Sunday, 27 October 2013

Future of Forensic Labs: Government Forensic Labs versus Private Forensic Labs

Cases are piling up in courts, and one of the major causes of delay in delivering justice is the delay in forensic investigation reports from forensic labs. In India, legal cases go to government labs (central forensic science laboratories and/or state forensic science laboratories). Forensic labs attribute the delay to a lack of trained manpower, space and infrastructure, which is true in most cases. The average number of cases handled by a forensic scientist in India exceeds that of their counterparts worldwide. Hence most experts do not get the time and opportunity to upgrade their knowledge, which in turn leads to further delay in the execution of forensic investigations. Areas like digital forensics are the most neglected, as most forensic scientists dealing with such cases do not have the educational background and in-depth knowledge to handle them. Active research is declining as there is no time for research. The government forensic labs have equipment lying unused, as there are not enough skilled personnel who could use this expensive infrastructure, which is leading to the slow death of government forensic labs in India.

I would like to draw a parallel here with the health care system, where many private hospitals are able to deliver quality health care by optimally using their resources and by providing scope for research and knowledge upgrades to their employees.

I foresee that the slow death of government forensic labs, pressure from the judiciary and industry readiness will open the doors of opportunity for private forensic labs in India, especially private digital forensic labs, as the world is getting more and more connected and our dependency on technology is increasing with each passing day. We need experts who know the state of the art and carry out research to develop innovative, efficient and scalable solutions. This will also be in line with our National Cyber Security Policy 2013 as announced by the Government of India. There has to be a clear policy to monitor the working of private forensic labs. These private forensic labs need to meet the highest level of standards to remain operational, and the law should allow them to be used in place of government forensic labs. This healthy competition will help both government and private forensic labs and thus society in general.

Thursday, 24 October 2013

Digitized Document Fraud Detection and Fixing

In our daily life, we still depend on printed documents like judicial papers, currency notes, certificates, bank cheques, property papers, security documents, licenses etc. As these sensitive documents play a very important role, criminals very often indulge in producing counterfeit versions of such documents for unlawful and malicious gain. Modern technology has enabled the easy conversion of hardcopy documents to digitized form. Such digitization can be achieved with cheap and sophisticated scanning technology or a digital camera. For documents, scanners are preferred as the capturing can be done in a controlled manner. Thus, in the modern system, documents can be archived in digitized form and copies can be generated as and when required through the computerized system.

Furthermore, digital printing technology has enabled the generation of documents maintaining the desired level of quality. Thus, the advent of digital scanning and printing technology has provided an easy and safe way of generating fake documents. Once a hardcopy of a target document is available, it can be captured through a scanner, tampered with using image processing software and printed. As a result, the frequency of occurrence of fake stamp papers, scorecards, licenses, currency etc. has risen significantly. Such malpractices are referred to as Digitized Document Frauds (DDF).

The current process of detecting counterfeiting requires an expert to manually use sophisticated hardware tools, viz. the Video Spectral Comparator and/or microscopes, which are slow and whose efficiency is limited by many constraints; chemical analysis of paper and ink, on the other hand, is destructive in nature. There is no standard procedure for linking the questioned counterfeit document to its source.

In this light, the first objective of our research work, funded by the Department of Information Technology, is to develop an efficient, portable, non-destructive automated system for tackling digitized document frauds (including counterfeit currency) in a forensic context. This will be achieved by developing a new methodology for efficiently detecting a fraudulent document and then linking this fraudulently generated document to the scanning/printing device (including printing presses, color laser printers and/or color inkjet printers and/or color photocopying machines and/or scanners) in a closed set of suspect devices.






The second objective of the study is to identify suitable parameters, quantifiable using image processing techniques, from magnified images of the document under question captured using high-quality microscopes, scanning electron microscopes and/or the VSC 5000, VSC 6000 and hand-held microscopes.

The next objective is to test a large number of commonly used documents, including currency notes, to identify robust features which are independent of the manufacturer and instead depend on the defects present in each device.

The basis of this proposed research work is that scanning and/or printing devices are made perfect only to the naked eye; when a magnifying device is used for investigation, the defects specific to each device (the device fingerprint) are unique and quantifiable, and can be used to develop an automated system for tackling DDF. This is useful for law enforcement agencies, as the automated tool will provide potential evidence to be used in a court of law.

We are also conducting a study of the security features present in documents to identify suitable parameters, which will also be used to develop an automated tool to assist investigative agencies in detecting digitized document frauds (DDF) and fixing them to their source in a forensic context. There is an urgent need to develop a method for detecting digitized document fraud and then linking it to its origin in a forensic context, to minimize the negative consequences for society and the economy.

