Risk sensitive digital evidence collection

Authors:
Erin E. Kenneally;Christopher L. T. Brown
Affiliations:
University of California San Diego, Pacific Institute for Computer Security, San Diego Supercomputer Center, 9500 Gilman Dr., La Jolla, CA 92093-0505, USA;Technology Pathways, LLC, San Diego, CA 92118, USA
Venue:
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Year:
2005

Citing 0
Cited 9

Next-generation digital forensics

Communications of the ACM - Next-generation cyber forensics
Deriving cse-specific live forensics investigation procedures from FORZA

Proceedings of the 2007 ACM symposium on Applied computing
Evidential notions of defensibility and admissibility with property preservation

iNetSec'10 Proceedings of the 2010 IFIP WG 11.4 international conference on Open research problems in network security
Windows Vista and digital investigations

Digital Investigation: The International Journal of Digital Forensics & Incident Response
The growing need for on-scene triage of mobile devices

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Distributed forensics and incident response in the enterprise

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Improving evidence acquisition from live network sources

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Selective and intelligent imaging using digital evidence bags

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Post-retrieval search hit clustering to improve information retrieval effectiveness: Two digital forensics case studies

Decision Support Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Over the past decade or so, well-understood procedures and methodologies have evolved within computer forensics digital evidence collection. Correspondingly, many organizations such as the HTCIA (High Technology Criminal Investigators Association) and IACIS (International Association of Computer Investigative Specialists) have emphasized disk imaging procedures which ensure reliability, completeness, accuracy, and verifiability of computer disk evidence. The rapidly increasing and changing volume of data within corporate network information systems and personal computers are driving the need to revisit current evidence collection methodologies. These methodologies must evolve to maintain the balance between electronic environmental pressures and legal standards. This paper posits that the current methodology which focuses on collecting entire bit-stream images of original evidence disk is increasing legal and financial risks. The first section frames the debate and change drivers for a Risk Sensitive approach to digital evidence collection, which is followed by the current methods of evidence collection along with a cost-benefit analysis. Then the methodology components of the Risk Sensitive approach to collection, and then concludes with a legal and resource risk assessment of this approach. Anticipated legal arguments are explored and countered, as well. The authors suggest an evolved evidence collection methodology which is more responsive to voluminous data cases while balancing the legal requirements for reliability, completeness, accuracy, and verifiability of evidence.