The need for knowledge sharing and standardization

Digital Investigation (2004) 1, 1e2

www.elsevier.com/locate/diin

EDITORIAL

The need for knowledge sharing and standardization It gives me great pleasure to welcome you to the inaugural issue of Digital InvestigationdThe International Journal of Digital Forensics & Incident Response. Digital Investigation is a new meeting ground for the diverse groups in our community to share knowledge in many forms including practitioner case studies, legal briefs, objective comparisons of tools, and peer-reviewed research. In this issue we hear from investigators, attorneys, computer security professionals, and researchers addressing a variety of current and future challenges. Computers have become the weapon of choice for many modern criminals. Thieves use computers to steal valuable information and large amounts of money from organizations and individuals alike. Sex offenders gain access to children through their computers and use them to produce and disseminate child pornography. Parolees are often not permitted mobile telephones or pagers because these devices are commonly used in drug dealing and organized crime. Additionally, employee disciplinary hearings and unfair dismissal claims can hinge on digital evidence, and digital discovery is now a routine part of civil disputes. Even when computers are not directly involved in the commission of a crime, they contain data that reflect the activities of those who use them. Data on personal computers, mobile devices, networks and embedded systems can help establish when events occurred, where victims and suspects were, with whom they communicated, and may even show their intent to commit a crime. In short, it is a rare investigation that does not produce some related digital evidence. The rapid increase in computer-related crime and the ubiquity of digital evidence has created a demand for people who are well versed in the related technical, investigative and legal issues. This sudden demand has resulted in the disorderly

eruption of a nebulous discipline that lacks standards or even clear definitions of fundamental terminology. Many computer security professionals and military personnel use the term computer forensics or digital forensics to refer to all aspects of investigating a security breach or attack whereas those in law enforcement only apply this term to situations when proper evidence handling procedures are employed. To complicate matters, there is disagreement over the role of server logs, network traffic, and other data on the Internet, resulting in terms such as network forensics and incident forensics. In addition to causing confusion, this lack of definitions hinders the development of tools that balance the need for rapid incident response with proper evidence handling, and allows unsafe practices to persist. Many organizations are accepting improper evidence handling in incident response because of inadequate tools and the loose definition of forensics in this area. Even some members of law enforcement do not treat evidence on networks with the same care as evidence on storage media in part because of tool limitations and because they do not include these data in their definition of forensics. These practices are unsafe because improperly handled evidence can lead to inaccurate conclusions and poor decisions that can cause more damage and liability than the incident or offense itself. Although some best practice guidelines and certification programs have been developed in certain areas, they have limited acceptance in the community. As a result, the best practices and training that are available to computer security professionals, law enforcement agents, consultants, attorneys and others who are involved in digital investigations have developed largely independently. The lack of generally required standards

1742-2876/$ - see front matter ª 2004 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2004.01.003

2

Editorial

of practice and training allows weaknesses to persist, resulting in incomplete evidence collection, documentation and preservation as well as errors in examination and interpretation of digital evidence. Until everyone involved in digital investigations, including computer security professionals and defense experts, has access to generally accepted, standardized training and certification programs they will not have the necessary competencies to avoid harmful mistakes. Additionally, without standards of practice, digital investigators do not have widely accepted rules to follow, making their work more difficult and making it is easier for attorneys to raise doubts in a case by exploiting the lack of consensus in the international community rather than faults in the investigation. Standards of practice are particularly important for aspects of digital investigation that are to become a discipline of forensic science. ‘‘The forensic sciences require adherence to standards of operation and of performance. These standards must be clearly enunciated and must be, at least in their basic form, the consensus of opinion of workers in that particular subject area. Stated differently, forensic scientists are not entitled to indulge whims in the conduct of their work. They must adhere to performance norms, which have been previously laid down. A forensic scientist who adopts an extreme position that runs counter to the flow of prevailing opinion on a subject, or who enters an area in which operational norms have not been established, has a burden even greater than usual to justify that position in the light of good scientific practice.’’ [Thornton J.I. (1997) ‘‘The General Assumptions and Rationale of Forensic Identification,’’ for David L. Faigman, David H. Kaye, Michael J. Saks, & Joseph Sanders, Editors, Modern Scientific Evidence: The Law and Science of Expert Testimony, Volume 2, St. Paul, MN: West Publishing Company]. Progress is being made to clarify definitions, develop generally required standards of practice and training, and improve tools and techniques. There are a number of organizations promoting definitions and standards (listed below). The

International Journal of Digital Evidence was established online to provide a platform for theory, research, policy and practice relating to digital evidence. Joining these efforts to advance the field, Digital Investigation has been formed to bring together the diverse groups in our community, including investigators, researchers, and attorneys in corporate, criminal and military settings. Using this venue to share our knowledge with others in the international community, we can collectively keep pace with, and contribute to, developments in this area. It is also our hope that challenges presented by practitioners in this journal will motivate researchers to focus on these areas, and that research published in this journal will help practitioners and tool developers produce practical solutions to these challenges.

Selection of organizations developing definitions and standards  Association of Chief Police Officers & National High-tech Crime Unit (http://www.nhtcu.org/ ACPO Guide v3.0.pdf)  American Society of Crime Laboratory Directors/Laboratory Accreditation Board (http:// www.ascld-lab.org/pdf/aslabrevisions.pdf)  Digital Forensics Research Workshop (http:// www.dfrws.org/)  European Network of Forensic Science Institutes Forensic Information Technology Working Group (http://www.enfsi.org/docs/FITWGBPM-001-003.pdf)  Forensic Science Service (http://www.forensic.gov.uk)  International Journal of Digital Evidence (http://www.ijde.org)  International Organization of Computer Evidence (http://www.ioce.org)  Scientific Working Group on Digital Evidence (http://www.swgde.org) Eoghan Casey Knowledge Solutions LLC 61535 S Hwy 97 #9-148 Bend, OR 97702 United States E-mail address: [email protected]