
Forensic computing : exploring paradoxes : an investigation into challenges of digital evidence and implications for emerging responses to criminal, illegal and inappropriate on-line behaviours


Abstract

This research thesis explores technical, legal and organisational challenges of digital evidence and the implications of their inter-relationships for responses to criminal, illegal and inappropriate on-line behaviours. From a forensic computing perspective the solutions to these challenges have tended to focus on discrete sets of technical, legal or organisational issues individually. Lack of understanding of the inter-relationships between these issues is inhibiting the development of integrated and coordinated solutions that can effectively balance requirements for the generation of legally admissible digital evidence, e-security and privacy. More significantly, this research highlights that the fragmented nature of these discrete approaches may be impairing the overall effectiveness of the responses developed.

The methodological framework underpinning this exploratory research adopts a subjective ontology and employs an interpretative epistemology. The research strategy involves the examination of three cases on technical, legal and organisational challenges of digital evidence respectively. Each case is analysed independently, and the interpretation and discussion adopts a forensic computing perspective to interpret and discuss the inter-relationships across these areas and to explore the implications for digital evidence and the underlying problematic on-line behaviours. Case A examines the validity of quantitative data collected by running a network intrusion detection system (NIDS), SNORT, on a University network. Case B examines an Australian Federal Court case illustrating legal arguments applied to digital evidence, its discovery and presentation. Case C examines the Cyber Tools On-line Search for Evidence (CTOSE) project, highlighting the difficulties of developing and implementing organisational level processes for digital evidence handling.

Analysis of Case A involves descriptive statistical analysis of network data and reveals significant problems with the validity and quality of the data. The results of the case analysis show that data collected by SNORT are not sufficient to track and trace the sources of the attacks. The analysis also reveals that the data sets collected may be flawed, erroneous or already have been tampered with. Despite significant fine tuning, SNORT continued to generate numerous false positive alerts and/or wrongly identified sources of attacks. This case highlights that intrusion detection systems can play an important role in protecting information systems infrastructure, but to be effective they require the attention of highly trained security personnel/system administrators. These personnel also need to engage in regular monitoring and analysis of alerts and other log files, and to ensure regular updating of the rule sets used by these systems.

Analysis of Case B reveals the impact of legal misconceptualisations about the nature of digital systems on court decisions and on the generation of legal precedents that have potentially broader social implications. The results of the analysis reveal serious flaws in understanding amongst all participants in the case over the nature of digital evidence and how it should best be collected, analysed and presented. More broadly, the judgement also appears to have worrying implications for individual privacy and data protection.

Analysis of Case C highlights the practical challenges faced at the organisational level in the implementation of models and tools for digital evidence handling. The analysis highlights that models and tools that have been developed for handling digital evidence are, by their very nature and complexity, highly problematic to adopt and utilise in organisational settings. A key element that continues to inhibit their use is the lack of early and comprehensive end-user education. The results from this case highlight the critical need for organisations to have greater 'forensic readiness' for dealing with criminal, illegal or inappropriate on-line behaviours.

Bibliographic details

  • Author: Broucek, Vlastimil
  • Year: 2009
  • Original format: PDF
  • Language: en
