Digital Forensics and Enforcement of the Law
By Alison Lytle, Noah Stephens, James Conner, Sajad Bashiri, and Steve Jones, PhD
Ball State University, Center for Information and Communication Sciences
IEEE Internet Policy Newsletter, March 2018
Digital forensics is a critical aspect of modern law enforcement investigations, and deals with how data is gathered, studied, analyzed, and stored. This includes the recovery and investigation of data found in electronic devices. Due to the nature of flash memory, and a lack of sufficient protocols in place to outline effective data-retrieval techniques for solid state discs (SSDs) and universal serial bus (USB) flash drives, data forensic examiners face many challenges that sometimes impede their ability to operate successfully. In addition to the numerous technical complications that investigators face, there are also many legal matters to consider. These legal issues are not secondary considerations whereas having valid search authority is a primary requirement. It is important not to overlook or minimize the importance of the legal difficulties surrounding digital forensics investigations.
The Fourth Amendment Protection Act protects against unlawful search and seizure and serves as a deciding factor in all governmental investigations. Any evidence obtained in violation of the Fourth Amendment is inadmissible in a court of law. The Fourth Amendment does not apply to certain aspects of information access by law enforcement, such as information that is knowingly given to others, like on a shared drive. Private searches are not covered as well, and information found by private citizens, like computer technicians, is admissible in a court of law.
In Katz v. United States (1967), the U.S. Supreme Court ruled that intrusion through technology counted as a search and extended Fourth Amendment protection to any area that an individual has a reasonable expectation of privacy. This privacy is ultimately based on what society would deem reasonable. If the expectation for privacy is reasonable, a search warrant must be obtained before seizure, unless the search meets one of the six documented exceptions to the warrant requirement. One of these exceptions is consent. With authorized and voluntary consent, a search is legally permissible. Keep in mind that consent can come with restrictions that must be abided by. Also, consent can be revoked at any time, however, the cessation does not apply to any copies that were made because a defendant does not have a reasonable expectation of privacy with a forensic clone.
When it comes to complicated issues such as how to search the vast amount of information that can be stored on a computer, and the numerous ways in which it can be stored, it seems the courts often differ in opinion. Consider the opposite rulings given in United States v. Slanina (2002) and United States v. Walser (2001), concerning how individual files should be viewed regarding privacy. In United States v. Slanina, the Fifth Court of Appeals ruled that defendants no longer have a reasonable expectation of privacy regarding separate files, if a proper search is conducted on a portion of a disk. Alternatively, in United States v. Walser, the Tenth Circuit Court of Appeals ruled that there was potential for “intermingling” due to the vast amount of information stored in a computer, and that invasion of privacy could occur during a search.
There are many important cases that can be discussed in terms of privacy and governmental reach. One such case is United States v. Kim (2015), in which the government seized a laptop from Kim as he was leaving on an international flight in 2012. The laptop’s hard drive was copied and searched, revealing evidence of arms dealing. The case was dropped after a federal court found that the agents lacked authority to conduct a warrantless search, and had violated Kim’s right to privacy, and ultimately barred the evidence. The court cited the Supreme Court’s observation in Riley v. California (2014) stating that Riley, “made it clear that the breadth and volume of data stored on computers and other smart devices make today’s technology different in ways that have serious implications for the Fourth Amendment analysis…”
In United States v. Ganias (2016) the Second Circuit of Appeals detailed the complexity of search and seizure of digital evidence. In earlier proceedings the court agreed that the government had violated Ganias’ Fourth Amendment rights by holding evidence that was unrelated to the scope of the original warrant and overturned the conviction. Additionally, they ruled that the government cannot indefinitely retain every file on a computer for future use. During an en banc session, the court declined to rule on the matter of the Fourth Amendment violation stemming from the retention of the mirror image, refused to suppress the evidence, and reversed the earlier decision. However, two critical observations were mentioned by the judges: One, electronically stored data is not always in one location but “fragmented” on a storage device, potentially across physical locations, and two, metadata can be stored in various locations across a system, supporting the imaging of an entire drive. These observations will have a significant impact on future proceedings.
A study by University of California at Berkeley scientists determined that 93 percent of all information never leaves the digital domain. This shows that most information is created, stored, modified, and accessed purely in digital form. This knowledge highlights the importance of digital investigations, because most of our daily activities and interactions are digitally recorded in some form, meaning that critical evidence in criminal investigations must be extracted from an electronic device.
