Digital Forensic Readiness: Are We There Yet?

Author: Antonis Mouhtaropoulos/Chang-Tsun Li/Marthie Grobler
Pages: 173-179
JICLT
Journal of International Commercial Law and Technology
Vol. 9, No.3 (2014)
Antonis Mouhtaropoulos
Department of Computer Science,
University of Warwick, Coventry,
CV4 7AL, United Kingdom
Tel No: +306946713146
a.mouhtaropoulos@warwick.ac.uk
Chang-Tsun Li
Department of Computer Science
University of Warwick
Coventry, United Kingdom
c-t.li@warwick.ac.uk
Marthie Grobler
Council for Scientific and Industrial Research
Pretoria, South Africa
mgrobler1@csir.co.za
Abstract. Digital Forensic Readiness is defined as the pre-incident plan that deals
with an organization’s ability to maximize digital evidence usage and anticipate litigation.
The inadequacy of technical research and legislation and the ever-increasing need for
evidence preservation mechanisms have brought the need for a common forensic readiness
standard. This article reviews a number of key initiatives in order to point out directions
for future policy making by governments and organizations, and investigates the
limitations of those initiatives to reveal the gaps that need to be bridged.
1. Introduction
The recent Apple vs. Samsung patent infringement case, where Samsung was accused of infringing a
number of iPhone design and software patents, has highlighted the need for digital evidence preservation.
Following Apple’s infringement claims in 2010, Samsung did not succeed in preventing the destruction of
emails related to the case and, as a result, the jury ordered an adverse inference instruction. The judge
stated that Samsung acted willfully in deleting the emails and that the lost digital evidence could have
been used in court in favor of Apple. The major cause behind the evidence preservation failure was that
Samsung’s in-house email system automatically deleted all emails after a period of two weeks. As a
consequence of the patent infringement case, the jury awarded Apple $1.05bn¹; however, the loss of
digital evidence and the lack of a proactive digital evidence preservation plan could increase the total fine.
The case above is a good example of why digital forensics should be planned in advance, well before
an incident occurs; such planning would effectively increase the possibility of a successful and
cost-effective Digital Forensic Investigation (DFI). The most common problem in a DFI is that the investigator
can only formulate hypotheses on a component's or artifact's previous state by making indirect
observations on the system. The acceptance of a hypothesis relies on the ability of the investigator to
identify, preserve, extract, interpret and infer the relevant data (cited as digital evidence) in connection to
the crime.
1 Kelston, H., 2012. Proposed Spoliation Rules Would Impact Apple-Samsung Trial. Law Technology News.
Available at:
http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202564937466&slreturn=20130006055801#1
[Accessed November 10, 2012].
