dfirlabs submission on the cybercrimes and cybersecurity...


 

DFIRLABS  (Pty)  Ltd  Reg.  No.2014/097774/07  Directors:  J.  Jordaan  


       

       

 

Thursday  10th  August  2017  

The  Portfolio  Committee  on  Justice  and  Correctional  Services  [email protected]    

SUBMISSIONS  ON  THE  CYBERCRIMES  AND  CYBERSECURITY  BILL  

Dear  Committee  Members  

1.   INTRODUCTION  

1.1. Cybercrime is a growing phenomenon that shows no signs of decreasing, but every sign of increasing as we move forward. Cybercrime is an offence, which while it impacts on the people of South Africa, is a borderless and transnational crime that affects humanity. South Africa needs to play its part in the global effort to address cybercrime, and I feel that the Cybercrime and Cybersecurity Bill is a credible effort on the part of the Republic of South Africa.

1.2.   Digital  evidence  plays  a  significant   role   in   the  successful   investigation  of  cybercrime.  However,  digital   evidence   also   plays   a   significant   role   in   virtually   every   other   form   of   criminal   activity  worldwide,   and  with   the   growing  adoption  of   smarter  digital   technologies   and   the   Internet  of  Things,  it  is  conceivable  that  soon  no  crime  will  be  committed  without  there  being  some  digital  evidence  that  could  play  a  part  in  the  successful  investigation  and  prosecution  thereof.  

1.3.   Digital  forensics  is  the  branch  of  forensic  science  that  deals  with  the  identification,  preservation,  examination,   analysis,   and   interpretation   of   digital   evidence.   For   this   Bill   to   successfully   be  implemented  as  an  Act,  the  capacity  of  digital  forensics  practitioners  must  be  addressed.  

2.   CREDENTIALS  

2.1.   I  have  been  practicing  in  the  field  of  forensic  investigation  since  January  1991  specialising  in  the  investigation   of   commercial   crime   and   organised   crime,   and   since   August   1998   as   a   forensic  scientist  practicing   in  the  digital  and  multimedia  evidence  discipline,  specialising   in  commercial  crime,   cybercrime,   and   corruption  matters.  As  well   as  being  an  active   forensic   scientist   in   this  discipline,  I  am  also  experienced  in  forensic  science  research  in  this  discipline,  and  am  a  published  academic  researcher  in  this  discipline.    

 

 

DFIRLABS (Pty) Ltd, 9 Cranbrook Road, Sunnyridge, East London, 5201, Republic of South Africa
WWW.DFIRLABS.COM [email protected] +27 (0) 83 556 7112


2.2.   I  began  my  career   in  the  South  African  Police  Service   in  the  Commercial  Branch  as  a  detective,  before  moving  to  the  Special  Investigating  Unit,  where  I  was  responsible  for  digital  forensics  as  the  national  head  of  the  Cyber  Forensics  Laboratory.  In  2014,  due  to  my  increasing  involvement  with  international  digital  forensics  development,  I  left  the  Special  Investigating  Unit  to  become  an  independent  digital  forensics  scientist.  

2.3. During my career, I have testified on numerous occasions in both the High Court and Regional Courts, where I have been recognised as an expert witness. Also significant is that during my career, I have maintained a 100 percent success rate with investigations taken to prosecution. I have attributed that success to a simple focus on the evidence and the forensic science, and ensuring that the courts are provided with the evidence that they need and can rely upon.

2.4. I am currently a visiting lecturer at Rhodes University for the subject Digital Forensics and Incident Response for the Master of Science degree in Computer Science. I am also an active member of the Security and Networks Research Group at Rhodes University, where the focus of my research currently is on digital forensics standards and quality assurance.

2.5.   I  was  a  visiting  lecturer  at  the  University  of  Cape  Town  from  2010  to  2011  for  the  postgraduate  subject  INF4016W  Computer  Forensics,  and  a  visiting  lecturer  at  the  University  of  Pretoria  for  the  Certificate  in  the  Investigation  and  Management  of  Cyber  Crime  from  2011  to  2014.    

2.6.   I  am  currently  a  member  of  the  advisory  board  for  the  Department  of  Computer  Science  at  the  University   of   Pretoria,   focusing   on   advising   on   their   digital   forensics   curriculum   and   teaching  activities,  as  well  as  research  in  this  field.  

