5 Digital Forensic Challenges
5.2 Technical Challenges
With the growing incidence of computer crime, digital forensic tools must be developed at the same pace (if not faster) to provide sufficient support for dealing with these attacks. At the same time, it is critical that investigators are equipped with adequate tools and skills, allowing them to gather enough evidence for the prosecution of the perpetrators. Karyda and Mitrou (2007) discussed the technical and legal challenges faced during digital forensic investigations. The diversity and heterogeneity of the infrastructure, and the physical barriers involved, can prevent investigators from accessing the sources of evidence.
Most models presume that an attack has taken place before certain procedures are applied, with the objective of discovering and collecting relevant evidence. To begin an investigation, a deep understanding of the characteristics of the attack is required so that the case can be dealt with accordingly. Important challenges that forensic investigators and models need to take into consideration include the growing size of data storage, the prevalence of embedded flash storage, the need to analyse multiple devices, and the use of encryption and cloud computing (Garfinkel, 2010; Moore, 2006). Selecting the more important and relevant information is a further challenge when dealing with a large amount of data. Large networks spanning multiple systems are another difficult proposition for digital forensic investigators to overcome. Multiple systems sharing the same IP address through Network Address Translation pose a further challenge, as it is difficult to relate the traffic to a specific host (Cohen, 2009). Another difficulty the Internet poses is conducting date and timeline analyses on collected data. Mohay (2005) discussed both monitoring the Internet and large volumes of data as challenges to be dealt with by digital forensics investigators.
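To illustrate the NAT attribution difficulty described above, here is an added Python example (not from the thesis or any work it cites) that correlates constructed NAT translation log lines with an externally observed flow and reports when the attribution is ambiguous rather than guessing. The log format, addresses and correlation window are assumptions made for illustration.

```python
# Added example (not from the thesis): relate an externally observed flow to an
# internal host behind NAT by correlating it with the NAT gateway's translation
# log. Log format, addresses and the correlation window are constructed.
from datetime import datetime, timedelta

# Constructed translation log: time, internal ip:port -> public ip:port.
# Note that public port 40001 is reused for a different host five minutes later.
NAT_LOG = """\
2024-03-01T10:00:01 NAT 192.168.1.10:51234 -> 203.0.113.5:40001
2024-03-01T10:00:02 NAT 192.168.1.11:51234 -> 203.0.113.5:40002
2024-03-01T10:05:00 NAT 192.168.1.12:60000 -> 203.0.113.5:40001
"""

def parse_nat_log(text):
    """Return (timestamp, internal_ip, public_ip, public_port) per log line."""
    entries = []
    for line in text.splitlines():
        ts, _, internal, _, public = line.split()
        public_ip, public_port = public.split(":")
        entries.append((datetime.fromisoformat(ts), internal.split(":")[0],
                        public_ip, int(public_port)))
    return entries

def attribute_flow(entries, public_ip, public_port, flow_time_iso, window_minutes=2):
    """Internal hosts whose translation to public_ip:public_port was created
    within window_minutes before the flow was seen. An empty set means the
    gateway kept no usable record; more than one host means the attribution is
    ambiguous (port reuse or a window that is too wide) and must be reported
    as such rather than resolved by guesswork."""
    flow_time = datetime.fromisoformat(flow_time_iso)
    start = flow_time - timedelta(minutes=window_minutes)
    return {internal_ip for ts, internal_ip, pip, pport in entries
            if pip == public_ip and pport == public_port and start <= ts <= flow_time}

if __name__ == "__main__":
    nat = parse_nat_log(NAT_LOG)
    # Unambiguous: only one host held 203.0.113.5:40001 shortly before 10:00:30
    print(attribute_flow(nat, "203.0.113.5", 40001, "2024-03-01T10:00:30"))
    # Ambiguous: with a 10-minute window two hosts are candidates for the reused port
    print(attribute_flow(nat, "203.0.113.5", 40001, "2024-03-01T10:05:30", 10))
```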
Cybercriminals utilise a wide range of techniques to avoid being traced and captured by the authorities. They create various obstacles with the objective of removing evidence or casting doubt on the evidence collected. The E-Crime Watch Survey (2006) recognised changing file extensions, utilising swap space and disk-wiping software, physically destroying media, anonymity techniques, cryptography and steganography as common activities.
Current digital forensic principles, tools and practices assume that the storage media are under the complete control of the investigator (Grispos et al., 2011). This ignores the challenge posed by online storage of data, which can be easily exploited by perpetrators.
Information technologies in today's era are dynamic in nature. For instance, according to Moore's Law, information technology becomes obsolete every 18 months, resulting in an unstable and unpredictable environment for the continuance of the same infrastructure (Moore's Law, n.d.). This means that advancements in technology happen at a fast pace, which quickly makes the underlying infrastructure obsolete for utilising the full potential of those advancements. Digital devices such as notebooks, iPods, mobile phones and cameras have developed very quickly. According to Mohay (2005), it is a challenge to keep pace with new devices when developing appropriate tools. This further affects the digital evidence that can be acquired. Bogen and Dampier (2005) also stated that no single tool exists that is capable of meeting the entire set of needs of an investigation.
A further challenge for digital forensics is forensic readiness, which is the ability of a system to capture and use evidence in an effective manner (Endicott-Popovsky and Frincke, 2006; Yasinsac and Manzano, 2001). Forensic readiness is a term used to describe the extent to which computer systems and networks record data and activities in a manner that ensures a sufficient record is maintained for subsequent purposes. It is important that the records can be accepted as authentic within digital forensic investigations.
An organisation is in a much better position to handle a digital crime incident if it is in a state of forensic readiness (Casey, 2005). This refers to various factors such as properly trained handlers and so forth. It is possible that after an incident has taken place, the first responder might unknowingly damage the evidence or carry out activities that make it difficult for the forensic team to gain clues regarding the incident. As a result, evidence needs to be handled with care, and even a trivial item needs to be kept on record. In the absence of such close scrutiny it is possible for evidence to be destroyed or never found in the right place at the right time. Being forensically ready is also important because in most cases the same set of personnel act as both incident handlers and forensic investigators.
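As an added example (not part of the thesis or any work it cites), the following Python shows one readiness measure addressing the authenticity requirement and the "keep even a trivial item on record" point above: a hash-chained log of evidence-handling events whose verification pinpoints the first altered or removed record. The event contents, the genesis value and the practice of publishing the head hash separately are assumptions made for illustration.

```python
# Added example (not from the thesis): a minimal tamper-evident record of
# evidence-handling events, one concrete forensic-readiness measure. Each record
# is chained to the previous one by a SHA-256 hash, so editing, reordering or
# deleting an earlier record breaks the chain. Comparing against a separately
# published head hash (an assumption here) also exposes truncation at the end.
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for an empty chain

def _digest(prev_hash, event):
    # Canonical JSON so the same event always hashes identically
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_record(chain, event):
    """Append an event dict to the chain and return the new head hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev": prev_hash, "hash": _digest(prev_hash, event)})
    return chain[-1]["hash"]

def verify_chain(chain, expected_head):
    """Return -1 if every record links correctly and the chain ends at
    expected_head; otherwise the index of the first bad record, or len(chain)
    when records were truncated from the end."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev_hash or rec["hash"] != _digest(prev_hash, rec["event"]):
            return i
        prev_hash = rec["hash"]
    return -1 if prev_hash == expected_head else len(chain)

def build_demo_chain():
    """Constructed handling log for a seized drive; returns (chain, head)."""
    chain, head = [], GENESIS
    for event in (
        {"time": "2024-03-01T09:00", "actor": "first responder", "action": "seized drive DRV-01"},
        {"time": "2024-03-01T09:30", "actor": "first responder", "action": "write-blocked image taken"},
        {"time": "2024-03-01T10:00", "actor": "analyst", "action": "image hash recorded"},
    ):
        head = append_record(chain, event)
    return chain, head

if __name__ == "__main__":
    chain, head = build_demo_chain()
    print("intact:", verify_chain(chain, head))          # -1
    chain[1]["event"]["action"] = "drive handled without write blocker"
    print("first bad record:", verify_chain(chain, head))  # 1
```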
Cloud Computing has drastically changed how information technology services are created, delivered and managed (Ruan et al., 2011). The main categories of Cloud services are described as follows (Grispos et al., 2011):
In the case of a private Cloud, it is most likely that a single organisation owns and controls the Cloud infrastructure, and everything is located in the same geographical location.
Community Clouds are relatively more dispersed and share Cloud Computing resources collectively.
Public Clouds are meant to be used by many users and hence contain data from a variety of users.
Lastly, a hybrid Cloud is a mixture of one or more of the above models.
Hence the technology of Cloud Computing acts as an excellent technical platform by providing distributed services at economical cost, allowing people and organisations of all scales and levels to reap the benefits of software, packages and services that would otherwise be beyond their reach. However, there are several challenges associated with Cloud Computing from the perspective of digital forensics due to its vastly distributed nature. For instance, it is not possible to demarcate precisely the area of operation of the "Cloud", especially in the case of public Clouds. Within Cloud environments, security and confidentiality are major concerns, along with issues such as encryption, proliferation of endpoints, multi-jurisdiction, and loss of control over data (Curtis et al., 2010). Reports of botnet attacks on the Cloud infrastructure of Amazon and the recent hacking of Gmail illustrate that the Cloud environment is already a target for malicious intentions (Kirwan, 2013).
Furthermore, since the Cloud is being embraced globally, the number of computer crimes committed in the Cloud will rise too.