Financial impact of forensic proceedings in ICT
Saa Aksentijevi1, Edvard Tijan2, Alen Jugovi3
1
Aksentijevi Forensics and Consulting, Ltd.
Gornji Sroki 125a, Vikovo, Croatia
Tel: +385 51 65 17 00 Fax: +385 51 65 17 81 E-mail: sasa.aksentijevic@gmail.com
2,3
University of Rijeka, Faculty of Maritime Studies
Studentska 2, 51000 Rijeka, Croatia
Tel: +385 51 33 84 11 Fax: +385 51 33 67 55 E-mail: etijan@pfri.hr, ajugovic@pfri.hr
Abstract Application of scientific forensic methods in
ICT has become a mainstream methodology not only in
criminal and civil proceedings, but also in preventive
maintenance of various aspects of ICT systems used by
corporations, governmental and other institutions.
However, despite efforts of solution providers to create
forensic hardware, software and procedures that are
purported to be easy to use even by those that are not
forensic experts, in most cases forensic proceedings are
connected with high utilization of financial and temporal
resources. Accelerated changes in information technology
and architecture also require additional regulation that
will pre-emptively ensure adequate amount and form of
forensic trail left for possible future investigations. This
paper is an attempt to describe current state of affairs of
forensic proceedings, the latest trends and to provide
comment on their financial impact and consequential
real-world feasibility.
Key words: forensic proceedings, forensic investigations,
financial impact, ICT
I INTRODUCTION
Generally, forensic science or forensics is the application of
scientific principles and techniques to matters of criminal
justice especially as relating to the collection, examination
and analysis of physical evidence [1]. The main characteristic
of forensics is that it produces results and reports suitable to
be used in courts or judicature, and for public discussion or
debate. Therefore, forensics is indubitably tied to the legal
context and explaining complex facts and their mutual
connection in simple, straightforward language and layman
terms to those who are not subject experts, but have to reach
certain conclusions or make decisions based on the presented
facts.
Digital forensics is one of the latest branches of general
forensic science dealing with digital traces and artefacts. One
of possible definitions of digital forensics is given by the
following: The application of computer science and
investigative procedures for a legal purpose involving the
analysis of digital evidence after proper search authority,
chain of custody, validation with mathematics, use of
validated tools, repeatability, reporting, and possible expert
presentation [2]. As it is clearly visible from comparison of
definitions of general forensics and the digital one, digital
forensics deviates from general definition because it does not
analyse material (physical) evidence. Material nature of
evidence was initially included in the definition of forensics
because reliance on physical properties of the evidence
1698
clearly demonstrated validity of the used method. While one
can argue that evidence digital forensics is dealing with is
material, in a sense that it is usually inextricably tied to
material media that contains them, their nature is clearly not
material. This demonstrates how technical developments of
the present and near future will test and challenge some
definitions that seemed to be solid in the past.
Over the past two decades, dematerialization of the IT world
has caused detachment of the data, media that contains them
and physical locations where such media is stored. Internet
became a new transport layer for such evidence, crossing
geographical barriers and further pushing the envelope of
well-established legal framework whose jurisdiction is
usually defined by physical national borders. While crime
and other events are always one step ahead of codified
legislation, described course of events made it very difficult
even for those very best in the legal profession of digital
forensics, and those who use their services (district attorneys,
lawyers and courts) even to apply existing legislature, let
alone understand the presented facts that are usually dealing
with very complex technical architecture, facts and
conclusions.
Most authors agree that until events of 9/11 [3], separation of
non-material world of digital networks and systems according
to national and geographical borders was one of the main
obstacles in front of experts in the field of digital forensics
and users of their services. After 9/11, new legislative acts
have been passed all over the world to support the agenda of
fight against terrorism [4], further facilitating cooperation
between national bodies in charge of ICT infrastructure and
legislative bodies of various countries, in provision of digital
evidence during investigations. However, facilitation of this
process has caused some major concerns among privacy
advocates. Civil liberties implications of counterterrorism
policies are a hot topic of debate in the European Union
whose directives still protect the privacy of its countries
citizen. Findings of Julian Assanges WikiLeaks organization
and those of Edward Snowden have clearly demonstrated
how pre-emptive acting on behalf of the governments creates
a myriad of more or less coordinated global surveillance
programs with cooperation of telecommunication companies
and European governments [5] that are clearly creating
breaches on behalf of privacy of their own citizens.
It is clear that there are several concerns to be addressed by
experts in digital forensics and legislative branches outlining
the operational framework. Privacy of citizens and security of
corporate business information has to be leveraged against
national and international security; digital evidence is
extremely volatile in nature, therefore it has to be carefully
MIPRO 2017/DE-GLGPS
 collected and examined, and it has to be done quickly, in
order to avoid data expiration. Requirements related to digital
data handling have to be respected. Furthermore,
international cooperation is often the main prerequisite for
most forensic investigations.