2.7.   I  am  a  research  fellow  in  the  Faculty  of  Law  of  the  University  of  Fort  Hare  working   in  the  Law,  Science  and  Justice  research  niche  area,  focusing  on  the   intersection  between  digital   forensics,  digital  evidence,  and  the  law  of  evidence.  The  focus  of  my  research  here  is  on  legal  issues  relating  to  digital  evidence  and  digital  forensics.  

2.8.   I   am   the   current   chairperson   of   the   Cyber   Crime   forum   of   the   South   African   Chapter   of   the  Association   of   Certified   Fraud   Examiners.   The   role   of   the   forum   is   to   improve   the   capacity   of  forensic  investigators  in  South  Africa  to  investigate  cybercrimes.  I  was  an  Executive  Director  of  the  South  African  Chapter  of  the  Association  of  Certified  Fraud  Examiners  from  2011  to  2015.  

2.9.   I   am   the   Chairperson   for   the   Research   and   Development   Committee   of   the   International  Association  of  Computer  Investigative  Specialists,  which  is  responsible  for  advancing  the  state  of  the  art   internationally   in   the   field  of  digital   forensics.   In  addition   to   this   I   form  part  of   the   file  system  forensics  subject  matter  expert  team,  where  we  are  responsible  for  the  development  of  all  training  materials  relating  to  the  forensic  examination  of  computer  file  systems.  I  am  a  certified  trainer   for   them   and   teach   the   Basic   Computer   Forensic   Examiner   training   program  internationally,  where  I  have  taught  law  enforcement  officers  from  around  the  globe.  I  am  also  an  active  mentor  for  this  organisation,  and  have  been  responsible  for  one  on  one  mentoring  of  law  enforcement  digital  forensic  practitioners  from  Europe,  Australasia  and  Asia.  

2.10.   I  am  a  member  of  the  SANS  and  GIAC  advisory  board  since  2013,  for  the  field  of  digital  forensics.  The   SANS   Institute   is   considered   one   of   the   world’s   leading   international   cybersecurity  institutions.  I  am  also  an  instructor  for  the  SANS  Institute,  and  teach  Advanced  Windows  Forensics.  I  have  taught  in  Germany,  France,  the  Czech  Republic,  the  United  Arab  Emirates,  and  South  Africa.  I  am  currently  the  only  African  instructor  on  the  digital  forensics  and  incident  response  faculty.  


2.11. I am an assessor for the Netherlands Register of Court Experts of the Ministry of Justice in the Netherlands. This body is responsible for the assessment of competency of digital forensic practitioners who wish to testify as expert witnesses in the Netherlands’ courts. Only practitioners that are assessed as being competent can testify as expert witnesses. I have conducted several assessments of senior Dutch government digital forensics practitioners working for the Netherlands Forensic Institute.

2.12.   I  was  also  requested  by  the  Department  of  Justice  of  South  Africa,  to  serve  on  the  advisory  board  of  the  Deputy  Minister  of  Justice  with  regards  to  the  Cybercrime  and  Cybersecurity  Bill.  In  addition  to  playing  an  active  role  in  the  review  of  this  Bill,  I  was  also  tasked  with  the  review  of  the  proposed  initial   Standard  Operating   Procedures   of   the   South   African   Police   Service   in   relation   to   digital  evidence  and  digital  forensics.  

2.13.   I  am  a  member  of  the  following  professional  bodies:  

2.13.1.   The  International  Association  of  Computer  Investigative  Specialists  

2.13.2. The High-Tech Crime Investigation Association

2.13.3.   The  Chartered  Society  of  Forensic  Sciences  

2.13.4.   The  Global  Information  Assurance  Certification  

2.13.5.   The  Association  of  Certified  Fraud  Examiners  

2.13.6.   The  Institute  of  Information  Technology  Professionals  of  South  Africa  

2.13.7.   The  Association  for  Computing  Machinery  

2.13.8.   The  Institute  for  Electrical  and  Electronics  Engineers  

2.13.9.   The  Information  Security  Audit  and  Control  Association  

2.14.   I  have  the  following  academic  qualifications:  

2.14.1.   MSc  degree  in  Computer  Science  (Cum  Laude),  thesis  in  Digital  Forensics  

2.14.2.   MTech  degree  in  Forensic  Investigation,  thesis  in  Financial  Investigation  

2.14.3.   BComHons  degree  in  Information  Systems,  majoring  in  Computer  Forensics  

2.14.4.   BSc   degree   in   Criminal   Justice   Computer   Science   (Summa   Cum   Laude),  majoring   in   Computer  Forensics  and  Computer  Crime  Investigation  

