
Forensic Cop Journal Volume 3(3), Jan 2010

http://forensiccop.blogspot.com

Digital Forensic Principles


by Muhammad Nuh Al-Azhar, MSc. (CHFI, CEI, MBCS)
Commissioner Police – Coordinator of Digital Forensic Analyst Team (DFAT)
Forensic Lab Centre of Indonesian National Police HQ

Introduction

With the rapid development of IT, computer crime has become a complex crime committed with
high technology, so it is not easy for forensic investigators to analyse it, let alone trace
the perpetrators. Criminals can use the internet or an intranet to commit this crime by
exploiting vulnerabilities that may exist in the network, or even in the target's machine. By
doing so, they can intrude into the network and then hijack the target computers. They turn
these computers into a botnet (i.e. a robot network), so that they gain full control over the
machines and can even order them to attack a server and bring it down with a DDoS
(Distributed Denial of Service) attack. Once a target computer is compromised, the criminals
have full access to it. They can obtain a great deal of the information stored on the
computer, whether confidential or not. If the information is confidential, they can use it for
illegal gain, for example by selling it to the victim's competitors or committing identity
fraud. If the stolen information is a bank account or credit/debit card, they can use it to
purchase goods on the internet (so-called carding) or to transfer money. If the information
obtained is an email account, they can hijack it by changing the password and then send
entirely false emails on the victim's behalf to any person or institution. The recipients
assume that the emails come from the victim. As long as the recipients are unaware of the
real situation, the criminals can persuade them to do something that harms the target. Many
harms result when a computer crime is committed.

From the description above, computer crime is a serious crime that requires more attention
from law enforcement agencies. If it is not handled properly, the perpetrators cannot be
arrested by the police, or they may even be released by the court when the evidence is not
sufficient to support the case. For this reason, the digital forensic analyst is expected to
handle this crime properly. This means the analyst should be able to provide strong evidence
that proves the relationship between the case and the perpetrators. If this is performed
correctly, it can be guaranteed that the case will be solved successfully. To provide strong
evidence, the analyst should have a good background in computer science and practical IT, and
should understand well how a computer crime can occur. With this knowledge, they can
investigate the case comprehensively and establish the facts of the case properly. The
evidence supporting the involvement of the perpetrators can then be provided convincingly by
the analyst/investigators in order to bring them to jail.


To reach this goal, the analyst should perform a comprehensive digital forensic investigation
by applying reliable investigative techniques as well as digital forensic procedures and
applications. To do this, the analyst should understand digital forensic principles well.
This article explains the basic principles of the Association of Chief Police Officers (ACPO),
which must be applied by every digital forensic analyst. These principles are also adopted by
the Digital Forensic Analyst Team (DFAT) of the Forensic Laboratory Centre of the Indonesian
National Police (INP).

ACPO Basic Principles on Digital Forensic

To understand how to perform a seizure correctly, the analyst should first understand digital
forensic principles. According to ACPO in the UK, there are four principles which must be
implemented in a digital forensic investigation. The principles are as follows (ACPO, 2008, p. 8).

Principle 1: No action taken by law enforcement agencies or their agents should change
data held on a computer or storage media which may subsequently be relied
upon in court.

Principle 2: In circumstances where a person finds it necessary to access original data
held on a computer or on storage media, that person must be competent to
do so and be able to give evidence explaining the relevance and the
implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based
electronic evidence should be created and preserved. An independent third
party should be able to examine those processes and achieve the same
result.

Principle 4: The person in charge of the investigation (the case officer) has overall
responsibility for ensuring that the law and these principles are adhered to.

These principles are to be applied in order, starting from the first principle and then
proceeding to the second, the third and the last. This means that any action performed by the
analyst or the investigators must not change the contents of the computer-based electronic
evidence. Any change will create a serious problem for the expert witness testimony in court
later, since it weakens the position of the expert: the results will be considered unreliable
and be doubted.

Based on the first principle, the analyst must not change the content of the evidence during
the digital forensic process. When the evidence is accessed for acquisition, write protection
must first be applied on the analysis workstation in order to avoid any change to the content
of the evidence, whether accidental or deliberate. The analyst then performs forensic imaging
using the bit-stream copy method, so that the output of this process is an image file
identical to the evidence. This image file is the target of the analysis, while the original
evidence is kept in a safe place. This means that all actions performed by the analyst are
done on the image file only, which preserves the evidence.

The second principle requires that only a competent analyst has access to the evidence, so
that the results are highly reliable. Such an analyst can explain the findings correctly and
can seek and find any data related to the case even if it has been deleted, hidden and so on.
Whatever action they take to reveal the evidence, they can perform it properly and explain its
relevance and implications. To be a competent analyst, someone must have a formal background
in computer science and digital forensics. This can be achieved through bachelor's, master's
and doctoral degrees, such as the MSc in Forensic Informatics from the University of
Strathclyde in the UK. Besides these, they should also hold professional certificates in
digital forensics, such as Computer Hacking Forensic Investigator (CHFI) from EC-Council,
based in the US. They also have to keep up to date with digital forensic developments by
becoming members of well-known institutions such as the British Computer Society (BCS),
Forensic Focus, SANS and so on. All of this background matters when the analyst gives expert
witness testimony in court, as it greatly strengthens their position.

The third principle requires the analyst to keep a record of every action they perform during
the analysis. This serves as an audit trail against which the results or findings can be
checked: when a third party performs the same actions, they should obtain the same findings
or results. At the end of the analysis, the analyst must produce a comprehensive report
explaining the analysis of the findings. In some cases it is helpful to include screenshots
describing the findings, as well as photographs of the evidence as it was first received.
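As an added illustration of the first and third principles (example code written for this article, not code from the journal or from DFAT), the following Python simulates an acquisition: it refuses to proceed unless a write blocker is engaged, makes a bit-stream copy of a constructed sample of evidence bytes, hashes the source before and after imaging as well as the image itself, and records every step in an audit trail that an independent examiner can re-verify. The evidence bytes, analyst name and step names are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "evidence": stands in for the raw bytes of a seized drive,
# including a remnant of a deleted file that a bit-stream copy must not lose.
EVIDENCE = b"MBR\x00" + bytes(range(256)) * 4 + b"deleted-file-remnant\x00" * 3


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bit_stream_copy(source: bytes, block_size: int = 512) -> bytes:
    """Copy every byte, block by block, so the image equals the source bit for bit."""
    image = bytearray()
    for offset in range(0, len(source), block_size):
        image += source[offset:offset + block_size]
    return bytes(image)


def acquire(source: bytes, analyst: str, write_blocked: bool) -> dict:
    """Simulated acquisition: Principle 1 (no change to the original) is enforced by
    requiring a write blocker and comparing the source hash before and after imaging;
    Principle 3 (audit trail) is met by timestamping and hashing each step."""
    if not write_blocked:
        raise RuntimeError("write blocker not engaged; acquisition refused")
    trail = []

    def log(step, **details):
        trail.append({"time": datetime.now(timezone.utc).isoformat(),
                      "analyst": analyst, "step": step, **details})

    pre = sha256_hex(source)
    log("hash_source_before", sha256=pre)
    image = bit_stream_copy(source)
    log("bit_stream_copy", bytes_copied=len(image))
    image_hash = sha256_hex(image)
    log("hash_image", sha256=image_hash)
    post = sha256_hex(source)
    log("hash_source_after", sha256=post)
    verified = pre == post == image_hash
    log("verify", identical=verified)
    return {"image": image, "audit_trail": trail, "verified": verified}


def third_party_check(image: bytes, audit_trail: list) -> bool:
    """An independent examiner re-hashes the image and compares it with every
    hash recorded in the audit trail; any mismatch means the result is not reproducible."""
    recorded = {e["step"]: e["sha256"] for e in audit_trail if "sha256" in e}
    return (sha256_hex(image) == recorded["hash_image"]
            == recorded["hash_source_before"] == recorded["hash_source_after"])


if __name__ == "__main__":
    result = acquire(EVIDENCE, analyst="analyst-01", write_blocked=True)
    print(json.dumps(result["audit_trail"], indent=1))
    print("third-party verification:", third_party_check(result["image"], result["audit_trail"]))
```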

The last principle emphasises that the officer in charge of analysing the evidence has
overall responsibility for ensuring that these principles, as well as the law, are
implemented properly. Consequently, the officer in charge should have a good understanding of
both the technical and the non-technical issues involved in digital forensic analysis.

Bibliography

ACPO. (2008). Good Practice Guide for Computer-Based Electronic Evidence. Available:
http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf.
Last accessed 30 September 2009.
Al-Azhar, M.N. (2009). Digital Forensic: State of the Art. Forensic Cop. Available:
http://forensiccop.blogspot.com. Last accessed 1 January 2010.
Al-Azhar, M.N. (2009). Forensically Sound Write Protect. Forensic Cop Journal, 1(3).
Available: http://forensiccop.blogspot.com. Last accessed 19 December 2009.
Al-Azhar, M.N. (2009). Standard Operating Procedure of Acquisition on Ubuntu. Forensic Cop
Journal, 2(3). Available: http://forensiccop.blogspot.com. Last accessed 1 January 2010.
Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the
Internet. 2nd edition. London: Elsevier Academic Press.
Carrier, B. (2005). File System Forensic Analysis. London: Addison-Wesley.
Department of Justice, US. (2001). Electronic Crime Scene Investigation: A Guide for First
Responders. Available: http://www.ncjrs.gov/pdffiles1/nij/187736.pdf. Last accessed
30 September 2009.
