Digital Evidence in Cyber Forensics Examinations
In the past, the term computer evidence implied “the consistent print out from a computer”. In the world today, however, computer evidence signifies the data from the storage media, including hard drives and floppy disks, capturing of data transmitted through communications links, emails, and log files that are generated through operating systems (Tecuci et al., 2011). In addition, the formerly called computer evidence is now being referred to as digital evidence, which also comprises the new class of evidence that is largely drawn from an array of digital tools that do not fit into the conventional idea of a computer, which may include devises, such as mobile phones and laptops.
A body that has largely or extensively acknowledged techniques for clutching computers and digital storage media or copying the media contents has been created. Moreover, various techniques and tools address the evaluation the content of digital information that is highly applicable to a given investigation, and the presentation of that particular proof. Furthermore, these varied techniques, and the resultant data need to be both autonomously provable and highly implicit in contexts, including the courts of law. Protocols have been developed that are largely able to prevent the deportation of evidence, which are also very able to establish the continuity of evidence. Additionally, various techniques and protocols, which establish evidence and have such evidence acknowledged by the courts of law form part of the practice of digital forensics (USA, 2007).
For over ten decades now, courts of law have been faced with various challenges that relate to admitting digital related evidence. During these times and situations, the courts have mostly followed from the rules of proof, based on their legitimate tradition, for direction whether to admit the evidence into proceedings or reject such evidence (USA, 2007).
The concept of digital evidence is different from the prevailing forms of physical evidence. Moreover, digital evidence does not contain informational value. For this reason, it contrasts with usual types of evidence including such evidences as documents and testimony, which are largely understood by the literate as well as conversant. In addition, the content of the digital evidence is very reliant upon the process through which it is given interpretation. Therefore, while this process of interpreting the information is largely based on the principles of computer science, it can be possibly be undertaken manually by a skilled professional with enough time as well as motivation. Therefore, imperatives including efficiency and reliability have profoundly driven the rate of adoption of these tools in efforts to mechanize them (Ieong, 2006). In the past, the printouts of this discrimination was not very strong, but as the police embarked to seize the storage media in broad practice, the functions of these tools in processing the digital evidence have actually come to the fore.
The explosion of cyber crimes has driven the need for the analysis or evaluation of the various digital proofs. As forensic science has long been applied in order to determine legal disputes concerning various aspects of science, cyber forensics is fundamentally developed in a natural way in the aspects of cyber crimes and misconducts, therefore making the motivation for study in this paper.
Deductive, Inductive and Abductive Reasoning in the Context of Cyber Forensics Analysis
Reasoning is the approach of coming or arriving into a conclusion through the use and application of logical arguments. There are three major forms of reasoning, which include the inductive, deductive, and abductive reasoning.
Just like the out-dated forensics, cyber forensics entails the formulation of hypotheses that are grounded on the available evidence as and facts. Moreover, the digital evidence has been statutory witnesses for a long time. However, it is a controversial issue that conclusions from revealed digital evidence are subjective views that are without scientific justifications (Toulmin, 2003). Therefore, abductive reasoning in the cyber forensics is the process of analysis and interpretation of the available evidence in efforts to determine the probability of a given crime. It is based on observation in finding the likelihood of a crime happening.
Algorithm for Abductive Reasoning
Prob (H|E) is understood as posterior likelihood. It implies to the probability value in that when evidence (E) is recognized, the level of belief that the hypothesis (H) has actually happened. In addition, the prob (H) implies to the prior likelihood of the hypothesis (H) at a stage in which the evidence is not yet accessible. Moreover, the prob (E) is the also the prior chance of evidence (E), which is also referred as a normalizing constant. Thus, the above expression can be interpreted as: Likelihood Ratio =posterior probability normalizing constant/ hypothesis prior probability. However, given that the probability ratio is relative to posterior likelihood, the huge the posterior likelihood denotes a higher probability ratio. Besides, in regard to the evidence, it also implies the evidence that supports the hypothesis, more possibly that the hypothesis is very true (Toulmin, 2003).
Example of Abductive Reasoning
The abductive reasoning varies significantly from the other two forms of reasoning (deductive and inductive). For instance, in a crime case, after observing and seeing the eight mails coming to a mailbox, a person can abduct that the signal mail hit the eight mails. The arrival of the signal mail would account for the movement of the eight mails. It then serves as a hypothesis that explains the observation arrived at. Given the many probable explanations for the movement of the eight mails, the abduction does not leave the observer certain that the signal main hit the eight mails, but the abduction, still useful, can serve to orient people in their surroundings.
