Moral, Ethical and Legal Issues

Question 1

What are the stages in the digital forensics process?

Answer 1

Recovery
Interpretation
Presentation

Question 2

In the digital forensics process, what happens in the recovery stage?

Answer 2

Data is extracted and then processed.

Question 3

During the recovery process, data is extracted. What may this involve?

Answer 3

Making a copy of a hard disk.
Downloading data from a mobile.
Recovering data from remote systems.

Question 4

During the recovery process, data is processed. What may this involve?

Answer 4

Decrypting data and recovering files.

Question 5

During the recovery process, data is processed. Why do they do this?

Answer 5

To allow the examiner to work on them.

Question 6

In the digital forensics process, what happens in the interpretation stage?

Answer 6

Data is analysed and interpreted.

Question 7

During the interpretation process, data is analysed. What may this involve?

Answer 7

Synthesising information from different sources. This requires expertise.

Question 8

In the digital forensics process, what happens in the presentation stage?

Answer 8

Findings are communicated.

Question 9

How are findings communicated?

Answer 9

Verbally to the investigation team.
As a written report.
Potential in court.

Question 10

How are findings communicated?

Answer 10

Verbally to the investigation team.
As a written report.
Potential in court.

Question 11

When can data be searched?

Answer 11

If the device has been lawfully seized.

Question 12

What law allows data to be searched if the device is lawfully seized?

Answer 12

Police and Criminal Evidence Act.

Question 13

When may law enforcement intercept the content of communications?

Answer 13

With a warrant.

Question 14

What power allows law enforcement to intercept communications and acquire information about communications?

Answer 14

Regulation of investigatory Powers Act.
Data Retention and investigatory Powers Act.

Question 15

What legislation allows investigators to acquire data with equipment and software.

Answer 15

Police and Crime Act.
Serious Crime Act.

Question 16

Which Act is important to ethical uses of computers?

Answer 16

Computer Misuse Act.

Question 17

What challenges could you face?

Answer 17

Encryption
Cloud Storage
Anti-forensics
Rapidly Changing Technology

Question 18

How does encryption pose a challenge to forensics investigations?

Answer 18

It scrambles data, so it can only be read by an authorised user.

Question 19

How does cloud storage pose a change to forensic investigations?

Answer 19

If deleted, it can be overwritten very quickly. This can make verification of the data difficult.
Data and activity records are less likely to be held locally on devices.
Lots of companies are based outside the UK.

Question 20

How do Law enforcement get data from companies based outside the UK?

Answer 20

They use Mutual Legal Assistance Treaties to get local law enforcement to issue a warrent to the company to abtain the data. This process can be extremely slow.

Question 21

What practice make up anti-forensics techniques?

Answer 21

Changing the dates and times associated with files to stop investigators building a reliable timeline of events.
Permanently erasing files by overwriting them.
Using encrypted digital storage with mulitple passwords leading to different sections of the drive. They can then revial data to a section with no crimial action while not revieling the hidden section.

Question 22

How does Rapidly Changing Technology pose a challenge to Forensic investiagtions?

Answer 22

New software and hardware must be studied to discover how to reliably find information of forensic value. This requires testing which often leaves forensic investigators playing catch up.

Question 23

What ways are there to address the challenges?

Answer 23

User encryption/cloud keys
Key Escrow/Backdoor

Question 24

How should the investigator act during forensic examinations?

Answer 24

They should maintain the greatest objectivity and present accurate findings.

Question 25

What are the ethical concerns in court?

Answer 25

All matters should be testified truthfully in court

Question 26

What shouldn’t an examiner do?

Answer 26

They shouldn’t take any action that would appear to be a conflict of interest.

Question 27

What are the ethical concerns of examinations?

Answer 27

Examinations must be based on well-extablished and validated principles.

Question 28

What is the examiner forbidden to do?

Answer 28

The examiner is forbidden to reveal any confidential information without the clients permission or a court order.

Question 29

What is the investigator not allowed to do?

Answer 29

Misrepresent credentials or associated memberships.

Question 30

What are the Good Practice steps?

Answer 30

▶ Document everything – photograph area
▶ If it is off do not turn on
▶ If on perform RAM forensics
▶ Document all drives removed
▶ Use write blocker to image
▶ Check BIOS clock with atomic clock
▶ During analysis all steps must be documented