A brief article on digital forensics....
Last Wednesday, May 28, 2014, Senate Blue Ribbon Committee Chairman Teofisto Guingona received a report from the National Bureau of Investigation (NBI) on the forensic analysis made on the “alleged” files (which, by the way, some reports referred to as the hard disk drive).
Some pronouncements made by the NBI on the matter would puzzle most people. Technical IT people and lawyers alike are baffled by the hybrid concept now being put on center stage: digital forensics.
Here we see lawyers and law-enforcement agencies on one hand, and digital and security experts on the other: lawyers and law enforcers keeping a critical eye on the integrity of evidence, while IT experts try to discover and gather all the data, artifacts, and information they can retrieve from the digital medium.
To simplify, here are some excerpts from the pronouncements made last Wednesday:
1. Erasing a File… Empty the Bin… Retrieving the Deleted
Some digital files of whistleblower Benhur Luy were allegedly “deleted” but were “retrieved” by forensic experts of the National Bureau of Investigation (NBI)
xxx xxx xxx
The question people would now ask about this statement is whether it is really possible to retrieve deleted files from a computer or digital device. The answer is YES. The next question would be “How?”, and the answer can be as easy as opening the Windows Recycle Bin, or as complex as analyzing the file system (the individual bytes of your digital storage device). As complex as it might sound, analyzing each and every byte in your hard disk drive can be done, and yes, deleted files on your system are not actually deleted. To put it differently, files in your computer are assigned specific addresses on your hard disk, and when you delete a file, the data is not actually erased. The specific addresses of the data are simply forgotten, so the operating system (in this case, a Windows OS) no longer sees where the data actually resides.
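As an added illustration (not part of the original article and not the NBI's method), the Python example below models this on a constructed toy disk and recovers a deleted file by scanning the raw bytes for JPEG start and end signatures. `ToyDisk`, its table layout, the block size and the file names are hypothetical.

```python
BLOCK = 64                      # constructed block size for the toy image
JPEG_SOI = b"\xff\xd8\xff"      # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"          # JPEG end-of-image marker


class ToyDisk:
    """Hypothetical file system: a name -> (offset, length) table over raw bytes."""

    def __init__(self, blocks=16):
        self.raw = bytearray(BLOCK * blocks)
        self.table = {}         # the addresses the operating system remembers
        self.next_free = 0

    def write(self, name, data):
        start = self.next_free
        self.raw[start:start + len(data)] = data
        self.table[name] = (start, len(data))
        self.next_free = start + -(-len(data) // BLOCK) * BLOCK  # next block boundary

    def delete(self, name):
        del self.table[name]    # only the address is forgotten; the bytes stay

    def read(self, name):
        if name not in self.table:
            return None         # the OS no longer knows where the data lives
        start, length = self.table[name]
        return bytes(self.raw[start:start + length])


def carve_jpegs(image):
    """Scan the raw bytes for JPEG header/footer pairs, ignoring the table."""
    found, pos = [], 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break               # header without footer: truncated or overwritten
        found.append((start, bytes(image[start:end + len(JPEG_EOI)])))
        pos = end + len(JPEG_EOI)
    return found


def demo():
    disk = ToyDisk()
    photo = JPEG_SOI + b"\xe0" + b"constructed sample payload" + JPEG_EOI
    disk.write("notes.txt", b"plain text, no signature")
    disk.write("photo.jpg", photo)
    disk.delete("photo.jpg")
    return disk.read("photo.jpg"), carve_jpegs(disk.raw), photo
```

Signature scanning of this kind only recovers files whose bytes are contiguous and have not been reused by later writes.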
“We were able to retrieve some of the files that were deleted, and part of the report would be those that were retrieved from the software and the contents,”
xxx xxx xxx
The question here would be: what software was used by the NBI in retrieving the files and making the analysis? In short, what digital forensic tool was used to retrieve the digital evidence? Although I have read several books on the matter (and have tried using different digital forensic software), it would be very difficult to set a standard tool for analyzing digital evidence. For starters, there are two schools of thought now being espoused in the digital forensic world: OPEN SOURCE TOOLS and CLOSED SOURCE/COMMERCIAL TOOLS. There are several tools available (I will try to explain the tool used by the NBI once information has been released on the specific forensic software that they used). As a corollary, it should be noted that all of these tools have their own strengths and weaknesses.
3. Hardware… Preserving the Integrity of the Evidence
Asked again if the files could be modified, Aguto said there was a device attached in the hard drive to “preserve the integrity” of the files.
xxx xxx xxx
The question now is what device (hardware) was attached to preserve the integrity of the hard drive. This is fairly easy to answer because, in almost all digital forensic analysis procedures that I have read, a WRITE-BLOCK device is used before examining a storage device. A write-block device is a piece of hardware attached between the device being examined and the computer the examiner is using to analyze it. The write-block device thus acts as a net or safeguard to make sure that nothing is written to or erased from the device being examined while it is being analyzed.
There are a couple of matters which must first be put in issue before accepting the forensic evidence being offered by the NBI.
First is the fact that even the NBI is unsure as to the origin of the hard disk.
Second is the fact that there is, as of now, no other expert or digital evidence lab in the Philippines, except those now under the control of the government, that may be able to give a third-person perspective on the evidence now in issue.
Atty. Jeremiah N. Crisostomo
6 years in the practice of law/litigation
computer science graduate