UNITVIII.docx
Project 4 includes two labs, Lab 9 and Lab 10.
Lab 9 Assignment: Conducting Forensic Investigations on Network Infrastructure
Locate and complete Lab 9: Conducting Forensic Investigations on Network Infrastructure. Upon completion of Section 2 of the lab, you are required to provide the deliverables listed below.
Note: You do not have to complete Section 3 of the lab.
1. Include the Lab Report file with the following screen captures:
· timestamp-sorted traffic,
· IP-filtered traffic,
· port-filtered traffic,
· TCP push flag-filtered traffic,
· http-filtered traffic,
· router’s version output,
· router’s interface details,
· router1 ARP table,
· IP routing table,
· currently running configuration,
· successful transfer of the secureTopo.png file,
· passive port specified by the FTP server in the Packet Details pane,
· Time to live field in the Packet Details pane,
· Follow TCP stream window,
· reconstituted PNG file,
· entries in the firewall log, and
· resolved entries in the firewall log.
When you have completed the lab, click the "Download Lab Report as PDF" icon, located in the top right corner of the lab (as shown below):
2. Save the following file downloaded from the virtual environment:
· yourname_lab9_network_forensics.pdf
3. Upload the PDF Lab Worksheet in the Blackboard course.
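Two of the Lab 9 deliverables, the passive port announced by the FTP server and the reconstituted PNG pulled from "Follow TCP stream", can be checked outside the lab environment. The Python script below is an added example, not part of the lab or the course materials: it decodes a 227 passive-mode reply into the data-connection port and verifies that a carved PNG is structurally intact (signature, chunk lengths, CRC-32 per chunk, terminating IEND). The 227 reply and the PNG bytes it works on are constructed inline; secureTopo.png is only mentioned in a comment as the file the lab transfers.

```python
"""Checks behind two Lab 9 deliverables (added example, not lab material):
decoding an FTP passive-mode reply, and validating a PNG carved from a
followed TCP stream.  All inputs are constructed inside this file."""
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.
    The port is p1*256 + p2, which is why the port Wireshark reports does
    not appear literally in the packet bytes."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def png_chunks(data):
    """Walk a PNG's chunk list and return the chunk types in order.
    Raises ValueError on a bad signature, a truncated chunk, or a CRC
    mismatch, which is what a partial or mis-reassembled stream produces."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    types = []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated {ctype!r} chunk")
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF  # CRC covers type + data
        if struct.unpack(">I", crc_bytes)[0] != expected:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        types.append(ctype.decode("ascii"))
        pos += 12 + length
        if ctype == b"IEND":
            break
    if not types or types[-1] != "IEND":
        raise ValueError("no IEND chunk: file is incomplete")
    return types


def is_intact_png(data):
    try:
        png_chunks(data)
        return True
    except ValueError:
        return False


def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png():
    """Constructed 1x1 grayscale PNG standing in for the lab's secureTopo.png."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit gray
    raw = b"\x00\x00"  # one scanline: filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    print(parse_pasv("227 Entering Passive Mode (192,168,1,10,4,1)"))
    good = build_sample_png()
    print(png_chunks(good))
    print(is_intact_png(good[:-5]))  # stream cut short: not intact
```

If the file saved from the stream window fails the CRC walk, the capture was incomplete or the wrong direction of the conversation was exported; re-check the stream direction selector before assuming the file on the wire was corrupt.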
Lab 10 Assignment: Conducting Forensic Investigations on System Memory
Locate and complete Lab 10: Conducting Forensic Investigations on System Memory.
Upon completion of Section 2 of the lab, you are required to provide the deliverables listed below.
Note: You do not have to complete Section 3 of the lab.
1. Include the Lab Report file with the following screen captures:
· contents of the /bin directory,
· contents of the /etc directory,
· contents of the /var directory,
· contents of the /proc directory,
· results of the dmesg command,
· results of the fsck command,
· results of the history command,
· running processes,
· results of the file command,
· records in the kern.log file, and
· records in the auth.log file.
When you have completed the lab, click the "Download Lab Report as PDF" icon, located in the top right corner of the lab (as shown below):
2. Save the following file downloaded from the virtual environment:
· yourname_lab10_memory_forensics.pdf
3. Upload the PDF Lab Worksheet in the Blackboard course.
4. Then, write one page that discusses the elements listed below.
· Describe current trends in digital forensics and investigation.
· Explain the legal implications and new laws that affect evidence gathering.
Remember to include an introduction for the written portion of the paper. APA formatting is required, and citations and references for any paraphrased material should be present. A minimum of one reference is required for your assignment (it can be the textbook).
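Among the Lab 10 captures, the auth.log records are the ones an examiner usually reads rather than just screenshots. The Python script below is an added example, not part of the lab or the course materials: it parses sshd entries from auth.log, counts failed password attempts per source address, and flags a source that logged in successfully after repeated failures. The log lines are constructed for the example; the host name "lab" and the addresses are placeholders.

```python
"""Summarize sshd events from a Linux auth.log (added example, not lab
material).  The sample log below is constructed; the threshold of three
failures is an assumption, not a standard value."""
import re
from collections import defaultdict

SAMPLE_AUTH_LOG = """\
Mar  3 10:14:02 lab sshd[2121]: Failed password for invalid user admin from 203.0.113.7 port 51322 ssh2
Mar  3 10:14:05 lab sshd[2121]: Failed password for invalid user admin from 203.0.113.7 port 51322 ssh2
Mar  3 10:14:09 lab sshd[2125]: Failed password for root from 203.0.113.7 port 51330 ssh2
Mar  3 10:14:15 lab sshd[2131]: Accepted password for student from 203.0.113.7 port 51340 ssh2
Mar  3 10:20:41 lab sshd[2202]: Accepted publickey for student from 198.51.100.4 port 40012 ssh2
Mar  3 10:21:03 lab sudo:  student : TTY=pts/0 ; PWD=/home/student ; USER=root ; COMMAND=/bin/bash
"""

# Matches the syslog-style sshd lines; the sudo line above is deliberately
# left unmatched to show that only authentication events are counted.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sshd_events(log_text):
    """Return a list of dicts (ts, result, method, user, src), one per sshd line."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, threshold=3):
    """Per source address: failed count, accepted user names, and a
    'suspicious' flag when the source reached `threshold` failures and
    then logged in.  Events are processed in log order, so a success that
    precedes the failures does not trigger the flag."""
    failed = defaultdict(int)
    accepted = defaultdict(list)
    suspicious = set()
    for ev in events:
        src = ev["src"]
        if ev["result"] == "Failed":
            failed[src] += 1
        else:
            accepted[src].append(ev["user"])
            if failed[src] >= threshold:
                suspicious.add(src)
    sources = set(failed) | set(accepted)
    return {
        src: {"failed": failed[src], "accepted": accepted[src], "suspicious": src in suspicious}
        for src in sources
    }


if __name__ == "__main__":
    for src, info in sorted(summarize(parse_sshd_events(SAMPLE_AUTH_LOG)).items()):
        print(src, info)
```

In the constructed log, 203.0.113.7 fails three times and then succeeds as "student", so it is flagged; 198.51.100.4 logs in once with a key and is not. On a real system the same pattern is what to look for before reading kern.log and the process list for what the account did next.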
APA Guidelines
The application of the APA writing style shall be practical, functional, and appropriate to each academic level, with the primary purpose being the documentation (citation) of sources. CSU requires that students use APA style for certain papers and projects. Students should always carefully read and follow assignment directions and review the associated grading rubric when available. The CSU Citation Guide includes examples and sample papers and provides information on how to contact the CSU Writing Center.
TEXTBOOK
Easttom, C. (2022). Digital forensics, investigation, and response (4th ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284226065
UnitVIII.pdf
FRN 4301, Principles of Digital Forensics 1
Course Learning Outcomes for Unit VIII
Upon completion of this unit, students should be able to:
1. Analyze forensic procedures for investigation.
1.13 Explain trends in digital forensics.
2. Perform data reconnaissance activities.
3. Explain methods for using forensic tools.
4. Discuss legal implications for electronic crimes.
4.4 Explain how new laws affect evidence collection.
5. Examine procedures for law enforcement reporting.
Required Unit Resources
Chapter 15: Trends and Future Directions
Unit Lesson
Future Trends
In Unit VII, you learned about the importance of having forensics as a part of your incident response team. You also learned that disaster recovery and business continuity differ from each other and the importance of good disaster planning. In Unit VIII, you will learn about the rapid changes in technology and the difficulties that law enforcement and digital forensics face in trying to keep pace with the never-ending changes. Technical innovation is a driving factor in how we do business and how we spend our free time. These changes happen now more rapidly than at any other time in history. With the convenience of each new advancement in innovation, security concerns soon follow. The corporate world has learned to accept the use of innovation fraught with security flaws, which can and often does result in a major loss of business. These hidden dangers can result in the loss of revenue, investor trust, and a loss of confidence in the brand (Hollywood et al., 2018).
Trends in Technology
In 1965, Intel cofounder Gordon Moore wrote a paper observing that the number of components in an integrated circuit (IC) had doubled each year since the invention of the integrated circuit. Moore later revised his theory to state that the number of transistors on a chip would double each year, which has largely held true. Moore’s law has underpinned much of the innovation developed by Silicon Valley in the 20th and 21st centuries. Moore’s law implies that personal computers (PCs) will continue to get smaller while becoming faster and storing more information. This type of rapid innovation results in access to better technology at a lower price. Moore's law turned out to be an exact representation of a pattern of innovation that drives technology development today. Further, Moore's law applies to some of the other essential drivers of computing capability: storage capacity; processor speed, capacity, and cost; fiber optic communications; and more (Bell, 2016).
UNIT VIII STUDY GUIDE
Future and Global Implications
Data Storage and Analysis
The amount of information produced and stored in our daily activities continues to grow rapidly. An ongoing study at the University of California at Berkeley estimated that nearly 800 megabytes of data are generated each year for every individual in the world, and the per-individual figure is increasing at a rate of 30% each year. Such growth in the amount of personal information being generated requires forensic investigators to examine enormous amounts of digital information stored on a myriad of systems. A single case with more than 100 terabytes of information needing examination is common (Lyman & Varian, 2003). Statista estimates that the volume of data created, captured, copied, and consumed worldwide will reach 180 zettabytes by 2025 (Taylor, 2023). The number of bytes in a zettabyte is equal to 2^70, or 1 sextillion bytes. Put differently, 1 zettabyte is equal to 1 billion terabytes (Fitzgibbons, 2022).
Storage Area Networks (SANs)
SANs are high-speed networks that interconnect storage devices with large data servers. SANs allow information from various sources to be backed up to a centralized system and accessed quickly by investigators. SANs provide long-term information storage solutions by ensuring information availability and integrity. The legal ramifications of using a SAN for storing vast amounts of evidence show promise. Another procedure for managing large case records is to apply data control models to filter relevant information both quickly and reliably. Two such data control models are data reduction and data mining. Forensic examiners can utilize data reduction techniques, including known file types and hash sets; however, these are restricted in both scope and execution.
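The hash-set data reduction just mentioned is usually called known-file elimination: every file in the case image is hashed, and files whose digest appears in a reference set of known, uninteresting files (a distribution's unmodified binaries, for instance) are set aside so only unknown files remain for review. The Python script below is an added example, not from the study guide or any cited source; the files it examines and the "pristine" reference hashes are constructed in a temporary directory, not real distribution hashes.

```python
"""Known-file elimination with a SHA-256 hash set (added example, not from
the study guide).  The file tree and the reference hashes are constructed
here; a real reference set would be loaded from a published hash list."""
import hashlib
import tempfile
from pathlib import Path

# Contents standing in for pristine distribution files (constructed).
PRISTINE_LS = b"constructed stand-in for the distribution's /bin/ls\n"
PRISTINE_PS = b"constructed stand-in for the distribution's /bin/ps\n"
PRISTINE_HOSTS = b"127.0.0.1 localhost\n"

KNOWN_HASHES = {
    hashlib.sha256(content).hexdigest()
    for content in (PRISTINE_LS, PRISTINE_PS, PRISTINE_HOSTS)
}


def sha256_of(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def reduce_by_hash_set(root, known_hashes):
    """Split the files under root into 'known' (can be set aside) and
    'unknown' (need review).  Matching is on content only, never on the
    file name, so a modified binary that kept its name stays 'unknown'."""
    root = Path(root)
    result = {"known": [], "unknown": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        bucket = "known" if sha256_of(path) in known_hashes else "unknown"
        result[bucket].append(path.relative_to(root).as_posix())
    return result


def demo():
    """Constructed tree: two pristine files, one binary whose bytes were
    altered but whose name was kept, and one user-created file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "bin/ls": PRISTINE_LS,
            "bin/ps": PRISTINE_PS + b"# extra bytes: no longer the pristine file\n",
            "etc/hosts": PRISTINE_HOSTS,
            "home/notes.txt": b"user-created content, in no reference set\n",
        }
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return reduce_by_hash_set(root, KNOWN_HASHES)


if __name__ == "__main__":
    print(demo())
```

The altered bin/ps lands in the unknown bucket even though its name matches a reference entry, which is the point of the technique: the reduction never trusts names or timestamps, only content hashes.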
Data mining utilizes a mix of machine learning, statistical analysis, and modeling techniques to retrieve significant data from substantial information collections (Ot, 2023).
Specialized Devices
There are many kinds of digital devices available for storing digital data. Forensic investigators can extract digital data from fax machines, smart cards, cell phones, Global Positioning System (GPS) devices, digital cameras, and others. Fax machines store the phone numbers of senders and recipients, while some upscale machines can store the entire contents of a fax message in memory (Brecht, 2018). Cell phones can easily store digital data, including numbers dialed and received, missed calls, contact lists, photographs, and text messages sent and received. Information stored in smart cards may include toll road access data, prepaid phone cards, and supermarket purchases (Brecht, 2018). GPS devices can contain detailed path information that, once extracted, can be used successfully in a criminal investigation. Embedded devices are also an emerging trend. Investigators should identify these devices and extract digital evidence as far as possible to ensure a proper and thorough investigation (Brecht, 2018).
The Cloud
Information is found not just on PCs or networks. Mobility and the Cloud are two areas where data is stored and retrieved globally. In the Cloud, an extensive number of delivery models, such as hosting, computing, and storage, are now the standard for an expanding number of organizations and individuals. From new companies to multinationals, the use of the Cloud is rapidly spreading (Dodt, 2019). With the Cloud comes complexity in managing portable digital forensic evidence or conducting forensic examinations in a Cloud setup. One fundamental issue is the extensive variety of services offered in the Cloud. The Cloud provides a vast selection of hardware, software, and service models.
Cloud technologies are consistently evolving, presenting a challenge for examiners to stay fully informed regarding current innovations. These short product cycles make it vital for forensic toolkit developers to create and refresh their comprehension of how these new frameworks and parts work (Cameron, 2018).
Hard disk storage requirements are a major concern. Onsite storage is fragile, and the expense of maintaining a large storage database makes the cloud an enticing alternative. Cloud storage utilizes flash memory, which provides moderately quick access times and better shock resistance when compared to hard disks (Cameron, 2018). When looking at the evidence, the fundamental principle is to leave the information unaltered on the seized storage medium. For the flash memory used by most mobile devices, this guideline needs more testing. Even turning mobile devices off and on again results in data loss. Mobile devices utilize diverse file systems explicitly designed for the characteristics of flash memory (Cameron, 2018). In a Cloud setting, it should be possible to reproduce information (actual data or logs) showing the type of access and what events occurred. The problem is identifying the source device (e.g., the specific virtual instance that was running or supporting that specific service at that specific time). Time is also a critical aspect; if logging is not properly synchronized between the different sides of the framework, it is hard to present it as valid evidence. That is why next-generation forensic acquisition tools must distinguish all of the physical and logical components among the different use cases, designs, and implementations of delivery models. There are other challenges associated with the cloud, including the complication of data acquisition. Investigators must be aware of the rules of seizure, privacy, and so forth in each location from which they will retrieve data (Easttom, 2022). In the Cloud, there are three essential delivery models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) (Cameron, 2018).
IaaS
IaaS is the delivery of virtualized hardware and is the most open of the delivery models, with access to the supplier side. It is the special case where conventional forensic methods for acquiring evidence may apply, by using snapshots and machine images. There are still challenges that IaaS presents. For example, information is not always persistent. In Amazon's EC2, for example, a service called EBS (Elastic Block Store) must be utilized to allow information to persist independently of the lifetime of an instance. Logs and information may also be divided and dispersed, which may influence the acquisition. Multi-tenancy aspects, shared resources, and how the storage space is utilized may contaminate the imaging and acquisition. Likewise, even though the metadata is relatively available, a low-level examination is still not possible, nor is physical access to the hardware (Dodt, 2019).
PaaS and SaaS
PaaS and SaaS provide development and software deployment models with access to subscribed applications and software provided by the supplier. These are usually proprietary and closed-off builds. An examination would be subject to Cloud access and logging features in order to show service execution and how the services are deployed, which are specific to the supplier. Isolating a particular process is a difficult task in this case. The developing pattern of multi-Cloud deployment makes it challenging to follow and analyze applications and information. Numerous platforms, such as VMware’s Cloud Foundry, and different libraries (e.g., libcloud or jclouds) support multi-cloud deployment so a client can easily deploy interoperable applications between Cloud suppliers (Dodt, 2019). Another immense challenge for forensic investigators in these setups and conditions is to acquire evidence using forensically sound techniques so that a court of law will admit the evidence as valid. Evidence admissibility requires a lawful search and strict adherence to chain of custody rules, including evidence gathering, preservation, examination, and reporting. The method used to obtain the information is subject to more scrutiny than the evidence recovered. An important part of evidence preservation is securing and separating the device from any network. Some cell phones (e.g., iPhone) can be remotely wiped. Keeping the device connected to the carrier's network or Wi-Fi can also trigger updates from the network, messages, and so forth, which may alter or corrupt the information and possibly change the evidence. Information persistence is a difficult issue to handle in a Cloud environment (Dodt, 2019).
Emerging Devices and Technologies
More capable and powerful existing technologies are not the only challenge facing digital forensic investigators. The emergence of new devices and technologies arguably poses an even greater challenge. Global positioning systems (GPS) in mobile devices and cars now include hard drives to store and play music and provide a rich source of evidence that a suspect’s car was at the scene of a crime when the crime took place. Vehicles rely on computer technology and especially on connections to the outside world for software updates and operating system enhancements, as well as to provide services to occupants. Two well-known examples of infotainment systems are Apple’s CarPlay and Google’s Android Auto. All of these items represent new attack vectors for an adversary and represent monitoring and data recovery possibilities for evidence collectors. Another area of rapid growth is medical devices. Think of pacemakers, which have been around for decades but only recently became equipped to “call home” and share data with medical professionals. Another example is insulin pumps. These devices will no doubt play a part in forensic examinations that you conduct in your future career. Finally, with the rise of ChatGPT and other large language models, much attention has been focused on Artificial Intelligence (AI) since 2022. Thurzo et al. (2021) observed that conventional forensic analysis is largely based on a forensic investigator’s manual extraction and analysis of devices to build a probable scenario, which is not only time-consuming but also (sometimes highly) subjective in nature. The researchers assembled a software approach based on the Python programming language and three deep learning libraries, TensorFlow, PyTorch, and MONAI, running on multi-GPU hardware.
AI systems will shift how digital forensic investigations are conducted and significantly aid in the correlation and analysis of large amounts of data, as well as help guide and conduct routine forensic analyses.
Legal and Procedural Trends
Network Forensics
Network forensics is an area of specialty in the field of digital forensics. Network forensics is the scientific approach to analyzing, recording, and capturing network traffic as it relates to a forensic investigation (Easttom, 2022). The difference between a digital forensics investigation and a network forensics investigation is that network forensics captures volatile and dynamic data originating from outside of the network. A specific set of special techniques and tools must be developed to deal with the scale, jurisdictional, and dynamic participation issues of network forensic investigation (Cameron, 2018).
Forensic Tools and Processes
In the past decade, advancements in forensic tools have been substantial. A variety of software can now be utilized across different platforms for proper investigation. Future research is needed to validate the authenticity of an investigation (Cameron, 2018).
Criminal Investigation
The Fourth Amendment protects individuals from unreasonable search and seizure. U.S. federal law relating to the acquisition of digital evidence by law enforcement agencies is covered under the Wiretap Statute (18 U.S.C. § 2510–22), the Electronic Communications Privacy Act (ECPA) of 1986 (18 U.S.C. § 2701–02), and the Pen/Trap Statute (18 U.S.C. § 3121–27). The Fourth Amendment limits the ability of government agents to obtain evidence without a warrant. A warrantless search does not violate the Fourth Amendment if:
• the agents’ conduct does not violate an individual’s “reasonable expectation of privacy,” or
• the search falls within an exception to the warrant requirement.
Therefore, agents must consider if a search violates the expectation of privacy. Even if a search does violate this expectation, it may still be reasonable if it falls within an exception to the warrant requirement. The Fourth Amendment prohibits law enforcement agents from accessing and viewing computer information without a warrant if they would be prohibited from opening a closed container and examining its contents in the same situation. However, courts have reached differing conclusions on whether or not individual computer files should be treated as separate closed containers (Kerr, 2017).
The USA PATRIOT Act
Under the USA PATRIOT Act, nationwide pen/trap orders now apply to communications on computer networks in addition to telephone communications. Section 816 of the USA PATRIOT Act is titled “Development and Support of Cybersecurity Forensic Capabilities.” This amendment to the USA PATRIOT Act also calls for the U.S. Attorney General to establish several regional computer forensic laboratories. This amendment has led to the creation of the Electronic Crimes Task Force, which has established several computer forensic labs nationwide (U.S. Department of Justice, n.d.).
Summary
In this lesson, we learned how the changes in technology and the law could affect digital forensic procedures. How data is moved, stored, and assessed requires new evidence-gathering techniques to keep pace with the changes.
References
Bell, L. (2016, August). What is Moore's law? Wired explains the theory that defined the tech industry. Wired. https://www.wired.co.uk/article/wired-explains-moores-law
Brecht, D. (2018, January 26). Computer crime investigation using forensic tools and technology. InfoSec Institute. https://resources.infosecinstitute.com/topics/digital-forensics/computer-crime-investigation-using-forensic-tools-and-technology/
Cameron, L. M. (2018, March 1). Future of digital forensics faces six challenges in fighting borderless cybercrime and dark web tools. IEEE Security & Privacy. https://publications.computer.org/security-and-privacy/2018/03/01/digital-forensics-security-challenges-cybercrime/
Dodt, C. (2019, July 7). Computer forensics: FTK Forensic Toolkit overview [updated 2019]. InfoSec Institute. https://resources.infosecinstitute.com/topics/digital-forensics/computer-forensics-ftk-forensic-toolkit-overview/
Easttom, C. (2022). Digital forensics, investigation, and response (4th ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284226065
Fitzgibbons, L. (2022, November). Zettabyte: What is a zettabyte? TechTarget. https://www.techtarget.com/searchstorage/definition/zettabyte
Hollywood, J. S., Woods, D., Lauland, A., Jackson, B. A., & Silberglitt, R. (2018, March 26). Emerging technology trends and their impact on criminal justice [Research brief]. Rand Corporation. https://www.rand.org/pubs/research_briefs/RB9996.html
Kerr, O. (2017, August 22). D.C. circuit forbids seizing all electronic storage devices in computer warrant cases. The Washington Post. https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/08/22/d-c-circuit-forbids-seizing-all-electronic-storage-devices-in-computer-warrant-cases/?noredirect=on&utm_term=.c806c35870ef
Lyman, P., & Varian, H. R. (2003). How much information? 2003. Regents of the University of California. http://groups.ischool.berkeley.edu/archive/how-much-info-2003/
Ot, A. (2023, August 10). What is a storage area network (SAN)? Enterprise Storage Forum. https://www.enterprisestorageforum.com/storage-networking/storage-area-networks-in-the-enterprise.html
Taylor, P. (2023, November 16). Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025. Statista. https://www.statista.com/statistics/871513/worldwide-data-created/
Thurzo, A., Kosnáčová, H. S., Kurilová, V., Kosmeľ, S., Beňuš, R., Moravanský, N., Kováč, P., Kuracinová, K. M., Palkovič, M., & Varga, I. (2021). Use of advanced artificial intelligence in forensic medicine, forensic anthropology and clinical anatomy. Healthcare, 9(11), 1545. https://doi.org/10.3390/healthcare9111545
U.S. Department of Justice. (n.d.). Highlights of the USA PATRIOT Act: Preserving life and liberty. https://www.justice.gov/archive/ll/highlights.htm