Comprehensive Integration Model Frame of Digital Forensic
- LanguageKorean
- Authors Heesung Tak, Wonsang Lee
- ISBN979-11-87160-08-3
- Date December 01, 2016
- Hit401
1. Purpose and Method
Digital forensic refers to technology-based methods and procedures for using digital equipment to elucidate and prove the facts about a certain act in court. To present digital data as legally valid evidence, its integrity, reliability, and authenticity needs to be ensured through technical means capable of addressing the physical and logical vulnerabilities of the digital data. Digital forensic is a comprehensive process consisting of the technical, procedural, and legal elements designed to maintain the evidentiary value of digital evidence across all stages from collection to disposal. In this sense, the field of digital forensic requires constant transformation in keeping with the advancement in the IT sector, and it should be open to new knowledge and technology. Digital forensic investigation, in particular, should be supported by a wide range of IT knowledge and technologies. To this end, a network of IT experts is required to grant instant access to knowledge and technologies required in the respective fields.
Korea has yet to develop common digital forensic guidelines for the relevant government agencies, with different agencies still operating different digital forensic systems under disparate guidelines. The lack of standardized procedures or good practices may give rise to issues with the reliability of digital forensic analysis in Korea. It means the hard-earned forensic data may not be used as evidence at all. In addition, the lack of cooperation between agencies with digital forensic systems vastly restricts their abilities to acquire and use the rapidly changing knowledge and technologies.
In light of the above, this Study seeks to review the digital forensic systems in use at different criminal justice agencies in Korea, identify issues from their practical usage, and shed light on the improvements for the systems. Ultimately, the Study relates itself to developing processes suitable for the shorter life cycles of IT technologies and the speed and confidentiality of forensic investigation. To this end, the Study also seeks to propose an integrated digital forensic process model that will expand Korea’s capabilities of digital crime investigations, by a comparative analysis of the digital forensic systems in the leading countries in the field, such as the United States and the United Kingdom. As for research methods, this Study first reviews the previous literatures on the basic framework of digital forensic, as well as the existing digital forensic process models. The Study also looks into the current digital forensic equipment and their operation at disparate government agencies in Korea, and explores the digital forensic processes required to handle digital evidence and their limitations through interviews with experts in the digital forensic field.
In addition, the digital forensic systems and processes in Korea are uated by comparing them with those of other countries-the United States, the United Kingdom, Germany, Netherlands, and the European Union-to come up with the future directions that may help establishing Korea’s own forensic process.
Lastly, the Study proposes a new model frame for digital forensic process that improves the legal reliability of digital evidence, by considering multiple ways to link the key functions of the integrated digital forensic process with the relevant certification standards, standardization guidelines, technical processes, and legal processes.
2. Need for a New Approach to Digital Forensic
Early discussions on digital forensic focused on the reliability of forensic tools and findings. The focus subsequently shifted to “Chain of Custody,” that is, proving the integrity of evidence by showing the continuity of the custody thereof. In recent years, discussions in the field shifted once again to the reliability of the overall digital forensic process. Technical advancement ironically led to more vulnerabilities in terms of securing the evidentiary value of digital data. The current situation warrants the need for scientific methods of proof capable of maintaining consistency and verifiability across different stages from collection to disposal of digital evidence. There has been a growing recognition of the need and significance of building a process to support the development and application those methods.
After the Federal Bureau of Investigation and other criminal justice agencies in the United States first began to investigate computer evidence in early 1984, the agencies realized that the processes and procedures selected for a specific investigation directly affects its outcome. This led to the adoption of official forensic processes by those agencies. The agencies realized early on that using an unsuitable process not only poses a risk of incomplete or invalid outcomes, but also leads to more serious risks of the evidence collected in arbitrary or unstructured manners not being admitted in courts.
As structured standard processes provide the appropriate mechanisms to be complied with by computer forensic investigators, a variety of new computer forensic investigation processes and improvements on existing models were developed and proposed in the past years.
As for the ways in which the digital forensic process models provide their procedural frames, some of them analyze the outcomes from the existing model and add new stages or break down existing ones, while others define their process frames by integrating or harmonizing the effective stages proposed by existing models. Digital forensic process models today increasingly rely on the concepts of integration and harmonization, and emphasizes compliance with procedural standards. An idea increasingly shared by the digital forensic community is that the use of standardized procedures increase the likelihood of digital evidence being admitted in courts, and minimizes human errors in the overall forensic investigation process.
3. Comparative Analysis of Digital Forensic Systems and Processes in Effect
The Supreme Prosecutor’s Office operates a national-level digital forensic center, where Digital Investigator Offices are tasked with performing digital forensic works. However, to meet the explosion of demands for digital forensic analysis, Digital Forensic Investigation Teams have been set up at seven district prosecutor’s offices to support evidence collection and forensic analysis.
The Prosecution uses a system called D-NET to meet its digital forensic needs. D-NET is a digital investigation network which establishes online connections between digital investigation teams to provide rapid support, while facilitating digital forensic analysis and ensuring thorough control of the evidence. D-NET consist of an integrated task management system for the Digital Forensic Investigation System (DFIS II), a digital evidence control system, an integrated digital evidence analysis system (IDEAS), and a remote digital investigation coordination system. The Prosecution has developed and revised numerous regulations, guidelines, and manuals to ensure the legality of its digital forensic works, such as the Regulation on Evidence Collection and Analysis by Digital Forensic Investigators (revised on July 16, 2015), the Guidelines on the Digital Forensic Exhibit Collection Procedure (revised on July 16, 2015), the Guidelines on the Operation of the National Digital Investigation Network (revised on July 16, 2015), and the Forensic Investigation Manual.
