Forensic computing : exploring paradoxes : an investigation into challenges of digital evidence and implications for emerging responses to criminal, illegal and inappropriate on-line behaviours

This research thesis explores technical, legal and organisational challenges of digital evidence and the implications of their inter-relationships for responses to criminal, illegal and inappropriate on-line behaviours. From a forensic computing perspective the solutions to these challenges have tended to focus on discrete sets of technical, legal or organisational issues individually. Lack of understanding of the inter-relationships between these issues is inhibiting the development of integrated and coordinated solutions that can effectively balance requirements for the generation of legally admissible digital evidence, e-security and privacy. More significantly, this research highlights that the fragmented nature of these discrete approaches may be impairing the overall effectiveness of the responses developed. The methodological framework underpinning this exploratory research adopts a subjective ontology and employs an interpretative epistemology. The research strategy involves the examination of three cases on technical, legal and organisational challenges of digital evidence respectively. Each case is analysed independently and the interpretation and discussion adopts a forensic computing perspective to interpret and discuss the inter-relationships across these areas and to explore the implications for digital evidence and the underlying problematic on-line behaviours. Case A examines the validity of quantitative data collected by running a network intrusion detection system (NIDS) SNORT on University network. Case B examines an Australian Federal Court case illustrating legal arguments applied to digital evidence, its discovery and presentation. Case C examines the Cyber Tools On-line Search for Evidence (CTOSE) project highlighting the difficulties of developing and implementing organisational level processes for digital evidence handling. Analysis of Case A involves descriptive statistical analysis of network data and reveals significant problems with the validity and quality of the data. The results of the case analysis show that data collected by SNORT are not sufficient to track and trace the sources of the attacks. The analysis also reveals that the data sets collected may be flawed, erroneous or already have been tampered with. Despite significant fine tuning, SNORT continued to generate numerous false positive alerts and/or wrongly identified sources of attacks. This case highlights that intrusion detection systems can play an important role in protecting information systems infrastructure, but to be effective they require the attention of highly trained security personnel/system administrators. These personnel also need to engage in regular monitoring and analysis of alerts and other log files, and to ensure regular updating of the rule sets used by these systems. Analysis of Case B reveals the impact of legal misconceptualisations about the nature of digital systems on court decisions and on the generation of legal precedents that have potentially broader social implications. The results of the analysis reveal serious flaws in understanding amongst all participants in the case over the nature of digital evidence and how it should best be collected, analysed and presented. More broadly, the judgement also appears to have worrying implications for individual privacy and data protection. Analysis of Case C highlights the practical challenges faced at the organisational level in the implementation of models and tools for digital evidence handling. The analysis highlights that models and tools that have been developed for handling digital evidence are by their very nature and complexity highly problematic to adopt and utilise in organisational settings. A key element that continues to inhibit their use is the lack of early and comprehensive end-user education. The results from this case highlight the critical need for organisations to have greater 'forensic readiness' for dealing with criminal, illegal or inappropriate on-line behaviours.