Though there are many issues that law enforcement officers encounter when attempting to retrieve digital data, the two that will currently present the biggest challenges are cloud computing and encryption. Cloud computing has changed the way that data is stored. It is possible to store data blocks in different jurisdictions, meaning officials in the U.S. could be faced with trying to retrieve cloud stored data that is in another country.
Keyun Ruan, at the Centre for Cyber Crime Investigation in Ireland, stated, “Cloud forensics is difficult because there are challenges with multi-tenant hosting, synchronization problems and techniques for segregating the data in the logs...”. With this type of investigation, it is harder to control the evidence in terms of accessibility, collection, preservation, and validation. The fact that data can be stored across multiple locations increases the time, cost, and difficulty associated with investigations. Numerous technical difficulties arise, and legal access to the data becomes an issue as well. The non-localized nature of the cloud raises issues about jurisdiction, particularly with those that exist on foreign servers. Ownership of data and privacy concerns may be issues as well.
A current case that should be followed closely by industry professionals is United States v. Microsoft (2016). This case began in 2013 when Microsoft was served a warrant for access to emails in a drug trafficking investigation. However, some of that data was stored on servers in Ireland, and Microsoft refused to hand over the data, stating that it would lead to claims from other countries wanting access to data stored in the United States. The warrant was upheld by a judge but was overturned by a Second Circuit panel for the U.S. Court of Appeals. The full court was split in their decision, and the case will ultimately be decided by the Supreme Court.
In addition to the aforementioned issues, encryption poses its own share of difficulties for forensic investigators. Yuri Gubanov, CEO of Belkasoft, said, “The challenges and acquisition approaches vary greatly between devices…full-disk encryption on Windows desktop computers can be attacked by capturing a memory dump…and analyzing that memory dump to extract the binary decryption key.” However, with Apple products, it may be easier to target the cloud-based storage due to their (i.e., Apple’s) high bit security. Additionally, in instances where only some data is encrypted the hardest task will be locating the data.
In short, digital forensics is, and will continue to be, a highly valuable tool in criminal investigations. The research presented here demonstrates the need for law enforcement agencies to be equipped with the proper people, tools, and resources to legally conduct these types of investigations. As society becomes increasingly reliant on various communication technologies, more evidence will be found digitally. This area poses significant challenges for investigators, due to rapidly changing technologies, accessibility, retrieval, and legal issues. It is imperative that law enforcement agencies have highly-qualified and specially-trained investigators in various fields of forensics. It will also be necessary for agencies to focus on collaborations with academics and corporate entities who specialize in the fields of computer science and law.
1 The six warrant exceptions are: search incident to lawful arrest, plain view exception, consent, stop and frisk, automobile exception, and emergencies/hot pursuit.
 J. Sammons, The basics of digital forensics: the primer for getting started in digital forensics., Waltham, Mass.: Syngress/Elservier, Inc., 2012.
 United States v. Megahed, 2009 WL 722481, at *3 (M.D. Fla. Mar. 18, 2009).
 A. &. J. M. Pumariega, "Federal agents lacked authority to search airplane passengers laptop, court says.," Of Digital Interest, 27 May 2015. [Online]. Available: https://www.ofdigitalinterest.com/tag/united-states-v-jae-shik-kim/.
 Y. Gubanov, "Retrieving digital evidence methods, techniques, and issues," Forensic Magazine, May 30, 2012. [Online]. Available: https://www.forensicmag.com/article/2012/05/retrieving-digital-evidence-methods-techniques-and-issues.
 G. Lawton, "Cloud computing crime poses unique forensic challenges," Tech Target, Jan. 2011. [Online]. Available: http://searchcloudcomputing.techtarget.com/feature/Cloud-computing-crime-poses-unique-forensics-challenges.
 F. Focus, "Current challenges in digital forensics," Forensic Focus, 2016. [Online]. Available: https://articles.forensicfocus.com/2016/05/11/current-challenges-in-digital-forensics/.
 Katz v. United States, 389 U.S. 347, 88 S. Ct. 507, 19 L. Ed. 2d 576, (1967).
 Riley v. California, 134 S. Ct. 2473 (2014).
 United States v. Ganias, 2016 WL3031285, F.3d (2d Cir. May 27, 2016).
 United States v. Kim, Karham Eng. Corp., 103 F. Supp. 3d 32 (D.D.C. 2015).
 United States v. Microsoft, 5. 829 F. 3d 197 (2d Cir. 2016).
 United States v. Slanina, 283 F.3d 670, 680 (5th Cir. 2002).
 United States v. Walser, 275 F.3d 981, 986 (10th Cir. 2001).