The Digital Forensic Center at the Police Agency first began as a technical support team within the Counter-Cyber Terrorism Center. The team was reorganized into the Digital Forensic Team in 2010, and further expanded into the Digital Forensic Center with the foundation of the Cyber Security Bureau in 2014. Article 27-4 of the Rules on Roles and Responsibilities of the Police Agency breaks down the roles in the Digital Forensic Center into Digital Forensic Planning, Technique Development, Mobile Forensic, and Computer Forensic. According to the Rules, the Center carries out a wide range of tasks including policymaking and support, IT environment analysis, development of new tracking techniques, tool development, development of analysis techniques for mobile devices, and development of evidentiary analysis of digital devices.
The regulation providing for the digital forensic procedures for the Police is the Rules on the Collection and Handling of Digital Exhibits,747) and the Digital Evidence Collection Guide for On-site Investigation and the Standard Guidelines for Digital Evidence Processing also provide guidance.
The researcher also interviewed digital forensic experts in individual or group interviews to find out the issues and limitations of the current digital forensic practices as experienced by the experts in their lines of work, and their general perception of digital forensic processes in Korea.
Interviews with individual digital forensic experts were carried out by personally visiting their offices. Group interviews were conducted with experts tasked with performing or supporting digital forensic works at government agencies, universities, and private organizations (law firms, digital forensic firms, etc.). Six experts from three government agencies were interviewed individually, and the group interviews were attended by fifteen experts.
The interview questions consisted of the structure of digital forensic works in the respective agencies, the overall digital forensic procedures, related guidelines, digital forensic tools, digital forensic experts, and their preparation by revision of the Criminal Procedure Act.
The interviewed experts pointed out the following limitations of the current digital forensic processes.
Firstly, the field of digital forensic suffers from a lack of forensic experts. The findings from the interviews suggest that the lack of experts is one of the major obstacles to meeting the requirements of procedural standards regarding digital forensic. Despite the increased demand for seizure and search of digital evidence from the field, the supply of experts dedicated to digital forensic investigation has remained at the same level, with some agencies even downsizing their forensic workforce. The lack of experts also makes it difficult to secure the reliability of the analysis results, by restricting the crossverification of the analysis carried out by one forensic investigation by another.
The second limitation is related with the reliability of digital forensic tools. The interviews showed that most digital forensic experts - both on the field and in the academia - are keenly aware of the need to verify the digital forensic tools. With the current absence of any official procedure or body to confirm and verify the functional requirements for commercial tools and self-developed tools alike, the experts using those tools often find it difficult to trust the reliability and accuracy of those tools. As for the certification of digital forensic tools, the interviews experts pointed to the need for the adoption of a credible certification body. While the current level of IT expertise in Korea makes it possible to build a system to verify the accurate implementation of functional requirements for digital forensic tools, according to the experts, a private certification system is likely to give rise to questions about the credibility and expertise of those systems.
Thirdly, most government agencies are lacking in terms of the awareness on the standardization of digital forensic processes. The issue of digital forensic process standardization is seldom discussed in Korea, unlike Europe, the United States, and other leading countries in the field. Experts tasked with digital forensic analysis are not keen on the need for standardizing the processes. Most experts express reservations about ISO certification, arguing that the requirements for ISO certification do not readily lend themselves to the actual digital forensic practices in Korea. Most of the interviewees were found to have given little thought to the issue. To the contrary, many interviewees argued that the processes currently in effect are fully capable of maintaining chain of custody, and standardization is not crucial in Korean courts because they seldom touch on the issue of process standards and certification.
Fourthly, Article 313 (2) of the Criminal Procedure Act as revised on May 29, 2016 provides that, even if a person who made a statement denies the authenticity of the statement before or during the trial, the statement is admissible as evidence if its authenticity is proven based on objective digital forensic data and assessments based on scientific analysis. The revised provision opens up new issues to be discussed in the future, such as the competence of digital forensic experts, verification of analysis results, and the proof of scientific analysis that provided the basis for the digital forensic data presented. Regarding this issue, forensic experts in government agencies are considering the related issues such as the need for court testimony training, verification of the reliability of scientific technologies applied to digital forensic, and the method to prove the reliability of analysis results. However, no meaningful preparation has been made regarding the said issues.
4. Digital Forensic Systems and Processes in Leading Countries
In the United States, the National Institute of Justice (NIJ), the Regional Computer Forensic Laboratory (RCFL) and the Defense Computer Forensic Laboratory (DCFL) are the leading organizations in the digital forensic field. These agencies either acquired an ISO 17025 certification, or is in the process of acquiring one. Guidelines and guides on digital forensic works include: Electronic Crime Scene Investigation: A Guide for first Responders, Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors, and Forensic Examination of Digital Evidence: A Guide for Law Enforcement.
In the United Kingdom, after the closure of the Forensic Science Service (FSS), digital forensic works were largely taken up by private forensic service firms and the Science Investigation Center of the Police. The transition gave rise to issues with acquiring ISO 17025 certification, and the Forensic Science Regulator (FSR) was created to provide advices and guidelines for forensic service providers to follow common standards. The FSR enacted the Code of Practice and Conduct. The Code follows the ISO/IEC 17025 standard, and specifies the requirements for a management system where forensic service providers can prove their capability to provide consistent results and services that satisfy the needs of customers in the criminal justice system. The United Kingdom also specifies the basic principles on digital evidence and the components of their digital forensic processes through the Good Practice Guide for Digital Evidence published by the Association of Chief Police Officers ACPO), Crime Business Area.
The European Union operates the European Network of Forensic Science Institutes (ENFSI) to share and exchange expert knowledge in the forensic field. The Network consists of two standing committees, Quality & Competence Committee and Research & Development Committee. The former develops policies for improving competence and competitiveness, provide advice to expert working groups and members centers, and provide other services related with best practices and the application of international standards. The Research & Development committee comes up with the research & development policies for the ENFSI, provide R&D advices to expert working groups and members centers, and promotes joint research projects between research centers.748) The ENFSI has 17 expert working groups. Of the groups, the Forensic Information Technology (FIT) Group developed and distributed a digital forensic manual titled “Best Practice Manual for the Forensic Examination of Digital Technology”. The Manual lays out the frameworks for the relevant procedures, quality improvement principles, and approaches to training procedures and forensic investigation, for the member centers of the ENFSI. The manual supports the application of internationally standardized procedures that considers the unique needs of different regions. In addition, the Guidelines on Digital Forensic Procedures for OLAF staff, Electronic evidence - a basic guide for First Responders is a digital forensic guide prepared for application in European countries.