2.14.5.   BTech  degree  in  Policing,  majoring  in  Criminal  Investigation  

2.14.6.   National  Diploma  in  Police  Administration  

2.14.7.   N4  in  Electronics  Engineering  

2.15.   I  have  achieved  the  following  certifications:  


2.15.1. Certified Forensic Computer Examiner (CFCE)¹

2.15.2.   Member  of  the  Chartered  Society  of  Forensic  Scientists  (MCFS)  

2.15.3.   Professional  Member   of   the   Institute   of   Information   Technology   Professionals   of   South   Africa  (PMIITPSA)  

2.15.4.   Global  Information  Assurance  Certified  Computer  Forensic  Examiner  (GFCE)  

2.15.5.   Global  Information  Assurance  Certified  Computer  Forensic  Analyst  (GFCA)  

2.15.6.   Certified  Fraud  Examiner  (CFE)  

3.   CURRENT  AREAS  OF  CONCERN  IN  DIGITAL  FORENSICS  IN  SOUTH  AFRICA  

3.1.   Digital   forensics   is   the   forensic   science   discipline   that   combines   various  methods   from   science,  technology,  and  engineering,  to  acquire  and  interpret  the  data  stored  on  digital  devices  to  answer  questions   in  a   court  of   law.  While   initially   focused  on   cases  destined   for   the   courtroom,  digital  forensics   has   been   used   in   other   applications   such   as   pure   and   applied   research,   policy  enforcement,  information  security  incident  response,  and  even  intelligence  gathering.  

3.2. Digital forensics is a critical component in bringing digital evidence to court, as the use of digital forensics follows certain standard processes and procedures, which tend to persuade the court to admit digital evidence and give due and proper evidential weight to it. In assessing the weight of digital evidence in South African courts, digital forensics plays an increasingly important role.

3.3. In recent years, courts began to recognise digital forensics as a legitimate scientific method for proving facts that can be used to prove matters in a court of law. This emphasis on digital forensics as a forensic science is important in that it shows that digital forensics is based on generally accepted scientific methods, including quality assurance practices. Quality assurance is a crucial aspect of digital forensics as a forensic science discipline, with the quality of the work done being considered the most important aspect owing to the actual or potential consequences of poor quality. The work of a forensic practitioner plays out in a court of law, where defects in the forensic process can produce a flawed product, which can result in an innocent person being punished (having to pay either a fine, receive a prison sentence, or both), as well as having to wrongfully pay out money in a civil lawsuit, or even resulting in a person who actually committed the transgression going unpunished to transgress again. It is important that forensic evidence is correct as the consequences of mistakes can have a very real human cost, and in addition to that cost, public confidence in the courts and justice system itself is damaged. There is a fundamental legal and philosophical maxim that states that it is better for ten guilty people to go free rather than let one innocent person suffer. The innocent can most certainly suffer when there is poor quality in forensic science, and this can never be acceptable. To avoid this happening, the competency of digital forensics practitioners must be beyond reproach.

 

 

 

¹ The CFCE certification is the world’s oldest digital forensics certification program, having been the program that birthed the digital forensics industry. It is the only digital forensics program that has been accredited by the Forensic Specialties Accreditation Board. I was the first African to achieve this international certification.


3.4.   In  recent  years,  there  has  been  significant  interest  in  problems  in  forensic  science.  While  some  of  the  research  is  generalised  to  the  broader  field  of  forensic  science,  many  of  the  same  problems  can  be  applicable   to  digital   forensics  as  a  specific  discipline  within   the   forensic  science   field.  Recent  research  in  the  United  States  identified  a  number  of  problems  with  the  practice  of  forensic  science  in   that   country,   including   inadequate   or   inappropriate   academic   qualifications,   training,   and  competency  of  forensics  practitioners.    

3.5. The need for continuing professional development for forensic practitioners to remain current and advance to an elevated level of expertise in their chosen discipline is crucial. When forensic practitioners have not kept up-to-date through continuing professional development, their skills and knowledge become outdated, and as a result many forensic cases are flawed owing to a lack of training and contemporary knowledge. The need for continuing professional development is especially critical in the field of digital forensics owing to the rapid changes not only in technology, hardware, and software that must be examined and analysed by digital forensic examiners, but also in the rapid development of tools and methodologies used in the digital forensic process itself, as well as in the legal landscape.