Case Study for Abductive Reasoning
Case study is the in-depth and detailed study of a situation, an incident, as well as a person. The case study in this case will involve in-depth or detailed information about abductive reasoning in relation to how it enhances validation of digital evidence in cyber forensic examinations. Today, across the world, people have benefited from the acquaintance to new research about how people think and act in the abstract world. Abductive reasoning has been manifested in various contexts and fields of uncertainties. Abductive reasoning is based on perceptions of individuals (Toulmin, 2003). Therefore, in the context of cyber forensics analysis, people have adopted cyber forensics in the modern world because of the connections with human beings and the realities that the cyber evidence provides.
As mentioned earlier, deductive reasoning is one of the different forms of logic. What is deductive reasoning? In contrast to the other forms of logic, deductive reasoning starts from the top downwards. Essentially, it can be defined as a concept of reasoning that is usually from a single or more statements in order to reach at a certain conclusion. It should be noted that in this type of reasoning, premises are always linked to conclusions. That is to say, if the premises or statements made are correct, clear, valid and true, it is obvious that the conclusion made from the premises or statements is also correct, clear, valid, and true. In the context of cyber forensics analysis, it would be argued that if the evidence collected through technology, such as computers or Smartphone is true, of which video evidence is always true, the conclusion that will be made will also be true. Video evidences often prove the innocence or guilt of an individual, without arguments.
Algorithm for the deductive method of reasoning
In deductive reasoning, the conclusion must be made based on the statements and premises. Thus, the algorithm for deductive reasoning is as follows:
- Premise 1
- If P, then Q
- Premise 2
- P is true
- Q is true because P is true
Example of Deductive Reasoning
There are a number of situations in normal life that indicate or rather show deductive reasoning. However, emphasis must always be made that the conclusion is dependent of the statements or premises. If the premises or statements made are true, the conclusion is true. Besides, if the statements or premises made are false, the conclusion must also be false. An example of deductive reasoning is as follows:
Premise 1- All students are thieves
Premise 2- John is a student
Conclusion- therefore, John is a thief.
Premise 1- All women are entrepreneurs
Premise 2- Rose is a woman
Conclusion: Therefore, Rose is an entrepreneur
Case Study on Deductive Reasoning
Deductive reasoning has been applied in cyber forensics to determine the reliability and credibility of evidences given or brought forward during cases. Court systems have had an easy time in making conclusions on cases of evidence in form of a video is produced. For instance, if a video of people robbing a woman is presented before a court of law as an evidence of a crime, and the accused, in such as a case John, is seen in the video, then the judge or magistrate has the right to make a ruling that John is a robber and should be charged or sentenced. Notably, the deductive reasoning in this case is that making a correct hypothesis depends on the whether the premises are correct or true. The face of John is seen in the video among people robbing a woman; hence, the conclusion that John is a robber will be true.
This form of reasoning or logic is different from abductive and deductive forms of reasoning. It is argued that in deductive reasoning, the conclusion made from the premises is certain and true. However, the conclusion made from the premises in inductive reasoning is perceived to be probable. For instance, in a crime case, when cyber forensics is applied where a video is produced showing a group of individuals robbing a woman, and the face of an accused person is seen in the video, a conclusion that the accused is most likely to be a robber will be made. The difference here is that in deductive reasoning, the conclusion made is true and certain while in inductive reasoning, the conclusion made is a probability.
Algorithm for Inductive Reasoning
It should be noted that in inductive reasoning, although the conclusions are also made on the premises or statements, they are not certain but are probable.
The algorithm for the inductive reasoning is as follows:
A video presented of people robbing a woman
John is seen among the people.
There is a probability that John is a robber.
Example of inductive Reasoning
Inductive reasoning can help people make conclusions in a court of law where cyber forensics has been applied. However, the conclusions made are probabilities though they can still help in the prosecution of the accused in courts of law.
An example of inductive reasoning is as follows:
People are captured in a video robbing a woman in the streets
John is seen among the people robbing the woman
There is a probability that John is a robber.
Case Study on Inductive Reasoning
Inductive reasoning has played an integral role in helping people come up with conclusions on various cases or incidences in everyday life. Decision making in justice systems is often hard, but the introduction of cyber forensics has helped in the improvement of decision-making processes. Videos used or presented by forensic analysts in courts have helped people come up with conclusions though they are probabilities. Notably, it is preferable to have a probable conclusion than to have no conclusion at all. Inductive reasoning has become part of cyber forensics used in court processes.
