Computer forensics and records management - compatible disciplines
Alastair Irons. Records Management Journal. Bradford: 2006. Vol. 16, Iss. 2; pg. 102

Abstract (Summary)
The meaning, methods and techniques associated with the subject of computer forensics are explored and the implications of computer forensics for records managers and recordkeeping are considered. Critically analyzed are the principles of computer forensics in the context of records characteristics - authenticity, reliability, integrity and usability - and the UK Association of Chief Police Officers (ACPO) principles and procedures for the collection of digital evidence. The disciplines of records management and computer forensics are potentially mutually compatible. Computer forensics allows for identification of incidents, gathering of evidence, analysis of evidence and potentially recovery of records. Records managers can utilise computer forensics principles to positively enhance records management and have valuable knowledge and expertise to share with their computer forensics colleagues; e.g. metadata expertise, functional requirements for electronic records management, recordkeeping systems design and implementation methodologies, digital preservation and retention management.

The ubiquitous nature of computing and information technology and the convenience associated with holding data, information and records electronically has the effect of making business, commerce, industry and society deeply dependent on the availability and accuracy of those systems. As dependency increases so does vulnerability, both to systems failure and to unauthorised access or attack. Once computers are used to store and manage records then the records become susceptible to unauthorised access, tampering, alteration, destruction and other potential misuse. Such issues raise potential records management problems in ensuring authenticity, reliability and integrity of records. The principles, techniques and tools of computer forensics can provide support for the records management environment in determining if any unauthorised transactions have taken place, obtaining digital evidence to indicate the nature of the transgression and help in the digital recovery and restoration of the original record when the record has been compromised.

Computer forensics is often associated with computer security and, whilst there are synergies, it is most appropriate to think of computer forensics and computer security as being opposite sides of the same coin. Computer forensics differs from computer security, which is the issue of securing computers against malicious attacks. The difference can be illustrated as a spectrum, see Figure 1 [Figure omitted. See Article Image.], derived from [24] Troell et al. (2003).

Computer security is a defence against unauthorised and malicious intrusion and computer forensics allows for identification of incidents, gathering of evidence, analysis of evidence and potentially recovery of records.

Although computer forensics is a subject in its own right it derives principles from forensic science and computer science in establishing an area of study which is unique. Computer forensics has a strong inter-disciplinary background drawing on forensic science, criminology, law, mathematics, audit and business as well as from computer science.

The multi-disciplinary and inter-disciplinary nature of computer forensics extends to records management. It is suggested in this paper that computer forensics and records management are compatible disciplines and areas of study.

There is a growing body of knowledge in computer forensics ([20] Rogers, 2003; [21] Rogers and Seigfried, 2004) and, although there is some research indicating how records management can benefit from an understanding of computer forensics principles ([4], [5] Barrett, 2004a, b; [18] Jones, 2004; [27] Volonino, 2003), the research is still in its infancy. Other related discussions have tended to focus on the role of computer forensics as a corporate governance tool and the impact that corporate governance issues have on records management ([6] Barrett, 2005). From a records management perspective consideration of computer forensics has concentrated on the preservation of digital resources, for example, the establishment of the Digital Preservation Coalition, formulated in 1999 and launched in 2002 ([18] Jones, 2004). There remains very little published on the discussion of the potential implications of computer forensics for records managers or how computer forensics can enhance the records management discipline.

The purpose of this paper is to explore the meaning, methods and techniques associated with the subject of computer forensics and to consider the implications of computer forensics for records managers and recordkeeping. The ways in which computer forensics can be used to highlight inadequate recordkeeping and, conversely, how computer forensics can provide a different perspective on records management and assist records managers in promoting better recordkeeping and records management in the electronic environment will also be discussed.

Principles of computer forensics

Computer forensics, defined by [7] Bates (1997) as the:

... scientific examination and analysis of data held on or retrieved from computer storage media for the purposes of presentation in a court of law, together with the study of the legal aspects of computer use and misuse

focuses on the collection, preservation and analysis of digital evidence in resolving computer crime. The timeliness of Bates' definition is apparent in a more recent definition ([14] Gottschalk et al., 2005) as:

... computer forensics deals with identifying, preserving, recovering, analysing and documenting computer data allegedly used in crimes committed using computers.

Computer forensics is much more than turning on a computer, making a directory listing and searching through files. There are rigorous processes and procedures which need to be followed in the identification, collection and analysis of data as evidence. It is very easy to "contaminate" a suspicious situation by "looking to see what's wrong" and by ignoring the principle, taken from forensic science, of "do no harm". In the UK, for instance, the procedures for the collection of evidence are defined in the Association of Chief Police Officers ([2] ACPO, 2003) Good Practice Guide for Computer Based Evidence. Following the four key principles outlined in this guide should maintain both evidential integrity and evidential continuity (i.e. the chain of custody or chain of evidence).

Computer forensics makes use of a number of the fundamental principles of computer science, for example, how computers work, how data are stored and managed, how information is organised and how computers communicate over networks. Computer forensics makes use of the fact that every action and transaction on a computer is recorded, usually to a "log file" which provides a list of transactions with important forensic information such as a time stamp. So, for example, if someone accesses a record via their PC the transaction will be recorded with details of the record they accessed, what they did to the record, when they accessed it and from where. The log file can be analysed later as a forensic activity and used to ensure the authenticity of records.
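The log analysis described above, as an added example that is not part of the article: it reconstructs the access history of a record (who, what, when, from where) from audit log lines. The pipe-separated log format and the sample lines are constructed assumptions; malformed lines are kept aside rather than silently dropped so the examiner can document them.

```python
"""Reconstruct the access history of a record from an audit log."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample log, assumed format (not real data):
#   timestamp | user | action | record id | source host
SAMPLE_LOG = """\
2006-03-01T09:12:05|jsmith|READ|REC-0042|ws-17.example.org
2006-03-01T09:14:40|jsmith|MODIFY|REC-0042|ws-17.example.org
2006-03-01T11:02:13|abrown|READ|REC-0042|ws-03.example.org
2006-03-02T17:45:59|tlee|DELETE|REC-0042|vpn-gw.example.org
2006-03-02|garbage line that does not parse
2006-03-03T08:00:00|abrown|READ|REC-0077|ws-03.example.org
"""


@dataclass(frozen=True)
class Transaction:
    when: datetime
    user: str
    action: str
    record: str
    source: str


def parse_log(text: str) -> tuple[list[Transaction], list[str]]:
    """Parse the log into transactions, sorted chronologically.

    Lines that do not fit the expected format are returned separately
    so that they can be recorded as part of the examination notes.
    """
    ok: list[Transaction] = []
    rejected: list[str] = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            rejected.append(line)
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            rejected.append(line)
            continue
        ok.append(Transaction(when, parts[1], parts[2].upper(), parts[3], parts[4]))
    ok.sort(key=lambda t: t.when)  # order of events, whatever the log order
    return ok, rejected


def history(transactions: list[Transaction], record: str) -> list[Transaction]:
    """Every logged transaction touching one record."""
    return [t for t in transactions if t.record == record]


def changes_to(transactions: list[Transaction], record: str) -> list[Transaction]:
    """Transactions that altered the record (anything other than a read)."""
    return [t for t in history(transactions, record) if t.action != "READ"]


def last_change(transactions: list[Transaction], record: str) -> Transaction | None:
    """Who last altered the record, when and from which machine."""
    changes = changes_to(transactions, record)
    return changes[-1] if changes else None


if __name__ == "__main__":
    txs, bad = parse_log(SAMPLE_LOG)
    for t in history(txs, "REC-0042"):
        print(f"{t.when.isoformat()} {t.user:8} {t.action:7} from {t.source}")
    print("unparsed lines:", bad)
```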

The other common aspect of computer forensics, which is relevant to records management, is the recovery of deleted files. Often people who are not behaving within the law will attempt to cover their tracks by deleting files, changing file extensions or hiding images using steganography techniques. However, not all of the old file will be deleted and by utilising computer forensics tools such as EnCase (from Guidance Software, www.guidancesoftware.com/products/index.asp) the original file can be recovered, changes to file extensions can be flagged and hidden images can be found. The contents of a hard drive, irrespective of attempts by perpetrators to hide, delete or destroy their activities, can contain digital evidence which can be used in the resolution of cases. Computer forensics can be applied to a range of scenarios from an individual disc to analysis of internet activities, and everything in between.

The first step in any computer forensics analysis is to carefully preserve the original file or device because this is all the computer forensics practitioner has to work with and they have to be sure that they can prove that they have not contaminated or tampered with the evidence (evidential integrity). In order to ensure evidential integrity, any computer forensics investigation must begin with the creation of an exact image of the file or device. Note that this is an image and not a copy - again there are tools and techniques which facilitate this process; for example, a write-blocker is used to ensure that the destination drive does not write back to the original source. All actions undertaken by a computer forensic practitioner need to be meticulously documented, therefore, creating records of the process.

The focus in the application of computer forensics has tended to centre on the resolution of legal cases associated with criminal activity in computing (ranging from economic fraud and computer misuse to identity theft and pornography) or in employment tribunal related activities such as disciplinary cases of computer misuse in organisations (for example, e-mail harassment or false overtime claims). [13] Gallegos (2005) argues, however, that:

... computer forensics is not only used for cybercrime cases, but the techniques and methods are also adopted for non-investigative purposes.

[3] Barbin and Patzakis (2002) suggest that computer forensics is "transitioning from an investigative and response mechanism to one of prevention, compliance and assurance". Of course whilst the emphasis tends to be on finding perpetrators of computer crimes, misuse and other misdemeanours, computer forensics can be used to prove the innocence of an accused person, just as good records management can demonstrate good management and good governance.

In spite of its significant capacities, it is important not to see computer forensics as a "get out" for not designing secure systems in the first place. For example, the UK Inland Revenue system, which was withdrawn from service in June 2002 because users could see other people's tax returns, would not have been prevented by applying the principles of computer forensics. The system should have given more detailed consideration to preventative security in the system design. Computer forensics could have been used subsequently to determine which tax returns had been compromised and which tax returns had been seen by which users.

Environment of computer crime

Records management professionals may well ask the question why they should be interested in computer crime or computer forensics. The fact of the matter is that digital information in records management and organisational business systems is valuable and, therefore, potentially attractive to computer criminals. Although computer-based business and records management systems may be more susceptible to attack, anyone entering a digital environment (authorised or unauthorised) will leave digital evidence and a "cybertrail".

The computing environment is such that anyone with the inclination will find it relatively easy and cheap to undertake inappropriate activities with digital records. There is a wide range of inappropriate (potentially criminal) activities digital records may be susceptible to, including unauthorised access (hacking or cracking which can lead to viewing, copying, altering, deleting or using the information for economic or other types of gain), infecting records through distribution of viruses, denial of service attacks (rendering organisations unable to make use of records) to even more sinister activities such as cyber-terrorism.

As well as being cheap (hardware costs continue to drop) and easy to enter (technical requirements are not high and systems security is rarely robust), the motivation for computer misuse and crime centres on relatively high economic rewards with relatively reduced risks when compared to "traditional" face-to-face crime. [25] Turvey (2002) suggests a set of motivations for entering into computer crime or misuse which include status, greed, money, revenge, anger, perversion, politics and a desire for power. Whether motivated by curiosity, economic gain or vindictiveness, computer criminals have the potential for inflicting massive harm ([15] Hundley and Anderson, 1995; [22] Schwartau, 1994; [12] Denning, 1999).

The punishment from the judicial system for those who are caught tends to be less severe because computer crime is perceived as victimless. Organisations are often reluctant to make public any instances of records being compromised because of the lack of punishment and because of the potential harm to the organisation from customers and clients losing faith in the credibility and reliability of the organisation. A survey undertaken by the National High Tech Crime Unit ([19] NHTCU, 2003) indicates a potential 25 per cent drop in business if customers perceive that organisations have been victims of a computer attack.

The [19] NHTCU (2003) survey goes on to identify a range of computer crimes including:

- crimes against organisations (such as sabotage of data or networks, virus attacks, financial fraud, theft of proprietary information, denial of service, unauthorised web site access/misuse, spoofing, theft of hardware, and telecomms fraud);

- crimes perpetrated by organisations (such as misuse of funds (e.g. pensions), false accounting, industrial espionage); and

- crimes against individuals (such as cyber-stalking, e-mail issues (phishing, flaming, defamation, harassment), access to personal data (identity theft), manipulation and/or loss of data, economic theft).

Perhaps the most widely publicised example of computer forensics being used in the investigation of computer crime is Operation Ore. In this case police forces in the UK were passed information on 7,272 credit card records from the FBI where the credit cards had been used to access child pornography.

Digital evidence

Computer forensics involves the examination and assessment of digital evidence. Computer evidence and digital evidence are like any other form of forensics evidence; in order to be valuable to an investigation the digital evidence must be: authentic, accurate, complete, have evidential integrity, be convincing to juries and conform with common law and legislative rules. [11] Chisum (1999) defines digital evidence as:

... any data stored or transmitted using a computer that supports or refutes a theory on how an offence occurred or addresses critical elements of the offence such as intent or alibi.

Chisum's definition is taken a little further by [9] Carrier and Spafford (2003) who suggest that digital evidence is:

... digital data that establish that a crime has been committed, can provide a link between a crime and its victim or can provide a link between the crime and the perpetrator.

Digital evidence is different to other forms of forensic evidence in that computer data changes moment by moment and computer data is invisible to the human eye. Digital evidence must be obtained reliably by following accepted legal procedures for seizure, imaging and storing as well as ensuring that evidential integrity is preserved at all times. [10] Casey (2004) suggests that when considering the sources of digital evidence it is valuable to categorize computer systems into three groups, namely:

- open computer systems, e.g. the internet;

- communication systems, e.g. mobile phones; and

- embedded computer systems, e.g. a chip in a washing machine.

The majority of records management cases will probably fall into the open computer systems category although, particularly moving forward, there will also be situations where all three categories are important in records management; for example, the records contained in communications systems such as e-mail.

In any investigation that includes the need to identify, seize, image and then analyse digital data there is likely to be a huge amount of data to work through. The sheer volume of data contained on standard disc drives makes it impossible to manually review all the files, therefore, when faced with digital evidence the first question a computer forensics investigator should attempt to clarify is, according to [4], [5] Barrett (2004a, b), "what am I supposed to be looking for?" Barrett goes on to suggest that an appropriate form of investigation is to try to frame "closed questions" about the evidence. By focussing on appropriate questions and carefully considering what the investigation is about, a great deal of time can be saved in the investigation and the investigator will not waste time sifting through an impossibly huge amount of data. Investigation of digital evidence from a computer is not just about looking for a needle in a haystack, it is about looking for a needle in a haystack when there is a field of haystacks and we do not know which haystack to start looking in.

When records management makes use of computer forensics it is important to consider the nature of digital evidence and the amount of data that could potentially contribute to that evidence. Computer forensics investigations should be based around the characteristics of good records, levels and nature of access and an indication of the completeness of the records.

Computer forensics and records management

The principles of computer forensics can be employed in records management contexts in order to monitor the integrity, authenticity, reliability and completeness of records. The tools of computer forensics can be used to investigate computer records, for example, to determine when records have been accessed, if they have been changed or to determine the logical location of the intrusion. The difference between the need for computer forensics and the existing tools of records management is that computer forensic tools are required when the perpetrators of the unauthorised access attempt to hide or cover their trail.

Figure 2 [Figure omitted. See Article Image.] shows the activities and relationships between computer forensics and records management.

Computer forensics can be used to ensure the four key characteristics of good records as identified in the international records management standard, [16] ISO 15489-1 (2001), i.e. that records have:

- authenticity;

- reliability;

- integrity; and

- useability.

Integrity and authenticity

In forensic computer investigations, the concept of evidential integrity is crucial. This principle requires that the material being examined must not be changed in any way. Any investigation that contravened this principle would render the evidence gathered in that investigation inadmissible in court or in an employment tribunal. The application of computer forensics in records management would require that this principle was adhered to in order to preserve the integrity of the record, i.e. the record remained complete and unaltered.

Computer forensics tools and techniques can also be used to identify and trace any legitimate additions, alterations or annotations to a record (which user made them, when, from which machine and what the alteration was) and as such ensure the integrity of the record.

The principle of evidential integrity can also be applied to authenticity of records where authenticity, as stated in [16] ISO 15489:1 (2001), means that records:

- are what they claim to be;

- have been created or sent by the person who claims to have created or sent them; and

- were created or sent at the time claimed.

Computer forensics also allows for the examination of log files and audit files in order to ascertain the authenticity of records.

A further computer forensic technique of calculating hash values can be used to determine the authenticity of a record. The hash value of a record is a sort of digital fingerprint of the record. Without going into the maths behind the algorithm the principle works by taking a hash value when the initial record is set up and then taking a second hash value at a later point in time. The two values are then compared and if the hash value stays the same there is only a very small probability that the record can have been changed. So the hash value can be used to indicate that a record has not changed.
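The hash-value check described above, as an added example that is not part of the article: a SHA-256 digest is taken of each record when it is set up and stored in a manifest, and the records are re-hashed later and compared, so that altered, missing and newly added records are reported. The manifest layout, the directory of records and the sample record contents are constructed assumptions; the same chunked hashing verifies that a forensic image matches its source.

```python
"""Hash-based integrity check for a directory of records."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest, the record's 'digital fingerprint'."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large records (or disk images) fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(record_dir: Path) -> dict[str, str]:
    """Take the initial hash of every record when the records are set up."""
    return {p.name: hash_file(p) for p in sorted(record_dir.iterdir()) if p.is_file()}


def verify_manifest(record_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash at a later point in time and compare with the stored values.

    A matching digest means the record is unchanged (barring a hash
    collision, which is negligibly unlikely for SHA-256); a differing
    digest means it was altered. Records absent from the directory or
    absent from the manifest are reported too, since deletion and
    insertion are also changes to the record set.
    """
    current = build_manifest(record_dir)
    result: dict[str, list[str]] = {"unchanged": [], "changed": [], "missing": [], "new": []}
    for name, digest in manifest.items():
        if name not in current:
            result["missing"].append(name)
        elif current[name] == digest:
            result["unchanged"].append(name)
        else:
            result["changed"].append(name)
    result["new"] = [n for n in current if n not in manifest]
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot two records, then alter, delete and add."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        rec = tmp / "records"
        rec.mkdir()
        (rec / "invoice-001.txt").write_bytes(b"Invoice 001: 120.00 GBP\n")
        (rec / "invoice-002.txt").write_bytes(b"Invoice 002: 75.50 GBP\n")
        manifest_path = tmp / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(rec), indent=2))
        # Later: one record edited (a single digit), one removed, one added.
        (rec / "invoice-001.txt").write_bytes(b"Invoice 001: 129.00 GBP\n")
        (rec / "invoice-002.txt").unlink()
        (rec / "invoice-003.txt").write_bytes(b"Invoice 003: 10.00 GBP\n")
        stored = json.loads(manifest_path.read_text())
        return verify_manifest(rec, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```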

Reliability

The reliability of a record, according to ISO 15489:1 pertains to trusting the contents of a record to be a:

... full and accurate representation of the transactions, activities or facts that they attest and can be depended on in the course of subsequent transactions or activities.

Whilst it is not possible to use computer forensics to ensure that the records are correct when they are first entered (separate validation and check procedures would be necessary to ensure correctness) it is possible to make use of computer forensics tools and techniques to analyse whether any changes have been made to individual records or whether records have been deleted.

Usability

[16] ISO 15489:1 (2001) defines a useable record as one that can be:

... located, retrieved, presented and interpreted. It should be capable of subsequent presentation as directly connected to the business activity or transaction that produced it.

Many of the audit features of computer forensics as described above are also pertinent to ensuring the usability of records. However, one of the key aspects in ensuring usability and one in which computer forensics can be of significant benefit, is in the recovery of lost, compromised or damaged records. Computer forensics tools and techniques can be used in the recovery and restoration of records and can, therefore, be a significant tool for the records manager in developing strategies for the legal obligations in managing records for an organisation.

The principles of computer forensics can be used by records managers to help in the identification of potential deficiencies and weaknesses in records management systems, provide opportunities to recover information, determine appropriate and effective destruction processes for electronic records and provide a "cybertrail" of digital evidence when records management systems have been compromised.

Records management principles and computer forensics

Therefore, there are opportunities for records management professionals to proactively employ and utilise the principles of computer forensics to positively enhance records management. Computer forensics tools and principles can, for example, be used as the basis for auditing and monitoring records management, as well as aiding in the recovery of lost or damaged records.

To seize these opportunities records managers will need continuing professional development in computer forensics. Just as they need to be knowledgeable about risk management, corporate governance, legal issues, business imperatives, etc. so too should they be at least cognisant of the principles and implications of computer forensics. In fact, it could be argued that, in the electronic business environment they should be proactively working with IT and computer forensics colleagues on these issues. Computer forensics is an area in which educators, trainers and records management professional bodies should take an interest.

The relationship between records management and computer forensics is, however, not all one way. There are many records management techniques and skills, such as metadata expertise, functional requirements for electronic records management, digital preservation, retention management, knowledge of digital libraries and archives, skills in data analysis, managing the electronic knowledge of an organisation and the understanding of intellectual property regulations which could contribute to the analysis and audit activities associated with computer forensics. In addition, in the area of recordkeeping systems design and implementation, methodologies such as DIRKS ([23] State Records New South Wales, 2003) and others ([17] Johnston, 2005), records managers have valuable knowledge and expertise to bring to the table and share with their computer forensics colleagues.

Computer forensics could also benefit through the application of theoretical models developed within the records management community. For example, it could be interesting to consider computer forensics in the context of the records continuum model and model it in the same way that [26] Upward (2000) modelled other areas of information management such as information systems management and publishing. The end result would be a model of how records need to be managed in a computer forensics sense where the emphasis is on understanding the actions and transactions recorded as a result of access and use of records and data.

Conclusion

As organisations place more and more emphasis on electronic records the need to guard against inadequate recordkeeping, ensure the accuracy of those records and guarantee that they have not been compromised will become more and more important. As has been discussed, the compatibility that exists between records management and computer forensics can help to ensure that computer forensics provides support, backup and reassurance for records managers in these tasks. Our professions have much in common and we can learn from one another in our quest to ensure the ongoing accessibility and integrity of digital information.

1 comment:

mahak said...

Computer forensics has its own discipline, but it can still be described in relation to records management in terms of authenticity, reliability and usability. This post describes all aspects of both, so have a look at it.
medical records management