The described situation requires regular engagement of
significant resources: time needed to perform analysis and
create reports, sophisticated software and technology to
analyse media and networks, and skilled experts who are able
to explain digital findings. Therefore, both the required
technology and time of experts are major constraints in
forensic examination of digital evidence and if improperly
utilized, they could results in sunk cost or even
misinterpretation of findings.
II DIGITAL FORENSICS PRINCIPLES AND
LAWS
Modern forensics has its roots in ancient China, with Song Ci
being the most famous forensic medial expert during
Southern Song Dynasty whose book Collected Cases of
Injustice Rectified is still regarded as a seminal book of
forensic science in China. Developments in the field of
forensics in Europe became rapid only in the 19th century and
especially in the beginning of the 20th century with wide
adoption of fingerprint analysis invented by Juan Vucetic in
1891. Widespread adoption of forensic and scientific
methods and introduction of expert witnesses in most
legislative systems had as a consequence the dissemination of
forensics in almost all fields of human life (and related legal
proceedings).
Digital forensics is only a logical development of the above
mentioned and became a discipline with the introduction of
computers first used as mainframes for mass data processing.
In the past two decades and with further development of
information society, computers, smartphones, networks,
servers and Internet usage are very often the usual and even
expected part of many other legal proceedings, in the areas of
both the criminal and civil law.
Digital forensics adheres to several classical laws of forensics
sciences that are also used in other areas of science. While
different sources quote different versions of these laws, they
can be summarily explained in the following way when
applied to the digital world:
1. Law of individuality, stating that every digital
artefact has the characteristics that are not
duplicated in any other object.
2. Principle of exchange (otherwise known as
Locards Exchange Principle, as a hommage to its
founder, professor Edmond Locard) according to
which when the perpetrator or the instrument (s)he
uses comes in contact with the victim or
surrounding objects, they leave traces, but they also
pick up graces from them. This principle is
extremely important in digital forensics.
3. Law of progressive change applied to digital
forensics means that every digital trace changes
with the passage of time. The impact of this
principle in digital forensics is immense because
the passage of time logarithmically alters it. Digital
MIPRO 2017/DE-GLGPS
data evidence is among the most volatile evidence
forms [9].
4. Law of comparison states that only the likes can be
compared, meaning that only like samples and
specimens can be compared.
5. Law of probability claims that all definite or
indefinite identifications made consciously or
unconsciously are based on probability.
6. Law of circumstantial facts, otherwise known as
facts do not lie, men can and do requires reliance
on digital data and evidence and not oral evidence,
power of observation or suggestion.
Except basic forensic laws that are more or less common for
all forensics disciplines, there are a few more principles of
digital forensics that are specific for the field of digital
investigations [10].
1. No action taken during the forensic investigation
should change data which may have to be relied
upon in court
2. In case that an investigator has to access original
digital evidence, he has to be competent to do so
and give evidence explaining the relevance and
implications of their actions. Considering that
operating systems and programs alter the content of
digital evidence without the user being aware of
such change, forensic analysis is usually performed
using relevant media images.
3. An audit trail has to be created and preserved
demonstrating that the chain of custody over digital
evidence is maintained. An independent expert
should be able to examine the utilized methodology
and achieve the same result.
4. There has to be a single instance in charge of
investigation and ensuring that the forensic laws
and principles are being adhered to.
The golden standard in digital forensics nowadays is the
Abstract Digital Forensics Model, created as a generic,
technology-independent model, composed of nine different
phases (Figure 1).
Figure 1. Abstract Digital Forensic Model [11]
1699
 This model assumes that the incident type is well recognized
and determined. In comparison to previous models, this
model consists of detailed pre- and post- investigation
procedures.
III FINANCIAL IMPACT OF DIGITAL
FORENSICS
Digital forensics trends are largely dictated by rapid advances
in information technology over the past decades. In the latest
period, we saw rapid growth and development of concept of
Internet of Things (IoT), where ubiquitous computing
principles are applied to a variety of devices and sensors in
media, manufacturing, energy management, medical and
healthcare, transportation, building and home automation,
environmental monitoring and personal use. Each of these
devices may serve as a source of digital data stream to be
analysed as a part of forensic process. With the introduction
of IoT, literally almost anything can become an object of
digital forensic investigation, from wearable technologies and
cars, to sensor grids. An interesting analysis of diverse topics
in journals covering different areas is shown in Figure 2.
