As some of you already know, I am currently enrolled in a graduate program at New York University to earn my master's degree in cybersecurity. My main interest is in digital forensics, so this has been my focus when it comes to research projects. Back in January, I shared my first project with you — an extended abstract titled, “The Role of Digital Forensics in Criminal Investigations.”
Turns out, I’m not the only one interested in this because that ended up being one of our most popular articles. So, with that being said, I invite you to join me on my journey as I continue to explore this area.
Below you will find my second abstract that expands on this idea and takes a deeper dive into the investigators themselves and the operating systems they analyze.
Since it's best practice in the science community to make research available for peer review, I’d love to hear your thoughts. Please feel free to email me to share your feedback or to offer insights into other problem domains.
Abstract — Although the digital transformation has unfolded rapidly across the globe, impacting virtually every industry and individual in ways both large and small, the role of digital forensics in criminal investigations is still a foggy, gray area. While digital evidence can be used as a tool to guide investigators on the right path, it can also lead them blindly in the wrong direction. Unfortunately, even a small error in the identification, collection, analysis, interpretation, documentation, validation, preservation, and/or presentation of digital evidence can have dire consequences, resulting in the wrongful conviction of innocent suspects. This paper demonstrates the need for law enforcement, legal teams, government organizations, and educational institutions, among others, to employ digital forensics experts who specialize in the particular operating system or systems they will be working on.
I. Introduction
The fact that technology has become integrated into nearly every aspect of our daily lives means that every crime will have some sort of digital dimension [1].
Computers are even being used to target the criminal justice system itself [1]. And, while efforts are being made to standardize a framework for digital forensics investigations, current models are still lacking in one area or another [2].
But, regardless of the steps and the order in which they appear, every digital forensics investigation requires a digital forensics investigator. If that sounds like a broad term, that’s because it is.
Just like detectives have specialties — homicide, robbery, insurance fraud, missing persons, etc. — digital forensics investigators should too. For example, some digital forensics investigators are experts in macOS but not Windows or Linux. Likewise, some are proficient in home security systems while others shine when it comes to critical infrastructure. Whether it comes from a smartphone, IoT device, personal computer, private network, public infrastructure, or elsewhere, digital evidence must be extracted, and it must be done expertly so as not to diminish the integrity of the data.
The purpose of this paper is to explore whether or not digital evidence can be misinterpreted or lost when applying principles from one operating system to another.
Section II includes related research and how it differs from my proposal. In Section III, I share a motivating example. My hypothesis and empirical evidence are presented in Section IV. And, finally, in Section V, I conclude the findings of my research and discuss future work.
II. Motivating example
The Innocence Project is a nonprofit organization that exonerates wrongly convicted individuals and promotes the reformation of the criminal justice system to prevent similar cases of injustice from occurring in the future [5]. The misapplication of forensic science contributed to 52% of wrongful convictions in Innocence Project cases. False or misleading forensic evidence was a contributing factor in 24% of all wrongful convictions nationally, according to the National Registry of Exonerations, which tracks both DNA- and non-DNA-based exonerations [6].
III. Hypothesis and evidence
Since operating systems and the forensic tools available for them vary, I believe there should be separate frameworks for each operating system, so the steps can be described in detail rather than given as a broad generalization. My hypothesis is that certifying individuals as digital forensics experts in general and giving them one basic framework to follow in criminal investigations, as opposed to certifying experts in particular operating systems and creating a detailed framework for them to follow, results in a high risk score across the identification, collection, analysis, interpretation, documentation, validation, preservation, and presentation of digital evidence as a branch of the criminal investigation process.
For the purposes of this paper, I limited the scope to just the Windows, Linux, and macOS operating systems. I used threat modeling to measure the risk posed by a digital forensics investigator who works primarily with Windows (since that is the most popular operating system in use by a long shot) and identified the vulnerabilities present when they try to apply their knowledge to the other operating systems. I compared 12 areas that have a significant impact on digital forensics investigations to see if the analysis techniques would translate across systems.
Using the DREAD and STRIDE methods to measure the risk, I was able to determine that my original hypothesis was correct. The DREAD ranking system classifies a score of 5-7 as low, 8-11 as medium, and 12-15 as high. For this particular project, since there are 12 areas of focus, the scoring system is as follows: 60-84 is low, 96-132 is medium, and 144-180 is high. The results are shown below in Table 1.
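As an added example (not code from the abstract), the DREAD scoring described above can be applied per area and then aggregated over the 12 areas. The five component names are the standard DREAD categories, the 1-3 per-component scale is inferred from the stated 5-15 per-area range, and the area names and ratings below are constructed placeholders rather than the contents of Table 1.

```python
# DREAD components; each is rated 1 (low) to 3 (high), which is what a
# per-area range of 5-15 implies.
DREAD_COMPONENTS = ("damage", "reproducibility", "exploitability",
                    "affected_users", "discoverability")

# Per-area bands as given in the abstract: 5-7 low, 8-11 medium, 12-15 high.
AREA_BANDS = {"low": (5, 7), "medium": (8, 11), "high": (12, 15)}
# Aggregate bands for 12 areas as given: 60-84 low, 96-132 medium, 144-180 high.
TOTAL_BANDS = {"low": (60, 84), "medium": (96, 132), "high": (144, 180)}


def dread_score(scores: dict) -> int:
    """Sum the five DREAD components for one area, validating each rating."""
    total = 0
    for name in DREAD_COMPONENTS:
        value = scores[name]
        if not 1 <= value <= 3:
            raise ValueError(f"{name} must be rated 1-3, got {value}")
        total += value
    return total


def classify(score: int, bands: dict) -> str:
    """Map a score onto a band; scores between bands (e.g. 85-95) are flagged."""
    for label, (lo, hi) in bands.items():
        if lo <= score <= hi:
            return label
    return "unclassified"  # the stated aggregate bands leave gaps at 85-95 and 133-143


def assess(areas: dict) -> dict:
    """Score and classify every area, then classify the 12-area total."""
    per_area = {name: dread_score(s) for name, s in areas.items()}
    total = sum(per_area.values())
    return {
        "per_area": {n: (s, classify(s, AREA_BANDS)) for n, s in per_area.items()},
        "total": total,
        "total_band": classify(total, TOTAL_BANDS),
    }


def sample_assessment() -> dict:
    """Constructed sample: 12 hypothetical areas, 8 rated high and 4 medium."""
    high = dict(zip(DREAD_COMPONENTS, (3, 3, 3, 2, 3)))    # 14 -> high
    medium = dict(zip(DREAD_COMPONENTS, (2, 2, 2, 2, 2)))  # 10 -> medium
    areas = {f"area_{i:02d}": (high if i < 8 else medium) for i in range(12)}
    return assess(areas)
```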
IV. Conclusion and future work
Based on the risk assessment, my original hypothesis was correct. I was able to identify 12 areas that play key roles in digital forensics investigations and that differ significantly across operating systems. This means that a digital forensics expert who specializes in Windows – the most widely used operating system – could, in fact, overlook, misinterpret, or destroy data while attempting to recover or collect digital evidence from one of the other operating systems.
Future work of this project should include a risk assessment with several parties involved, including but not limited to law enforcement from various geographical areas, lawyers, judges, lawmakers, cybersecurity experts, and the general public. This should be done with a series of groups, across all types of operating systems, so the results can be combined to provide a more thorough assessment. Once this is complete, careful consideration should be given to each threat in order to implement risk mitigation strategies.
The most critical threat based on my findings is that Windows is by far the leading operating system. While this means that it’s more likely criminal investigations will involve several Windows devices, it doesn’t change the fact that digital forensics analysts are presented in court as “experts,” and their findings often play a pivotal role in convictions.
You would not go to a “health expert” to have a spinal tumor removed — you’d go to a neurosurgeon. The criminal justice system shouldn’t rely on generic digital forensics experts — it should rely on digital forensics experts who specialize in the operating systems and/or devices that house the digital evidence they’re being trusted with.
V. References
[1] E. Casey, Digital Evidence and Computer Crime, Baltimore: Elsevier Inc., 2011.
[2] M. Reith, C. Carr and G. Gunsch, "An Examination of Digital Forensic Models," International Journal of Digital Evidence, vol. 1, no. 3, p. 12, 2002.
[3] R. S. Ieong, "FORZA - Digital forensics investigation framework that incorporate legal issues," Digital Investigation, vol. 3S, pp. 29-36, 2006.
[4] J. Sachowski, Digital Forensics and Investigations: People, Process, and Technologies to Defend the Enterprise, Boca Raton, Florida: Taylor & Francis Group, 2018.
[5] The Innocence Project, "The Innocence Project - About," MADEO, 2021. [Online]. Available: https://innocenceproject.org/about/. [Accessed 2 December 2021].
[6] The Innocence Project, "The Innocence Project - Overturning Wrongful Convictions Involving Misapplied Forensics," MADEO, 2021. [Online]. Available: https://innocenceproject.org/overturning-wrongful-convictions-involving-flawed-forensics/. [Accessed 2 December 2021].