"No matter what anybody tells you, words and ideas can change the world." ~ from Dead Poets Society
Ken Zatyko was previously the Director of the Defense Computer Forensics
Laboratory, where he led the largest accredited, internationally recognized,
leading-edge computer forensics laboratory with an annual budget of over $17 million. He
supervised over ninety personnel who completed over 900 cases, analyzed over
120 terabytes, and provided expert testimony in over seventy military and
federal trials. Previously Ken served as the United States Air Force’s
focal point and war planner for counterintelligence support to force protection,
criminal, computer crime, and fraud investigations for USCENTAF.
Wouldn’t it be great if we could just look up the term “digital
forensics” in the dictionary? Unfortunately, as you and others have found,
it is not that easy. Even better, wouldn’t it be great if we could sort
out who is really performing digital forensics versus those performing media
analysis, software code analysis, and/or network analysis? In the past, most
have used other terms such as computer forensics; intrusion forensics; video
forensics; audio forensics; and digital and multimedia forensics. It is past
time for someone to succinctly coin this term. Let us consider the following:
“The application of computer science and investigative procedures for a legal purpose
involving the analysis of digital evidence after proper search authority, chain
of custody, validation with mathematics, use of validated tools, repeatability,
reporting, and possible expert presentation.”
Given this definition, this scientific process contains the following eight
steps:
- Search authority
- Chain of custody
- Imaging/hashing function
- Validated tools
- Analysis
- Repeatability (Quality Assurance)
- Reporting
- Possible expert presentation
Consequently, digital forensics encompasses more than intrusion related security
incidents. Some break the process down into acquiring, analyzing, and reporting.
Dedicated academic researchers have attempted to define Digital Forensics Science
in the past. For example, the Digital Forensic Research Workshop met in 2001
to define this term, and provided a “compilation from group suggestions.” It
was later published by Brian Carrier in his paper Defining Digital Forensic
Examination and Analysis Tools. They defined Digital “Forensic” Science
in a 54 word sentence as “the use of scientifically derived and proven
methods toward the preservation, collection, validation, identification, analysis,
interpretation, documentation, and presentation of digital evidence derived
from digital sources for the purpose of facilitating or furthering the reconstruction
of events found to be criminal, or helping to anticipate unauthorized actions
shown to be disruptive to planned operations.” I and other practitioners
believe we can provide a shorter definition in this fast growing and evolving
discipline.
The basis for my definition of this new terminology is the Scientific Working
Group on Digital Evidence (SWGDE). They define digital evidence as “information
of probative value that is stored or transmitted in binary form.” However,
they and others have not provided a definition for this science. Given this
situation and the myriad of self-proclaimed digital forensics experts, I am
providing a definition for “digital forensics” best termed “digital
forensics science” which I have used in a course I taught for Johns Hopkins
University.
“Digital Forensics Science: The application of computer science
and investigative procedures for a legal purpose involving the analysis of
digital evidence (information of probative value that is stored or transmitted
in binary form) after proper search authority, chain of custody, validation
with mathematics (hash function), use of validated tools, repeatability, reporting,
and possible expert presentation.”
Or more simply:
“The application of computer science and investigative procedures
for a legal purpose involving the analysis of digital evidence after proper
search authority, chain of custody, validation with mathematics, use of validated
tools, repeatability, reporting, and possible expert presentation.”
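The two steps of the process above that are purely computational are imaging/hashing and validation with mathematics (the hash function named in the long form of the definition), together with the chain of custody that the hashes are meant to protect. The following Python example is added here to show what those steps look like in code; it is not from the article or from any laboratory's tooling. The function names (`acquire`, `verify_image`, `custody_entry`, `custody_chain_intact`), the exhibit identifiers, and the sample media are all constructed for illustration, and the "imaging" is a plain in-memory copy standing in for a write-blocked imager.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

CHUNK_SIZE = 1 << 20  # 1 MiB read size; real images are hashed as they stream off the write-blocker


def iter_chunks(data: bytes, chunk_size: int = CHUNK_SIZE):
    """Yield fixed-size slices so the hash is computed in one pass without holding the image twice."""
    for offset in range(0, len(data), chunk_size):
        yield data[offset:offset + chunk_size]


def hash_stream(chunks, algorithms=("md5", "sha256")):
    """Hash one byte stream with several algorithms at once; returns (byte_count, {algo: hexdigest}).
    Two independent digests are recorded so that a collision in one does not invalidate the record."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source_media: bytes, examiner: str, item_id: str):
    """Imaging/hashing step: copy the source bit-for-bit and record the acquisition hashes."""
    image = bytes(source_media)  # stand-in for the imager's bit-for-bit copy (hypothetical, in-memory)
    size, digests = hash_stream(iter_chunks(source_media))
    record = {
        "item": item_id,
        "examiner": examiner,
        "acquired": datetime.now(timezone.utc).isoformat(),
        "bytes": size,
        "digests": digests,
    }
    return image, record


def verify_image(image: bytes, record: dict) -> bool:
    """Validation with mathematics: re-hash the working copy and compare every recorded digest and the size."""
    size, digests = hash_stream(iter_chunks(image), tuple(record["digests"]))
    return size == record["bytes"] and all(
        digests[name] == expected for name, expected in record["digests"].items()
    )


def custody_entry(previous: Optional[dict], action: str, who: str, item_id: str) -> dict:
    """Append one chain-of-custody event; each entry commits to the previous one by hash."""
    entry = {
        "item": item_id,
        "action": action,
        "by": who,
        "time": datetime.now(timezone.utc).isoformat(),
        "prev": previous["entry_hash"] if previous else None,
    }
    canonical = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = hashlib.sha256(canonical).hexdigest()
    return entry


def custody_chain_intact(chain: list) -> bool:
    """Recompute every entry hash and link; an edited, dropped, or reordered entry breaks the chain."""
    prev_hash = None
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev"] != prev_hash:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["entry_hash"]:
            return False
        prev_hash = entry["entry_hash"]
    return True


# Constructed stand-in for seized media: about 6 MiB of repeated pseudo-random sectors, not a real disk.
SEIZED_MEDIA = hashlib.sha256(b"constructed sample media").digest() * (3 * 1024 * 64)


def demo():
    """Image the constructed media, log custody, then verify a clean copy and a one-bit-altered copy."""
    image, record = acquire(SEIZED_MEDIA, examiner="examiner-1", item_id="EXHIBIT-1")
    chain = [custody_entry(None, "seized", "agent-1", "EXHIBIT-1")]
    chain.append(custody_entry(chain[-1], "imaged", "examiner-1", "EXHIBIT-1"))

    untouched = verify_image(image, record)
    tampered = bytearray(image)
    tampered[len(tampered) // 2] ^= 0x01  # flip a single bit deep in the image
    altered = verify_image(bytes(tampered), record)
    return untouched, altered, custody_chain_intact(chain)


if __name__ == "__main__":
    ok, bad, chain_ok = demo()
    print(f"working copy verifies: {ok}; one-bit change verifies: {bad}; custody chain intact: {chain_ok}")
```

The point a practitioner should take from this is that the acquisition record, not the image, is what a later examiner validates against: a single flipped bit anywhere in the copy changes every digest, and a custody log whose entries commit to one another by hash cannot be edited after the fact without the break being visible.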
Many have recognized definitional challenges in this field such as noted author
Eoghan Casey in his book Digital Evidence and Computer Crime 2nd Edition. He
points out that there is imprecise terminology such as Digital Forensic Science,
Forensic Computing, Forensic Computer Analysis, and Digital Evidence examination.
Even overseas, Australian author McKemmish in his article What is Forensic
Computing? defines it as “the process of identifying, preserving, analyzing,
and presenting digital evidence in a manner that is legally acceptable.”
Breaking this into two terms, “digital” and “forensics,” I
have researched their meaning. According to Wikipedia, last viewed September
2006, “digital” is defined as:
“A digital system is one that
uses discrete numbers, especially binary numbers, or non-numeric symbols such
as letters or icons, for input, processing, transmission, storage, or display,
rather than a continuous spectrum of values (an analog system).
The distinction of “digital” versus “analog” can refer
to method of input, data storage and transfer, the internal working of an instrument,
and the kind of display. The word comes from the same source as the word digit
and digitus: the Latin word for finger (counting on the fingers) as these are
used for discrete counting.
The word digital is most commonly used in computing and electronics, especially
where real-world information is converted to binary numeric form as in digital
audio and digital photography. Such data-carrying signals carry either one
of two electronic or optical pulses, logic 1 (pulse present) or 0 (pulse absent).
The term is often meant by the prefix “e-”, as in e-mail and ebook,
even though not all electronics systems are digital.”
“Forensic
science” (often shortened to forensics) is the application of a broad
spectrum of sciences to answer questions of interest to the legal system. This
may be in relation to a crime or to a civil action. The use of the term “forensics” in
place of “forensic science” could be considered incorrect; the
term “forensic” is effectively a synonym for “legal” or “related
to courts” (from Latin, it means “before the forum”). However,
it is now so closely associated with the scientific field that many dictionaries
include the meaning given here.
This new definition presented of “digital
forensics science” incorporates the correct use of the term forensics
and uses the term and definition of digital evidence approved by the National
Institute of Justice sponsored SWG-DE. “Digital Evidence” is defined
as “Information of probative value that is stored or transmitted in binary
form.” “Forensics” is effectively a synonym for “legal” or “related
to courts.”
I have considered other definitions of computer forensics.
WhatIsIt.com (last viewed September 2006) defines computer forensics as follows:
“Computer forensics, also called cyberforensics, is the application of computer
investigation and analysis techniques to gather evidence suitable for presentation
in a court of law. The goal of computer forensics is to perform a structured
investigation while maintaining a documented chain of evidence to find out
exactly what happened on a computer and who was responsible for it.”
Others have taken a stab at defining this as well, such as in the text Computer and
Intrusion Forensics. Mohay, et al. provided the following:
“Computer Forensics
Definitions: ‘The study of how people use computers to inflict mischief,
hurt, and even destruction’ or ‘Which relates to the investigation
of situations where there is computer-based (digital) or electronic evidence
of a crime or suspicious behaviors, but the crime or behaviors may be of any
type, quite possibly not otherwise involving computers.’”
They go on to state that “intrusion forensics” can be perceived as
a specialization of computer forensics or a subset of computer forensics: “the
recovery of information from a computer system or computer network suspected
of having been compromised or accessed in an unauthorized fashion, information
which included host-based data and will typically also include communications
traffic and payload data with analysis also of information very possibly from
other sources, for example call records, personal digital assistant (PDA)
flash memory contents, and business organizational structure, in order to allow
investigators to reason about validity of hypotheses attempting to explain
the circumstances and cause of activity under investigation, and possibly provide
evidence to support litigation either criminal or civil.”
The preeminent
private organization concerning this issue is the American Society of Crime
Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB). Here is some
information from their 2005 Manual you may want to consider. They have adopted
the SWG-DE definition of digital evidence, but neither organization goes on
to specifically define Digital Forensics Science. Instead, ASCLD/LAB uses the
terminology “Digital and Multimedia Evidence.”
My proposal is that Digital Forensics Science professionals start to use this new definition.
Regarding other related terminology, I would refer you to the NIJ Special Report:
Forensic Examination of Digital Evidence and its glossary, along with SWGDE's
glossary found at http://ncfs.org/swgde/index.html. As Robin Williams once stated
in a great movie, “No matter what anybody tells you, words and ideas can
change the world.” Let’s make it happen by using the correct term,
Digital Forensics Science, which involves all eight functions.
References
• Mohay, Anderson, Collie, De Vel, and McKemmish, Computer and Intrusion Forensics,
Artech House, 2003 (ISBN 1580533698)
• Casey, Eoghan, Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet, 2d Ed., Academic
Press, 2004 (ISBN 0-12-163104-4)
• McKemmish, Rodney, “What is Forensic Computing?” Australian Institute of Criminology, Trends and Issues in
Crime and Criminal Justice, June 1999 (last viewed at www.aic.gov.au on September
27, 2006)
Ken Zatyko is currently an Associate with Booz Allen Hamilton, and adjunct
professor with Johns Hopkins University. Booz Allen Hamilton has been at the
forefront of management consulting for businesses and governments for more
than 90 years. Ken may be reached at zatyko_kenneth@bah.com or 410-694-3654.