Sajad Bashiri is a graduate student at Ball State University in the Center for Information and Communication Sciences (CICS. Mr. completed his undergraduate degree from Ball State University in Computer Science. He has been part of various projects during his undergraduate Studies such as creating a content management system (CMS)-based application for First Presbyterian Church of Muncie. In addition, he has research interests in the areas associated with smart health. He is currently a graduate assistant for Unified Communication and is working towards pursuing his AWS Solutions Architect certification.
James Conner is a research associate at the Center for Information and Communication Sciences pursuing research in digital forensics and security issues in automotive systems (auto-drive and WiFi vulnerabilities). James received a Master’s degree in Sports Administration in 2013 and is currently pursuing a Master’s in Information and Communication Sciences, while working full-time at Ball State University’s L.A. Pittenger Student Center as the Technology Coordinator.
Alison Lytle is a dedicated researcher, writer, and entrepreneur. She holds a Bachelor in Psychology and is currently pursuing a Master's degree at the Center for Information and Communication Sciences at Ball State University. Ms. Lytle lives in Indiana with her four clever and spirited little girls. She is passionate about global resource conservation, women's issues worldwide, and green technology.
Noah Stephens is currently pursuing his masters degree with the Center for Information and Communications Sciences, while also holding a graduate research position with the Digital Policy Institute. He earned his undergraduate degree through Ball State University's Human Resource Management program in 2012. Before joining CICS, he worked for the National FFA in Indianapolis, Indiana and Concentrix in Daleville, Indiana.
Stephan S. Jones, Ph.D.
Stephan S. Jones, Ph.D., Director, Center for Information and Communication Sciences, Ball State University joined the Center for Information and Communication Sciences faculty in August of 1998. He came to Ball State University (BSU) from completing his doctoral studies at Bowling Green State University where he served the Dean of Continuing Education developing a distance-learning program for the College of Technology’s undergraduate Technology Education program. Dr. Jones was instrumental in bringing the new program on board because of his technical background and extensive research in the distance-learning field. Prior to coming to higher education, Dr. Jones spent over sixteen and a half years in the communication technology industry. He owned his own teleconnect, providing high-end commercial voice and data networks to a broad range of end users. Dr. Jones provided all the engineering and technical support for his organization that grew to over twenty employees and two and a half million dollars per year revenue. Selling his portion of the organization in December of 1994, Dr. Jones worked briefly for Panasonic Communications and Systems Company as a district sales manager providing application engineering and product support to distributors in a five-state area prior to starting doctoral studies.
Dr. Saman Iftikhar received her M.S and Ph.D. degrees in Information Technology in 2008 and 2014, respectively, from National University of Sciences and Technology (NUST), Islamabad, Pakistan. Currently she is serving Prince Mugrin University as an Assistant Professor in Medinah, Saudi Arabia. Her research interests include information security, cyber security, distributed computing, machine learning, data mining and semantic web. To her credit, ten research papers have been published in various reputed journals. Nine research papers have been presented in prestigious conferences in Pakistan, Dubai, Japan, Malaysia and America. One book chapter is also included in her publications. She is also a member of IEEE, IEEE WIE, IEEE IAS, IEEE Computer Society and IEEE Communication Society. She was also with “IEEE Academic Pakistan” initiative as a Speaker and Coordinator.
Article Contributions Welcomed
IEEE Internet Policy Newsletter Editorial Board
Dr. Ali Kashif Bashir, Interim Editor-in- Chief
Dr. Syed Hassan Ahmed
Dr. Mudassar Ahmad
Dr. Onur Alparslan
Dr. Muhammad Bilal
Dr. Syed Ahmad Chan Bukhari
Dr. Ankur Chattopadhyay
Dr. Junaid Chaudhry
Dr. Waleed Ejaz
Dr. Mohamed Elhoseny
Dr. Prasun Ghosal
Dr. Tahir Hameed
Dr. Y. Sinan Hanay
Dr. Shagufta Henna
Dr. Fatima Hussain
Dr. Rasheed Hussain
Dr. Saman Iftikhar
Dr. Stephan Jones
Dr. Mohammad Saud Khan
Dr. Jay Ramesh Merja
Dr. Mubashir Husain Rehmani
Dr. Hafiz Maher Ali Zeeshan
About: This newsletter features technical, policy, social, governmental, but not political commentary related to the internet. Its contents reflect the viewpoints of the authors and do not necessarily reflect the positions and views of IEEE. It is published by the IEEE Internet Initiative to enhance knowledge and promote discussion of the issues addressed.