
Introduction

IT forensics tools are used as aids by law enforcement authorities to monitor or gather evidence against criminals and wrongdoers who use computers and other computing devices to victimize specific individuals or the general public. As defined online [1], computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media.

Computer forensics tools are known to stop cybercriminals dead in their tracks. As illustrated in [2]: a financial analyst is suspected or confirmed to have committed a white collar crime like embezzlement, and the company decides to terminate the person. The employee is dismissed at 9 am, cleans up his desk with a security guard standing by and is escorted to the human resources (HR) department at 9:05 am. His computer and Blackberry are sent to the employer’s IT department, ideally accompanied by the security guard to safeguard the chain of custody. Then, the company’s IT people boot up the employee’s computer and begin to fish around in his e-mail and documents, seeking incriminating evidence. Perhaps they then copy all the relevant items to an external drive or CD. After all this has taken place, they send the forensics examiner the equipment or set it aside until that examiner arrives.

The contribution of IT forensics tools is lauded by many law enforcement agencies throughout the world. In the United States, law enforcement experts have cited the contribution of Microsoft in developing several IT devices to help neutralize cybercrime. Relevantly, more than 2,000 officers in 15 nations, including Poland, the Philippines, Germany, New Zealand and the United States, are using the device, which Microsoft provides for free. [3]

However, it is known throughout many online communities that forensic software is widely available all throughout cyberspace. Because of the multifarious benefits and uses that these programs bring to the table, computer-savvy individuals have managed to hack these programs out of secured servers. Because of the widespread availability of devices to supplement computers, highly computer-literate people have even developed analogous or hybrid versions of software that was supposed to be restricted to government or law enforcement use. As a result of the apparently loose safeguarding of these aids, it is opined throughout many IT forensic circles that the integrity of evidence gathered by these computer forensic tools, as regards admissibility in court, may be compromised.

This paper aims to highlight the lack of regulation and safeguards that characterizes the accessibility of these software tools. As admissibility of evidence may be affected by this situation, a more serious problem would appear on the horizon: the adaptability of cybercrooks to IT-related evidence and increased brazenness in their nefarious activities.

I. Computer forensics tools

Computer forensics tools are readily available commercially. Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROM, USB memory devices, and so on. Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID tags, and web pages (which must be preserved as they are subject to change). [4]

However, it is known that tools are not by themselves enough, as processes and safeguards as regards the evidence on hand need to be observed. Brian Carrier [5] of Purdue highlights the process in bringing the evidence to court:

  1. Acquisition
  2. Analysis
  3. Presentation

The Acquisition Phase saves the state of a digital system so that it can be later analyzed. This is analogous to taking photographs, fingerprints, blood samples, or tire patterns from a crime scene. As in the physical world, it is unknown which data will be used as digital evidence so the goal of this phase is to save all digital values.
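The two procedural points made so far (preserve every byte at acquisition, and keep an unbroken chain of custody, which the dismissal scenario above violates when the IT department boots the machine) can be made concrete in code. The following is an added example, not code from the original paper or from Carrier’s work: it hashes a drive image while copying it, keeps a custody log that records the evidence hash at every hand-off, and flags any hand-off after which the hash no longer matches the acquisition baseline. The drive contents and the custodians are constructed sample data.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample standing in for the raw bytes read from a seized drive.
# A real acquisition would read the device block by block through a hardware
# write blocker; a bytes object is used here so the example runs offline.
SAMPLE_DRIVE = (
    b"\x33\xc0\x8e\xd0" + b"\x00" * 506 + b"\x55\xaa"   # boot-sector-like block
    + b"ledger_q3.xls: transfers to account 0042\n"    # fictitious user data
    + b"\xff" * 200                                    # unused space
)


def acquire_image(source: bytes, block_size: int = 512):
    """Copy every block of the source and hash it while it is read.

    Returns (image, sha256_hex). Hashing during the copy means the recorded
    digest describes exactly the bytes that were preserved, and every byte is
    kept because at acquisition time nobody knows which ones will matter.
    """
    digest = hashlib.sha256()
    image = bytearray()
    for offset in range(0, len(source), block_size):
        block = source[offset:offset + block_size]
        image.extend(block)
        digest.update(block)
    return bytes(image), digest.hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash an image and compare with the digest recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


class CustodyLog:
    """Append-only record of who held the evidence, when, and its hash then.

    The first entry is the acquisition baseline; any later entry whose hash
    differs shows the evidence changed while in that custodian's hands.
    """

    def __init__(self):
        self.entries = []

    def record(self, custodian: str, action: str, state: bytes, when=None):
        entry = {
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "custodian": custodian,
            "action": action,
            "sha256": hashlib.sha256(state).hexdigest(),
        }
        self.entries.append(entry)
        return entry

    def broken_links(self):
        """Indexes of entries whose hash no longer matches the baseline."""
        if not self.entries:
            return []
        baseline = self.entries[0]["sha256"]
        return [i for i, e in enumerate(self.entries) if e["sha256"] != baseline]


def walkthrough():
    """Replay the dismissal scenario: the guard seizes the drive and an image is
    taken, then the IT department boots the machine (the boot writes to the
    drive) before the examiner receives it.  Hypothetical custodians."""
    image, digest = acquire_image(SAMPLE_DRIVE)
    booted = SAMPLE_DRIVE + b"\nlastlogin: 09:10\n"   # what the boot left behind
    log = CustodyLog()
    log.record("security guard", "seized and bagged", SAMPLE_DRIVE)
    log.record("IT department", "booted machine, browsed e-mail", booted)
    log.record("forensic examiner", "received", booted)
    return {
        "image_intact": verify_image(image, digest),
        "broken_links": log.broken_links(),
    }


if __name__ == "__main__":
    print(walkthrough())
```

The image taken by the guard still verifies, but the custody log shows the hash diverging from entry 1 onward, which is exactly the gap an opposing counsel would probe: the examiner can no longer show that what was received is what was seized.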

The Analysis Phase takes the acquired data and examines it to identify pieces of evidence. There are three major categories of evidence that are being looked into:

a. Inculpatory Evidence: That which supports a given theory

b. Exculpatory Evidence: That which contradicts a given theory

c. Evidence of tampering: That which cannot be related to any theory, but shows that the system was tampered with to avoid identification.

This phase includes examining file and directory contents and recovering deleted content. The scientific method is used in this phase to draw conclusions based on the evidence.

As to the Presentation Phase, it involves the offering of the analyzed evidence in judicial proceedings.

II. Computer forensics procedural rules: Philippine setting

The Supreme Court of the Philippines recognizes the role of electronic evidence in proving the commission of crimes and other wrongs that are often aided by computers and technologically-advanced devices, and thus the conviction or punishment of these offenders or wrongdoers.

A.M. No. 01-7-01-SC – Re: Rules on Electronic Evidence shall apply to cases pending after their effectivity. These Rules shall take effect on the first day of August 2001 following their publication before the 20th day of July in two newspapers of general circulation in the Philippines (dated 17th July 2001).

Salient features of the Rules include the recognition of ephemeral electronic communications as object evidence. These forms of communication refer to telephone conversations, text messages, chatroom sessions, streaming audio, and other forms of electronic communication, the evidence of which is not recorded or retained. [6] The Rules also recognize an electronic document as documentary evidence, the term referring to “information or the representation of information, data, figures, symbols or other modes of written expression, described or however represented, by which a right is established or an obligation extinguished, or by which a fact may be proved and affirmed, which is received, recorded, transmitted, stored, processed, retrieved or produced electronically. It includes digitally signed documents and any print-out or output, readable by sight or other means, which accurately reflects the electronic data message or electronic document. For purposes of these Rules, the term ‘electronic document’ may be used interchangeably with electronic data message.” [7]

III. Lack of Regulation/Accessibility

It is very common among online communities to talk about the apparently widespread availability of computer forensics tools in webspace and even in commercial hardware form. Several blog communities state that new computer forensic software tools, initially thought of as restricted to government use, are actually available online under different variants or names but produce essentially the same results. [8] It is also cited that popular computer software programs can actually be used as digital forensic tools, among them Photoshop, Gimp, 3DS Max, Maya and Bryce. [9] It is not uncommon that once in a while a computer forensic software or hardware tool that was available only within a confined group is uploaded by someone to a computer for distribution online. [10] Evidently, the inherent ease with which a program can be uploaded has contributed to the accessibility of such software. Adding to this problem is the additionally wide availability of computer-literate individuals and machines that would unlock access-control features within the software (e.g. passwords, information, or encryption technologies).

Aside: The COFEE Leak

Recently, several IT newspapers, magazines and even newspapers of general circulation reported the upload of the software COFEE, developed by Microsoft, making it available to the Internet community for a certain period of time before it was taken down by Microsoft and U.S. law enforcement authorities.

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June 2009 based on reports.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer. It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site. [11]

As news of the leak was only announced by Microsoft during November 2009, the effects of the momentary upload of COFEE remain to be seen. However, several IT writers expect that reverse-engineered code may be available after several months. They have also opined that the abilities of COFEE are already present among computer forensic tools accessible online. [12]

IV. Consequences of Lack of Regulation

1. Emergence of underground anti-forensics

In general terms, anti-forensics refers to various systems or procedures to negate, combat, or neutralize the desired effect of computer forensic software. It is technically defined as “attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct.” [13] Proceeding from these definitions, the negative or undesirable effect of anti-forensics on criminal investigation, and later on criminal prosecution, becomes magnified. However, it may be pointed out that anti-forensic tools may be either good or bad as measured against the aforesaid criminal investigation purposes. More specifically, others believe that these tools should be used to illustrate deficiencies in digital forensic procedures, digital forensic tools, and forensic examiner education. This sentiment was echoed at the 2005 Blackhat Conference by anti-forensic tool authors James Foster and Vinnie Liu. They stated that by exposing these issues, forensic investigators will have to work harder to prove that collected evidence is both accurate and dependable. They believe that this will result in better tools and education for the forensic examiner. [14]

The following are anti-forensic tools that may be used by Blackhat hackers:

a. Data hiding

Data hiding is the process of making data difficult to find while also keeping it accessible for future use. “Obfuscation and encryption of data give an adversary the ability to limit identification and collection of evidence by investigators while allowing access and use to themselves.” [15]

b. Steganography

Steganography is a technique where information or files are hidden within another file in an attempt to hide data by leaving it in plain sight. “Steganography produces dark data that is typically buried within light data (e.g., a non-perceptible digital watermark buried within a digital photograph).” Some experts have argued that the use of steganography techniques is not very widespread and therefore shouldn’t be given a lot of thought. Most experts will agree that steganography has the capability of disrupting the forensic process when used correctly [16].

c. Encryption

The majority of publicly available encryption programs allow the user to create virtual encrypted disks which can only be opened with a designated key. Through the use of modern encryption algorithms and various encryption techniques these programs make the data virtually impossible to read without the designated key. [17]
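The three anti-forensic techniques just listed (data hiding, steganography by appending to an innocuous carrier, and encryption) each leave traces an examiner can test for during the Analysis Phase. The following is an added example, not code from the original paper or from any of the cited authors: a small triage routine that flags a file whose content signature disagrees with its extension, counts bytes appended after a PNG’s IEND chunk, and measures Shannon entropy to flag data that is likely encrypted or compressed. The signature table, threshold, and the 1x1 PNG built by `minimal_png()` are assumptions constructed for the example.

```python
import math
import struct
import zlib

# Minimal magic-byte table (constructed; a real tool carries hundreds of entries).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; 8.0 is the maximum (assumed cut-off)


def identify(data: bytes):
    """Return the type implied by the file's leading bytes, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the content signature disagrees with the file's extension
    (a classic data-hiding trick: renaming an archive or image to .txt)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(data)
    if kind is None:
        return False          # unknown content type: nothing to compare against
    aliases = {"jpg": "jpeg"}
    return aliases.get(ext, ext) != kind


def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list (length, type, data, crc) and return how many
    bytes follow the IEND chunk.  Viewers stop at IEND, so anything after it
    is invisible to the user but still on disk."""
    if identify(data) != "png":
        raise ValueError("not a PNG")
    pos = 8                                   # skip the 8-byte signature
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                 # header + payload + CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("truncated PNG: no IEND chunk")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext and compressed data sit near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def minimal_png() -> bytes:
    """Build a valid 1x1 RGB PNG (constructed carrier for the example)."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one RGB pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def triage(name: str, data: bytes):
    """Run the three checks and return the list of findings for one file."""
    findings = []
    if extension_mismatch(name, data):
        findings.append("signature/extension mismatch")
    if identify(data) == "png":
        trailing = png_trailing_bytes(data)
        if trailing:
            findings.append(f"{trailing} bytes appended after IEND")
    if len(data) >= 256 and shannon_entropy(data) > ENTROPY_THRESHOLD:
        findings.append("high entropy (possibly encrypted or compressed)")
    return findings


if __name__ == "__main__":
    # Constructed samples: a clean carrier, the same carrier with data appended,
    # a renamed image, and a high-entropy blob standing in for an encrypted volume.
    for name, blob in [("photo.png", minimal_png()),
                       ("photo.png", minimal_png() + b"secret ledger"),
                       ("notes.txt", minimal_png()),
                       ("vault.dat", bytes(range(256)) * 16)]:
        print(name, triage(name, blob))
```

The entropy check is deliberately a flag rather than a verdict: a ZIP or JPEG body is also near 8 bits per byte, so a high-entropy hit only tells the examiner which files deserve a closer look. The entropy and trailing-data findings are the kind of “checks for accuracy and reliability” and “integrity of the information” that the evidentiary-weight factors discussed later in this paper ask a court to weigh.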

(Note: The succeeding consequences/effects are more concrete and perceived effects of the lack of regulation of forensic software.)

2. Concerns over the admissibility of forensic evidence

With the easy access to forensic tools, variants to copy its effects, or tools to neutralize its intended benefits, it could be inevitable that concerns over its admissibility may reach the judiciary and thus lead to a change of existing procedural laws.

Evidence, to be admissible, needs to be categorical, factual/definite, adverse to the other party, and knowingly or voluntarily made by the party concerned. Lack of one would make the evidence mere hearsay [18]. The lack of dependability of forensic evidence may impinge on the factual aspect of evidence, and could make the offered evidence hearsay.

Even if forensic evidence maintains its admissibility in procedural law, the weight of such evidence would certainly be affected if doubts as regards its credibility continually propagate. This possibility would certainly be relevant in criminal prosecution, as any conviction is based on guilt beyond reasonable doubt, that is, moral certainty, or that degree of proof which produces conviction in an unprejudiced mind [19]. Forensic evidence that lacks credibility would affect the said degree of conviction and thus affect its weight as evidence for the prosecution. In statutory law, Congress has valued this need for reliability as set forth in Republic Act No. 8792:

“Section 12. Admissibility and Evidential Weight of Electronic Data Message or electronic document. – In any legal proceedings, nothing in the application of the rules on evidence shall deny the admissibility of an electronic data message or electronic document in evidence –

(a) On the sole ground that it is in electronic form; or

(b) On the ground that it is not in the standard written form, and the electronic data message or electronic document meeting, and complying with the requirements under Sections 6 or 7 hereof shall be the best evidence of the agreement and transaction contained therein.

In assessing the evidential weight of an electronic data message or electronic document, the reliability of the manner in which it was generated, stored or communicated, the reliability of the manner in which its originator was identified, and other relevant factors shall be given due regard.”

In the Revised Rules of Electronic Evidence, the need for reliability of forensic evidence takes a more definite shape:

“SECTION 1. Factors for assessing evidentiary weight. – In assessing the evidentiary weight of an electronic document, the following factors may be considered: 

(a) The reliability of the manner or method in which it was generated, stored or communicated, including but not limited to input and output procedures, controls, tests and checks for accuracy and reliability of the electronic data message or document, in the light of all the circumstances as well as any relevant agreement;

(b) The reliability of the manner in which its originator was identified; 

(c) The integrity of the information and communication system in which it is recorded or stored, including but not limited to the hardware and computer programs or software used as well as programming errors; 

(d) The familiarity of the witness or the person who made the entry with the communication and information system; 

(e) The nature and quality of the information which went into the communication and information system upon which the electronic data message or electronic document was based; or 

(f) Other factors which the court may consider as affecting the accuracy or integrity of the electronic document or electronic data message.”

3. Increase in computer-related crimes

As set forth in the discussion above, increased complexity of computer systems may lead to an increase in ways to offset the purpose of such systems. For example, anti-forensic tools may open loopholes in, and damage, computer forensic systems, leading to more varied problems, the very problems which the original system aimed to solve [20]. To illustrate, computer forensic software that can immediately track the IP address of computers may be neutralized by anti-forensic software that would give the authorities a false or non-existent address. Such anti-forensic software could turn out to be a variant of software that is available online. With the maze so created, the criminal and his Blackhat hacker may nefariously navigate throughout cyberspace given the leeway created by the false address.

(Several online communities have pointed out that this consequence would be the ultimate effect of lack of regulation as its effect towards national economy and public order would be more pervasive) [21].

Conclusion

With the lack of regulation of computer forensic tools, the online communities are certainly correct that national economy and public order would be the ultimate variables directly affected. In the Philippine setting in particular, it is obvious that the regulation, handling and enforcement of only a few statutes, and lax rules and regulations relevant to the abuse of forensic software, would continue if the current formula of legislation and enforcement remains unchanged.

With sluggish legislation a given, the state of enforcement of software regulation is the one factor that could be dynamic given joint efforts of the authorities, the private sector, the online communities and the public. For the authorities, the E-Commerce Law has provided some teeth in enforcement, as the call of the legislature for reliable evidence should lead them to the creation of a computer forensics division (which is already in place and termed the Anti-Fraud and Computer Crimes Division in the NBI), the continuing education of a dedicated police force through participation in software forensic seminars in leading countries (e.g. United States and Germany), and the need to keep abreast of forensic software updates with the FBI and Interpol. On the other hand, the private sector should involve itself and enter into partnerships with the government to produce computer software tools to combat cybercrooks. Government incentives, regulatory or fiscal, may enhance private sector involvement.

As regards the online communities and the public, the government and private sectors should organize symposiums, seminars, and awareness programs on the developments and dangers of computer crimes. Proactivity and coordination between the sectors are a must.

Lastly, responsive legislation should still follow suit. With the ever-increasing complexity of computer systems and software, there is an inevitable need for a central electronic information systems authority in the country to address regulation and enforcement of existing and prospective computer forensic laws.


[1] http://en.wikipedia.org/wiki/Computer_forensics

[2] http://www.abanet.org/lpm/lpt/articles/tch11071.shtml

[3] http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html

[4] http://en.wikipedia.org/wiki/Computer_forensics

[5] http://www.digital-evidence.org/papers/opensrc_legal.pdf

[6] Sec. 1(k), Rules on Electronic Evidence

[7] Sec. 1(h), Rules on Electronic Evidence

[8] http://msforums.ph/forums/t/48034.aspx

[9] http://www.technologyreview.com/computing/20423/

[10] http://forum.ebaumnation.com/showthread.php?s=b5269dbaf23903a85c26b520f62283dd&t=33001

[11] http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html

[12] blogs.zdnet.com/Bott/?p=435, http://msforums.ph/forums/t/48034.aspx

[13] Rogers, D. M. (2005). Anti-Forensic Presentation given to Lockheed Martin. San Diego.

[14] Foster, J. C., & Liu, V. (2005). Catch me, if you can… Las Vegas: Blackhat Briefings

[15] Peron, C.S.J. (n.a.). Digital anti-forensics: Emerging trends in data transformation techniques. from Seccuris: http://www.seccuris.com/documents/whitepapers/Seccuris-Antiforensics.pdf

[16] Berinato, S. (2007). Supra.

[17] http://en.wikipedia.org/wiki/Counter_forensics#cite_note-2#cite_note-2

[18] Regalado, F.D., Remedial Law Compendium, 1998

[19] Rule 133, Sec. 2; Rules of Court

[20] http://www.abanet.org/lpm/lpt/articles/tch11071.shtml

[21] http://seattletimes.nwsource.com, supra; http://msforums.ph/forums/t/48034.aspx; http://www.gseis.ucla.edu/iclp/bfox.html