Attacks on Computer Forensics Tools – Legal Stand
Direct attacks on the computer forensics process are the newest type of Anti-Forensics and potentially the most threatening.
There are six phases in the process of digital forensics; all are open to attack:
1. Identification refers to the method by which an investigator learns that there is some incident to investigate. This phase can be undermined by obscuring the incident, or by hiding the nexus between the digital device and the event under investigation.
2. Preservation describes the steps by which the integrity of the evidence is maintained. This phase can be undermined by interrupting the evidence chain or by calling into doubt the integrity of the evidence.
3. Collection is the process by which data from the evidence medium is acquired. This step can be undermined by limiting the completeness of the data being collected or by calling into question the hardware, software, policies, and procedures by which evidence is gathered.
4. Examination addresses how the evidence data is viewed. This part of the process can be undermined by showing that the tools themselves are inadequate, incomplete, or otherwise not scientifically valid.
5. Analysis is the means by which an investigator draws conclusions from the evidence. This phase relies on the tools, the investigative prowess of the examiner, and the rest of the evidence that was found. If a case hinges solely on digital evidence, the interpretation of that evidence is the part most open to attack.
6. Presentation refers to the methods by which the results of the digital investigation are presented to the court, jury, or other fact-finders. If the evidence is otherwise solid, anti-forensics tools and methods will be used to attack the reliability and thoroughness of the reports -- or the examiner.
Courts throughout the world have long had to deal with scientific evidence and have had to establish rules for what is acceptable and unacceptable in this realm.
In the U.S., the guiding principle in federal courts and many state courts is patterned after the seminal case of Daubert v. Merrell Dow Pharmaceuticals (U.S. Supreme Court, 1993). According to Daubert, a judge can determine the admissibility of scientific evidence based upon four factors:
• Testing: Can -- and has -- the procedure been tested?
• Error Rate: Is there a known error rate of the procedure?
• Publication: Has the procedure been published and subject to peer review?
• Acceptance: Is the procedure generally accepted in the relevant scientific community?