be an ongoing debate that has a simple explanation (in my opinion)…
1. Start with the basic definition of forensics and move forward from there.
SOURCE: http://www.merriam-webster.com/dictionary/forensic
- Function: adjective
- Etymology: Latin forensis public, forensic, from forum forum
- Date: 1659
1: belonging to, used in, or suitable to courts of judicature or to public discussion and debate
2: argumentative, rhetorical
3: relating to or dealing with the application of scientific knowledge to legal problems
2. Let’s move on to define “computer forensics”
SOURCE: US CERT: http://www.us-cert.gov/reading_room/forensics.pdf
“We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.”
Remember that there are methodologies used in computer forensics which may be destructive, or may not preserve the “original” because of the process used. There are also processes in traditional crime laboratories (DNA, biology, etc.) that use destructive methodologies, leaving no way for a second examination to take place – even for the defense!
Why do we tend to think that if a tool is marketed as “forensic” – that in fact it is? Don’t we do verification and validation? What happens when we do a logical acquisition of a server? Is it not a fact that we are leaving data behind, and that this could be construed as “non-forensic” because it is not a true “bit-by-bit” image?
We all know that cellular telephones are devices that contain data. The only reason there is ANY debate is because companies have developed “forensic” products for these devices. The fact comes down to the examiner’s methodologies used to preserve, analyze, and present the evidence in a legal proceeding.
What we must do as examiners has been roughly outlined in a draft document that I had the honor to be invited to participate in authoring with Sam Brothers, Rick Ayers, and other forensic examiners with the Scientific Working Group on Digital Evidence this past January. The document is titled “Best Practices for Mobile Phone Examinations v1.0” and is available for download, review and your comments at http://swgde.org/documents.html.
There is no debate that cellular telephone data changes all the time. But, we as examiners must recognize that what we are most interested in on cellular telephones is user generated data. We want to see the call logs, text messages, photos, videos, dates and times of activities, etc. This data is written to the phone operating system and is usually retrievable through non-traditional methodologies.
There are also times that we will NOT be able to retrieve the information using “forensic” products, “non-forensic” products (to include flash boxes, BitPim), etc. Do we not oftentimes have “no choice” but to take pictures of the screens we manually navigate to document what the user did? What about if the screen is broken, and there is no way to create a “fraternal clone” [1] as we did back in 2004 when a phone was destroyed and thrown into a canal for a few days? The evidence is there – it is just a matter of documenting HOW you got what you got! At the “tip of the iceberg” is the chip-off technique, which is destructive, yet has been used to pull data from phones when all else fails.
The SWGDE document referenced above should help anyone with questions on what is “acceptable” in this field – for now. SWGDE meets again next week to hopefully finalize this document. You still have a chance to submit your comments at their site. Unfortunately, I will not be at this meeting due to a prior teaching engagement. However, my senior examiner will be there, as well as Sam, Rick and others who read these postings.
Finally, another project I gave input on was the often debated certification at www.mfce.us. That’s my 2 cents on the subject…
Danny Garcia
Miami, Florida
http://www.twitter.com/danmiami
http://www.linkedin.com/garciadanny
——————-
Danny Garcia is a full time law enforcement officer since 1992 and is the supervisor of a forensic computer laboratory in Miami, Florida. He is also a contract instructor with Mobile Forensics, Inc.
[1] Cindy Murphy coined the term “fraternal clone” and presented the information at the Mobile Forensics World Conference 2009.
CyberSpeak Podcast