Figure 2. Coverage of digital forensics topics in journal
papers [12]
While the number of overall papers shown in Figure 2. is low
and its sum is not statistically significant, it shows a variety
of topics covered by digital forensics. Some other papers
show that 77,8 % of all cases deal with single user computers,
44,4 % with network forensics, and 55,60 % with mobile
forensics [13]. It is worth noticing that the sum is above 100
% because in some investigations, there are multiple objects.
So, despite variety of various objects of digital forensic
investigation, some less complex or traditional objects still
make up the majority of all investigations. This can partially
be explained by the latency that is still prevalent in this field:
there is a significant passage of time since the moment when
certain digital evidence is created until the time it is fixed for
analysis. So, forensic investigators are still working with
delayed data.
On the other hand, there is an entire industry made around
log data analysis and even predictive algorithms, aimed
especially towards large enterprise server and network
systems that are creating automated environment for large-
scale data acquisition, analysis and alerting of administrative
and other personnel in relation to potentially occurring
anomalous events. These systems are in fact forensic in
nature: they create forensically viable environment for
analysis of various events. In most cases it is even possible to
program various actions that will be triggered by events.
These systems are primarily used to facilitate day-to-day
1700
operations and administration of various ICT systems, and to
provide audit trail for compliance purposes, but they can also
be used in forensic analysis and provide a valuable source of
information, especially if their usage and data storage follows
forensic principles and laws.
Legislative branch is also placing forensics-motivated
requests in form of various laws and requirements, especially
aimed towards telecommunications and IT service providers.
In most telecommunication acts, there are articles and
provisions requiring service providers to install and maintain
systems and software (often at their own cost) that tracks its
usage and provide full access to the police and investigators.
This trend is widespread in the United States and more and
more present in the European Union. Privacy is still one of
the main concerns and only communication meta-data and
not its content is preserved, unless measures of wiretapping
or surveillance are ordered by the court. It is reasonable to
expect that in the future there will be more and more
implementations of legislation-driven systems that will
monitor patterns of usage of various information systems in
order to collect data for later forensic analysis.
Anticipative inclusion of data logging in laws does not only
provide audit trail and basis for further forensic
investigations, it can also lower the cost of forensic analysis
because it contains data that would otherwise have to be
extracted using other, more costly methods, or it would not
be available at all. The cost of forensic investigations in the
USA is typically in the range of 10,000 US$ - 100,000 US$
with hourly rates in the range between 125 US$ and 650 US$
[14]. These costs can be significantly lowered with greater
inclusion of logging tools, some of which can also be
obtained as a open source data loggers and maintained as
such. It is worth noticing that there is significant overlapping
between solutions that are behind implemented controls in
systems of information security and forensic logging tools.
Organizations that have higher achieved levels of information
security will also have less security breaches, and probably
even less those that will result in serious consequences that
might be a matter of forensic investigation. Even if that
occurs, forensic investigation might be faster or easier, thus
incurring less related cost.
Inclusion of legislative requirements seems to be especially
important in the case of cloud computing forensics. The
National Institute of Standards and Technology of the U.S.
Department of Commerce has recognized this importance and
has included forensic science challenges in the draft of its
NISTIR 8006 standard. This draft anticipates almost all steps
of forensic process described in this paper and recognizes that
cloud forensics possesses certain specific traits and
challenges arising from the distinctive nature of the computer
cloud [15]. It further defines cloud computing stakeholders
and their roles, and collection and aggregation of challenges,
along with additional observations. The most distinctive are:
1. Time, either in terms of consistency or data
volatility in time,
2. Location, where even locating an evidence may be
a major hurdle in forensic investigation, and
3. Data sensitivity, where pervasive use of cloud
computing environments by users and employees
could elevate the risk of incidents that might end up
as forensic investigations.
MIPRO 2017/DE-GLGPS
 Additional requirements for laboratories performing forensic
investigations in ICT and especially data acquisition are
arising from some applicable ISO standards, and especially
the new edition of ISO /IEC DIS 17025: General
requirements for the competence and testing and calibration
laboratories, slated for the next revision issue in May 2017
[16]. In United Kingdom, there will be a mandatory required
certification of ICT forensic laboratories according to this
standard [17] something that was until now reserved for
wet evidence laboratories dealing with DNA testing and
organic evidence. This procedure will have far reaching
consequences for all involved parties because, at this
moment, four year long backlogs for analysis of seized
computer equipment are not unheard of in the industry [18].
Currently, the market of digital forensics field consists of a
small number of large players, and a large number of one-
man forensic investigators who are very important in the
process of provisioning forensic assistance to district
attorneys, police and judicial system, and decrease of current
forensic backlog. The anticipated certification of the process
will both increase the cost of service due to less competition
and lengthen (at least initially) the process of forensic
investigation until the market is fully consolidated.
