Untrusted Network

How do you isolate the data, target media, device, or source system you would like to capture when it exists in an internet environment where you cannot control change, and where the data or source system is potentially shared among many users?

Any virtual or physical device connected to the internet—whether local or remote—may contain relevant evidence that is electronically stored. Examples include web applications, web application accounts, email accounts, cloud storage such as Dropbox or Google Drive, remote backup services such as Carbonite, network traffic captures, and activity logs.

There may be trade-offs involved in capturing remote evidence with agility and speed before it is potentially lost. Even while working quickly, it is important to follow a meticulous digital forensics investigation process, including obtaining proper authorizations, following department or agency policies, complying with criminal unauthorized access laws, and complying with civil privacy laws and the Health Insurance Portability and Accountability Act (HIPAA).

What limitations do common digital forensic tools have regarding capturing internet artifacts? Many of the popular tools are primarily designed to acquire and analyze local, physical evidence. What challenges might these limitations present to the digital forensics investigator and how are these challenges overcome? Think about the value of obtaining voluntary consent.
