
Embedded Device Forensics

One of the greatest challenges facing digital forensics is the proliferation of consumer-grade electronic hardware and embedded devices. Forensic investigators have had decades to develop tools and techniques for analyzing magnetic disks, but newer technologies such as Solid State Drives (SSDs) are far less well understood and have few forensic tools capable of analyzing them. An SSD's controller, for example, relocates and erases blocks on its own through wear leveling and garbage collection, regardless of what the operating system or the examiner does, so assumptions that held for magnetic media, such as deleted data persisting until it is overwritten, no longer hold.

Vassilakopoulos Xenofon discussed this challenge in his paper “GPS Forensics, A systemic approach for GPS evidence acquisition through forensics readiness”: “The field of digital forensics has long been centered on traditional media like hard drives. Being the most common digital storage device in distribution it is easy to see how they have become a primary point of evidence. However, as technology brings digital storage to more devices with ever growing storage capacity, forensic examiners have needed to prepare for a change in what types of devices hold a digital fingerprint. Cell phones, GPS receivers and tablets are so common that they have become standard in today’s digital examinations. These small devices carry a large burden for the forensic examiner, with different handling rules from scene to lab and with the type of data being as diverse as the suspects they come from. Handheld devices are rooted in their own operating systems, file systems, file formats, and methods of communication. Dealing with this creates unique problems for examiners” [4].

Electronic Discovery (eDiscovery)

Electronic discovery, or eDiscovery, refers to legal counsel gaining access to pertinent electronic information during the pre-trial discovery phase of civil legal proceedings. The general purpose of discovery is to gather potential evidence for building a case. eDiscovery differs from traditional discovery in that it seeks ESI, or electronically stored information, which is typically acquired through a forensic investigation. While the difference between traditional discovery and eDiscovery might seem minuscule, given the vast quantities of electronic data that organizations store, eDiscovery can prove logistically and financially cumbersome.

Some of the challenges associated with eDiscovery stem from the seemingly innocuous backup policies of organizations. While long-term storage of computer information has generally been thought to be a sound practice, this data is discoverable. To be discoverable, which simply means open for legal discovery, ESI does not need to be conveniently accessible or transferable. The onus falls on the organization to produce the data to opposing counsel with little to no regard to the cost incurred by the organization to actually provide the ESI.

Appropriate data retention policies, and perhaps software and systems designed to facilitate eDiscovery, can greatly reduce the burden on an organization that is required to provide ESI for discovery. When designing a data retention policy, consider not only how long information must be kept, which has typically been the focus, but also how long the organization actually needs that information to be accessible. Data for which there is no longer a need should be purged according to the policy; data that no longer exists because the policy required its destruction cannot be produced in discovery. One caveat: once litigation is pending or reasonably anticipated, relevant data must be preserved (a litigation hold), and purging it at that point, even under an existing retention policy, exposes the organization to sanctions for spoliation of evidence.

Please see the “Legal and Regulatory Issues” section of Chapter 2, Domain 1: Security and Risk Management, for more information on related legal issues.