Monday, January 21, 2008


Some time back I promised to introduce forensic computing and discuss its relevance to our nascent ICT sector. I will outline these aspects as a series.

In a previous article I mentioned that we cannot ignore the security of our ICT infrastructure. Just as we protect other resources, we need to appreciate the importance of safeguarding the Kenyan cyber highway from virtual fraudsters, muggers and other malignant characters. Note that computer forensics and ICT security differ in definition, though they are fundamentally complementary: security aims to prevent incidents, while forensics reconstructs what happened once one has occurred. ICT security involves the implementation of safeguards that protect against intrusion, mishaps and mistakes. Our dependence on ICT is steadily growing and is present in many aspects of our lives, e.g. public utilities (KPLC), communications (mobile telephony, e.g. Safaricom), financial institutions (ATMs), medicine (diagnostic equipment) and others. ICT security therefore means implementing a security fabric that covers and protects the ICT resources of an organization.

This security fabric has various components woven into it, including physical security, operational security, information security, disaster recovery, access control, cryptography, auditing, and laws and ethics. It is the responsibility of organizational management in Kenya to set the tone for the role security will play in their companies. Management must decide what data is valuable and needs to be protected, who is responsible for protecting it and to what extent, how far employees may access and use the data, and what the consequences are for non-compliance.

Forensic computing, on the other hand, is about the detection and investigation of criminal activity committed using, or against, computer systems. The process of evidence gathering is fundamental to this. Like any other forensic science, forensic computing relies on specialised tools and on procedures that must be followed to guarantee that evidence is preserved intact and that the results of processing it are accurate. Because of the special characteristics of digital evidence (it is easily altered, can be copied without trace, and is often volatile), it must be considered separately and with special care.

Digital evidence comes in many forms. It includes physical items: the computer the crime was committed against or with, peripherals, mobile devices, and storage media such as DVDs, CDs and memory sticks, as well as paper evidence and documentation. It also includes non-physical evidence that exists only in a running system: registers, CPU cache, physical and virtual memory, network connections, running processes and the mounted logical file systems. This volatile data is lost the moment a machine is powered off, so it must be captured from the live system, most volatile first, before the device is seized and imaged.

Good practice must be adhered to in the evidence gathering process, otherwise a case or prosecution is easily jeopardized by sloppy handling. Evidence must comply with the rules of evidence of the court before which it is presented. Any change to the evidence must be accounted for, and the original must be handled as little as possible: work from a verified copy, and record who did what to which item and when. Evidence must be of a high enough standard to withstand the test of a court process, which means its admissibility, authenticity, completeness, reliability and believability must all hold up. When handling digital evidence, the following good practice principles must be adhered to:

Principle 1 No action should be taken by a law enforcement agency or investigator that changes data held on a computer, device or storage medium which may subsequently be relied upon in court.
Principle 2 In the rare circumstances where original data must be accessed, the person accessing it must be competent to do so and be able to give evidence explaining the relevance and implications of their actions.
Principle 3 An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to scrutinize these processes and arrive at the same result.
Principle 4 The person in charge of the investigation, the case officer, has overall responsibility for ensuring that the law and these principles are adhered to.
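As an added illustration (not part of the original article), the following Python script shows how Principles 1 and 3 are put into practice on a seized storage device: the original is only ever opened for reading, a working image is taken and its hash is compared with the original's hash before and after acquisition, and every step is written to a hash-chained audit log that an independent examiner can re-verify. The file names, the examiner name and the sample "medium" are constructed for the example; for real media the same job is done with a hardware write blocker and a forensic imager, but the hashing and logging discipline is identical.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash and copy in 1 MiB blocks so a large image need not fit in RAM


def sha256_file(path):
    """Hash a file opened read-only; hashing never alters the evidence."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class AuditTrail:
    """Hash-chained log of every action applied to the evidence (Principle 3).
    Each entry commits to the previous entry's hash, so a later edit breaks the chain."""

    def __init__(self, examiner):
        self.examiner = examiner
        self.entries = []

    def record(self, action, **details):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {
            "seq": len(self.entries) + 1,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "examiner": self.examiner,
            "action": action,
            "details": details,
            "prev_hash": prev,
        }
        serialized = json.dumps(body, sort_keys=True).encode()
        body["entry_hash"] = hashlib.sha256(serialized).hexdigest()
        self.entries.append(body)
        return body

    def verify(self):
        """Recompute the chain; True only if no entry was altered, reordered or dropped."""
        prev = "0" * 64
        for body in self.entries:
            if body["prev_hash"] != prev:
                return False
            unsigned = {k: v for k, v in body.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(unsigned, sort_keys=True).encode()).hexdigest()
            if digest != body["entry_hash"]:
                return False
            prev = body["entry_hash"]
        return True


def acquire_image(source_path, image_path, trail):
    """Copy the original bit-for-bit, only ever reading it (Principle 1), and log
    hashes before and after so an independent examiner can reproduce them."""
    before = sha256_file(source_path)
    trail.record("hash_original", path=source_path, sha256=before)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    image_hash = sha256_file(image_path)
    trail.record("acquire_image", source=source_path, image=image_path, sha256=image_hash)
    after = sha256_file(source_path)  # the original must be unchanged by acquisition
    trail.record("rehash_original", path=source_path, sha256=after)
    verified = before == image_hash == after
    trail.record("verify_image", verified=verified)
    return verified, image_hash


def image_still_intact(image_path, expected_hash):
    """Run at the start and end of every examination session on the working copy."""
    return sha256_file(image_path) == expected_hash


def demo():
    """Constructed scenario: a small file stands in for a seized USB stick."""
    workdir = tempfile.mkdtemp()
    original = workdir + "/seized_usb.bin"  # hypothetical file name
    image = workdir + "/seized_usb.img"     # hypothetical file name
    with open(original, "wb") as f:
        f.write(b"constructed sample medium\n" + bytes(range(256)) * 64)

    trail = AuditTrail(examiner="Examiner A")  # hypothetical examiner
    verified, image_hash = acquire_image(original, image, trail)

    # A careless write to the working copy is caught by the next integrity check.
    with open(image, "r+b") as f:
        f.write(b"X")
    copy_tamper_caught = not image_still_intact(image, image_hash)

    # An after-the-fact edit to a log entry breaks the hash chain.
    trail.entries[1]["details"]["image"] = "somewhere_else.img"
    log_tamper_caught = not trail.verify()
    return verified, copy_tamper_caught, log_tamper_caught


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Two points of design are worth noting. The original is re-hashed after imaging, not only before, because the claim that "nothing was changed" has to be demonstrated rather than assumed. And the audit log is chained rather than merely appended to, so that the third party envisaged in Principle 3 can detect a deleted or edited entry as well as re-run the hashes and obtain the same values.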

Given the high standard demanded of digital evidence, the computing forensic investigator must have substantial expertise in the methods and technology used, and must also be well versed in legal procedure. Substantial demands are therefore made on the training and capacity of the forensic expert, who also requires a physical and legal environment that facilitates professional digital evidence gathering.

In the next part of this series I will discuss the various challenges (e.g. legislative/legal, financial, training etc) computer forensic experts face in Kenya and suggest various approaches we should adopt in surmounting these challenges.
