ESSENTIALS OF Management Information Systems 12e
KENNETH C. LAUDON AND JANE P. LAUDON
CHAPTER 4 ETHICAL AND SOCIAL ISSUES IN INFORMATION SYSTEMS
CASE 3 Data Mining for Terrorists and Innocents
SUMMARY This case describes how data mining software,
combined with Big Data collection from
the Internet, are used to identify potential terrorists. The
PRISM program of the U.S.
National Security Agency (NSA) is an on-going effort to enable
such Internet surveillance.
In some cases innocent people have been mistaken for terrorists,
while sometimes a
terrorist plot is disrupted. The existence of the PRISM program
was a national security
secret until its existence was revealed by Edward Snowden, a
former NSA contractor.
There are two videos in this case:
(1) Data Mining for Terrorists and Innocents (L= 5:10)
URL http://www.youtube.com/watch?v=4lKpD7MC22I
(2) How Does the PRISM Program Work? (L=1:59)
URL https://www.youtube.com/watch?v=JR6YyYdF8ho
CASE Anti-terrorism agencies around the world have made effective use of new surveillance technologies that offer unprecedented abilities to identify and apprehend potential terrorists. Today's terrorists are by nature difficult to track, as disconnected groups of individuals can use the Internet to communicate their plans with a lower chance of detection. Anti-terrorist technology has evolved to better handle this new type of threat.

But there are drawbacks to these new strategies. Often, innocent people may find their privacy compromised or completely eliminated as a result of inaccurate information.

Surveillance technologies are constantly improving. While this makes it more difficult for terrorists and other criminals to exchange information, it also jeopardizes our privacy, on the Internet and elsewhere, going forward. For instance, it may be deemed necessary to monitor the phone calls of all American citizens, and visiting foreigners, in order to uncover a terrorist plot. Is this reason for worry? Are comparisons to Orwell's 1984 appropriate or overblown?

The first video displays both the positive and negative results of new advances in technology. The first segment describes a program called the Dark Web Project, developed by a team at the University of Arizona in Tucson, that combs the Internet in search of militant leaders and their followers. The program creates profiles based on word length, punctuation, syntax, and content, and displays information about the personality type of an individual graphically.

The plotting of information on a graph represents whether the user is violent or militant, inexperienced and seeking advice, or an opinion leader holding sway over many more people. Programs like this have been adopted by many intelligence agencies worldwide, which incorporate them into their arsenal of terrorist surveillance technologies.

It's unclear whether this project infringes on freedom of speech and individual privacy. On the one hand, detection of a potential terrorist is potentially an important method of deterring future terrorist attacks. On the other hand, individuals who haven't done or said anything wrong may be profiled and have their private conversations exposed. An additional concern is how to distinguish what kinds of speech are grounds for surveillance.
The second segment of the video describes the plight of a German sociology professor, Andrej Holm, subjected to jail time and 24-hour surveillance because of his supposed association with a terror cell. Holm has written extensively on gentrification, or the gap between the rich and the poor. A radical group repeated some of his themes in a letter claiming responsibility for arson attacks on police vehicles. Police also found that Holm had spoken to one of the suspected terrorists twice before. Local law enforcement jailed him for three weeks and subjected him to constant surveillance afterwards.

But Holm claims that he is a victim of unfortunate circumstances, and the courts agreed, ruling that his imprisonment was illegal. Holm's phones were tapped and his Internet usage recorded, and while he has been acquitted, he has no assurance that the surveillance has stopped.

The second video describes the National Security Agency's PRISM program for collecting Internet content and behavior, together with the related collection of telephone metadata, on much of the American and global population. Because a large share of global Internet traffic passes through servers and routers in the United States, the program's reach extended well beyond U.S. borders. Nine of the largest telecommunications and Internet companies cooperated with the government program. Developed in the years after the World Trade Center terrorist attack on September 11, 2001, under surveillance authorities Congress enacted beginning with the Patriot Act (October 2001), the PRISM program was a closely held national security secret until revealed by Edward Snowden, a contract worker for the NSA who copied classified documents describing the program from the NSA and distributed them to newspapers worldwide. Snowden escaped arrest in the United States by fleeing, eventually to Russia. He is regarded by some as a traitor for revealing national security secrets, and by others as a national hero, a whistleblower who alerted the American public to what may be illegal activity by their government, activity which, in their view, threatens freedom of speech, assembly, privacy, and democracy itself.

VIDEO CASE QUESTIONS

1. Does the Tucson data-mining project inappropriately violate the privacy of Internet users, or is it an acceptable tradeoff to more intelligently combat terrorism? Explain your answer.
2. Were the local police justified in their handling of Holm? Why or why not? For whichever view you take, briefly describe the opposing viewpoint.
3. Name the nine US Internet providers that were cooperating with the PRISM program. For each, describe some of the information which they could uniquely provide.
4. Why did the Internet companies provide the government with information on their users?
5. Is the PRISM program a danger to American democracy? Why, or why not?
COPYRIGHT NOTICE
Copyright © 2016 Kenneth Laudon.
This work is protected by United States copyright laws and is
provided solely for the use of instructors
in teaching their courses and assessing student learning.
Dissemination or sale of any part of this work
(including on the World Wide Web) will destroy the integrity of
the work and is not permitted. The work
and materials from this site should not be made available to
students except by instructors using the
accompanying text in their classes. All recipients of this work
are expected to abide by these restrictions and
to honor the intended pedagogical purposes and the needs of
other instructors who rely on these materials.
Defense Acquisition University Alumni Association Research Paper Competition, 2010 ACS 2nd place
METRICS-BASED
Risk Assessment
and Management
of DIGITAL FORENSICS
Mehmet Sahinoglu, MSgt Stephen Stockton, USAF (Ret.),
Capt Robert M. Barclay, USAF (Ret.), and Scott Morton
Driven by the ubiquity of computers in modern life and the subsequent rise of cybercriminality and cyberterrorism in the government and defense industry, digital forensics is an increasingly salient component of the defense acquisition process. Though primarily located in the law enforcement community, digital forensics is increasingly practiced within the corporate world for legal and regulatory requirements. Digital forensics risk involves the assessment, acquisition, and examination of digital evidence in a manner that meets legal standards of proof and admissibility. The authors adopt a model of digital forensics risk assessment that quantifies an investigator's experience with eight crucial aspects of the digital forensics process. This research adds the concept of quantifying through a designed risk meter algorithm to calculate digital forensics risk indices. Numerical and/or cognitive data were painstakingly collected to supply input parameters to calculate the quantitative risk index for the digital forensics process. Much needed risk management procedures and metrics are also appended.
Keywords: Cyberterrorism, cybercriminality, risk meter
154 Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177
A Publication of the Defense Acquisition University
http://www.dau.mil
Digital forensics is a topic that has been popularized by television programs such as CSI. Crime-solving glamour and drama aside, the reality is that the digital forensics process is a highly technical field that depends on the proper implementation of specific, well-accepted protocols and procedures. Inadequate forensic tools and technical examination, as well as lack of adherence to appropriate protocols and procedures, can result in evidence that does not meet legal standards of proof and admissibility. Digital forensics risk arises, for example, when personnel lack the proper tools to conduct investigations, fail to process evidentiary data properly, or do not follow accepted protocols and procedures.
Assessing and quantifying digital forensics risk is the goal of this article. To do so, the authors utilize a digital forensics risk meter, based on a series of questions designed to assess respondents' perceptions of digital forensics risk. Based on the responses, a digital forensics risk index is calculated. This approach differs from others in that they typically provide general guidance in the form of best practices, classification schemes or, at best, a checklist for digital forensics procedures, and do not provide quantitative tools (based on game theory) for risk management and mitigation. Examples of other such approaches follow:
• U.S. Department of Justice, Forensic Examination of Digital Evidence: A Guide for Law Enforcement (general guidelines and worksheets) (U.S. Department of Justice, 2004)
• Error, Uncertainty, and Loss in Digital Evidence (certainty levels) (Casey, 2002)
• Cyber Criminal Activity Analysis Models using Markov Chain for Digital Forensics (suspicion levels) (Kim & In, 2008)
• Two-Dimensional Evidence Reliability Amplification Process Model for Digital Forensics (evidence reliability) (Khatir, Hejazi, & Sneiders, 2008)
• Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility (checklist) (Jones & Valli, 2011)
One approach that does employ quantification, Metrics for
Network Forensics
Conviction Evidence, is confined to network forensics—mostly
measuring
severity impact—and does not provide mitigation advice
(Amran, Phan,
& Parish, 2009). In that research article, the authors show “how
security
metrics can be used to sustain a sense of credibility to network
evidence
gathered as an elaboration and extension to an embedded feature
of Network
Forensics Readiness (NFR).” They then propose “a procedure of
evidence
acquisition in network forensics … then analyze a sample of a
packet data in
order to extract useful information as evidence through a
formalized intu-
itive model, based on capturing adversarial behavior and layer
analysis, …
apply the Common Vulnerability Scoring System—or CVSS
metrics to show
the severity of network attacks committed…”(p. 1).
The digital forensics risk meter presented in this article will
provide objec-
tive, automated, dollar-based risk mitigation advice for
interested parties
such as investigators, administrators, and officers of the court
to minimize
digital forensics risk. Figure 1 represents a decision tree
diagram to assess
risk; Figure 2 (with the Advice column on the right extracted
from Figure
B-1, Appendix B) represents sample mitigation advice generated
from the
respondents’ inputs. This article will not only present a
quantitative model,
but will generate a prototype numerical index that facilitates
appropriate
protocols and procedures to ensure that legal standards of proof
and admis-
sibility are met.
FIGURE 1. DIGITAL FORENSICS RISK DIAGRAM
[Tree diagram, reconstructed from the figure labels. Root node: Digital Forensics Risk. Branches (vulnerabilities) with their leaves (threats):
Protocols & Procedures: Mission Statement; Personnel; Administrative; Service Request/Intake; Case Management; Evidence Handling/Retention; Case Processing; Technical Procedures Development
Evidence Assessment: Case Assessment; Onsite Location Assessment; Processing; Search Authority; Evaluation
Evidence Acquisition: Precautions; Protection; Preservation
Evidence Examination: Preparation; Physical Extraction; Logical Extraction; Timeframe Analysis; Data Hiding Analysis; Application/File Analysis; Ownership/Possession
Documentation & Reporting: Examiner Notes; Examiner Report; Findings Details/Summation
Digital Forensics Tools: Hardware; Software; Training; Funding
Legal Aspects: Jurisdiction; Search & Seizure; Admissibility
Victim Relations: Victim Rights & Support; Court Preparation; Media]
FIGURE 2. MEDIAN DIGITAL FORENSICS RISK METER RESULTS MITIGATED TO 35.83%
[Screenshot of the risk meter results table; only the parts legible in the extraction are reproduced here. Columns: Vulnerab., Threat, CM & LCM, Res. Risk, CM & LCM (optimized), Res. Risk (optimized), Change, Opt Cost, Unit Cost, Final Cost, Advice. Each row holds the vulnerability and threat probabilities, the countermeasure (CM) and lack-of-countermeasure (LCM) values before and after optimization, and the residual risk (vulnerability x threat x LCM) before and after.
Rows the optimization changed (values as legible in the figure):
- Documentation & Reporting / Examiner Notes: vulnerability 0.317111, threat 0.559259, CM 0.450000 / LCM 0.550000, Res. Risk 0.097541; optimized CM 0.721705 / LCM 0.278295, Res. Risk 0.049355; Change 0.271705; Opt Cost $49.77. Advice: Increase the CM capacity for threat "Examiner Notes" for the vulnerability of "Documentation & Reporting" from 45.00% to 72.17% for an improvement of 27.17%.
- Victim Relations / Victim Rights & Support: vulnerability 0.462847, threat 0.408269, CM 0.725000 / LCM 0.275000, Res. Risk 0.051966; optimized CM 0.999195 / LCM 0.000805, Res. Risk 0.000152; Change 0.274195; Opt Cost $50.23. Advice: Increase the CM capacity for threat "Victim Rights & Support" for the vulnerability of "Victim Relations" from 72.50% to 99.92% for an improvement of 27.42%.
Totals: Total Change 54.59%; Total Cost $100.00; Break Even Cost $1.83.
Summary panel: Criticality 1.00; Capital $1,000.00; Total Risk 0.458337 (45.833670%) before and 0.358337 (35.833698%) after optimization; Final Risk 0.458337 / 0.358337; ECL $458.34 / $358.34; ECL Delta $100.00; Total Threat N/A.
Note. CM = Countermeasure; ECL = Expected Cost of Loss; LCM = Lack of Countermeasure; Opt = Optimize to; Res. Risk = Residual Risk; Vulnerab. = Vulnerability.]
Vulnerabilities, Threats, and
Countermeasures
Based on industry best practices guidelines, such as the U.S.
Department
of Justice (2004) Forensic Examination of Digital Evidence: A
Guide for Law
Enforcement, eight specific vulnerabilities are assessed:
1. Protocols and Procedures
2. Evidence Assessment
3. Evidence Acquisition
4. Evidence Examination
5. Documentation and Reporting
6. Digital Forensics Tools
7. Legal Aspects
8. Victim Relations
Within each vulnerability category, questions pertain to specific threats and countermeasures. For example, within the Evidence Acquisition vulnerability, respondents are asked questions regarding precautions, protection, and preservation threats and countermeasures. Within the Evidence Examination vulnerability, respondents are asked questions regarding preparation, physical extraction, logical extraction, timeframe analysis, data hiding analysis, application/file analysis, and ownership/possession threats and countermeasures. Within the Digital Forensics Tools vulnerability, respondents are asked questions regarding hardware, software, training, and funding threats and countermeasures. Figure 1 details these vulnerabilities and threats. The responses are then used to generate a quantitative Digital Forensics risk index.
Assessment Questions
Questions are designed to elicit responses regarding the
perceived risk
to proper Digital Forensics procedures, evidence
handling/examination,
admissibility, and other associated issues from particular
threats, as well
as the countermeasures the respondents may employ to
counteract those
threats. For example, in the Evidence Examination
vulnerability, questions
regarding the data hiding analysis threat include both threat and
counter-
measure questions. Threat questions would include:
• Do file headers not correspond to file extensions?
• Did the suspect encrypt or password-protect data?
• Are hidden messages present?
• Are host-protected areas (HPA) present?
Countermeasure questions would include:
• Did the examiner correlate file headers to the corresponding
file extensions to identify any mismatches that may indicate
the user intentionally hid data?
• Did the examiner gain access to all password-protected, encrypted, and compressed files, which may indicate an attempt to conceal the data from unauthorized users?
• Did the examiner conduct a thorough steganographic analysis?
• Did the examiner gain access to HPAs that may indicate an attempt to conceal data?
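The first two countermeasure questions above (header/extension correlation, and access to encrypted or compressed files) are the kind of check that can be scripted rather than answered from memory. The following is an added example, not code from the article or from the authors' tool: it compares each file's leading bytes (its magic number) with what the extension claims, and flags content that matches no known signature but has entropy near 8 bits per byte, the usual tell for encrypted or compressed data that an examiner still has to get into. The signature table is a small hand-picked subset (production tooling such as libmagic or The Sleuth Kit carries thousands of entries), and the sample files are constructed in memory so the script runs offline.

```python
"""Header/extension correlation for the "data hiding analysis" countermeasure.

Added example, not code from the article. A file whose magic number disagrees
with its extension, or that carries no recognisable header but looks random,
goes onto the examiner's review list.
"""
import math
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

# Well-known magic numbers at offset 0 (a deliberately small subset).
SIGNATURES: Dict[str, bytes] = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "zip": b"PK\x03\x04",
    "exe": b"MZ",
    "elf": b"\x7fELF",
    "gz": b"\x1f\x8b",
    "7z": b"7z\xbc\xaf\x27\x1c",
}
# Extensions whose on-disk container is one of the signatures above.
ALIASES: Dict[str, str] = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip",
                           "pptx": "zip", "jar": "zip", "apk": "zip", "dll": "exe"}
HIGH_ENTROPY = 7.5  # bits per byte; above this the data is likely encrypted or compressed


def identify(data: bytes) -> Optional[str]:
    """Return the signature name matching the file's leading bytes, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0..8); random-looking data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_file(name: str, data: bytes) -> Dict[str, object]:
    """Classify one file as match, mismatch, no-signature or no-signature-high-entropy."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = ALIASES.get(ext, ext)
    actual = identify(data)
    entropy = shannon_entropy(data)
    if actual is not None and actual == claimed:
        verdict = "match"
    elif actual is not None:
        verdict = "mismatch"  # the extension lies about the content
    elif entropy >= HIGH_ENTROPY:
        verdict = "no-signature-high-entropy"  # candidate for encryption/steganography review
    else:
        verdict = "no-signature"  # plain text or unknown format: manual review
    return {"file": name, "extension": ext, "signature": actual,
            "entropy": round(entropy, 2), "verdict": verdict}


def triage(files: Sequence[Tuple[str, bytes]]) -> List[Dict[str, object]]:
    """Return only the findings an examiner must look at, worst first."""
    order = {"mismatch": 0, "no-signature-high-entropy": 1, "no-signature": 2, "match": 3}
    results = [check_file(n, d) for n, d in files]
    return sorted((r for r in results if r["verdict"] != "match"),
                  key=lambda r: order[r["verdict"]])


# Constructed sample files (names and bytes invented for this example).
SAMPLE_FILES: List[Tuple[str, bytes]] = [
    ("report.pdf", b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"),
    ("vacation.jpg", b"PK\x03\x04\x14\x00\x00\x00\x08\x00secret.txt"),  # zip renamed to .jpg
    ("brief.docx", b"PK\x03\x04\x14\x00\x06\x00[Content_Types].xml"),  # zip container, legitimate
    ("notes.txt", b"Chain of custody form signed at 09:15; drive imaged behind a write blocker.\n"),
    ("photo2.jpg", bytes(range(256)) * 16),  # no header, maximal entropy: looks encrypted
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES):
        print(finding)
```

Running the script lists the renamed archive first, the headerless high-entropy file second and the plain text file last; the legitimate .docx is reported as a match because its extension is mapped to the zip container it really is. Record the findings in the examiner notes, since the same ordering is what the threat questions above ask about.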
Sample vulnerability (Evidence Acquisition) assessment questions employed in the digital forensics risk meter are found in Appendix A. Appendix A also clarifies and precludes confusion between Evidence Acquisition and materiel acquisition. The first proactive step in any digital forensic investigation is acquisition. The inherent problem with digital media is that it is readily modified just by accessing files. Working from a copy is one of the fundamental steps to making a forensic investigation auditable and acceptable to a court (Acquisition, n.d.).
Risk Calculation and Risk Management
through Surveys
Based on their experience, the respondents answer yes or no to the survey questions. These responses are then used to calculate residual risk. Employing a game-theoretical mathematical approach, the calculated risk index is used to generate an optimization or lowering of risk to desired levels (Sahinoglu, 2007, 2016). A more detailed set of mitigation advice will be generated to show interested parties (such as investigators, administrators, and officers of the court) where risk can be reduced to optimized or desired levels. An example of such risk reduction is shown in Figure 2, from 45.8 percent to 35.8 percent, which represents the median response from the study participants (Sahinoglu, Cueva-Parra, & Ang, 2012). Figure 2 is an actual screenshot of a results table, representing the median digital forensics risk meter results displaying threat, countermeasures, residual risk indices, optimization options, and risk mitigation advice. For this study, a random sample of responses from 27 survey participants was analyzed; their residual risk results are tabulated and presented in Appendix B. The survey portfolio used in this assessment and upon which this research article is based showed the complexity of the digital forensics field, encompassing tools, procedures, specific training, budget, and trial.
Digital forensics has two crucial phases (Appendix A). The first phase included all the forensics involved with the collection of data, while the second phase concerns defending the data collected, the means by which the data were collected, and the chain of custody applied from the original collection until court (Sahinoglu, Stockton, Morton, Barclay, & Eryilmaz, 2014). The initial goal was to obtain survey input from local city leaders in Montgomery, Alabama. Although individuals from the Governor's Office, Montgomery Police Department, and District Attorney's office were willing to assist, our short timeframe and their busy schedules prevented their offices from providing input to the digital forensics survey. Fortunately, the authors had contacts at other law enforcement offices, which agreed to make personnel available for the survey and eventual follow-up. Eventually, three law enforcement offices and one special investigation/training organization participated and provided valuable input.
Our first objective was to explain the purpose of the survey and the potential value the combined results could offer each of the offices. At each location, participants included investigators, initial responders, digital forensics specialists, and legal experts (i.e., District Attorney Office personnel). The range of expertise of the participants was invaluable, as each provided insight into an aspect of the survey that is often unique to a position within a department. Because of this range of expertise, the authors are confident they were able to capture the three main components of the survey portion of the Risk-o-Meter (RoM). Perspectives from collection of evidence, packaging of evidence for trial, and presentation of evidence at trial were all given. Although the special investigation/training organization had many fewer survey participants, they did offer a unique perspective, as they represented an organization that focuses on training digital forensics experts for the military.

The results were then run for each participant, determining the Initial Repair Cost to Mitigate. This was determined by using a Criticality of 1.0, Equipment Cost of $0.0, and a Production Cost of $1,000. The median of all results was determined and then optimized through the RoM to determine the best "bang for the buck" that would reduce the participant's Total Residual Risk by 10 percentage points. The initial Total Residual Risk for the median participant was 45.8 percent, with an Expected Cost of Loss (ECL) of $458.34 (the residual risk index multiplied by the Criticality and the $1,000 Production Cost). Once optimized, the Total Risk was reduced to 35.8 percent, and the ECL was reduced by $100 to a total ECL of $358.34 (Figure 2). The first optimized solution was to increase the countermeasure (CM) capacity for the "Examiner Notes" threat for the Documentation and Reporting vulnerability from 45.0 percent to 72.17 percent, for an improvement of 27.17 percentage points. The second optimized solution was to increase the CM capacity for the "Victim Rights and Support" threat for the Victim Relations vulnerability from 72.50 percent to 99.92 percent, for an improvement of 27.42 percentage points.
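The arithmetic behind the paragraph above can be reproduced from the figures on the page. The following is an added example, not the authors' Risk-o-Meter software: it implements the residual-risk index and the optimization step as they can be read off Figure 2. Three things in it are assumptions rather than statements from the article: a row's residual risk is taken to be P(vulnerability) x P(threat | vulnerability) x P(lack of countermeasure), which is the relation the figure's columns satisfy (0.317111 x 0.559259 x 0.55 = 0.097541); the optimizer raises countermeasure (CM) capacity on the rows with the largest vulnerability x threat product first, capped just under 100 percent, which is the rule that yields exactly the two CM changes the article reports (the authors' game-theoretic formulation in Appendix B is not on this page); and the per-row costs are spread over the CM improvements at the break-even unit cost (ECL saved divided by the total percentage-point change), which reproduces the figure's $49.77, $50.23 and $1.83. The two named rows carry the values legible in Figure 2; the other two rows are constructed filler and the helper names are mine.

```python
"""Residual-risk index and countermeasure optimization in the style of the
digital forensics risk meter described above (added example; assumptions as
stated in the lead-in, not the authors' software)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class ThreatRow:
    vulnerability: str
    threat: str
    v: float   # P(vulnerability), from the vulnerability questions
    t: float   # P(threat | vulnerability), from the threat questions
    cm: float  # countermeasure capacity in [0, 1]; LCM = 1 - cm

    @property
    def lcm(self) -> float:
        return 1.0 - self.cm

    @property
    def residual_risk(self) -> float:
        return self.v * self.t * self.lcm


def total_risk(rows: Sequence[ThreatRow]) -> float:
    return sum(r.residual_risk for r in rows)


def expected_cost_of_loss(risk: float, criticality: float, capital: float) -> float:
    """ECL = residual risk * criticality * capital (Figure 2: 0.458337 * 1.0 * $1,000 = $458.34)."""
    return risk * criticality * capital


Change = Tuple[int, ThreatRow, ThreatRow]  # (row index, before, after)


def optimize(rows: Sequence[ThreatRow], target_reduction: float,
             max_cm: float = 0.9992) -> Tuple[List[ThreatRow], List[Change]]:
    """Greedy (assumed rule): v*t is the risk reduction per unit of CM gained, so take
    rows in descending v*t, raising CM up to max_cm, until the total residual risk has
    dropped by target_reduction. Changes are returned in table order."""
    new_rows = list(rows)
    remaining = target_reduction
    changes: List[Change] = []
    by_payoff = sorted(range(len(new_rows)),
                       key=lambda i: new_rows[i].v * new_rows[i].t, reverse=True)
    for i in by_payoff:
        if remaining <= 1e-12:
            break
        row = new_rows[i]
        slope, headroom = row.v * row.t, max_cm - row.cm
        if slope <= 0 or headroom <= 0:
            continue
        delta = min(headroom, remaining / slope)  # partial increase on the last row
        improved = replace(row, cm=row.cm + delta)
        new_rows[i] = improved
        remaining -= slope * delta
        changes.append((i, row, improved))
    if remaining > 1e-9:
        raise ValueError("target reduction not reachable with CM capped at max_cm")
    return new_rows, sorted(changes, key=lambda c: c[0])


def advice_text(before: ThreatRow, after: ThreatRow) -> str:
    """Same wording as the Advice column of Figure 2."""
    old, new = before.cm * 100, after.cm * 100
    return (f'Increase the CM capacity for threat "{before.threat}" for the vulnerability '
            f'of "{before.vulnerability}" from {old:.2f}% to {new:.2f}% '
            f'for an improvement of {new - old:.2f}%')


def break_even_costs(changes: Sequence[Change], ecl_delta: float) -> Tuple[float, List[float]]:
    """Unit cost per percentage point of CM at which spending equals the ECL avoided."""
    points = [(a.cm - b.cm) * 100 for _, b, a in changes]
    unit_cost = ecl_delta / sum(points)
    return unit_cost, [p * unit_cost for p in points]


# Survey-derived rows. The two named rows carry the values legible in Figure 2;
# the last two are constructed filler so the optimizer has rows to pass over.
FIGURE_2_ROWS: List[ThreatRow] = [
    ThreatRow("Documentation & Reporting", "Examiner Notes", 0.317111, 0.559259, 0.450),
    ThreatRow("Victim Relations", "Victim Rights & Support", 0.462847, 0.408269, 0.725),
    ThreatRow("Evidence Acquisition", "Precautions", 0.200, 0.400, 0.600),  # constructed
    ThreatRow("Digital Forensics Tools", "Training", 0.150, 0.300, 0.500),   # constructed
]


def run_example(rows: Sequence[ThreatRow] = FIGURE_2_ROWS, criticality: float = 1.0,
                capital: float = 1000.0, reduction: float = 0.10) -> Dict[str, object]:
    before = total_risk(rows)
    new_rows, changes = optimize(rows, reduction)
    after = total_risk(new_rows)
    ecl_delta = expected_cost_of_loss(before - after, criticality, capital)
    unit_cost, costs = break_even_costs(changes, ecl_delta)
    return {"risk_before": before, "risk_after": after,
            "ecl_before": expected_cost_of_loss(before, criticality, capital),
            "ecl_after": expected_cost_of_loss(after, criticality, capital),
            "advice": [advice_text(b, a) for _, b, a in changes],
            "unit_cost": unit_cost, "costs": costs, "total_cost": sum(costs)}


if __name__ == "__main__":
    result = run_example()
    for line, cost in zip(result["advice"], result["costs"]):
        print(f"{line}  (cost ${cost:.2f})")
    print(f"break-even ${result['unit_cost']:.2f} per point; total ${result['total_cost']:.2f}")
```

With these inputs the optimizer caps "Victim Rights & Support" at 99.92 percent (its vulnerability x threat product, 0.189, is the largest) and takes the remaining 0.048 of risk from "Examiner Notes", landing on 72.17 percent; the two advice strings, the $100 ECL delta and the $1.83 break-even unit cost all match Figure 2. The filler rows are never touched because their payoff per point of CM is lower. Whatever the real selection rule in the authors' second-stage software, this is the property a practitioner should check before trusting an "optimized" advice column: each recommended change must reduce residual risk by more per dollar than the changes it was preferred over.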
Table B-2 in Appendix B depicts a set of constrained linear equations used within the body of the risk meter's innovative second-stage software for the game-theoretic optimization necessary to create the Advice column (shown on the right in Figure 2). The Advice column's original survey calculations are depicted in Figure B-1, which displays company ECSO8: 14th Ranked Overall Median Survey. This is followed by Figure B-2, which displays company OPD1's Group Median Survey Taker's Original Survey Outcome; while Figure B-3 displays company AUPD5's Group Median Survey Taker's Original Survey Outcome. In each case, the company representative seemed impressed with the results and noted the results for possible future implementation. One organization actually commented that they had already begun looking into increases in at least one CM that was identified by the optimization. Clearly, this episode validated the tool and its usefulness in their eyes.
Discussion and Conclusions
The advantages of conducting business on the Internet have
been well
documented. Conducting business online is frequently faster and
cheaper
than utilizing traditional methods. However, this comes with the
digital
forensics-related vulnerabilities and pertinent threats that tend
to convert
the positive advantages to clear disadvantages as a result of fraud and
wrongdoing. With the advent of the Internet and burgeoning
information
systems, digital forensics has gained worldwide momentum. In
every envi-
ronment, the content of digital information relative to criminal
undertakings
and investigations alike has vastly increased, growing
disproportionately
to the capacities of state and local governments, as well as
federal agencies
and military components. The risk assessment, risk mitigation,
or general
risk management that involve planned investment policy in
order of priority,
with a sound and auditable, cost-effective approach, are missing
links. The
proposed digital forensics risk meter is an innovative initiative
that provides
a quantitative assessment of risk to the user as well as
recommendations
for mitigating that risk. This approach will be a highly useful
tool to inter-
ested parties such as investigators, company or system
administrators, and
officers of the court seeking to minimize and thereby mitigate
digital foren-
sics risk by leveraging and introducing early, preventive CMs
identified as
an outcome of this dynamic closed-end survey.
Additional future research by the principal author will involve
the addition
of cloud computing concerns such as service provider
cooperation and data
accessibility, as well as the incorporation of new questions so
as to better
refine user responses and subsequent calculation of risk and
mitigation recommendations. Minimization or mitigation of digital forensics risk will greatly facilitate the success of digital forensics investigations, ensuring that legal standards of proof and admissibility are ultimately met. The digital forensics risk meter tool provides the means to identify areas where risk can be minimized, as well as giving the objective, dollar-based mitigation advice to do just that. This aspect of objective quantifiable risk assessment and management will add to the trustworthiness of acquisition practices in terms of dependable Internet communications involving great quantities of materiel and their budgetary repercussions.
Limitations and Future Research
The limitations are obvious due to input data deficiency, but
methods
such as the one proposed in this article are a good way to start
due to the
objective, hands-off, automated, cost-effective treatment of the
problem at
hand. Sound assessment of digital forensics risk can result when
informa-
tion entered, from learned respondents, is as close to the truth
as feasibly
possible. The discussion that follows clarifies how this proposed work is directly relevant to acquisition risk mitigation if applied appropriately within a system.
This research article is not focused on the usual law
enforcement or digi-
tal-policing procedures, but is directed towards greater
awareness for the
in-house (e.g., acquisition community) workforce as they
manage already
existing risk assessment and risk management algorithms. By
leveraging
the countermeasures outlined in this article (in particular, the
Advice col-
umn in Figure 2, which employs probability-estimation and
game-theoretic
risk computing), the authors anticipate that acquisition
practitioners can
better preclude future digital forensics breaches by taking
timely CMs.
Law enforcement, in cooperation with the defense acquisition
community,
is increasingly becoming an important player in digital
forensics, thereby
lending increased scrutiny in this vital area. Law enforcement is
more aware
of evidence such as drug cartel activity and money laundering
through all
avenues such as export, import, and domestic acquisition
activities. Even
in homicide cases, much useful evidence can be deduced by
using digital
forensics information. In addition, digital forensics sciences not
only can
break a difficult case, but can do so quickly and inexpensively
compared to
police detectives’ usual time-tested, but tedious practices. The
proposed
risk meter software and its algorithm can successfully lead the
way toward
navigating the stages of cost-effective risk assessment and
management.
In conclusion, the best “bang for the buck” derives from simple
usability
and scientific objectivity.
A Publication of the Defense Acquisition University
http://www.dau.mil
Appendix A
Sample Vulnerability (Evidence Acquisition, Documentation
and Reporting, and Victim Relations) Assessment Questions
(in XML format) and Survey Template
<survey>
  <vulnerability title="Evidence Acquisition" level="0">
    <vQuestion>Are special precautions not taken to preserve digital evidence?</vQuestion>
    <vQuestion>Was write protection not utilized to preserve and protect original evidence?</vQuestion>
    <vQuestion>Was digital evidence not secured in accordance with departmental guidelines?</vQuestion>
    <vQuestion>Was speed the primary concern when it came to acquiring digital evidence?</vQuestion>
    <threat title="Precautions">
      <tQuestion>Was evidence on storage devices destroyed or altered?</tQuestion>
      <tQuestion>Was equipment damaged by static electricity and magnetic fields?</tQuestion>
      <tQuestion>Was the original internal configuration of storage devices and hardware unnoted?</tQuestion>
      <tQuestion>Were investigators unable to provide drive attributes?</tQuestion>
    </threat>
    <threat title="Protection">
      <tQuestion>Was CMOS/BIOS information not captured?</tQuestion>
      <tQuestion>Was the computer’s functionality and the forensic boot disk not …
Next-Generation Digital Forensics: Challenges and
Future Paradigms
Reza Montasari and Richard Hill
Department of Computing and Engineering, The University of Huddersfield, Huddersfield, U.K.
Abstract— In recent years, Information and Communications Technology (ICT) has rapidly advanced, bringing numerous benefits to the lives of many individuals and organisations. Technologies such as Internet of Things (IoT) solutions, Cloud-Based Services (CBSs), Cyber-Physical Systems (CPSs) and mobile devices have brought many benefits to technologically-advanced societies. As a result, commercial transactions and governmental services have rapidly grown, revolutionising the lifestyles of many individuals living in these societies. While technological advancements undoubtedly present many advantages, at the same time they pose new security threats. As a result, the number of cases that necessitate Digital Forensic Investigations (DFIs) is on the rise, culminating in a backlog of cases for law enforcement agencies (LEAs) worldwide. Therefore, it is of paramount importance that new research approaches be adopted to deal with these security threats. To this end, this paper evaluates the existing set of circumstances surrounding the field of Digital Forensics (DF). Our research study makes two important contributions to the field of DF. First, it analyses the most difficult technical challenges that need to be considered by both LEAs and Digital Forensic Experts (DFEs). Second, it proposes specific future research directions, the undertaking of which can assist both LEAs and DFEs in adopting a new approach to combating cyber-attacks.
Keywords—digital forensics, IoT forensics, cloud forensics,
cybersecurity, digital investigation, encryption, anti-forensics
I. INTRODUCTION
In recent years, we have witnessed rapid advancements in
Information and Communication Technology (ICT) features.
Technologies such as communication networks, mobile devices,
Internet of Things (IoT) solutions, Cloud-Based Services
(CBSs), Cyber-Physical Systems (CPSs) have brought many
benefits to technologically-advanced societies [1, 2, 3]. As a
result, commercial transactions and governmental services have
rapidly grown, revolutionising the life styles of many
individuals living in these societies. While technological
advancements undoubtedly present many advantages, at the
same time they pose new cybersecurity threats which have
significant impacts on a variety of domains such as government
systems, enterprises, ecommerce, online banking, and critical
infrastructure. According to an official survey conducted by The
Office for National Statistics [4], there were an estimated 3.6
million cases of fraud and two million computer misuse offences
in a year. Although there is a variety of reasons for conducting
cybercrimes, the motivation is often for financial gain. The
fundamental issue associated with cybercrime consists of
damage to reputation, monetary loss, in addition to impacts on
the confidentiality, integrity and availability of data.
By exploiting technology, cybercriminals, for instance, will
be able to turn IoT nodes into zombies (using malicious
software), carry out distributed denial of service (DDoS) attacks
(engineered through botnets), and create and distribute malware
aimed at specific appliances (such as those affecting VoIP
devices and smart vehicles) [1, 2], [5, 6, 7, 8, 9]. Other
challenges resulting from such technological advancements
include, but are not limited to: high volume of data,
heterogeneous nature of digital devices, advanced hardware and
software technologies, anti-forensic techniques, video and rich
media, whole drive encryption, wireless, virtualisation, live
response, distributed evidence, borderless cybercrime and dark
web tools, lack of standardised tools and methods, usability and
visualisation. The deployment of IP anonymity and the ease with
which individuals can sign up for a cloud service with minimum
information can also pose significant challenges in relation to
identifying a perpetrator [2], [5], [8], [9, 10].
As a result, the number of cases that necessitate DFIs is on
the rise, culminating in a growing backlog of cases for
LEAs worldwide [11, 12]. Therefore, given the discussion
above, it is of paramount importance that new research
approaches be created to deal with the aforementioned security
challenges. To this end, we evaluate the existing set of
circumstances surrounding the field of DF. Our research study
makes two important contributions to the field of DF. First, it
analyses the most difficult mid and long-term challenges that
need to be considered by both LEAs and DFEs. Second, it
proposes important specific future research directions, the
undertaking of which can assist both LEAs and DFEs in
adopting a new approach to combating cyber-attacks.
II. CHALLENGES
As the field of DF continues to evolve, its development is
severely challenged by the growing popularity of digital devices
and the heterogeneous hardware and software platforms being
utilised [2], [13, 14]. For instance, the increasing variety of file
formats and OSs hampers the development of standardised DF
tools and processes [15]. Furthermore, the emergence of
smartphones that increasingly utilise encryption renders the
acquisition of digital evidence an intricate task. Additionally,
advancements in cybercrime have culminated in the substantial
challenge of business models, such as Crime as a Service
(CaaS), which provides the attackers with easy access to the
tools, programming frameworks, and services needed to conduct
cyberattacks [2]. The following sub-sections analyse the key
issues that pose significant challenges to the field of DF.
A. Cloud Forensics
The cloud computing paradigm presents many benefits to both organisations and individuals. One such advantage relates to the manner in which data is managed by the cloud infrastructure. For instance, data is spread across various data centres to improve performance and to support load balancing, scalability and deduplication. Because of this, data requires efficient indexing so that retrieval can be optimised and duplication, which often inflates storage needs, can be avoided. A side effect is that evidence left by adversaries is more difficult to eliminate, since it may have been replicated to several locations, which can make the acquisition and examination of evidence easier to perform.
However, despite its many benefits, cloud computing poses
significant challenges to the LEAs and DFEs from a forensic
perspective. These include, but are not limited to, problems
associated with the absence of standardisation amongst different
CSPs, varying levels of data security and their Service Level
Agreements [5], [16, 17], multiple ownerships, tenancies, and
jurisdictions. Moreover, the distributed nature of cloud
computing services presents a variety of challenges to LEAs as
data often resides in a number of different jurisdictions. In
contrast with traditional DF in which data is held on a single
device, within cloud environments data is often spread over
multiple different nodes. As a result, LEAs need to rely on local
laws to be able to conduct digital evidence acquisition [1], [7],
[18]. Therefore, the discrepancy in the legal systems of different
jurisdictions, combined with the lack of cooperation between
CSPs, also poses significant challenges from a DF perspective.
In addition, existing DF models, frameworks, methodologies
and tools are mainly intended for off-line investigations,
designed on the premise that data storage under investigation is
within the LEAs’ control [19]. However, performing DFIs within a cloud environment is increasingly challenging as digital evidence is often short-lived and stored on media beyond the control of DFEs [1]. Anonymising tools and distributed data storage in cloud services also enable criminals to cover their malicious activities more easily. Furthermore, the use of features such as IP anonymity and the ease with which one can sign up for a cloud service with minimal information make it almost impossible to identify criminals in cloud environments [1], [7, 8]. Another challenge for DF is the availability of different models for delivering cloud services (CSs). Specifically, investigating the data of an infrastructure-as-a-service (IaaS) user can be done without too many restrictions, but in the case of customers using software-as-a-service (SaaS) resources, access to information might be minimal or entirely absent.
Last, but not least, accessing a software application through a cloud computing system often leaves traces of evidence in various places on the OS, such as registry entries or temporary Internet files. However, evidence is lost once the user has exited the virtual environment, as virtualisation sanitises traces of leftover artefacts. As a result, virtualisation limits the traditional examination of leftover artefacts, rendering digital evidence traditionally stored on hard drives potentially unrecoverable [20, 21]. Therefore, cloud-based forensic investigations pose significant challenges related to the identification and extraction of evidential artefacts.
B. Network Forensics
A Network Forensic Investigation (NFI) pertains to the acquisition, storage and examination of network traffic (encapsulated in network packets) generated by a host, an intermediate node, or a whole network segment, in order to establish the source of a security attack. Network traffic objects that require analysis include the protocols used, IP addresses, port numbers, timestamps, malicious packets, transferred files, user agents, application server versions and operating system versions. This data can be acquired from different types of traffic.
Like any other sub-field of DF, NF poses various challenges to DFEs and LEAs. One of the challenges concerns traffic data sniffing. Depending on the network set-up and the security measures at the point where the sniffer is installed, the tool is likely not to capture all of the intended traffic. This can be addressed by utilising a SPAN (mirror) port on network devices in various places in the network. Another challenge for NF is that an attacker might encrypt the traffic, for instance over an SSL VPN connection. In this case, although the addresses and ports will still be visible to DFEs, the data stream will not be, and additional analysis will be needed to establish what data was transferred.
Another challenge is determining the source of an attack, since an attacker may use a zombie machine or an intermediate host to perform the attack, or simply use a remote proxy server. The deployment of such methods makes it very difficult for DFEs to determine the source of the attack. A related practical difficulty is the volume of data that a full capture produces. This can be mitigated by examining each packet only in a basic manner in memory and storing only selected fields for later examination. Although this approach needs far less storage, it often requires a faster processor to keep up with the incoming traffic. To capture and analyse evidential network data, DFEs use a number of commercial and open-source applications such as tcpdump and WinDump. Additionally, ensuring the privacy of legitimate end users is another challenging factor in NF, as all packet data, including that of end users, is captured during an investigation.
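As an added example (not code from the paper), the following Python script implements the "store only selected fields" approach described above on constructed sample frames: it parses raw Ethernet/IPv4/TCP frames, aggregates them into per-connection flow records (addresses, ports, timing, packet and byte counts) and discards payloads, which also addresses the end-user privacy concern. It flags flows whose payload carries TLS records, the case where, as noted, addresses and ports remain visible but the data stream does not. The frames, addresses and timestamps are all constructed; real input would come from tcpdump/WinDump output or a SPAN port feed.

```python
"""Flow-record extraction from raw Ethernet/IPv4/TCP frames.

Added example (not from the paper): keeps the fields an examiner can still
use when the stream is encrypted (addresses, ports, timing, byte counts),
drops the payload itself, and flags flows whose payload is a TLS record so
the examiner knows the content is unavailable without the session keys.
"""
import struct
from dataclasses import dataclass


@dataclass
class Flow:
    first_ts: float
    last_ts: float
    packets: int = 0
    payload_bytes: int = 0
    tls_seen: bool = False      # payload began with a TLS record header


def parse_frame(frame: bytes):
    """Return (src, dst, sport, dport, payload) for Ethernet II/IPv4/TCP, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                                  # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < total_len:
        return None                                  # malformed or not TCP
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x14..0x17, version 0x03 0x00..0x04."""
    return (len(payload) >= 5 and 0x14 <= payload[0] <= 0x17
            and payload[1] == 0x03 and payload[2] <= 0x04)


def summarise(packets):
    """packets: iterable of (timestamp, frame). Returns {(src, dst, sport, dport): Flow}."""
    flows = {}
    for ts, frame in packets:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        key = (src, dst, sport, dport)
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(first_ts=ts, last_ts=ts)
        flow.last_ts = max(flow.last_ts, ts)
        flow.packets += 1
        flow.payload_bytes += len(payload)          # counted, never stored
        flow.tls_seen = flow.tls_seen or looks_like_tls(payload)
    return flows


def build_frame(src, dst, sport, dport, payload: bytes) -> bytes:
    """Constructed frame for the demo; checksums are left zero (not needed to parse)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


# Constructed capture: one TLS session (the hex prefixes are TLS record headers)
# and one plaintext HTTP request followed by a bare ACK carrying no payload.
SAMPLE_CAPTURE = [
    (1.000, build_frame("10.0.0.5", "203.0.113.7", 51000, 443, bytes.fromhex("1603010040") + b"\x01" * 64)),
    (1.020, build_frame("203.0.113.7", "10.0.0.5", 443, 51000, bytes.fromhex("1603030050") + b"\x02" * 80)),
    (1.050, build_frame("10.0.0.5", "203.0.113.7", 51000, 443, bytes.fromhex("1703030020") + b"\x03" * 32)),
    (2.000, build_frame("10.0.0.5", "198.51.100.9", 51001, 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")),
    (2.100, build_frame("10.0.0.5", "198.51.100.9", 51001, 80, b"")),
]

if __name__ == "__main__":
    for key, f in summarise(SAMPLE_CAPTURE).items():
        print(f"{key[0]}:{key[2]} -> {key[1]}:{key[3]}  pkts={f.packets} "
              f"bytes={f.payload_bytes} span={f.last_ts - f.first_ts:.3f}s tls={f.tls_seen}")
```

A real deployment would feed frames from a pcap file or a raw socket instead of SAMPLE_CAPTURE. The parser deliberately ignores non-IPv4 and non-TCP frames rather than guessing at them, and it never retains payload bytes, so the flow table can be kept for the life of the case without copying end-user content.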
C. Internet of Things (IoT) Forensics
The Internet of Things (IoT) which is supported by the cloud,
big data and mobile computing often connects anything and
everything ‘online’. The IoT represents the interconnection of
uniquely identifiable embedded computing devices within the
current Internet infrastructure. Some IoT devices are ordinary
items with built-in Internet connectivity, whereas some are
sensing devices developed specifically with IoT in mind. The
IoT covers technologies, such as: unmanned aerial vehicles
(UAVs), smart swarms, the smart grid, smart buildings and
home appliances, autonomous cyber-physical and cyber-
biological systems, wearables, embedded digital items, machine
to machine communications, RFID sensors, and context-aware
computing, etc. Each of these technologies has become a specific domain in its own right, and with new types of devices constantly emerging, the IoT is rapidly approaching ubiquity. With an estimated 50 billion devices networked by 2020 [20, 21], it has been estimated that there will be around 10 connected IoT devices for every person worldwide [22].
IoT-connected devices offer many benefits both individually
and collectively. For instance, connected sensors can help
farmers to monitor their crops and cattle so as to improve
production, efficiency and track the health of their herds.
Intelligent health-connected devices can save or significantly
improve patients’ lives through wearable devices. For instance,
the wearable device developed by Intel can track symptoms of
Parkinson's disease patients by passively collecting 300
observations per second from each wearer, tracking various
activities and symptoms [23, 24].
However, despite its many benefits, IoT-connected devices
pose significant privacy and security challenges as these devices
and systems collect significant personal data about individuals.
As an example of privacy challenge, employers can use their
employees’ security access cards to track where they are in the
building to determine how much time the employees spend in
their office or in the kitchen. Another example relates to smart
meters that can determine when one is home and what
electronics they use. This data is shared with other devices and
stored in databases by companies. In relation to the security
challenges, due to the constant emergence of new and diverse
devices with varied OSs as well as the different networks and
related protocols, IoT produces a wider security attack surface
than that created by cloud computing. Examples of cyberattacks
that can be carried out on IoT devices include: intercepting and
hacking into cardiac devices such as pacemakers and patient
monitoring systems, launching DDoS attacks using
compromised IoT devices, hacking or intercepting In-Vehicle
Infotainment (IVI) systems, and hacking various CCTV and IP
cameras. Therefore, security is of paramount importance for the
secure and reliable operation of IoT-connected devices.
Although the IoT has monitoring requirements similar to those of cloud computing, it poses more security challenges, resulting from issues such as volume, variety and velocity. Furthermore, DFIs of IoT devices can be even more difficult than cloud-based investigations, as more complex procedures are needed to investigate these devices.
IoT Forensics must involve identification and extraction of
evidential artefacts from smart devices and sensors, hardware
and software which facilitate a communication between smart
devices and the external world (such as computers, mobile, IPS,
IDS and firewalls), and also hardware and software which are
outside of the network being investigated (such as cloud, social
networks, ISPs and mobile network providers, virtual online
identities and the Internet). However, extracting evidential
artefacts from IoT devices in a forensically-sound manner and
then analysing them tend to be a complex process, if not
impossible, from a DF perspective. This is due to a variety of
reasons, including: the different proprietary hardware and
software, data formats, protocols and physical interfaces, spread
of data across multiple devices and platforms, change,
modification, loss and overwriting of data, and jurisdiction and
SLA (when data is stored in a cloud). Thus, determining where
data resides and how to acquire data can pose many challenges
to DFEs.
For instance, the DF analysis of IoT devices used in a business or home environment can be challenging in relation to establishing to whom data belongs, since digital artefacts might be shared or transmitted across multiple devices. In addition, because IoT devices often utilise proprietary formats for data and communication protocols, understanding the links between artefacts in both time and space can be very complex. Another challenge related to the DFI of IoT devices concerns the chain of custody. In a civil or criminal trial, collecting evidence in a forensically sound manner and preserving the chain of custody are of paramount importance. However, ownership and preservation of evidence in an IoT setting can be difficult, which can undermine a court’s confidence that the evidence acquired is reliable.
Furthermore, existing DF tools and methods used to investigate IoT devices are designed mainly for traditional DF, examining conventional computing devices such as PCs, laptops and other storage media and their networks. For instance, the current methods utilised to extract data from IoT devices include: obtaining a flash memory image, acquiring a memory dump through the Linux dd command or netcat, and extracting firmware via JTAG and UART interfaces. Moreover, protocols such as Telnet, SSH, Bluetooth and Wi-Fi are used to access and interact with IoT devices. Likewise, tools such as FTK, EnCase, Cellebrite, X-Ways Forensics and WinHex, and internal utilities such as the Linux dd command (for IoT devices running OSs such as embedded Linux), are used to extract and analyse data from IoT devices. However, the forensic investigation of IoT devices necessitates specialised handling procedures, techniques, and an understanding of various OSs and file systems. Additionally, by using conventional computer forensic tools to conduct IoT forensics, it would be highly unlikely to maintain a chain of custody, adherence to which is required by the Association of Chief Police Officers [25] guidelines concerning the collection of digital evidence.
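The following Python script is an added example, not a tool from the paper, of the dd-style acquisition step in a form that preserves the chain of custody discussed above. It copies a storage device to an image file in 1 MiB reads (what `dd if=/dev/mtd0 bs=1M` does before piping to netcat), hashes the source as it is read, independently re-hashes the written image, and writes a JSON acquisition record beside the image. The device path, case ID and examiner name are hypothetical; run_demo() uses a temporary file of constructed data as the "device" and shows that verify() catches a single flipped byte afterwards.

```python
"""Hash-verified acquisition of an embedded-device storage image with a
chain-of-custody record.

Added example, not from the paper. Covers the same ground as the common
`dd if=/dev/mtd0 bs=1M | nc <examiner-host> <port>` step, but hashes the
source while it is read, independently re-hashes the written image, and
writes a JSON acquisition record (case, examiner, host, time, size, SHA-256)
beside the image. Paths are hypothetical; run_demo() uses a temporary file
standing in for the device node.
"""
import hashlib
import json
import os
import socket
import tempfile
import time

CHUNK = 1 << 20                     # 1 MiB reads, like dd bs=1M


def _sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, image: str, case_id: str, examiner: str) -> dict:
    """Copy source -> image, hashing as we go; return the acquisition record."""
    h_source, size = hashlib.sha256(), 0
    started = time.time()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h_source.update(chunk)          # hash of what the device handed us
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())              # make sure the bytes reached disk
    image_hash = _sha256_of_file(image)     # hash of what is actually on disk
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquisition_host": socket.gethostname(),
        "source": source,
        "image": image,
        "bytes": size,
        "sha256_source": h_source.hexdigest(),
        "sha256_image": image_hash,
        "verified": h_source.hexdigest() == image_hash,
        "started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(started)),
        "finished_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(image + ".json", "w") as f:
        json.dump(record, f, indent=2)      # the record travels with the image
    return record


def verify(image: str) -> bool:
    """Re-check at any later point (before analysis, or in court): image unchanged?"""
    with open(image + ".json") as f:
        record = json.load(f)
    return _sha256_of_file(image) == record["sha256_image"]


def run_demo() -> dict:
    """Constructed device: 3 MiB of deterministic data in a temporary file."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "mtd0")           # stand-in for /dev/mtd0
        content = hashlib.sha256(b"constructed-flash").digest() * (3 * 1024 * 1024 // 32)
        with open(device, "wb") as f:
            f.write(content)
        image = os.path.join(tmp, "mtd0.img")
        record = acquire(device, image, "CASE-0001", "examiner-01")   # hypothetical IDs
        ok_before = verify(image)
        with open(image, "r+b") as f:                # simulate post-acquisition tampering
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0xFF]))     # flip one byte
        return {
            "bytes": record["bytes"],
            "verified_at_acquisition": record["verified"],
            "expected_sha256": hashlib.sha256(content).hexdigest(),
            "sha256_image": record["sha256_image"],
            "verify_before_tamper": ok_before,
            "verify_after_tamper": verify(image),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two hashes are recorded on purpose: the source hash proves what the device returned at acquisition time, and the image hash proves what was written; if they ever differ the copy itself was faulty, which is a different finding from later tampering detected by verify().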
Therefore, to deal with the aforementioned challenges posed
by IoT-connected devices, cloud cybersecurity will need to be
reviewed since each IoT device produces data that is stored in
the cloud. Cloud cybersecurity policies must be blended with
IoT infrastructure so as to provide timely responses for
suspicious activities [20]. They must be reviewed in relation to
evidence identification, data integrity, preservation, and
accessibility. CSPs will need to ensure the integrity of the digital
evidence acquired from cloud computing components in order
to facilitate an unbiased investigation process in establishing the
root cause of the cyberattack in IoT. Therefore, as the IoT
paradigm is further developed, it becomes necessary to develop
adaptive processes, accredited tools and dynamic solutions
tailored to the IoT model.
D. Big Data and Backlog of Digital Forensic Cases
Another key challenge that the field of DF is currently facing pertains to the substantial and continuing increase in the amount of data, i.e. big data, both structured and unstructured, acquired, stored and presented for forensic examination. This data is collected from a variety of sources such as digital devices, networks, the cloud, IoT devices, social media, sensors and machine-to-machine data. In particular, this challenge is relevant to live network analysis, since DFEs are unlikely to be able to acquire and store all the essential network traffic [2], [10]. This growth in data volume is the consequence of the ongoing advancement of storage technology, such as growing storage capacity in devices and cloud storage services, and an increase in the number of devices seized per case. Consequently, there is a growing backlog of DF cases awaiting investigation, often for many months and in some cases years. This backlog has had a seriously adverse impact on the timeliness of criminal investigations and the legal process. Delays of up to four years in performing DFIs on seized digital devices have been reported to have a significant effect on the timeliness of criminal investigations [5], [11], [26]. Due to such delays, some prosecutions have even been discharged in court. This backlog of DF cases is predicted to increase due to modern sources of evidence such as IoT devices and CBSs.
To address these issues, i.e. the three Vs of big data (volume, variety and velocity), researchers have in recent years proposed various solutions ranging from data mining [27, 28, 29], data reduction and deduplication [27], [30, 31], triage [12], [32, 33, 34], increased processing power, distributed processing [35, 36] and cross-drive analysis [31] to artificial intelligence and other advanced methods [30]. Despite the usefulness of these solutions, additional research is required to establish the real-world relevance of the proposed methods to the data volumes that gravely challenge the field of DF. Therefore, it is of paramount importance to implement several practical infrastructural enhancements to the existing DF process. These augmentations should cover elements such as automation of device collection and examination, hardware-facilitated heterogeneous evidence processing, data visualisation, multi-device evidence and timeline resolution, data deduplication for storage and acquisition purposes, parallel or distributed investigations, and process optimisation of existing techniques. Such enhancements should be integrated to assist both law enforcement and third-party providers of DF services in speeding up the existing DF process. The implementation of the stated elements can significantly assist both new and augmented forensic processes.
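As an added example (not from the paper) of the hash-based reductions listed above, the Python script below takes a constructed inventory of three seized drives and applies known-file filtering against a reference hash set (a stand-in for a set such as NSRL), deduplication so that each unique content is examined once, and cross-drive correlation, which reports content recurring on two or more drives. File names, contents and the reference set are all constructed.

```python
"""Hash-based data reduction across several seized drives.

Added example, not from the paper. Three reductions the text lists are shown
on a constructed file inventory: (1) known-file filtering against a reference
hash set (a stand-in for a set such as NSRL), (2) deduplication so that each
unique content is examined once, and (3) cross-drive correlation, i.e. content
that recurs on two or more drives, which is often the most interesting residue.
"""
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inventory(drives: dict) -> list:
    """drives: {drive_id: [(path, content_bytes), ...]} -> [(drive, path, sha256, size)]."""
    rows = []
    for drive, files in drives.items():
        for path, content in files:
            rows.append((drive, path, sha256_hex(content), len(content)))
    return rows


def reduce_inventory(rows: list, known_hashes: set) -> dict:
    """Return what is left to examine plus the cross-drive hits."""
    known = [r for r in rows if r[2] in known_hashes]
    unknown = [r for r in rows if r[2] not in known_hashes]
    by_hash = defaultdict(list)          # sha256 -> every (drive, path) with that content
    for drive, path, digest, _ in unknown:
        by_hash[digest].append((drive, path))
    to_examine = {digest: locs[0] for digest, locs in by_hash.items()}   # one copy each
    cross_drive = {digest: sorted({d for d, _ in locs})
                   for digest, locs in by_hash.items()
                   if len({d for d, _ in locs}) >= 2}
    return {
        "total_files": len(rows),
        "dropped_known": len(known),
        "unknown_files": len(unknown),
        "unique_to_examine": len(to_examine),
        "to_examine": to_examine,
        "cross_drive": cross_drive,
    }


# Constructed inventory: three drives, one OS binary present everywhere, a
# planning document copied between all three, and one photo on two of them.
LS_BIN = b"\x7fELF-constructed-ls-binary"
PLAN = b"meet at warehouse 23:00 bring drives"
PHOTO = b"\xff\xd8\xff\xe0-constructed-jpeg"
NOTES = b"todo: wipe laptop"
SEIZED_DRIVES = {
    "drive-A": [("bin/ls", LS_BIN), ("docs/plan.txt", PLAN), ("photos/img1.jpg", PHOTO)],
    "drive-B": [("bin/ls", LS_BIN), ("Downloads/plan.txt", PLAN), ("notes.txt", NOTES)],
    "drive-C": [("system/ls", LS_BIN), ("backup/img1.jpg", PHOTO), ("backup/plan_copy.txt", PLAN)],
}
KNOWN_GOOD = {sha256_hex(LS_BIN)}       # reference set; only the OS binary is "known"


def run_demo() -> dict:
    return reduce_inventory(inventory(SEIZED_DRIVES), KNOWN_GOOD)


if __name__ == "__main__":
    result = run_demo()
    print(f"{result['total_files']} files, {result['dropped_known']} known, "
          f"{result['unique_to_examine']} unique to examine")
    for digest, drives in result["cross_drive"].items():
        print(f"{digest[:12]}... on {', '.join(drives)}")
```

On the constructed inventory nine files reduce to three unique items to examine, and the planning document is flagged as present on all three drives. With real inventories the hashes come from the acquisition images rather than from in-memory bytes, and the reference set is loaded from the published hash list rather than built inline.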
E. Encryption
According to a survey conducted by Forensic Focus [37], data encryption, together with cloud forensics (discussed previously), is the most difficult challenge encountered by DFEs. Encryption is the quickest method of preventing access to data held on a device. There exist numerous encryption methods that can be implemented on a system or its peripherals. The growth in storage capacity has been accompanied by tools capable of encrypting an entire hard drive volume. Encryption can also be applied to an application, a folder, a cloud service, mobile devices, and data stored in a database or transmitted by email. Network-based data hiding can be facilitated through methods such as Virtual Private Network (VPN) tunnelling and the use of proxy servers and terminal emulators. Whether data is stored on an unknown server in the cloud or on the perpetrator’s encrypted hard drive, encryption often makes it impossible for DFEs to acquire data essential for a DFI. Although such technologies are not unbeatable, bypassing them often requires a large amount of time and luck [32], [38, 39].
Since many encryption schemes are designed to resist brute-force attacks, it is of paramount importance that researchers design workarounds and exploits that allow evidence to be acquired from encrypted devices. The forensic challenges of encrypted devices differ depending on the type of digital device involved. There are currently several techniques that DFEs can leverage to overcome encryption in DFIs. For instance, a BitLocker volume can be unlocked with the BitLocker recovery key that Windows escrows to the user’s Microsoft Account; obtaining it requires the correct Microsoft Account password. There are various tools and methods (the discussion of which is outside the scope of this paper) for retrieving the password. Another method used by researchers is to conduct RAM forensics: image the RAM using a tool such as Belkasoft Live RAM Capturer and then extract the binary decryption key from that RAM image. This method enables DFEs to bypass encryption and also to identify malware that is never written to persistent storage. For instance, full-disk encryption on Windows desktop computers (BitLocker) can be attacked by imaging the RAM through a kernel-mode tool while the volume is mounted and examining that memory image to recover the binary decryption key. This allows BitLocker volumes to be mounted in a short period of time.
However, as noted by Garfinkel [32], the development of RAM forensic tools is more challenging than the creation of disk tools. Data stored on disk is persistent and intended to be read back in the future, whereas data written to RAM is meant to be read only by the running program. Garfinkel [32] argues that as a result there is less desire “for programmers to document data structures from one version of a program to another”. Such issues can complicate the tasks of tool developers.
F. Limitations in DF Tools and Lack of Standardisation
Existing DF tools and techniques are also limited in their functionality and poorly suited to the task of identifying data which is “out-of-the-ordinary, out-of-place, or subtly modified” [32], [40]. Traditional DF tools, techniques and methods often lag behind newly emerging technologies, lacking adequate capabilities to address the challenges these technologies present. Although current DF tools might be able to handle a case containing several terabytes of data, they are incapable of condensing terabytes of data into a succinct report. Furthermore, it is challenging to employ DF tools to recreate a unified timeline of past events or the activities of a culprit; event and timeline reconstruction is often conducted manually during a given DFI. DF tools are also often slow to conduct data analysis. Furthermore, the emphasis on producing documents that can be presented in court has had an adverse effect on the development of DF methods that could process data that is not easily available [32], [41].
With regard to the lack of standardisation in DF, although researchers in the field have made some attempts to agree on formats, schemas and ontologies for DF artefacts, very little progress has been made, if any [15], [42, 43, 44]. This is despite the fact that analysis of advanced cyber-attacks often necessitates concerted efforts to process complex data; in most cases such cooperation does not exist amongst DFEs or DF researchers. As a result, the diversity problem arising from the absence of standardised methods and guidelines to detect, acquire, store, examine, analyse and present digital evidence also poses significant challenges for DFIs [45, 46]. The lack of formal and generic Digital Forensic Investigation Process Models (DFIPMs) also contributes to the intricacy of acquiring and analysing digital evidence in a forensically sound manner [42]. Therefore, it is essential that the DF community engages in more collaboration to create effective standard formats and abstractions.
III. RESEARCH DIRECTIONS
A. IoT Forensics
The Identification, Acquisition and Analysis (main phases of
a conventional DFI) of digital evidence in IoT environments
pose significant challenges to LEAs and DFEs. In relation to the identification of a particular user’s data, it would be difficult for investigators to determine how to conduct search and seizure when the location and provenance of data (representing potential digital evidence) cannot be determined. One way to address this challenge is to integrate IoT device data into Building Information Modelling. Thus, the research community can consider this as a research opportunity to be explored.
With regard to the problem of extracting a specific user’s data from IoT devices, the volatility of evidence in these devices is more complex than in traditional devices. In IoT environments, data might be held locally by an IoT device; in this case, the lifespan of the data is very short before it is overwritten or compressed. Furthermore, digital evidence (data) from an IoT device might be shifted to and used by another IoT device (or a local network of IoT-connected devices), or it might be moved to the cloud for aggregation and processing. As a result, the transmission and aggregation of evidence poses significant challenges for maintaining the chain of evidence. To deal with this challenge, we propose the development of new investigation methods that can track and filter the transfer of data across IoT-connected devices, as supported by Hegarty et al. (2014). Such methods can then pave the way for the acquisition of data that has been altered or deleted. Therefore, the creation of such techniques should be considered as a new research opportunity for further exploration.
In terms of the challenges of the analysis process, IoT devices produce large amounts of data which are stored in large-scale distributed cloud environments. If this data requires Digital Forensic analysis, it first needs to be imaged in order to adhere to the principles of ‘forensically-sound investigations’. However, from a …
The Governance of Corporate Forensics using
COBIT, NIST and Increased Automated Forensic
Approaches
Henry Nnoli1, Dale Lindskog2, Pavol Zavarsky2, Shaun
Aghili2, Ron Ruhl2
1ATB Financial, Edmonton T5J 1P1, Canada
2Information Systems Security Management, Concordia
University College of Alberta, Edmonton T5B 4E4, Canada
[email protected], {dale.lindskog, pavol.zavarsky, shaun.aghili,
ron.ruhl}@concordia.ab.ca
Abstract—Today, the ability to investigate internal matters
such as policy violations, regulatory compliance, and employee
separation has become important in order for corporations to
manage risk. The degree of information security threats evolving
on a daily basis has increasingly raised concerns for enterprise
organizations. These threats include but are not limited to fraud,
insider threat and intellectual property (IP) theft. These have
increased the demand for organizations to implement corporate
forensics as a deterrent to illegitimate acts or for linking
perpetrators to their illegitimate acts. This explains why forensic
practices are expanding from the traditional role in law
enforcement and becoming an essential part of business
processes. However, most organizations may not be maximizing
the benefits of corporate forensic capabilities because of lack of
corporate forensic governance best practices, needed to ensure
organizations prepare their operating environment for digital
forensic investigation. Corporate forensic governance will help
ensure that digital evidence is obtained in an efficient and
effective way with minimal interruption to the business. This
paper presents a corporate forensic governance framework
intended to enhance forensic readiness, governance, and
management, and increase the use of automated forensic
techniques and in-house forensically sound practices in large
organizations that have a need for these practices.
Index Terms—corporate forensic governance; corporate
forensic readiness; increased automated forensic solutions;
digital forensic investigation; digital evidence
I. INTRODUCTION
Most organizations waste effort, time and resources in
carrying out forensic investigations due to lack of corporate
forensic preparedness [4]. Forensic readiness (preparedness)
can be defined as the process of being prepared (having the
right policies, procedures, people, techniques in place to
respond professionally and timely) before an incident occurs.
Rowlingson [4], in his paper, ‘A Ten Step Process for Forensic
Readiness’ described forensic readiness as the ability of an
organization to maximize its potential to use digital evidence
while minimizing the cost of an investigation. In his paper he
discussed practices that, when implemented before a digital
incident occurs, can help organizations to be ready to carry out
forensic investigations. However, forensic readiness is one part
of a comprehensive and well-structured corporate forensic
governance program.
Governance is the process of establishing and maintaining a
framework and supporting management structure and processes
to provide assurance that applicable strategies are aligned with
and support business objectives, and are consistent with
applicable laws and regulations through adherence to policies
and internal controls, and assignment of responsibility, all in
the effort to manage risk [22]. In most organizations when
incidents occur, the incident response team’s major concern is
to contain the incident and restore operations, paying less
attention to potential evidence. In most cases digital evidence is
contaminated, incomplete and untrustworthy, all of which
inhibits linking perpetrators to their illegitimate acts if a crime
is committed [2]. This is simply because of the lack of forensic
readiness which is part of a good corporate forensic governance
program. Grobler et al [5] stated, “all disciplines need some
form of policy, procedures, standards and guidelines hence
necessitating the proper facilitation of governance”. In their
paper, entitled ‘Managing digital evidence - The governance of
digital forensics’, they introduced a preliminary framework for
the governance of digital forensics.
According to COBIT [10], the principles of governance
best practices include strategic alignment, risk management,
value delivery, resource optimization, and continuous
performance evaluation. Board briefings on IT governance [22]
stated that, governance practices have been confirmed to yield
huge benefits in the field of information technology (IT) and
information security (IS) due to the establishment and adoption
of applicable frameworks like COBIT. “In other words, top
management of various organizations are realizing the
significant impact information technology and information
security can have on the success of their enterprise because of
governance of these fields” [22]. Such governance practices are
lacking in the field of digital forensics [5]. For various reasons
which will be highlighted later in this paper, there is a need for
effective and efficient governance practices for corporate
forensic programs to ensure that value, risk and resources are
optimized during forensic investigations. Most organizations
remain hesitant about in-house forensic readiness and capability
because they believe it involves complex processes, but with a
proper best practice framework for corporate forensic
governance and readiness they will find that in-house
forensic readiness can be conducted in an efficient and
effective way. In addition, the use of innovative, user friendly
and increased corporate forensic automated solutions (like
Encase Enterprise) reduces the amount of resources (time,
effort and personnel) used for such practices. With the
existence of COBIT [10][11] and other IT and IS governance
frameworks, including research work like [1][2][3][4][5][8] it
is obvious that there is a governance gap in the field of
corporate forensics.
2012 ASE/IEEE International Conference on Social Computing
and 2012 ASE/IEEE International Conference on Privacy,
Security, Risk and Trust
978-0-7695-4848-7/12 $26.00 © 2012 IEEE
DOI 10.1109/SocialCom-PASSAT.2012.109
734
In this paper, a governance framework is presented, one
that will guide those large organizations who are in need of a
corporate forensic program on how best governance practices
can enhance corporate forensic readiness and in-house
forensically sound practices in an efficient and effective way.
This paper is organized into the following sections: Section II
argues the need for corporate forensic readiness and
governance; Section III explains best practice governance
principles; Section IV is a brief discussion of related work;
Section V is a description of the proposed framework; finally,
in Section VI we conclude and recommend future work.
II. CORPORATE FORENSIC READINESS AND
GOVERNANCE
According to [8], litigation is a last option for most
organizations, because of concerns like negative publicity and
its negative impact to the business. Therefore, corporate
forensic readiness, governance and in-house forensic capability
will help organizations to be prepared to gather and use digital
evidence as a deterrent and for making firm conclusions during
internal investigations of non-criminal violations. The objective
of corporate forensic readiness is to ensure that digital evidence
is collected using sound forensic processes and in an effective
way with minimal interruption to the business. This evidence
can also be used for the organization’s interest and defense.
Although many organizations outsource forensic activities, it is
likely that most will prefer to perform them internally. The
reasons for this include privacy, confidentiality of
organizational and customer data, legal risk, delayed forensic
results from consultants and compliance with regulations like
Sarbanes Oxley, King 3 Report, the Basel Committee report on
banking supervision, and FIPS PUB 200. In addition, it is
costly to outsource forensic activities in those large
organizations that experience recurring digital incidents.
Regulations like FIPS PUB 200 (2002) mandated all federal
agencies in the United States to comply with the standard’s
Audit and Accountability section, which states that
“Organizations must:
1. Create, protect, and retain information system audit
records to the extent needed to enable the monitoring,
analysis, investigation, and reporting of unlawful,
unauthorized, or inappropriate information system
activity.
2. Ensure that the actions of individual information
system users can be uniquely traced to those users so
they can be held accountable for their actions” [12].
These considerations show that, in a great many cases,
there is a clear need for corporate forensic readiness
and in-house forensic capability.
Rowlingson [4] articulates ten steps toward corporate
forensic readiness:
1. “Define the business scenarios that require digital
evidence.
2. Identify available sources and different types of
potential evidence.
3. Determine the evidence collection requirement.
4. Establish a capability of securely gathering admissible
evidence to meet the requirement.
5. Establish a policy for secure storage and handling of
potential evidence.
6. Ensure monitoring is targeted to detect and deter major
incidents.
7. Specify circumstances when escalation to a full formal
investigation should be launched.
8. Train staff in incident awareness so that all those
involved understand their role in the digital process and
the legal sensitivities of evidence.
9. Document an evidence-based case describing the
incident and its impact.
10. Ensure legal review to facilitate action in response to the
incident”.
A good governance framework consists of both governance
and management processes [11]. Rowlingson’s work should be
incorporated into management processes and we therefore
refined and used it in the development of the management
processes (CFM domain) of our proposed corporate forensic
governance framework. More elaboration on the need for
corporate forensics can be found in [8].
A. The Relationship between IT Governance, IS Governance
and Corporate Forensics
It could be argued that corporate forensics falls, in some
respects, under IT governance and IS governance. However,
some important aspects of corporate forensics, like
jurisprudence (legal) and forensically sound processes are not
fully part of IT and IS governance [3]. According to ACPO
[30], forensically sound processes mean performing forensic
practices (collection, examination, analysis, documentation,
preservation of evidence and chain of custody) according to
applicable jurisdiction. It also means that forensic practices
should be conducted in such a way that if necessary an
independent third party is able to repeat the same processes and
obtain the same result. This shows that the preservation of the
integrity of evidence is very important during forensic
investigations. Corporate forensics (CF) and digital forensics
(DF) will be used interchangeably in this paper. Researchers
like Von Solms [3] and Grobler [5] explain the relationship
between Digital Forensics (DF), IS Governance, IT Governance
and Corporate Governance. Von Solms et al state “that the
proactive mode of information security ensures all policies,
procedures, and technical mechanisms are in place to prevent
harm to the organization’s information; the reactive mode
ensures that if harm occur, it will be repaired (Business
continuity planning, Good backup and Disaster recovery
techniques are part of the reactive mode)” [3] . “The proactive
mode of digital forensics ensures all policies, procedure,
technical and automated mechanisms are in place to be able to
act when required; the reactive mode ensures that the necessary
actions can be performed to support specified analytical and
investigative techniques required by digital forensics”[3]. This
shows that some components of digital forensics, IS and IT
governance overlap and are related. Therefore, the best practice
governance principles used for effective IT and IS governance
can also be used for corporate forensic governance.
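The forensically sound practices described above (collection and preservation that an independent third party can repeat with the same result, and a chain of custody whose integrity is preserved), together with the chain-of-evidence problem raised in the IoT discussion earlier on this page, can be made concrete with a small tamper-evident chain-of-custody log. The following is an added illustration and not code from either paper: every handover re-hashes the evidence image, every entry names the single actor accountable for it (the kind of per-user traceability the FIPS PUB 200 excerpt in Section II calls for), and each entry is hash-linked to its predecessor so that a removed, reordered or edited entry, or altered evidence, is detected on re-verification. The evidence bytes, actor names and action labels are constructed sample values.

```python
"""Tamper-evident chain-of-custody log for an acquired evidence image.

Added illustration, not code from either paper on this page. It assumes the
acquired evidence (a disk or device image) is available as bytes; the image,
actor names and action labels below are constructed sample values.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

GENESIS = "0" * 64  # link value used by the first entry


def sha256_hex(data: bytes) -> str:
    """Content hash of the evidence; any third party can recompute it."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    seq: int            # position in the log
    action: str         # e.g. "acquire", "transfer", "examine"
    actor: str          # the single user accountable for this action
    evidence_hash: str  # hash of the evidence at the time of the action
    prev_hash: str      # entry_hash of the previous entry (chain link)
    entry_hash: str     # hash over the five fields above


def entry_digest(seq: int, action: str, actor: str,
                 evidence_hash: str, prev_hash: str) -> str:
    """Canonical, order-fixed serialization so the digest is reproducible."""
    payload = json.dumps([seq, action, actor, evidence_hash, prev_hash],
                         separators=(",", ":"))
    return sha256_hex(payload.encode("utf-8"))


class CustodyLog:
    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, action: str, actor: str, evidence: bytes) -> CustodyEntry:
        """Append an entry; the evidence is re-hashed at every handover."""
        seq = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        evidence_hash = sha256_hex(evidence)
        digest = entry_digest(seq, action, actor, evidence_hash, prev)
        entry = CustodyEntry(seq, action, actor, evidence_hash, prev, digest)
        self.entries.append(entry)
        return entry

    def verify(self, current_evidence: bytes) -> List[str]:
        """Re-derive every hash; an empty list means log and evidence are intact."""
        findings: List[str] = []
        if not self.entries:
            return ["log is empty"]
        acquisition_hash = self.entries[0].evidence_hash
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i:
                findings.append(f"entry {i}: sequence gap (entry removed or reordered)")
            if e.prev_hash != prev:
                findings.append(f"entry {i}: broken chain link")
            if entry_digest(e.seq, e.action, e.actor,
                            e.evidence_hash, e.prev_hash) != e.entry_hash:
                findings.append(f"entry {i}: entry contents altered")
            if e.evidence_hash != acquisition_hash:
                findings.append(f"entry {i}: evidence hash differs from acquisition hash")
            prev = e.entry_hash
        if sha256_hex(current_evidence) != acquisition_hash:
            findings.append("current evidence does not match acquisition hash")
        return findings


def demo() -> Tuple[List[str], List[str]]:
    """Walk a constructed image through acquisition, transfer and examination."""
    image = b"CONSTRUCTED SAMPLE: raw flash dump of an IoT device"
    log = CustodyLog()
    log.record("acquire", "examiner.a", image)
    log.record("transfer", "custodian.b", image)
    log.record("examine", "examiner.c", image)
    intact = log.verify(image)              # -> []
    modified = log.verify(image + b"\x00")  # a single appended byte is enough
    return intact, modified


if __name__ == "__main__":
    ok, bad = demo()
    print("intact evidence:", ok)
    print("modified evidence:", bad)
```

The design choice worth noting is that the log stores hashes rather than the evidence itself, so the log can be shared with a reviewing party who recomputes every digest from the image they were given; agreement with the acquisition hash is the repeatable, independently checkable result the ACPO description calls for, and any disagreement localizes to a specific entry or to the evidence itself.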
Fig. 1. Relationship between Corporate governance, IT governance, IS governance and Digital forensic [3]
Figure 1 shows a holistic view of DF and its relationship
with corporate governance, IS governance and IT governance.
III. BEST PRACTICE GOVERNANCE PRINCIPLES
According to best practices [10][11][22] governance
principles include strategic alignment with business objectives,
value delivery to the business, risk management, resource
optimization of available resources and continuous
performance evaluation.
A. Strategic Alignment
Good governance of corporate forensics (CF) will ensure
that the objectives of CF practices are aligned to the
organization’s goals. According to Board briefing on IT
governance [22], the cost effectiveness of a security program is
determined by how well it supports the organization’s
objective. Corporate forensic governance will also ensure that
corporate forensic objectives are defined in business terms and
all CF controls tracked to a specific business requirement. The
following will indicate alignment: a corporate forensic program
that enhances business activities; a corporate forensic program
that is responsive to defined business needs; corporate forensic
program and organization objectives that are defined and
clearly understood by relevant stakeholders; corporate forensic
program that is mapped to organizational goals and is validated
by senior management; a corporate forensic strategy and
steering committee made up of key executives to ensure
continuous alignment of corporate forensic objectives and
business goals.
B. Value Delivery
Good governance of corporate forensic practices will also
ensure that corporate forensic investments are optimized in
support of enterprise objectives. It also ensures that the
organization gets benefits from their corporate forensic
investments. Governance will ensure corporate forensic
investments are supporting business needs and adding expected
value. For instance, in a scenario where there is no governance,
there won’t be monitoring and evaluation to ensure that
corporate forensic investment is continuously supporting the
business in achieving some of its strategic needs. Therefore,
forensic investments may not add expected value to the
business, since there are no metrics to measure if value is
optimized. Corporate forensic governance increases the
likelihood of corporate forensic program’s success considering
the significant cost associated with corporate forensic practices.
Figure 2 shows some of the questions governance will ask to
ensure value is optimized.
Fig. 2. Val IT Framework 2.0, Value according to the Four ‘Are’s as described in the information paradox [34]
C. Risk Management
For applicable IT related business risk to be mitigated using
corporate forensic practices, CF governance would help ensure
that corporate forensic practices are an integral part of
enterprise risk management program. CF governance will also
ensure that corporate forensic strategy and program will help
organizations achieve acceptable level of applicable IT related
business risk. A structure for risk assessment as defined by
NIST 800-30 is shown in figure 3 below. If corporate forensic
practices are part of enterprise risk management program,
potential evidence sources will be identified in a proactive
manner. Also, CF governance will ensure legal risk involved
during corporate forensic practices are fully identified,
communicated, mitigated and managed.
Fig. 3. NIST 800-30 Risk Assessment Methodology [32]
Furthermore, from the risk assessment methodology shown
in Figure 3, step 4 requires control analysis and selection. This
is where different controls are selected for all identified risks.
Different controls are weighed and analyzed based on their
strength and weaknesses and the best control to mitigate each
risk effectively is selected. All risks that could be best
mitigated with corporate forensic practices should be identified,
documented in a risk profile chart and rated to show their
potential value impact to the business. This is one of the
principles of good CF governance which will ensure that all
risk that could be mitigated with corporate forensic practices
are mitigated and optimized.
D. Resource Optimization
This principle of good corporate forensic governance deals
with planning, allocation and control of corporate forensic
resources which include people, processes and technologies
(increased automated forensic suites) towards adding value to
the business. CF resources need to be managed properly for their
effectiveness. Proper CF resource management will ensure that
corporate forensic practices are efficient, cost effective and
most importantly ensure corporate forensic is effectively
addressing applicable business needs.
E. Performance Evaluation
Since there is a clear saying that “you cannot manage what
you cannot measure,” the governance of corporate forensic
practices will ensure measures are in place to monitor corporate
forensic processes and measure its performance. This will help
management to make informed decisions about the state of
corporate forensic program and ascertain if it is effective or
not. Methods like maturity models, checklists and other tools
could be used. Some of the indicators of an effective corporate
forensic program as observed from performance measurement
include: the time it takes to detect and uncover potential
security threats to the business; the number of threats effectively
traced to their sources within a minimal time interval without
interruption to the business; the number of security breaches
reported (a lower number of reported breaches indicates the
control is effective as a deterrent). The
performance measurement module of the governance
framework is represented in the corporate forensic evaluation
(CFE) domain of the proposed framework.
IV. RELATED WORK
Researchers like [4][6][7][8] have looked into some form of
forensic readiness while [2][8][9][21] have looked into some
form of proactive digital forensics which are considered part
but not a comprehensive representation of good governance
practices. They did not comprehensively address the
establishment of a good governance framework and major
governance processes for corporate forensic practices, which
would make their work more effective. In other words,
they did not address in detail how corporate forensic practices
could be enhanced using governance best practices. Lack of CF
governance practices might explain why management sees
digital forensics as an abstract and highly technical field and
has very little interest in leveraging its benefits to achieve
some of their corporate goals. Good governance referred to in
the beginning of this section means getting senior management
involved in an interactive manner by using globally adopted
common business languages in a governance framework for
forensic practices; management taking ownership of forensic
program by assuming responsibility and accountability (RACI
Chart) of forensic processes; use of increased automated
forensic suites with generation of user friendly executive
reports, remote forensics and automated processes; use of
forensic practices to minimize high IT related business risk. All
these enhancements are expected to help organizations
maximize the benefits of forensic practices in an efficient and
effective way. Discussing proactive or corporate forensic
readiness by [2][4][6][7][8][9][21] without the establishment of
a governance structure, framework and obtaining management
support will result in the corporate forensic readiness program
not being fully effective and efficient.
Furthermore, at the time this paper was written, only one
research group, Grobler et al [5], to the best of our knowledge,
had researched the governance of digital forensics. Their paper
was a preliminary framework in the form of an outline for the
governance of digital forensics. The scope of the paper did not
comprehensively address how globally accepted governance
best practices [10][11][22] can be used to enhance a corporate
forensic program in enterprise organizations.
V. DESCRIPTION OF THE PROPOSED FRAMEWORK
According to best practice [11] a governance framework
should consist of two major processes: the governance and
management processes. The governance processes involve
direction in strategic alignment, risk management, resource
optimization, value delivery and performance evaluation. The
governance field directs the management field and ensures
management processes are achieving their goals. The
management field is responsible for executing and
implementing directions from the governance field. The
management processes involve specialized and operational
processes which governance uses to achieve its tactical and
operational goals. The management section performs more
hands-on tasks than the governance section. The proposed
framework was developed with this principle. The framework
was categorized into three domains, namely Corporate Forensic
Governance (CFG, the governance processes), Corporate Forensic
Management (CFM, the management processes) and Corporate
Forensic Evaluation (CFE). The third domain, CFE, maintains a
life cycle model for the framework by evaluating, monitoring
and continually improving forensic processes through lessons
learned and evaluation using a maturity model. Figure 4 shows
the corporate forensic governance framework lifecycle.
Fig. 4. The three major domains of the proposed corporate forensic governance framework lifecycle
The proposed corporate forensic governance framework
was developed with the common languages and best practices
used in related governance models.
A. Corporate Forensic Governance (CFG)
Corporate Forensic Governance was developed with the
major principles of best governance practices as recommended
by COBIT [10][11] and Board briefing on IT governance [22],
which includes strategic alignment, risk management, resource
optimization, and value delivery. These principles represent
control objectives CFG 1 to CFG 4 of the corporate forensic
governance domain. Detailed control practices were developed
under each of these control objectives.
B. Corporate Forensic Management (CFM)
The second domain Corporate Forensic Management
(CFM) contains functions classified as management functions
in the framework. This domain was developed from best
practices, Rowlingson’s work [4] and all other literature
reviewed in the reference section. The control objectives in
this domain (CFM 1 to CFM 10) include: manage legal and
ethical requirements; define policies; define procedures;
manage education, training and awareness; perform pro-active
evidence identification; collect evidence; examine and analyze
evidence; manage evidence; manage third party; document,
report and present evidence. Detailed control practices were
developed under each of these control objectives.
C. Corporate Forensic Evaluation (CFE)
The third domain Corporate Forensic Evaluation (CFE)
contains processes to evaluate (maturity model), monitor,
assess and improve (with lesson learned and feedback) forensic
practices to ensure the objective of the framework is
continuously achieved. The objective of the framework
includes performing corporate forensic activities in an efficient
and effective way, with minimal disruption to the business;
collecting evidence in a forensically sound way and reduction
of applicable potential IT related risk to the business. This
domain was developed from process assessment best practices
from all the literature reviewed. Detailed control practices
were developed under each of the control objectives (CFE 1 to
CFE 3) for this domain.
D. Corporate Forensic Governance Structure
Figure 5 shows a high level hypothetical corporate forensic
governance structure. Other assurance functions like HR,
Internal Audit, Privacy, the Value Management Office, Legal, etc.
are part of the corporate forensic strategy and steering
committee. To establish effective CF governance program, the
first step is to establish a governance structure that will oversee
the governance of corporate forensics program. This is one of
the requirements of good governance. According to several
regulations and best practices [11][22], senior management is
ultimately responsible for good governance and to exercise due
care in performing tasks involving all specialized disciplines.
Corporate forensics, Information technology and Information
Security are examples of those specialized disciplines in a
corporate environment. Therefore the overall accountability of
good governance is the responsibility of the board of directors.
The Board or the CEO should set up a steering and strategy
committee to oversee its corporate forensic responsibilities and
report back to them since they have many commitments. This
responsibility could also be taken by the CIO depending on
how large the organization is or the business environment of
the organization. Therefore, this is just a hypothetical structure;
organizations can set up their governance structure as it suits
their business environment. For instance, if an organization is
experiencing various insider frauds and other negative publicity
due to security breaches, the Board of directors will be
interested in knowing the most effective mitigation strategy to
mitigate that risk. This will increase the organization’s interest
in implementing a corporate forensic program which the CEO
or board might want to oversee.
Fig. 5. A hypothetical corporate forensic governance structure
Each member of the governance and management teams in
the proposed framework has assigned roles and responsibilities
similar to those seen in [22]. They are either responsible,
accountable, consulted and/or informed on each of the
governance, management and evaluation processes of the
corporate forensic governance framework. This is achieved
using the RACI chart which means who is Responsible,
Accountable, Consulted and/or Informed. Table I briefly
explains the RACI chart.
E. Corporate Forensic Governance Framework
The framework consists of 3 domains (CFG, CFM & CFE),
17 high level control objectives (CFG1-CFG4, CFM1-CFM10,
CFE1-CFE3) and 119 detailed control practices. The control
practices and RACI assignment of roles and responsibilities
can be adjusted to suit each organization’s needs and business
environment. In other words some of the control practices
might not be applicable in some organizations depending on
how they are structured and what their business environment is
like.
TABLE I. THE RACI CHART
R (Responsible): those responsible for performing the task or ensuring the task is done.
A (Accountable): the person who must approve or sign off before the process is effective, or the person accountable for the success of the process.
C (Consulted): those who provide input needed to complete the task.
I (Informed): those who are regularly updated on the outcome of decisions, processes and actions taken.
In addition, some of these controls have already been
implemented in some organizations (perhaps for information
security); in such cases enhancement is needed to
accommodate forensic practices. During implementation of the
framework, CFG1 – CFG4 will be implemented first, before
CFM1 – CFM10 and then CFE1 – CFE3. The RACI chart was used
in assigning roles and responsibilities to the governance and
management team according to best practices [10][22]. Refer to
Section V. for more explanation on the structure of the
proposed framework. Brief explanation of the scope and
control objectives of the proposed framework is shown in
Table II.
The scope of the proposed corporate forensic governance
framework is based on the use of increased automated forensic
suites like Encase Enterprise for forensic practices. These
suites are known for their high degree of automation and an
easy-to-use approach to performing
forensic practices. However, a forensic expert is needed in the
forensic team for effective and efficient use of these automated
suites to achieve applicable organizational goals. The
framework was designed for global use and in a high level
format with general requirements for performing forensic
practices using automated forensic suites. Brief explanations of
the control objectives are shown below.
TABLE II. EXPLANATION OF THE SCOPE AND CONTROL OBJECTIVES FOR THE PROPOSED FRAMEWORK
Control objective: Brief explanation of the controls in the proposed framework
CFG1 Strategic alignment: This control ensures clear goals and objectives of a corporate forensic program are defined and that these defined goals and objectives are strategically aligned to enterprise goals and objectives. In other words this control ensures that the corporate forensic program is helping the organization achieve some of its goals and objectives.
CFG2 Ensure risk is optimized with CF implementation: This control ensures that business risk …

 
privtechsomeassemb
privtechsomeassembprivtechsomeassemb
privtechsomeassemb
 
Don't Panic. Making Progress on the 'Going Dark' Debate
Don't Panic. Making Progress on the 'Going Dark' DebateDon't Panic. Making Progress on the 'Going Dark' Debate
Don't Panic. Making Progress on the 'Going Dark' Debate
 
Polinter09
Polinter09Polinter09
Polinter09
 
Brian Wrote There is a wide range of cybersecurity initiatives .docx
Brian Wrote There is a wide range of cybersecurity initiatives .docxBrian Wrote There is a wide range of cybersecurity initiatives .docx
Brian Wrote There is a wide range of cybersecurity initiatives .docx
 
Privacy and terrorism informatics
Privacy and terrorism informaticsPrivacy and terrorism informatics
Privacy and terrorism informatics
 
Marsden Disinformation Algorithms #IGF2019
Marsden Disinformation Algorithms #IGF2019 Marsden Disinformation Algorithms #IGF2019
Marsden Disinformation Algorithms #IGF2019
 
Technology and Crime.docx
Technology and Crime.docxTechnology and Crime.docx
Technology and Crime.docx
 
A Theoretical Examination Of The Objections To Body-Worn Cameras With The Add...
A Theoretical Examination Of The Objections To Body-Worn Cameras With The Add...A Theoretical Examination Of The Objections To Body-Worn Cameras With The Add...
A Theoretical Examination Of The Objections To Body-Worn Cameras With The Add...
 
A REVIEW OF CYBERSECURITY AS AN EFFECTIVE TOOL FOR FIGHTING IDENTITY THEFT AC...
A REVIEW OF CYBERSECURITY AS AN EFFECTIVE TOOL FOR FIGHTING IDENTITY THEFT AC...A REVIEW OF CYBERSECURITY AS AN EFFECTIVE TOOL FOR FIGHTING IDENTITY THEFT AC...
A REVIEW OF CYBERSECURITY AS AN EFFECTIVE TOOL FOR FIGHTING IDENTITY THEFT AC...
 
AnnotatedBibForHumanTrafficking
AnnotatedBibForHumanTraffickingAnnotatedBibForHumanTrafficking
AnnotatedBibForHumanTrafficking
 
Cyber Crime Investigation
Cyber Crime InvestigationCyber Crime Investigation
Cyber Crime Investigation
 
E. Bryan - E-Governance and Personal Privacy
E. Bryan -  E-Governance and Personal PrivacyE. Bryan -  E-Governance and Personal Privacy
E. Bryan - E-Governance and Personal Privacy
 
Accessing Password Protected andor Encrypted Mobile DataAbstrac.docx
Accessing Password Protected andor Encrypted Mobile DataAbstrac.docxAccessing Password Protected andor Encrypted Mobile DataAbstrac.docx
Accessing Password Protected andor Encrypted Mobile DataAbstrac.docx
 
Causes of the Growing Conflict Between Privacy and Security
Causes of the Growing Conflict Between Privacy and SecurityCauses of the Growing Conflict Between Privacy and Security
Causes of the Growing Conflict Between Privacy and Security
 
Iftf state sponsored_trolling_report
Iftf state sponsored_trolling_reportIftf state sponsored_trolling_report
Iftf state sponsored_trolling_report
 
10 Criminology in the FutureCriminology in the FutureKristop.docx
10 Criminology in the FutureCriminology in the FutureKristop.docx10 Criminology in the FutureCriminology in the FutureKristop.docx
10 Criminology in the FutureCriminology in the FutureKristop.docx
 

More from debishakespeare

Ethical Case Study 2Gloria is a housekeeper in an independent li.docx
Ethical Case Study 2Gloria is a housekeeper in an independent li.docxEthical Case Study 2Gloria is a housekeeper in an independent li.docx
Ethical Case Study 2Gloria is a housekeeper in an independent li.docxdebishakespeare
 
Ethical consideration is important in nursing practice, especial.docx
Ethical consideration is important in nursing practice, especial.docxEthical consideration is important in nursing practice, especial.docx
Ethical consideration is important in nursing practice, especial.docxdebishakespeare
 
Ethical Competency Writing Assignment DescriptionPHI 108 Spr.docx
Ethical Competency Writing Assignment DescriptionPHI 108 Spr.docxEthical Competency Writing Assignment DescriptionPHI 108 Spr.docx
Ethical Competency Writing Assignment DescriptionPHI 108 Spr.docxdebishakespeare
 
Ethical Case StudyAn example of unethical treatment of participa.docx
Ethical Case StudyAn example of unethical treatment of participa.docxEthical Case StudyAn example of unethical treatment of participa.docx
Ethical Case StudyAn example of unethical treatment of participa.docxdebishakespeare
 
Ethical AwarenessDEFINITION a brief definition of the k.docx
Ethical AwarenessDEFINITION a brief definition of the k.docxEthical AwarenessDEFINITION a brief definition of the k.docx
Ethical AwarenessDEFINITION a brief definition of the k.docxdebishakespeare
 
ETHICAL CHALLENGES JOYCAROLYNE MUIGAINTC3025262020.docx
ETHICAL CHALLENGES JOYCAROLYNE MUIGAINTC3025262020.docxETHICAL CHALLENGES JOYCAROLYNE MUIGAINTC3025262020.docx
ETHICAL CHALLENGES JOYCAROLYNE MUIGAINTC3025262020.docxdebishakespeare
 
Ethical Conduct of Researchpower point from this document, 1.docx
Ethical Conduct of Researchpower point from this document, 1.docxEthical Conduct of Researchpower point from this document, 1.docx
Ethical Conduct of Researchpower point from this document, 1.docxdebishakespeare
 
Ethical Challenges and Agency IssuesI.IntroductionII.E.docx
Ethical Challenges and Agency IssuesI.IntroductionII.E.docxEthical Challenges and Agency IssuesI.IntroductionII.E.docx
Ethical Challenges and Agency IssuesI.IntroductionII.E.docxdebishakespeare
 
Ethical Approaches An Overview of .docx
Ethical Approaches An Overview of .docxEthical Approaches An Overview of .docx
Ethical Approaches An Overview of .docxdebishakespeare
 
Ethical and Professional Issues in Group PracticeThose who seek .docx
Ethical and Professional Issues in Group PracticeThose who seek .docxEthical and Professional Issues in Group PracticeThose who seek .docx
Ethical and Professional Issues in Group PracticeThose who seek .docxdebishakespeare
 
Ethical AnalysisSelect a work-related ethical scenario that .docx
Ethical AnalysisSelect a work-related ethical scenario that .docxEthical AnalysisSelect a work-related ethical scenario that .docx
Ethical AnalysisSelect a work-related ethical scenario that .docxdebishakespeare
 
Ethical (Moral) RelativismIn America, many are comfortable describ.docx
Ethical (Moral) RelativismIn America, many are comfortable describ.docxEthical (Moral) RelativismIn America, many are comfortable describ.docx
Ethical (Moral) RelativismIn America, many are comfortable describ.docxdebishakespeare
 
Ethical Analysis on Lehman Brothers financial crisis of 2008 , pleas.docx
Ethical Analysis on Lehman Brothers financial crisis of 2008 , pleas.docxEthical Analysis on Lehman Brothers financial crisis of 2008 , pleas.docx
Ethical Analysis on Lehman Brothers financial crisis of 2008 , pleas.docxdebishakespeare
 
Ethical Analysis on Merrill lynch financial crisis of 2008 , please .docx
Ethical Analysis on Merrill lynch financial crisis of 2008 , please .docxEthical Analysis on Merrill lynch financial crisis of 2008 , please .docx
Ethical Analysis on Merrill lynch financial crisis of 2008 , please .docxdebishakespeare
 
ETHC 101Discussion Board Reply Grading RubricCriteriaLevels .docx
ETHC 101Discussion Board Reply Grading RubricCriteriaLevels .docxETHC 101Discussion Board Reply Grading RubricCriteriaLevels .docx
ETHC 101Discussion Board Reply Grading RubricCriteriaLevels .docxdebishakespeare
 
Ethical and Human Rights Concerns in Global HealthChapter Fou.docx
Ethical and Human Rights Concerns in Global HealthChapter  Fou.docxEthical and Human Rights Concerns in Global HealthChapter  Fou.docx
Ethical and Human Rights Concerns in Global HealthChapter Fou.docxdebishakespeare
 
Ethical & Legal Aspects in Nursing WK 14Please answer the .docx
Ethical & Legal Aspects in Nursing WK 14Please answer the .docxEthical & Legal Aspects in Nursing WK 14Please answer the .docx
Ethical & Legal Aspects in Nursing WK 14Please answer the .docxdebishakespeare
 
EthernetSatellite dishInternational Plastics, Inc. - C.docx
EthernetSatellite dishInternational Plastics, Inc. -  C.docxEthernetSatellite dishInternational Plastics, Inc. -  C.docx
EthernetSatellite dishInternational Plastics, Inc. - C.docxdebishakespeare
 
Ethanolv.DrizinUnited States District Court, N.D. Iowa, Eastern .docx
Ethanolv.DrizinUnited States District Court, N.D. Iowa, Eastern .docxEthanolv.DrizinUnited States District Court, N.D. Iowa, Eastern .docx
Ethanolv.DrizinUnited States District Court, N.D. Iowa, Eastern .docxdebishakespeare
 
Ethan FromeEdith WhartonTHE EMC MASTERPIECE SERIES.docx
Ethan FromeEdith WhartonTHE EMC MASTERPIECE SERIES.docxEthan FromeEdith WhartonTHE EMC MASTERPIECE SERIES.docx
Ethan FromeEdith WhartonTHE EMC MASTERPIECE SERIES.docxdebishakespeare
 

More from debishakespeare (20)

Ethical Case Study 2Gloria is a housekeeper in an independent li.docx
Ethical Case Study 2Gloria is a housekeeper in an independent li.docxEthical Case Study 2Gloria is a housekeeper in an independent li.docx
Ethical Case Study 2Gloria is a housekeeper in an independent li.docx
 
Ethical consideration is important in nursing practice, especial.docx
Ethical consideration is important in nursing practice, especial.docxEthical consideration is important in nursing practice, especial.docx
Ethical consideration is important in nursing practice, especial.docx
 
Ethical Competency Writing Assignment DescriptionPHI 108 Spr.docx
Ethical Competency Writing Assignment DescriptionPHI 108 Spr.docxEthical Competency Writing Assignment DescriptionPHI 108 Spr.docx
Ethical Competency Writing Assignment DescriptionPHI 108 Spr.docx
 
Ethical Case StudyAn example of unethical treatment of participa.docx
Ethical Case StudyAn example of unethical treatment of participa.docxEthical Case StudyAn example of unethical treatment of participa.docx
Ethical Case StudyAn example of unethical treatment of participa.docx
 
Ethical AwarenessDEFINITION a brief definition of the k.docx
Ethical AwarenessDEFINITION a brief definition of the k.docxEthical AwarenessDEFINITION a brief definition of the k.docx
Ethical AwarenessDEFINITION a brief definition of the k.docx
 
ETHICAL CHALLENGES JOYCAROLYNE MUIGAINTC3025262020.docx
ETHICAL CHALLENGES JOYCAROLYNE MUIGAINTC3025262020.docxETHICAL CHALLENGES JOYCAROLYNE MUIGAINTC3025262020.docx
ETHICAL CHALLENGES JOYCAROLYNE MUIGAINTC3025262020.docx
 
Ethical Conduct of Researchpower point from this document, 1.docx
Ethical Conduct of Researchpower point from this document, 1.docxEthical Conduct of Researchpower point from this document, 1.docx
Ethical Conduct of Researchpower point from this document, 1.docx
 
Ethical Challenges and Agency IssuesI.IntroductionII.E.docx
Ethical Challenges and Agency IssuesI.IntroductionII.E.docxEthical Challenges and Agency IssuesI.IntroductionII.E.docx
Ethical Challenges and Agency IssuesI.IntroductionII.E.docx
 
Ethical Approaches An Overview of .docx
Ethical Approaches An Overview of .docxEthical Approaches An Overview of .docx
Ethical Approaches An Overview of .docx
 
Ethical and Professional Issues in Group PracticeThose who seek .docx
Ethical and Professional Issues in Group PracticeThose who seek .docxEthical and Professional Issues in Group PracticeThose who seek .docx
Ethical and Professional Issues in Group PracticeThose who seek .docx
 
Ethical AnalysisSelect a work-related ethical scenario that .docx
Ethical AnalysisSelect a work-related ethical scenario that .docxEthical AnalysisSelect a work-related ethical scenario that .docx
Ethical AnalysisSelect a work-related ethical scenario that .docx
 
Ethical (Moral) RelativismIn America, many are comfortable describ.docx
Ethical (Moral) RelativismIn America, many are comfortable describ.docxEthical (Moral) RelativismIn America, many are comfortable describ.docx
Ethical (Moral) RelativismIn America, many are comfortable describ.docx
 
Ethical Analysis on Lehman Brothers financial crisis of 2008 , pleas.docx
Ethical Analysis on Lehman Brothers financial crisis of 2008 , pleas.docxEthical Analysis on Lehman Brothers financial crisis of 2008 , pleas.docx
Ethical Analysis on Lehman Brothers financial crisis of 2008 , pleas.docx
 
Ethical Analysis on Merrill lynch financial crisis of 2008 , please .docx
Ethical Analysis on Merrill lynch financial crisis of 2008 , please .docxEthical Analysis on Merrill lynch financial crisis of 2008 , please .docx
Ethical Analysis on Merrill lynch financial crisis of 2008 , please .docx
 
ETHC 101Discussion Board Reply Grading RubricCriteriaLevels .docx
ETHC 101Discussion Board Reply Grading RubricCriteriaLevels .docxETHC 101Discussion Board Reply Grading RubricCriteriaLevels .docx
ETHC 101Discussion Board Reply Grading RubricCriteriaLevels .docx
 
Ethical and Human Rights Concerns in Global HealthChapter Fou.docx
Ethical and Human Rights Concerns in Global HealthChapter  Fou.docxEthical and Human Rights Concerns in Global HealthChapter  Fou.docx
Ethical and Human Rights Concerns in Global HealthChapter Fou.docx
 
Ethical & Legal Aspects in Nursing WK 14Please answer the .docx
Ethical & Legal Aspects in Nursing WK 14Please answer the .docxEthical & Legal Aspects in Nursing WK 14Please answer the .docx
Ethical & Legal Aspects in Nursing WK 14Please answer the .docx
 
EthernetSatellite dishInternational Plastics, Inc. - C.docx
EthernetSatellite dishInternational Plastics, Inc. -  C.docxEthernetSatellite dishInternational Plastics, Inc. -  C.docx
EthernetSatellite dishInternational Plastics, Inc. - C.docx
 
Ethanolv.DrizinUnited States District Court, N.D. Iowa, Eastern .docx
Ethanolv.DrizinUnited States District Court, N.D. Iowa, Eastern .docxEthanolv.DrizinUnited States District Court, N.D. Iowa, Eastern .docx
Ethanolv.DrizinUnited States District Court, N.D. Iowa, Eastern .docx
 
Ethan FromeEdith WhartonTHE EMC MASTERPIECE SERIES.docx
Ethan FromeEdith WhartonTHE EMC MASTERPIECE SERIES.docxEthan FromeEdith WhartonTHE EMC MASTERPIECE SERIES.docx
Ethan FromeEdith WhartonTHE EMC MASTERPIECE SERIES.docx
 

Recently uploaded

Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.arsicmarija21
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
MICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxMICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxabhijeetpadhi001
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxAvyJaneVismanos
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentInMediaRes1
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupJonathanParaisoCruz
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 

Recently uploaded (20)

Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
MICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptxMICROBIOLOGY biochemical test detailed.pptx
MICROBIOLOGY biochemical test detailed.pptx
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media Component
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized Group
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 

ESSENTIALS OF Management Information Systems 12eKENNETH C..docx

• 1. ESSENTIALS OF Management Information Systems 12e. KENNETH C. LAUDON AND JANE P. LAUDON. CHAPTER 4 ETHICAL AND SOCIAL ISSUES IN INFORMATION SYSTEMS. CASE 3 Data Mining for Terrorists and Innocents.
SUMMARY: This case describes how data mining software, combined with Big Data collection from the Internet, is used to identify potential terrorists. The PRISM program of the U.S. National Security Agency (NSA) is an ongoing effort to enable such Internet surveillance. In some cases innocent people have been mistaken for terrorists, while in others a terrorist plot is disrupted. The existence of the PRISM program was a national security secret until it was revealed by Edward Snowden, a former NSA contractor.
There are two videos in this case:
(1) Data Mining for Terrorists and Innocents (L = 5:10) URL http://www.youtube.com/watch?v=4lKpD7MC22I
(2) How Does the PRISM Program Work? (L = 1:59) URL https://www.youtube.com/watch?v=JR6YyYdF8ho

• 2. CASE: Anti-terrorism agencies around the world have made effective use of new surveillance technologies that offer unprecedented abilities to identify and apprehend potential terrorists. Today's terrorists are by nature difficult to track, as disconnected groups of individuals can use the Internet to communicate their plans with a lower chance of detection. Anti-terrorist technology has evolved to better handle this new type of threat.
But there are drawbacks to these new strategies. Often, innocent people may find their privacy compromised or completely eliminated as a result of inaccurate information. Surveillance technologies are constantly improving. While this makes it more difficult for terrorists and other criminals to exchange information, it also jeopardizes our privacy, on the Internet and elsewhere, going forward. For instance, it may be necessary to monitor the phone calls of all American citizens, and visiting foreigners, in order to uncover a terrorist plot. Is this reason for worry? Are comparisons to Orwell's 1984 appropriate or overblown?
The first video displays both the positive and negative results of new advances in technology. The first segment describes a program called the Dark

• 3. Web Project developed by a team at the University of Tucson that combs the Internet in search of militant leaders and their followers. The program creates profiles based on word length, punctuation, syntax, and content, and displays information about the personality type of an individual graphically. The plotting of information on a graph represents whether the user is violent or militant, inexperienced and seeking advice, or an opinion leader holding sway over many more people. Programs like this have been adopted by many intelligence agencies worldwide, which incorporate them into their arsenal of terrorist surveillance technologies. It's unclear whether this project infringes on freedom of speech and individual privacy. On the one hand, detection of a potential terrorist is potentially an important method of deterring future terrorist attacks. On the other hand, individuals who haven't done or said anything wrong may be profiled and have their private conversations exposed. An additional concern is how to distinguish what kinds of speech are grounds for surveillance.
The second segment of the video describes the plight of a German sociology professor, Andrej Holm, subjected to jail time and 24-hour surveillance thanks to his supposed association with a terror cell. Holm has written extensively on gentrification, or the gap between

• 4. VIDEO CASE QUESTIONS
1. Does the Tucson data-mining project inappropriately violate the privacy of Internet users, or is it an acceptable tradeoff to more intelligently combat terrorism? Explain your answer.
2. Were the local police justified in their handling of Holm? Why or why not? For whichever view you take, briefly describe the opposing viewpoint.
3. Name the nine US Internet providers that were cooperating with the PRISM program. For each, describe some of the information which they could uniquely provide.
4. Why did the Internet companies provide the government with information on their users?
5. Is the PRISM program a danger to American democracy? Why, or why not?
the rich and the poor. A radical group repeated some of his themes in a letter claiming responsibility for terror attacks, the arson of police vehicles. Police also found that Holm had spoken to one of the terrorists twice before. Local law

• 5. enforcement jailed him for three weeks and subjected him to constant surveillance afterwards. But Holm claims that he is a victim of unfortunate circumstances, and the courts agreed, ruling that his imprisonment was illegal. Holm's phones were tapped and his Internet usage recorded, and while he's been acquitted, he has no assurance that the surveillance has stopped.
The second video describes the National Security Agency PRISM program for collecting telephone metadata and Internet behavior on most of the American and global population. Because most global Internet traffic goes through servers and routers in the United States, the PRISM program essentially was able to surveil all Internet traffic worldwide. Nine of the largest telecommunications and Internet companies cooperated with the government program. Developed shortly after the World Trade Center terrorist attack on September 11, 2001, and authorized by Congress as part of the Patriot Act (October 2001), the PRISM program was a closely held national security secret until revealed by Edward Snowden, a contract worker for the NSA who stole secret computer documents describing the program from the NSA and distributed them to newspapers worldwide. Snowden escaped arrest in the United States by fleeing eventually to Russia. He is regarded by some as a traitor for revealing national security secrets, and by others as a national hero, a whistleblower, who alerted the American public to what may be illegal activity by

• 6. their government, activity which, in their view, threatens freedom of speech, assembly, privacy, and democracy itself.
COPYRIGHT NOTICE: Copyright © 2016 Kenneth Laudon. This work is protected by United States copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from this site should not be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.
[Banner fragment: DEFENSE AC]
  • 8. R C H PA PER COMPETIT IO N 2010 ACS 2ndplace METRICS-BASED Risk Assessment and Management of DIGITAL FORENSICS Mehmet Sahinoglu, MSgt Stephen Stockton, USAF (Ret.), Capt Robert M. Barclay, USAF (Ret.), and Scott Morton Driven by the ubiquity of computers in modern life and the subsequent rise of cybercriminality and cyberterrorism in the government and defense industry, digital forensics is an increasingly salient component of the defense acquisi- tion process. Though primarily located in the law enforcement community, digital forensics is increasingly practiced within the corporate world for legal and regulatory requirements. Digital forensics risk involves the assessment,
  • 9. acquisition, and examination of digital evidence in a manner that meets legal standards of proof and admissibility. The authors adopt a model of digital forensics risk assessment that quantifies an investigator’s experience with e Fleischer eight crucial aspects of the digital forensics process. This research adds the concept of quantifying through a designed risk meter algorithm to calculate digital forensics risk indices. Numerical and/or cognitive data were pains- takingly collected to supply input parameters to calculate the quantitative risk index for the digital forensics process. Much needed risk management procedures and metrics are also appended. Keywords: Cyberterrorism, cybercriminality, risk meter 154 Defense ARJ, April 2016, Vol. 23 No. 2 : 152–177 A Publication of the Defense Acquisition University http://www.dau.mil Digital forensics is a topic that has been popularized by television pro- grams such as CSI. Crime-solving glamour and drama aside, the reality is
that the digital forensics process is a highly technical field that depends on the proper implementation of specific, well-accepted protocols and procedures. Inadequate forensic tools and technical examination, as well as lack of adherence to appropriate protocols and procedures, can result in evidence that does not meet legal standards of proof and admissibility. Digital forensics risk arises, for example, when personnel lack the proper tools to conduct investigations, fail to process evidentiary data properly, or do not follow accepted protocols and procedures.

Assessing and quantifying digital forensics risk is the goal of this article. To do so, the authors utilize a digital forensics risk meter, based on a series of questions designed to assess respondents’ perceptions of digital forensics risk. Based on the responses, a digital forensics risk index is calculated. This approach differs from others in that other approaches typically provide general guidance in the form of best practices, classification schemes or, at best, a checklist for digital forensics procedures, and do not provide quantitative tools (based on game theory) for risk management and mitigation. Examples of other such approaches follow:
• U.S. Department of Justice, Forensic Examination of Digital Evidence: A Guide for Law Enforcement (general guidelines and worksheets) (U.S. Department of Justice, 2004)
• Error, Uncertainty, and Loss in Digital Evidence (certainty levels) (Casey, 2002)
• Cyber Criminal Activity Analysis Models using Markov Chain for Digital Forensics (suspicion levels) (Kim & In, 2008)
• Two-Dimensional Evidence Reliability Amplification Process Model for Digital Forensics (evidence reliability) (Khatir, Hejazi, & Sneiders, 2008)
• Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility (checklist) (Jones & Valli, 2011)

One approach that does employ quantification, Metrics for Network Forensics Conviction Evidence, is confined to network forensics—mostly measuring severity impact—and does not provide mitigation advice (Amran, Phan, & Parish, 2009). In that research article, the authors show “how security metrics can be used to sustain a sense of credibility to network evidence gathered as an elaboration and extension to an embedded feature of Network Forensics Readiness (NFR).” They then propose “a procedure of
evidence acquisition in network forensics … then analyze a sample of a packet data in order to extract useful information as evidence through a formalized intuitive model, based on capturing adversarial behavior and layer analysis, … apply the Common Vulnerability Scoring System—or CVSS metrics to show the severity of network attacks committed…” (p. 1).

The digital forensics risk meter presented in this article will provide objective, automated, dollar-based risk mitigation advice for interested parties such as investigators, administrators, and officers of the court to minimize digital forensics risk. Figure 1 represents a decision tree diagram to assess risk; Figure 2 (with the Advice column on the right extracted from Figure B-1, Appendix B) represents sample mitigation advice generated from the respondents’ inputs. This article will not only present a quantitative model, but will generate a prototype numerical index that facilitates appropriate protocols and procedures to ensure that legal standards of proof and admissibility are met.
[Figure 1. Digital Forensics Risk Diagram: a decision tree rooted at “Digital Forensics Risk” whose branches are the eight vulnerabilities (Protocols & Procedures, Evidence Assessment, Evidence Acquisition, Evidence Examination, Documentation & Reporting, Digital Forensics Tools, Legal Aspects, Victim Relations) and whose leaves are their threats. Threat labels recovered from the figure: Mission Statement, Personnel, Administrative, Service Request/Intake, Case Management, Evidence Handling/Retention, Case Processing, Technical Procedures Development, Case Assessment, Onsite Location Assessment, Processing, Search Authority Evaluation, Precautions, Protection, Preservation, Preparation, Physical Extraction, Logical Extraction, Timeframe Analysis, Data Hiding Analysis, Application/File Analysis, Ownership/Possession, Examiner Notes, Examiner Report, Findings Details/Summation, Hardware, Software, Training, Funding, Jurisdiction, Search & Seizure, Admissibility, Victim Rights & Support, Court Preparation, Media.]

[Figure 2. Median Digital Forensics Risk Meter results table (threat, countermeasure, residual risk indices, optimization options and Advice column), spanning three pages; only scattered cell values (percentages and dollar amounts) survived extraction.]
Vulnerabilities, Threats, and Countermeasures

Based on industry best practices guidelines, such as the U.S. Department of Justice (2004) Forensic Examination of Digital Evidence: A Guide for Law Enforcement, eight specific vulnerabilities are assessed:
1. Protocols and Procedures
2. Evidence Assessment
3. Evidence Acquisition
4. Evidence Examination
5. Documentation and Reporting
6. Digital Forensics Tools
7. Legal Aspects
8. Victim Relations

Within each vulnerability category, questions pertain to specific threats and
countermeasures. For example, within the Evidence Acquisition vulnerability, respondents are asked questions regarding precautions, protection, and preservation threats and countermeasures. Within the Evidence Examination vulnerability, respondents are asked questions regarding preparation, physical extraction, logical extraction, timeframe analysis, data hiding analysis, application/file analysis, and ownership/possession threats and countermeasures. Within the Digital Forensics Tools vulnerability, respondents are asked questions regarding hardware, software, training, and funding threats and countermeasures. Figure 1 details these vulnerabilities and threats. The responses are then used to generate a quantitative Digital Forensics risk index.

Assessment Questions

Questions are designed to elicit responses regarding the perceived risk to proper Digital Forensics procedures, evidence handling/examination, admissibility, and other associated issues from particular threats, as well as the countermeasures the respondents may employ to counteract those
threats. For example, in the Evidence Examination vulnerability, questions regarding the data hiding analysis threat include both threat and countermeasure questions. Threat questions would include:
• Do file headers not correspond to file extensions?
• Did the suspect encrypt or password-protect data?
• Are hidden messages present?
• Are host-protected areas (HPA) present?

Countermeasure questions would include:
• Did the examiner correlate file headers to the corresponding file extensions to identify any mismatches that may indicate the user intentionally hid data?
• Did the examiner gain access to all password-protected, encrypted, and compressed files, which may indicate an attempt to conceal the data from unauthorized users?
• Did the examiner conduct a thorough steganographic analysis?
• Did the examiner gain access to HPAs that may indicate an attempt to conceal data?

Sample vulnerability (Evidence Acquisition) assessment questions employed in the digital forensics risk meter are found in Appendix A. Appendix A also clarifies and precludes confusion between Evidence Acquisition and materiel acquisition. The first proactive step in any digital forensic investigation is acquisition. The inherent problem with digital media is that it is readily modified just by accessing files. Working from a copy is one of the fundamental steps to making a forensic investigation auditable and acceptable to a court (Acquisition, n.d.).

Risk Calculation and Risk Management through Surveys

Based on their experience, the respondents answer yes or no to the survey questions. These responses are then used to calculate residual risk. Employing a game-theoretical mathematical approach, the calculated risk index is used to generate an optimization or lowering of risk to desired levels (Sahinoglu, 2007, 2016). A more detailed set of mitigation advice will be generated to show interested parties (such as investigators, administrators, and officers of the court) where risk can be reduced to optimized or desired levels. An example of such risk reduction is shown in Figure 2, from 45.8 percent to 35.8 percent,
which represents the median response from the study participants (Sahinoglu, Cueva-Parra, & Ang, 2012). Figure 2 is an actual screenshot of a results table, representing the median digital forensics risk meter results displaying threat, countermeasures, residual risk indices, optimization options, and risk mitigation advice. For this study, a random sample of responses from 27 survey participants was analyzed; their residual risk results are tabulated and presented in Appendix B. The survey portfolio used in this assessment and upon which this research article is based showed the complexity of the digital forensics field, encompassing tools, procedures, specific training, budget, and trial. Digital forensics has two crucial phases (Appendix A). The first phase included all the forensics involved with the collection of data, while the second phase concerns defending the data collected, the means by which the data were collected, and the chain of custody applied from the original collection until court (Sahinoglu, Stockton, Morton, Barclay, & Eryilmaz, 2014).

The initial goal was to obtain survey input from local city leaders in
Montgomery, Alabama. Although individuals from the Governor’s Office, Montgomery Police Department, and District Attorney’s office were willing to assist, our short timeframe and their busy schedules prevented their offices from providing input to the digital forensics survey. Fortunately, the authors had contacts at other law enforcement offices, which agreed to make personnel available for the survey and eventual follow-up. Eventually, three law enforcement offices and one special investigation/training organization participated and provided valuable input. Our first objective was to explain the purpose of the survey and the potential value the combined results could offer each of the offices. At each location, participants included investigators, initial responders, digital forensics specialists, and legal experts (i.e., District Attorney Office personnel). The range of expertise of the participants was invaluable, as each provided insight into an aspect of the survey that is often unique to a position within a department. Because of this range of expertise, the authors are confident they were able to capture the three main components of the survey portion of the Risk-o-Meter (RoM). Perspectives from collection of evidence, packaging of evidence for trial, and presentation of evidence at trial were all given. Although the special investigation/training organization had many fewer survey
participants, they did offer a unique perspective, as they represented an organization that focuses on training digital forensics experts for the military.

The results were then run for each participant, determining the Initial Repair Cost to Mitigate. This was determined by using a Criticality of 1.0, Equipment Cost of $0.0, and a Production Cost of $1,000. The median of all results was determined and then optimized through the RoM to determine the best “bang for the buck” that would reduce the participant’s Total Residual Risk by 10 percent. The initial Total Residual Risk for the median participant was 45.8 percent, with an Expected Cost of Loss (ECL) of $458.34. Once optimized, the Total Risk was reduced to 35.8 percent, and the ECL was reduced by $100 to a total ECL of $358.34 (Figure 2). The first optimized solution was to increase the countermeasure (CM) capacity for the “Examiner Notes” threat for the Documentation and Reporting vulnerability from 45.0 percent to 72.17 percent, for an improvement of 27.17 percent. The second
optimized solution was to increase the CM capacity for the “Victim Rights and Support” threat for the Victim Relations vulnerability from 72.50 percent to 99.92 percent, for an improvement of 27.42 percent. Table B-2 in Appendix B depicts a set of constrained linear equations used within the body of the risk meter’s innovative second-stage software for the game-theoretic optimization necessary to create the Advice column (shown on the right in Figure 2). The Advice column’s original survey calculations are depicted in Figure B-1, which displays company ECSO8: 14th Ranked Overall Median Survey. This is followed by Figure B-2, which displays company OPD1’s Group Median Survey Taker’s Original Survey Outcome; while Figure B-3 displays company AUPD5’s Group Median Survey Taker’s Original Survey Outcome. In each case, the company representative seemed impressed with the results and noted the results for possible future implementation. One organization actually commented that they had already begun looking into increases in at least one CM that was identified by the optimization. Clearly, this episode validated
the tool and its usefulness in their eyes.

Discussion and Conclusions

The advantages of conducting business on the Internet have been well documented. Conducting business online is frequently faster and cheaper than utilizing traditional methods. However, this comes with the digital forensics-related vulnerabilities and pertinent threats that tend to convert the positive advantages to clear disadvantages as a result of fraud and wrongdoing. With the advent of the Internet and burgeoning information systems, digital forensics has gained worldwide momentum. In every environment, the content of digital information relative to criminal undertakings and investigations alike has vastly increased, growing disproportionately to the capacities of state and local governments, as well as federal agencies and military components. The risk assessment, risk mitigation, or general risk management that involve planned investment policy in order of priority, with a sound and auditable, cost-effective approach, are missing links. The
proposed digital forensics risk meter is an innovative initiative that provides a quantitative assessment of risk to the user as well as recommendations for mitigating that risk. This approach will be a highly useful tool to interested parties such as investigators, company or system administrators, and officers of the court seeking to minimize and thereby mitigate digital forensics risk by leveraging and introducing early, preventive CMs identified as an outcome of this dynamic closed-end survey.

Additional future research by the principal author will involve the addition of cloud computing concerns such as service provider cooperation and data accessibility, as well as the incorporation of new questions so as to better refine user responses and subsequent calculation of risk and mitigation recommendations. Minimization or mitigation of digital forensics risk will greatly facilitate the success of digital forensics investigations, ensuring that legal standards of proof and admissibility are ultimately met. The digital forensics risk meter tool provides the means to identify areas where risk can be minimized, as well as giving the objective, dollar-based mitigation advice to do just that. This aspect of objective quantifiable risk assessment and management will add to the trustworthiness of acquisition practices in terms of dependable Internet communications involving great quantities of materiel and their budgetary repercussions.

Limitations and Future Research

The limitations are obvious due to input data deficiency, but methods such as the one proposed in this article are a good way to start due to the objective, hands-off, automated, cost-effective treatment of the problem at hand. Sound assessment of digital forensics risk can result when information entered, from learned respondents, is as close to the truth as feasibly possible. The discussion that follows clarifies how this proposed work is directly relevant to acquisition risk mitigation if applied appropriately within a system.
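Before that discussion, the residual risk index, ECL and “bang for the buck” optimization described under Risk Calculation and Risk Management through Surveys above, as an added Python example that is not the article's Risk-o-Meter software. The product form of the residual risk, the ECL formula, the dollar price per point of countermeasure capacity, the sample weights and the greedy optimizer (a linear stand-in for the article's game-theoretic second stage) are all assumptions.

```python
"""Digital forensics risk meter: residual risk, Expected Cost of Loss (ECL) and a
"bang for the buck" countermeasure (CM) optimisation.

Added example, not the article's Risk-o-Meter software. ASSUMED here: residual
risk = sum over vulnerabilities i and threats j of V_i * T_ij * (1 - CM_ij), with
the V_i summing to 1 and each vulnerability's T_ij summing to 1; ECL = risk *
criticality * production cost (the article only reports the resulting numbers,
e.g. 45.8% * 1.0 * $1,000 = $458); a made-up dollar price per percentage point of
CM capacity; and a greedy "risk reduction per dollar" optimiser standing in for
the article's game-theoretic second stage."""
from copy import deepcopy
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    share: float           # T_ij: this threat's share of its vulnerability's risk
    cm: float              # CM_ij: fraction of the threat current countermeasures cover
    cost_per_point: float  # assumed dollars to raise CM capacity by one percentage point

@dataclass
class Vulnerability:
    name: str
    weight: float          # V_i: this vulnerability's share of total risk
    threats: list

@dataclass
class Advice:
    vulnerability: str
    threat: str
    old_cm: float
    new_cm: float
    cost: float            # dollars spent on this CM increase

def residual_risk(vulns):
    """Uncovered part of every threat, weighted down the vulnerability tree."""
    return sum(v.weight * t.share * (1.0 - t.cm) for v in vulns for t in v.threats)

def expected_cost_of_loss(risk, criticality, production_cost):
    """ECL in dollars for a given residual risk index."""
    return risk * criticality * production_cost

def optimize(vulns, target_reduction, max_cm=1.0):
    """Lower total residual risk by target_reduction (absolute; 0.10 = ten percentage
    points) as cheaply as possible. Risk falls linearly in each CM capacity, so
    capacity is bought where the reduction per dollar is highest, filling that threat
    up to max_cm before moving on. Returns (new tree, advice); input is unchanged."""
    plan = deepcopy(vulns)
    candidates = [(v, t) for v in plan for t in v.threats]
    candidates.sort(key=lambda vt: vt[0].weight * vt[1].share / vt[1].cost_per_point,
                    reverse=True)
    advice, achieved = [], 0.0
    for v, t in candidates:
        if achieved >= target_reduction - 1e-12:
            break
        room = max_cm - t.cm
        if room <= 0.0:
            continue
        per_unit = v.weight * t.share  # risk removed per unit of CM capacity
        add = min(room, (target_reduction - achieved) / per_unit)
        advice.append(Advice(v.name, t.name, t.cm, t.cm + add,
                             add * 100.0 * t.cost_per_point))
        t.cm += add
        achieved += per_unit * add
    return plan, advice

# Constructed sample using the article's vulnerability and threat names; the
# weights, shares, CM capacities and prices are made up for illustration.
SAMPLE = [
    Vulnerability("Documentation and Reporting", 0.4, [
        Threat("Examiner Notes", 0.50, 0.450, 2.0),
        Threat("Examiner Report", 0.30, 0.800, 3.0),
        Threat("Findings Details/Summation", 0.20, 0.700, 3.0)]),
    Vulnerability("Victim Relations", 0.3, [
        Threat("Victim Rights & Support", 0.60, 0.725, 1.5),
        Threat("Court Preparation", 0.25, 0.900, 4.0),
        Threat("Media", 0.15, 0.600, 5.0)]),
    Vulnerability("Evidence Acquisition", 0.3, [
        Threat("Precautions", 0.40, 0.700, 6.0),
        Threat("Protection", 0.30, 0.800, 6.0),
        Threat("Preservation", 0.30, 0.750, 6.0)]),
]

def run(vulns=SAMPLE, criticality=1.0, production_cost=1000.0, target=0.10):
    """Before/after risk and ECL plus the advice list (the RoM results-table columns)."""
    before = residual_risk(vulns)
    plan, advice = optimize(vulns, target)
    after = residual_risk(plan)
    return {"risk_before": before,
            "ecl_before": expected_cost_of_loss(before, criticality, production_cost),
            "risk_after": after,
            "ecl_after": expected_cost_of_loss(after, criticality, production_cost),
            "advice": advice}

if __name__ == "__main__":
    r = run()
    print(f"Total residual risk {r['risk_before']:.1%} -> {r['risk_after']:.1%}; "
          f"ECL ${r['ecl_before']:.2f} -> ${r['ecl_after']:.2f}")
    for a in r["advice"]:
        print(f"  raise CM for {a.threat!r} ({a.vulnerability}) from {a.old_cm:.2%} "
              f"to {a.new_cm:.2%} for about ${a.cost:.2f}")
```

With the constructed sample the ten-point cut is met by raising two countermeasures, the same shape of advice the article reports for its median respondent.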
This research article is not focused on the usual law enforcement or digital-policing procedures, but is directed towards greater awareness for the in-house (e.g., acquisition community) workforce as they manage already existing risk assessment and risk management algorithms. By leveraging the countermeasures outlined in this article (in particular, the Advice column in Figure 2, which employs probability-estimation and game-theoretic risk computing), the authors anticipate that acquisition practitioners can better preclude future digital forensics breaches by taking timely CMs. Law enforcement, in cooperation with the defense acquisition community, is increasingly becoming an important player in digital forensics, thereby lending increased scrutiny in this vital area. Law enforcement is more aware of evidence such as drug cartel activity and money laundering through all avenues such as export, import, and domestic acquisition activities. Even in homicide cases, much useful evidence can be deduced by using digital forensics information. In addition, digital forensics sciences not only can break a difficult case, but can do so quickly and inexpensively compared to police detectives’ usual time-tested, but tedious practices. The proposed
risk meter software and its algorithm can successfully lead the way toward navigating the stages of cost-effective risk assessment and management. In conclusion, the best “bang for the buck” derives from simple usability and scientific objectivity.

References

Acquisition. (n.d.). In Wikibooks. Retrieved from https://en.wikibooks.org/wiki/Introduction_to_Digital_Forensics/Acquisition
Amran, A. R., Phan, R. C. W., & Parish, D. J. (2009). Metrics for network forensics conviction evidence. Proceedings of the International Conference for Internet Technology and Secured Transactions (ICITST), Institute of Electrical and Electronics Engineers (pp. 1–8), London, England. doi: 10.1109/ICITST.2009.5402640
Casey, E. (2002, Summer). Error, uncertainty, and loss in digital evidence. International Journal of Digital Evidence, 1(2). Retrieved from https://utica.edu/academic/institutes/ecii/publications/articles/A0472DF7-ADC9-7FDE-C80B5E5B306A85C4.pdf
Jones, A., & Valli, C. (2011). Building a digital forensic laboratory: Establishing and managing a successful facility. Burlington, MA: Butterworth Heinemann & Syngress.
Khatir, M., Hejazi, S. M., & Sneiders, E. (2008). Two-dimensional evidence reliability amplification process model for Digital Forensics. Proceedings of the IEEE Third International Annual Workshop on Digital Forensics and Incidents Analysis (WDFIA 2008) (pp. 21–29), Malaga, Spain. doi: 10.1109/WDFIA.2008.11
Kim, D. H., & In, H. P. (2008). Cyber criminal activity analysis models using Markov chain for Digital Forensics. Proceedings of the 2nd International Conference on Information Security and Assurance (pp. 193–198), Busan, Korea. doi: 10.1109/ISA.2008.90
Sahinoglu, M. (2007). Trustworthy computing: Analytical and quantitative engineering evaluation. Hoboken, NJ: John Wiley.
Sahinoglu, M. (2016). Cyber-risk informatics: Engineering evaluation with data science. Hoboken, NJ: John Wiley.
Sahinoglu, M., Cueva-Parra, L., & Ang, D. (2012, May-June). Game-theoretic computing in risk analysis. Wiley Interdisciplinary Reviews: Computational Statistics, 4(3), 227–248. doi: 10.1002/wics.1205. Retrieved from http://authorservices.wiley.com/bauthor/onlineLibraryTPS.asp?DOI=10.1002/wics.1205&ArticleID=961931
Sahinoglu, M., Stockton, S., Morton, S., Barclay, R., & Eryilmaz, M. (2014, November 20). Assessing Digital Forensics risk: A metric survey approach. Proceedings of the SDPS 2014 Malaysia, 19th International Conference on Transformative Science and Engineering, Business and Social Innovation, Sarawak, Malaysia. Retrieved from https://www.researchgate.net/publication/268507819_ASSESSING_DIGITAL_FORENSICS_RISK_A_METRIC_SURVEY_APPROACH
U.S. Department of Justice. (2004). Forensic examination of digital evidence: A guide for law enforcement. Retrieved from https://www.ncjrs.gov/pdffiles1/nij/199408.pdf

Appendix A
Sample Vulnerability (Evidence Acquisition, Documentation and Reporting, and Victim Relations) Assessment Questions (in XML format) and Survey Template

<survey>
  <vulnerability title="Evidence Acquisition" level="0">
    <vQuestion> Are special precautions not taken to preserve digital evidence? </vQuestion>
    <vQuestion> Was write protection not utilized to preserve and protect original evidence? </vQuestion>
    <vQuestion> Was digital evidence not secured in accordance with departmental guidelines? </vQuestion>
    <vQuestion> Was speed the primary concern when it came to acquiring digital evidence? </vQuestion>
    <threat title="Precautions">
      <tQuestion> Was evidence on storage devices destroyed or altered? </tQuestion>
      <tQuestion> Was equipment damaged by static electricity and magnetic fields? </tQuestion>
      <tQuestion> Was the original internal configuration of storage devices and hardware unnoted? </tQuestion>
      <tQuestion> Were investigators unable to provide drive attributes? </tQuestion>
    </threat>
    <threat title="Protection">
      <tQuestion> Was CMOS/BIOS information not captured? </tQuestion>
      <tQuestion> Was the computer’s functionality and the forensic boot disk not …

Next-Generation Digital Forensics: Challenges and Future Paradigms
Reza Montasari, Department of Computing and Engineering, The University of Huddersfield, Huddersfield, U.K.
Richard Hill, Department of Computing and Engineering, The University of Huddersfield, Huddersfield, U.K.

Abstract— In recent years, Information and Communications Technology (ICT) has rapidly advanced, bringing numerous benefits to the lives of many individuals and organisations. Technologies such as Internet of Things (IoT) solutions, Cloud-Based Services (CBSs), Cyber-Physical Systems (CPSs) and mobile devices have
brought many benefits to technologically-advanced societies. As a result, commercial transactions and governmental services have rapidly grown, revolutionising the lifestyles of many individuals living in these societies. While technological advancements undoubtedly present many advantages, at the same time they pose new security threats. As a result, the number of cases that necessitate Digital Forensic Investigations (DFIs) is on the rise, culminating in the creation of a backlog of cases for law enforcement agencies (LEAs) worldwide. Therefore, it is of paramount importance that new research approaches be adopted to deal with these security threats. To this end, this paper evaluates the existing set of circumstances surrounding the field of Digital Forensics (DF). Our research study makes two important contributions to the field of DF. First, it analyses the most difficult technical challenges that need to be considered by both LEAs and Digital Forensic Experts (DFEs). Second, it proposes important specific future research directions, the undertaking of which can assist both LEAs and DFEs in adopting a new approach to combating cyber-attacks.

Keywords—digital forensics, IoT forensics, cloud forensics, cybersecurity, digital investigation, encryption, anti-forensics
I. INTRODUCTION

In recent years, we have witnessed rapid advancements in Information and Communication Technology (ICT) features. Technologies such as communication networks, mobile devices, Internet of Things (IoT) solutions, Cloud-Based Services (CBSs) and Cyber-Physical Systems (CPSs) have brought many benefits to technologically-advanced societies [1, 2, 3]. As a result, commercial transactions and governmental services have rapidly grown, revolutionising the lifestyles of many individuals living in these societies. While technological advancements undoubtedly present many advantages, at the same time they pose new cybersecurity threats which have significant impacts on a variety of domains such as government systems, enterprises, e-commerce, online banking, and critical infrastructure. According to an official survey conducted by The Office for National Statistics [4], there were an estimated 3.6 million cases of fraud and two million computer misuse offences in a year. Although there is a variety of reasons for conducting cybercrimes, the motivation is often financial gain. The fundamental issues associated with cybercrime consist of damage to reputation and monetary loss, in addition to impacts on the confidentiality, integrity and availability of data. By exploiting technology, cybercriminals, for instance, will be able to turn IoT nodes into zombies (using malicious software), carry out distributed denial of service (DDoS) attacks (engineered through botnets), and create and distribute malware aimed at specific appliances (such as those affecting VoIP devices and smart vehicles) [1, 2], [5, 6, 7, 8, 9]. Other challenges resulting from such technological advancements include, but are not limited to: high volume of data, heterogeneous nature of digital devices, advanced hardware and software technologies, anti-forensic techniques, video and rich
media, whole drive encryption, wireless, virtualisation, live response, distributed evidence, borderless cybercrime and dark web tools, lack of standardised tools and methods, usability and visualisation. The deployment of IP anonymity and the ease with which individuals can sign up for a cloud service with minimum information can also pose significant challenges in relation to identifying a perpetrator [2], [5], [8], [9, 10]. As a result, the number of cases that necessitate DFIs is on the rise, culminating in the creation of a backlog of cases for LEAs worldwide [11, 12]. Therefore, given the discussion above, it is of paramount importance that new research approaches be created to deal with the aforementioned security challenges. To this end, we evaluate the existing set of circumstances surrounding the field of DF. Our research study makes two important contributions to the field of DF. First, it analyses the most difficult mid- and long-term challenges that need to be considered by both LEAs and DFEs. Second, it proposes important specific future research directions, the undertaking of which can assist both LEAs and DFEs in adopting a new approach to combating cyber-attacks.

II. CHALLENGES

As the field of DF continues to evolve, its development is severely challenged by the growing popularity of digital devices and the heterogeneous hardware and software platforms being utilised [2], [13, 14]. For instance, the increasing variety of file formats and OSs hampers the development of standardised DF tools and processes [15]. Furthermore, the emergence of smartphones that increasingly utilise encryption renders the acquisition of digital evidence an intricate task. Additionally,
advancements in cybercrime have culminated in the substantial challenge of business models, such as Crime as a Service (CaaS), which provide attackers with easy access to the tools, programming frameworks, and services needed to conduct cyberattacks [2]. The following sub-sections analyse the key issues that pose significant challenges to the field of DF.

A. Cloud Forensics

The cloud computing paradigm presents many benefits to both organisations and individuals. One such advantage relates to the manner in which data is managed by the cloud infrastructure. For instance, data is spread between various data centres to improve performance and facilitate load-balancing, scalability, and deduplication features. Because of this, data requires efficient indexing so that retrieval and optimisation can take place and duplication, which often contributes to the expansion of storage needs, can be avoided. As a result, evidence left by adversaries is more difficult to eliminate since it can be copied in various locations, rendering the acquisition of evidence and its examination easier to perform. However, despite its many benefits, cloud computing poses significant challenges to LEAs and DFEs from a forensic perspective. These include, but are not limited to, problems associated with the absence of standardisation amongst different CSPs, varying levels of data security and their Service Level Agreements [5], [16, 17], multiple ownerships, tenancies, and jurisdictions. Moreover, the distributed nature of cloud computing services presents a variety of challenges to LEAs as data often resides in a number of different jurisdictions. In contrast with traditional DF in which data is held on a single device, within cloud environments data is often spread over multiple different nodes. As a result, LEAs need to rely on local laws to be able to conduct digital evidence acquisition [1], [7], [18]. Therefore, the discrepancy in the legal systems of
  • 96. different jurisdictions combined with the lack of cooperation between CSPs also poses significant challenges from a DF perspective. In addition, existing DF models, frameworks, methodologies and tools are mainly intended for off-line investigations, designed on the premise that data storage under investigation is within the LEAs’ control [19]. However, performing DFIs within a cloud environment is increasingly challenging as digital evidence is often short-lived and stored on media beyond the control of DFEs [1]. Anonymising tools and distributed data storage in cloud services also enable criminals to cover their malicious activities more easily. Furthermore, the use of features such as IP anonymity and the ease with which one can sign up for a cloud service with minimal information make it almost impossible to identify criminals in cloud environments [1], [7, 8]. Another challenge for DF is the availability of different models for delivering cloud services (CSs). Specifically, investigating the data of an infrastructure-as-a-service (IaaS) user can be done without too many restrictions, but in the case of customers using software-as-a-service (SaaS) resources, access to information might be minimal or entirely absent. Last, but not least, accessing a software application through a cloud computing system often leaves traces of evidence in various places on the OS, such as registry entries or temporary Internet files. However, evidence is lost once the user has exited the virtual environment as virtualisation sanitises traces of leftover artefacts. As a result, virtualisation limits the traditional examination of the leftover artefacts, rendering digital evidence traditionally stored on hard drives potentially unrecoverable
[20, 21]. Therefore, cloud-based forensic investigations pose significant challenges related to the identification and extraction of evidential artefacts.

B. Network Forensics

A Network Forensic Investigation (NFI) pertains to the acquisition, storage and examination of network traffic (encapsulated in network packets) generated by a host, an intermediate node, or a whole portion of a network, in order to establish the source of a security attack. Network traffic objects that require analysis consist of the protocols used, IP addresses, port numbers, timestamps, malicious packets, transferred files, user-agents, application server versions, and operating system versions, etc. This data can be acquired from different types of traffic.

Similar to the other sub-fields of DF, NF poses various challenges to DFEs and LEAs. One of the challenges concerns traffic data sniffing. Depending on the network setup and the security measures in place where the sniffer is installed, the tool may not capture all of the intended traffic data. However, this challenge can be addressed by utilising a span port on network devices at various places in the network. Another challenge for NF is that an attacker might be able to encrypt the traffic by utilising an SSL VPN connection. In this case, although the address and port will still be visible to DFEs, the data stream will not be available. Therefore, additional analysis will need to be carried out so as to establish which data was compromised. Another challenge is determining the source of an attack,
since an attacker may use a zombie machine, an intermediate host to perform an attack, or simply a remote proxy server. The deployment of such methods by an attacker makes it very difficult for DFEs to determine the source of the attack. However, this can be remedied by examining each packet only in a basic manner in memory and storing only certain data for future examination. Although this approach requires less storage, it often requires a faster processor to be able to manage the incoming traffic. To capture and analyse evidential network data, DFEs need to use a number of commercial and open-source security applications such as tcpdump and windump. Additionally, ensuring the privacy of legitimate end users is another challenging factor in NF, as all packet data, including that of the end user, is captured during an investigation.

C. Internet of Things (IoT) Forensics

The Internet of Things (IoT), which is supported by the cloud, big data and mobile computing, often connects anything and everything 'online'. The IoT represents the interconnection of uniquely identifiable embedded computing devices within the current Internet infrastructure. Some IoT devices are ordinary items with built-in Internet connectivity, whereas others are sensing devices developed specifically with IoT in mind. The IoT covers technologies such as unmanned aerial vehicles (UAVs), smart swarms, the smart grid, smart buildings and home appliances, autonomous cyber-physical and cyber-biological systems, wearables, embedded digital items, machine-to-machine communications, RFID sensors, and context-aware computing, etc. Each of these technologies has become a specific domain in its own right. With new types of devices constantly emerging, the IoT has almost reached its
uttermost evolution. With an estimated 50 billion devices that will be networked by 2020 [20, 21], it is estimated that there will be 10 connected IoT devices for every person worldwide [22].

IoT-connected devices offer many benefits both individually and collectively. For instance, connected sensors can help farmers to monitor their crops and cattle so as to improve production and efficiency and track the health of their herds. Intelligent health-connected devices can save or significantly improve patients' lives through wearable devices. For instance, the wearable device developed by Intel can track the symptoms of Parkinson's disease patients by passively collecting 300 observations per second from each wearer, tracking various activities and symptoms [23, 24].

However, despite their many benefits, IoT-connected devices pose significant privacy and security challenges, as these devices and systems collect significant personal data about individuals. As an example of a privacy challenge, employers can use their employees' security access cards to track where they are in the building, to determine how much time the employees spend in their office or in the kitchen. Another example relates to smart meters that can determine when one is home and what electronics they use. This data is shared with other devices and stored in databases by companies. In relation to the security challenges, due to the constant emergence of new and diverse devices with varied OSs, as well as the different networks and related protocols, IoT produces a wider security attack surface than that created by cloud computing. Examples of cyberattacks that can be carried out on IoT devices include: intercepting and hacking into cardiac devices such as pacemakers and patient monitoring systems, launching DDoS attacks using compromised IoT devices, hacking or intercepting In-Vehicle Infotainment (IVI) systems, and hacking various CCTV and IP
cameras. Therefore, security is of paramount importance for the secure and reliable operation of IoT-connected devices. Although IoT has monitoring requirements similar to those of cloud computing, it poses more security challenges resulting from issues such as volume, variety and velocity. Furthermore, DFIs of IoT devices can be even more difficult than cloud-based investigations, as more complex procedures are needed to investigate these devices.

IoT Forensics must involve the identification and extraction of evidential artefacts from smart devices and sensors; from the hardware and software which facilitate communication between smart devices and the external world (such as computers, mobiles, IPS, IDS and firewalls); and also from hardware and software which are outside of the network being investigated (such as the cloud, social networks, ISPs and mobile network providers, virtual online identities and the Internet). However, extracting evidential artefacts from IoT devices in a forensically-sound manner and then analysing them tends to be a complex process, if not an impossible one, from a DF perspective. This is due to a variety of reasons, including: the different proprietary hardware and software, data formats, protocols and physical interfaces; the spread of data across multiple devices and platforms; change, modification, loss and overwriting of data; and jurisdiction and SLA issues (when data is stored in a cloud). Thus, determining where data resides and how to acquire it can pose many challenges to DFEs. For instance, the DF analysis of IoT devices used in a business or home environment can be challenging in relation to establishing whom data belongs to, since digital artefacts might be shared or transmitted across multiple devices. In addition, due
to the fact that IoT devices utilise proprietary formats for data and communication protocols, understanding the links between artefacts in both time and space can be very complex.

Another challenge related to the DFI of IoT devices concerns the chain of custody. In a civil or criminal trial, collecting evidence in a forensically sound manner and preserving the chain of custody are of paramount importance. However, ownership and preservation of evidence in an IoT setting could be difficult, and this can have a negative effect on a court's confidence that the evidence acquired is reliable.

Furthermore, existing DF tools and methods used to investigate IoT devices are designed mainly for traditional DF, examining conventional computing devices such as PCs, laptops and other storage media and their networks. For instance, the current methods utilised to extract data from IoT devices include: obtaining a flash memory image, acquiring a memory dump through the Linux dd command or netcat, and extracting firmware data via JTAG and UART techniques. Moreover, protocols such as Telnet, SSH, Bluetooth and Wi-Fi are deployed to access and interact with IoT devices. Likewise, tools such as FTK, EnCase, Cellebrite, X-Ways Forensics and WinHex, etc., and internal utilities such as the Linux dd command (for IoT devices with OSs such as embedded Linux), are used to extract and analyse data from IoT devices. However, the forensic investigation of IoT devices necessitates specialised handling procedures, techniques, and an understanding of various OSs and file systems. Additionally, when conventional Computer Forensic tools are used to conduct IoT Forensics, it would be highly unlikely that a chain of custody could be maintained, adherence to which is required by the Association of Chief Police Officers [25] concerning the collection of digital evidence.

Therefore, to deal with the aforementioned challenges posed by IoT-connected devices, cloud cybersecurity will need to be
reviewed, since each IoT device produces data that is stored in the cloud. Cloud cybersecurity policies must be blended with the IoT infrastructure so as to provide timely responses to suspicious activities [20]. They must be reviewed in relation to evidence identification, data integrity, preservation, and accessibility. CSPs will need to ensure the integrity of the digital evidence acquired from cloud computing components in order to facilitate an unbiased investigation process when establishing the root cause of a cyberattack in IoT. Therefore, as the IoT paradigm develops further, it becomes necessary to develop adaptive processes, accredited tools and dynamic solutions tailored to the IoT model.

D. Big Data and Backlog of Digital Forensic Cases

Another key challenge that the field of DF is currently facing pertains to the substantial and continuing increase in the amount of data, i.e. big data (both structured and unstructured) acquired, stored and presented for forensic examination. This data is collected from a variety of sources such as digital devices, networks, the cloud, IoT devices, social media, sensors or machine-to-machine data, etc. In particular, this challenge is relevant to live network analysis, since DFEs are unlikely to acquire and store all of the essential network traffic [2], [10]. This growth in data volume is the consequence of the ongoing advancement of storage technology, such as growing storage capacity in devices and cloud storage services, and of an increase in the number of devices seized per case. Consequently, this has resulted in an increase in the backlog of DF cases that are awaiting investigation (often for many months, or years in some cases). The
backlog of DF cases necessitating investigation has had a seriously adverse impact on the timeliness of criminal investigations and the legal process. Delays of up to 4 years in performing DFIs on seized digital devices have been reported to have a significant effect on the timeliness of criminal investigations [5], [11], [26]. Due to such delays, some prosecutions have even been discharged in court. This backlog of DF cases is predicted to increase due to modern sources of evidence such as IoT devices and CBSs.

To address the aforementioned issues, i.e. the 3Vs of big data (volume, variety and velocity), researchers have in recent years proposed various solutions, ranging from data mining [27, 28, 29], data reduction and deduplication [27], [30, 31], triage [12], [32, 33, 34], increased processing power, distributed processing [35, 36], cross-drive analysis [31], artificial intelligence, and other advanced methods [30]. Despite the usefulness of these solutions, additional research studies are required to address the real-world relevance of the proposed methods in dealing with the data volume that gravely challenges the field of DF. Therefore, it is of paramount importance to implement several practical infrastructural enhancements to the existing DF process. These augmentations should cover elements such as automation of device collection and examination, hardware-facilitated heterogeneous evidence processing, data visualisation, multi-device evidence and timeline resolution, data deduplication for storage and acquisition purposes, parallel or distributed investigations, and process optimisation of existing techniques. Such enhancements should be integrated to assist both law enforcement and third-party providers of DF services to speed up the existing DF process. The implementation of the stated elements can significantly assist both new and augmented forensic processes.
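Section B above suggests examining each packet only in a basic manner in memory and retaining only certain data, and section D lists data reduction and deduplication among the remedies for the data volume problem. The following is an added worked example, not code from the paper or from any tool it names: it parses constructed Ethernet/IPv4 frames, reduces them to one record per 5-tuple flow (endpoints, protocol, ports, first and last timestamp, packet and byte counts), and seals the retained record set with a SHA-256 digest so that a second examiner repeating the reduction can verify they obtained the same result. All addresses, ports and timestamps are constructed sample values, and the frame builder is a hypothetical helper written only so the example runs offline.

```python
"""Packet-to-flow reduction with an integrity digest (added example, not from the paper)."""
import hashlib
import json
import struct
from dataclasses import dataclass

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


@dataclass
class FlowRecord:
    """The only data retained per flow; full payloads are discarded after parsing."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    first_ts: float
    last_ts: float
    packets: int = 0
    octets: int = 0


def parse_frame(frame: bytes):
    """Return the 5-tuple (src, dst, proto, sport, dport) of an IPv4 frame, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                       # non-IPv4 frames are counted but not summarised
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4              # header length in bytes (options included)
    if ihl < 20 or len(ip) < ihl:
        return None
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = dport = 0
    if proto in (PROTO_TCP, PROTO_UDP) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, proto, sport, dport


def reduce_to_flows(frames):
    """frames: iterable of (timestamp, raw_frame). Returns {5-tuple: FlowRecord}."""
    flows = {}
    for ts, frame in frames:
        key = parse_frame(frame)
        if key is None:
            continue
        rec = flows.get(key)
        if rec is None:
            rec = FlowRecord(*key, first_ts=ts, last_ts=ts)
            flows[key] = rec
        rec.last_ts = max(rec.last_ts, ts)
        rec.packets += 1
        rec.octets += len(frame)
    return flows


def seal_records(flows):
    """Serialise the retained records deterministically and hash them for the custody log."""
    rows = [vars(flows[k]) for k in sorted(flows)]
    payload = json.dumps(rows, sort_keys=True).encode()
    return payload, hashlib.sha256(payload).hexdigest()


def summarise(frames):
    """Reduction report: raw bytes seen, retained bytes, flow count and digest."""
    frames = list(frames)
    flows = reduce_to_flows(frames)
    payload, digest = seal_records(flows)
    return {"raw_bytes": sum(len(f) for _, f in frames),
            "retained_bytes": len(payload), "flows": len(flows), "sha256": digest}


def make_frame(src, dst, proto, sport, dport, payload_len):
    """Hypothetical helper: builds Ethernet + IPv4 (no options) + ports + zero padding."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24 + payload_len, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * payload_len


# Constructed sample capture: a short TCP session, one DNS query and one IPv6 frame.
SAMPLE_CAPTURE = [
    (1.0, make_frame("10.0.0.5", "203.0.113.9", PROTO_TCP, 51000, 443, 200)),
    (1.2, make_frame("10.0.0.5", "203.0.113.9", PROTO_TCP, 51000, 443, 1200)),
    (1.5, make_frame("203.0.113.9", "10.0.0.5", PROTO_TCP, 443, 51000, 900)),
    (2.0, make_frame("10.0.0.5", "192.0.2.1", PROTO_UDP, 40000, 53, 60)),
    (2.1, b"\x00" * 12 + struct.pack("!H", 0x86DD) + b"\x00" * 40),   # IPv6, skipped
]

if __name__ == "__main__":
    print(summarise(SAMPLE_CAPTURE))
```

Each direction of a conversation is kept as its own record here; an examiner who wants bidirectional flows would normalise the key (lowest endpoint first) before the lookup. The digest only proves that the reduced set is unchanged since it was sealed, so the parameters of the reduction (which fields were kept, which frame types were skipped) belong in the custody log alongside it.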
E. Encryption

According to a survey conducted by Forensic Focus [37], data encryption, in addition to Cloud Forensics (discussed previously), is the most difficult challenge encountered by DFEs. Encryption is the fastest method used to prevent access to data held on a device. There exist numerous encryption methods that can be implemented on a system or its peripherals. The growth of storage devices has led to the creation of tools capable of encrypting the entire volume of a hard drive. Encryption can also be applied to an application, a folder, a cloud service, mobile devices, and data stored in a database or transmitted through email, etc. Concerning network-based data hiding, this can be facilitated through methods such as Virtual Private Network (VPN) tunnelling and the use of proxy servers and terminal emulators. Regardless of whether data is stored on an unknown server in the cloud or on the encrypted hard drive of the perpetrator's computer, encryption often makes it impossible for DFEs to acquire data essential for a DFI. Although such technologies are not unbeatable, they often require a large amount of time and luck to be bypassed [32], [38, 39]. Since many encryption schemes are implemented to resist brute-force attacks, it is therefore of paramount importance that researchers be able to design certain workarounds and exploits in order to overcome encryption and acquire evidence from encrypted devices.

Depending on the type of digital device involved, the forensic challenges of encrypted devices differ. There are currently several exploits that DFEs can leverage to overcome encryption in DFIs. For instance, DFEs can decrypt a BitLocker volume by determining the correct Microsoft Account password. This can be achieved by recovering the matching escrow key directly from the Microsoft Account. There are various tools and methods (the discussion of which is outside the scope of this paper) for
retrieving the password. Another exploit method used by researchers is to conduct RAM Forensics (imaging the RAM) using a tool such as Belkasoft Live RAM Capturer and then draw out a binary decryption key from that RAM image. Using this method enables DFEs to bypass encryption and identify malware that is not placed in persistent storage. For instance, full-disk encryption on Windows desktop computers (BitLocker) can be attacked by imaging the RAM through a kernel-mode tool while the volume is mounted and examining that memory image to acquire the binary decryption key. This facilitates mounting BitLocker volumes in a short period of time. However, the development of RAM Forensic tools, as noted by Garfinkel [32], is more challenging than the creation of disk tools. Data stored on disks is persistent and intended to be read back in the future. However, data written to RAM can only be read by the running program. Garfinkel [32] argues that as a result there is less desire "for programmers to document data structures from one version of a program to another". Therefore, issues such as these can complicate the tasks of tool developers.

F. Limitations in DF Tools and Lack of Standardisation

Existing DF tools and techniques are also limited in their functionality and are poorly suited to the task of identifying data which is "out-of-the-ordinary, out-of-place, or subtly modified" [32], [40]. Traditional DF tools, techniques and methods often lag behind newly emerging technologies, lacking adequate capabilities to address the resultant challenges presented by these technologies. Although current DF tools might be able to handle a case containing several terabytes of data, they are incapable of condensing terabytes of data
into a succinct report. Furthermore, it is challenging to employ DF tools to recreate a unified timeline of past events or the activities of a culprit. Event and timeline reconstructions are often conducted manually during a given DFI. DF tools are also often slow to conduct data analysis. Furthermore, the task of creating digital documents which can be presented in court has had an adverse effect on the production of DF methods that could process data that is not easily available [32], [41].

With regard to the lack of standardisation in DF, although researchers in the field have made some attempts to agree on formats, schemas, and ontologies for DF artefacts, very little progress has been made, if any [15], [42, 43, 44]. This is despite the fact that analysis of advanced cyber-attacks often necessitates concerted efforts to deal with the processing of complex data. In most cases such cooperation does not exist amongst DFEs and DF researchers alike. As a result, the diversity problem arising from the absence of standardised methods and guidelines to detect, acquire, store, examine, analyse and present digital evidence also poses significant challenges for DFIs [45, 46]. The lack of formal and generic Digital Forensic Investigation Process Models (DFIPMs) also contributes to the intricacy of acquiring and analysing digital evidence in a forensically sound manner [42]. Therefore, it is essential that the DF community engages in more collaboration to create effective standard formats and abstractions.

III. RESEARCH DIRECTIONS

A. IoT Forensics

The Identification, Acquisition and Analysis (the main phases of a conventional DFI) of digital evidence in IoT environments
pose significant challenges to LEAs and DFEs. In relation to the identification of a particular user's data, it would be difficult for investigators to determine how to conduct search and seizure when the location and provenance of data (representing potential digital evidence) cannot be determined. One way to address this challenge is to integrate IoT device data into Building Information Modelling. Thus, the research community can consider this as a research opportunity to be explored.

With regard to the problems of extracting a specific user's data from IoT devices, the volatility of evidence in these devices is more complex than the volatility of evidence in traditional devices. In IoT environments, data might be held locally by an IoT device. In this case, the lifespan of the data is very short before it is overwritten or compressed. Furthermore, digital evidence (data) from an IoT device might be shifted to and used by another IoT device (or a local network of IoT-connected devices), or it might be moved to the cloud for aggregation and processing. As a result, the transmission and aggregation of evidence poses significant challenges for maintaining the chain of evidence. To deal with this challenge, we propose the development of new investigation methods that can track and filter the transfer of data across IoT-connected devices, as supported by (Hegarty et al., 2014). Such methods can then pave the way for the acquisition of data that has been altered or deleted. Therefore, the creation of such techniques should be considered as a new research opportunity for further exploration.

In terms of the challenges of the analysis process, IoT devices produce large amounts of data which are stored in large-scale distributed cloud environments. If this data requires
Digital Forensic analysis, first it needs to be imaged in order to adhere to the principles of 'forensically-sound investigations'. However, from a …

The Governance of Corporate Forensics using COBIT, NIST and Increased Automated Forensic Approaches

Henry Nnoli1, Dale Lindskog2, Pavol Zavarsky2, Shaun Aghili2, Ron Ruhl2
1ATB Financial, Edmonton T5J 1P1, Canada
2Information Systems Security Management, Concordia University College of Alberta, Edmonton T5B 4E4, Canada
[email protected], {dale.lindskog, pavol.zavarsky, shaun.aghili, ron.ruhl}@concordia.ab.ca

Abstract—Today, the ability to investigate internal matters such as policy violations, regulatory compliance, and employee separation has become important in order for corporations to manage risk. The degree of information security threats evolving on a daily basis has increasingly raised concerns for enterprise organizations. These threats include, but are not limited to, fraud, insider threat and intellectual property (IP) theft. These have increased the demand for organizations to implement corporate forensics as a deterrent to illegitimate acts or for linking perpetrators to their illegitimate acts. This explains why forensic practices are expanding from their traditional role in law enforcement and becoming an essential part of business processes. However, most organizations may not be maximizing
the benefits of corporate forensic capabilities because of a lack of corporate forensic governance best practices, which are needed to ensure organizations prepare their operating environment for digital forensic investigation. Corporate forensic governance will help ensure that digital evidence is obtained in an efficient and effective way with minimal interruption to the business. This paper presents a corporate forensic governance framework intended to enhance forensic readiness, governance, and management, and to increase the use of automated forensic techniques and in-house forensically sound practices in large organizations that have a need for these practices.

Index Terms—corporate forensic governance; corporate forensic readiness; increased automated forensic solutions; digital forensic investigation; digital evidence

I. INTRODUCTION

Most organizations waste effort, time and resources in carrying out forensic investigations due to a lack of corporate forensic preparedness [4]. Forensic readiness (preparedness) can be defined as the process of being prepared (having the right policies, procedures, people and techniques in place to respond professionally and in a timely manner) before an incident occurs. Rowlingson [4], in his paper 'A Ten Step Process for Forensic Readiness', described forensic readiness as the ability of an organization to maximize its potential to use digital evidence while minimizing the cost of an investigation. In his paper he discussed practices that, when implemented before a digital incident occurs, can help organizations to be ready to carry out forensic investigations. However, forensic readiness is only one part of a comprehensive and well-structured corporate forensic governance program.

Governance is the process of establishing and maintaining a framework and supporting management structure and processes
to provide assurance that applicable strategies are aligned with and support business objectives, and are consistent with applicable laws and regulations, through adherence to policies and internal controls and the assignment of responsibility, all in the effort to manage risk [22].

In most organizations, when incidents occur the incident response team's major concern is to contain the incident and restore operations, paying less attention to potential evidence. In most cases digital evidence is contaminated, incomplete and untrustworthy, all of which inhibits linking perpetrators to their illegitimate acts if a crime is committed [2]. This is simply because of the lack of forensic readiness, which is part of a good corporate forensic governance program. Grobler et al. [5] stated, "all disciplines need some form of policy, procedures, standards and guidelines hence necessitating the proper facilitation of governance". In their paper, entitled 'Managing digital evidence - The governance of digital forensics', they introduced a preliminary framework for the governance of digital forensics.

According to COBIT [10], the principles of governance best practice include strategic alignment, risk management, value delivery, resource optimization, and continuous performance evaluation. The Board briefing on IT governance [22] stated that governance practices have been confirmed to yield huge benefits in the fields of information technology (IT) and information security (IS) due to the establishment and adoption of applicable frameworks like COBIT. "In other words, top management of various organizations are realizing the significant impact information technology and information security can have on the success of their enterprise because of governance of these fields" [22]. Such governance practices are lacking in the field of digital forensics [5].
For various reasons which will be highlighted later in this paper, there is a need for effective and efficient governance practices for corporate forensic programs to ensure that value, risk and resources are optimized during forensic investigations. Most organizations
are still biased against in-house forensic readiness and capability because they feel that it involves complex processes, but with a proper best practice framework for corporate forensic governance and readiness they will observe that in-house forensic readiness can be conducted in an efficient and effective way. In addition, the use of innovative, user friendly and increased corporate forensic automated solutions (like Encase Enterprise) reduces the amount of resources (time, effort and personnel) used for such practices. With the existence of COBIT [10][11] and other IT and IS governance frameworks, including research work like [1][2][3][4][5][8], it is obvious that there is a governance gap in the field of corporate forensics. In this paper, a governance framework is presented, one that will guide those large organizations who are in need of a corporate forensic program on how best governance practices can enhance corporate forensic readiness and in-house forensically sound practices in an efficient and effective way.

This paper is organized into the following sections: Section II argues the need for corporate forensic readiness and governance; Section III explains best practice governance principles; Section IV is a brief discussion of related work;

2012 ASE/IEEE International Conference on Social Computing and 2012 ASE/IEEE International Conference on Privacy, Security, Risk and Trust. 978-0-7695-4848-7/12 $26.00 © 2012 IEEE. DOI 10.1109/SocialCom-PASSAT.2012.109
Section V is a description of the proposed framework; finally, in Section VI we conclude and recommend future work.

II. CORPORATE FORENSIC READINESS AND GOVERNANCE

According to [8], litigation is a last option for most organizations, because of concerns like negative publicity and its negative impact on the business. Therefore, corporate forensic readiness, governance and in-house forensic capability will help organizations to be prepared to gather and use digital evidence as a deterrent and for making firm conclusions during internal investigations of non-criminal violations. The objective of corporate forensic readiness is to ensure that digital evidence is collected using sound forensic processes and in an effective way, with minimal interruption to the business. This evidence can also be used in the organization's interest and defense.

Although many organizations outsource forensic activities, it is likely that most would prefer to perform them internally. The reasons for this include privacy, confidentiality of organizational and customer data, legal risk, delayed forensic results from consultants, and compliance with regulations like Sarbanes Oxley, the King 3 Report, the Basel Committee report on banking supervision, and FIPS PUB 200. In addition, it is costly to outsource forensic activities in those large organizations that experience recurring digital incidents. Regulations like FIPS PUB 200 (2002) mandated all federal agencies in the United States to comply with the standard's Audit and Accountability section, which states that "Organizations must:
1. Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
2. Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions" [12].

These considerations show that, in a great many cases, there is a clear need for corporate forensic readiness and in-house forensic capability. Rowlingson [4] articulates ten steps toward corporate forensic readiness:
1. "Define the business scenarios that require digital evidence.
2. Identify available sources and different types of potential evidence.
3. Determine the evidence collection requirement.
4. Establish a capability of securely gathering admissible evidence to meet the requirement.
5. Establish a policy for secure storage and handling of potential evidence.
6. Ensure monitoring is targeted to detect and deter major incidents.
7. Specify circumstances when escalation to a full formal investigation should be launched.
8. Train staff in incident awareness so that all those involved understand their role in the digital process and the legal sensitivities of evidence.
9. Document an evidence-based case describing the
incident and its impact.
10. Ensure legal review to facilitate action in response to the incident".

A good governance framework consists of both governance and management processes [11]. Rowlingson's work should be incorporated into management processes, and we therefore refined and used it in the development of the management processes (CFM domain) of our proposed corporate forensic governance framework. More elaboration on the need for corporate forensics can be found in [8].

A. The Relationship between IT Governance, IS Governance and Corporate Forensics

It could be argued that corporate forensics falls, in some respects, under IT governance and IS governance. However, some important aspects of corporate forensics, like jurisprudence (legal) and forensically sound processes, are not fully part of IT and IS governance [3]. According to ACPO [30], forensically sound processes mean performing forensic practices (collection, examination, analysis, documentation, preservation of evidence and chain of custody) according to the applicable jurisdiction. It also means that forensic practices should be conducted in such a way that, if necessary, an independent third party is able to repeat the same processes and obtain the same result. This shows that the preservation of the integrity of evidence is very important during forensic investigations. Corporate forensics (CF) and digital forensics (DF) will be used interchangeably in this paper.

Researchers like Von Solms [3] and Grobler [5] explain the relationship between Digital Forensics (DF), IS Governance, IT Governance and Corporate Governance. Von Solms et al. state "that the proactive mode of information security ensures all policies, procedures, and technical mechanisms are in place to prevent
harm to the organization's information; the reactive mode ensures that if harm occur, it will be repaired (Business continuity planning, Good backup and Disaster recovery techniques are part of the reactive mode)" [3]. "The proactive mode of digital forensics ensures all policies, procedure, technical and automated mechanisms are in place to be able to act when required; the reactive mode ensures that the necessary actions can be performed to support specified analytical and investigative techniques required by digital forensics" [3]. This shows that some components of digital forensics, IS and IT governance overlap and are related. Therefore, the best practice governance principles used for effective IT and IS governance can also be used for corporate forensic governance.

Fig. 1. Relationship between Corporate governance, IT governance, IS governance and Digital forensic [3]

Figure 1 shows a holistic view of DF and its relationship with corporate governance, IS governance and IT governance.

III. BEST PRACTICE GOVERNANCE PRINCIPLES

According to best practices [10][11][22], governance principles include strategic alignment with business objectives, value delivery to the business, risk management, optimization of available resources, and continuous performance evaluation.

A. Strategic Alignment

Good governance of corporate forensics (CF) will ensure
  • 116. that the objectives of CF practices are aligned to the organization’s goals. According to Board briefing on IT governance [22], the cost effectiveness of a security program is determined by how well it supports the organization’s objective. Corporate forensic governance will also ensure that corporate forensic objectives are defined in business terms and all CF controls tracked to a specific business requirement. The following will indicate alignment: a corporate forensic program that enhances business activities; a corporate forensic program that is responsive to defined business needs; corporate forensic program and organization objectives that are defined and clearly understood by relevant stakeholders; corporate forensic program that is mapped to organizational goals and is validated by senior management; a corporate forensic strategy and steering committee made up of key executives to ensure continuous alignment of corporate forensic objectives and business goals. B. Value Delivery Good governance of corporate forensic practices will also ensure that corporate forensic investments are optimized in support of enterprise objectives. It also ensures that the organization gets benefits from their corporate forensic investments. Governance will ensure corporate forensic investments are supporting business needs and adding expected value. For instance, in a scenario where there is no governance, there won’t be monitoring and evaluation to ensure that corporate forensic investment is continuously supporting the business in achieving some of its strategic needs. Therefore, forensic investments may not add expected value to the business, since there are no metrics to measure if value is optimized. Corporate forensic governance increases the likelihood of corporate forensic program’s success considering the significant cost associated with corporate forensic practices.
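The ACPO requirement quoted in Section II.A (evidence integrity is preserved, and an independent third party can repeat the process and obtain the same result) is usually met in practice by hashing evidence at acquisition and keeping a tamper-evident chain-of-custody record. The following is an added example and not code from the paper; the evidence bytes, the custody events and the log format are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value used by the first custody entry

# Constructed sample evidence (not from the paper): one captured file-server log line.
EVIDENCE = b"2013-05-01T08:15:02Z host=fileserver01 user=jdoe action=copy file=payroll.xlsx\n"


def sha256_hex(data: bytes) -> str:
    """Hash of the evidence; an independent party recomputes this to check integrity."""
    return hashlib.sha256(data).hexdigest()


def make_entry(prev_hash: str, timestamp: str, action: str, actor: str, evidence_hash: str) -> dict:
    """One chain-of-custody entry, sealed with a hash that also covers the previous entry's hash."""
    entry = {
        "timestamp": timestamp,
        "action": action,
        "actor": actor,
        "evidence_sha256": evidence_hash,
        "prev_entry_sha256": prev_hash,
    }
    entry["entry_sha256"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    return entry


def build_custody_log(evidence: bytes, events) -> list:
    """Record each (timestamp, action, actor) event against the hash taken at acquisition."""
    evidence_hash = sha256_hex(evidence)
    log, prev = [], GENESIS
    for timestamp, action, actor in events:
        entry = make_entry(prev, timestamp, action, actor, evidence_hash)
        log.append(entry)
        prev = entry["entry_sha256"]
    return log


def verify_custody(log: list, evidence: bytes) -> tuple:
    """Independent re-check of the whole record: the evidence must still hash to the
    recorded value, every entry must be reproducible from its own fields, and every
    entry must link to the one before it (so removed or inserted entries show up)."""
    current_hash = sha256_hex(evidence)
    prev = GENESIS
    for e in log:
        if e["prev_entry_sha256"] != prev:
            return False, "broken link"
        sealed = {k: v for k, v in e.items() if k != "entry_sha256"}
        if sha256_hex(json.dumps(sealed, sort_keys=True).encode()) != e["entry_sha256"]:
            return False, "log entry altered"
        if e["evidence_sha256"] != current_hash:
            return False, "evidence hash mismatch"
        prev = e["entry_sha256"]
    return True, "ok"


if __name__ == "__main__":
    log = build_custody_log(EVIDENCE, [
        ("2013-05-02T09:00:00Z", "acquired", "first responder"),
        ("2013-05-02T10:30:00Z", "transferred", "forensic examiner"),
        ("2013-05-03T14:00:00Z", "examined", "forensic examiner"),
    ])
    print(verify_custody(log, EVIDENCE))         # intact evidence and record
    print(verify_custody(log, EVIDENCE + b"x"))  # a single changed byte is detected
```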
Figure 2 shows some of the questions governance will ask to ensure value is optimized.

Fig. 2. Val IT Framework 2.0: value according to the Four ‘Are’s, as described in The Information Paradox [34]

C. Risk Management

For applicable IT related business risk to be mitigated using corporate forensic practices, CF governance helps ensure that corporate forensic practices are an integral part of the enterprise risk management program. CF governance will also ensure that the corporate forensic strategy and program help organizations achieve an acceptable level of applicable IT related business risk. A structure for risk assessment as defined by NIST 800-30 is shown in Figure 3 below. If corporate forensic practices are part of the enterprise risk management program, potential evidence sources will be identified in a proactive manner. Also, CF governance will ensure that the legal risks involved in corporate forensic practices are fully identified, communicated, mitigated and managed.

Fig. 3. NIST 800-30 Risk Assessment Methodology [32]

Furthermore, in the risk assessment methodology shown in Figure 3, step 4 requires control analysis and selection. This is where different controls are selected for all identified risks. Different controls are weighed and analyzed based on their strengths and weaknesses, and the best control to mitigate each risk effectively is selected. All risks that could best be mitigated with corporate forensic practices should be identified, documented in a risk profile chart and rated to show their potential value impact to the business. This is one of the principles of good CF governance, which will ensure that all risks that could be mitigated with corporate forensic practices are mitigated and optimized.

D. Resource Optimization

This principle of good corporate forensic governance deals with the planning, allocation and control of corporate forensic resources, which include people, processes and technologies (increased automated forensic suites), towards adding value to the business. CF resources need to be managed properly to be effective. Proper CF resource management will ensure that corporate forensic practices are efficient and cost effective and, most importantly, that corporate forensics effectively addresses applicable business needs.

E. Performance Evaluation

Since there is a clear saying that “you cannot manage what you cannot measure,” the governance of corporate forensic practices will ensure measures are in place to monitor corporate forensic processes and measure their performance. This will help management make informed decisions about the state of the corporate forensic program and ascertain whether it is effective or not. Methods like maturity models, checklists and other tools could be used. Some of the indicators of an effective corporate forensic program, as observed from performance measurement, include: the time it takes to detect and uncover potential security threats to the business; the number of threats effectively traced to their sources within a minimal time interval without interruption to the business; and the number of security breaches reported (a lower number of reported breaches indicates the effectiveness of the control as a deterrent). The performance measurement module of the governance framework is represented in the corporate forensic evaluation (CFE) domain of the proposed framework.

IV. RELATED WORK

Researchers like [4][6][7][8] have looked into some form of forensic readiness, while [2][8][9][21] have looked into some form of proactive digital forensics; these are considered part of, but not a comprehensive representation of, good governance practices. They did not comprehensively address the establishment of a good governance framework and major governance processes for corporate forensic practices, which would obviously make their work more effective. In other words, they did not address in detail how corporate forensic practices could be enhanced using governance best practices. Lack of CF governance practices might explain why management sees digital forensics as an abstract and highly technical field and has very little interest in leveraging its benefits to achieve some of their corporate goals. Good governance, referred to at the beginning of this section, means: getting senior management involved in an interactive manner by using globally adopted common business language in a governance framework for forensic practices; management taking ownership of the forensic program by assuming responsibility and accountability (RACI chart) for forensic processes; use of increased automated forensic suites with generation of user-friendly executive reports, remote forensics and automated processes; and use of forensic practices to minimize high IT related business risk. All these enhancements are expected to help organizations maximize the benefits of forensic practices in an efficient and effective way. Discussing proactive or corporate forensic readiness, as [2][4][6][7][8][9][21] do, without establishing a governance structure and framework and without obtaining management support will result in the corporate forensic readiness program not being fully effective and efficient. Furthermore, at the time this paper was written, only one group of researchers, Grobler et al. [5], to the best of our knowledge, had researched the governance of digital forensics. Their paper was a preliminary framework in the form of an outline for the governance of digital forensics. The scope of the paper did not comprehensively address how globally accepted governance best practices [10][11][22] can be used to enhance a corporate forensic program in enterprise organizations.

V. DESCRIPTION OF THE PROPOSED FRAMEWORK

According to best practice [11], a governance framework should consist of two major processes: the governance and management processes. The governance processes involve direction in strategic alignment, risk management, resource optimization, value delivery and performance evaluation. The governance field directs the management field and ensures management processes are achieving their goals. The management field is responsible for executing and implementing directions from the governance field. The management processes involve specialized and operational processes which governance uses to achieve its tactical and operational goals. The management section performs more hands-on tasks than the governance section. The proposed framework was developed with this principle. The framework was categorized into three domains, namely Corporate Forensic Governance (CFG, governance processes), Corporate Forensic Management (CFM, management processes) and Corporate Forensic Evaluation (CFE). The third domain, CFE, maintains a life cycle model for the framework by evaluating, monitoring and continually improving forensic processes through lessons learned and evaluation using a maturity model. Figure 4 shows the corporate forensic governance framework lifecycle.
Fig. 4. The three major domains of the proposed corporate forensic governance framework lifecycle

The proposed corporate forensic governance framework was developed with the common language and best practices used in related governance models.

A. Corporate Forensic Governance (CFG)

Corporate Forensic Governance was developed with the major principles of best governance practices as recommended by COBIT [10][11] and the Board Briefing on IT Governance [22], which include strategic alignment, risk management, resource optimization and value delivery. These principles represent control objectives CFG 1 to CFG 4 of the corporate forensic governance domain. Detailed control practices were developed under each of these control objectives.

B. Corporate Forensic Management (CFM)

The second domain, Corporate Forensic Management (CFM), contains functions classified as management functions in the framework. This domain was developed from best practices, Rowlingson’s work [4] and all other literature reviewed in the reference section. The control objectives in this domain (CFM 1 to CFM 10) include: manage legal and ethical requirements; define policies; define procedures; manage education, training and awareness; perform proactive evidence identification; collect evidence; examine and analyze evidence; manage evidence; manage third parties; and document, report and present evidence. Detailed control practices were developed under each of these control objectives.

C. Corporate Forensic Evaluation (CFE)

The third domain, Corporate Forensic Evaluation (CFE), contains processes to evaluate (maturity model), monitor, assess and improve (with lessons learned and feedback) forensic practices to ensure the objective of the framework is continuously achieved. The objectives of the framework include performing corporate forensic activities in an efficient and effective way, with minimal disruption to the business; collecting evidence in a forensically sound way; and reducing applicable potential IT related risk to the business. This domain was developed from process assessment best practices from all the literature reviewed. Detailed control practices were developed under each of the control objectives (CFE 1 to CFE 3) for this domain.

D. Corporate Forensic Governance Structure

Figure 5 shows a high level hypothetical corporate forensic governance structure. Other assurance functions like HR, Internal Audit, Privacy, the Value Management Office, Legal, etc. are part of the corporate forensic strategy and steering committee. To establish an effective CF governance program, the first step is to establish a governance structure that will oversee the governance of the corporate forensics program. This is one of the requirements of good governance. According to several regulations and best practices [11][22], senior management is ultimately responsible for good governance and for exercising due care in performing tasks involving all specialized disciplines. Corporate forensics, information technology and information security are examples of such specialized disciplines in a corporate environment. Therefore, the overall accountability for good governance is the responsibility of the board of directors.
The Board or the CEO should set up a steering and strategy committee to oversee its corporate forensic responsibilities and report back to them, since they have many commitments. This responsibility could also be taken by the CIO, depending on how large the organization is or on the business environment of the organization. Therefore, this is just a hypothetical structure; organizations can set up their governance structure as suits their business environment. For instance, if an organization is experiencing various insider frauds and other negative publicity due to security breaches, the board of directors will be interested in knowing the most effective strategy to mitigate that risk. This will increase the organization’s interest in implementing a corporate forensic program, which the CEO or board might want to oversee.

Fig. 5. A hypothetical corporate forensic governance structure

Each member of the governance and management teams in the proposed framework has assigned roles and responsibilities similar to those seen in [22]. They are either responsible, accountable, consulted and/or informed on each of the governance, management and evaluation processes of the corporate forensic governance framework. This is achieved using the RACI chart, which records who is Responsible, Accountable, Consulted and/or Informed. Table I briefly explains the RACI chart.

E. Corporate Forensic Governance Framework

The framework consists of 3 domains (CFG, CFM and CFE), 17 high level control objectives (CFG1-CFG4, CFM1-CFM10, CFE1-CFE3) and 119 detailed control practices. The control practices and RACI assignment of roles and responsibilities can be adjusted to suit each organization’s needs and business environment. In other words, some of the control practices might not be applicable in some organizations, depending on how they are structured and what their business environment is like.

TABLE I. THE RACI CHART

R (Responsible): Those responsible for performing the task or ensuring the task is done.
A (Accountable): The person who must approve or sign off before the process is effective, or the person accountable for the success of the process.
C (Consulted): Those who provide input needed to complete the task.
I (Informed): Those who are regularly updated on the outcome of decisions, processes and actions taken.

In addition, some of these controls have already been implemented in some organizations (perhaps for information security); in such a scenario, enhancement is needed to accommodate forensic practices. During implementation of the framework, CFG1 – CFG4 will be implemented first, before CFM1 – CFM10 and then CFE1 – CFE3. The RACI chart was used in assigning roles and responsibilities to the governance and management team according to best practices [10][22]. Refer to Section V for more explanation on the structure of the proposed framework. A brief explanation of the scope and control objectives of the proposed framework is shown in Table II.

The scope of the proposed corporate forensic governance framework is based on the use of increased automated forensic suites like EnCase Enterprise for forensic practices. These increased automated suites are known for increased automation and an ease of use approach towards performing forensic practices. However, a forensic expert is needed in the forensic team for effective and efficient use of these automated suites to achieve applicable organizational goals. The framework was designed for global use and in a high level format, with general requirements for performing forensic practices using automated forensic suites. A brief explanation of the control objectives is shown below.

TABLE II. EXPLANATION OF THE SCOPE AND CONTROL OBJECTIVES FOR THE PROPOSED FRAMEWORK

Control objective | Brief explanation of the controls in the proposed framework
CFG1 Strategic alignment | This control ensures clear goals and objectives of a corporate forensic program are defined and that these defined goals and objectives are strategically aligned to enterprise goals and objectives. In other words, this control ensures that the corporate forensic program is helping the organization achieve some of its goals and objectives.
CFG2 Ensure risk is optimized with CF implementation | This control ensures that business risk …