On the Trustworthiness of Digital Evidence and How It Can Be Established
In this thesis, we investigate how digital evidence can lose trustworthiness and how trustworthiness can be established. Digital evidence can lose trustworthiness if certain properties of trustworthy evidence are, for some reason, no longer fulfilled. For example, if the provenance of the evidence cannot be traced back, or if the evidence collection process is not transparent, the trustworthiness of the evidence can suffer. Digital evidence can also lose its trustworthiness if the evidence becomes (partially or fully) unreliable because of evidence tampering.
Therefore, we study the loss of trustworthiness through digital evidence tampering by conducting two studies on main memory and browser evidence tampering. Both studies consist of a part conducted with graduate-level students and a second part conducted with teams of professionals. In the part conducted with students, the participants must tamper with the evidence so that an investigator would reach a certain conclusion. Afterward, the students have to analyze a given evidence dump and decide whether it was tampered with or not. Thus, we gain knowledge about how digital evidence tampering can be detected. We repeat the analysis part with teams of professionals in order to study the effect of training and repetition.
Since the trustworthiness of digital evidence can also suffer if the collection process is unclear or incomplete, we study the effect of ambiguous file system structures on common forensic analysis tools and the quality of their analysis results. We show that it is possible to create ambiguous file system partitions, i.e., to create a partition containing several fully functional file systems. Finally, we present four examples where we integrate several file systems into each other. We use these examples to test how common forensic analysis tools handle such ambiguities and whether this leads to a loss of trustworthiness. In addition, we describe how ambiguous file system partitions can be detected and how they should be handled.
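The detection approach the thesis describes for ambiguous partitions reduces, at its simplest, to asking whether more than one file system claims the same partition. The following is an added illustration, not code from the thesis: it scans a partition image for several well-known on-disk signatures at their standard offsets (NTFS and exFAT OEM IDs, FAT type strings, the XFS and ext superblock magics) and flags the image when two or more match. The sample image is constructed inline and deliberately carries both an NTFS boot-sector marker and an ext superblock magic.

```python
"""Flag ambiguous partitions: more than one file-system signature in one partition image."""
import struct

# Known on-disk signatures: (name, byte offset within the partition, expected bytes).
# The offsets are standard layout facts: boot-sector OEM/type fields for the
# FAT family, NTFS and exFAT; block 0 for XFS; the ext superblock at 1024 bytes.
SIGNATURES = [
    ("NTFS", 3, b"NTFS    "),
    ("exFAT", 3, b"EXFAT   "),
    ("FAT12/16", 0x36, b"FAT1"),
    ("FAT32", 0x52, b"FAT32   "),
    ("XFS", 0, b"XFSB"),
    ("ext2/3/4", 1024 + 0x38, struct.pack("<H", 0xEF53)),
]


def find_filesystem_signatures(image: bytes) -> list[str]:
    """Return the name of every file system whose signature appears at its expected offset."""
    found = []
    for name, offset, magic in SIGNATURES:
        if image[offset:offset + len(magic)] == magic:
            found.append(name)
    return found


def is_ambiguous(image: bytes) -> bool:
    """A partition is ambiguous when two or more file systems claim it."""
    return len(find_filesystem_signatures(image)) > 1


def build_sample_image() -> bytes:
    """Constructed sample: a 4 KiB image carrying an NTFS boot-sector marker and an ext magic."""
    buf = bytearray(4096)
    buf[3:11] = b"NTFS    "            # NTFS OEM ID in the boot sector
    buf[0x1FE:0x200] = b"\x55\xAA"     # boot-sector end marker
    buf[1024 + 0x38:1024 + 0x3A] = struct.pack("<H", 0xEF53)  # ext superblock magic
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_image()
    print(find_filesystem_signatures(sample))   # ['NTFS', 'ext2/3/4']
    print("ambiguous:", is_ambiguous(sample))   # ambiguous: True
```

A signature hit only shows that a file system driver could mount the partition as that type; whether each embedded file system is actually consistent is a separate check, so a hit list with two or more entries is a trigger for closer analysis rather than a verdict.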
Establishing the provenance of digital evidence is essential for forensic purposes; without it, no statement can be made about how data got onto a storage device. Poor sanitization practices were reported for second-hand HDDs a long time ago, but recently it has also been reported that data from previous owners could be found on newly purchased flash-based storage devices. The problem appears to stem from poor, or absent, data sanitization during informal NAND flash chip recycling. This has a major impact on the trustworthiness of digital evidence, as it can lead to situations where the provenance of found data becomes unclear. Therefore, we conducted the first large-scale study of newly purchased USB drives containing old data originating from NAND flash chip recycling. We forensically analyzed 1,211 low-cost USB drives purchased from Chinese suppliers and 435 higher-priced branded USB drives from German suppliers to assess the risk of finding data originating from chip recycling.
Furthermore, we developed a formal model, called LAYR, that can be used to establish trustworthiness, improve forensic analysis results, and combine different forensic analysis and reconstruction techniques in novel ways. The model formalizes the interpretation and analysis of data across several different abstraction layers and uses the insights we gained from studying the loss of trustworthiness to create a traceable, transparent, and repeatable digital evidence analysis and collection process.