Digital forensics problems and challenges
Evidence is no longer confined within a single host but scattered among different physical or virtual locations, such as online social networks, cloud resources, and personal network–attached storage. More expertise, tools, and time are needed to completely and correctly reconstruct evidence. Partially automating some tasks has been highly criticised, because it could quickly deteriorate the quality of investigations.
Collecting information to reconstruct and locate an attack can severely violate users’ privacy and is linked to other hurdles when cloud computing is involved.
Modern infrastructures are becoming complex and virtualised, often shifting their complexity at the border. The traditional rules are not suited to deal with:
A “cyberspace” without borders (problem with territorial jurisdiction)
Computer data in the cloud as objects of seizure (because they are not precisely “located”).
Subscribers (suspects) to cloud services offered by foreign corporations may be residents of the state of the law enforcement in charge of an investigation, and so “virtually” be considered to be under its jurisdiction.
Digital forensics is comprehensive and challenging work by itself. And certain techniques such as media wiping and encryption and obfuscation are used to make forensic analysis of digital evidence even harder.
For example, malware developers use anti-forensics mechanisms and techniques making forensic analysis of both the functionality and origin of malicious software difficult. Encryption of configuration files is a typical technique, especially for botnet malware where the botnet masters want to avoid breaches of the C&C mechanisms used to control the bots.