VI CONCLUSION
Digital forensics deviates from the general definition of
forensics because its procedures are done over a set of non-
material evidence, which is one of the prerequisites of the
traditional forensics. However, media where such evidence
resides is still material in nature (hard drives, memory cards,
network storages, volatile memory).
There are several other characteristics that separate digital
forensics from other, more traditional forensic disciplines,
some of them being evidence volatility, remote geographical
placement of evidence, transition over several legal
jurisdictions, reliance on legal framework and implemented
measures of information security to obtain digital evidence,
and constantly changing technology.
Digital forensics follows the same well-established laws and
principles known in the other forensic fields. However, the
amount of analysed material, the inability to make data
acquisition automatic, high level of required skills,
knowledge, specialized hardware and software and time
required to perform the analysis are the main obstacles placed
in front of forensic investigators. Modern digital forensics
also has to perform the analysis of the new systems, like data
acquired from sensor arrays and grids connected to the
Internet of Things, personal devices like mobile phones or
cloud computing systems. Such forensic analysis is often
very complex and costly.
One possibility of control of possible forensic cost and
facilitating forensic analysis is the implementation of various
controls aimed to elevate the achieved level of information
security. These measures often provide a good level of audit
trail that has to be kept under forensically sound conditions
and it could be later used as such. Therefore, there is a
significant level of overlapping between the information
security management systems and tentative subsequent
forensic usage.
There is a noticeable global effort to standardize practices in
digital forensics by using standards already applicable to
other forensic fields and especially DNA and crime trace
MIPRO 2017/DE-GLGPS
analysis. The introduction of these standards will further
increase the cost of forensic services, and might render small
forensic investigation teams unable to compete with large
accredited laboratories, who possess capabilities to
forensically analyse large volumes of ICT equipment and
data.
REFERENCES
[1] Meriam-Webster, https://www.merriam-
webster.com/medical/forensic%20science (accessed 17th
December 2016)
[2] Lynch, V.A., Duval J.B. Forensic Nursing Science,
Elsevier Health Sciences, 2010, p. 97
[3] Kean, T.H. et al. The 9/11 Commission Report, The
National Commission on Terrorist Attacks Upon the United
States, August 21, 2014
[4] http://www.un.org/en/counterterrorism/ (accessed 17th
December 2016)
[5] https://www.theguardian.com/world/2013/jun/09/edward-
snowden-nsa-whistleblower-surveillance (accessed 17th
December 2016)
[6] Sung, T. et al. The Washing Away of Wrongs: Forensic
Medicine in Thirteenth-Century China (Science, Medicine,
and Technology in East Asia), Center for Chinese Studies,
University of Michigan, 1981
[7] Vucetich, J. Dactiloscopia comparada el nuevo sistem
Argentino, Establecimento Tipografico Jacobo Pkuser, La
Plata, 1904
[8] Locard's Exchange Principle, http://vjestak-
informatika.com/2016/12/13/locardov-princip-razmjene-u-
forenzici/ (accessed 17th December 2016)
[9] DOJ National Institute of Justice, Volatility of digital
evidence,https://www.policeone.com/Officer-
Safety/tips/1655664-Volatility-of-digital-evidence/, June 10
2008 (accessed 17th December 2016)
[10] http://www.computerforensicsspecialists.co.uk/blog/the-
principles-of-digital-evidence (accessed 17th December 2016)
[11] Reith, M. et al. An Examination of Digital Forensic
Model, International Journal of Digital Evidence, Volume 1,
Issue 3, fall 2002
[12] Dezfoli, F.N. et al. Digital Forensics Trends and
Future, International Journal of Cyber-Security and Digital
Forensics (IJCSDF) 2(2), 2013, p. 50
[13] M. Tu, K. Cronin, D.Xu, S.Wira,"On the Development
of Digital Forensics Curriculum",
http://www.dsu.edu/research/ia/documents/ [6]-On-the-
development-of-Digital Forensics-Curriculum (accessed 17th
December 2016)
[14]http://blog.securitymetrics.com/2016/08/what-do-
forensic-investigations-do.html1 (accessed 17th December
2016)
1701
 [15]http://csrc.nist.gov/publications/drafts/nistir-
8006/draft_nistir_8006.pdf (accessed 17th December 2016)

[16]http://www.iso.org/iso/home/store/catalogue_ics/catalogu
e_detail_ics.htm?csnumber=66912 (accessed 6th January
2017)

[17]http://www.forensicmag.com/article/2012/02/isoiec-
170252005-accreditation-digital-forensics-discipline
(accessed 6th January 2017)

[18] D. Lillis, B. Becker, T. OSullivan, and M. Scanlon,

Current Challenges and Future Research Areas for Digital
Forensic Investigation, 05 2016

1702 MIPRO 2017/DE-GLGPS