Digital forensics has been defined as the use of scientifically derived and proven methods for the identification, collection, preservation, validation, analysis, interpretation, and presentation of digital evidence derived from digital sources, in order to facilitate the reconstruction of events found to be criminal.[1] These digital forensic investigation methods, however, face major challenges in practical implementation. Fahdi, Clark, and Furnell (2013)[2] categorize digital forensic challenges under three major heads: technical challenges[3], legal challenges[4] and resource challenges[5].
TECHNICAL CHALLENGES
As technology develops, crimes and criminals develop with it. Digital forensic experts use forensic tools to collect evidence against criminals, while criminals use tools to hide, alter or remove the traces of their crimes; in digital forensics this is called anti-forensics, and it is considered a major challenge. Anti-forensics techniques[6] are categorized into the following types:

| S. No. | Type | Description |
|---|---|---|
| 1 | Encryption | Encryption is legitimately used to ensure the privacy of information by keeping it hidden from unauthorized persons. Unfortunately, it can also be used by criminals to hide their crimes. |
| 2 | Data hiding in storage space | Criminals hide chunks of data inside the storage medium in an invisible form by using system commands and programs. |
| 3 | Covert channel | A covert channel is a communication protocol that allows an attacker to bypass intrusion detection and hide data over the network. Attackers use it to hide the connection between themselves and the compromised system. |
Other technical challenges are:
- Storage of data in the cloud[7]
- Growing size of storage media[8]
- Rapid change in technology[9]
- Steganography[10]
LEGAL CHALLENGES
The presentation of digital evidence is more difficult than its collection, because there are many instances where the legal framework takes a soft approach and does not recognize every aspect of cyber forensics. In Jagdeo Singh v. The State and Ors[11], the Hon’ble High Court of Delhi held that “while dealing with the admissibility of an intercepted telephone call in a CD and CDR which was without a certificate under Sec. 65B of the Indian Evidence Act, 1872 the court observed that the secondary electronic evidence without certificate u/s. 65B of Indian Evidence Act, 1872 is not admissible and cannot be looked into by the court for any purpose whatsoever.” This happens in most cases because the cyber police lack the necessary qualifications and ability to identify a possible source of evidence and prove it. Besides, most of the time electronic evidence is challenged in court on the ground of its integrity. In the absence of proper guidelines, and without a proper explanation of how the electronic evidence was collected and acquired, the evidence gets dismissed.
Legal Challenges

| S. no | Type | Description |
|---|---|---|
| 1 | Absence of guidelines and standards | In India, there are no proper guidelines for the collection and acquisition of digital evidence. The investigating agencies and forensic laboratories work on guidelines of their own. Due to this, the potential of digital evidence is destroyed. |
| 2 | Limitation of the Indian Evidence Act, 1872 | The Indian Evidence Act, 1872 has a limited approach; it has not evolved with the times to address the fact that e-evidence is more susceptible to tampering, alteration, transposition, etc. The Act is silent on the method of collection of e-evidence; it only focuses on the presentation of electronic evidence in court accompanied by a certificate as per subsection (4) of Sec. 65B[12]. This means that, no matter what procedure is followed, it must be proved with the help of a certificate. |
Other Legal Challenges
- Privacy Issues[13]
- Admissibility in Courts[14]
- Preservation of electronic evidence[15]
- Power for gathering digital evidence[16]
- Analyzing a running computer[17]
RESOURCE CHALLENGES
As the rate of crime increases, the amount of data increases, and the burden of analyzing such huge volumes of data on digital forensic experts increases too. Digital evidence is also more sensitive than physical evidence: it can easily disappear. To make the investigation process fast and useful, forensic experts use various tools to check the authenticity of the data, but dealing with these tools is also a challenge in itself.
Types of resource challenges are:
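Checking the authenticity of the data, mentioned above, and defending its integrity in court, mentioned in the legal challenges, both rest on the same mechanism: a cryptographic hash recorded at acquisition and re-computed before analysis or presentation. The following is an added example, not code from the article or from any forensic tool it names; the function names, the chain-of-custody record fields and the sample evidence bytes are all constructed for illustration.

```python
"""Evidence integrity verification by cryptographic hashing.

Added example (not from the article): an examiner records a hash of
acquired data at collection time and re-verifies it before analysis
or presentation, so that any alteration is detectable. Function
names, record fields and sample data are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone


def hash_evidence(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of the evidence bytes.

    Hashing in fixed-size chunks keeps memory use flat for multi-GB
    disk images; the sample here is small, but the loop is the same.
    """
    h = hashlib.new(algorithm)
    view = memoryview(data)
    chunk = 1 << 20  # 1 MiB
    for i in range(0, len(view), chunk):
        h.update(view[i:i + chunk])
    return h.hexdigest()


def make_custody_record(item_id: str, data: bytes, examiner: str) -> dict:
    """Build a chain-of-custody record for an acquired item.

    The digest is computed once at acquisition and travels with the
    evidence; it is the reference every later check compares against.
    """
    return {
        "item_id": item_id,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "acquired_by": examiner,
        "size_bytes": len(data),
        "sha256": hash_evidence(data),
    }


def verify_evidence(data: bytes, record: dict) -> bool:
    """Re-hash the data and compare with the recorded digest.

    A size check first catches truncation cheaply; the digest comparison
    catches any change in content, including a single flipped bit.
    """
    if len(data) != record["size_bytes"]:
        return False
    return hash_evidence(data) == record["sha256"]


def tamper(data: bytes, offset: int) -> bytes:
    """Flip the low bit of one byte (constructed, to demonstrate detection)."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)


# Constructed sample: stands in for an acquired disk image or log export.
SAMPLE_EVIDENCE = b"2020-04-14T10:15:02Z login user=alice src=10.0.0.5 result=ok\n" * 64


def demo() -> dict:
    """Verify the intact copy, a one-bit alteration and a truncated copy."""
    record = make_custody_record("ITEM-001", SAMPLE_EVIDENCE, "examiner-01")
    return {
        "intact": verify_evidence(SAMPLE_EVIDENCE, record),
        "altered": verify_evidence(tamper(SAMPLE_EVIDENCE, 7), record),
        "truncated": verify_evidence(SAMPLE_EVIDENCE[:-1], record),
    }


if __name__ == "__main__":
    print(json.dumps(make_custody_record("ITEM-001", SAMPLE_EVIDENCE, "examiner-01"), indent=2))
    print(demo())
```

The record is what the Sec. 65B certificate would describe: which item, produced how and by whom, and a digest that anyone can recompute. A mismatch does not say what changed, only that the copy in hand is not the one acquired, which is exactly the question raised when integrity is challenged.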
- Change in technology
Due to rapid changes in technology, such as operating systems, application software and hardware, reading digital evidence becomes more difficult because newer software versions do not support older ones, and software development companies do not provide backward compatibility, which also has legal consequences.
- Volume and replication
The confidentiality, availability, and integrity of electronic documents are easily manipulated. The combination of wide-area networks and the internet forms a large network that allows data to flow beyond physical boundaries. This ease of communication and availability of electronic documents increases the volume of data, which also makes it difficult to identify the original and relevant data.
CONCLUSION & SUGGESTION
The scope of cyber forensics is wide, and the use of various tools and techniques, each working differently, raises many issues for legal as well as technical experts. Common challenges such as the lack of proper guidelines for the collection, acquisition and presentation of electronic evidence, rapid change in technology, big data, the use of anti-forensic techniques by criminals, and the use of free online tools for investigation point towards the need for new enactments and amendments to present law, and for patches to present technologies.
To deal with the above-mentioned issues we must have a specific national law applicable to every person who is involved in a digital forensic investigation, deals with it, or provides any service, tool or software used for investigation purposes. Investigating organizations need to conduct training and awareness programmes for their digital forensics officers so that they are familiar with new technologies, and the companies that make tools for digital forensic investigation must provide proper instruction manuals with a proper explanation of the tools and their pros and cons. Mobile and software development companies need to provide patches for outdated technology so that experts can easily analyze and preserve data for evidence purposes if they find an old mobile model or old computer system at the crime scene. Investigating officers also need to exercise due diligence during an investigation.
REFERENCES
- Philip Craiger (Assistant Director for Digital Evidence, National Center for Forensic Science & Department of Engineering Technology, University of Central Florida), Mark Pollitt (President, DigitalEvidencePro) & Jeff Swauger (National Center for Forensic Science, University of Central Florida), “Law Enforcement and Digital Evidence”, Handbook of Information Security. New York: John Wiley & Sons, Version: 4/1/2005.
- William J. Buchanan, “The Increasing Challenge of Digital Forensics”, The Texas Investigator, 2015, www.naylornetwork.com/tli-nxt, www.tali.org
- Available at <http://www.expertsminds.com/content/sample-paper/digital-forensics-challenges-assignment-help-6097.html>
Citations:
[1] Vishal R. Ambhire, Dr. B.B. Meshram, “Digital Forensic Tools,” Published by IOSR Journal of Engineering, March.2012, Vol. 2(3) pp:392-398, ISSN: 2250-3021.
[2] Available at <https://articles.forensicfocus.com/2017/06/29/an-introduction-to-challenges-in-digital-forensics/> accessed on 14/04/2020.
[3] Example: – different media formats, encryption, steganography, anti-forensic, live acquisition and analysis.
[4] Example: – jurisdictional issues, confidentiality or privacy issues and a lack of standardized international legislation.
[5] Example: – big data, time taken to acquire and analyze forensic media.
[6] Anti-forensics is “an attempt to negatively affect the existence, amount, and/or quality of evidence from a crime scene, or make the examination of evidence difficult or impossible to conduct.” Available at <https://www.garykessler.net/library/2007_ADFC_anti-forensics.pdf> accessed on 16/04/2020.
[7] The increasing trend of storing data in the cloud makes the investigation process more complex, because fewer traces of evidence are found on the computer disk, which makes traditional digital forensic techniques useless.
[8] As disk drives become larger, often over 1 TB, it takes longer to archive data for analysis.
[9] Due to the rapid change in technology, it is difficult for an investigator to keep up to date, which also creates issues when dealing with new devices or systems.
[10] Attackers use this technique to hide information inside a file without changing its outer appearance, which leaves the forensic expert with the challenge of finding the hidden data in a way that reveals further clues related to the offense.
[12] 65B. Admissibility of electronic records.— (1) Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.
(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely:—(a) the computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer;
(b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;
(c) throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and
(d) the information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.
(3) Where over any period, the function of storing or processing information for the purposes of any activities regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by computers, whether—
(a) by a combination of computers operating over that period; or
(b) by different computers operating in succession over that period; or
(c) by different combinations of computers operating in succession over that period; or
(d) in any other manner involving the successive operation over that period, in whatever order, of one or more computers and one or more combinations of computers, all the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer; and references in this section to a computer shall be construed accordingly.
(4) In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things, that is to say,—
(a) identifying the electronic record containing the statement and describing the manner in which it was produced;
(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer;
(c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate, and purporting to be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate; and for the purposes of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it.
(5) For the purposes of this section,—
(a) information shall be taken to be supplied to a computer if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment;
(b) whether in the course of activities carried on by any official information is supplied with a view to its being stored or processed for the purposes of those activities by a computer operated otherwise than in the course of those activities, that information, if duly supplied to that computer, shall be taken to be supplied to it in the course of those activities;
(c) a computer output shall be taken to have been produced by a computer whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment. Explanation.—For the purposes of this section any reference to information being derived from other information shall be a reference to its being derived therefrom by calculation, comparison or any other process.]
[13] The introduction of privacy legislation has created uncertainty in digital forensics about what is permissible behavior in collecting and retrieving personal information. These privacy provisions have not been adequately tested in court to provide a comprehensive common law background.
[14] The digital evidence collected from the scene of the crime is admissible in a court of law only if it is collected by the procedure given in law. In India’s legal system there is no detailed legislation explaining the procedure for such collection. Certain conditions are given in Section 65B of the Evidence Act, 1872, but that is not sufficient.
[15] Even where electronic evidence is admissible, an issue that arises regarding preservation guidelines is that preserving electronic evidence, which may involve a technical process, is itself a challenge, as there are instances where a case has lived on for more than 20 years. Practically, preserving electronic evidence for more than 20 years is not possible, as within that period the technology may evolve many fold. Preserving electronic evidence for a long time takes a lot of money and technology.
[16] The power to gather digital evidence is given to the investigating officer in the form of a warrant. The investigating officer has power only to do what is written in the warrant. If the scene of the crime demands some extra power and the officer is bound by the warrant, then, to reduce liability, the officer does not collect some crucial evidence.
[17] When the investigator finds a running system at the scene of the crime, it is very difficult to investigate and analyze such a system. Although the running system contains more evidence in the form of volatile memory, cache files, temporary files, etc., examining it is a very tedious task, and analysis of such a system risks destroying potential evidence if anything goes wrong. Sometimes the criminal has planted a logic bomb (a piece of code intentionally inserted into a software system that sets off a malicious function when specified conditions are met) or a Trojan horse (a type of malicious code or software that looks legitimate but can take control of a computer; it is designed to damage, disrupt, steal, or in general inflict some other harmful action on data or a network) which any unusual click may trigger. Evidence collection from such a system requires prior expertise in handling running systems.
About Author: Krati Jain, Legal Intern (2020)
I, Krati Jain, have done my Post Graduation in Cyber Law and Information Security from NLIU, Bhopal (M.P.), and have practical experience in the Techno-Legal domain.
During my Master’s I gained technical knowledge of Burp Suite, DVWA, Microsoft Network Monitor 3.4 and ProDiscover Basic, and also worked on information security standards like ISO 27001:2013, PCI DSS v3.2, ISO 22301:2012 and GDPR.
Also, I served as a member of the Internal Complaint Committee of NLIU, Bhopal, and as an intern with Madhya Pradesh Cyber Police. I also gained some practical experience in Ethical Hacking while participating in a workshop at MANIT, Bhopal.
I have also presented research papers on “Electoral Reforms in India,” “Right of Women and Inheritance Laws in India,” and “Women Education & Employment: Importance, Challenges, and Solution.”