The construction of digital forensic systems in the leading countries provide several implications for the corresponding efforts in Korea, which can be summarized in four parts. First, digital forensic needs to be performed in compliance with the international standards. The United States and European Countries carry out digital forensic works in accordance with the ISO standards and the Europe-specific ENFSI standards. The Europe Union mandates the application of and compliance with ISO standards in its digital forensic guidelines. Applying the standards specified in the digital forensic guidelines assures the quality of digital forensic analysis regardless of which agency performs the analysis, and courts will also see no problem in admitting them as evidence. Such application is also critical for using the analysis results in courts of other countries. For these reasons, digital forensic practices need to be aligned with the relevant international standards. Secondly, digital forensic bodies need to come up with the models that lend themselves to the specific needs of the bodies. However, these models need to be built through the customization of the relevant international and local standards, rather than creating a model which only suits their needs. A process model for Korea would ideally be based on the ENFSI or the US standards, as Korea has no local standards in this area.
5. Need for Integration of Digital Forensic Process
A digital forensic process should go further than an ordering of digital forensic works; it needs to accurately record the movement of digital evidence through each stage of policies and systems applicable to the entire process, and incorporate the standardization requirements for the components of each stage. These efforts are required to maintain the suitable quality of the processes and procedures used in digital forensic works, and provide the courts with reliable analysis results. To this end, an integrated forensic process capable of managing and controlling the overall forensic works is required. The rationale for an integrated management and control of digital forensic procedures can be summarized as follows.
Firstly, when investigating a case involving digital evidence, investigators with legal knowledge and investigation experiences need to cooperate and collaborate with digital forensic investigators (analysts) with scientific knowledge and technical experience. Otherwise, the reliability of the evidence and the investigative procedures would be questioned. To ensure organic collaboration and mutual cooperation/support between the legal processes and the technical processes, the governance framework for digital forensic works inside investigative agencies need to be expanded to incorporate conventional investigation works into the digital forensic processes, thereby establishing feedbacks and interfaces between the processes at each stage within consistent policy/technical frames.
Secondly, the forensic processes need to adopt standardized criteria to verify the personal and technical quality required for digital forensic processes, so as to produce reliable results through those processes and maintain the evidentiary value of the acquired digital information.
Thirdly, the integration of digital forensic processes should ultimately lead to the acquisition of the certification of the digital forensic lab itself. This issues spans across the overall procedural requirements for digital forensic labs
- procedural connectedness, tools and analysts. Acquiring a certification for a digital forensic lab would mean the verification of its procedures, tools, and personnel, which in turn means the reliability of the digital forensic works carried out by the lab. In this sense, certification of a digital forensic lab is one of the most fundamental issues, which makes it all the more difficult to tackle.
6. Preliminary Considerations for the Integration of Digital Forensic Processes.
The overall processes of collecting, selecting, and analyzing digital data require technical knowledge, experience, and expertise based on scientific knowledge. To translate such scientific and technical expertise into reliability in the legal context, the digital evidence need to be subject to a separate judicial assessment, on the assumption that the science and technologies applied to the assessment are sound. Digital evidence are produced using certain tools suitable for digital technologies. Therefore, their reliability can be determined only based on the understanding of the scientific methods and technical principles applied to the overall processes of converting the exhibits to recognizable data, and presenting them to a court in a format that allows for proving the charges. While it would be unreasonable to expect judges, who lack the understanding of the science and technical methods involved, to determine the accuracy of those science and methods, they need to at least determine whether the science and methods satisfy the criteria regarding scientific soundness or their validity as applied technologies.
The advancement of digital technologies has accelerated the development of digital forensic technologies, and diversified their technical applications. These circumstances may give rise to the question of how we can expect to determine the legal credibility of a certain tool, expert, or process without subjecting them to official verifications. In addition, as explained above, the revision of the Criminal Procedure Act opened a way to prove a fact with digital forensic data based on scientific analysis. Therefore, the credibility of the scientific analysis needs to be substantiated in addition to the credibility of the digital forensic data themselves. This warrants the need for discussions on how to set up the legal tests for these issues in courts.
7. A Model Frame for the Integration of Digital Forensic Processes.
Ensuring the consistency and credibility of digital forensic processes should be preceded by building an integrated management system commonly applicable to the overall operation of the processes. The management system should have the capabilities to control and manage major factors that may affect the accuracy and credibility of the results from the digital forensic processes: the accuracy of ed procedures, personnel training, maintenance and improvement of the processes, environmental conditions for forensic works, and hardware, software, and equipment used for forensic works in the forensic body.
The integrated management system should be applicable to all areas and activities of a digital forensic body. The integrated management system represents a standardized operation procedure that incorporates all guidelines, procedures, regulations, standards, and certifications of a digital forensic body, and a consistent support for ensuring the reliability of digital evidence. This approach allows for the integrative management of digital forensic processes and procedures under a coherent system, and effective coordination of different areas of works, thereby ensuring the forensic processes are operated, reviewed, maintained, and controlled in a way suited to the related works.
A digital forensic body needs to abide by the following principles in building an integrated management system for digital forensic processes.
First, a digital evidence may not be altered across the overall digital forensic processes.
Second, qualifications and training records should be maintained for all personnel tasked with digital forensic works.
Third, all actions taken regarding a digital evidence should be thoroughly recorded.
Fourth, all laws and principles governing digital evidence should be complied with.
In addition, as each digital forensic body needs to comply with the specific requirements of ISO certifications, these standards need to be maintained and managed through the integrated management system.
