Moral, Ethical and Legal Issues Flashcards
What are the stages in the digital forensics process?
Recovery
Interpretation
Presentation
In the digital forensics process, what happens in the recovery stage?
Data is extracted and then processed.
During the recovery process, data is extracted. What may this involve?
Making a copy of a hard disk.
Downloading data from a mobile.
Recovering data from remote systems.
During the recovery process, data is processed. What may this involve?
Decrypting data and recovering files.
During the recovery process, data is processed. Why do they do this?
To allow the examiner to work on them.
In the digital forensics process, what happens in the interpretation stage?
Data is analysed and interpreted.
During the interpretation process, data is analysed. What may this involve?
Synthesising information from different sources. This requires expertise.
In the digital forensics process, what happens in the presentation stage?
Findings are communicated.
How are findings communicated?
Verbally to the investigation team.
As a written report.
Potentially in court.
When can data be searched?
If the device has been lawfully seized.
What law allows data to be searched if the device is lawfully seized?
Police and Criminal Evidence Act.
When may law enforcement intercept the content of communications?
With a warrant.
What power allows law enforcement to intercept communications and acquire information about communications?
Regulation of Investigatory Powers Act.
Data Retention and Investigatory Powers Act.
What legislation allows investigators to acquire data with equipment and software?
Police and Crime Act.
Serious Crime Act.
Which Act is important to ethical uses of computers?
Computer Misuse Act.
What challenges could you face?
Encryption
Cloud Storage
Anti-forensics
Rapidly Changing Technology
How does encryption pose a challenge to forensics investigations?
It scrambles data, so it can only be read by an authorised user.
How does cloud storage pose a challenge to forensic investigations?
If deleted, it can be overwritten very quickly. This can make verification of the data difficult.
Data and activity records are less likely to be held locally on devices.
Lots of companies are based outside the UK.
How does law enforcement get data from companies based outside the UK?
They use Mutual Legal Assistance Treaties to get local law enforcement to issue a warrant to the company to obtain the data. This process can be extremely slow.
What practices make up anti-forensics techniques?
Changing the dates and times associated with files to stop investigators building a reliable timeline of events.
Permanently erasing files by overwriting them.
Using encrypted digital storage with multiple passwords leading to different sections of the drive. They can then reveal the data in a section with no criminal activity while not revealing the hidden section.
How does Rapidly Changing Technology pose a challenge to forensic investigations?
New software and hardware must be studied to discover how to reliably find information of forensic value. This requires testing which often leaves forensic investigators playing catch up.
What ways are there to address the challenges?
User encryption/cloud keys
Key Escrow/Backdoor
How should the investigator act during forensic examinations?
They should maintain the greatest objectivity and present accurate findings.
What are the ethical concerns in court?
All matters should be testified truthfully in court.
What shouldn’t an examiner do?
They shouldn’t take any action that would appear to be a conflict of interest.
What are the ethical concerns of examinations?
Examinations must be based on well-established and validated principles.
What is the examiner forbidden to do?
The examiner is forbidden to reveal any confidential information without the client's permission or a court order.
What is the investigator not allowed to do?
Misrepresent credentials or associated memberships.
What are the Good Practice steps?
▶ Document everything – photograph area
▶ If it is off do not turn on
▶ If on perform RAM forensics
▶ Document all drives removed
▶ Use write blocker to image
▶ Check BIOS clock with atomic clock
▶ During analysis all steps must be documented