Topic

Digital evidence

About: Digital evidence is a research topic. Over its lifetime, 1621 publications have been published within this topic, receiving 18476 citations.


Papers
Journal ArticleDOI
TL;DR: This paper proposes a proof of concept how remnants of digitised human speech from a VoIP call may be identified within a forensic memory capture based on how the human voice is detected via a microphone and encoded to a digital format using the sound card of your personal computer.
Abstract: The Voice over Internet Protocol (VoIP) is increasing in popularity as a cost effective and efficient means of making telephone calls via the Internet. However, VoIP may also be an attractive method of communication to criminals as their true identity may be hidden and voice and video communications are encrypted as they are deployed across the Internet. This produces a new set of challenges for forensic analysts compared with traditional wire-tapping of the Public Switched Telephone Network (PSTN) infrastructure, which is not applicable to VoIP. Therefore, other methods of recovering electronic evidence from VoIP are required. This research investigates the analysis and recovery of digitised human, which persists in computer memory after a VoIP call. This paper proposes a proof of concept how remnants of digitised human speech from a VoIP call may be identified within a forensic memory capture based on how the human voice is detected via a microphone and encoded to a digital format using the sound card of your personal computer. This digital format is unencrypted whilst processed in Random Access Memory (RAM) before it is passed to the VoIP application for encryption and transmission over the Internet. Similarly, an incoming encrypted VoIP call is decrypted by the VoIP application and passes through RAM unencrypted in order to be played via the speaker output. A series of controlled tests were undertaken whereby RAM captures were analysed for remnants of digital speech after a VoIP audio call with known conversation. The identification and analysis of digital speech from RAM attempts to construct an automatic process for the identification and subsequent reconstruction of the audio content of a VoIP call.

5 citations

Proceedings ArticleDOI
27 Sep 2013
TL;DR: This paper discussed breaking down the digital forensic investigation and their progression into an investigation development model so that an examiner can easily grip the problem and challenges during preparing and processing investigations.
Abstract: The arena of computer forensics investigation is a relatively new field of study. Many of the methods used in digital forensics have not been formally outlined. Digital Forensics is looked as part of art and part of science. This paper discussed breaking down the digital forensic investigation and their progression into an investigation development model so that an examiner can easily grip the problem and challenges during preparing and processing investigations. After going through various system and case analyses key issues, resulting in the documentation of role of computer examiner to gather evidence from a suspect computer terminal and determine whether the suspect committed a crime or violated an organization's policies. As an outcome Digital forensic investigation development model (DFIDM) is introduced as a tailored approach for computer examiner or investigators for gathering and preserving the necessary digital evidence from different computer terminals or resources.

5 citations

Journal ArticleDOI
01 Mar 2012
TL;DR: The legal and judicial communities have minimal, if any, background necessary to understand the nature of digital evidence and use it appropriately and no less than the credibility of the justice system is at stake if the authors, as a technical community, sit idly by.
Abstract: The legal and judicial communities have minimal, if any, background necessary to understand the nature of digital evidence and use it appropriately. Given accumulated examples of egregious outcomes resulting from this condition, the authors conclude that no less than the credibility of the justice system is at stake if we, as a technical community, sit idly by. Examples of projects at the University of Washington designed to change this picture seed a discussion the authors wish to encourage among the readership about what can be done to change this situation.

5 citations

Proceedings ArticleDOI
15 May 2020
TL;DR: It is argued that the lack of reliability and reproducibility validation in digital forensics for a criminal trial can be addressed with standard data-representation for digital evidence and the integration of WANDA-based schema as CASE expression is proposed.
Abstract: This paper discusses the lack of reliability and reproducibility validation in digital forensics for a criminal trial. It is argued that this challenge can be addressed with standard data-representation for digital evidence. The representation must include reproducibility documentation on processing operations including automation, human interaction, and investigation steps. Analyzed are two blueprint articles – the CASE specification language for cyber-investigations [1] and the WANDA data standard for the documenting semi-automated hand-writing examination [2]. These two generic frameworks are studied for their granularity to support reproducibility testing by representing: (i) artefact characteristics, forensic-tool parameters and input-output logic; (ii) human and tool data interpretation; and (iii) parallel-running forensic tasks or chains of processes. Proposed is the integration of WANDA-based schema as CASE expression. The utility of such integration is demonstrated as a new module in CASE designed to meet the high standard of proof and scientific validation typically required in criminal investigations and trials. The expression ensures compliance without overburdening digital forensic practitioners.

5 citations

Journal ArticleDOI
TL;DR: The ultimate purpose of this paper is to provide an overview of how the recommendation can be applied to meet the requirements of a secure and trusted environment in digital forensics for keeping the authenticity and the integrity of digital evidence.
Abstract: The authenticity and the integrity of digital evidence are critical issues in digital forensics activities. Both aspects are directly related to the application of The Locard Exchange Principle (LEP), which is a basic principle of the existence of evidence in an event. This principle, not only applies before and at the time the event occurs, but also applies to the investigation process. In the handling of digital evidence, all activities to access the digital evidence are not likely to occur without the mediation of a set of instruments or applications, whereas every application is made possible for the existence of bugs. In addition, the presence of illegal access to the system, malicious software as well as vulnerabilities of a computer system are a number of potential problems that can have an impact on the change in the authenticity and the integrity of digital evidence. If this is the case, secure and trust characteristics that should appear in the activity of digital forensics may be reduced. This paper tries to discuss how the concept of a secure and trusted environment can be applied to maintain the authenticity and integrity of digital evidence. The proposed concept includes the unity of five components, namely standard and forensics policy, security policy, model and trusted management system, trusted computing, secure channel communication, and human factor. The ultimate purpose of this paper is to provide an overview of how the recommendation can be applied to meet the requirements of a secure and trusted environment in digital forensics for keeping the authenticity and the integrity of digital evidence. In general, this paper tends to explain a high-level concept and does not discuss low-level implementation of a secure and trusted environment.

5 citations


Network Information
Related Topics (5)
Information privacy: 25.4K papers, 579.6K citations, 78% related
Cloud computing security: 27.1K papers, 511.8K citations, 77% related
Authentication: 74.7K papers, 867.1K citations, 77% related
Intrusion detection system: 28.4K papers, 509.5K citations, 76% related
Public-key cryptography: 27.2K papers, 547.7K citations, 75% related
Performance
Metrics
No. of papers in the topic in previous years
Year    Papers
2024    1
2023    87
2022    206
2021    87
2020    116
2019    111