
Ethical and Legal Aspects of Digital Forensics Algorithms: The Case of Digital Evidence Acquisition

DOI: https://doi.org/10.1145/3560107.3560114. ICEGOV 2022: 15th International Conference on Theory and Practice of Electronic Governance, Guimarães, Portugal, October 2022

The first step that forensic examiners perform is identifying and acquiring data. Both are among the most critical segments in the forensic process since they are sine qua non for completing the examination and analysis phases. The evidence acquisition must be managed in a deliberate, ethical and legal manner. On many occasions, the outcome of the investigation depends mainly on the relevance and precision of the evidence acquired. The goal of this research is to identify both legal and ethical issues that forensic investigators face during evidence acquisition and to design a framework using design science, which recognises and resolves the problems identified. The framework must preserve the forensic soundness of the investigation, overall integrity, effectiveness, and efficiency. The elicitation of the requirements for the framework is based on a literature review and ex-ante expert interviews, while the validation and evaluation of the framework stem from ex-post expert interviews. The designed framework aims to minimise hazardous practices that lead to negative consequences and to effectively align the new technologies in digital forensics with human expertise for improved results during the phase of digital evidence acquisition.

ACM Reference Format: Maria Ioanna Maratsi, Oliver Popov, Charalampos Alexopoulos and Yannis Charalabidis. 2022. Ethical and Legal Aspects of Digital Forensics Algorithms: The Case of Digital Evidence Acquisition. In 15th International Conference on Theory and Practice of Electronic Governance (ICEGOV 2022), October 04-07, 2022, Guimarães, Portugal. ACM, New York, NY, USA, 14 Pages. https://doi.org/10.1145/3560107.3560114

1 INTRODUCTION

The affordances provided by the powerful forensic software and hardware tools combined with data science technologies and automated decision-making have significantly improved the forensic process by reducing the amount of data the examiners need to look into during a criminal investigation. Cybercrime, which is an illegal activity conducted using computers and the Internet [1], was third among the most significant global threats in 2018, with ransomware being on centre stage [2]. The dynamics of cybercrime are relatively high, which requires security to be not only reactive but also proactive. In addition, it implies an urgent need for better digital forensics technologies that are more “intelligent”, efficient, and rigorous to cope with the enormity of cybercrime. In this light, forensics based on machine learning, behavioural forensics, crime prediction, profiling, and surveillance aim to better combat cybercrime and to improve the forensic process as a whole.

The general steps of a forensic examination process according to NIST 800-86 [3] are shown in Figure 1 below.

Figure 1

The acquisition phase of the forensic investigation process is critical since identifying and collecting potential sources of evidence may significantly affect the next steps in the process. Forensic experts are bound to numerous codes of ethics associated with their profession [4, 5] to ensure that the way the forensic phases are conducted is fair, objective, ethical, unbiased and compliant with the current legislation. Forensic soundness is also crucial in order to have evidence which is honest, informed, competent and complete while at the same time admissible in a court of law. However, many of these new technology processes and systems are not always designed with those codes of ethics in mind. Nowadays, more than ever, there is a pressing need to include ethical issues and principles to optimise the results and the benefits of potent and transformative technologies while at the same time mitigating negative implications and consequences. The forensic process ought to be conducted in an impartial, objective, legal and ethical manner in order to minimise human-induced error, but also errors introduced by the digital tools which could negatively affect the outcome of the investigation, and to maximise the effectiveness and efficiency of the new technologies utilised in the forensic field. This task is highly critical when the creation of artefacts is involved, as the adequacy of these artefacts (or rather their absence) can lead to tremendously serious and heavily multiparametric consequences. More specifically, the evidence data and the artefacts derived from the first stages of the forensic process must fulfil several criteria which will ensure that the evidence's integrity, value, legality and chain of custody, among others, are preserved and not tampered with. This problem is of general interest as these ethical and legal issues jeopardise the veracity and credibility of evidence while, in parallel, they affect the smooth conduct of the forensic process and, on many occasions, even the outcome of the investigation itself. In addition, it is imperative to preserve the forensic soundness of the evidence. As per the Daubert Standard, which is a list of criteria used to determine the admissibility of expert witness testimony in federal court [6], “the judge is the gatekeeper” who makes the verdict over the expert's evidence. Consequently, if the evidence is not forensically sound, it can be easily disregarded and deemed useless before a court of law. Within the scope of this research is to adequately consider and analyse all the parameters necessary in order to identify and resolve the ethical and legal issues which arise in digital forensics investigations during the acquisition phase (first step of Figure 1) of the forensic process.

The structure of the presented research continues as follows: Introduction (this section), Background, Methodology, Results, Discussion and Conclusion. The first section is a rounded and short introduction to the importance and relevance of the research area and to the influence of the powerful technologies that move the horizon of problem-solving, inter alia in digital forensics, and yet create challenging ethical problems that need to be addressed. The related work and the body of research are central to the second section of the paper, along with the ideas and paradigms presented. Moreover, one can also see how the novel ideas are grounded along with possible extensions. To proceed, an actual definition of the problem is integral before Section 3, including different aspects of the error sources, such as the tools being used or the procedures exercised, which could make the digital forensic investigation unsound and incomplete. The research methods are presented in Section 4, and they include design science, since we are building an artefact (or a framework in our case) which consists of various modules and their intended functionality, and surveys to elicit the requirements that are built into the framework. In Section 5, the results of the research are presented, with a clear demonstration of each phase of the framework and the interpretation of the qualitative data along with the identification of the associated legal and ethical issues. In Section 6, the positive perceptions and the evaluation of the framework by the experts are analysed and contrasted with their expectations. Finally, the authors discuss the possibility of translating the framework from abstraction to an implemented model which does not supersede human expertise but rather serves as an extension assistant that improves the correctness of the digital investigation processes, their efficiency and effectiveness.

2 BACKGROUND

To the best of the authors’ knowledge, there has not been ample research using a similar approach to resolve ethical and legal issues in the field of digital forensics. There has been, however, research conducted to resolve ethical issues which arise when novel AI techniques are used in various areas of computer science and subsequent applications. While this body of work is potentially relevant to the presented research, since the main focus area is digital forensic science, it is the belief of the authors that the results based on the proposed methodology and the generality of the approach are complementary to the growing volume of knowledge in this fairly young discipline. In the remaining part of this Section, some of the most relevant research is presented for context and intuition.

Ward & Syversen (2008) presented a framework to cover ethical tasks to be found in forensic or correctional work. The authors enumerated some of the challenges found in ethical forensic practice and reasoned about the justice and proportionality of criminal punishment, the different levels of abstraction of ethical codes and their approach but also about what is to be expected when codes of ethics from different grounds are in conflict. The levels of ethical abstraction the authors chose are “ethical theories and concepts, ethical principles, institutional ethical rules or codes and specific ethical judgements of forensic practitioners” and all these strongly include the notion of human dignity. The main ethical principles that the authors included in their framework were beneficence and nonmaleficence, fidelity and responsibility, integrity, justice and respect for people's rights and dignity, each one examined in practice along with the common pitfalls they entail. They also discussed a model developed by Bush et al. (2006) and attempted to unify the various levels of ethical abstraction to help forensic practitioners think in a consistent manner rather than doing so in a fragmented way. Ward & Willis (2010) continued their work by having a slightly different perspective, thus creating a framework for ethical research in the domains of forensic and correctional sciences to help researchers address certain difficult situations instead of only relying on professional codes of ethics.

According to Floridi (1999), “Physical objects may not be affected by their manipulation, but any cognitive manipulation of information is performative. It modifies the nature of information by automatically cloning it.” This is a very sensitive subject not only for digital forensics but also for forensics in general, as the entropy and unpredictability caused by the human factor are a double-edged sword for the outcome of the investigation. It can introduce bias and distortion of information which may render the outcome either misleading or worthless. The situation may be rectified by exercising rational and realistic critical thinking. Models developed to deal with ethical issues in forensic acquisition in no way pretend to eliminate human bias or intervention but rather to minimise hazardous practices and behaviour that may lead to negative consequences. The combination of the two has the potential to generate the best results based on the synergy between new technologies and human expertise. Floridi & Turilli (2009) describe in detail the ethics of information transparency and demonstrate the process of deriving information from data, which apparently bears a direct similarity to the extraction of information by forensic examiners or tools when they acquire data for examination. In Figure 2 below, one can see the information creation process.

Figure 2

These relationships between raw data, ethical principles and information created are pivotal in planning and developing the model central to the research. Philip Brey argues that computer ethics should not just study ethical issues in the use of computer technology but also in the technology itself [12]. This is important since, by bringing AI and data mining into forensics, we are dealing with intelligent agents which, on many occasions, proceed into automatic decision making and exercise a sort of autonomy without human intervention. However, they are guided by human intervention. He claims that certain artefacts (in our case, tools or procedures) can be associated with certain recurring consequences. If this statement is generalised, then it can be claimed that “particular consequences may manifest themselves in all of the central uses of the artefact.” This generalisation does not always hold, and it translates to an excessively deterministic view of the artefact itself. However, it is suggestive of the fact that with the usage of an artefact, one can expect certain consequences to be necessary or unavoidable. What Brey baptised as an “embedded value” can be seen as a built-in consequence to make this outcome more controlled and predictable. For example, spyware tends to break privacy no matter how it is being used. Thus, one can claim that it has privacy invasion as its embedded “disvalue”, which is the antonym of embedded value.

Considering forensic tools as such artefacts, one can make similar analogies by breaking down their operation into smaller fragmented procedures to determine the desired defined values one would like to preserve while at the same time minimising the respective disvalues. Various approaches to integrating values into the design process are presented, something also named “value-sensitive” design. John Arquilla [12] brought up the ethical considerations following cyber surveillance and other intrusive means, stating that “individual liberty and privacy may come under sharp, devaluating pressure as a result of efforts to detect, deter or defend against the various forms of cyberattack”. This is directly related to what earlier was mentioned as “cyber-sleuthing” and other similar means that forensic experts sometimes use in investigations, jeopardising the evidence's credibility and lawfulness. According to Vincent Wiegel (2010), “Different applications will require different complexity in moral awareness and reasoning.” Moor (2009) sketches a continuum of increasingly rich moral agents: Ethical impact agent, Implicit ethical agent, Explicit ethical agent and Full ethical agent, the last being the human level of moral awareness with full initiative and autonomy. However, in our case, the framework needs to be of the first type as it measures the potential impact of its own existence. The framework will not be autonomous or have a self-decision-taking capability, but rather it will provide the forensic expert with a range of possible ethical implications of their actions, tools or procedures and their respective impact. As a result, we create an opportunity for human intervention that can eventually avoid what has been defined as “disvalue” according to the value that needs to be preserved each time.

In a more recent article concerning the human bias and ethics of algorithms, Martijn van Otterlo (2017) makes an analogy with physical libraries and archives as information providers. This is very relevant to our case as the same ethical issues can emerge in computer forensics techniques. Van Otterlo states that people, many times wrongfully so, associate algorithms with infallibility, trustworthiness and, above all, objectiveness. He, in fact, views algorithms as heavily biased, and an example of that is the black box phenomenon. Especially with complex systems, humans cannot see within the functions, data and learning processes of the algorithm upon which its decision is based. He also claims that with rapidly evolving technology, legal developments are too slow to catch up with the shift in moral values. “The more intelligent, autonomous or conscious an algorithm will become, the more moral values will be attributed to it, and the more ethical reasoning and behaviour will be expected of it.” Current literature on possible solutions for this mostly deals with how to make algorithms that behave appropriately. However, most of them inevitably include human involvement. The European General Data Protection Regulation (GDPR) will cover forms of algorithmic decision-making, although its effectiveness will depend on its practical application when we have to deal with difficult cases. Van Otterlo proposed a research strategy called IntERMeDIUM (the acronym stands for intentional, executable, reward-based, moral, declarative, inductive, utilitarian and machine), which is a synthesis of preceding ideas and research. It aims to develop ethical learning agents in the future by including an executable code of ethics which will guide the algorithm's decisions. The aforementioned properties will be taken into consideration by the authors, as they might be deemed useful and directly applicable in our research case. Van Otterlo argues that this is a point of fine balance, as the code of ethics will need to follow and comply with each one of those properties and will also need to be checked regularly to evaluate the model's effectiveness and correctness. Having taken into consideration the previous research presented, one can easily notice that substantial research spanning several decades has been conducted in analysing computer ethics in the world of technology. However, technology advances so rapidly that ethical and legal progress always appears to lag behind. In the following sections of this research, the authors are going to analyse the identified ethical issues derived from the existing literature, from desktop analysis of commonly used forensic tools, but also from the qualitative approach (questionnaire), which will be presented in the methodology section.

3 METHODOLOGY

A large number of research strategies exist, out of which the authors must choose the most appropriate one according to the goals and requirements of their research. Johannesson & Perjons (2014) proposed nine research strategies: experiments, surveys, case studies, grounded theory, ethnography, action research, simulation, mathematical and logical proof, and phenomenology, in order to achieve the goals of each one of the five Design Science activities, as those are shown below. For the purpose of this research, the five activities this model proposes were organised and modified, as Figure 3 demonstrates, in order to complete each part of the process accordingly.

Figure 3

During the first activity, the authors used the questionnaire, relevant scientific research and the information derived from the way in which digital forensics tools work in order to identify and clearly state the problem. A questionnaire including open-ended questions was then delivered to expert participants (digital forensic analysts, the police, lawyers, university professors and information security professionals) to help determine the next steps. In the next phase, the context and information derived from the questionnaire using grounded theory and content analysis were used to specify the requirements, which are the most critical aspect of the artefact created. At this phase, and based on the same information, the authors defined what was mentioned earlier as “values”, which are the ones that need to be preserved, but also the “disvalues”, which need to be minimised during the forensic acquisition stage.

Throughout the Design and Development phase, the authors sketched and designed multiple different potential models and frameworks, using the information derived so far. They then combined those with the support of existing literature and brainstorming and finally assessed all of them in order to select the one which (1) covers most aspects and (2) fulfils the specified requirements of the second activity. The usability and functionality of the produced artefact were then demonstrated and finally given to the expert participants for evaluation in order to test its performance. The last three activities of the method are conducted in an iterative manner to integrate the feedback into the design and development process.

3.1 Data Collection

According to Denscombe (2010), there are four data collection methods: ‘questionnaires, interviews, observations and documents.’ The data collection for this research was conducted mainly by means of a questionnaire to gain access to qualitative data, which assisted in forming the requirements of the artefact but also in its design and evaluation. The questionnaire included both short questions and open-ended questions to allow for more intuitive answers.

The option of interviews was not chosen due to the participants’ limited availability. Observations were also rejected due to the limited time within which this research is conducted, since the short time span would raise issues concerning the accuracy of the observations and how well they reflect reality. For the same reason, documents were also excluded from the data collection methods used in this research. The questionnaire was, thus, deemed to be the most appropriate data collection method in this case, given all of the aforementioned limitations. As mentioned earlier, the questionnaire was completed mainly by digital forensic experts with many years of experience in this field, including police digital forensics experts, academics and researchers, as well as law experts, to offer a different perspective on the same matter.

3.2 Data Analysis

The analysis of the collected data was mainly conducted based on content analysis but also influenced by a flavour of grounded theory. The reason for that was that the answers received from the participants were rather explicit and straightforward. These two similar but slightly differentiated methods are used to extract meaningful context out of given qualitative data. According to Johannesson & Perjons (2014), “in contrast to experiments, the grounded theory does not start with a hypothesis to be tested but instead with data from which a theory can be generated”. Hence, through the questionnaire and based on that, the authors extracted the information necessary in order to proceed with the design process of the artefact. The content analysis assisted in categorising the different aspects of information acquired from the open questions of the questionnaire with the same purpose. It helps develop relevant categories and identify “keywords” associated with them. As per Denscombe (2010), content analysis helps the researcher spot the priorities, values and ideas that are conveyed in the data by measuring the frequency with which those appear, while also assigning a positive/negative sentiment and the contextual proximity of one text part to another.

To define the requirements for the framework design, the authors conducted the aforementioned survey (questionnaire). While interpreting the qualitative data with the help of content analysis, the authors identified some common ground among the experts’ opinions. Some legal issues were identified by the participants, among which are user privacy, data protection and the unregulated use of non-accredited tools (OS tools) in courts of law. Participants also noted the lack of documentation on how the acquisition and analysis of evidence should take place, especially when it comes to live memory acquisition. Similarly, the ethical issues which were identified were again user privacy, retrieval of more data than required for the case (many times involving sensitive data) and the involvement of third parties.

Many of the participants believed it would be helpful to have a standard protocol or procedure to handle and deal with such issues that might arise. Part of the current standard procedures appears to be consulting the law department of the institution or the district attorney. From a law perspective, though, this can be a bit problematic (as stated by a digital forensics expert), as the people who specialise in law should be more involved in knowing how the tools work and acquire evidence in order to think of potential issues and work better with the forensic experts. Some things the participants mentioned that could help their work were: support for Linux RAM acquisition, and ACL-based (Access Control List) case sharing so that certain people have access to certain parts of a case file. A clear indication of the status of the progress of analysis and/or acquisition was deemed to be helpful. Simple licence management procedures and the legal right to store and use databases for forensic data, instead of prohibiting it altogether, were also mentioned.

Some of the desired properties for data evidence mentioned by the experts to help their work were integrity, completeness, accuracy, reproducibility, simplicity, clarity, timeliness, and being fast. Nearly all the experts (83.3%) deemed both integrity and accuracy to be of great importance as properties that digital evidence should have. Legitimacy was rated medium on average, not the first priority. Relevance was also not rated high among the participants, lower than legitimacy. When dealing with large amounts of data, though, this property can become useful (if this opportunity can be given). This is one of the properties that data mining-based systems try to achieve to help forensic experts make sense of huge amounts of data and draw their attention to the data most relevant to their case. Impartiality was rated the lowest. This could possibly be due to the fact that it can be highly subjective and hard to prove, in which case it does not contribute much to the case and can even cause adverse effects if perceived wrongfully.

4.1 Definition of Requirements

Before moving on to the requirements, it is important that some notions, properties and concepts included in the requirements section are defined, so that it is clear what each term refers to:

Integrity: Evidence integrity refers to “the validity of information derived from the examination of physical (in our case digital) evidence, and it depends entirely upon the care with which the evidence has been protected from contamination.” [17]

Accuracy: Forensic evidence accuracy is a term closely related to integrity but different, as it denotes the proximity between the collected evidence and how the events occurred in reality [18]. In other words, it is a measure of how reliable the representation of reality is according to the information given by a piece of data.

Data minimisation (or minimality principle): “A principle that states that data collected and processed should not be held or further used unless this is essential for reasons that were clearly stated in advance, to support data privacy.” [19] This principle is one of the fundamental principles in the European GDPR.

According to the questionnaire content analysis results, the participants identified mainly three ethical issues during the acquisition of digital evidence: (1) the difficulty of preserving user privacy, (2) the difficulty of preserving the minimality principle, as in most investigations they inevitably get access to more data than may be required or to data of third parties which in many cases are not related to the investigation (many times this can be sensitive personal data), and (3) the use of non-accredited forensic tools, which can jeopardise the credibility of the evidence or make it inadmissible in a court of law.

Among the main legal issues identified by the participants, the first one, inter alia, was the lack of permission to store information about the investigation, which could otherwise facilitate its outcome. Some of the forensic experts mentioned that it would be very helpful for them to be able to store data (with the appropriate protection and help of verifiers and supervisors) related to the investigation. The second issue was the need to preserve the minimality principle, which is not only an ethical but also a legal issue. For instance, it is one of the main principles in the European GDPR. Quoting one of the participants: “The Swedish law does not allow researchers to collect and analyse personal data from the Web, and neither is it allowed to collect personal information about possible criminal activity. So, for instance, the usage of crawlers (“a program that visits websites and reads their pages and other information in order to create entries for a search engine index” [20]) or other similar bots cannot be used without permission from the regional ethical review board of the university's region.” Another participant also stated that by Swedish law, they are not allowed to have databases where they store information about each investigation. Two other participants from another European country stated that in their country, the main problem of the same nature is that the communications of the suspect are protected during digital evidence seizure. The properties of digital evidence desired by the experts were integrity, accuracy, timeliness (to be acquired fast) and legitimacy.

All things considered, the authors defined the requirements for the designed artefact in order to satisfy the most important and persistent issues identified by the experts and the literature so far, but also to include and propel the desired properties of digital evidence data. As mentioned earlier, in the Cambridge Handbook of Information & Computer Ethics [12], an “embedded value” is a built-in consequence. For example, a crawler has the tendency to break privacy, no matter how it is being used. Thus, its embedded disvalue is the invasion of privacy. For the requirements, one needs to minimise the embedded disvalue of the forensic acquisition process procedures and consequently preserve the embedded value. The artefact designed is an “ethical impact agent”, as defined by Moor (2009), as it aims to inform the forensic examiner of the possible ethical and legal implications of their actions, tools or procedures so that they can intervene and avoid the disvalues. Following the same principle, the requirements defined are shown in Table 1:

According to Johannesson & Perjons (2014), the artefact will have internal and external properties, among which need to be consistency (keeping conflicts at a minimum level), modularity (the model consists of many parts which interconnect and interact) and conciseness (keeping complexity and redundancy low).

4.2 The Artefact

In this Section, the functionality, construction and environment of the framework are presented. According to Johannesson & Perjons (2014), the construction includes the internal properties of the framework; the framework needs to be coherent, consistent (keeping conflicts at a minimum level), modular (consist of modules which interact and can be easily separated and recombined), concise (keeping complexity and redundancy low), but also elegant which means its design is pleasing and well-structured. On the other hand, the framework includes environmental (external) properties which describe how it interacts with other artefacts or external entities such as users.

These properties, in their turn, are divided into usage, management and generic external properties. They include, among others, usability, customisation, traceability, maintainability, accountability, autonomy and efficiency. The main activities of this piece of research were development and evaluation, whose output was a set of candidate frameworks. The one that best fulfilled the set requirements was then chosen. The abstract framework for this case was inspired by Saleem et al. (2014) and adapted to focus exclusively on the phase of data acquisition. The abstract form of the designed framework can be seen in Figure 4.

Figure 4

The authors have added the sub-processes of Evaluation of the Acquired Data and an initial “Sieving” of the data after acquiring it. There, the forensic examiner (or the system, in the case of the development of a smart agent) evaluates the data collected so far to ensure that it satisfies the requirements set in the previous Section. This process is called Evidence Assessment by the U.S. Department of Justice [22], under the rationale that digital evidence should be thoroughly assessed in order to specify the scope of the investigation and then determine the appropriate course of action. The authors also deemed this to be very important and thus decided to include it as a separate process. Once this is done, the process iterates if more data needs to be acquired, following the same path. This is done mainly under two “umbrellas”: (1) applying a protocol for handling digital evidence during digital forensic acquisition (divided into live forensic acquisition and offline forensic acquisition to capture the special traits of each case) and (2) the preservation of the embedded values which the authors mentioned in the previous Section.

Following the abstract framework, the sub-processes (1), (2), (3), (4) and (5) of Figure 4 are broken down to show what they include, and each is presented separately below.

4.2.1 Protocol for handling digital evidence during acquisition (1). In order to improve the forensic soundness and integrity of the data, the authors decided to include the model PIDESC (Protecting Digital Evidence Integrity by using Smart Cards), developed by Saleem & Popov (2011). They evaluated existing integrity-protection methods and found that most relied on digital hashes alone, which offer weaker protection against tampering. The proposed solution preserves integrity by combining smart cards, hashes and timestamps. The essence of the procedure can be seen below:

If a computer is off: (1a) Protocol for offline forensic acquisition

  • Save the original material as it is.
  • Take photos of physical evidence and a screenshot of evidence content.
  • Document temporal information, date, time etc.
  • Load the bit-by-bit copy onto the forensic computer.
  • Apply PIDESC as shown in Figure 5.
  • Implement an Access Control List (ACL) so that only certain people have access to certain data, according to their role in the investigation for the specific case. This increases accountability and decreases the chance of accidental mistakes by people who are not authorised to access this data (nobody handles the data without absolutely needing to). The forensic system could operate on a reference monitor architecture, where every operation (read, write etc.) by subjects on the data is mediated and monitored to prevent unauthorised modification.
  • Document everything.

Figure 5

If a computer is on: (1b) Protocol for live forensic acquisition

At this point, in the case of a live investigation, the protocol is being modified as follows:

  • Freeze the current state of the computer in order to image RAM. This helps ensure that there have been no modifications during the acquisition (although not bulletproof).
  • As Jones (2007) suggested, replace the hard disk with forensic hardware on the principle of a shadow drive (a drive placed between the motherboard and the hard disk).
  • Take the shadow drive and connect it to the forensic computer.
  • Follow the last three steps of protocol (1a).
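The following is an added example, not code from the paper or from PIDESC, showing how the record-keeping steps of protocols (1a) and (1b) fit together: hash the bit-by-bit copy, document the timestamp, seal hash and timestamp together, and mediate every access through a role-based ACL behind a logging reference monitor. The sealing key and the sample image are constructed; the key stands in for the secret a PIDESC smart card would hold (an HMAC is used here as a stand-in for the card's signature).

```python
"""Added example (not the paper's code): an acquisition ledger for protocols
(1a)/(1b).  Assumptions: HMAC-SHA256 under an examiner-held key stands in for
the PIDESC smart card; the image bytes and all identifiers are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: stands in for the bit-by-bit image of the seized disk.
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\xff" * 512
# Constructed sealing key; in PIDESC this secret would live on the smart card.
CARD_KEY = b"constructed-examiner-card-key"


def _canonical(record: dict) -> bytes:
    """Deterministic serialisation of the unsealed fields of a record."""
    body = {k: v for k, v in record.items() if k != "seal"}
    return json.dumps(body, sort_keys=True).encode()


def acquire(image: bytes, case_id: str, examiner: str, key: bytes, *,
            live: bool = False, when: Optional[datetime] = None) -> dict:
    """Build the sealed acquisition record: hash + temporal information + seal."""
    when = when or datetime.now(timezone.utc)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "mode": "live" if live else "offline",    # protocol (1b) vs (1a)
        "acquired_at": when.isoformat(),            # documented date and time
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    # Seal hash and timestamp together so neither can be altered unnoticed;
    # a bare hash (the weakness noted by Saleem & Popov) could be recomputed.
    record["seal"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify(image: bytes, record: dict, key: bytes) -> tuple:
    """Re-check a sealed record against the image; returns (ok, reason)."""
    expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["seal"]):
        return False, "record seal mismatch (timestamp or hash altered)"
    if hashlib.sha256(image).hexdigest() != record["sha256"]:
        return False, "image hash mismatch (image altered after acquisition)"
    return True, "ok"


# Role -> permitted operations; roles are assigned per case (sub-process (3), Scope).
ACL = {
    "lead_examiner": {"read", "write"},
    "examiner": {"read"},
    "external_reviewer": set(),   # reviewers only ever see pseudonymised data
}


@dataclass
class ReferenceMonitor:
    """Mediates every operation on the evidence store and logs it ("document everything")."""
    acl: dict
    log: list = field(default_factory=list)

    def request(self, subject: str, role: str, op: str, item: str) -> bool:
        allowed = op in self.acl.get(role, set())
        self.log.append({"subject": subject, "role": role, "op": op,
                         "item": item, "allowed": allowed})
        return allowed


def demo() -> dict:
    """Acquire the sample image, then show tamper detection and ACL mediation."""
    rec = acquire(SAMPLE_IMAGE, "CASE-0001", "examiner-A", CARD_KEY)
    ok, _ = verify(SAMPLE_IMAGE, rec, CARD_KEY)
    tampered_ok, why = verify(SAMPLE_IMAGE[:-1] + b"\x00", rec, CARD_KEY)
    mon = ReferenceMonitor(ACL)
    return {
        "sealed_ok": ok,
        "tampered_ok": tampered_ok,
        "reason": why,
        "read_allowed": mon.request("analyst-B", "examiner", "read", rec["sha256"]),
        "write_blocked": not mon.request("analyst-B", "examiner", "write", rec["sha256"]),
        "log_entries": len(mon.log),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```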

4.2.2 Preservation of embedded values (2). The embedded values defined by the requirements of this artefact are:

  • User privacy/ user data protection
  • Data minimisation

To attain improved user privacy, we suggest an external review in which a small team of forensic experts and law experts act as verifiers. The purpose is to increase the objectivity of the procedure and help the forensic examiners avoid pitfalls that could compromise the admissibility of the evidence in a court of law. Data can be pseudonymised so that it can be reviewed by the external reviewers without the user's identity being revealed to them. This preserves unlinkability to the true identity of the person while still allowing the reviewers to see how the procedure takes place. The external review will also comply with existing regulation, for example Article 10 of the GDPR, in order to have the appropriate permission and ensure the lawfulness of the processing. The rationale behind this sub-process came from a few survey participants who emphasised how useful they think closer cooperation and cross-education between law and forensic experts would be.

In order to achieve data minimisation, the authors tied this to sub-process (1), where an Access Control List (ACL) is implemented to prevent access by people who do not need to see the data. It is very important in this process to ensure that the forensic examiners have signed, and comply with, the respective forensic science code of ethics.

4.2.3 Evaluation of the acquired data (3). As mentioned earlier, this sub-process was inspired by the U.S. Department of Justice's “Assessment of data”, as well as Grobler & von Solms (2007), who suggested a best practice approach.

This sub-process includes two (2) dimensions:

  • Laws & Regulations: where the forensic experts assess the nature of the evidence data according to cybercrime law, admissibility in court and other legislation with the help of a district attorney.
  • Scope: where the scope of the case is determined in order to avoid unnecessary hazards and include the particularities of each case. In this light, the assignment of roles to the experts is case-specific in order to implement the access control to the data (as mentioned in the protocol of evidence acquisition (1a) and (1b)).

4.2.4 “Sieving” of the data (4). At this point, the data is sieved in order to remove data which is irrelevant to the specific case. Protecting metadata, such as third-party information, is important: if it is irrelevant to the case, it should not be accessible to everyone. Such data must be anonymised so that it can still be worked with in case it can contribute to the case, but without revealing the identity of the user, as that could undermine the admissibility of the evidence in court.
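The following is an added example, not from the paper, that illustrates both the pseudonymisation for the external review of sub-process (2) and the sieving of sub-process (4): records that involve no case subject are separated into a restricted set, and in the remaining records identities are replaced by keyed pseudonyms that stay consistent within the case but cannot be linked back to a person without the per-case key. The message-log records, the subject identities and the key are all constructed; the choice of HMAC-SHA256 under a key held by the investigation team (never by the reviewers) is an assumption.

```python
"""Added example (not the paper's code): pseudonymisation for external review
(sub-process (2)) and case-scope sieving (sub-process (4)).  Assumptions: a
per-case HMAC-SHA256 key held by the investigation team; constructed records."""
import hashlib
import hmac
from typing import Iterable, List, Tuple

# Constructed per-case key; reviewers never receive it, so pseudonyms stay unlinkable.
CASE_KEY = b"constructed-case-0001-pseudonym-key"

# Constructed: identities within the case scope as determined in sub-process (3).
SUBJECTS = {"subject-a@example.org", "subject-b@example.org"}

# Constructed sample: mail-log metadata as acquired from the image.
RECORDS = [
    {"id": 1, "from": "subject-a@example.org", "to": "neighbour@example.org",
     "ts": "2022-03-01T09:12:00Z", "size": 2048},
    {"id": 2, "from": "neighbour@example.org", "to": "colleague@example.org",
     "ts": "2022-03-01T10:40:00Z", "size": 512},
    {"id": 3, "from": "colleague@example.org", "to": "subject-a@example.org",
     "ts": "2022-03-02T08:05:00Z", "size": 9100},
    {"id": 4, "from": "subject-a@example.org", "to": "subject-b@example.org",
     "ts": "2022-03-02T17:30:00Z", "size": 300},
    {"id": 5, "from": "colleague@example.org", "to": "neighbour@example.org",
     "ts": "2022-03-03T12:00:00Z", "size": 7000},
]


def pseudonym(identity: str, key: bytes, prefix: str) -> str:
    """Keyed, deterministic pseudonym: the same identity always maps to the same
    token within a case (reviewers can follow the procedure), while a different
    case key yields an unrelated token, so cases cannot be cross-linked."""
    normalised = identity.strip().lower().encode()
    tag = hmac.new(key, normalised, hashlib.sha256).hexdigest()[:12]
    return f"{prefix}-{tag}"


def sieve(records: Iterable[dict], subjects: Iterable[str], key: bytes) -> Tuple[List[dict], List[dict]]:
    """Split records into (review_view, restricted).

    Records touching no case subject are third-party only: they go to the
    restricted set and are not exposed to reviewers.  In the relevant records,
    subjects become S-pseudonyms and third parties become T-pseudonyms, so the
    review copy carries no real identity at all."""
    scope = {s.strip().lower() for s in subjects}
    review_view: List[dict] = []
    restricted: List[dict] = []
    for rec in records:
        parties = (rec["from"], rec["to"])
        if not any(p.strip().lower() in scope for p in parties):
            restricted.append(rec)
            continue
        view = dict(rec)
        for fld in ("from", "to"):
            ident = rec[fld]
            prefix = "S" if ident.strip().lower() in scope else "T"
            view[fld] = pseudonym(ident, key, prefix)
        review_view.append(view)
    return review_view, restricted


if __name__ == "__main__":
    view, held_back = sieve(RECORDS, SUBJECTS, CASE_KEY)
    for row in view:
        print(row)
    print("restricted ids:", [r["id"] for r in held_back])
```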

4.2.5 Return (5). If more data is needed, the process returns to the acquisition phase and repeats, following the protocols presented in (1) and the preservation of embedded values in (2). Document everything and, if no further iteration is required, move on to the forensic analysis stage.

4.3 Evaluation of the Artefact

One of the main goals of the evaluation is to determine the extent to which the artefact addresses the problem it was initially designed to solve [15]. In addition, the evaluation helps determine whether the requirements which were set before the design of the artefact were met. The first evaluation strategy for this piece of research is a naturalistic, ex-ante evaluation, as the artefact has not yet been used. Ex-ante evaluation appears to be the most suitable first type of evaluation for the artefact as it is fast and can provide a good first impression of an early version of the artefact. However, it is important to be cautious and ensure that the artefact is re-evaluated at a later point, to avoid situations where an optimistic view suggests a much better artefact than it is in reality. As mentioned earlier, the evaluation strategy of this artefact is also naturalistic as it aims to be used in real conditions by forensic experts. An ex-post evaluation of the artefact is in the process of being completed with the involvement of experts in the areas of forensics, information security, and law enforcement agencies.

5 DISCUSSION

The purpose of this piece of research was to create a framework for the acquisition phase of the forensic procedure to resolve issues of ethical and legal nature that might jeopardise important properties of the digital evidence. The framework was positively perceived by all the forensics, information security, law, and criminology experts during the evaluation phase (ex-ante and ex-post), and they all valued its potential contribution to improving the forensic acquisition in terms of preserving the critical digital evidence properties and embedded values of each investigation. The designed framework aimed to be added as the first step towards an innovative proposed solution to this research problem on the ground that similar research on this specific topic is still in its infancy. As mentioned earlier, while there has been extensive research regarding the ethicality and legality of algorithms and computers, there has not been a clear line of progress to embed this knowledge into digital and cyber forensics to resolve acquisition-specific issues.

While, according to the forensic and information security experts, the designed framework seems promising for delivering positive results and improvements, there are still many aspects that need to be taken into consideration before jumping to overly optimistic conclusions. Ethics is an area that needs special caution and treading lightly, as any different definition or viewpoint can have a “walking on ice” effect. Any framework or research aiming to involve ethics, even more so when the outcome could have tremendous consequences, ought to be thoroughly verified and tested, but also make room for the flexibility and adaptability needed to accommodate the multi-sided specificities of human nature. As one of the experts added: “a framework that is too rigorously applied could be just as damaging as the lack of one”. For this reason, the designed framework by no means aims to eliminate human intervention altogether, but rather to minimise hazardous practices and behaviours that lead to negative consequences and to align the new knowledge and technologies effectively with human expertise. Another aspect, and at the same time a limitation of this research, is that, due to the short timeframe within which the research was conducted, there has not yet been sufficient evaluation and improvement of the designed artefact. Continuous feedback and evaluation of the framework are pivotal to ensure that all possible failures and problematic areas are taken into consideration and, at the same time, to embed more knowledge into it in order to make it more adaptable, flexible and robust against misuse. However good the a priori analysis of the framework may be, such emergent issues can show up at any time, and therefore it is very important to spot them early on and address them through this iterative procedure.

The purpose of this research was to contribute to the body of knowledge of the ethical and legal aspects of forensic algorithms and procedures, focusing on the acquisition phase. As discussed earlier, the research work was subject to limitations of different kinds, mainly of temporal nature. The subject of research presented is a subject of great complexity with various interactive parameters involved, so the time dedicated to it was rather short considering the vastness of the topic. However, according to the evaluators of the designed framework, it has set the beginning and, taking the right considerations in mind, has the potential to develop into a possible solution for the problem examined.

6 FUTURE PERSPECTIVE

Future research on this topic could address the implementation of a model which makes use of existing technologies, for instance supervised learning algorithms, and could improve the work of forensic experts in terms of effective selection of information and time consumption. The model would not pretend to supersede human expertise with machine decisions but would work in a complementary manner for more efficient and rigorous investigations. This aspect was also pointed out by two of the ex-post evaluation experts, who underlined its significance and relevance.

In the same light, more research could be conducted on process (2) “Preservation of Embedded Values”, where the implementation of access control would prevent unauthorised access to data that no forensic examiner needs to access. The framework needs further and more thorough evaluation, particularly in the areas which might be potential sources of conflict among the domain experts. In addition, practitioners and future researchers could consider analysing and comparing different implementations of access control to identify and assess the most applicable, and eventually the best, solution, which can be either case-specific or general with a high degree of adaptability.

ACKNOWLEDGMENTS

Special thanks to my academic supervisors at Stockholm University and the University of the Aegean, as well as the Information Systems Laboratory for their valuable support, guidance, and resources.

REFERENCES

[1] What is cybercrime? Definition from SearchSecurity. Retrieved September 10, 2019, from https://www.techtarget.com/searchsecurity/definition/cybercrime
[2] World Economic Forum. 2019. The Global Risks Report 2018. Retrieved from https://www.weforum.org/reports/the-global-risks-report-2018 [Accessed 10 Feb. 2019].
[3] The National Institute of Standards & Technology. 2016. Guide to Integrating Forensic Techniques into Incident Response. Computer Security Division, Information Technology Laboratory, NIST, Gaithersburg, MD 20899-8930.
[4] The California Association of Criminalists. 2009. A Model for a National Code of Ethics in the Forensic Sciences, Recommendation 7, NAS Report.
[5] The Northwest Association of Forensic Scientists (NWAFS). 2007. The Code of Ethics of the Northwest Association of Forensic Scientists. Salt Lake City, UT.
[6] Expert, T. 2019. The Daubert Standard: A Guide to Motions, Hearings, and Rulings. The Expert Institute. Retrieved from https://www.theexpertinstitute.com/the-daubert-standard-a-guide-to-motions-hearings-and-rulings/ [Accessed 12 Feb. 2019].
[7] Ward, T., Syversen, K. 2008. Human Dignity & Vulnerable Agency: An Ethical Framework for Forensic Practice. 1359-1789, © 2008 Elsevier Ltd.
[8] Bush, S. S., Connell, M. A., Denney, R. L. 2006. Ethical Practice in Forensic Psychology: A Systematic Model for Decision Making (pp. ix-196). Washington, DC: American Psychological Association.
[9] Ward, T., Willis, G. 2010. Ethical issues in forensic and correctional research. Aggression and Violent Behavior, Volume 15, Issue 6, Pages 399-409, ISSN 1359-1789. https://doi.org/10.1016/j.avb.2010.07.002
[10] Floridi, L. 1999. Information Ethics: On the Philosophical Foundation of Computer Ethics. © 1999 Kluwer Academic Publishers.
[11] Turilli, M., Floridi, L. 2009. The Ethics of Information Transparency. Springer Science+Business Media B.V. 2009.
[12] Floridi, L. 2010. The Cambridge Handbook of Information and Computer Ethics. © Cambridge University Press 2010.
[13] Moor, J. 2009. "Four kinds of ethical robots." Philosophy Now 72: 12-14.
[14] Otterlo, M. 2018. Gatekeeping Algorithms with Human Ethical Bias: The ethics of algorithms in archives, libraries and society.
[15] Johannesson, P., Perjons, E. 2014. An Introduction to Design Science. DOI 10.1007/978-3-319-10632-8_13
[16] Denscombe, M. 2010. The Good Research Guide. Maidenhead, England: McGraw-Hill/Open University Press.
[17] Wilenet.org. 2017. “Evidence Integrity”. Retrieved from https://wilenet.org/html/crime-lab/physevbook/chapter1-evidence-integrity-2017.pdf [Accessed 30 April 2019].
[18] McKemmish, R. 2008. In: Ray, I., Shenoi, S. (eds.), Advances in Digital Forensics IV, IFIP International Federation for Information Processing, Volume 285. Boston: Springer, pp. 3–15.
[19] Experian.co.uk. 2019. “What is data minimization”. Retrieved from https://www.experian.co.uk/business/glossary/data-minimisation/ [Accessed 30 April 2019].
[20] Techtarget.com. 2005. “Crawlers”. Retrieved from https://searchmicroservices.techtarget.com/definition/crawler [Accessed 30 April 2019].
[21] Saleem, S., Popov, O., Bagilli, I. 2014. Extended Abstract Digital Forensics Model with Preservation and Protection as Umbrella Principles. Procedia Computer Science, vol. 35, pp. 812-821.
[22] U.S. Department of Justice, Office of Justice Programs. 1994. Forensic Examination of Digital Evidence: A Guide for Law Enforcement. Retrieved from http://www.ojp.usdoj.gov/nij [Accessed 2 May 2019].
[23] Saleem, S., Popov, O. 2011. Protecting Digital Evidence Integrity by Using Smart Cards. Digital Forensics and Cyber Crime; Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol. 53, pp. 110-119.
[24] Jones, R. 2007. Safer Live Forensic Acquisition. Computer Science Laboratory, University of Kent at Canterbury.
[25] Grobler, M., von Solms, S. 2007. Modelling Live Forensic Acquisition. Proceedings of the Fourth International Workshop on Digital Forensics & Incident Analysis (WDFIA 2009).
[26] Aditya, K. et al. 2018. Enabling Trust in Deep Learning Models: A Digital Forensics Case Study. School of Computer Science, University College.
[27] March, S., Smith, G. 1995. Design and Natural Science Research on Information Technology. Information and Decision Sciences Department, Carlson School of Management, University of Minnesota.
[28] Barger, R. 2008. Computer Ethics: A Case-Based Approach. Cambridge University Press.
[29] Bostrom, N., Yudkowsky, E. 2009. “The Ethics of Artificial Intelligence.” In: Frankish, K., Ramsey, W. (eds.), Cambridge Handbook of Artificial Intelligence. New York: Cambridge University Press.


ICEGOV 2022, October 04–07, 2022, Guimarães, Portugal

© 2022 Copyright held by the owner/author(s). ACM ISBN 978-1-4503-9635-6/22/10. DOI: https://doi.org/10.1145/3560107.3560114

A Comprehensive Digital Forensic Investigation Model and Guidelines for Establishing Admissible Digital Evidence

Authors: Ademu, Inikpi Onechojo
Type: MPhil Thesis

Abstract

Information technology systems are attacked by offenders using digital devices and networks to facilitate their crimes and hide their identities, creating new challenges for digital investigators. Malicious programs that exploit vulnerabilities also serve as threats to digital investigators. Since digital devices such as computers and networks are used by organisations and digital investigators, malicious programs and risky practices that may contaminate the integrity of digital evidence can lead to loss of evidence. For various reasons, digital investigators face a major challenge in preserving the integrity of digital evidence. Not only is there no definitive comprehensive model of digital forensic investigation for ensuring the reliability of digital evidence, but there has to date been no intensive research into methods of doing so.
To address the issue of preserving the integrity of digital evidence, this research improves upon other digital forensic investigation models by creating a Comprehensive Digital Forensic Investigation Model (CDFIM), a model that results in an improvement in the investigation process, as well as in the security mechanisms and guidelines applied during investigation. The improvement is also effected by implementing Proxy Mobile Internet Protocol version 6 (PMIPv6) with improved buffering based on the Open Air Interface PMIPv6 (OAI PMIPv6) implementation to provide reliable services during handover in the Mobile Node (MN) and improve performance measures to minimise loss of data, which this research identified as a factor affecting the integrity of digital evidence. The advantage of this is to show that the integrity of digital evidence can be preserved if loss of data is prevented.
This research supports the integration of security mechanisms and intelligent software in digital forensic investigation, which assist in preserving the integrity of digital evidence, by conducting two different attack experiments to test CDFIM. It found that when CDFIM used security mechanisms and guidelines within the investigation process, it was able to identify the attack and also ensured that the integrity of the digital evidence was preserved. It was also found that the security mechanisms and guidelines incorporated in the digital investigative process are useless when the security guidelines are ignored by digital investigators, thus posing a threat to the integrity of digital evidence.

Year: 2013
Publication date: Jan 2013
Publication process date: 09 May 2016
Publisher's version: INIKPI_ADEMU_FINAL_THESIS V2.pdf
URL: https://repository.uel.ac.uk/item/85xwz


Forensically enhanced digital preservation

Author: Timothy Hart

  • Thesis download: HartThesis2022.pdf [3.2 MB]

Hart, Timothy, 2022 Forensically enhanced digital preservation , Flinders University, College of Science and Engineering

Terms of Use: This electronic version is (or will be) made publicly available by Flinders University in accordance with its open access policy for student theses. Copyright in this thesis remains with the author. You may use this material for uses permitted under the Copyright Act 1968. If you are the owner of any included third party copyright material and/or you believe that any material has been made available without permission of the copyright owner please contact [email protected] with the details.

Digital preservation and digital forensics are two fields with differing goals that travel similar pathways which often converge. Each field does not necessarily acknowledge the other, but they are closely aligned and share similarities. Digital preservation has much to benefit from digital forensics; however, this is not to say digital forensics could not gain with respect to documentation and perspective with collaboration in mind.

One of the key differences is long-term preservation, where the material is stored and maintained long after it has been processed versus forensic evidence gathered and used to prosecute, with no further regard once done so. The efforts that go into ensuring the preservation of digital objects are where the similarities between the two fields end. This results in digital forensic software being tailored to the specifics of the field, such as modern devices, specific data, and criminal prosecution. Perspective and purpose are important factors as they determine how the software is perceived and documented. This affects the adaptability of digital forensic software for memory institutions (galleries, libraries, archives, museums) as at face value, it does not cater to their needs, despite being beneficial.

In this thesis, the benefits of using digital forensic software for born-digital preservation are explored, as well as the risk to collections should data remain unprocessed via the suggested methods.

Hidden data may already exist within storage collections, yet to be discovered and impossible to discover without the use of digital forensic software. These data, rightly named “sensitive data”, have many implications. Sensitive data, whilst key to criminal investigations, is also paramount to digital preservation as it can reveal significant amounts of new information.

Australian law is explored regarding the risk of sensitive data discovery and the actions that follow. The threats of sensitive data are discussed with consideration to the potential legal implications that arise from discovering sensitive data. This includes examples of current and future threats that may reside in stored data that have not been processed assiduously using digital forensic software.

Policies and procedures regarding Aboriginal and Torres Strait Islander people and their information are explored and compared against standard policies. The strict and careful policies developed for our Indigenous people can positively influence the standard privacy policies within institutions implementing or advancing sensitive data discovery.

The scope of this study has been narrowed down to Australian institutions, targeting State and National libraries whilst also considering archives, galleries, and museums, as these are the influential institutions. Australian institutions have been investigated by the information publicly available and by communications, distributing a questionnaire to willing participants.

Collection institutions from the United States of America were investigated to form a comparison and to establish potential tools and methods that could be adopted within Australian institutions. The data gathered from the U.S. institutions were derived from publicly available information and other studies conducted. The main sources of data were workflows, as these allowed a visual representation of the processes and the tools used within collection institutions, revealing if and where digital forensics was being utilised.

It was evident the major collection institutions of Australia were performing digital preservation at various maturity levels. Intake requirements and dedicated preservation procedures were varied, as was the influence of digital forensic tools and methods.

Some of the participants of the study identified the need for improvement regarding their workflows, whereas others had low demand and therefore did not see the need to make any changes. It was determined that some digital forensics was being utilised, but not to its full potential, and in most cases, was missing completely. With the analysis of collection institutions and the benefits of digital forensics, the objective is to increase awareness and provide workflow improvements to enable sensitive data discovery and the handling of any surrounding issues that may arise.

The identification of maturity levels for digital preservation in Australian institutions has been established by the feedback provided via questionnaire and data gathered from public sources. This information, compared with other institutions and maturity level modelling allowed the establishment of an average baseline in terms of maturity levels of digital preservation requirements and performance.

Digital forensic tools and methods have been analysed to determine the data gathering capabilities of digital forensic software and the relevance to digital preservation. The benefits of digital forensics within digital preservation workflows and the impact of sensitive data within collection institutions form the contributions of this study.

Experiments have been conducted in real world scenarios using donated material (hard drives), resulting in a plethora of data gathered with an extensive range in severity. The potential for sensitive data discovery was revealed as well as the ability to derive information about the users of the physical media.

Issues regarding digital preservation workflows have been identified. Many workflows are missing core processes that are required to handle sensitive data. This may be the result of either a lack of transparency, where sensitive data discovery is being performed to some extent but is undocumented, or the process is missing entirely.

Through the process of reviewing and analysing workflows, good practices were also identified, resulting in the discovery of exemplary workflow designs to help in determining how digital preservation workflows can be improved.

Amendments and enhancements to workflows to address sensitive data discovery are presented, enhancing digital preservation workflows with digital forensic tools and methods. This is not only to improve existing institutions, but also to better enable peer-to-peer learning and collaboration.

With the implementation of digital forensics within mature and influential collection institutions, other institutions that may be in their infancy or slowly developing their procedures will have guidance. This can be achieved with transparent workflows that accurately visualise the forensic processes, addressing all outcomes and decision-making, and documenting the tools used and any implementation requirements.

Subject: Computer Science thesis

Thesis type: Doctor of Philosophy
Completed: 2022
School: College of Science and Engineering
Supervisor: Denise de Vries

Award: Doctor of Philosophy

Flinders University Theses Collections


Brunel University Research Archive(BURA) preserves and enables easy and open access to all types of digital content. It showcases Brunel's research outputs. Research contained within BURA is open access, although some publications may be subject to publisher imposed embargoes. All awarded PhD theses are also archived on BURA.

Title: Validating digital forensic evidence
Keywords: Security;Hacking;Computer vulnerability;Virus attack;Trojan horse attack
Issue Date: 2011
Publisher: Brunel University School of Engineering and Design PhD Theses
Abstract: This dissertation focuses on the forensic validation of computer evidence. It is a burgeoning field, by necessity, and there have been significant advances in the detection and gathering of evidence related to electronic crimes. What makes the computer forensics field similar to other forensic fields is that considerable emphasis is placed on the validity of the digital evidence. It is not just the methods used to collect the evidence that are a concern. What is also a problem is that perpetrators of digital crimes may be engaged in what is called anti-forensics: digital forensic evidence techniques are deliberately thwarted and corrupted by those under investigation. In traditional forensics the link between evidence and a perpetrator's actions is often straightforward: a fingerprint on an object indicates that someone has touched the object. Anti-forensic activity would be the equivalent of having the ability to change the nature of the fingerprint before, or during, the investigation, thus making the forensic evidence collected invalid or less reliable. This thesis reviews the existing security models and digital forensics, paying particular attention to anti-forensic activity that affects the validity of data collected in the form of digital evidence. This thesis builds on the current models in this field and suggests a tentative first-step model to manage and detect the possibility of anti-forensic activity. The model is concerned with stopping anti-forensic activity, and thus is not a forensic model in the normal sense; it is what will be called a “meta-forensic” model. A meta-forensic approach is an approach intended to stop attempts to invalidate digital forensic evidence. This thesis proposes a formal procedure and guides forensic examiners to look at evidence in a meta-forensic way.
Description: This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.

Chris Sanders

Information Security Analyst, Author, and Instructor

A Cognitive Skills Assessment of Digital Forensic Analysts – My Doctoral Dissertation

  • Posted on December 9, 2021

In September of this year, I successfully defended my doctoral dissertation, earning the title of Doctor of Education from Baylor University. In this post, I’m sharing the entirety of that dissertation freely to benefit the information security community. I’ll also provide recommendations on relevant sections of the work based on your role. Finally, I’ll talk a bit about the past, present, and future of my research.

I believe this dissertation represents a significant step forward in understanding the cognitive skills that high-performing analysts rely on when conducting security investigations. The findings here help establish analytic doctrine and should yield significant improvements in how analysts are trained when considered thoughtfully by educators. Similarly, analysts who better understand their own cognitive skills stand to increase their metacognitive awareness. This knowledge has the potential to improve analyst performance as well as their ability to communicate with peers and mentor less experienced practitioners. This paper also further establishes the field of human-centric investigation theory research.

Let’s get straight to the point. You can download my complete dissertation paper for free at the link below.

DOWNLOAD: The Analyst Mindset: A Cognitive Task Assessment of Digital Forensic Analysts

Despite significant investment in cyber security, the industry is unable to stem the tide of damaging attacks against computer networks. This unfortunate situation is, in part, because cyber security exists in a state of cognitive crisis defined by tacit knowledge and poorly understood processes. At the heart of the crisis are digital forensic analysts that identify and investigate intrusions. Unfortunately, even skilled analysts in these roles are often unable to explain how they go about the process of finding intruders and assessing their foothold on a network. Without this knowledge, professional and academic educators are unable to build a standardized industry-accepted curriculum for the identification and training of new analysts. While there have been some attempts to inventory the skills, processes, and knowledge required to serve in the digital forensic analyst role, no current efforts provide a thorough, research-backed accounting of the profession with consideration for cognitive skill elements.

This problem of practice study details a cognitive skills assessment of the digital forensic analyst profession by leveraging two Cognitive Task Analysis (CTA) research methods. The Simplified Precursor, Action, Result, Interpretation (PARI) method provided a framework for eliciting procedural skills, and the Critical Decision Method (CDM) supported the discovery of decision-making skills. Using these techniques, interviews conducted with expert analyst practitioners revealed four unique procedural skill categories, characteristics of two significant facets of analyst decision making, and numerous subcategory elements that describe additional dimensions of expert analyst performance. The results converged on a model of diagnostic inquiry that represents the relationships between how analysts formed investigative questions, interpreted evidence, assessed the disposition of events, and chose their next investigative actions. These findings establish explicit knowledge that provides a foundational understanding of how skilled analysts perform investigations. They also lay new groundwork for cyber security’s emergence from its cognitive crisis, with implications for educators and practitioners alike.

Reading Guide

If you’re reading this as an information security practitioner, I recommend reading Chapter 1 (Introduction) for an overview, Chapter 2 (Literature Review) for background information, and then focusing on Chapter 4 (Findings) and the appendices referenced in it. Keep in mind that it is a research document, not a teaching document. It describes the process and results of my research on analyst cognitive processes and is narrowly scoped to the findings that I uncovered. These findings have significant value to analysts and those who support them but are not necessarily meant to be handed to an entry-level analyst on their own. If you want to learn to be an analyst, I recommend my Investigation Theory class, where much of my research (including this dissertation) manifests with learning in mind. It is here that these concepts are scaffolded by other relevant knowledge, paired with examples and demonstrations, and tied to specific learning objectives so that analysts can wield them properly.

If you’re reading this as an educator, then I recommend reading Chapter 1 (Introduction), Chapter 4 (Findings), and Chapter 5 (Distribution of Findings). My primary goal with this research was to identify analyst cognitive skills so that we may better teach those skills to others. I expect that this work will find a home in many community college and university courses that have investigative components. If you do end up building curriculum components around these concepts, I’d love to hear about your approach.

If you’re reading this as an academic researcher, then I recommend reading the entire document so that you may understand my methods as well as the results I uncovered. I put extra effort into describing my cognitive task analysis strategy. My experience as a 15+ year practitioner before moving into the academic research space is atypical but allowed me to conduct this research through a unique lens that would not be possible by researchers lacking professional experience. I tried my best to elaborate on my research methods to highlight how I deployed my expertise to design the study and conduct data collection and analysis. I hope this work will help bring the academic and practitioner communities closer together.

My Research and How I Got Here

I struggled tremendously when I first began my analyst career. I could not understand how investigators took inputs and used them to pivot between various data sources and find evidence of compromise. I distinctly remember sitting in a state of paralysis, staring at a blank search bar, not knowing what to do next. I didn’t have access to many highly skilled people, and those who were could not effectively explain how they connected the dots. I was told to watch how they did their work, play around in the data, and I would eventually figure it out. I eventually did figure it out, but that path was much longer and more frustrating than it should have been. Worse yet, I was continually told that good analysts were born with a particular set of traits, and without them, someone’s chance of doing the job well was limited.

Over time, I recognized that information security is in a state of cognitive crisis. So much of the knowledge we rely on is tacit and unavailable to those seeking to practice this craft. That negatively affects everyone attempting to enter the field, but it affects those who are already marginalized even more. As my interests turned from computers to the humans using them, I felt a desire to make these tacit processes explicit, which led me on a long and challenging journey that included researching and writing the dissertation you see attached to this post. Along this path, I learned that digital forensic investigations are not art, although there is room for creativity to guide an analyst’s path. I also learned that digital forensic investigations are not science, but we can use scientific processes to study how humans can better bridge the gap between perception and reality. Digital forensic analysis is engineering. With the right people in the room asking the right questions, nothing a computer does cannot be explained. That means that the only thing standing between me and knowing what happened is my own ability to understand evidence and behavior. These realizations empowered me, dramatically changed my career trajectory, and are why you’re reading this.

Why an Education Doctorate?

I once read that everything exciting happens on the fringes of where two things meet; the middle is boring because everything is the same. While I’m not sure I agree with that idea completely, I know that most of my professional curiosity is stimulated at the borders shared by cyber security, cognitive psychology, and education. Every investigation involves a human sitting at a console looking at data. Ultimately, those humans have the most to say about whether a compromise is fully discovered and contained.

Paul L. Kirk was a biochemist, criminologist, and early pioneer of forensic science. He was also a successor of Edmund Locard, who is considered by many to be the father of modern forensic science. In 1953, Kirk invoked Locard’s Exchange Principle when he wrote a now-famous quote describing the relationship between an investigator, a criminal, and the evidence they leave behind. I’ve taken the liberty of updating his quote to make it more relevant to modern digital forensics.

Wherever they pivot, whatever they access, whatever they leave behind, even unconsciously, will serve as a silent witness against them. Not only their authentications or their executions, but the packets they transmit, the files they change, the tool marks they leave, and the data they upload or download. All of these and more bear mute witness against them. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Digital evidence cannot perjure itself and it cannot be wholly absent. Only human failure to find, study, and understand evidence can diminish its value.

Chris Sanders, revised from Paul L. Kirk (1953)

I find the last line of that quote (unchanged from its original version) the most impactful. Ultimately, many of the issues cyber security faces in its cognitive crisis are education problems. We must better understand how and why experts do the things they do to teach them to other people and refine them; something that we’re currently failing at.

Therefore, cyber security is the medium for my work, cognitive psychology provides the framework for understanding how analysts perform, and my findings are expressed through education. My choice to pursue a doctorate in education was primarily focused on the outputs I hope to achieve from my research; a more clear establishment of the human-centric investigation theory research field, a more formal digital forensics analytic doctrine, and the methods to help people learn that doctrine.

What’s next?

While a doctorate is a terminal degree, the document encapsulating it is only the beginning. I plan to continue my research focused on different facets of how analysts perform investigations and strategies for teaching investigation concepts. As a matter of fact, I have ongoing research projects as you read this post.

As part of this continued work, I’m seeking research partners who might want to work or collaborate. This includes:

  • Universities who may be interested in providing graduate students to assist in research projects. These students will be compensated for their time and can come from a variety of subject areas like psychology, sociology, or education. They do not have to possess prior cyber security experience, but should be interested in the field and have some exposure to quantitative and qualitative research techniques. These opportunities are remote/online under the Applied Network Defense research umbrella.
  • Businesses that wish to provide access to analysts for research subjects. A unique challenge of conducting analyst-centric research is finding enough analysts to serve as research subjects. This is particularly the case when I need to conduct research focused on several analysts within a single security operations center. If your organization is interested in providing analysts for these studies, please reach out. Depending on the scope of the research, there may be some costs associated with participation. However, as part of participating, you’ll receive free and discounted training courses along with priority access to research findings, as well as consulting from me on how to leverage the results meaningfully in your security team.

Please contact me directly if you are interested in either of these opportunities.

My Acknowledgments

While my acknowledgments are included in the dissertation document itself, I thought it important to also include them here, just like I do in all the blog posts that have accompanied the release of my books.

I would like to thank the people who helped make this document possible and contributed to the positive step forward it represents. First and foremost, thank you to my wife Ellen, who I kept awake countless nights by storming into the bedroom rambling on and on about the ideas running through my head following late classes.

Nobody becomes a scholar alone, and I was fortunate to have several amazing people on this journey with me. I want to extend my gratitude to my doctoral colleagues who made this whole experience more enjoyable. I also want to thank my instructors at Baylor who shepherded me along this scholarly experience, with special thanks to my advisor, Dr. Sandi Cooper. I don’t fit the mold of a typical education student, and I appreciate all of you opening up your mind to learn from me as I did from you.

I want to pay special tribute to my students, whose success helps motivate me, including anyone who has ever taken one of my classes, read one of my books, or sat in on one of my conference presentations. Additionally, I want to thank my colleagues that served as sounding boards and provided feedback on my ideas.

This whole project started over a decade ago when I was a struggling young analyst trying to learn the craft. Someone told me that you are either born with the skills needed to do this job, or you are not. I thought that was nonsense, and I have spent the rest of my career gathering the knowledge and data to prove it. The document you are about to read is a step along that path. I don’t remember the name of the person who told me that, but I want to thank them too.

Download and Citation

You can download my complete dissertation paper for free at this link.

The paper will be available in the Baylor and ProQuest databases on December 19th, 2021.

You may cite this work as:

Sanders, C. (2021). The analyst mindset: A cognitive task assessment of digital forensic analysts [Doctoral dissertation, Baylor University]. https://chrissanders.org


Recent Dissertation Topics in Forensic Science

This article serves as a compass, guiding readers through a diverse array of recent dissertation topics that encapsulate the multifaceted nature of forensic research. From digital forensics to forensic psychology, the chosen dissertation topics reflect the evolving challenges and advancements in solving complex legal puzzles.

Forensic DNA Analysis:

  • “Next-Generation Sequencing (NGS) in Forensic DNA Profiling: Opportunities and Challenges”
  • “The Impact of DNA Transfer and Secondary DNA Transfer in Forensic Investigations”
  • “Ethical Implications of DNA Phenotyping: A Critical Analysis”

Digital Forensics:

  • “Artificial Intelligence in Digital Forensic Analysis: A Comprehensive Review”
  • “Cloud Forensics: Investigating Digital Crimes in Cloud Computing Environments”
  • “Deepfake Detection Techniques: Safeguarding Digital Evidence Integrity”

Forensic Anthropology:

  • “Facial Approximation in Forensic Anthropology: Integrating 3D Modeling Techniques”
  • “The Role of Forensic Anthropologists in Mass Graves Investigations”
  • “Advancements in Skeletal Trauma Analysis for Forensic Purposes”

Forensic Toxicology:

  • “Metabolomics in Forensic Toxicology: Profiling Endogenous and Exogenous Compounds”
  • “Designer Drugs: Analytical Approaches for the Detection of Novel Psychoactive Substances”
  • “Forensic Challenges in Analyzing Postmortem Fluids for Toxicological Investigations”

Forensic Psychology:

  • “The Impact of Jury Bias on Forensic Psychologists’ Testimonies: A Case Study Analysis”
  • “Virtual Reality Applications in Forensic Psychology Training: Enhancing Investigative Skills”
  • “Exploring the Ethical Dilemmas in Forensic Psychological Assessments”

Forensic Pathology:

  • “Cardiac Biomarkers in Forensic Pathology: Exploring their Role in Cause of Death Determination”
  • “The Use of Postmortem Imaging in Forensic Pathology: A Comparative Analysis”
  • “Forensic Aspects of Pediatric Traumatic Brain Injuries: Patterns and Challenges”

Forensic Odontology:

  • “Age Estimation in Subadults: Integrating Dental and Skeletal Methods in Forensic Odontology”
  • “Digital Methods in Bite Mark Analysis: Enhancing Accuracy and Reliability”
  • “Role of Dental Records in Disaster Victim Identification: A Global Perspective”

Forensic Entomology:

  • “Forensic Entomogenomics: Unraveling New Dimensions in Time of Death Estimation”
  • “Environmental Factors Influencing Insect Colonization on Decomposing Remains: A Forensic Study”
  • “The Use of Entomotoxicology in Forensic Investigations: Current Trends and Applications”

Reader interactions.


January 7, 2024 at 2:22 am

Thank you for this post. I needed to submit a topic for my dissertation on Monday and you guys saved me big time.


Master of Science in Digital Forensics (MS)

Protect Your Organization by Detecting, Investigating and Defeating Cybercrime

The master’s in digital forensics program provides you with the latest techniques and hands-on approaches to analyzing computers and other types of digital media. The program’s coursework examines the various methods used to determine whether something has been used for illegal or unauthorized activities, or has fallen victim to an illegal attack. Upon graduating, you’ll have the knowledge and skills required to work as an examiner in the field or continue on to a doctoral degree or law school. Gain employment in a number of industries from government to law enforcement to the private sector. This program also prepares you for certification exams, including CompTIA A+, GIAC Security Essentials and CompTIA Network+.

Designed to help you balance school, work and life, the UCF Online digital forensics program is available 100 percent online. Please note that if you choose the thesis option, you will be required to have a one-time on-campus thesis defense before you can graduate. UCF also provides a Computer Forensics Graduate Certificate, which requires completing 12 credit hours.

The Master of Science in Digital Forensics degree is a collaborative effort between various UCF academic departments — Computer Science, Forensic Science of Chemistry, Criminal Justice and Legal Studies — and the National Center for Forensic Science. The National Center for Forensic Science is a State of Florida Type II Center and a member of the National Institute of Justice Forensic Resource Network of the Department of Justice, serving the needs of state and local law enforcement and forensic scientists.


Course Overview

Computer Forensics I

Explore legal issues regarding seizure and chain of custody, and technical issues in acquiring computer evidence. You’ll examine popular file systems, as well as reporting issues in the legal system.

Incident Response Technologies

Cover a range of topics related to security incidents and intrusions, including identifying and categorizing incidents, responding to incidents, log analysis, network traffic analysis and tools.

Malware and Software Vulnerability Analysis

Analyze malicious code, such as viruses, worms, trojans and spyware, and software vulnerabilities, such as buffer overflows.

Digital Forensics Skills You’ll Learn

  • Prepare for a career in digital forensics examination, forensic tool development, tool verification and validation, or security and forensics administration, or pursue advanced studies.
  • Gain the communication skills, both oral and written, to become an effective problem solver as well as an expert witness and forensic examiner.
  • Participate as an effective team member or team leader in digital evidence investigations.

Career Opportunities

  • Computer Forensic Examiner
  • Computer Forensic Investigator
  • Electronic Discovery
  • Incident Response Examiner
  • Information Security Analyst
  • Malware Analyst

Admission Requirements

UCF’s Master of Science in Digital Forensics program is designed for those with a bachelor’s degree in computer science (CS), computer engineering, information technology (IT) or a closely related field.

Students with a BS and/or MS in areas other than a computer-related field need to show either they have taken some basic CS/IT courses or training, or have working experience in CS or IT or digital forensics field.

To apply, submit the general graduate admissions requirements and the following:

  • Statement of educational, research and professional career objectives
  • Three letters of recommendation


The mission of the MSDF degree program is to provide a quality graduate education in science and practices of digital forensics, to prepare the students for digital forensics jobs, and to prepare the students for a lifetime of learning. The objectives of the program include the following:

  • To give MSDF graduates the knowledge and skills necessary to participate as an effective team member or team leader in digital evidence investigations
  • To prepare MSDF graduates for professional careers in digital forensics examination, forensic tool development, tool verification and validation, security and forensics administration
  • To prepare MSDF graduates with the knowledge and skills to pursue advanced studies and research in computer technology or computer crime-related disciplines
  • To equip MSDF graduates with the communication skills, both oral and written, to become an effective problem solver as well as an effective communicator as an expert forensic examiner and expert witness

The Digital Forensics MS degree consists of 30 hours of study beyond the bachelor's degree, with required, intensive specialization in topics related to digital forensics. The degree program prepares students, including working professionals pursuing the degree part-time, to gain the knowledge and skills required to work as an examiner in the field. The program may also be taken by those who have an interest in scientific applications and research in the field, and who would like to continue to a doctoral degree program or law school after completion.

The program offers either a thesis option (6 credit hours) or the opportunity to complete two additional courses (6 credit hours) selected from the Restricted Electives. At least one-half of the credit hours must be at the 6000 level.

Total Credit Hours Required: 30 Credit Hours Minimum beyond the Bachelor's Degree

Please note: Digital Forensics (MS) may be completed fully online. Most courses are either online courses or have both on-campus and online course sessions. Newly admitted students choosing to complete this program exclusively via UCF online classes may enroll with a reduction in campus-based fees.

International students (F or J visa) are required to enroll in a full-time course load of 9 credit hours during the fall and spring semesters. Only 3 of the 9 credit hours may be taken in a completely online format. It could be difficult to satisfy this requirement, since many courses in this program are offered only online. Please contact the Program Coordinator to discuss possible admission issues.

UCF is not authorized to provide online courses or instruction to students in some states. Refer to State Restrictions for current information.

Program Prerequisites

Undergraduate articulation courses may be required for students with BS and/or MS degrees in fields other than a computer-related field. If you do not hold a STEM-related BS degree, you need to show either that you have taken some basic CS/IT courses or that you have working experience in CS, IT or the digital forensics field. If you want to take some prerequisite courses, you can take two to three of the following courses at UCF, or equivalent courses elsewhere:

  • Basic CS knowledge: COP 3502: Computer Science I
  • Basic networking knowledge: CNT 3004 Computer Network Concepts, or CNT 4703C Design and Implementation of Computer Communication Networks, or CNT 4704 Analysis of Computer Communication Networks
  • Basic Computer architecture: CDA 3103: Computer Logic and Organization
  • Programming course, such as: COP 3223C Introduction to Programming with C, or COP 3330 Intro to OO Programming with Java

Courses taken to correct deficiencies cannot be used to satisfy minimum degree requirements.

Degree Requirements

Required Courses

  • CGS5131 - Computer Forensics I: Seizure and Examination of Computer Systems (3)
  • CHS5504 - Topics in Forensic Science (3)
  • CIS6207 - The Practice of Digital Forensics (3)
  • CNT6418 - Computer Forensics II (3)

Restricted Elective Courses

  • CAP6133 - Advanced Topics in Computer Security and Computer Forensics (3)
  • CNT6519 - Wireless Security and Forensics (3)
  • CAP6135 - Malware and Software Vulnerability Analysis (3)
  • CIS6386 - Operating Systems and File System Forensics (3)
  • CIS6395 - Incident Response Technologies (3)
  • CNT5410L - Cyber Operations Lab (3)
  • IDC5602 - Cybersecurity: A Multidisciplinary Approach (3)
  • IDC6600 - Emerging Cyber Issues (3)
  • IDC6601 - Behavioral Aspects of Cybersecurity (3)
  • CCJ5015 - The Nature of Crime (3)
  • CCJ5456 - The Administration of Justice (3)
  • CCJ6074 - Investigative and Intelligence Analysis: Theory and Methods (3)
  • CCJ6704 - Research Methods in Criminal Justice (3)
  • CCJ6706 - Data Analysis in Criminal Justice I (3)
  • CJE6688 - Cyber Crime and Criminal Justice (3)
  • CJL6568 - Law and Social Control (3)
  • CHS5596 - The Forensic Expert in the Courtroom (3)
  • CHS5518 - The Forensic Collection and Examination of Digital Evidence (3)
  • PLA5587 - Current Issues in Cyberlaw (3)
  • CIS6206 - Electronic Discovery for Digital Forensics Professionals (3)

Thesis/Nonthesis Option

  • Earn at least 6 credits from the following types of courses: CAP 6971 Thesis. The College of Engineering and Computer Science requires that all thesis defense announcements are approved by the student's adviser and posted on the college's website and on the Events Calendar at the College of Graduate Studies website at least two weeks before the defense date.
  • Earn at least 6 credits from the following types of courses: Students not interested in a thesis can instead take one elective course and the "CDA 6946: Internship" course, or take two electives. The electives can be any courses from the list of Restricted Electives above, or the following electives.

Grand Total Credits: 30

Financial Information

Graduate students may receive financial assistance through fellowships, assistantships, tuition support, or loans. For more information, see the College of Graduate Studies Funding website, which describes the types of financial assistance available at UCF and provides general guidance in planning your graduate finances. The Financial Information section of the Graduate Catalog is another key resource.

Fellowship Information

Fellowships are awarded based on academic merit to highly qualified students. They are paid to students through the Office of Student Financial Assistance, based on instructions provided by the College of Graduate Studies. Fellowships are given to support a student's graduate study and do not have a work obligation. For more information, see UCF Graduate Fellowships, which includes descriptions of university fellowships and what you should do to be considered for a fellowship.

The Independent Learning Requirement is met by successful completion of a master's thesis or completing the capstone course CIS 6207.

PHD PRIME

Digital Forensics Thesis Ideas

‘Digital forensics’ is the collection of digital investigation techniques applied to crime. It provides a systematic way to analyze evidence held in digital form for legal purposes. Its main aim is to examine computer-based criminal activity carried out by intruders or hackers against digital information, using a range of methodologies. The techniques used to investigate and evaluate each piece of evidence must be reliable and follow sound technical practice. This page gives you more information on new advances in the forensics research field, along with the latest digital forensics thesis ideas and tools.

Because of the rapid growth of digital innovation, digital forensics is now applied across information technology and computer-aided systems. It therefore attracts many scholars who are starting their research careers.

Latest Trending Digital Forensics Thesis Ideas

How do you choose a good thesis idea?

Based on the current demand and research issues of digital forensics, we have collected a large number of Digital Forensics Thesis Ideas for current and upcoming scholars. For your information, here are a few tips for selecting the best thesis idea for your forensics research.

  • Select an area that interests you and motivates you to do research
  • Working in an area you find interesting reduces the extra time spent analyzing primary and secondary information
  • So, choose a topic in the area you are passionate about
  • Consider the level of the latest technologies
  • Make yourself aware of the latest advancements in your area of interest
  • If you have sufficient knowledge of, and practice in, your topic, it will be more useful
  • It also reduces the effort of the research work and keeps the process simple
  • Make sure that your chosen topic has plenty of online and offline resources
  • This helps you carry out complete research on your topic and makes you an expert in your area of interest

Overview of Digital Forensics 

To establish what actually happened, digital forensic investigators examine collected event data such as artifacts, footprints and fingerprints. At the end of the investigation, the investigator reaches a conclusion based on the evidence discovered. The field also offers the following advantages:

  • Forensic science is used to inspect and improve stored data
  • It is specialized in examining corporate and criminal actions
  • Its primary functions are data collection, detection, assessment, accessibility, etc.

How does digital forensics work?

In general, the digital forensics field was primarily envisioned for analysing web-based cybercrime. Practitioners are also adept at collecting, categorising and securing evidence from any form of corrupted/modified digital data. Further, they validate the evidence to guarantee its admissibility in court. Overall, they recover the original content from the collected data through advanced and reliable techniques.

Next, we look at some classifications of digital forensics. They help you find the important purposes of a digital forensics investigation. Our experts have more than enough skill in handling the following scenarios. Additionally, we also support you in other major use-cases of the digital forensics field.

Taxonomy of Digital Forensics 

  • Slack, assigned, deleted, and unassigned
  • Email, SID, post (social and message), authentication
  • GPS locality data, authentication, hashing, SHA256, MD5 and SHA1
  • IP address, metadata objects, time with date, GPS tags, authentication (social media, ISP, mail)

We hope you understand the special purpose of digital forensics from the above classifications. In addition, we have listed the two primary steps involved in digital forensics.

2 Important Steps for Digital Forensics 

  • Acquisition – Collecting images and evidence
  • Analysis – Investigating the collected data and recovering damaged data

In the above section, we have already discussed the aim of digital forensics. Now we list the objectives of digital forensics from a research perspective. Scholars who wish to do research on forensic-related projects aim to achieve the following objectives through advanced technologies. Our resource team will definitely guide you in formulating novel digital forensics thesis ideas.

Objectives of Digital Forensics 

  • Minimization and Prevention of Interferences
  • Enhancement of Forensic Evidence Worth
  • Secure Information Management against Attacks
  • Reduce Cost of Employing Forensic Enquiry

For simplicity, here we have given you the lifecycle of digital forensics in terms of data collection, data analysis, and evidence acquisition, with their processes. These lifecycle stages are common to all digital forensic projects. Depending on the requirements, more steps may be included for improvement. We are ready to assist you in all types of forensics applications regardless of complexity.

Lifecycle of Digital Forensics 

  • Separate the required area
  • Collect the reliable data
  • Pack and label the collected data
  • Construct the protection shield over packed data
  • Detect and extract the essential features (recognize the people /place and associate location)
  • Filter the optimal features (reconstruct the scene/incident)
  • Prepare the report
  • Write the report with the attachment of evidence
  • Generate the hash for protection
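The "pack and label", "protection shield" and "generate the hash" steps above amount to an evidence manifest. The following is an added example (not code from the original page): it labels each collected item, records its SHA-256 hash, seals the manifest with a hash of its own canonical form, and can later re-verify the set. The case id, examiner name and the two "collected" items are constructed sample values.

```python
"""Evidence packaging manifest for the lifecycle steps above (added example).
Labels each collected item, hashes it, seals the manifest with its own hash,
and verifies later that neither items nor manifest were altered."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "collected data": label -> (source description, raw bytes)
COLLECTED = {
    "EV-001": ("browser history export", b"visited: example.test 2024-05-01\n"),
    "EV-002": ("syslog excerpt", b"May  1 10:02:11 host sshd[412]: Accepted publickey\n"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj) -> bytes:
    # Deterministic serialisation so the manifest hash is reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def pack_and_label(items, case_id, examiner, collected_at=None):
    """'Pack and label' + 'generate the hash': one manifest entry per item,
    then a hash over the whole manifest body acts as the protection seal."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    entries = []
    for label in sorted(items):
        description, data = items[label]
        entries.append({
            "label": label,
            "description": description,
            "size": len(data),
            "sha256": sha256_hex(data),
            "collected_at": collected_at,
        })
    manifest = {"case_id": case_id, "examiner": examiner, "items": entries}
    manifest["manifest_sha256"] = sha256_hex(_canonical(manifest))
    return manifest


def verify(manifest, items):
    """Re-hash the manifest body and every item.
    Returns a list of problems; an empty list means the evidence set is intact."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(_canonical(body)) != manifest.get("manifest_sha256"):
        problems.append("manifest hash mismatch")
    for entry in manifest["items"]:
        label = entry["label"]
        if label not in items:
            problems.append(f"{label}: missing from evidence set")
            continue
        if sha256_hex(items[label][1]) != entry["sha256"]:
            problems.append(f"{label}: content hash mismatch")
    return problems


if __name__ == "__main__":
    m = pack_and_label(COLLECTED, "CASE-2024-0001", "examiner A")
    print(json.dumps(m, indent=2))
    print("problems:", verify(m, COLLECTED))
```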

Our resource team is well-practised in both real-time and non-real-time applications and can support you in every aspect of research and development. Our primary motive is to give you up-to-date Digital Forensics Thesis Ideas, so we regularly collect the latest research issues by referring to several online and offline research materials. From our current collection, here are a few ongoing research challenges of digital forensics.

Research Challenges of Digital Forensics 

  • Lack of security over evidence (high susceptibility)
  • Heterogeneity in software, hardware, and network
  • Run-time network variation (insufficient logging and blurred network edge)
  • Pervasive sensing of large data / evidence from multiple sources
  • Complicated communication and accountability in automated execution
  • Resource-constrained devices like low battery, low power usage, low existence time

Furthermore, we have also listed future research directions of the digital forensics field, since today’s research areas will be tomorrow’s research foundations. We assure you that all the research notions specified below have long-lasting scope for further studies. For more details on both current and future research on digital forensics, communicate with our team.

Top 9 Interesting Digital Forensics Thesis Ideas

  • DNA Matching and Analysis System
  • Forensics on Computerized System
  • Scientific Identification of End User Type
  • Mobile Device Forensic Data Authentication and Analysis
  • Forensics based Data Recovery from Database
  • Biometrics based User Authentication (Fingerprint / Iris)
  • Forensic Principles for Federal, Corporate and Government Sectors
  • GPS based Mobile Device Geographic Location Detection
  • Forensics Investigation on Network Data

In addition, we have itemised the significant methodologies involved in both forensic and anti-forensic studies. Based on our experience, all of these methodologies are among the best result-yielding techniques. Beyond these, we also support you in other growing technologies of digital forensics. We are currently working on hybrid technologies to raise the research value to the next level for the scholars we guide.

Digital Forensics Techniques and Methods 

  • Timestamping
  • Secure wiping
  • Information (forgery, hiding, and obfuscation)
  • Artificial Intelligence
  • Data Mining Methods
  • Blockchain Security
  • Homomorphic Encryption
  • Block Signature (Matching)
  • Secure Hashing Technique
  • Ultra-Lightweight Cryptography
  • Deep Learning and Machine learning algorithms

For the benefit of active scholars, here we have listed the top 5 innovative Digital Forensics Thesis Ideas. This helps you to identify the current research directions of the forensic field in a digital society.

Top 5 Digital Forensics Research Ideas 

  • Interrogation and Extraction of Evidence
  • Efficient Design of Correlation Frameworks
  • Evidence Recovery or eDiscovery
  • Experimental Analysis on Evidence Logs
  • Evidence Graphs and Finite State Construction

Moreover, we have also included the latest digital forensics research topics from the most in-demand research areas of the field. If you are looking for innovative digital forensic project topics in your area of interest, approach us and we will let you know about upcoming developments.

Latest Digital Forensics Research Topics

  • Security of Cyber-Physical System
  • Fast Attainment of Physical Memory
  • Advance Inspection of Fraudulent Digital Activities
  • Cyber Crime Inquiry and Reporting
  • Identity Access Management and Verification
  • Spontaneous Incident Response System Maintenance
  • And many more

Once you have selected a research topic with appropriate solutions, the next vital step is development tool selection. For the digital forensic field, numerous commercial and non-commercial tools have been developed. Below we look at a few of the most widely used tools and technologies among them. Since forensic analysis is a challenging task to perform in a real environment, it is essential to choose the right implementation tool for evidence collection, mitigation, and investigation.

Simulation Tools for Digital Forensics 

Digital forensics plays a vital role in proving and disproving the digital evidence of cyber-crime. Here, we have given you a list of popular digital forensic tools with their supporting platforms and purposes.

  • Scripting Language (code, debug and execute)
  • Embed with any IDE for programming
  • Purpose – Support Forensics and Cybersecurity Applications with Penetration Test
  • Network Packet Analyzer Tool
  • Purpose – Monitor and Examine Network related activities
  • Computer-Aided Investigative Environment
  • Platform – Linux
  • Purpose – Perform all Digital Forensics Operations
  • Framework for memory-related forensics
  • Filter the digital information from RAM
  • Purpose – Malware Detection / Analysis and Incident Response
  • Analyzer Software for network forensic
  • Platform – MAC OS, Linux, Windows,
  • Purpose – Identification of hosts, OS, open ports, and sessions by PCAP file/packet sniffing
  • Software for memory-related forensics and reverse engineering
  • Purpose – Investigation of Volatile Memory
  • Enhanced Forensics Framework
  • Platform – Windows
  • Purpose – Supports all forensics investigation operations
  • Stands for Network Mapper which is an Open-source software
  • Platform – MAC OS, Linux, Windows, HP-UX, Solaris, etc.
  • Purpose – Auditing of Network Security
  • Computer-based forensics software
  • Examine files, folders, and disk image
  • Purpose – Data Extraction (private information, ZIP files, URLs, etc.)
  • Shortly abbreviated as SIFT
  • Versatile Forensic Operating System (OS)
  • Platform – Ubuntu
  • Purpose – Comprised of several tools especially for Digital Forensics

For your digital forensic project, we can support the installation and execution steps. The installation steps for the Python programming language are mentioned below.

Installation of Python for Digital Forensics Projects 

LibForensics

  • Package supported in Python
  • Purpose – Constructing digital forensics applications
  • Some bottlenecks may later be rewritten as C-based modules
  • Python Version 3.1
  • $ pip install libforensics

Next, we look at other research ideas that are waiting to create an incredibly positive impact on digital forensics. These ideas will surely put you one step ahead of your competitors. For your reference we have given only a few here; beyond these ideas, we have an abundance of innovations based on new developments.

Latest Digital Forensics Thesis Ideas

Forensics in Cyber System

  • Face Matching and Analysis
  • Privacy and Security for Mobile Crowdsourcing
  • Insider and Outsider Threats Control in Cyber System
  • Watermarking and Digital Audio Signature
  • Data Auditing and Assurance in Distributed System
  • Proxy Re-Authentication and Confidentiality in Source Location
  • Geographical Location Substantiation
  • Fake Post Source Identification and Fact-Inspection
  • Detection and Prevention of Spoofing Attacks
  • Enhancing Reliability on Live Investigation
  • Malware Identification in Web-based Social-Media
  • Forensics-as-a-Service
  • Design of Attack and Intrusion
  • Improvement of Policy and Trust
  • Crime-as-a-Service
  • Digital Evidences Detection and Recovery
  • Side Channel Attack Prevention
  • Multimodal and Soft Biometrics
  • Behavioral and Audiovisual Biometrics
  • Detection of Smart Device and Anonymity
  • Steganography and Surveillance
  • Pattern, Imprint, Feature Identical Detection

Overall, we ensure that we provide fine-tuned services at every stage of your research journey. We have guided numerous research scholars in crafting innovative digital forensics thesis ideas. Once you make a bond with us, we will take full responsibility for your research and assist you from identifying your area of interest to investigating the empirical results. In other words, we will be with you throughout the whole research journey.


Digital Forensics Tools: The Ultimate Guide (2024)

Digital forensics tools have improved a lot in the past several years. With these advances, the digital forensics community now has many tool options for each phase of an investigation.

In fact, there can be a lot of options to keep track of.

That’s why we wanted to bring together the ultimate guide to DFIR tools—highlighting options available to examiners and the best time to use them.

The advancements in digital forensic tools over the years have largely been driven by two things to meet evolving investigation needs: competition between more forensic software developers and the maturation of the digital forensics open source and research communities.

The IDC MarketScape Worldwide Digital Forensics in Public Safety Report, 2022.

When it comes to the rise in competition between software providers, IDC has created a few in-depth reports comparing digital forensic tools for both private-sector cyber security professionals and public-sector digital investigators. Their recent MarketScape report found Magnet Forensics to have the highest capabilities of any digital forensic tool. 

As for the maturation of the digital forensics research community, conferences like the Digital Forensics Research Workshop, the Scientific Working Group on Digital Evidence (SWGDE), and the Magnet User Summit have been great opportunities for the community to get together and share knowledge and pain points. Companies like Magnet Forensics support these communities with resources and data sets and provide an easy way for the community to capture, re-use, and share new artifact knowledge. Instead of gatekeeping, software companies working with the digital forensics community have led to rapid advancement in all types of digital forensic tools. Whether closed or open-source, free or paid, we’re bringing you a comprehensive list of digital forensic tools to help you kit out a digital forensic laboratory of any size.

This guide will focus on the tools needed to build a functioning general-purpose laboratory in

Digital Forensics Tools

Typically, a digital forensics laboratory will have several digital forensics tools that do the same task. For example, several overlapping tools allow the laboratory to validate investigation results (see Josh Brunty’s guide and SWGDE validation guidelines ).

Whatever tooling you choose, ensure that you can get the same results using different methods. If you can’t, you must be able to explain why you can’t. Validation may mean manual parsing, conducting research, and reaching out to the forensics community .

When choosing digital forensics tools for your toolkit, think about each part of your investigation workflow and the tasks that normally need to be completed. Comprehensive digital investigation toolkits support the most common investigation tasks. These toolkits can often include third-party or user-created artifacts or modules . Custom artifacts let a lab quickly develop parsers for newly observed sources of evidence, regardless of the underlying software tool. It’s worth learning how to write custom artifacts for your preferred toolkits.

Free, open-source forensics software tools are excellent for validating results. But outfitting an entire lab with free software can lead to a patchwork of tools that don’t always work together. Sometimes, this can make for complex and inefficient workflows and reduce your time to evidence. It’s recommended that a professional lab have at least one fully comprehensive software solution, like Magnet One , to work quickly through cases with a minimum of downtime. Using tools that are well-recognized by courts will also save time, and smooth testimony at trial.

The following digital forensic tool lists are categorized using the first Digital Forensic Research Workshop investigative process for digital forensic science. Although proposed in 2001, the procedural concept is holding up surprisingly well. Let’s look at digital forensic tools and where they fit in identification, preservation, collection, examination, and analysis.

Identification

This is probably the most challenging part of any investigation. Before we can respond to an incident, we must detect it. Reporting could come from victims opening a case, a financial audit or an admin checking their logs.

In criminal investigations, cases are typically reported to law enforcement. For private organizations, however, incident detection is critical. Passive measures like honeypots and canary tokens can greatly assist in alerting an organization to a compromise, while a tool like Magnet Axiom Cyber helps with threat-hunting Windows event log analysis and incident response tasks.

Increasingly, users identify security incidents from threatening messages on the screen. Ransomware encrypts user files and demands payment for the decryption key. If you or your organization have been a victim of ransomware, find information and tools from Magnet Axiom Cyber. Continue with your incident response plan and make copies of all data. To learn more about ransomware, see this excellent talk by Cindy Murphy. For an in-depth report on global threats, see the CrowdStrike 2024 Global Threat Report.

Tools to assist in incident identification are either used pre- or post-incident. Pre-incident monitoring often results in more data and higher fidelity. Post-incident analysis requires much more challenging event reconstruction, often with limited data. Corporate environments have control of their systems and may enable pre-incident monitoring with additional logging and detection systems. Law Enforcement, however, almost always deals with post-incident default (or disabled) logging and anti-forensics.

Magnet Axiom Cyber is the industry leader in pre-incident monitoring and post-incident acquisition. It allows you to recover deleted data and investigate digital evidence from mobile, computer, cloud, and vehicle sources all in one case file with powerful analytics.

Preservation

Unfortunately, an incident has been identified, and you now need to create a case, start documentation, and preserve any related data.

Case Management, Documentation, and Reporting

Most comprehensive digital investigation toolkits require creating a “case” in the software before adding exhibits. Case management within your primary analysis tool may be possible. However, consider overall lab management and collaboration. An organization-wide case management system will provide better visibility and coordination.

Regardless of where case management tools are placed, ensure your investigators can easily document their processes and are supported in writing comprehensive reports. This support implies access to a knowledge base of commonly used legislation, definitions, references, and procedures.

Case management, documentation, and reporting requirements have advanced beyond an MS Word document. Here are tools to assist in the quality and security of investigation communications.

Magnet One is the gold standard tool here; it improves efficiency and breaks down silos by enabling stakeholders agency-wide to manage, collaborate, analyze, and report on all aspects of your digital investigations.

Help first responders collect evidence from witnesses on-scene without asking them to give up their devices with Magnet Shield .

Digital Forensic Imaging

Forensic imaging is both common and important in digital forensic investigations. But imaging is not easy. Resources like Practical Forensic Imaging are great for understanding the imaging process and challenges.

Forensic Hardware Write Blocker and Disk Imagers

Hardware write-blockers are highly reliable devices and typically only fail when misconfigured. Some write blockers allow you to disable write-block functions and use the device as a read/write hardware bridge. Be sure to include usage training and testing when adding hardware write blockers to your toolkit. It is crucial to have a standard testing methodology that your local court accepts and regularly test your

Most Linux-based forensic operating systems include software (kernel-level) write-blocking. There are several commercial write blockers for Windows, but they tend to be more expensive than hardware write blockers. If you choose a software write-blocker, ensure a testing and validation procedure is in place. 

Disk Acquisition Software

Hardware and software write blockers need to be paired with imaging software. Hardware disk imagers have disk imaging software built-in; some external write blocker devices do not. Correct imaging is critical in any investigation, and the community is lucky to have such solid tools available for free.

Magnet Acquire is the best tool for physical and logical disk imaging as well as mobile device imaging. It allows investigators to quickly and easily acquire forensic images of any iOS or Android device, hard drive, and removable media. Best of all it is completely free.

With disk acquisition, be aware of how the acquisition software treats bad clusters. For example, some software may write 0’s where a disk read fails. Others may skip the sector and write nothing to the image. The imaging error response alone can therefore produce two different images (and two different hashes) from the same failing disk. Configure your imaging software to respond to errors according to your lab’s SOP. Unfortunately, imaging software often does not allow error configuration and may not document its read-failure procedure. In that case, you will need to test the responses of different software and choose the tools that fit your lab best.
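To make the read-failure point concrete, here is an added example (not code from the original guide or from any imaging product): a simulated sector-by-sector imager run over a constructed in-memory "disk" with one unreadable sector, once with a zero-fill policy and once with a skip policy. It shows that the two policies yield images of different length and different SHA-256 hashes, that the skip policy shifts every later offset, and that the hash recorded at acquisition time is what later verification checks against.

```python
"""Simulated disk imager demonstrating the read-error policy problem (added example).
The disk, its contents and the failing sector are constructed for illustration."""
import hashlib

SECTOR = 512


class FlakyDisk:
    """Constructed stand-in for a failing drive: sectors listed in `bad` raise on read."""

    def __init__(self, sectors: list, bad: set):
        self.sectors = sectors
        self.bad = bad

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise IOError(f"read error at sector {n}")
        return self.sectors[n]

    def __len__(self) -> int:
        return len(self.sectors)


def image_disk(disk, on_error: str = "zero"):
    """Image the disk sector by sector.

    on_error='zero': write a sector of 0x00 where the read fails (offsets stay aligned).
    on_error='skip': write nothing for the failed sector (image shrinks, later offsets shift).
    Returns (image_bytes, sha256_hex, bad_sector_log); the log is what the examiner
    should keep alongside the hash, since the hash alone cannot reveal the policy used.
    """
    if on_error not in ("zero", "skip"):
        raise ValueError("on_error must be 'zero' or 'skip'")
    out = bytearray()
    log = []
    for n in range(len(disk)):
        try:
            out += disk.read_sector(n)
        except IOError as exc:
            log.append((n, str(exc)))
            if on_error == "zero":
                out += b"\x00" * SECTOR
    digest = hashlib.sha256(bytes(out)).hexdigest()
    return bytes(out), digest, log


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Post-acquisition integrity check: the hash taken at imaging time is the ground truth."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def make_sample_disk() -> FlakyDisk:
    # Four sectors filled with 0x01, 0x02, 0x03, 0x04; sector 2 (the 0x03 one) is unreadable.
    sectors = [bytes([i]) * SECTOR for i in range(1, 5)]
    return FlakyDisk(sectors, bad={2})


if __name__ == "__main__":
    disk = make_sample_disk()
    for policy in ("zero", "skip"):
        img, digest, log = image_disk(disk, policy)
        print(f"{policy:4s} policy: {len(img)} bytes, sha256={digest}, bad sectors={log}")
```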

RAM Acquisition Software

Like disk images, laboratories should acquire RAM images from case-related systems. Random Access Memory (RAM) contains information about the system and user activities since the last time the computer was shut down. This might include information that will never be written to disk. As such, it can be a valuable source of evidence for investigators.

RAM is volatile, meaning that it changes quickly. If a computer or device is shut down, all data in RAM is cleared and cannot easily be recovered. First responders need the tools and training to collect a RAM image from a live environment. Live Data Forensics is not easy and should only be done by those competent to do so.

Magnet DumpIt for Windows is a free, fast memory acquisition tool for Windows (x86, x64, ARM64). This software, created by Comae Technologies, does not require a pre-installed agent. Machine states can be collected via DumpIt and its PowerShell interface to provide your organization with more flexibility. It generates full memory Microsoft crash dumps on the fly without having to trigger a Blue Screen of Death (BSOD).

Magnet Response is a free and easy-to-use solution to quickly collect and preserve data from local endpoints before it is potentially modified or lost. A pre-set collection profile gives you the ability to target a comprehensive set of files and data relevant to incident response investigations, including RAM.  Key features: 

  • Easy-To-Use: A guided two-step process and progress bar is straightforward for even non-technical users to use  
  • Fast & Comprehensive: Collect and preserve data starting with the most volatile using the built-in Comae RAM capture (Magnet DumpIt) functionality, then volatile data and files commonly associated with cybercrime, such as Windows Event Logs, Registry Hives, Jumplist files, and many other log files, in minutes – no need for multiple tools to get the IR data you need
  • Portable: It is comprised of a single executable file, is easily downloaded, and can be stored and run from a USB key   
  • Collect by Keyword & Skip Large Files: configure free-form collections using your own set of keywords (or the defaults provided), with the option to limit the size of files collected to maintain speed  
  • Consolidated Output: Output is consolidated and saved as a .zip file for easy delivery or processing and analysis in Magnet Axiom & Magnet Axiom Cyber  
  • Data Integrity: An embedded hash value is provided to verify the integrity of the data 

Remember that RAM acquisition is complicated. You will need to load the tool into memory to acquire memory. As forensic examiners, we want to reduce the footprint of forensic tools in memory so we don’t overwrite valuable evidence. Also, if the system is on, the RAM contents are changing. Imaging the same RAM twice will never result in the same image (and hash value). Hash the RAM image after the acquisition; that hash becomes your ground truth.

Mobile Acquisition Software Digital Forensics Tools

Just like computer forensics, mobile forensics is split into acquisition and analysis. Recently, more analysis toolkits have included processing data from mobile devices. Acquisition, however, remains a significant challenge. Newer mobile devices are often secure, requiring advanced technologies such as Magnet GrayKey to acquire data from them.  

Older devices often have publicly released vulnerabilities and utilities to bypass disk protection. Commercial tools, while more user-friendly with extensive interfaces and resources, often include non-publicly released exploits for newer devices. In addition, tools like Magnet GrayKey provide much more complete data extraction from supported devices. Extracting a full file system contains significantly more information than a logical extraction.   

Magnet Acquire allows mobile device acquisition for both iOS and Android.

Collection / Examination / Analysis Digital Forensics Tools

Collection, examination, and analysis are theoretically separate concepts in the DFRWS process model, but multi-function digital forensics tools tend to cover some aspects of each. Multi-function tools help an investigator understand the data and its relation to the investigation question. From there, we tend to dig deeper into specific artifacts or even pivot to other more specialized tools for analysis.

We have our forensically sound acquisitions of all case-related devices. Most full-featured digital forensic tools will ask to create a case in the tool’s management system. All exhibits and data sources are typically added under a single case. Grouping exhibits by case keeps everything together, but tools like Magnet Axiom and Magnet Axiom Cyber can find similarities between data sources such as files, usernames, phone numbers, etc.

The following tools are the gold standard investigation tools used worldwide:

  • Magnet Axiom — The industry standard: it lets you recover data from smartphones, computers, and the cloud and includes advanced analytics and reporting tools to help find case-related data faster.
  • Magnet Axiom Cyber — Purpose-built for private sector acquisitions with covert remote collection and support for enterprise cloud apps and services.

Mobile Analysis Software

Handling mobile data structures is challenging due to their complexity and the varying formats employed by different manufacturers. Additionally, the rapidly evolving changes in the mobile environment, such as frequent OS updates and new security features, constantly require forensic experts to adapt and update their methods and tools.

Some of the full-featured tools listed previously have built-in mobile data analysis capability. Sometimes integration for mobile analysis feels like an add-on rather than the main investigation point. That’s useful for basic searching and analysis, but needing more in-depth functionality is common. The following tools appear to put mobile device data analysis first, including the challenges that come with it.

  • Magnet Axiom — yes, we’ve listed this before, but Axiom is fully-integrated with Graykey, and processing mobile device data feels like a first-class workflow instead of an add-on. Using Axiom also lets you take advantage of Magnet custom artifacts for applications and data structures that are not supported.
  • Magnet Axiom Cyber — data reduction with keywords, hash lists, and advanced picture and video analysis.

When looking for a mobile analysis tool, consider whether the tool can parse common as well as trending data structures, an ability to customize or get support for case-specific data structures, and how easily (and comprehensively) the tool allows you to search and visualize the data. With mobile data analysis, you’re looking for updates more often than with computer analysis.

eDiscovery solutions focus more on litigation and discovery workflows. They have feature sets that are often useful for any digital forensic investigation. It is common to see eDiscovery software used with comprehensive toolkits described above. The scope of eDiscovery can vary, and the tools required will as well. We’ve talked about the anatomy of an eDiscovery investigation before. You’ll need a tool that helps with data collection, reduction, and review.

Magnet Axiom Cyber allows for covert remote device acquisition, data reduction with keywords, hash lists, and advanced picture and video analysis. After data reduction, Axiom Cyber produces a load file for eDiscovery review platforms.

Modern eDiscovery tools are very powerful and tend to prefer cloud-based systems. Cloud-based systems make processing much faster and allow for advanced automation and machine learning. Each tool will work great for standard workflows. Which one works best for you depends on the data types you tend to work with and your goals. Almost all eDiscovery tools are attempting to use machine learning for classification. The best model for you will be the one that most closely matches your data.

Open-Source Intelligence

In investigations, it’s increasingly common that some sort of open-source intelligence (OSINT) is necessary. In other words, looking up publicly available information online to help build timelines, corroborate evidence, and sometimes blatantly get a confession.

Magnet Web Page Saver can act as a browser and allows you to take full-page snapshots, including source files, an acquisition report, timestamping, and automatic file hashing. It also accepts a list of URLs to render and acquire automatically. If you ever take screenshots of web pages, this is a must-have.

Training/Community

We’re not quite done! The most valuable piece of your kit is you (and your team). Hardware, software, automation, and artificial intelligence can get you far, but a well-trained investigator still has to put the puzzle together and tell the story. Invest in your investigators.

  • Magnet Forensics Training Programs — basic through advanced training on all aspects of digital investigation offered online and in-person, also offers several Magnet-specific certification courses. Some of the most well-regarded courses in the industry.
  • SANS — an extensive range of high-quality training on information security and digital investigation topics.
  • NW3C — basic through advanced training related to various types of crime investigation. Often free for Law Enforcement.
  • ECTEG — develops basic through advanced digital investigation training in the European Union. Law Enforcement from any country can request free training from ECTEG.

Similarly, the digital forensics community is relatively small but very active. Useful resources include This Week in 4n6, DFIR Training, and About DFIR. Public- and private-sector experts share information and resources and answer questions on the DFIR Discord and at Forensic Focus.

If you are ready to collaborate and share resources with the community, check out Use GitHub to get started in the DFIR Community below.

Conclusions

That about does it for the ultimate guide to DFIR tools in 2024! It’s a fantastic community with rapid development. No list can do justice to all the great work, but this should be enough to get any digital forensic laboratory started. Check back often to see what’s new, and don’t be afraid to search for specialty tools on GitHub. You never know where you will find the next big break in the case. Keep your options open.


A Digital Forensic Analysis of the Impending iOS Update

May 22, 2023

Apple has released the Beta version of iOS 16, which is expected to be fully released in September. This release includes new messaging features: editing, recall, and recovery of messages sent between Apple devices. Our Digital Forensics & Investigations practice has been closely following and regularly testing iOS releases to explore potential investigation issues, challenges and opportunities. The new messaging capabilities are particularly interesting in the current Beta release because they carry a number of implications from a digital forensics perspective.

For legal teams and organizations that are routinely monitoring and/or collecting from iOS devices for investigations and litigations, it’s critical to understand how the new messaging capabilities in this Beta version may impact the ability to preserve and recover evidence in the future.

Most notably, the Beta version of iOS 16 implements a “Recently Deleted” folder, which enables users to recover messages deleted within the last 30 days. This is a “soft delete”: deleted messages are moved to the Recently Deleted folder for 30 days before being permanently removed from the device, so for that period the messages remain on the device. In earlier iOS versions, a deleted message was removed from the live database immediately, and recovery depended on carving residual data from unallocated SQLite pages or the write-ahead log, which is unreliable; the new feature could therefore be a boon for investigators who know where to look and how to uncover these artifacts.

In addition to examining the implications of this new “soft delete” function (i.e., when a user deletes a message but the message is automatically moved to the Recently Deleted folder rather than immediately removed from the device), our team conducted extensive testing on the changes to the messaging capabilities in iOS 16, using a suite of forensic tools. Our key findings include:

  • Messaging capabilities now include message editing, which allows users to edit a recently sent message up to 15 minutes after sending it; message recall, which allows users to recall a recently sent message up to 15 minutes after sending it; recovery of deleted messages for up to 30 days; and marking of conversations as unread, through which a previously read conversation can be marked as unread by the user.
  • The new editing, recall, recovery and “mark as unread” features do not work in conversations with Android devices.
  • Edited messages and their original versions are tracked with one record. However, the content of the original message is not stored. Rather, the database indicates that it was edited and when.
  • Recalled messages and their original version are also tracked with one record, which can indicate to investigators that a message was recalled and when, as well as when the original was sent and read. However, the content of recalled messages does not appear to be recoverable.
  • In testing on the Beta release to date, messages that have been marked as unread do not appear to be flagged with any discernible changes within the device’s database.

An important consideration is that these changes are consistent with the increasing prevalence of modify, delete, mask and recover functions in messaging applications. The proliferation of ephemeral messaging tools has made it difficult for investigators to follow the trail of evidence in many matters, and some of the changes within iOS 16 (such as message editing and recall) follow that trend. However, digital forensics experts who know where to look and what to look for will be able to leverage the soft delete feature and the records of other message changes to uncover artifacts that help paint a picture of what was happening on a device and when.

Our team will continue testing iOS 16 in Beta, as well as the features that are ultimately released when the full version launches.
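The findings above describe a database in which an edit or recall is recorded as a timestamp on the same message row, and a soft-deleted message keeps its row for 30 days. The following Python is an added example, not FTI’s tooling and not Apple’s schema documentation: the table and column names (message.date_edited, message.date_retracted, chat_recoverable_message_join.delete_date) are assumptions modelled on the findings above and must be checked against the actual sms.db from the device, and all rows are constructed. What it does show reliably is the timestamp handling that trips up quick readings of this database: recent iOS versions store Messages times as nanoseconds since 2001-01-01 UTC, so interpreting them as Unix seconds or milliseconds gives dates that are decades off.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Recent iOS versions store Messages timestamps as nanoseconds since
# 2001-01-01 00:00:00 UTC (Apple "absolute time"), not Unix seconds since 1970.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_ns_to_utc(ns):
    """Convert an Apple absolute-time value in nanoseconds to an aware UTC datetime."""
    return APPLE_EPOCH + timedelta(microseconds=ns // 1_000)


def utc_to_apple_ns(dt):
    """Inverse of apple_ns_to_utc; used here only to build the constructed sample rows."""
    return int((dt - APPLE_EPOCH).total_seconds()) * 1_000_000_000


# ASSUMED schema, modelled on the findings above: edit and recall are recorded on the
# same message row as a timestamp, and soft-deleted messages keep their row and gain a
# join-table entry carrying the deletion time. Verify these names against a real sms.db.
SCHEMA = """
CREATE TABLE message (
    ROWID INTEGER PRIMARY KEY,
    text TEXT,
    date INTEGER NOT NULL,            -- time sent/received
    date_edited INTEGER DEFAULT 0,    -- nonzero: message was edited at this time
    date_retracted INTEGER DEFAULT 0, -- nonzero: message was recalled at this time
    is_from_me INTEGER DEFAULT 0
);
CREATE TABLE chat_recoverable_message_join (
    chat_id INTEGER,
    message_id INTEGER,
    delete_date INTEGER               -- soft-delete time; row exists while recoverable
);
"""


def build_sample_db():
    """Return an in-memory database holding constructed sample rows (not real device data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    t0 = utc_to_apple_ns(datetime(2022, 7, 1, 12, 0, tzinfo=timezone.utc))
    minute = 60 * 1_000_000_000
    conn.executemany(
        "INSERT INTO message(ROWID, text, date, date_edited, date_retracted, is_from_me) "
        "VALUES (?,?,?,?,?,?)",
        [
            (1, "see you at 8", t0, 0, 0, 1),                              # ordinary message
            (2, "see you at 9", t0 + 2 * minute, t0 + 10 * minute, 0, 1),  # edited; only new text survives
            (3, None, t0 + 3 * minute, 0, t0 + 5 * minute, 1),             # recalled; content gone
            (4, "delete this later", t0 + 4 * minute, 0, 0, 0),            # soft-deleted below
        ],
    )
    deleted_at = utc_to_apple_ns(datetime(2022, 7, 5, 9, 15, tzinfo=timezone.utc))
    conn.execute("INSERT INTO chat_recoverable_message_join VALUES (?,?,?)", (1, 4, deleted_at))
    conn.commit()
    return conn


def classify_messages(conn, recovery_window_days=30):
    """Tag each message as normal / edited / retracted / soft_deleted with UTC timestamps."""
    rows = conn.execute(
        """
        SELECT m.ROWID, m.text, m.date, m.date_edited, m.date_retracted, j.delete_date
        FROM message m
        LEFT JOIN chat_recoverable_message_join j ON j.message_id = m.ROWID
        ORDER BY m.ROWID
        """
    ).fetchall()
    report = []
    for rowid, text, date, edited, retracted, deleted in rows:
        rec = {"rowid": rowid, "text": text, "sent": apple_ns_to_utc(date).isoformat(), "flags": []}
        if edited:
            rec["flags"].append("edited")
            rec["edited_at"] = apple_ns_to_utc(edited).isoformat()
        if retracted:
            rec["flags"].append("retracted")
            rec["retracted_at"] = apple_ns_to_utc(retracted).isoformat()
        if deleted is not None:
            deleted_dt = apple_ns_to_utc(deleted)
            rec["flags"].append("soft_deleted")
            rec["deleted_at"] = deleted_dt.isoformat()
            # After the recovery window the row is expected to be purged from the live database.
            rec["purge_after"] = (deleted_dt + timedelta(days=recovery_window_days)).isoformat()
        if not rec["flags"]:
            rec["flags"].append("normal")
        report.append(rec)
    return report


if __name__ == "__main__":
    for rec in classify_messages(build_sample_db()):
        print(rec)
```

Run against an exported sms.db you would replace build_sample_db() with sqlite3.connect() on a working copy (never the original) and confirm the column names first; the purge_after value is an expectation derived from the 30-day window, not a timestamp the device records.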

Key Contacts

Kevin Leung

Senior Director

Matt Witchey

Megan Danilek


‘A battle of experts’: Karen Read case spotlights murky realities of digital forensics

Karen Read listened as Judge Beverly J. Cannone greeted the jury, at the start of the third day of deliberations in her murder trial that ended in a mistrial in July in Norfolk Superior Court.

Despite its made-for-TV elements, the Karen Read trial featured an array of critical evidence from cellphones and computers that turned out not to be as clear or convincing as the kind often featured on “Law & Order,” “CSI,” and other popular crime series.

Inconsistencies in phone call records; a confusing time stamp on a Google search to learn how long it would take for a person to die in the cold; health data that showed a person descending a stairway — or maybe in a car.

While some forensic work is well established, such as DNA evidence, other technologies aren’t quite as grounded, as the Read trial showed. In particular, the field of digital forensics continues to evolve, shaped by court challenges and advancing technology. So, questions around the validity of that data have become the latest frontier in what legal observers call the “battle of experts”: dueling interpretations of an unsettled science.


And, with enough legal prowess — and financial resources — defendants can line up parades of experts to try to undermine a prosecution witness’s interpretation of forensic data, from the timing of a Google search to the movement of a human body.

“As technology advances at such a rapid pace, the things that we used to think were black and white aren’t black and white anymore,” said Christina Miller, a professor at Suffolk Law who previously focused on cases that involved digital forensics as a Suffolk County prosecutor.

She noted two recent Massachusetts Supreme Judicial Court rulings that each upheld decisions to disallow certain data from being used as evidence because of questions about their accuracy: In 2021, the courts disallowed the calculation of a defendant’s speed by a GPS device, and earlier this year, the courts prevented evidence of a defendant’s cellphone location history from being introduced in a criminal trial.

In the latter case, the analysts for the prosecution had used a different version of an iPhone’s operating system as they sought to replicate the data. That underlined one of Miller’s main points: “The forensic examiner is only as good as the tools they use, and the tools are only as good as the data.”

Expect to see more court challenges, she said.

Michael Kendall, a former federal prosecutor who’s now a defense attorney, added that judges have to be “much more demanding” in determining the validity and credibility of someone claiming to be an expert — as well as what science and processes are rigorous enough to constitute presentable evidence.

“There has been so much phony scientific evidence that has railroaded people over the years,” he said. “There has to be some validation of the expert. The court needs to police the quality of the experts and the quality of the science.”

The reliability of certain digital forensic data varies with the nature of the technology at issue. Programs were developed to complete specific functions, not, for example, to serve as an official time-stamped record of events that could constitute irrefutable evidence, said Seth P. Berman, a defense attorney and former prosecutor. So, while emails, Google searches, or phone calls may include a time stamp, that doesn’t mean the time stamp itself is accurate.

“This entire field of computer forensics is essentially an accident,” said Berman, who leads the privacy and data security practice group at law firm Nutter and previously worked for a firm that specialized in digital forensics. “Nobody created computers with the goal of using them to create evidence.”

So, he added, “As a result, the data is not that clear. There are a bunch of things that just go wrong,” and can lead to different expert interpretations.

Take, for example, the Read case. She was charged with backing into her boyfriend, Boston police Officer John O’Keefe, with her Lexus SUV after a night of heavy drinking in 2022 and leaving him to die outside the Canton home of a fellow Boston police officer during a blizzard. Her defense team claims she is being framed, and that O’Keefe was actually beaten by people who had been attending a gathering inside the home, and then dumped outside. Read found O’Keefe’s body hours later in a snowbank, after returning to look for him.

The case ended in a mistrial in July, and a new trial is slated for January.

At the core of the defense’s theory is the timing of a Google search for “hos [sic] long to die in cold” by Jen McCabe, a woman who was at the gathering inside the Canton home. According to an expert hired by the defense, data show she Googled the inquiry on her phone at 2:27 a.m., hours before O’Keefe’s body was found. Many among the crowds of Read supporters who gathered regularly outside the courthouse cited the testimony as a crucial indicator of her innocence.

But prosecution experts said the testimony was wrong and that the search occurred after Read and McCabe found O’Keefe’s body shortly after 6 a.m. The discrepancy, prosecution witnesses said, stemmed from confusion around what the time stamp was referring to; they said the 2:27 a.m. stamp simply referred to when the web page that was later used for the search was first opened.

There were similarly differing claims over other evidence: calls that were deleted from the phone, or not; how fast Read’s car accelerated while in reverse; O’Keefe’s movements, based on data from his phone and watch.


Read’s team of lawyers mounted an aggressive defense, sharply cross-examining most of the government witnesses and also producing some of their own.

A judge declared a mistrial after the jury reported it was deadlocked and could not reach a verdict. Read maintains her innocence.

Berman noted that most defendants don’t have the financial means of Read, a financial analyst and adjunct professor who also benefited from the donations of ardent supporters. A defense effort that had less time, labor force, and money likely would not have been able to push back so forcefully on inconsistencies in the data, he said.

Ultimately, judges are the arbiters in determining the credibility of an expert witness or the validity of a science, guided by appeals court decisions, including precedents set by the US Supreme Court. The goal is to “winnow science from junk science,” said Rosanna Cavallaro, a Suffolk Law professor who teaches about evidence. But that can be difficult, she said, as new technologies and expertise in those technologies evolve.

Cavallaro also said a “battle of experts” can be detrimental to a case when the process devolves into each side simply hunting for the most favorable expert they can find — someone who not only will come to the conclusion they seek, but who will communicate it engagingly and effectively.

At times, she said, “you do become concerned that the person’s opinion is up for sale. The problem has been pervasive across the sciences.”

Sean Cotter can be reached at [email protected] . Follow him @cotterreporter .

Related results

  1. PDF PhD Thesis Alleviating the Digital Forensic Backlog: A Methodology for

    PhD Thesis Alleviating the Digital Forensic Backlog: A Methodology for Automated Digital Evidence Processing. Xiaoyu Du. A thesis submitted in fulfilment of the degree of

  2. PDF PhD Thesis Digital Forensics Practices: A Road Map for Building Digital

    First, this thesis looks into the existing practices in the DF community for carrying out digital investigations and more importantly the precise steps taken for setting up the

  3. PDF Title: Digital forensics: an integrated approach for the investigation

    Digital forensics has become a predominant field in recent times and courts have had to deal ... This thesis addresses issues regarding digital forensics frameworks, methods, methodologies and standards for acquiring digital evidence using the grounded theory approach. Data was

  4. PDF A THESIS PRESENTED Karthikeyan Shanmugam

    This thesis reviews the existing security models and digital forensics, paying particular attention to anti-forensic activity that affects the validity of data collected in the form of digital evidence.

  5. Digital forensics: an integrated approach for the investigation of

    This thesis addresses issues regarding digital forensics frameworks, methods, methodologies and standards for acquiring digital evidence using the grounded theory approach. Data was gathered using literature surveys, questionnaires and interviews electronically.

  6. Ethical and Legal Aspects of Digital Forensics Algorithms: The Case of

    The designed framework aims to minimise hazardous practices that lead to negative consequences and to effectively align the new technologies in digital forensics with human expertise for improved results during the phase of digital evidence acquisition.

  7. A Comprehensive Digital Forensic Investigation Model and Guidelines for

    The UEL Research Repository preserves and disseminates open access publications, research data, and theses created by members of the University of East London. It exists as an online publication platform that offers free permanent access to anyone. For more information about the repository and how to deposit your research contact: [email protected]

  8. Digital forensics research: The next 10 years

    The authors identified six categories for digital forensics research: Evidence Modeling, Network Forensics, Data Volume, Live Acquisition, Media Types, and Control Systems. This taxonomy is useful, but believe that the tactical analysis must be accompanied by strategic thinking.

  9. PDF Integrating Behavioural Analysis within the Digital Forensics

    aspects of digital forensics investigations, their daily investigative activities involved a limited use of this technique. The implications of the study were outlined, and emphasised the need to design a digital forensics investigation model that provides guiding steps and illustrations on how to utilise BA in digital forensics investigations.

  10. PDF Research Trends, Challenges, and Emerging Topics in Digital Forensics

    A digital forensics framework, also known as a digital forensics process model, is a sequence of steps that, along with the corresponding inputs, outputs and requirements, aim to support a successful forensics investigation [150], [151].

  11. PDF Digital Forensics: Validation of Network Artifacts Based on Stochastic

    In this thesis, a framework for the validation of network artifacts in digital forensics investigations is presented. The main hypothesis of this thesis is that the validity of network artifacts can be determined based on stochastic and probabilistic modeling of internal consistency of artifacts.

  12. PDF Context-Based Password Cracking for Digital Investigation

    This thesis aims to investigate the hypothesis that bespoke password candidate lists, generated based on available contextual information, can positively impact ... The aim of the proposed approach is to support digital forensic investigators in their criminal investigation - especially when time is of the essence. This ap-

  13. PDF Methods and Factors Affecting Digital Forensic Case Management

    Methods and Factors Affecting Digital Forensic Case Management, Allocation and Completion by Ibtesam Mohammed Alawadhi A thesis submitted in partial fulfilment for the requirements for the degree of Doctor

  14. Flinders University

    In this thesis, the benefits of using digital forensic software for born-digital preservation are explored, as well as the risk to collections should data remain unprocessed via the suggested methods.

  15. PDF The Development of Current Digital Forensics Policies and Federal Legislation

    The Development of Current Digital Forensics Policies and Federal Legislation, by Katherine Vreeland Snyder (B.S., Rochester Institute of Technology, 2017). A thesis submitted to the Faculty of the Graduate School of the University of Colorado in partial fulfillment.

  16. Brunel University Research Archive: Validating digital forensic evidence

    A meta-forensic approach is an approach intended to stop attempts to invalidate digital forensic evidence. This thesis proposes a formal procedure and guides forensic examiners to look at evidence in a meta-forensic way. This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.

  17. A Cognitive Skills Assessment of Digital Forensic Analysts

    This problem of practice study details a cognitive skills assessment of the digital forensic analyst profession by leveraging two Cognitive Task Analysis (CTA) research methods. The Simplified Precursor, Action, Result, Interpretation (PARI) method provided a framework for eliciting procedural skills, and the Critical Decision Method (CDM) supported the discovery of decision-making skills ...

  18. Dissertations / Theses: 'Digital Forensic investigations'

    List of dissertations / theses on the topic 'Digital Forensic investigations'. Scholarly publications with full text pdf download. Related research topic ideas.

  19. Digital forensics and community supervision: Making a case for field

    All digital forensics examiners should be properly trained in the field of digital forensics. All physical evidence should be inspected for proper working condition and documented.

  20. Recent Dissertation Topics in Forensic Science

    Recent Dissertation Topics in Forensic Science. This article serves as a compass, guiding readers through a diverse array of recent dissertation topics that encapsulate the multifaceted nature of forensic research. From digital forensics to forensic psychology, the chosen dissertation topics reflect the evolving challenges and advancements in ...

  21. MS in Digital Forensics

    Earn your master's in digital forensics, and gain the knowledge and skills required to protect technology against complex cybersecurity threats.

  22. M.Sc. Cybersecurity and Digital Forensics Thesis Topics

    Dear Albert, As part of the issues of cybersecurity and digital forensics, I propose the following topic for the thesis: Analysis of the impact of the increase in the development of e-commerce, e ...

  23. Top 5 Research Digital Forensics Thesis Ideas

    Digital Forensics Thesis Ideas 'Digital forensics' represents the collection of digital investigation techniques used for crime-based applications. It is a sophisticated platform to analyze evidence in digital format for legal issues.

  24. Digital Forensics Tools: The Ultimate Guide (2024)

    We wanted to bring together the ultimate guide to digital forensics tools - highlighting options available to examiners and when to use them.

  25. What Is Digital Forensics? The Weapon Against Cybercrime

    Did a crime happen? Is there digital evidence? Digital forensics is a forensic science that helps investigators study cybercrimes. Learn more here.
