Kenya cyber law

Overview

Digital forensics is in some cases also referred to as computer forensics or cyber-forensics. It integrates the fields of computer science and law to investigate crime.

Technology is advancing continuously. Consider this: in the year 1996 we had floppy disks as storage devices with a capacity of not more than 12 MB (megabytes); two decades later, we have smaller devices with 1000 times the capacity of the older storage devices.

New advancements and improvements in digital storage mean more potential data retained for forensic investigators to examine. There is, however, a flip side to these advancements: problems arise when new file systems, stronger encryption standards and newer storage media are developed.

Unquestionably, advances in technology increase the potential of traditional criminal behavior and change its methods. Forensic investigators therefore have to study these new technologies and find correct ways of recovering stored or deleted data.

When Digital Forensics Meets the Law

For digital evidence to be legally admissible in court, investigators must follow proper legal procedures when recovering and analyzing data from a victim’s digital device(s).

The inability of the law to keep pace with technological advancements in some cases limits the use of computer forensic evidence in court. Some of these laws are written without consulting computer forensics experts and are often not reviewed, so they are not reliably adequate for assessing the techniques used in a search of a digital system or device.

Article 19 did a very interesting legal analysis of Kenya’s “Cyber-crime and Computer Related Crimes Bill”. From their final report and recommendations, it is fair to conclude that there is a need to review the bills and laws that involve the use of digital evidence in court. We need to bring our legislators, law enforcement agencies and privacy advocacy groups together to come up with sound Standard Operating Procedures (SOPs) for forensic examiners, as well as laws that can assist in having fair, unbiased trials.

Our prosecutors and lawyers need to understand the forensic techniques used in acquiring digital evidence and be able to ask critical questions before making any decision. Our law schools, on the other hand, need to address some of these issues by reviewing their coursework and giving students an introductory lesson in digital forensics.

Capacity building should be provided to our judges and legislators so as to assist law enforcement agencies in the area of computer-related crime. We can only have a fair judgment when our judges have enough information pertaining to a case and the presented evidence.

To be a source of trusted digital evidence, our law enforcement agencies need proper access to the latest forensic gadgets, hardware and tools to enhance their investigative capabilities. They should be provided with new training at least twice a year; there is much to learn considering the new smartphones, tablets and other devices being rolled out to the public by competing hardware manufacturers.

Privacy concerns are another issue when dealing with forensics. There is a thin line between a suspect’s human rights and the extent of what forensic activities should cover. For instance, suppose a phone is seized from a suspect and then a new SMS is received. Should the new message be subject to review or not? Some privacy advocates can argue that this is a breach of human rights. Also, as free encryption and anonymity tools and skills increase, technology may be (ab)used to help criminals hide their actions (like the recent FBI & Apple debate).

To tackle these problems, we need policies and protocols developed by both law enforcement agencies and legislators. They should stipulate accepted procedures for acquiring evidence and clear out conflicting laws that may obstruct the use of digital evidence in court. These policies and procedures should be unbiased and neutral.

Who is a Qualified Forensic Examiner?

Determining whether a person qualifies as a forensic examiner (also referred to as an expert witness), and whether their testimony is admissible, involves a process of examination, cross-examination, and being recognized by the court.

The attorney calling the potential expert witness should generally read his or her qualifications into the record, and/or may ask a series of questions. These questions are designed to show the person’s credentials as an expert. Such questions might include:

  • What degrees, diplomas, or certificates do you have?
  • What positions have you held in the field?
  • What lectures or courses have you taught in this field?
  • What additional training or courses related to this field have you taken?
  • What memberships in organizations related to this field do you have?
  • What books or papers have you written pertaining to the field?
  • What is your past experience as an expert witness in this field?

However, a forensic examiner doesn't need to have a positive answer to every one of these questions. The key factor is overall expertise, not whether the forensic examiner has an impressive answer to each and every one. After all, the first time anyone testifies in court, the answer to whether you have testified before is a resounding “no.”

Generally, a good forensic examiner or expert witness in court should have the following qualities:

  1. Trained in the use of forensic tools and procedures.
  2. Experienced in conducting forensic examinations.
  3. Ethical, for unbiased analysis of evidence and truthful reporting.
  4. Inquisitive, to discover information and think outside the box.
  5. Methodical in examination and documentation procedures.

Which Tools to Use?

The Computer Forensics Tool Testing (CFTT) Project and the National Institute of Standards and Technology (NIST) describe some forensically sound tools and methods forensic examiners can adopt. They describe tools and methods known and verified to acquire electronic information in a manner that ensures the information is “as originally discovered” and is reliable enough to be admitted into evidence.

Some forensic tools can add information to digital evidence; this new information must be discernible from the original evidence! The process of acquiring electronic information should ensure it is “as originally discovered” and is reliable enough to be admitted into evidence.
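One way to keep tool-added information discernible from the original evidence is to leave the acquired image byte-for-byte identical to the source and write everything the tool adds (examiner, tool name, hashes) to a separate sidecar record. The sketch below is an added example, not code from CFTT or NIST; the function names, the `.acq.json` sidecar and the tool name are assumptions, and the sample evidence is constructed.

```python
import hashlib, json, os, tempfile

CHUNK = 1 << 20  # read in 1 MiB blocks so large images do not fill memory

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image, examiner, tool="example-imager 0.1"):
    """Copy source to image; tool-added data goes only into the sidecar."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as s, open(image, "wb") as d:
        for block in iter(lambda: s.read(CHUNK), b""):
            src_hash.update(block)  # hash what was read from the source
            d.write(block)          # write exactly those bytes, nothing more
    record = {"examiner": examiner, "tool": tool,  # hypothetical tool name
              "source_sha256": src_hash.hexdigest(),
              "image_sha256": sha256_file(image),  # re-read what was written
              "image_bytes": os.path.getsize(image)}
    with open(image + ".acq.json", "w") as f:
        json.dump(record, f, indent=2)
    return record

def verify(image):
    """Return (ok, reason) by checking the image against its sidecar record."""
    with open(image + ".acq.json") as f:
        record = json.load(f)
    if record["source_sha256"] != record["image_sha256"]:
        return False, "image never matched source"
    if os.path.getsize(image) != record["image_bytes"]:
        return False, "size changed"
    if sha256_file(image) != record["image_sha256"]:
        return False, "hash mismatch"
    return True, "matches acquisition record"

def demo():
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "device.bin"), os.path.join(d, "device.img")
        with open(src, "wb") as f:
            f.write(b"constructed sample evidence" * 1000)
        acquire(src, img, "examiner-01")
        before = verify(img)
        with open(img, "r+b") as f:  # simulate a later one-byte alteration
            f.seek(10)
            f.write(b"X")
        return before, verify(img)

if __name__ == "__main__":
    print(demo())
```
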

Below are resources to help law enforcement agencies decide on which tools to use:

  1. National Institute of Standards and Technology (NIST)

  2. Computer Forensics Tool Testing Handbook

Conclusions and Future Issues

The use of digital evidence has been hindered by a lack of nomenclature, due primarily to the reluctance of the courts to interpret emerging legislative actions. There are no clearly defined procedures or laid-out framework to help our investigators, prosecutors and courts determine the legality of either questioned behavior or law enforcement actions.

There is a shift from traditional forms of crime to the use of digital devices such as computers and mobile phones in committing offenses… For instance, terrorists use online social media platforms for recruitment and communication. Criminalizing terrorist acts using digital evidence without a clearly stipulated procedure means that either the suspect's or a law enforcement agency's evidence might be favored by the court.

For a fair trial using digital evidence in our courts of law, we should have a legal framework (one whose development involves legislators, forensic experts from our law enforcement agencies and privacy advocacy groups). Our examiners should have modern forensic laboratories with enhanced investigative capabilities.

Future issues (to be considered):

  1. Developing international cooperation.
  2. Developing relationships between investigative agencies & the private sector.
  3. Establishing accountability for tech users (or should I say abusers?).
  4. Increasing inter-agency and inter-departmental cooperation.