Reasoning at different stages of the cyber forensic investigation process
The cyber forensic investigation process emphasises on the use of the computer technology and other technologies, such as mobile phones and cameras to collect evidence that are vital in civil, criminal, and administrative cases in courts of law (InternationalCompetitionNetwork(ICN), 2010). Cyber forensic investigation has become part of human beings’ everyday life. In fact, most cases won in law courts are as a result of the use of cyber forensics investigation. Unlike the ancient times, the process of decision making in criminal, civil, as well as administrative cases has become easier. The forensic investigative process involves different stages: acquisition, analysis, and reporting. Reasoning takes place at each of the three stages of the cyber forensic investigative process. In the acquisition process, duplicates are created through the use of hard-drive duplicators or software-imaging tools, after which the image of an accused person performing a crime is acquired (Leucari, 2005). The reasoning in this stage is whether the accused appears in the image acquired. If the accused appears in the image acquired, there is a probability that he/she and others perpetrated the crime; hence, he or she can be charged. Another stage in forensic investigative process is the analysis stage. In this stage, the investigator for analysis retrieves the image files in order to identify the evidence that supports or is in contradiction to the hypothesis. This stage also experiences reasoning because the presence of the image of an accused person will spark a conclusion that he is part of the crime committed (Losavio et al, 2008). This will be a good basis or platform for prosecution of the accused individual. The other stage in the cyber forensic investigation process is reporting. During the reporting stage, reasoning is vital because it makes or leads to a correct conclusion. The person reading the report has to reason that the accused person is seen in the images presented during the case and thus, he must be one of the perpetrators of the crime (Marcella & Guillossou, 2012).
Processes that assist in developing a case hypothesis and alternative hypothesis
Developing case hypothesis, as well as alternative hypothesis in the cyber forensic investigative process is vital. It should be noted that there are various process in the development of case and alternative hypothesis. The key stakeholders of the problem, in this case, the investigators, need to review the overview of the case or problem (Sherman, 2006). They should look at where the problem happened, the individuals suspected to be part of the problem, and their reasons for causing the problem. The forensic instigators should also provide additional information to support their view of the problem. This may include the videos or images of individuals or an individual committing a certain crime. The other processes involved in the development of the case hypothesis or the alternative hypothesis is the determination of reasons why the problem at hand might have occurred (Saad & Traore, 2010).
Toulmin’s model may also play an integral role in the process of developing a case hypothesis and alternative hypothesis. According to Stephen Toulmin, arguments should be analyzed using a wider format than the traditional one of formal logic, where only premises and conclusions are distinguished. Toulmin gives an example of a claim that an individual by the name Harry is a British subject. Toulmin argues that the claim is supported by the fact that Harry is born in Bermuda, because there is a warranty that a man born in Bermuda will generally be a British citizen. Since the warrant cannot be justified, the fact that Harry is a British must be qualified. In a case, a claim can be made that Peterson is a robber. The claim can be supported by the fact that Peterson was born in Kingston, and that there is a connection between being born in Kingston and being a robber. In this case, a conclusion can be made that people born in Kingston are robbers. Therefore, Toulmin’s model can help develop a case hypothesis that Peterson is a robber. Generally, Toulmin’s model helps come up with conclusions or hypotheses during any court case.
Case Study on analysis process in a child pornography case to develop more reliable case hypotheses
The analysis process or stage in cyber forensic investigations involves the identification of evidence that support or contradict the hypothesis at hand. During the process, the forensic investigator retrieves or recovers evidence materials, such as images, videos, mails, chat logs or documents that prove that an accused person must have been behind the commission of the crime in discussion. For instance, in a child pornography case, in order to develop a more reliable case hypothesis, the investigator has to recover evidence material that was acquired to show that the accused person truly committed the crime. In the acquisition process, the image of the accused person must have been seen bribing little children. Besides, a recording of the accused person may be produced giving evidence of the conversation that the accused person may have had prior to the commission of the crime. The other evidence that the investigator may produce during the analysis process is videos shot by the accused person showing little children having sexual relations. The retrieval of such evidences during the analysis process in a child pornography case is likely to lead to the development of more reliable case hypotheses. In fact, after viewing the presentation of images, videos and recordings, the conclusion that will be made must be true or probably true, depending on the reasoning used.
Validation Processes of Digital Evidence Exhibits
The validity of digital evidence exhibits is vital in coming up with the correct conclusions or case hypotheses. In the validation process, verification of relevant parts of the digital facility where the evidence is created, processed and transferred is important. In validation, the investigator has to preserve the evidence because most of the digital evidences are fragile and may be lost or get damaged (Marcella & Guillossou, 2012). In validation process, the investigator has to locate the evidence using various technical tools as this will help in the support or refute of the hypothesis about the given problem. The investigator should also select the evidence to critically determine the events that occurred during the commission of the crime. After selection of the evidence, testing of the evidence is necessary. For instance, the investigator will need to assert that a particular message was deleted, an image deleted, or the technical tool interfered with.