While the integrated management system comprehensively manages the policy and procedure requirements for the overall digital forensic processes, the process coordination system represents a more detailed and working-level coordination process under those policy and management requirements. In other words, a digital forensic body needs to develop a standardized work process which organically coordinates between the legal, technical, and policy sectors across the handling of cases involving digital evidence, and prepare a system where the different sections aid and support one another, and provide mutual feedbacks. The first step towards such development involves the coordination between the technical processes and legal processes. Also required is a authority control system and a feedback system between different forensic processes and works.
The specific considerations for the key processes are as follows. In the preparation and collection stages, a digital forensic body needs to establish the procedures for compliance with due procedure, packaging, transportation, and preservation of evidence. The analysis and extraction stages required the maintenance of digital forensic analysts’ competences and expertise, as well as digital forensic tools and methodologies. The analysis outcomes should be verified and translated into a credible report in the presentation stage. The last stage, the court testimony stage, requires training forensic analysts for testimonies at courts and effective ways of testimony, so as to prevent the credibility of the outcomes from being undermined.
8. Policy Proposals for the Integration of Digital Forensic Processes
A. Proposals from the Forensic and Technical Perspective
A digital forensic body needs an integrated management system to carry out the overall legal, technical digital forensic procedures under coherent processes. In order to maintain the quality of forensic services, secure the integrity of evidence through the chain of custody, and ensure the reliability of the digital forensic as a whole, the system should be supported a number of sub-systems including the quality management system, the process coordination system, and the standard operation policy system. While the integrated management system offers the policy/management frames for process integration, the working-level integration of forensic processes is achieved through the process coordination system. Specifically, a network of processes needs to be established for each stage under the process coordination system, which will create a virtuous cycle of preparation, collection, investigation/analysis, presentation, testimony, and preservation/maintenance.
In order to ensure that digital forensic is accepted as credible technologies and procedures by the courts, the digital forensic community should begin discussing the need for certification under international standards, and the use of standardized guidelines for forensic processes. Considering the current circumstances surrounding Korean digital forensic today, even the key digital forensic bodies would experience difficulties with acquiring ISO certifications. However, considering the need to expand on the efforts to establish the technical and procedural standards for digital forensic in the future, and the requirements for accuracy and credibility for digital forensic data under the revised Criminal Procedure Act, acquisition of ISO certifications is absolutely necessary.
There is currently no procedure to test and officially verify whether the various digital forensic tools in use today satisfy their functional requirements and produce accurate results. Therefore, except for a number of internationally accepted tools, any tool can be subject to questions about their accuracy and reliability in courts. The same goes to the reliability of the digital evidence produced using those tools. There is no such thing as a “perfect tool.” Therefore, the verification of digital forensic tools need to focus on whether the inherent defect and error of a tool is within the permissible range for the purpose of ensuring the credibility of the analysis results. A viable and ideal course of action is to develop a digital forensic tool verification methodology based on the CFTT project of the NIST, and build public trust toward the digital forensic tools by publicly announcing the tests results.
Another criteria for determining the legal credibility of digital forensic is whether the forensic works are carried out by personnel with suitable expertise and skills. The digital forensic field in Korea still lacks a national-level agency tasked with verifying the competences of forensic experts. The only certification currently available in the country is the Digital Forensic Expert Qualification Test, a private-led qualification program accredited by the government. Although it has been accredited by the government, the qualification and the test contents are comprised of contents developed by the organization implementing the program, without any wide acceptance from the related fields or the application of certified criteria. This led to some questions about the credibility of the certification. Therefore, to ensure the public credibility of forensic experts as well as the credibility of the certifications, the government needs to set up a Certification Committee for Forensic Experts (tentative title) tasked with establishing the technical, legal, and ethical requirements for experts across diverse forensic areas, and have private certification bodies at least adopt the verification system for standard competence items proposed by the Committee.
B. Proposals from the Policy Perspective
Gaps between government agencies in collecting and handling digital forensic evidence may lead to issues of chain of custody. Even if the agency that collected the evidence maintained a suitable chain of custody, its reliability may be questioned if the subsequent agencies lack a suitable preservation procedure or the authorities for the analysis processes are not controlled properly. For this reason, forensic works at agencies authorized to conduct investigations need to be standardized in terms of the collection and handling of digital evidence, and a standardized method is required to prevent the discontinuation of the chain of custody for digital evidence handled by more than one agency.
In addition, the content of the evidence produced by a digital forensic analyst needs to be reviewed for their technical, legal, and procedural accuracy before presenting it to the court. In the final review of a digital forensic report, verification of technical accuracy holds the highest significance. If a technically produced result cannot be replicated by the other party, or the other party argues that the result was derived erroneously, the legal reliability of the evidence may be excluded even if the evidence itself holds an absolute importance in the case. Therefore, all final results produced by a digital forensic analyst should ideally be re-tested by a peer.
The Daubert test is most frequently cited as a test to determine the admissibility of scientific evidence. However, the case is not widely discussed in relation to digital forensic. However, Article 313 (2) of the Criminal Procedure Act as revised on May 29, 2016 provides that, even if a person who made a statement denies the authenticity of the statement before or during the trial, the statement is admissible as evidence if its authenticity is proven based on objective digital forensic data and assessments based on scientific analysis. This may result in the need for legal review of digital forensic data in some cases. That is, the authenticity of digital evidence can be proven only if the reliability and accuracy of digital forensic data is proven in the first place. The reliability and accuracy of digital forensic data based on scientific analysis would need to be supported by the testimony of the forensic analyst. This leads to the need for setting up the legal test for the admissibility of expert testimony on scientific evidence. The Supreme Court of the United States consistently held that the Daubert test also applies to the results produced from digital forensic tools. Then, it follows that the soundness and effectiveness of the methods and technologies used to extract, analyze, and restore digital evidence, and the reliability of the resulting evidence, need to be legally reviewed under the Daubert test. However, some of the criteria under the Daubert test do not readily fit the nature of digital forensic. Therefore, the general test applicable to scientific evidence in general needs to be differently applied and interpreted for the digital forensic field.