Monday, 21 October 2013

Digital Forensic Research Direction


Digital forensics has passed through its golden era, as suggested by Simson Garfinkel, and this raises an important question for the digital forensic research community: what's next for digital forensics? What will be the future of digital forensics? What does the end of the golden era mean? Can we expect the platinum era to start sometime soon? What are the next-generation challenges, and what direction should digital forensic research take? These are some of the very important questions. However, the things which will not change are the speed of change of technology and the quest for providing convenience, which will increase the scope of incidents; digital forensic research has to match up with speedy development of solutions which are not only scalable but also efficient and economical, and which do not hinder the convenience of the users. The cycle of technological change has gathered speed, and hence technologies become obsolete even before they are fully utilized. Thus scalability and speed of development of digital forensic solutions are the need of the hour.


Sunday, 20 October 2013

Capacity building @National Cyber Security Policy 2013


The National Cyber Security Policy 2013 talks about creating a workforce of 500,000 professionals to cater to national cyber security. At the recently concluded Assocham event "11th India Knowledge Summit 2013 Cyber Era - securing the Future", experts emphasised that the country indeed needs professionals to cater to cyber security; however, no road map is mentioned for attaining the target. To create the workforce, we need a clearly defined road map where experts from academia and industry have to come together to formulate the right curriculum, resources and benchmarks, including certifications. Thus the need of the hour is to prepare these resources. Since security and forensics go hand in hand and forensics provides feedback to security, digital forensics skills gain importance as they are available in abundance. The Digital Forensic Group @ IIIT-Delhi is working on solving problems pertaining to real-world challenges faced by law enforcement and other investigative agencies and would like to make a positive impact on the lives of citizens of India. The important problems we are working on are:
1. Detecting and fixing digitized document fraud, including counterfeit currency
2. Privacy preserving digital forensic investigation
3. Document integrity establishment in a real-time, efficient, offline manner through an automated system
4. Resource development for capacity building to support National Cyber Security Policy 2013

Saturday, 5 October 2013

Digital Forensic Principles

Since time immemorial, crime has had a direct association with human civilization. This association generated a need for proper and thorough investigation, leading to the evolution of various investigation techniques and methodologies and in turn forensic science. The relationship of forensic science with law and pure science is very clear and they influence each other. Traditional forensic science uses pure science to answer questions pertaining to investigation in an admissible manner, primarily using physicochemical and biological characteristics. The properties (physicochemical and biological) of entities (matter) change as a result of an incident (events/actions). This fundamental framework of entities and events, along with their ever-changing physicochemical and biological properties (states), strongly influences the forensic principles, investigation process models, guidelines, standards, best practices and administrative/legal requirements of forensic knowledge. The change to an entity due to any incident leads to the transition of the entire system to a new state where the physicochemical and biological characteristics of some or all entities get transformed. The quantification of these state transformations before and after the crime results in potential evidence leading to reconstruction of the sequence of events of the incident. In today's world, the digital realm is proving a ripe and ready stomping ground for crooks of all kinds, and the evidence against them that may be used in a court of law now mostly comes in digital format. Unlike other conventional forensic science branches (physical, chemical and biological), which have admissible and well-defined principles, guidelines and methodologies, digital forensic science is still evolving.
As a result of this ongoing evolution, the IT Laws still treat digital forensic evidence as only corroborative evidence; so evaluating and enhancing forensics principles and forensic knowledge will help digital forensic science to acquire its rightful status in the eyes of the Court of Law. In this research work, we evaluated the established traditional forensic knowledge and principles in digital realm. These famous principles of traditional forensic science have yet to be evaluated in the realm of digital forensics. This evaluation leads to the evolution of new constraints and enhancement of existing traditional forensic science principles. This will help in the development of investigative framework and model for tackling computer frauds and cyber crimes by standardizing the digital evidences to be presented in the court of Law. It will also help in evidence dynamics and reconstruction of sequence of events (time-lining digital evidence) by realizing the properties of Individuality, Repeatability, Reliability, Performance, Testability, Scalability, Quality and Standards in analysis of computer frauds and cyber crimes. The evaluated and enhanced principle and knowledge will help in developing new solutions for unsolved problems and in scaling existing solutions to tackle rapid change of digital technology. The enhanced principles encompass the traditional crimes as well as the computer fraud and cyber crime (CFCC).

TRANSFORMABILITY PRINCIPLE
The division of matter due to forces of various kinds is a fundamental event of nature. In the material world, force or action can produce deformations other than division. In the digital world, in most cases, there is no division or deformation of matter, but there may be complete or partial division or copying of information in the form of content and traits. Thus, due to some action, transformation(s) of information or of the shape, size, volume or appearance of entities take place in both the physical and the digital world. This transformation serves the same purpose as the divisibility of matter does in the traditional world. This transformed information or trait becomes evidence by virtue of its connection with the criminal act. The Transformability principle can thus be derived from the Divisibility principle as follows:


“An entity gets transformed into one or more components due to specific actions. The components will acquire the properties traceable to the properties of the original entity or the process of transformation or both”.

