An Assessment of, and Improvements to, the Digital Forensics Acquisition Process of a Law Enforcement Agency

Abstract

Forensics addresses the collection and analysis of evidence. Digital forensics is forensics in the context of digital devices. It is a rapidly evolving field employed in various organizations such as law enforcement, government, and the private sector. The acquisition of digital evidence is the step in digital forensics where digital evidence is preserved. The preservation of digital evidence in its original form is customarily deemed a necessary property in the context of digital forensics, as such evidence may need to be re-examined in the future.

In this thesis, we first analyze the acquisition phase of the digital forensics process of the Ontario Provincial Police (OPP) to determine whether it is forensically sound. The OPP is a law enforcement agency that serves a population of 14 million people who reside in the province of Ontario in Canada. We extract a set of properties that OPP's acquisition phase does, and should, uphold to achieve forensic soundness. We then evaluate whether the desired properties are met by comparing OPP's process to three standards on forensic soundness for law enforcement. We conclude by proposing improvements to the parts of the process that do not uphold desired properties.

While our thesis evaluates and provides suggestions to OPP's current process, it also serves a greater purpose. Our contributions allow OPP, and any other law enforcement agency, the framework needed to analyze an existing process, identify areas that may jeopardize forensic soundness, and implement changes that mitigate those threats.