Weaknesses in Computer Forensics

A Backup Article Contributed by Andrew Whitehead

Weaknesses in Computer Forensics

Within the field of computer forensic science, as in any relatively young discipline, there are weaknesses to be found. In computer forensics the main culprits are training, operational standards, and international standardization.

Computer Forensic Training

There are many private organizations offering computer forensic seminars and classes. With the growth of computer crime, computer forensic training is a worthwhile investment for any organization, but who should receive it? Computer forensic evidence is very volatile, so law enforcement personnel should be trained to handle it in a way that preserves it. Network operators should also be trained, to improve their abilities in intrusion detection, and lawyers should receive some training to give them a basic understanding of computer evidence.

Operational Standards in Computer Forensics

Computer crime, perhaps more than any other, can be international in scope. There is a need for basic guidelines for the evidence collection process to be established worldwide. These range from broad principles that apply to nearly every investigation, through organizational practices that maintain a minimum standard of planning, performance, monitoring, recording, and reporting, to recommended procedures, software, and hardware solutions.

International Standardization of Computer Forensics

Different countries each have their own computer forensic methods, standards, and laws. What is acceptable evidence in one country may not be in another. This is a serious problem when dealing with international crimes, as computer crime often is. The Internet may have no boundaries, but law enforcement does. Investigations that leap from server to server, from country to country, crossing many borders on the way are complicated not only by evidence handling differences, but also by political differences and legal differences.

There are some countries in which the networks are owned and controlled by government agencies, which may have little or no reason to cooperate with foreign governments investigating a crime. What is considered to be hacking in the US is not considered to be a crime in other countries, which protects the individual who committed it. Fortunately, efforts are being made to bring some standardization to procedures regarding digital evidence. The G8 group has recommended six principles for digital evidence gathering:

1) All standard forensic and procedural principles must be applied.

2) Upon seizing digital evidence, actions taken should not alter the evidence.

3) People accessing the original digital evidence should be trained to do so.

4) All activities relating to the seizure, access, storage, or transfer of digital evidence must be completely documented.

5) Individuals are responsible for all actions taken while the digital evidence is in their possession.

6) Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for complying with these principles.

This is a start in standardizing computer forensic evidence gathering procedures, but there is still a long way to go. Many countries have not adopted these recommendations, and probably will not if they do not have the necessary training resources. The sting in the tail is that these are the countries that pose the greatest computer crime threat.
