Abstract
To discover, uncover, and stamp out digital crime while ensuring information security and assurance, there is a need to investigate the crime once it has occurred. This will help trace the criminals and also secure an organization against future attacks. Forensic readiness entails organizations being at alert as per digital evidence collection and storage – that is collecting and storing such evidence constantly in a forensically sound manner, not just when the need for such evidence arises. In the event litigation arises or is anticipated, digital evidence may need to be reviewed by the opposing parties prior to court proceedings to assess quality of the evidence; this is eDiscovery. Digital evidence for eDiscovery needs to be forensically sound and provided in an efficient timely manner – forensic readiness helps to ensure this. This chapter is an update on the chapter on “Forensic Readiness and eDiscovery” in the previous edition and still seeks to establish how forensic readiness is relevant to the eDiscovery process, taking into consideration current developments in the field.
Handbook of Research on Cyber Crime and Information Privacy
TopIntroduction
Most of our lives have virtually become completely intertwined with digital devices and information systems: virtually everything we do today is done through or in conjunction with a digital device or platform. This is the digital age, issues pertaining to information security and assurance abound; and with increased technological advancements, criminals are also improving on their skills and causing more and more havoc. Additionally there is also the use of digital systems for political and military purposes in such a way as to manipulate the way things happen in a jurisdiction the way the perpetrator wants; like the issue of the 2016 US Presidential elections allegedly being tampered with by a foreign country by way of influencing public opinion using information systems (CNN Library, 2019). Digital forensic investigations are used to ensure information assurance and security by discovering how an incident connected to an electronic device occurred and possibly tracing and apprehending those behind it. Knowledge of how such an incident occurred can also help an organization strengthen its defenses since it reveals where there are lapses in an organization’s information security infrastructure. Forensic readiness requires an organization to be constantly on alert as regards gathering, storing and analyzing digital data in a forensically sound manner – such data has the potential of serving as digital evidence in the event of an incident or litigation, without waiting for such an incident or litigation to occur. The digital evidence will come in handy in the event the need for it arises and will be readily available to be used by an organization to trace how an incident could have taken place; defend itself or indict a party. Forensic readiness can further serve to show regulatory compliance and best practices on the part of an organization. Forensic readiness can guarantee faster and more efficient investigations with minimal disruption to normal business operations, and it also enhances cost-effectiveness in terms of evidence gathering. Electronic evidence is constantly gathered and stored until a need for it arises as a result of an incident, regulatory or legal requirement whereby it would serve as evidence in incident response or be used as backup for disaster recovery and continuity – it is just like saving for a rainy day. Therefore in the event of an incident that requires investigation or a legal/regulatory requirement for the production of digital evidence, the evidence only has to be presented being that it was already collected and stored in a forensically sound manner. This helps make evidence presentation and investigation much faster and allows for business continuity with minimal disruption to normal operations, which would have arisen if investigators had to gather the evidence after-the-fact. It also helps ensure reduce the risk of the evidence being eroded or lost due to normal operations of an organization before the evidence source is isolated (if that is possible) or an attacker covering his/her tracks when an attack is carried out since evidence is collected before, during and after such an act – collecting evidence after the breach could afford an attacker time to wipe out his tracks before evidence gathering and investigations begin.
eDiscovery on the other hand comes up in the event of litigation or its anticipation, where opposing parties are required to review the others’ digital evidence to assess its quality prior to full court proceedings. eDiscovery may also be viewed as the sum total of the processes involved in a digital investigation including evidence gathering and analysis. eDiscovery works by the reduction of data volume that requires review from a large repository into a manageable and easily reviewable form by extracting only that which is relevant to the case at hand. This is apparent in the electronic discovery reference model (EDRM) which has a yellow triangle with the tip to the right, implying funneling of large amounts data beginning from the right resulting in the minimal quantity the process ends up with.
eDiscovery can be a very delicate issue, its rules and guidelines have to be safeguarded by the litigating parties. The digital evidence has to be forensically sound, timely, relevant, and in the format required by the requesting party or the court; failure to meet up with the rules and guidelines can result in severe consequences for any party that falls short. The case of AMD vs. Intel (2005) is a classic one, Intel failed to provide digital evidence as requested by AMD in good time, which resulted in heavy costs to Intel at the end of the day.
Key Terms in this Chapter
Digital forensics: Digital forensics may also be referred to as cyber forensics, electronic forensics or computer forensics. Digital forensics involves collection, retrieval, analysis, review and storage of digital evidence in a legally acceptable manner usually for civil or criminal investigations and proceedings or in-house investigations. There are different types of digital forensics like disk forensics, memory forensics, network forensics, mobile forensics malware forensics, and so on.
Adverse Inference: An unfavorable judgment against a party in a case arising from failure to provide requested evidence (whether requested by the court or the opposing litigant).
Litigation Hold: Litigation hold is a preservation order requiring an organization to preserve all data that may serve as evidence relating to current or anticipated legal proceedings involving it. This is required to ensure evidence is forensically sound, protected from corruption, damage and destruction. The litigation hold may be issued by an attorney, or issued internally by the organization to its employees. It is usually communicated through the legal department or human resources, to preserve ESI it would be issued to the IT department or end users directly. Preservation of data that has potential of becoming evidence in a legal case should begin once there is an anticipation of litigation.
ESI: ESI stands for electronically stored information. This is data and information that is generated on IT media and devices, like PCs, mobile devices, the Internet, CCTV footage, and so on. ESI is constantly generated in the normal course of operations of an organization and also personal individual use.
Bit Stream Image: A bit stream image of a disk drive is a clone copy of it. It copies virtually everything included in the drive, including sectors and clusters, which makes it possible to retrieve files that were deleted from the drive. Bit stream images are usually used when conducting digital forensic investigations in a bid to avoid tampering with digital evidence such that it is not lost or corrupted.
Chain of Custody: A chain of custody is a document that records all the processes digital evidence passed through from the point of collection through preservation to presentation as evidence in court or other proceedings. It details how the evidence was collected, analyzed, and stored are recorded, including who accessed it, when and why.
eDiscovery: eDiscovery is the process whereby opposing parties in litigation review digital evidence in the other’s possession to assess quality prior to full court proceedings. eDiscovery developed from discovery which involved review of evidence by litigating parties prior to court proceedings. eDiscovery may also be viewed as the sum total processes involved in a digital investigation from collection to analysis and review.
Forensic Readiness: Forensic readiness involves an organization habitually gathering and storing ESI in a forensically sound manner pre-empting an incident where the ESI could serve as potential evidence. The main goal is to maximize the potential of such ESI while minimizing cost and disruption involved in investigation.
Forensically Sound: Digital evidence is said to be forensically sound if it was collected, analyzed, handled and stored in a manner that is acceptable by the law, and there is reasonable evidence to prove so. Forensic soundness gives reasonable assurance that digital evidence was not corrupted or destroyed during investigative processes whether on purpose or by accident.
Predictive Coding: Predictive coding is the use of IT tools and techniques, and workflow processes along with human input to filter out key documents for eDiscovery. This is used to reduce the quantity of non-responsive and irrelevant files contained in ESI that will be subjected to manual review.