Elsevier

Digital Investigation

Volume 1, Issue 1, February 2004, Pages 61-68

Building theoretical underpinnings for digital forensics research

https://doi.org/10.1016/j.diin.2003.12.004

Abstract

In order for technical research in digital forensics to progress, a cohesive set of electronic forensics characteristics must be specified. To date, although the need for such a framework has been expressed, with a few exceptions, clear unifying characteristics have not been well laid out. We begin the process of formulating a framework for digital forensics research by identifying fundamental properties and abstractions.

Introduction

Research is often done independent of practice, with an aim toward clarifying the terrain or advancing the boundaries of a particular discipline. While this is perfectly acceptable, in the case of digital forensics it is highly useful for researchers to understand the context in which their research may be applied. This is especially true when research leads to the development of forensics tools intended for use in criminal and civil investigations since tools developed for processing digital evidence may themselves come under scrutiny and their use may be restricted. For example, if digital evidence is presented in court then producing evidence may not be good enough. It may also be important to address the admissibility and reliability of the evidence including the methods and tools used to find and process it.

Our goal is to define a set of properties and terms that can be used as organizing principles for the development and evaluation of research in digital forensics. The primary properties discussed are: integrity, authentication, reproducibility, non-interference and minimization. These are proposed as abstractions that can be used to frame questions, model behavior and evaluate procedures. In addition, we see these as highly useful for the development of forensic tools.

In Reith et al. (2002) an abstract model of the digital forensic procedure is given with one goal being “a consistent and standardized framework for digital forensic tool development.” Their model focuses on key features of the process used to collect, examine, analyze and present digital evidence. Unlike the model in Reith et al. (2002), the framework laid out here does not parallel the steps of the investigative process. The model presented is more closely related to that used in computer security research in that we attempt to abstract a context for digital forensics and give properties that are inherent in investigative best practices. In a related work, Carrier gives abstractions that can be used to describe the purposes and goals of digital forensic analysis tools (Carrier, 2003). By using the theory of abstraction layers, Carrier looks at specific issues of evidence collection and analysis that are closely related to concepts presented here.

The motivation for this work comes from several sources. The first Digital Forensics Research Workshop (DFRWS), held in 2001, had as a stated goal “to start a meaningful dialog for defining the field of Digital Forensic Science” (Palmer, 2001). To this end, attendees listed five characteristics that digital forensic science must further develop, including the development of theoretic principles that attempt to explain how things work and the development of abstractions and models that can be used to guide research. The efforts carried out by the first DFRWS mark a beginning of a process and demonstrate the need for further work in this area. Both the second meeting of DFRWS in 2002 and a document produced in June 2002 by the Institute for Security Technology Studies at Dartmouth College (ISTS, 2002) focus primarily on forensics tools, although the need for foundational work is stressed by both groups. Also in National Center for Forensic Science (2003), guidelines for presenting digital evidence in the courtroom are given, including a section on evidentiary considerations discussing digital evidence and a section on data integrity. This paper discusses similar issues but from the viewpoint of tools development and research. Both the Scientific Working Group on Digital Evidence (2000) and the International Organization on Computer Evidence (2000) have also done foundational work especially as it relates to the practice of digital forensics.

Section “Overview” gives an intuitive framework for modeling some of the characteristics of digital forensics. Section “Initial framework” expands and refines the concepts used for expressing this framework.

Section snippets

Overview

In the same way that system security is evaluated relative to a specific security policy, digital forensics is done in an investigative context. In forensics, information is gathered to serve a specific objective, and that objective directly relates to the environment in which the investigation takes place. For example, law enforcement gathers information to serve as evidence in support of a criminal investigation. Within the military community, the same objectives may exist, but the set of laws

Initial framework

This section expands on and refines the intuitions presented in section “Overview”.

What's the point

The intention of this paper is to show that researchers can now ask questions such as:

  • Under what constraints (rules, laws, resources, etc.) can a specific tool be used?

