A Look Into the Investigation Cycle in Computer Forensics

Computer forensics is a discipline that seeks to identify, analyse and preserve the integrity of digital data so that it is valid as evidence in legal proceedings or in certain kinds of security auditing, evaluation and diagnostics. In practice it obtains data from computers, mobile devices, routers, and storage media such as USB sticks and external disks.

Although there are various methodologies, adapted to the nature of each attack and to the legislative framework of each country, they generally coincide in three stages: the collection and preservation of data, its analysis, and the presentation of results and findings. Data collection techniques include the analysis of network traffic, files and binaries, logs (system logs), configuration files, metadata, etc.

Digital Attacks on Civil Society

When engaging in a process of this kind from and for civil society, computer forensics focuses its efforts on contributing evidence to the construction of cases of Human Rights violations facilitated by digital technology, understanding the strategies of persecution and criminalisation of activists, and offering adequate containment to the people or groups affected by such attacks.

In cases of digital attacks on civil society actors, for example when spyware is found installed on the mobile phones of activists or journalists, forensic investigation allows us to:

  • identify whether or not an attack is actually taking place;
  • estimate the impact, scope and intentions of the attack;
  • recognise the actors involved;
  • guide appropriate protection strategies for the affected person and their context; and
  • restore the information and functioning of their devices.

As part of protection strategies, producing risk reports and risk maps is highly beneficial. This exercise can generate information that provides first-hand knowledge of the phenomenon and serves as background for future research on digital attacks on civil society. For instance, it could uncover systematic attacks against activists and support demands for accountability from the parties involved, such as companies engaged in the development of surveillance software.

Preservation of Evidence

An essential task of computer forensics is to preserve evidence without altering it; this is a central requirement for its probative value. According to forensic science standards, preserving evidence requires maintaining the chain of custody, working only on exact copies of the evidence, and, where evidence must be altered, documenting and justifying every intervention and its effects.

These requirements reflect international standards for computer forensic practice and evidence management, among them RFC 3227, RFC 4810, RFC 4998, RFC 6283, ISO/IEC 27037:2012, ISO/IEC 27040:2015 and ISO/IEC 27042:2015.
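As an added illustration, not part of the original article, the following Python script puts the three preservation requirements above into code: it hashes the original acquisition, makes a working copy and checks that it is bit-for-bit identical, appends every action to a chain-of-custody log, and detects that a later intervention on the working copy altered it. The file names, the actor label and the sample image bytes are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for an acquired device image (not real evidence data).
SAMPLE_EVIDENCE = b"constructed sample image: app log line\n" * 64

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so that large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_custody(log_path, actor, action, item, note=""):
    """Append one chain-of-custody entry: who, when, what, and the item's hash at that moment."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "actor": actor,
             "action": action, "item": item, "sha256": sha256_file(item), "note": note}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def make_working_copy(original, copy_path, log_path, actor):
    """Log the original's hash, copy it bit for bit, log the copy's hash; True iff they match."""
    before = record_custody(log_path, actor, "hash-original", original)
    with open(original, "rb") as src, open(copy_path, "wb") as dst:
        for block in iter(lambda: src.read(1 << 20), b""):
            dst.write(block)
    after = record_custody(log_path, actor, "create-working-copy", copy_path)
    return before["sha256"] == after["sha256"]

def demo():
    """Run the workflow in a temp dir; return (copy_ok, copy_intact, original_intact, n_entries)."""
    d = tempfile.mkdtemp()
    original, copy_path, log_path = (os.path.join(d, n) for n in ("evidence.img", "working.img", "custody.jsonl"))
    with open(original, "wb") as f:
        f.write(SAMPLE_EVIDENCE)
    copy_ok = make_working_copy(original, copy_path, log_path, "analyst-1")
    digest = sha256_file(original)
    with open(copy_path, "ab") as f:  # an intervention on the working copy only
        f.write(b"analysis marker\n")
    copy_intact = sha256_file(copy_path) == digest  # False: the change is detected
    record_custody(log_path, "analyst-1", "modify-working-copy", copy_path, "appended marker")
    with open(log_path, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f]
    return copy_ok, copy_intact, sha256_file(original) == digest, len(entries)
```

Each log line carries the item's digest at the time of the action, so a reviewer can re-hash the original and confirm it was never touched while the working copy's documented modification is visible in the log.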

Challenges of Computer Forensics

A fundamental and widely shared concern among practitioners of this type of investigation is the consent of the parties involved, and even of third parties. It is also a challenge to keep the procedures confidential and to avoid data leakage. No less important, communicating results remains one of the significant challenges: how to convey the findings, and the procedures followed throughout the process, clearly and simply, in a way that complies with current standards and norms.

Finally, for those of us involved in computer forensics from civil society in the service of the defence of human rights, our great challenge lies in the following:

  • generate standards that respond to the specific types of attack we are facing: technology-facilitated gender-based violence, surveillance, etc.;
  • increase the number of people with an IT profile and strengthen their technical expertise;
  • develop common methodologies that allow us to identify attack trends and design joint response and dissemination strategies.

In practice, an investigation with these characteristics does not replace the methods that have historically been used to document Human Rights violations, but rather complements them. It is the task of forensic research from and for civil society to recognise its scope and limitations, as well as to keep in mind that it also builds ethical precedents.
