Technology has evolved significantly over the past five years, and at a much faster pace than expected. With increased technological penetration, we also see more instances of fraud committed using technology. Enabling investigations through technology and gathering technological evidence has become more critical today than at any time in the past decade. While a number of software tools for conducting investigations and gathering technology-oriented evidence have emerged, challenges remain. Some of these challenges are as follows:

Hardware issues: Keeping pace with changing technological needs and hardware enhancements is a key constraint

  • In an investigation, if the suspect replaces his hard disk before it is acquired by forensic experts and transfers the data from the old disk to the new one using write blockers, forensic examiners will not have certain essential evidence from unallocated clusters. Furthermore, the fact that the hard disk was replaced may not be apparent in some cases.
  • Similarly, gathering evidence of communication from a mobile device that was reset before the evidence was acquired, and on which only a selective backup was reinstalled, accentuates the issue.
  • In some laptops, the hard disks contain an embedded mechanism to self-erase data on removal from the machine. With the pace of tool development for gathering evidence from new digital devices being slightly slower than the pace at which devices are developed, a lag is expected in digital forensics in the years to come. Furthermore, in modern solid-state drives (SSDs), recovery of deleted content is a challenge.

Software issues: SaaS and PaaS models have changed the structure of computing

With such a significant change, there are a few challenges, which include:

  • The extent of log enablement in operating systems for computers has evolved and now takes into account the need for gathering background information on application access, usage and other specific user-level information. While such evolution is progressing for mobile devices, it is yet to mature.
  • Furthermore, access to application data faces multiple constraints due to the way operating systems and applications are designed. For instance, changes made to the contents of a file cannot be tracked unless the file is compared with previous/subsequent versions of itself or against its last-modified time stamp. This may be a challenge in cases where document manipulation is suspected.
  • In addition, certain logs and application information gathered by an application or operating system may be helpful in select investigations. However, awareness of how to apply such information effectively is still in its early stages. For instance, the Windows 8 operating system records information on each Wi-Fi network accessed as well as the amount of data transmitted. This information may be helpful in data-theft scenarios (upload or download of information) or certain network-intrusion scenarios. However, the correlation between the information gathered from these sources and the event under investigation is still being tested on a case-by-case basis.
  • With the increasing number of mobile chat applications offering self-erasing/self-deleting messages that disappear on delivery to the intended recipient, the challenges of gathering evidence have become more complex.
  • Encryption in devices to protect data/information also proves to be a challenge while gathering evidence from them. For instance, to gather evidence from WhatsApp – a mobile messaging application – one has to decrypt the device. This could be a challenge in certain investigations. Similarly, with Android 6 expected to have full disk encryption, the challenges for data recovery will increase.
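The file-manipulation point above (content changes are only detectable by comparing against an earlier version or the last-modified time stamp) can be turned into a simple check. The following is an added example, not code from the original article: it records a baseline manifest of content hashes and modification times at acquisition, then compares a later manifest against it, flagging files whose content changed while the time stamp did not, which is the case a time-stamp-only check would miss. The directory layout and sample file are constructed for the demonstration.

```python
import hashlib
import os
from pathlib import Path


def build_manifest(root):
    """Record sha256 and last-modified time (epoch seconds) for every file under root.
    A manifest captured at acquisition time serves as the 'previous version' to compare against."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = str(path.relative_to(root))
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[rel] = (digest, int(path.stat().st_mtime))
    return manifest


def compare_manifests(baseline, current):
    """Classify each file by comparing content hash and mtime against the baseline.
    'content-changed-mtime-unchanged' marks a time-stamp inconsistency worth examining."""
    findings = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings[rel] = "added"
        elif rel not in current:
            findings[rel] = "removed"
        else:
            old_hash, old_mtime = baseline[rel]
            new_hash, new_mtime = current[rel]
            if old_hash == new_hash and old_mtime == new_mtime:
                findings[rel] = "unchanged"
            elif old_hash == new_hash:
                findings[rel] = "mtime-only"  # touched or copied, content identical
            elif new_mtime > old_mtime:
                findings[rel] = "modified"  # ordinary edit, time stamp advanced
            else:
                findings[rel] = "content-changed-mtime-unchanged"
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        doc = Path(d) / "contract.txt"  # constructed sample document
        doc.write_text("original terms")
        base = build_manifest(d)
        doc.write_text("altered terms")
        # constructed: reset mtime to the baseline value to mimic a back-dated time stamp
        os.utime(doc, (base["contract.txt"][1], base["contract.txt"][1]))
        print(compare_manifests(base, build_manifest(d)))
```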

Other issues

  • Cloud-based applications allow users to access data from different devices. For instance, if one of a user’s two devices is compromised and both devices make changes to the application data or service at the same time, it may be difficult to identify the source of the changes. With increased opportunities for credential compromise and identity theft in a cloud-based environment, the challenges in gathering such evidence remain unknown.
  • Similarly, an email that was viewed on a mobile device and subsequently deleted may leave no trace on the computer. Often, one may not specifically examine the mail server logs to identify evidence of such communication.

Legal issues

  • Evolving privacy and data protection regulations across geographies, and maturing regulatory definitions and enforcement in these areas, may add to the complexity of gathering forensic evidence. For instance, information available on the suspect’s company-provided machine may contain certain private, non-sensitive information that is useful in investigations. However, access to this information may be considered a violation in certain countries.
  • Similarly, in the age of “bring your own device” (BYOD), companies allowing personnel to use personal mobile devices to access official communication may contribute to the challenges of gathering evidence. For instance, access to webmail through a mobile device and the download of attachments may be a source of data theft/confidential information theft. However, specific information on the device to which such information was downloaded, and details of which files were downloaded, may be difficult to trace in the current environment.

Having said the above, we have never seen a faster evolution in technology than in the past five years, and future evolution may be fast enough to catch up with some of the issues mentioned above. We look forward eagerly to seeing how technology shapes the future in simplifying the process of gathering evidence.

Sundar Narayanan is a fraud examiner by qualification and profession. He currently leads the Forensic Services division at SKP Business Consulting in India. He frequently writes on anti-bribery matters and corruption and investigation techniques.