Cyber Forensic Investigation


syafiqah

New Member
Nov 22, 2018
#1
Hello all,

"There have been some changes in data protection and privacy regulation in different countries around the globe. This had led to the complexity in collecting forensic evidence"

Has anyone encountered/experienced this matter?


Thanks!
 

twicesafe

Administrator
Staff member
Sep 4, 2018
#2
Hey @syafiqah

Thanks for posting. The laws are going to be very different depending on the country you are working in, with Europe area being the most strict in regards to privacy laws, as far as I know.

When including a quote, please include the source.

Is there a specific area you are looking at?
Criminal or civil case?
What specific type of data are you looking to acquire and from who?

Answering these questions will help you get more detailed responses.
 

Lids

New Member
Experienced Member
Oct 23, 2018
#3
It's a great point - here in Switzerland for instance, it's illegal to enter the country in order to perform a collection with a plan to then take that data out of the country without informing the federal authorities first. From an eDiscovery standpoint, you can in most cases provide access to the data via a review platform for external countries, but cannot allow the ability to download the data; before physically handing over the data (or allowing it to be downloaded), in most cases, a redaction review needs to take place and/or allow the custodian the ability to review the data that will be transferred cross-border beforehand.

I remember talking with a police officer from Australia who was putting together his PhD in Digital Forensics a few years back, who had performed some analysis on cross-border collection issues - one he mentioned was trying to perform a Cloud collection on servers based in France can cause legal issues due to their very strict data transfer laws.

To end my ramble :) For EU countries, there are usually restrictions in place that you cannot transfer data to a country that does not have data privacy / handling rules in place that meet the same standard as the EU / your country. Countries that the EU has determined do offer the same protections are: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (dependent on the rules under the Privacy Shield agreement).

I'm not even touching GDPR, haha

-Sean
 

RobertM

New Member
TRUSTED Contributor
Sep 30, 2018
#4
Lots of great information @Lids

he mentioned was trying to perform a Cloud collection on servers based in France can cause legal issues due to their very strict data transfer laws.
If doing a cloud acquisition, I don't see many people actually checking to see where the data is located or even knowing how to determine this.

Assumption: the person has the username/password for a service like Gmail or Twitter and legal authority within their country to acquire the data.

And when you refer to legal issues, do you mean that the person acquiring the data could be in legal trouble in France or is it simply that the data may not be recognized within the local courts due to the laws in France?
 

syafiqah

New Member
Nov 22, 2018
#5
Hey @syafiqah

Thanks for posting. The laws are going to be very different depending on the country you are working in, with Europe area being the most strict in regards to privacy laws, as far as I know.

When including a quote, please include the source.

Is there a specific area you are looking at?
Criminal or civil case?
What specific type of data are you looking to acquire and from who?

Answering these questions will help you get more detailed responses.
Hey..thanks for your response.

Actually, this quote I've got from the article Digital forensic evidence in the courtroom: Understanding content and quality by Garrie and Morrissy, 2014.

I'm looking for both cases, criminal and civil. As I know, in Malaysia there is a law regarding data protection which is the Personal Data Protection Act and this law is purposely to protect data of individuals. So, if there is an investigation such as a machine of a suspect, it's quite challenging for the investigator to get that information. So, as an investigator, do you have any experience regarding this matter? How did you solve it?
 

Lids

New Member
Experienced Member
Oct 23, 2018
#6
Lots of great information @Lids



If doing a cloud acquisition, I don't see many people actually checking to see where the data is located or even knowing how to determine this.

Assumption: the person has the username/password for a service like Gmail or Twitter and legal authority within their country to acquire the data.

And when you refer to legal issues, do you mean that the person acquiring the data could be in legal trouble in France or is it simply that the data may not be recognized within the local courts due to the laws in France?
@RobertM I haven't performed my own analysis so can only replay the conversation we had based on his research - I believe he made mention that if data was noticed to be getting exfiltrated, a notice similar to a "cease and desist" may be issued by the relevant French authorities. I'll try to track down a copy of his thesis and see if it's mentioned in there, this was a discussion after a few beers :)

In Switzerland my understanding is that a breach of the Data Protection Act lies with the private individual that performed the breach (even if operating on behalf of an employer) and can elicit fines of up to 10,000 francs. On top of that, the affected individuals are allowed to seek restitution / damages for the breach "if their personality has been violated without sufficient justification" Data Protected Switzerland | Insights | Linklaters. This link also indicates that a new Data Protection Act may come into effect in 2019, increasing potential fines to 250,000 francs.

Hey..thanks for your response.

Actually, this quote I've got from the article Digital forensic evidence in the courtroom: Understanding content and quality by Garrie and Morrissy, 2014.

I'm looking for both cases, criminal and civil. As I know, in Malaysia there is a law regarding data protection which is the Personal Data Protection Act and this law is purposely to protect data of individuals. So, if there is an investigation such as a machine of a suspect, it's quite challenging for the investigator to get that information. So, as an investigator, do you have any experience regarding this matter? How did you solve it?
It's a good question @syafiqah, and you are correct depending on jurisdiction the answer will be different -- within Australia for example, for the most part data stored on a company device (laptop, phone, etc) belongs to the company however in other countries it can still be considered "Personal" data depending on content. If performing a collection on a multi-user machine, you may not have the rights to obtain data for other users outside of your purview / warrant so you may need to perform a targeted collection -- tools such as FTK Imager can do Custom Content images that can be told to only retrieve the User folder of interest as well as other data associated with the SID of the user profile in question.
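
The targeted collection described in the post above, as an added example that is not part of the post and not how FTK Imager itself works: a Python script that limits a hash manifest to one user's profile folder on a read-only mounted image and records the sibling profiles it left untouched. The mount layout, the profile names and the function names are assumptions; data tied to the user's SID outside the profile folder is not covered.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_scoped_manifest(mount_root, profile, users_dir="Users"):
    """Hash files under <mount_root>/<users_dir>/<profile> only."""
    users = (Path(mount_root) / users_dir).resolve()
    target = (users / profile).resolve()
    # Reject values such as "..", "" or "a/b" that would widen the scope.
    if target.parent != users:
        raise ValueError(f"profile {profile!r} is not a direct child of {users}")
    if not target.is_dir():
        raise FileNotFoundError(target)
    # Record what was deliberately left untouched, for the collection notes.
    skipped = sorted(p.name for p in users.iterdir() if p.is_dir() and p != target)
    files = []
    for dirpath, dirnames, filenames in os.walk(target, followlinks=False):
        dirnames.sort()
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if path.is_symlink():  # links can point outside the authorised scope
                continue
            files.append({
                "path": path.relative_to(users).as_posix(),
                "size": path.stat().st_size,
                "sha256": sha256_file(path),
            })
    return {"in_scope": profile, "out_of_scope_profiles": skipped, "files": files}


def constructed_demo():
    """Build a constructed two-user tree and collect only 'alice' (hypothetical names)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"Users/alice/Documents/a.txt": b"hello",
                          "Users/bob/private.txt": b"not in scope"}.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return build_scoped_manifest(root, "alice")


if __name__ == "__main__":
    print(constructed_demo())
```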
 

Lids

New Member
Experienced Member
Oct 23, 2018
#7
Morning all -- just to add on to my post above, please see this link for a presentation at ACFE (Australian Certified Fraud Examiners association) that Dr Graeme Edwards (that I referenced in my previous post) made on the topic of cloud investigations, this was just before he finished his doctorate. I'll reach out to him directly to see if he is happy to provide a copy of his thesis.

https://www.acfe.com/uploadedFiles/...pac/2015/presentations/cpp/Graeme-Edwards.pdf
 

syafiqah

New Member
Nov 22, 2018
#8
@RobertM I haven't performed my own analysis so can only replay the conversation we had based on his research - I believe he made mention that if data was noticed to be getting exfiltrated, a notice similar to a "cease and desist" may be issued by the relevant French authorities. I'll try to track down a copy of his thesis and see if it's mentioned in there, this was a discussion after a few beers :)

In Switzerland my understanding is that a breach of the Data Protection Act lies with the private individual that performed the breach (even if operating on behalf of an employer) and can elicit fines of up to 10,000 francs. On top of that, the affected individuals are allowed to seek restitution / damages for the breach "if their personality has been violated without sufficient justification" Data Protected Switzerland | Insights | Linklaters. This link also indicates that a new Data Protection Act may come into effect in 2019, increasing potential fines to 250,000 francs.



It's a good question @syafiqah, and you are correct depending on jurisdiction the answer will be different -- within Australia for example, for the most part data stored on a company device (laptop, phone, etc) belongs to the company however in other countries it can still be considered "Personal" data depending on content. If performing a collection on a multi-user machine, you may not have the rights to obtain data for other users outside of your purview / warrant so you may need to perform a targeted collection -- tools such as FTK Imager can do Custom Content images that can be told to only retrieve the User folder of interest as well as other data associated with the SID of the user profile in question.
Hi @Lids ...That's a long explanation..Thank you so much for sharing this information. :D
 
