Glen Dario Rodriguez And Fernando Molina, Digital Forensics Researchers

Tell us a bit about your backgrounds and how you came to be interested in digital forensics.

Fernando: I work as a computer expert and teacher in the computer area. In my work experience, I have found that digital forensics is a pending issue. Additionally, there is the global phenomenon of continuous growth of cybercrime, the high number of trials where digital evidence is not admitted due to erroneous manipulation or technological change, as well as a personal commitment to improve delivery of justice; those are factors that motivate a deeper study on techniques, processes and models that collaborate with digital forensics.

Glen: My original background is wireless communication research. I did my PhD on propagation of 3G mobile communications. An important issue in the wireless industry is security of communications. After a few years, I began to move slowly onto the wireless and network security area, protocols, etc. When Fernando began his PhD, he asked me to become his research advisor, and he proposed to research in the area of digital forensics and management of evidence. Then I clearly saw the need to address it and accepted his proposal.

You recently published a new model for digital evidence preservation in criminal research institutions. Why is this such a critical area of research?

Fernando: Currently, any digital device that is part of the life of a person or institution can generate information that can become valuable evidence in the event of a security incident; it could be a photograph, a document, a geo-location record, a text message, an email or even a phone number registered as part of a call.

This evidence is useful to investigate cases related to cybercriminal activities or computer attacks; the problem is that often the collection, management and preservation of this information are not carried out properly.


For this information to become evidence, forensic computer processes must be applied. Once the information on the devices has been obtained, it is very important to maintain and preserve said information from the beginning of the process, during the investigation and until the end of the trial or investigation to ensure that there is no contamination, damage, alteration, or manipulation of the evidence and in this way, maintain integrity and reliability in the process.

Digital preservation is a process used by institutions that have the responsibility of guarding long-term data. It includes techniques and skills in the field of information science and information technology. One of the benefits of digital preservation is to make the digital material of these entities accessible at any future time, regardless of whether this digitally available material was created digitally from its origin or generated from analogue material. Institutions or personnel that require the preservation of digital material include hospitals, libraries, museums, prosecutor offices, criminal investigation institutions or any other entity that has the responsibility or legal obligation to safeguard digital data. Digital preservation at the beginning had historical implications. It was created in order to preserve digital cultural inheritance in digital libraries.

In the forensic field, the preservation of digital evidence is an aspect of special importance now for deciding the admissibility of said evidence in a current judicial process, or in a future process, reopened by appeals, or as a source of historical information. Although the first reason that led to the collection of evidence about a criminal case is the resolution of that case, the process can be started months later; the personnel must clearly document how the evidence has been preserved after its collection. Or, if the case is reopened in the future, or if some information is required for other judicial processes as a reference.

In preservation, it is essential to define methods, procedures, and adequate models for the handling of evidence. Finally, the technological implications have a high impact on digital preservation, since it affects both the different processes and the data preservation model in an information unit.

In an institution that carries out digital preservation processes, if the adequate technology is not available to support the preservation of data, such preservation processes cannot be executed. In any case, there is no generally accepted technological model, although standards and practical criteria have been created in the first decade of this century. In the case of criminal investigation institutions, there is a need for a comprehensive approach to digital preservation, in order to better guarantee the integrity of evidence and increase its admissibility before the courts. The approach should also support long-term preservation techniques, focused on the management of the archives.

Glen: The long-term preservation is a neglected issue in criminal justice administration. Many law enforcement organizations are good at collecting and presenting evidence, but do not have the foresight to keep all information and technical environment needed to access the evidence in a long term future. In computing, long term could mean 10 or 15 years. For example, what good is it to keep an image file if the file format is not an open standard and the format's proprietor went out of business? How do you open it when the last version available of the viewer software is so old that it is not compatible with your modern operating system?

In one criminal case, the evidence was ruled out because law enforcement presented the evidence using different software than the suspect was using. The original software was not available to the prosecutors nor the police. The defense lawyer convinced the judge that there was no guarantee that the file was rendered exactly in the same form that the creator (the suspect) crafted it.

Can you briefly outline your model, PREDECI?

Glen: PREDECI is an acronym for "PREservation model for Digital Evidence in Criminal research Institutions" and it is based on the OAIS model. OAIS means Open Archival Information System, and it is a reference or conceptual model for long-term management and preservation of documents. It was created to support preservation of documents in digital libraries. It has been used at the USA Library of Congress, British Library, the Bibliothèque nationale of France, the JSTOR journal archive and many other important institutions and projects. But the challenges of preservation in justice administration are quite different from those in libraries.

Fernando: PREDECI is a reference model for the preservation of digital evidence in criminal investigation institutions that have the responsibility of guarding it in the long term to increase the admissibility of digital evidence in court or the availability of evidence to a community designated for the handling of evidence, and guarantees the fidelity and integrity of the same in the long term. PREDECI is aligned to most responsibilities determined in laws and regulations for this environment, and it is based on the OAIS preservation model and metadata concepts.
Our previous research indicates that OAIS must include fourteen new aspects for becoming suitable in the criminal investigation environment:

1. Legality of the evidence, that the evidence complies with the legal provision for preservation.
2. Confidentiality, as defined by ISO: “ensuring that information is accessible only to those authorized to have access”.
3. Intake quality control, allowing the validation of formats, contents, or active applications (e.g.: virus).
4. Partial intake, allowing the receipt of information or content divided into parts. It allows you to inherit data or receive new data from other trusted systems. It allows you to update incremental data.
5. Preservation of metadata of the evidence’s environment. It provides technical and descriptive information about the environment of the collection of evidence, allows you to demonstrate that data have a legal support, that there is someone in charge of the contents of the data and there is a complete specification of the environment where the digital evidence was generated.
6. Transmission of digital evidence (Archival Information packages or AIP, Submission Information Packages or SIP, and Dissemination Information Packages or DIP).
7. Museum of Tools. It allows you to preserve tools (e.g.: software) used to access digital objects. The metadata of the object maintains information about the tool that will be used.
8. Guarantee the integrity of the original, establish additional techniques for the security, integrity, reliability, and accessibility of the data (imposed by the organization). Documents the authentication mechanisms and provides authentication information to ensure that the content is not modified in an undocumented manner. It allows you to certify the original data or implement another monitoring mechanism for access.
9. Distributed storage. It allows you to store data in shared repositories.
10. Terminology; it allows you to use terms of interpretation that are unique to this environment.
11. Risk assessment; it allows you to determine and to monitor risks (threats, consequences, threshold).
12. Preservation time, in order to determine the conservation time horizon (the institution must decide if it will keep the evidence until some change in technology, until discontinuation of use, for a limited number of years, or “forever”).
13. Certifications of the strategy. It establishes the digital certificates with an applied conservation strategy or a combination of them (migration, emulation, encapsulation, re-engineering approaches, not digital).
14. Traceability and Continuity of preservation, that is, the ability to reconstruct the history of the use or location of an item through registered identification, control, and recording of any transaction.

In addition, the option to update content already entered must be eliminated from the OAIS model, because the evidence must remain intact.
PREDECI provides a framework for the understanding and greater awareness of the concepts necessary for the preservation of digital evidence in the long term, including terminology and concepts, to describe and compare architectures.

The model addresses the preservation functions of the OAIS model, including fundamental aspects in the environment of criminal investigation institutions, maintaining the global structure such as intake, administration of preservation, storage, data management, preservation plan, access. It also addresses the preservation of the evidence creation environment, and the ability to increase evidence, as well as managing digital evidence in external trust repositories, very different from having a single file, a single technique or a single strategy as proposed by OAIS.

PREDECI uses some functions and procedures of the OAIS model:

a) The functional entity "INGEST", that provides the storage capacity to receive a producer's SIPs (e.g.: an email retrieved by a detective), which can be delivered via electronic media or simply mounted on a justice administration file system. This function represents a legal transfer of custody of the information contained in the SIP and may require special access controls on the content. It maintains data formats, standards, and standards documentation of the digital evidence. It does not involve file format conversions, because that could be considered as an alteration of evidence by many judges.

b) The functional entity “DATA MANAGEMENT”, responsible for creating any chart or table definitions required to support data management functions; to provide the capability of creating, maintaining, and accessing customized user views for the contents of this storage; and to provide internal validation (for example, referential integrity) of the contents of the database.

c) Functional entity “ACCESS” deals with co-ordinated accessing to copies of the evidence, validating profile of consumers (users viewing evidence) and managing the responsibilities and liabilities.

d) The functional entity “STORAGE”, for moving AIPs to permanent storage after ingestion, backup management, failure recovery, error checking.

e) The functional entity “PRESERVATION PLANNING” deals with development of strategies, standards, and risk assessment to enable file exchanges; and with the making of informed exchanges that set standard policies and manages the infrastructure of the system. This function provides the analysis of periodic risk management to address the risks and to make possible mitigation of those risks.

In all functional entities, the relationships between the entities considered by OAIS are maintained.

Glen: PREDECI adds transversal monitoring activities to OAIS. For example, a piece of evidence can be ingested only with previous approval of some competent authority and the verification of the producer's profile. The received SIPs undergo quality control, including extracting metadata, environmental information (operating system, hardware, software version, etc.).

There is also an activity designed for certifying that the preservation techniques, strategies and standards meet policies and laws.
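The ingest, integrity and traceability behaviour described in the answers above, as an added illustrative example; this is not the authors' PREDECI web tool nor code from the page. It models a SIP becoming an AIP: ingest requires prior approval, the declared format must map to a preserved viewer (the "museum of tools"), the content is kept byte-for-byte with a SHA-256 digest fixed at intake, environment metadata travels with it, re-ingesting an existing item is refused (no in-place update), and every transaction lands in an append-only custody log. The evidence identifier, the sample e-mail, the role names and the format/tool registry are all constructed for the example.

```python
"""Illustrative evidence archive: ingest, verify, disseminate, custody history.

Added example only; names, roles and sample data are constructed, not real.
"""
import hashlib
from datetime import datetime, timezone


class ImmutableEvidenceError(Exception):
    """Raised on any attempt to replace content that is already archived."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceArchive:
    """Minimal INGEST / STORAGE / ACCESS model with an append-only trace log."""

    def __init__(self, known_formats):
        # format identifier -> record of the preserved tool able to open it
        self._tools = dict(known_formats)
        self._aips = {}     # evidence_id -> archival package (never rewritten)
        self._trace = []    # every transaction, in order, never truncated

    def _log(self, action, evidence_id, actor, detail=""):
        self._trace.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "evidence_id": evidence_id,
            "actor": actor, "detail": detail,
        })

    def ingest(self, sip, producer, approved_by):
        """Turn a SIP into an AIP. Needs approval; no format conversion is done."""
        evidence_id = sip["evidence_id"]
        if approved_by is None:
            self._log("ingest_rejected", evidence_id, producer, "no approval")
            raise PermissionError(f"ingest of {evidence_id} not approved")
        if sip["format"] not in self._tools:
            self._log("ingest_rejected", evidence_id, producer, "unknown format")
            raise ValueError(f"no preserved tool for format {sip['format']}")
        if evidence_id in self._aips:
            self._log("ingest_rejected", evidence_id, producer, "already archived")
            raise ImmutableEvidenceError(f"{evidence_id} is already archived")
        content = bytes(sip["content"])           # stored exactly as received
        aip = {
            "evidence_id": evidence_id,
            "content": content,
            "sha256": sha256_hex(content),        # digest fixed at intake
            "format": sip["format"],
            "tool": self._tools[sip["format"]],   # which preserved viewer opens it
            "environment": dict(sip["environment"]),  # OS, software, host at collection
            "legal_basis": sip["legal_basis"],    # warrant / order reference
            "ingested_by": producer,
            "approved_by": approved_by,
            "ingested_at": datetime.now(timezone.utc).isoformat(),
        }
        self._aips[evidence_id] = aip
        self._log("ingest", evidence_id, producer,
                  f"sha256={aip['sha256']} approved_by={approved_by}")
        return aip

    def verify(self, evidence_id):
        """Recompute the digest over stored bytes and compare with the intake digest."""
        aip = self._aips[evidence_id]
        ok = sha256_hex(aip["content"]) == aip["sha256"]
        self._log("verify", evidence_id, "system", "ok" if ok else "DIGEST MISMATCH")
        return ok

    def disseminate(self, evidence_id, consumer):
        """Build a DIP: a copy of the AIP, with the access recorded against the consumer."""
        aip = self._aips[evidence_id]
        self._log("access", evidence_id, consumer)
        return dict(aip)  # shallow copy; the bytes object itself is immutable

    def custody_history(self, evidence_id):
        return [e for e in self._trace if e["evidence_id"] == evidence_id]


def demo():
    """Constructed walk-through; returns the observable results for checking."""
    archive = EvidenceArchive({"message/rfc822": "mail-viewer 2.1 (archived image)"})
    sip = {  # constructed sample, not real evidence
        "evidence_id": "CASE-0001/ITEM-03",
        "content": b"From: a@example.org\r\nTo: b@example.org\r\n"
                   b"Subject: meeting\r\n\r\nSee you at 9.\r\n",
        "format": "message/rfc822",
        "environment": {"os": "Windows 10 19045", "client": "Outlook 16.0", "host": "WS-12"},
        "legal_basis": "Order 2024-17",
    }
    aip = archive.ingest(sip, producer="det.perez", approved_by="prosecutor.ruiz")
    intact = archive.verify(aip["evidence_id"])
    try:
        archive.ingest(sip, producer="det.perez", approved_by="prosecutor.ruiz")
        duplicate_rejected = False
    except ImmutableEvidenceError:
        duplicate_rejected = True
    dip = archive.disseminate(aip["evidence_id"], consumer="judge.lopez")
    return {"sha256": aip["sha256"], "intact": intact,
            "duplicate_rejected": duplicate_rejected, "dip_tool": dip["tool"],
            "history": [e["action"] for e in archive.custody_history(aip["evidence_id"])]}


if __name__ == "__main__":
    print(demo())
```

The point of the digest is not secrecy but a fixed reference: `verify` detects silent corruption or tampering of the stored bytes, and the custody log shows who ingested, checked and viewed the item and in which order. A production system would additionally sign or timestamp the log entries so the log itself cannot be rewritten.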

One of the challenges about large-scale digital forensic investigations is that they often transcend state (or even national) laws. Is this something PREDECI can help address, and if so, how?

Fernando: PREDECI can be considered a frame of reference for future research and diverse application environments. It has a flexible structure that allows adaptation.

PREDECI can be extrapolated to all nations that maintain a judicial system of common law, civil law or other.

Glen: If the evidence is to be shared with a foreign law enforcement body, there is a risk that some information about the environment of the evidence or the circumstances of its collection and usage was not considered important in the country of origin and, therefore, it was not recorded. PREDECI could help multi-national justice administration in the sense that it obliges law enforcement agencies to store metadata about the evidence and its environment, even if that information is not of immediate use.

In which kinds of situations is PREDECI designed to be used?

Fernando: The PREDECI model may be applicable to any digital file, especially applicable to organizations with the responsibility to preserve, or guard or make available reliable digital evidence in the long term, which maintains its informational context. This includes organizations with other responsibilities, such as processing and distribution.

Did you come across any surprising results in the course of your research?

Fernando: In the field of digital preservation, many projects work in specific areas, mostly in national libraries and archives; this suggests that there are areas where digital preservation has not been applied considering the specific needs of each application environment. The existence of several projects and standards demonstrates the importance of digital preservation and the need to improve existing projects adjusting to the circumstances of each institution.

In criminal investigation institutions, very little progress has been made in terms of models for the preservation of evidence to ensure the long-term admissibility of evidence. Currently, most countries have laws on computer crimes, although very few of them regulate the process of preservation of digital evidence for admissibility before the courts.

Many digital conservation models focus on specific aspects, but do not consider that digital evidence requires digital technology to preserve the environment, as well as additional content related to ensure its admissibility, thus avoiding manipulation, and that the evidence must be considered as a single information unit or “data package”.

For the validation of the model, data was collected from the personnel involved in the justice system of Ecuador, who evaluated PREDECI on four dimensions: (a) Organizational infrastructure, (b) Administration of digital objects, (c) Infrastructure management and security risks, and (d) Management of integrity aspects in criminal investigation institutions. They assigned average ratings above 4 of 5 points in all dimensions. We did not expect this positive reaction to our proposal.

Glen: There was also a bit of surprise regarding the attitudes of judges and prosecutors vs justice administration’s technical personnel. The first group considered the management of infrastructure as a lesser concern, but they valued positively a web-based software tool we created in order to support PREDECI functions.

Are you working on any new research projects at the moment?

Fernando:

• Adaptation of the PREDECI model to different domains of the government besides criminal justice but with functions similar to the judiciary or the prosecutors (e.g.: regulation agencies, ombudsman).
• Implementing the PREDECI model in more countries with different legal systems, to prove the global appeal of this model.
• Preservation of digital evidence in the cloud.

Glen: I have a project, with another student, about integration of data sources and data streams in networks, in order to collect evidence of hackers’ activities in an integrated format. And a second project regarding human factors affecting security on smartphones.

Finally, when you're not researching, what do you enjoy doing in your spare time?

Fernando: Hehehe, there is not much free time, but I try to take advantage of it with my family, in walks and activities outside of my city, likewise I dedicate a little of that time to classic cars.

Glen: I am a bit of a gourmet / foodie. I like to explore and try different food at different restaurants. I live in Lima, Peru, considered the Gastronomy Capital of South America, with 2 restaurants in the top 10 of best restaurants in the world, and 3 in the top 50.

Fernando Tiverio Molina Granja, an Ecuadorian born in 1974, is a Systems Engineer with a Master's degree in Applied Informatics and an MSc. in Distance Education and E-learning.

He got his PhD in Systems and Informatics Engineering at National University Major of San Marcos, of Perú. He has worked as a university teacher for the past 20 years. He has presented research works and papers at national and international events and has written a book regarding the science and technology of informatics. He was a president of the System, Informatics, and Computer Engineers Association of Chimborazo, was a director of the School of System and Computer Engineering at Universidad Nacional de Chimborazo, and a member of research groups in Ecuador and Latin America.

Fernando on ResearchGate | fmolina@unach.edu.ec

Glen Rodriguez was born in Lima, Peru. He received the B.S. degree in system engineering from the Universidad Nacional de Ingenieria, Lima, Peru, in 1994, and the M.E. degree in information and computer science engineering and the Ph.D. degree in electronic and information engineering from the Toyohashi University of Technology, Toyohashi, Japan, in 2001 and 2004, respectively. Since 2006, he has been a Lecturer and later a Professor with the Universidad Nacional de Ingenieria. He also teaches in the Graduate School of Universidad Nacional Mayor de San Marcos, Lima. His research interests are search-based software engineering, mobile communications, and information security.

Glen on ResearchGate | grodriguez@uni.edu.pe