On Certainty Level of Digital Evidence
Problem Statement
Cyber attacks and online criminal activities are growing rapidly. However, the level of certainty of the digital evidence behind a finding is rarely stated explicitly by investigators. This can lead to misinterpretation and shaky conclusions.
Continuity of Offense
Digital investigators should ideally collect and examine unbiased and unaltered evidence from the source (e.g. the attacker's PC), the channel (traces on the network), and the target (e.g. the victim's PC) of a cyber crime. Each of these three areas can hold multiple sources of digital evidence, which together can be used to establish the continuity of offense (COO). The more corroborating evidence the investigators can obtain, the more certainty they can have in their conclusions (Casey 2002).
Sources of Uncertainty
(1) Locational Uncertainty
Cyber criminals can use various tools to change or hide their real IP addresses. For example, a packet can be sent with a spoofed source address, or a log entry can be fabricated to misdirect investigators. Victims' PCs can also be compromised through phishing email and malware and then used as intermediaries for attacks or cyber espionage, so the address observed at the target may belong to an unwitting third party rather than to the attacker.
(2) Temporal Uncertainty
System logs can be altered or deleted by attackers, so the true sequence of events and the associated time stamps cannot be reliably reconstructed by investigators. Even without tampering, clocks on different systems drift and are set to different time zones, so timestamps must be normalized to a common reference before traces are compared.
(3) Identity Uncertainty
Personal identity can be falsified on most social media platforms, including public email accounts. The sender information in email headers is supplied by the sender and can be manipulated, for example by sending the message through a relay that does not verify it.
Thus, forensic examiners should always keep in mind that a sophisticated attacker in one location may have staged the crime scene to make it appear to be the work of a different identity, in a different location, at a different time.
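The identity uncertainty above can be made concrete by separating what a message asserts from what our own mail servers observed. The following is an added example, not code from the original article: it walks the Received: chain of two constructed messages (hypothetical hosts, RFC 5737 test addresses), treats only the Received: line written by an MTA we control as reliable, and reports everything below it as an unverified claim from the remote side. The trusted MTA name and the list of legitimate sending IPs are assumptions supplied by the caller.

```python
"""Separate what an e-mail's headers assert from what our own mail servers observed."""
import email.utils
import re
from email import message_from_string

# Constructed sample messages with hypothetical hosts and RFC 5737 test addresses.
# MTAs prepend Received: headers, so the first one is the last hop (the one we wrote).
FORGED_MESSAGE = """\
Received: from relay.example-isp.net (relay.example-isp.net [198.51.100.7])
\tby mx.victim.example (Postfix) with ESMTPS id 4F2A1
\tfor <cfo@victim.example>; Tue, 10 Jun 2014 09:14:03 +0000
Received: from unknown (HELO mail.victim.example) (203.0.113.45)
\tby relay.example-isp.net with SMTP; Tue, 10 Jun 2014 09:13:58 +0000
From: CEO <ceo@victim.example>
To: cfo@victim.example
Subject: Urgent wire transfer

Please process the attached payment today.
"""
GENUINE_MESSAGE = """\
Received: from mail.victim.example (mail.victim.example [192.0.2.25])
\tby mx.victim.example (Postfix) with ESMTPS id 7C0B9
\tfor <cfo@victim.example>; Tue, 10 Jun 2014 10:02:11 +0000
From: CEO <ceo@victim.example>
To: cfo@victim.example
Subject: Budget meeting

See you at 11.
"""

HOP_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(HELO\s+(\S+)\))?", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value: str) -> dict:
    """Pull the claimed sending host, the IP the receiving MTA saw, and the receiving MTA."""
    value = " ".join(value.split())  # unfold continuation lines
    m_from = HOP_RE.search(value)
    m_by = BY_RE.search(value)
    ips = IP_RE.findall(value)
    return {
        "claimed": (m_from.group(2) or m_from.group(1)) if m_from else None,
        "ip": ips[0] if ips else None,
        "by": m_by.group(1).lower() if m_by else None,
    }


def assess_sender_identity(raw: str, trusted_mtas: set, known_senders: dict) -> dict:
    """Compare the From: domain with the hop that first reached an MTA we control.

    Only Received: lines written by our own MTAs are taken at face value. Everything
    below them was supplied by the remote side (e.g. an untrusted relay) and can be
    fabricated, so it is reported separately as an unverified claim.
    """
    msg = message_from_string(raw)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    hops = [parse_received(h) for h in msg.get_all("Received", [])]  # newest first

    entry_hop, untrusted = None, hops
    for i, hop in enumerate(hops):
        if hop["by"] in trusted_mtas:
            entry_hop, untrusted = hop, hops[i + 1:]
            break

    entry_ip = entry_hop["ip"] if entry_hop else None
    return {
        "from_domain": from_domain,
        "entry_ip": entry_ip,
        "entry_host": entry_hop["claimed"] if entry_hop else None,
        # The IP observed by our MTA is the only part of the path not chosen by the sender.
        "corroborated": entry_ip in known_senders.get(from_domain, set()),
        "untrusted_claims": [h["claimed"] for h in untrusted if h["claimed"]],
    }


if __name__ == "__main__":
    policy = {"victim.example": {"192.0.2.25"}}  # hypothetical list of legitimate senders
    for raw in (FORGED_MESSAGE, GENUINE_MESSAGE):
        print(assess_sender_identity(raw, {"mx.victim.example"}, policy))
```

For the forged message the trusted hop shows the mail entering from an external relay at 198.51.100.7, while the claim that it came from mail.victim.example exists only in a Received: line the relay (or the sender) wrote. Authentication results such as SPF or DKIM, where present, give an independent check on the same question.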
On the other hand, one advantage of networks as a source of digital evidence is that a single event leaves traces on multiple systems. Traces from different systems can therefore be compared for consistency, and it is difficult for criminals to destroy or alter all digital traces of their network activities.
Certainty Levels of Digital Evidence
Observations
To reduce the risk of incorrect conclusions it is highly desirable to quantify the uncertainty of digital evidence. In addition to collecting evidence from multiple, independent sources for cross-reference, digital investigators should rate their level of confidence in each relevant piece of digital evidence in light of the sources of uncertainty described above. Using such a systematic method to qualify conclusions helps decision makers assess the reliability of the information they are given and anticipates the challenges that will be raised in court.
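The cross-referencing of traces from multiple systems (the point made under Sources of Uncertainty) and the rating of confidence suggested here can be combined in one check. The following is an added example, not code from the original article: constructed traces from a perimeter firewall (channel), the victim's web server (target) and an ISP NAT record (source), all with hypothetical hosts and RFC 5737 test addresses, are normalized to UTC, corrected for the measured clock error of each source, and the number of independent sources that agree on an event is turned into a certainty label. The clock offsets, the 30 second matching window and the four-step rating scale are illustrative assumptions, not a scale the article defines.

```python
"""Cross-reference traces of one network event from independent systems and
rate how well they corroborate each other."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample traces with hypothetical hosts and RFC 5737 test addresses.
# Channel: perimeter firewall, logging in UTC.
FIREWALL_LOG = """\
2014-06-10T09:14:03Z ACCEPT src=203.0.113.45 dst=192.0.2.10 dport=443
2014-06-10T09:14:09Z ACCEPT src=198.51.100.23 dst=192.0.2.10 dport=443
"""
# Target: victim web server, logging in local time (+0200).
WEB_ACCESS_LOG = """\
203.0.113.45 - - [10/Jun/2014:11:15:20 +0200] "POST /admin/login HTTP/1.1" 200 512
198.51.100.23 - - [10/Jun/2014:11:15:25 +0200] "GET /index.html HTTP/1.1" 200 2048
"""
# Source side: ISP NAT record tying the public address to a subscriber (UTC).
ISP_NAT_RECORDS = [("2014-06-10 09:13:58", "203.0.113.45", "SUB-00123")]

# Clock error of each source, as (hypothetically) measured against a reference clock
# at acquisition time. The web server was found to run 75 seconds fast.
CLOCK_OFFSETS = {
    "firewall": timedelta(0),
    "webserver": timedelta(seconds=75),
    "isp": timedelta(0),
}

FW_RE = re.compile(r"^(\S+) ACCEPT src=(\S+) dst=\S+")
WEB_RE = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\]")


def parse_firewall(text: str) -> list:
    """Firewall lines -> (source, UTC time, client IP)."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            t = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(("firewall", t, m.group(2)))
    return events


def parse_web(text: str) -> list:
    """Apache-style access log lines -> (source, UTC time, client IP)."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            t = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            events.append(("webserver", t.astimezone(timezone.utc), m.group(1)))
    return events


def parse_isp(records: list) -> list:
    """NAT records -> (source, UTC time, public IP); the subscriber id is kept out of the match."""
    return [("isp", datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc), ip)
            for ts, ip, _subscriber in records]


def normalize(events: list, offsets: dict) -> list:
    """Subtract each source's measured clock error so timestamps are comparable."""
    return [(src, t - offsets[src], ip) for src, t, ip in events]


def corroborating_sources(events: list, src_ip: str, anchor: datetime,
                          window: timedelta = timedelta(seconds=30)) -> set:
    """Sources holding a trace of src_ip within `window` of the anchor time."""
    return {src for src, t, ip in events if ip == src_ip and abs(t - anchor) <= window}


def rate_certainty(sources: set) -> str:
    """Illustrative scale: certainty grows with the number of independent vantage points."""
    n = len(sources)
    if n == 0:
        return "no evidence"
    if n == 1:
        return "single source, uncorroborated"
    if n == 2:
        return "corroborated by two independent sources"
    return "corroborated by three or more independent sources"


def assess(src_ip: str, anchor_iso: str, correct_clocks: bool = True) -> tuple:
    """Rate the evidence that src_ip contacted the target at the given UTC time."""
    anchor = datetime.strptime(anchor_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    events = parse_firewall(FIREWALL_LOG) + parse_web(WEB_ACCESS_LOG) + parse_isp(ISP_NAT_RECORDS)
    if correct_clocks:
        events = normalize(events, CLOCK_OFFSETS)
    sources = corroborating_sources(events, src_ip, anchor)
    return sorted(sources), rate_certainty(sources)


if __name__ == "__main__":
    print(assess("203.0.113.45", "2014-06-10T09:14:03Z"))
    # Without the clock correction the web server trace falls outside the window.
    print(assess("203.0.113.45", "2014-06-10T09:14:03Z", correct_clocks=False))
```

Running the same query with `correct_clocks=False` shows the temporal uncertainty discussed earlier: the uncorrected web server entry sits 77 seconds from the firewall entry, so it drops out of the match and the rating falls from three sources to two even though the event is real. The matching window should be chosen wider than the residual clock uncertainty after correction, and a source that records the same address only at a clearly different time is a conflict to be explained, not a corroboration.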
When the level of certainty is low, the case must either be dropped or supported with further evidence: other digital sources, or firmer proof such as confessions, video recordings or physical evidence.
References
Arthur, K.K. 2010. "Considerations Towards the Development of a Forensic Evidence Management System", Master's thesis, Faculty of Engineering, University of Pretoria.
Casey, E. 2002. "Error, Uncertainty, and Loss in Digital Evidence", International Journal of Digital Evidence, Summer 2002, Vol. 1, Issue 2.
Mehta, S. 2012. "Cyber Forensics and Admissibility of Digital Evidence", retrieved on 15/6/2014 from http://www.supremecourtcases.com/index2.php?option=com_content&itemid=135&do_pdf=1&id=22821