Live Data Forensics: A quantitative study of the Norwegian Police University College students LDF examinations during their year of practice
Abstract
Traditionally, the computer specialist in the Norwegian police has performed most of the tasks dealing with electronic evidence. The technology development has put this way of working and thinking under pressure. Today, it is often a limited window of opportunity to obtain digital evidence. If this opportunity is not used, the evidence may be inaccessible or lost forever. Those who are in active service, the First Responders, will most likely be the ones who first come into contact with digital devices that contain electronic evidence.
The investigation of a live (on/running) electronic device, Live Data Forensics (LDF) is a clear deviation from the established methodology we strive to follow in all processing of potential electronic evidence. At the same time, it is absolutely necessary in many criminal cases. Despite the fact that the Norwegian Police University College (NPUC) students in their practical year (B2) lack sufficient LDF competence, we had the impression that they performed LDF. In this thesis we investigate to what extent they performed LDF and how the execution was carried out.
The discussion will include, among other topics, if there is a need to move the boundary between what should be considered First Responder (generalist) and specialist tasks. The analysis of data from the conducted survey shows that more than half of the students performed LDF during their year of practice. LDF on mobile phones is prevalent. The analysis also shows that many LDF examinations are not conducted according to methodology/principles. These types of deviations can cause digital evidence not to be detected, not secured, that they are altered, destroyed, degraded and subsequently leading to not being possible to use in a court of law. In the end, this can lead to errors of justice and weakening society's trust in the police.
Based on the findings in the study, we have some recommendations. Guidelines should be drawn up on how to conduct LDF on mobile phones. The First Responder in the Norwegian police must be able to perform LDF satisfactorily. The NPUC should adjust the education accordingly. The police districts must ensure that the First Responders have sufficient competence, and that LDF is carried out according to both Norwegian and other ratified legal framework.
Description
The degree of MSc. in Forensic Computing and Cyber Crime Investigation.
Oppgaven ble levert desember 2019, men sensurert høsten 2020.