  • For a particular tool or circumstance, can integrity (or any other property) be provided on the data that are processed? If so, is this provable? If not, is this provably so?

  • Are the results obtained by using a tool reproducible? If not, is it possible, or provably impossible, to get reproducibility?

The goal is to frame

Acknowledgements

Thanks go to Special Agent Mark Pollitt for his insight on digital forensics, especially legal concepts (although any errors are mine) and for his knowledge of the history of the field.


References (19)

  • Carrier B. Defining digital forensic examination and analysis tools using abstraction layers. Int J Digit Evid 2003.
  • Casey E. Error, uncertainty and loss in digital evidence. Int J Digit Evid 2002.
  • De Vel Olivier, Corney Malcolm, Anderson Alison, Mohay George. Language and gender analysis of e-mail authorship for...
  • Duren, Hosmer C. Can digital evidence endure the test of time? In: Proceedings of the Second Digital Forensic Research...
  • Giordano J, et al. Cyber forensics: a military operations perspective. Int J Digit Evid 2002.
  • Institute for Security Technology Study. Law enforcement tools and technologies for investigating cyber attacks: a national needs assessment. 2002.
  • International Organization on Computer Evidence. International principles for computer evidence. Forensic Sci Commun April 2000.
  • Landwehr CE. Computer security. Int J Inf Secur 2001.
  • Lyle James. NIST CFTT: testing disk imaging tools. In: Proceedings of Second Digital Forensic Research Workshop 2002;...
There are more references available in the full text version of this article.

Cited by (31)

  • Reliability assessment of digital forensic investigations in the Norwegian police. Forensic Science International: Digital Investigation, 2022.
  • Digital evidence: Unaddressed threats to fairness and the presumption of innocence. Computer Law and Security Review, 2021.

    Citation excerpt: The investigator is guided by law enforcement objectives, while forensic scientists apply scientific methods and aim at impartiality. However, a consistent body of digital forensics literature departed from this legal and regulatory tradition by introducing the term “digital forensic investigation” (DFI) (Carrier, 2006; Ieong, 2006; Kohn, Eloff and Eloff, 2013; Montasari, 2016). Often the term “digital investigators” is used in the sense of digital forensic scientists (van Baar et al., 2014).

  • Network forensics. Managing Information Security, 2nd Edition, 2013.
  • Trust in digital records: An increasingly cloudy legal area. Computer Law and Security Review, 2012.

    Citation excerpt: For this, one cannot rely on file size, dates or other file properties, but needs audit logs and strong methods like Checksum and HASH Algorithms. A second type of integrity digital forensics experts are concerned with is duplication integrity, that is, the fact that, given a data set, the process of creating a duplicate of the data does not modify the data either intentionally or accidentally, and the duplicate is an exact bit copy of the original data set (Mocas, 2004). This type of integrity is extremely important because one can only preserve digital records by reproducing them.

  • Digital forensics research: The next 10 years. Digital Investigation, 2010.

    Citation excerpt: In general, it seems that very few DF systems designers build upon previous work—instead, each new project starts afresh. Following the first DFRWS, Mocas proposed a framework to help build “theoretical underpinnings for digital forensics research (Mocas, 2004).” The purpose of the framework was to “define a set of properties and terms that can be used as organizing principles for the development and evaluation of research in digital forensics.”

Dr. Sarah Mocas is an Assistant Professor of Computer Science at Portland State University and a member of the PSU/CS Center for Information Assurance. She received her Ph.D. in Computer Science from Northeastern University in 1993. Her research interests include computational complexity theory, the examination of complexity theoretic assumption for cryptography, and digital forensics. She participates in an Oregon coalition working to advance the practice of digital forensics. Her activities include expanding educational opportunities in forensics, assisting Hillsboro Police Department, Hillsboro, OR, in building a Police Reserves Specialist Program, and serving as a volunteer reservist specializing in digital forensics.