Digital forensic refers to technology-based methods and procedures for using digital equipment to elucidate and prove the facts about a certain act in court. To present digital data as legally valid evidence, its integrity, reliability, and authenticity needs to be ensured through technical means capable of addressing the physical and logical vulnerabilities of the digital data. Digital forensic is a comprehensive process consisting of the technical, procedural, and legal elements designed to maintain the evidentiary value of digital evidence across all stages from collection to disposal. In this sense, the field of digital forensic requires constant transformation in keeping with the advancement in the IT sector, and it should be open to new knowledge and technology. Digital forensic investigation, in particular, should be supported by a wide range of IT knowledge and technologies. To this end, a network of IT experts is required to grant instant access to knowledge and technologies required in the respective fields.
Korea has yet to develop common digital forensic guidelines for the relevant government agencies, with different agencies still operating different digital forensic systems under disparate guidelines. The lack of standardized procedures or good practices may give rise to issues with the reliability of digital forensic analysis in Korea. It means the hard-earned forensic data may not be used as evidence at all. In addition, the lack of cooperation between agencies with digital forensic systems vastly restricts their abilities to acquire and use the rapidly changing knowledge and technologies.
In light of the above, this Study seeks to review the digital forensic systems in use at different criminal justice agencies in Korea, identify issues from their practical usage, and shed light on the improvements for the systems. Ultimately, the Study relates itself to developing processes suitable for the shorter life cycles of IT technologies and the speed and confidentiality of forensic investigation. To this end, the Study also seeks to propose an integrated digital forensic process model that will expand Korea’s capabilities of digital crime investigations, by a comparative analysis of the digital forensic systems in the leading countries in the field, such as the United States and the United Kingdom. As for research methods, this Study first reviews the previous literatures on the basic framework of digital forensic, as well as the existing digital forensic process models. The Study also looks into the current digital forensic equipment and their operation at disparate government agencies in Korea, and explores the digital forensic processes required to handle digital evidence and their limitations through interviews with experts in the digital forensic field.
In addition, the digital forensic systems and processes in Korea are uated by comparing them with those of other countries-the United States, the United Kingdom, Germany, Netherlands, and the European Union-to come up with the future directions that may help establishing Korea’s own forensic process.
Lastly, the Study proposes a new model frame for digital forensic process that improves the legal reliability of digital evidence, by considering multiple ways to link the key functions of the integrated digital forensic process with the relevant certification standards, standardization guidelines, technical processes, and legal processes.
2. Need for a New Approach to Digital Forensic
Early discussions on digital forensic focused on the reliability of forensic tools and findings. The focus subsequently shifted to “Chain of Custody,” that is, proving the integrity of evidence by showing the continuity of the custody thereof. In recent years, discussions in the field shifted once again to the reliability of the overall digital forensic process. Technical advancement ironically led to more vulnerabilities in terms of securing the evidentiary value of digital data. The current situation warrants the need for scientific methods of proof capable of maintaining consistency and verifiability across different stages from collection to disposal of digital evidence. There has been a growing recognition of the need and significance of building a process to support the development and application those methods.
After the Federal Bureau of Investigation and other criminal justice agencies in the United States first began to investigate computer evidence in early 1984, the agencies realized that the processes and procedures selected for a specific investigation directly affects its outcome. This led to the adoption of official forensic processes by those agencies. The agencies realized early on that using an unsuitable process not only poses a risk of incomplete or invalid outcomes, but also leads to more serious risks of the evidence collected in arbitrary or unstructured manners not being admitted in courts.
As structured standard processes provide the appropriate mechanisms to be complied with by computer forensic investigators, a variety of new computer forensic investigation processes and improvements on existing models were developed and proposed in the past years.
As for the ways in which the digital forensic process models provide their procedural frames, some of them analyze the outcomes from the existing model and add new stages or break down existing ones, while others define their process frames by integrating or harmonizing the effective stages proposed by existing models. Digital forensic process models today increasingly rely on the concepts of integration and harmonization, and emphasizes compliance with procedural standards. An idea increasingly shared by the digital forensic community is that the use of standardized procedures increase the likelihood of digital evidence being admitted in courts, and minimizes human errors in the overall forensic investigation process.
3. Comparative Analysis of Digital Forensic Systems and Processes in Effect
The Supreme Prosecutor’s Office operates a national-level digital forensic center, where Digital Investigator Offices are tasked with performing digital forensic works. However, to meet the explosion of demands for digital forensic analysis, Digital Forensic Investigation Teams have been set up at seven district prosecutor’s offices to support evidence collection and forensic analysis.
The Prosecution uses a system called D-NET to meet its digital forensic needs. D-NET is a digital investigation network which establishes online connections between digital investigation teams to provide rapid support, while facilitating digital forensic analysis and ensuring thorough control of the evidence. D-NET consist of an integrated task management system for the Digital Forensic Investigation System (DFIS II), a digital evidence control system, an integrated digital evidence analysis system (IDEAS), and a remote digital investigation coordination system. The Prosecution has developed and revised numerous regulations, guidelines, and manuals to ensure the legality of its digital forensic works, such as the Regulation on Evidence Collection and Analysis by Digital Forensic Investigators (revised on July 16, 2015), the Guidelines on the Digital Forensic Exhibit Collection Procedure (revised on July 16, 2015), the Guidelines on the Operation of the National Digital Investigation Network (revised on July 16, 2015), and the Forensic Investigation Manual.
The Digital Forensic Center at the Police Agency first began as a technical support team within the Counter-Cyber Terrorism Center. The team was reorganized into the Digital Forensic Team in 2010, and further expanded into the Digital Forensic Center with the foundation of the Cyber Security Bureau in 2014. Article 27-4 of the Rules on Roles and Responsibilities of the Police Agency breaks down the roles in the Digital Forensic Center into Digital Forensic Planning, Technique Development, Mobile Forensic, and Computer Forensic. According to the Rules, the Center carries out a wide range of tasks including policymaking and support, IT environment analysis, development of new tracking techniques, tool development, development of analysis techniques for mobile devices, and development of evidentiary analysis of digital devices.
