Data Challenges in Digital Forensics


In 2013, in what the prosecution described as “the largest, most prolific cyberattacks … against IT systems in Singapore”, as many as 19 government websites were taken down, servers of a town council website were illegally accessed, media blogs, server containing confidential data belonging to 650 of Standard Chartered Bank’s clients was compromised.  The hacker “The Messiah” was caught and sentenced to nearly five years in jail, after pleading guilty to 39 charges under the Computer Misuse Act.

This Act together with the recent Cybersecurity bill and Personal Data Protection Act, Act adds a further dimension to Singapore’s data privacy, cybersecurity and cybercrime legal framework, reflecting the increasingly digital era we live in. 

The High Technology Crime Investigation Association (HTCIA) Singapore Chapter 2nd Annual Conference hosted by Deloitte (29th November 2018) in the heart of Singapore’s Commercial Business District was timely and informative on recent regulations and bills passed in Singapore and globally:

  • the EU General Data Protection Regulation (GDPR) which came into force in May 2018, with new measures such as mandatory breach reporting.
  • the Singapore’s Cybersecurity Act 2018 which came into force on 31 August 2018, in which the relevant CII owners are subject to statutory duties to comply with codes and directions, and report incidents to the Commissioner of CyberSecurity.
  • amendments to Singapore’s Computer Misuse and Cybersecurity Act in 2017, such as making it an offense to trade, for example hacked credit card information or to deal in tools such as malware and port scanners for hacking use.

Enforcement was also a topic of focus.  While Information sharing and training to keep up with technological changes and the latest criminal tactics are necessary, digital forensics also plays an important part.

Digital forensics is not straight forward in this Internet-of-Things era, where rapid pace of innovations means a relentless proliferation of devices.

Aside from ensuring a robust chain of “digital asset and data” custody to avoid allegations of evidence tampering (as with physical evidence), the extraction of this evidence is notoriously challenging.

Terry Loo (VP Sales, APAC, Cellebrite) at the Counter Terror Asia Conference (CTAC) 2018 (Marina Bay Sands, 4th -5th December 2018) pointed out that for most cases, the initial problem to overcome is gaining access to the device and its data.

Coping with variety is inevitable. Each new feature, hardware, operating systems and applications requires the development of new tools and techniques. Additionally, as case evidences typically reside on several devices, ability to integrate data from these heterogeneous sources for analysis is crucial.

Digital data intelligence gathering also means processing unstructured and contextual information, corroborating consistencies, correlating identities/ locations / timings, and frequently also recovering deleted data.

The process is performed on multi-platforms, multi-media, and multi-channels, including social media. In fact, the growing use of social media as a channel for groups to recruit new members and to intimidate opponents is exemplified by the live-streaming of the perpetrator of the 2015 Paris attacks.

“Terry Loo (VP Sales, APAC, Cellebrite) at the Counter Terror Asia Conference (CTAC) 2018”

Clearly intelligence gathered helps in counter-surveillance to thwart the Terrorist Planning Cycle.

Moses Remero, speaking on “Counter-Surveillance against Hostile Surveillance in Soft Target Businesses”, explained this as “the measures taken, mostly by intelligence agencies, police, or military units, to conduct surveillance operations … to observe, follow, and collect evidence for an arrest, ligation or so on.”

Terry also pointed to the Manchester terror attack in 2017, in which “hundreds of devices were seized, and data extracted and triaged, which helped to prevent immediate simultaneous attacks, and identify sleeper cells involved while leaving others untouched for monitoring.”

With voluminous data, automating the organization of digital data for meaningful cross-referencing and triaging, instead of the time-consuming manual search process is critical for effective and timely action.

“Machine learning algorithms can automatically detect and pinpoint images that contain similar items such as faces, objects, symbols and themes. Immediate identification of only the relevant media items saves investigative cycles. Expanded language search capabilities including enhanced Arabic OCR (Optical Character Recognition) and key-word search that immediately identify text and image artifacts that contain Arabic textual elements significantly reduces time spent on manual searches,” said Terry.

As digital data plays an increasingly important role in investigations and operations, the challenge of storing the voluminous digital evidence cannot be underestimated.  As more look to Cloud, governance becomes an important aspect of the operations.

“Many customers believe that once they signed up with a Cloud Service Provider (CSP), the responsibility of the data and applications; incident response and forensic investigation lies with CSP. But almost all CSPs set a clear line of their responsibilities in their contracts, so it is important for customers to work with their CSPs to define the boundaries of respective parties and the areas of joint responsibilities and develop an incident response approach with clear understanding and communications,” stressed Felix Lum (HTCIA Singapore Chapter, President).

Today’s forensics data easily ranges from several gigabytes on a single device to multiples of petabytes across digital services.  With higher speeds of connectivity enabling more communication and transmission of digital data, the storage practicalities and governance is undoubtedly a next challenge for law enforcement agents to tackle.


Comments are closed.