
"No matter what anybody tells you, words and ideas can change the world." ~ from Dead Poets Society

Ken Zatyko was previously the Director of the Defense Computer Forensics Laboratory, where he led the largest, accredited, internationally recognized, leading-edge computer forensics laboratory with an annual budget of over $17 million. He supervised over ninety personnel who completed over 900 cases, analyzed over 120 terabytes, and provided expert testimony in over seventy military and federal trials. Previously Ken served as the United States Air Force’s focal point and war planner for counterintelligence support to force protection, criminal, computer crime, and fraud investigations for USCENTAF.

Wouldn’t it be great if we could just look up the term “digital forensics” in the dictionary? Unfortunately, as you and others have found, it is not that easy. Even better, wouldn’t it be great if we could sort out who is really performing digital forensics versus those performing media analysis, software code analysis, and/or network analysis? In the past, most have used other terms such as computer forensics; intrusion forensics; video forensics; audio forensics; and digital and multimedia forensics. It is past time for someone to succinctly coin this term. Let us consider the following:

“The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.”

Given this definition, this scientific process contains the following eight steps:

- Search authority
- Chain of custody
- Imaging/hashing function
- Validated tools
- Analysis
- Repeatability (Quality Assurance)
- Reporting
- Possible expert presentation

Consequently, digital forensics encompasses more than intrusion-related security incidents. Some break the process down into acquiring, analyzing, and reporting. Dedicated academic researchers have attempted to define Digital Forensics Science in the past. For example, the Digital Forensic Research Workshop met in 2001 to define this term, and provided a “compilation from group suggestions.” It was later published by Brian Carrier in his paper Defining Digital Forensic Examination and Analysis Tools. They defined Digital “Forensic” Science in a 54-word sentence as “the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” I and other practitioners believe we can provide a shorter definition in this fast-growing and evolving discipline.

The basis for my definition of this new terminology is the Scientific Working Group for Digital Evidence. They define digital evidence as “information of probative value that is stored or transmitted in binary form.” However, they and others have not provided a definition for this science. Given this situation and the myriad of self-proclaimed digital forensics experts, I am providing a definition for “digital forensics” best termed “digital forensics science” which I have used in a course I taught for Johns Hopkins University.

“Digital Forensics Science: The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence (information of probative value that is stored or transmitted in binary form) after proper search authority, chain of custody, validation with mathematics (hash function), use of validated tools, repeatability, reporting, and possible expert presentation.”
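The imaging/hashing, validation and repeatability steps of the definition, as an added example that is not part of the original article: a constructed acquisition in Python where the digest of the source and of its image are compared and recorded, and a later re-verification must reproduce the recorded hash or fail. The AcquisitionRecord structure, the examiner names, the evidence label and the sample device contents are assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the contents of a seized storage device.
SAMPLE_SOURCE = b"MBR\x55\xaa" + bytes(range(256)) * 4

@dataclass
class AcquisitionRecord:
    """Hypothetical chain-of-custody entry for one acquired image."""
    examiner: str
    evidence_label: str
    algorithm: str
    source_hash: str
    image_hash: str
    verified: bool
    log: list = field(default_factory=list)

def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Validation with mathematics: a hex digest anyone can recompute later."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()

def acquire_and_verify(source: bytes, examiner: str, evidence_label: str,
                       algorithm: str = "sha256") -> AcquisitionRecord:
    """Imaging/hashing step: hash the source, copy it, hash the copy, compare."""
    source_hash = hash_bytes(source, algorithm)
    image = bytes(source)                    # bit-for-bit copy stands in for an imager
    image_hash = hash_bytes(image, algorithm)
    verified = hmac.compare_digest(source_hash, image_hash)
    record = AcquisitionRecord(examiner, evidence_label, algorithm,
                               source_hash, image_hash, verified)
    record.log.append(f"{examiner}: imaged {evidence_label}, {algorithm} match={verified}")
    return record

def reverify(record: AcquisitionRecord, image: bytes, examiner: str) -> bool:
    """Repeatability step: a second examiner recomputes the digest of the image;
    it must equal the hash recorded at acquisition, so any altered byte fails."""
    ok = hmac.compare_digest(hash_bytes(image, record.algorithm), record.image_hash)
    record.log.append(f"{examiner}: re-verified {record.evidence_label}, match={ok}")
    return ok

if __name__ == "__main__":
    rec = acquire_and_verify(SAMPLE_SOURCE, "Examiner A", "ITEM-001")
    tampered = bytearray(SAMPLE_SOURCE)
    tampered[-1] ^= 0x01                     # one flipped bit in a working copy
    print(reverify(rec, SAMPLE_SOURCE, "Examiner B"))    # True
    print(reverify(rec, bytes(tampered), "Examiner B"))  # False
    print("\n".join(rec.log))
```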

Or more simply:

“The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.”

Many have recognized definitional challenges in this field such as noted author Eoghan Casey in his book Digital Evidence and Computer Crime 2nd Edition. He points out that there is imprecise terminology such as Digital Forensic Science, Forensic Computing, Forensic Computer Analysis, and Digital Evidence examination. Even overseas, Australian author McKemmish in his article What is Forensic Computing? defines it as “the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable.”

Breaking this into two terms, “digital” and “forensics,” I have researched their meaning. According to Wikipedia, last viewed September 2006, “digital” is defined as:

“A digital system is one that uses discrete numbers, especially binary numbers, or non-numeric symbols such as letters or icons, for input, processing, transmission, storage, or display, rather than a continuous spectrum of values (an analog system).

The distinction of “digital” versus “analog” can refer to method of input, data storage and transfer, the internal working of an instrument, and the kind of display. The word comes from the same source as the word digit and digitus: the Latin word for finger (counting on the fingers) as these are used for discrete counting.

The word digital is most commonly used in computing and electronics, especially where real-world information is converted to binary numeric form as in digital audio and digital photography. Such data-carrying signals carry either one of two electronic or optical pulses, logic 1 (pulse present) or 0 (pulse absent). The term is often meant by the prefix “e-”, as in e-mail and ebook, even though not all electronics systems are digital.”

“Forensic science” (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to the legal system. This may be in relation to a crime or to a civil action. The use of the term “forensics” in place of “forensic science” could be considered incorrect; the term “forensic” is effectively a synonym for “legal” or “related to courts” (from Latin, it means “before the forum”). However, it is now so closely associated with the scientific field that many dictionaries include the meaning given here.

This new definition presented of “digital forensics science” incorporates the correct use of the term forensics and uses the term and definition of digital evidence approved by the National Institute of Justice sponsored SWG-DE. “Digital Evidence” is defined as “Information of probative value that is stored or transmitted in binary form.” “Forensics” is effectively a synonym for “legal” or “related to courts.”

I have considered other definitions of computer forensics. WhatIsIt.com (last viewed September 2006) defines computer forensics as follows:

“Computer forensics, also called cyberforensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.”

Others have taken a stab at defining this as well, such as in the text Computer and Intrusion Forensics. Mohay et al. provided the following:

“Computer Forensics Definitions: ‘The study of how people use computers to inflict mischief, hurt, and even destruction’ or ‘Which relates to the investigation of situations where there is computer-basis (digital) or electronic evidence of a crime or suspicious behaviors, but the crime or behaviors may be of any type, quite possibly not otherwise involving computers.’”

They go on to state that “intrusions forensics” can be perceived as a specialization of computer forensics or a subset of computer forensics: “the recovery of information from a computer system or computer network suspected of having been compromised or accessed in an unauthorized fashion, information which included host-based data and will typically also include communications traffic and payload data with analysis also of information very possibly from other sources, for example call records, personal digital assistant (PDAs) flash memory contents, and business organizational structure, in order to allow investigators to reason about validity of hypothesis’ attempting to explain the circumstances and cause of activity under investigation, and possibly provide evidence to support litigation either criminal or civil.”

The preeminent private organization concerning this issue is the American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB). Here is some information from their 2005 Manual you may want to consider. They have adopted the SWG-DE definition of digital evidence, but neither organization goes on to specifically define Digital Forensics Science. Instead, ASCLD/LAB uses the terminology “Digital and Multimedia Evidence.”

My proposal is that Digital Forensics Science professionals start to use this new definition. Regarding other related terminology, I would refer you to the NIJ Special Report: Forensics Examination of Digital Evidence and its glossary, along with SWG-DE's glossary found at http://ncfs.org/swgde/index.html. As Robin Williams once stated in a great movie, “No matter what anybody tells you, words and ideas can change the world.” Let’s make it happen by using the correct term, Digital Forensics Science, which involves all eight functions.

References

• Mohay, Anderson, Collie, De Vel, and McKemmish, Computer and Intrusion Forensics, Artech House, 2003 (ISBN: 1580533698)

• Casey, Eoghan, Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet, 2nd Ed., Academic Press, 2004 (ISBN: 0-12-163104-4)

• McKemmish, Rodney, “What is Forensic Computing?” Australian Institute of Criminology, Trends and Issues in Crime and Criminal Justice, June 1999 (last viewed at www.aic.gov.au on September 27, 2006)

• The Digital Forensic Research Workshop <http://www.dfrws.org>

• Wikipedia <http://www.wikipedia.org>

• WhatIsIt <http://www.whatIsIt.com>

• SWG-DE <http://ncfs.org/swgde/index.html>

• National Institute of Justice <http://www.ncjrs.gov/pdffiles1/nij/199408.pdf>

Ken Zatyko is currently an Associate with Booz Allen Hamilton, and adjunct professor with Johns Hopkins University. Booz Allen Hamilton has been at the forefront of management consulting for businesses and governments for more than 90 years. Ken may be reached at zatyko_kenneth@bah.com or 410-694-3654.