The regulation providing for the digital forensic procedures for the Police is the Rules on the Collection and Handling of Digital Exhibits,747) and the Digital Evidence Collection Guide for On-site Investigation and the Standard Guidelines for Digital Evidence Processing also provide guidance.
The researcher also interviewed digital forensic experts in individual or group interviews to find out the issues and limitations of the current digital forensic practices as experienced by the experts in their lines of work, and their general perception of digital forensic processes in Korea.
Interviews with individual digital forensic experts were carried out by personally visiting their offices. Group interviews were conducted with experts tasked with performing or supporting digital forensic works at government agencies, universities, and private organizations (law firms, digital forensic firms, etc.). Six experts from three government agencies were interviewed individually, and the group interviews were attended by fifteen experts.
The interview questions consisted of the structure of digital forensic works in the respective agencies, the overall digital forensic procedures, related guidelines, digital forensic tools, digital forensic experts, and their preparation by revision of the Criminal Procedure Act.
The interviewed experts pointed out the following limitations of the current digital forensic processes.
Firstly, the field of digital forensic suffers from a lack of forensic experts. The findings from the interviews suggest that the lack of experts is one of the major obstacles to meeting the requirements of procedural standards regarding digital forensic. Despite the increased demand for seizure and search of digital evidence from the field, the supply of experts dedicated to digital forensic investigation has remained at the same level, with some agencies even downsizing their forensic workforce. The lack of experts also makes it difficult to secure the reliability of the analysis results, by restricting the crossverification of the analysis carried out by one forensic investigation by another.
The second limitation is related with the reliability of digital forensic tools. The interviews showed that most digital forensic experts - both on the field and in the academia - are keenly aware of the need to verify the digital forensic tools. With the current absence of any official procedure or body to confirm and verify the functional requirements for commercial tools and self-developed tools alike, the experts using those tools often find it difficult to trust the reliability and accuracy of those tools. As for the certification of digital forensic tools, the interviews experts pointed to the need for the adoption of a credible certification body. While the current level of IT expertise in Korea makes it possible to build a system to verify the accurate implementation of functional requirements for digital forensic tools, according to the experts, a private certification system is likely to give rise to questions about the credibility and expertise of those systems.
Thirdly, most government agencies are lacking in terms of the awareness on the standardization of digital forensic processes. The issue of digital forensic process standardization is seldom discussed in Korea, unlike Europe, the United States, and other leading countries in the field. Experts tasked with digital forensic analysis are not keen on the need for standardizing the processes. Most experts express reservations about ISO certification, arguing that the requirements for ISO certification do not readily lend themselves to the actual digital forensic practices in Korea. Most of the interviewees were found to have given little thought to the issue. To the contrary, many interviewees argued that the processes currently in effect are fully capable of maintaining chain of custody, and standardization is not crucial in Korean courts because they seldom touch on the issue of process standards and certification.
Fourthly, Article 313 (2) of the Criminal Procedure Act as revised on May 29, 2016 provides that, even if a person who made a statement denies the authenticity of the statement before or during the trial, the statement is admissible as evidence if its authenticity is proven based on objective digital forensic data and assessments based on scientific analysis. The revised provision opens up new issues to be discussed in the future, such as the competence of digital forensic experts, verification of analysis results, and the proof of scientific analysis that provided the basis for the digital forensic data presented. Regarding this issue, forensic experts in government agencies are considering the related issues such as the need for court testimony training, verification of the reliability of scientific technologies applied to digital forensic, and the method to prove the reliability of analysis results. However, no meaningful preparation has been made regarding the said issues.
4. Digital Forensic Systems and Processes in Leading Countries
In the United States, the National Institute of Justice (NIJ), the Regional Computer Forensic Laboratory (RCFL) and the Defense Computer Forensic Laboratory (DCFL) are the leading organizations in the digital forensic field. These agencies either acquired an ISO 17025 certification, or is in the process of acquiring one. Guidelines and guides on digital forensic works include: Electronic Crime Scene Investigation: A Guide for first Responders, Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors, and Forensic Examination of Digital Evidence: A Guide for Law Enforcement.
In the United Kingdom, after the closure of the Forensic Science Service (FSS), digital forensic works were largely taken up by private forensic service firms and the Science Investigation Center of the Police. The transition gave rise to issues with acquiring ISO 17025 certification, and the Forensic Science Regulator (FSR) was created to provide advices and guidelines for forensic service providers to follow common standards. The FSR enacted the Code of Practice and Conduct. The Code follows the ISO/IEC 17025 standard, and specifies the requirements for a management system where forensic service providers can prove their capability to provide consistent results and services that satisfy the needs of customers in the criminal justice system. The United Kingdom also specifies the basic principles on digital evidence and the components of their digital forensic processes through the Good Practice Guide for Digital Evidence published by the Association of Chief Police Officers ACPO), Crime Business Area.
The European Union operates the European Network of Forensic Science Institutes (ENFSI) to share and exchange expert knowledge in the forensic field. The Network consists of two standing committees, Quality & Competence Committee and Research & Development Committee. The former develops policies for improving competence and competitiveness, provide advice to expert working groups and members centers, and provide other services related with best practices and the application of international standards. The Research & Development committee comes up with the research & development policies for the ENFSI, provide R&D advices to expert working groups and members centers, and promotes joint research projects between research centers.748) The ENFSI has 17 expert working groups. Of the groups, the Forensic Information Technology (FIT) Group developed and distributed a digital forensic manual titled “Best Practice Manual for the Forensic Examination of Digital Technology”. The Manual lays out the frameworks for the relevant procedures, quality improvement principles, and approaches to training procedures and forensic investigation, for the member centers of the ENFSI. The manual supports the application of internationally standardized procedures that considers the unique needs of different regions. In addition, the Guidelines on Digital Forensic Procedures for OLAF staff, Electronic evidence - a basic guide for First Responders is a digital forensic guide prepared for application in European countries.