Validation of digital evidence exhibits also involves a series of prompts that play an integral role in determining if the evidence is valid. Some of the responses given during the prompts include ‘yes’ (the evidence is valid), ‘no’ (the evidence is considered invalid) and ‘unclear’ (further explanation needed). The figure below represents the above discussed validation process.
Figure 1: Chain of Evidence: Showing the validation process of digital evidence exhibit ‘B’
The validation process also involves a decomposition of assertions that are provided by the digital evidence exhibits. This is important as it also determines how valid the digital evidence exhibit is. This is shown in the figure below:
Figure 2: Decomposition of the evidence through validation process
Validation processes that check and test the digital evidence exhibits’ relationships with corroborating evidence relied on in legal cases
In order to determine the digital evidence exhibits’ relationships with corroborating evidence relied on in legal cases, the investigator should set up the device, analyse it, and configure it correctly (Rogers, 2003). The validation process should also involve the investigator testing the evidence in order to determine its validity. For example, the investigator can be forced to assert that an email message was deleted by confirming the existence of the deleted file. The validation process needs the investigator to check the time, and that the information was not altered in any way by system processes. The checking and testing plays an integral in ensuring that the conclusion made is the correct and true.
Case Study on validation process in a child pornography case
In a child pornography case, digital evidence exhibit can be in the form of images of the accused person, conversation between the accused person and the victims of the crime, as well as videos showing the actions of child pornography. In validating the evidence in such as case, the investigator should select the evidence, image, recorded conversation or video, to critically determine the events that occurred during the commission of the crime, in this case child pornography. After selection of the digital tool, the investigator should test the evidence. For instance, the investigator will need to assert that a particular image of the accused person committing the crime of child pornography was not deleted. He also has to assert that the technical tool is not interfered with, and that no recorded conversation is deleted from the technical tool (Shaw, 2006).
Processes to enhance communication of and presentation of case analysis to the legal practitioner and courts
The use of digital evidence is on the rise in courts in the world today. It is for this reason that people are looking forward to ways and means of enhancing communication and presentation of case analysis to legal practitioners and courts. Investigators have turned to the use of simple technological tools that are easily operated by legal practitioners and stakeholders in courts (Sherman, 2006). Besides, investigators have enhanced communication through the use of languages that are understood by every individual in the court during presentation of case analysis.
The use of digital evidence exhibits is on the rise due to the fact that the hypotheses or conclusions made on the basis of their use are true and correct. It is hard for an accused person to refute his/her actions seen in an image or video, as well as those heard in recordings. However, we should stress on the validation of the digital evidences before use in order to do away with the possibilities of making wrong conclusions during cases in courts (Selamat et al., 2008).
Ieong, R. S. C. (2006). FORZA – Digital forensics investigation framework that incorporate legal issues. Digital Investigation, 3, Supplement(0), 29-36. doi: http://dx.doi.org/10.1016/j.diin.2006.06.004
InternationalCompetitionNetwork(ICN). (2010). ANTI-CARTEL ENFORCEMENT MANUAL Chapter 3: Digital Evidence Gathering. http://www.internationalcompetitionnetwork.org/.
Leucari, V. (2005). Analysis of complex patterns of evidence in legal cases: Wigmore charts vs. Bayesian networks. Paper presented at the Forensic Science: The Nexus of Science and the Law.
Losavio, M., Keeling, D. W., Elmaghraby, A., Higgins, G., & Shutt, J. (2008). Implications of Attorney Experiences with Digital Forensics and Electronic Evidence in the United States.
Marcella Jr, A. J., & Guillossou, F. (2012). Cyber forensics: From data to digital evidence (Vol. 623): John Wiley & Sons.
Rogers, M. (2003). The role of criminal profiling in the computer forensics process. Computers & Security, 22(4), 292-298. doi: http://dx.doi.org/10.1016/S0167-4048(03)00405-X
Saad, S., & Traore, I. (2010). Method ontology for intelligent network forensics analysis. Paper presented at the Privacy Security and Trust (PST), 2010 Eighth Annual International Conference on.
Selamat, S. R., Yusof, R., & Sahib, S. (2008). Mapping process of digital forensic investigation framework. International Journal of Computer Science and Network Security, 8(10), 163-169.