In his latest column on cybersecurity and cybercrime, Peter Yapp looks at the development of guidelines for forensic digital evidence.
The first few times I attended English courts as an expert witness for forensic computer evidence in the 1990s, the barristers and judges involved were never quite sure how to ascertain how ‘expert’ my credentials were. They would ask a series of questions about length of experience, training courses attended and any qualifications or previous cases, to determine suitability as an expert for that particular case. Although most law enforcement practitioners were following the same fundamental procedures, there was no common published set of standards or principles that we (or they) could refer to. It was obvious to the forensic computing community at the time that one centrally issued document for use by officers attending, investigators, computer evidence recovery personnel and external (i.e. non-law enforcement) consulting witnesses was desperately needed. And so was born the Good Practice Guide for Electronic Evidence. I first worked on the Guide in the 1990s as part of the Joint Agency Forensic Computing Group. On 20th March 1998 we submitted a draft document to ACPO for approval.
The guide and its four principles are an example of one of the first published guides on digital evidence best practice and have supported and influenced others around the world ever since.
There have been a series of versions since 1998 and we are currently on version 5, but this was finalised in October 2011 and issued by ACPO in March 2012. Confusingly, while the ACPO-branded guide lives on, ACPO does not. The organisation, formed in 1948, changed its name to the National Police Chiefs’ Council on 1st April 2015. This makes it even more painfully obvious that the text of the guide is a little dated (10 years old this year, to be precise).
In 2007, a commercial company partnered with the ACPO E-Crime Working Group in the publication of version 4 of the guide. This foray into the commercial world was a mistake as it put a block on other commercial companies promoting and distributing the extremely valuable guide. The gathering of digital evidence is too important to be tainted by commercial one-upmanship.
Version 5 of the guide moved on from the previous version, which centred on computer-based evidence; the latest revision reflects digital-based evidence and attempts to encompass the huge and broad reach of the digital world. As with the very first guide, it was designed not only to assist law enforcement but also the wider group of professionals who assist in investigating cyber security incidents.
Over time we have described this type of evidence as computer (up to 1987), electronic (1998), digital and cyber with the widely accepted term currently being ‘digital’.
In July 2020 the NPCC published a Digital Forensic Science Strategy 2020. To quote from their executive summary: “Digital forensic (DF) science - examining digital evidence to support investigations and prosecutions - was once niche but is now very much mainstream. Over 90% of all crime is recognised as having a digital element, and society’s accelerating use of technology means the critical role DF science plays will only grow. We have developed this strategy to address the huge opportunities and corresponding challenges this presents for policing.”
It seems that the NPCC has been concentrating on the Digital Forensic Science Strategy with a view to a solution to the all-pervasive use of technology rather than the niche area of computer crime and crimes that require much deeper analysis of digital devices. I would argue that this niche area will always be a requirement, but the need to equip every police officer with the knowledge and mechanism to investigate digital devices in a timely manner is long overdue in being addressed. The extensive roll-out of smart vehicles with Internet-enabled functions (and the arrival of autonomous vehicles) has added urgency to the need to create smart vehicle forensics processes, standards and tools that will enable proper digital forensic investigation of vehicles, and that every police officer can have access to.
Having set out the NPCC’s strategy for the police to deal with the mass processing and investigation of digital devices, perhaps it is now time for them to revisit the 2012 Good Practice Guide for Digital Forensics.
Some have argued for fundamental changes to be made to version 5 with an expansion of the 4 principles. I don’t think this is necessary. The 4 principles were designed to stand the test of time and it is a testament to the Joint Agency Forensic Computing Group that those original four guiding principles for digital forensics still hold today.
Those principles (with minor additions by me in square brackets) are:
Principle 1: No action taken by [a specialist,] law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and [where possible] achieve the same [or comparable] result.
Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
There may be an argument for adding a further principle, as advocated by the European Network of Forensic Science Institutes in 2015, that “to prevent the misinterpretation or the placement of inappropriate weight on digital evidence, the report should communicate known errors and uncertainty in results”. However, I would argue that this could be covered in the narrative of the guide and not as an extra principle.
There might also be an argument for validation of software and techniques to be included, but rather than the onus being on the individual examiner or unit, this should be undertaken at a government level with as close to global coverage as possible. Even NIST in the USA struggled to keep up with validating software versions of different digital forensic software.
In the private sector, the response to cybersecurity incidents (e.g., ransomware, a distributed denial of service attack, IP theft, or data breach) includes specific procedures that are followed to contain the incident, to investigate it and/or to resolve it. Many believe that there are only two ways of handling a cybersecurity incident: either recover quickly or gather evidence. In the first approach, to recover quickly, the focus is on containment of the incident to minimize harm, but evidence may be lost. The second approach is to monitor the cybersecurity incident but focus on gathering forensic evidence and information about the incident, delaying recovery. Of course, there may be an opportunity for a middle way.
On a recent case at a company where two servers had been wiped clean during an external attack, we were asked to help with a fast recovery, but the owner still wanted to know how the attacker got into their systems. Due to their available internal resources, they were not able to restore both servers simultaneously. While we helped them restore one server, we forensically imaged the other server for later detailed analysis. Analysis indicated, from recovered deleted data, that an open Remote Desktop Port was used as an access point. As my cyber investigation team often says, if there is digital evidence to be found, we will find it.
The two acquisition phases of digital evidence (Preservation and Collection) are critical because they are open to challenges in relation to breaks in the chain of evidence, the integrity of the evidence, the completeness of the evidence or how the evidence was gathered. These phases underpin all the investigation, analysis and presentation that flow from the acquisition.
The digital forensic practitioner is authorised, trained and qualified with specialised knowledge, skills and abilities for performing digital evidence acquisition, handling and collection tasks. The digital forensic practitioner observes the requirements that their actions should be auditable (through maintenance of appropriate documentation), repeatable where possible (in that using the same tools on the same item under the same conditions would produce the same results), reproducible where possible (in that using different tools on the same item would produce substantially similar results) and justified. They will check results of forensic software against another tool (or where none exists, against a manual process).
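The requirements above (an auditable record, a result a third party can reproduce, and cross-checking one tool's output against another) can be made concrete with a small acquisition routine. The code below is an added illustration written for this column, not part of the ACPO guide or any named product; the tool name, examiner name and sample evidence file are constructed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sha256_whole_read(path):
    """A deliberately different implementation, standing in for a second tool."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def acquire(source, image, examiner, tool="hypothetical-imager/0.1"):
    """Copy source to image, hashing the source as it is read, and return an
    audit-trail record (Principle 3). The image is hashed separately afterwards
    so the two values together show the copy was faithful."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(1 << 20), b""):
            h.update(block)
            dst.write(block)
    return {"examiner": examiner, "tool": tool,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "source": source, "image": image,
            "source_sha256": h.hexdigest(), "image_sha256": sha256_of(image)}

def verify(record, hasher=sha256_of):
    """Independent re-verification: whichever hasher (tool) is supplied must
    reproduce the recorded value for the image to be accepted."""
    return hasher(record["image"]) == record["image_sha256"]

def run_demo():
    """Constructed sample: acquire, verify with two tools, then alter one byte of
    the image and show verification fails (the change Principle 1 forbids)."""
    d = tempfile.mkdtemp()
    src, img = os.path.join(d, "evidence.bin"), os.path.join(d, "evidence.img")
    with open(src, "wb") as f:
        f.write(b"constructed sample evidence\n" * 4096)
    rec = acquire(src, img, "Examiner A")
    intact = verify(rec, sha256_of) and verify(rec, sha256_whole_read)
    with open(img, "r+b") as f:  # simulate an unintended write to the image
        f.write(b"X")
    return rec, intact, verify(rec)

if __name__ == "__main__":
    rec, before, after = run_demo()
    print(rec["image_sha256"], before, after)
```

The record returned by acquire is the audit trail a reviewer would want preserved alongside the image: who acquired it, with what, when, and the hashes that any later examiner must be able to reproduce.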
Some things are a given, such as: the digital forensic practitioner must take into consideration all aspects of personal and equipment safety whilst undertaking their work. All through the process the legal rights of anyone affected by their actions should be considered. The practitioner must be aware of all the organisational policies and procedures relating to their activities. Communication should be maintained as appropriate with the client, legal practitioners, managers and other team members.
As an instructing solicitor or barrister in the UK, you should check that any expert you use to secure, analyse or investigate digital evidence at the very least knows about and adheres to the ACPO guidelines.
Peter Yapp, Cyber Partner at Schillings. Peter started his career in investigation and has been involved in computer forensics for nearly three decades. He was a deputy director at the UK’s National Cyber Security Centre and now provides pre- and post-incident cyber security advice to a range of individuals, companies, boards and operators of essential services.