The construction of digital forensic systems in the leading countries provide several implications for the corresponding efforts in Korea, which can be summarized in four parts. First, digital forensic needs to be performed in compliance with the international standards. The United States and European Countries carry out digital forensic works in accordance with the ISO standards and the Europe-specific ENFSI standards. The Europe Union mandates the application of and compliance with ISO standards in its digital forensic guidelines. Applying the standards specified in the digital forensic guidelines assures the quality of digital forensic analysis regardless of which agency performs the analysis, and courts will also see no problem in admitting them as evidence. Such application is also critical for using the analysis results in courts of other countries. For these reasons, digital forensic practices need to be aligned with the relevant international standards. Secondly, digital forensic bodies need to come up with the models that lend themselves to the specific needs of the bodies. However, these models need to be built through the customization of the relevant international and local standards, rather than creating a model which only suits their needs. A process model for Korea would ideally be based on the ENFSI or the US standards, as Korea has no local standards in this area.
5. Need for Integration of Digital Forensic Process
A digital forensic process should go further than an ordering of digital forensic works; it needs to accurately record the movement of digital evidence through each stage of policies and systems applicable to the entire process, and incorporate the standardization requirements for the components of each stage. These efforts are required to maintain the suitable quality of the processes and procedures used in digital forensic works, and provide the courts with reliable analysis results. To this end, an integrated forensic process capable of managing and controlling the overall forensic works is required. The rationale for an integrated management and control of digital forensic procedures can be summarized as follows.
Firstly, when investigating a case involving digital evidence, investigators with legal knowledge and investigation experiences need to cooperate and collaborate with digital forensic investigators (analysts) with scientific knowledge and technical experience. Otherwise, the reliability of the evidence and the investigative procedures would be questioned. To ensure organic collaboration and mutual cooperation/support between the legal processes and the technical processes, the governance framework for digital forensic works inside investigative agencies need to be expanded to incorporate conventional investigation works into the digital forensic processes, thereby establishing feedbacks and interfaces between the processes at each stage within consistent policy/technical frames.
Secondly, the forensic processes need to adopt standardized criteria to verify the personal and technical quality required for digital forensic processes, so as to produce reliable results through those processes and maintain the evidentiary value of the acquired digital information.
Thirdly, the integration of digital forensic processes should ultimately lead to the acquisition of the certification of the digital forensic lab itself. This issues spans across the overall procedural requirements for digital forensic labs
- procedural connectedness, tools and analysts. Acquiring a certification for a digital forensic lab would mean the verification of its procedures, tools, and personnel, which in turn means the reliability of the digital forensic works carried out by the lab. In this sense, certification of a digital forensic lab is one of the most fundamental issues, which makes it all the more difficult to tackle.
6. Preliminary Considerations for the Integration of Digital Forensic Processes.
The overall processes of collecting, selecting, and analyzing digital data require technical knowledge, experience, and expertise based on scientific knowledge. To translate such scientific and technical expertise into reliability in the legal context, the digital evidence need to be subject to a separate judicial assessment, on the assumption that the science and technologies applied to the assessment are sound. Digital evidence are produced using certain tools suitable for digital technologies. Therefore, their reliability can be determined only based on the understanding of the scientific methods and technical principles applied to the overall processes of converting the exhibits to recognizable data, and presenting them to a court in a format that allows for proving the charges. While it would be unreasonable to expect judges, who lack the understanding of the science and technical methods involved, to determine the accuracy of those science and methods, they need to at least determine whether the science and methods satisfy the criteria regarding scientific soundness or their validity as applied technologies.
The advancement of digital technologies has accelerated the development of digital forensic technologies, and diversified their technical applications. These circumstances may give rise to the question of how we can expect to determine the legal credibility of a certain tool, expert, or process without subjecting them to official verifications. In addition, as explained above, the revision of the Criminal Procedure Act opened a way to prove a fact with digital forensic data based on scientific analysis. Therefore, the credibility of the scientific analysis needs to be substantiated in addition to the credibility of the digital forensic data themselves. This warrants the need for discussions on how to set up the legal tests for these issues in courts.
7. A Model Frame for the Integration of Digital Forensic Processes.
Ensuring the consistency and credibility of digital forensic processes should be preceded by building an integrated management system commonly applicable to the overall operation of the processes. The management system should have the capabilities to control and manage major factors that may affect the accuracy and credibility of the results from the digital forensic processes: the accuracy of ed procedures, personnel training, maintenance and improvement of the processes, environmental conditions for forensic works, and hardware, software, and equipment used for forensic works in the forensic body.
The integrated management system should be applicable to all areas and activities of a digital forensic body. The integrated management system represents a standardized operation procedure that incorporates all guidelines, procedures, regulations, standards, and certifications of a digital forensic body, and a consistent support for ensuring the reliability of digital evidence. This approach allows for the integrative management of digital forensic processes and procedures under a coherent system, and effective coordination of different areas of works, thereby ensuring the forensic processes are operated, reviewed, maintained, and controlled in a way suited to the related works.
A digital forensic body needs to abide by the following principles in building an integrated management system for digital forensic processes.
First, a digital evidence may not be altered across the overall digital forensic processes.
Second, qualifications and training records should be maintained for all personnel tasked with digital forensic works.
Third, all actions taken regarding a digital evidence should be thoroughly recorded.
Fourth, all laws and principles governing digital evidence should be complied with.
In addition, as each digital forensic body needs to comply with the specific requirements of ISO certifications, these standards need to be maintained and managed through the integrated management system.