 

GENERALIZED EXCHANGE PRINCIPLE
In the material world, every contact and the consequent interplay of forces between the contacting objects results in the exchange of matter or trait. Even in some cases involving digital objects, the above phenomenon takes place. But CFCC consists of more generic types of exchange and transfer, viz., exchange or transfer of information or digital traits. Moreover, the exchange or transfer in many cases involves the transfer of even the whole object or a large part of the object, instead of only a trace. Thus a generalized restatement of Locard's Exchange principle is:


“Action involving an entity will result in the exchange of information or matter between the components or properties of the entity and the environment”.


This generalized exchange principle covers both the conventional and the digital realm. The transfer in the Generalized Exchange principle relies not only on physicochemical and biological transfer but also includes transfer of information.



Possible Ideas for Digital Forensic Research Projects

The most difficult task in starting any research work is to find the right set of problems to work on. In digital forensics this is an even bigger problem; hence I would like to discuss possible digital forensic research ideas where a lot of scope for research exists:

1. How can we retrieve data that has been overwritten multiple times?
2. How can we find the source of a counterfeit document?
3. How can we ensure the authenticity of a printed document (including a photocopy) in an offline, real-time manner?
4. How can we do cloud forensic investigation as compared to media forensics?
5. Can we fully automate the digital investigation process?
6. Can we develop anti-anti-forensic solutions to tackle smart and knowledgeable criminals?
7. Can we differentiate between two copies of data on two as i.e. which one is the original and which one is the copy?
8. Cloud forensics without the support of service providers.

Please feel free to comment on discussed ideas and add new ideas as your comments.

Thursday, 3 October 2013

Privacy Preserving Digital Forensic Investigation

In today's era, the efficiency of the digital forensic investigation process is the biggest challenge in front of the digital forensic community. The rapid increase in the storage capacity of devices and the decline in per-bit cost have significantly outpaced the development of digital forensic investigation tools and techniques. The key challenge for the investigator is to reduce the total investigation turnaround time, which heavily depends on the size of the storage medium. The problem gains significance from the fact that most people store their personal and/or official data (generated using auxiliary digital devices like cellular phones, digital cameras, memory cards, tablets, music players) mainly on their computing device (laptop, desktop or external storage media). This voluminous data stored on computing devices leads to lengthier investigation time, as finding relevant evidence becomes difficult and error prone (increased false positives and negatives). Throughout the literature, very little attention has been given to making the digital investigation process fully automated based on similarity of investigations (past experience), which can lead to faster discovery of potential evidence.

Our research work provides an efficient automated digital forensic framework to overcome the problem of finding potential evidence in a large storage space. The idea of this framework builds on the fact that a conventional investigator learns by sharing and reusing the knowledge generated by other investigators. We believe that if this knowledge sharing and reuse is incorporated into the framework, the total investigation time will be reduced dramatically, since not only criminal behavior but also the evidence remains similar in most cases. Learning will thus result in a list of potential evidence files in order of importance. The main contribution of the framework is to shorten the total turnaround time in extracting forensically sound evidence, thus saving the cost and time of investigation along with ensuring the privacy of the accused.

Wednesday, 2 October 2013

Digital Forensics as I see it!

Since I started my research in the area of digital forensics in October 2001 at the Central Forensic Science Laboratory-Hyderabad, one thing that has not changed is the flamboyancy of the area. But on the other hand, the rate of change of technology has increased tremendously, resulting in a very small window of opportunity for the development of forensically sound new solutions. In most cases, by the time a problem is solved, technological changes make the solution almost obsolete. For example, most of us carry a laptop which has a CD/DVD drive, which we rarely use. Similarly, today most computers have a hard disk drive, which will vanish soon as new storage technology, i.e. solid state drives, has started replacing it at a rapid pace. Thus, the need of the hour in front of digital forensic research is to develop solutions by anticipating future technologies and their possible misuses. The time has come where such pro-activeness will play a crucial role, along with the need for development of economical, scalable and efficient digital forensic solutions. Digital forensics, like many other fields, follows the 80:20 principle, i.e. certain types of cases constitute most of the reported cases. Thus, by developing solutions for a small set of recurring cases which are commonly reported to law enforcement agencies, researchers can have a positive impact on the perception of digital forensics among common people. The digital forensic group led by me is conducting research to develop forensically sound solutions to cater to law enforcement agencies tackling Computer Frauds and Cyber Crimes (CFCC). The prominent problems we are working on include detection of counterfeit documents, establishment of authenticity of date and time stamps of digital data, document integrity establishment and privacy preserving forensic investigation. The objective is to develop light-footprint, economical, extremely portable and scalable solutions.