While the integrated management system comprehensively manages the policy and procedure requirements for the overall digital forensic processes, the process coordination system represents a more detailed and working-level coordination process under those policy and management requirements. In other words, a digital forensic body needs to develop a standardized work process which organically coordinates between the legal, technical, and policy sectors across the handling of cases involving digital evidence, and prepare a system where the different sections aid and support one another, and provide mutual feedbacks. The first step towards such development involves the coordination between the technical processes and legal processes. Also required is a authority control system and a feedback system between different forensic processes and works.
The specific considerations for the key processes are as follows. In the preparation and collection stages, a digital forensic body needs to establish the procedures for compliance with due procedure, packaging, transportation, and preservation of evidence. The analysis and extraction stages required the maintenance of digital forensic analysts’ competences and expertise, as well as digital forensic tools and methodologies. The analysis outcomes should be verified and translated into a credible report in the presentation stage. The last stage, the court testimony stage, requires training forensic analysts for testimonies at courts and effective ways of testimony, so as to prevent the credibility of the outcomes from being undermined.
8. Policy Proposals for the Integration of Digital Forensic Processes
A. Proposals from the Forensic and Technical Perspective
A digital forensic body needs an integrated management system to carry out the overall legal, technical digital forensic procedures under coherent processes. In order to maintain the quality of forensic services, secure the integrity of evidence through the chain of custody, and ensure the reliability of the digital forensic as a whole, the system should be supported a number of sub-systems including the quality management system, the process coordination system, and the standard operation policy system. While the integrated management system offers the policy/management frames for process integration, the working-level integration of forensic processes is achieved through the process coordination system. Specifically, a network of processes needs to be established for each stage under the process coordination system, which will create a virtuous cycle of preparation, collection, investigation/analysis, presentation, testimony, and preservation/maintenance.
In order to ensure that digital forensic is accepted as credible technologies and procedures by the courts, the digital forensic community should begin discussing the need for certification under international standards, and the use of standardized guidelines for forensic processes. Considering the current circumstances surrounding Korean digital forensic today, even the key digital forensic bodies would experience difficulties with acquiring ISO certifications. However, considering the need to expand on the efforts to establish the technical and procedural standards for digital forensic in the future, and the requirements for accuracy and credibility for digital forensic data under the revised Criminal Procedure Act, acquisition of ISO certifications is absolutely necessary.
There is currently no procedure to test and officially verify whether the various digital forensic tools in use today satisfy their functional requirements and produce accurate results. Therefore, except for a number of internationally accepted tools, any tool can be subject to questions about their accuracy and reliability in courts. The same goes to the reliability of the digital evidence produced using those tools. There is no such thing as a “perfect tool.” Therefore, the verification of digital forensic tools need to focus on whether the inherent defect and error of a tool is within the permissible range for the purpose of ensuring the credibility of the analysis results. A viable and ideal course of action is to develop a digital forensic tool verification methodology based on the CFTT project of the NIST, and build public trust toward the digital forensic tools by publicly announcing the tests results.
Another criteria for determining the legal credibility of digital forensic is whether the forensic works are carried out by personnel with suitable expertise and skills. The digital forensic field in Korea still lacks a national-level agency tasked with verifying the competences of forensic experts. The only certification currently available in the country is the Digital Forensic Expert Qualification Test, a private-led qualification program accredited by the government. Although it has been accredited by the government, the qualification and the test contents are comprised of contents developed by the organization implementing the program, without any wide acceptance from the related fields or the application of certified criteria. This led to some questions about the credibility of the certification. Therefore, to ensure the public credibility of forensic experts as well as the credibility of the certifications, the government needs to set up a Certification Committee for Forensic Experts (tentative title) tasked with establishing the technical, legal, and ethical requirements for experts across diverse forensic areas, and have private certification bodies at least adopt the verification system for standard competence items proposed by the Committee.
B. Proposals from the Policy Perspective
Gaps between government agencies in collecting and handling digital forensic evidence may lead to issues of chain of custody. Even if the agency that collected the evidence maintained a suitable chain of custody, its reliability may be questioned if the subsequent agencies lack a suitable preservation procedure or the authorities for the analysis processes are not controlled properly. For this reason, forensic works at agencies authorized to conduct investigations need to be standardized in terms of the collection and handling of digital evidence, and a standardized method is required to prevent the discontinuation of the chain of custody for digital evidence handled by more than one agency.
In addition, the content of the evidence produced by a digital forensic analyst needs to be reviewed for their technical, legal, and procedural accuracy before presenting it to the court. In the final review of a digital forensic report, verification of technical accuracy holds the highest significance. If a technically produced result cannot be replicated by the other party, or the other party argues that the result was derived erroneously, the legal reliability of the evidence may be excluded even if the evidence itself holds an absolute importance in the case. Therefore, all final results produced by a digital forensic analyst should ideally be re-tested by a peer.
The Daubert test is most frequently cited as a test to determine the admissibility of scientific evidence. However, the case is not widely discussed in relation to digital forensic. However, Article 313 (2) of the Criminal Procedure Act as revised on May 29, 2016 provides that, even if a person who made a statement denies the authenticity of the statement before or during the trial, the statement is admissible as evidence if its authenticity is proven based on objective digital forensic data and assessments based on scientific analysis. This may result in the need for legal review of digital forensic data in some cases. That is, the authenticity of digital evidence can be proven only if the reliability and accuracy of digital forensic data is proven in the first place. The reliability and accuracy of digital forensic data based on scientific analysis would need to be supported by the testimony of the forensic analyst. This leads to the need for setting up the legal test for the admissibility of expert testimony on scientific evidence. The Supreme Court of the United States consistently held that the Daubert test also applies to the results produced from digital forensic tools. Then, it follows that the soundness and effectiveness of the methods and technologies used to extract, analyze, and restore digital evidence, and the reliability of the resulting evidence, need to be legally reviewed under the Daubert test. However, some of the criteria under the Daubert test do not readily fit the nature of digital forensic. Therefore, the general test applicable to scientific evidence in general needs to be differently applied and interpreted for the digital forensic field.
File
-
1. 디지털_포렌식.pdf
(2.57MB / Download:848)
Download