3.6. A common mistake that can be made by digital forensic examiners, which can render digital evidence inadmissible, is when they fail to realise that they have reached the limits of their knowledge. One of the basic principles developed in the United Kingdom for computer-based digital evidence, which are commonly used throughout the world, is that digital forensics practitioners should be competent. The International Organisation on Digital Evidence also set a number of principles to ensure the integrity of digital evidence, including that digital forensic practitioners should be specially trained and have sufficient and relevant experience.

3.7.   Forensic  science  is  compromised  if  the  competency  of  individual  forensic  examiners  is  not  assured.    A  fundamental  determination  of  quality  in  a  forensic  laboratory  is  the  technical  capabilities  of  the  laboratory,  as  well  as  the  abilities  of  the  staff  members.    Quality   in  forensic  science  can  only  be  achieved   by   using   competent   forensic   practitioners   that   work   under   the   guidance   of   a   quality  system.  Competence   is  defined  as  the  mixture  of  knowledge  and  skills,  application  thereof  by  a  forensic  practitioner,  and   the  appropriate  attitudes  and  behaviours  of   the  practitioner.  Another  important  element  of  ensuring  the  quality  of  digital  forensic  processes  is  to  ensure  that  all  digital  forensic  examiners  are  technically  competent  in  the  field  of  digital  forensics,  and  do  not  simply  have  training  in  the  use  of  specific  forensic  tools.  

3.8.   Previous   research   into   quality   assurance   practices   in   digital   forensics   in   South   Africa   by  myself  identified  the  qualifications,  training  and  certification  as  an  area  of  concern.  

3.9. With an increasing use of digital forensics in South African courts of law to assist the courts in reaching legal decisions, it is crucial that the best evidence obtained through properly competent and qualified digital forensics practitioners is presented. The hypothesis of this research is that digital forensic practitioners in South Africa may not have achieved the level of academic qualification, training and competence necessary for the courts to be able to rely upon their findings with confidence due to them meeting objective benchmarks.

3.10.   There  are  existing  international  standards  which  have  set  the  minimum  criteria  for  digital  forensics  practitioners,  and  I  have  conducted  extensive  research  in  South  Africa  as  part  of  my  MSc  research  regarding  the  actual  competence  of  South  African  practitioners  in  relation  to  accepted  minimum  standards  of  practice.  

 

 


3.11.   Secondary  School  Education  

3.11.1.   Digital  forensics  is  a  forensic  science  discipline.  Expertise  in  the  field  of  digital  forensics  requires  far  more  than  product  knowledge;  it  requires  a  wide  range  of  expertise  within  the  computer  science  discipline,   ranging   from   basic   concepts   such   as   number   systems   and   mathematics   through   to  complex  skills  in  computer  science.  Many  of  these  foundation  skills  and  expertise  are  developed  in  the  secondary  school  system  in  South  Africa,  and  as  such  understanding  the  extent  to  which  digital  forensic  practitioners  have  mastered   these  skills  and  expertise  provides  a  clearer  picture  of   the  foundation  skills  of  digital  forensic  practitioners.  

3.11.2.   Currently  the  majority  of  digital  forensics  practitioners  in  South  Africa  have  completed  Grade  12.  34  percent  have  achieved  a  university  exemption.  Just  over  two  thirds  of  practitioners  did  not  pass  Grade  12  with  a  pass  mark  that  would  enable  them  to  study  at  a  tertiary  academic  institution  for  degree  studies.  This  does  have  an  impact  on  tertiary  studies  that  are  important  in  the  field  of  digital  forensics.  

3.11.3.   Digital  forensics  as  a  forensic  science,  which  itself  is  considered  an  applied  science,  is  influenced  by  the  STEM  subjects  at  secondary  school  level,  that  is,  all  subjects  in  science,  technology,  engineering,  and  mathematics.  In  the  context  of  this  research,  understanding  the  core  STEM  subjects  completed  by  the  respondents  at  secondary  school   level,  establishes   the   levels  of  certain   foundation  skills,  which  are  generally  considered  important  in  the  practice  of  science.  

3.11.4.   86  percent  of  practitioners  have  passed  mathematics  (not  mathematics  literacy)  in  Grade  12.  64  percent  of  practitioners  have  passed  physical  science  in  Grade  12.  27  percent  of  practitioners  have  passed  information  technology  in  Grade  12.  

3.11.5.   The  majority  of  practitioners  have  completed  mathematics  as  a  subject  at  secondary  school,  which  is  considered  an  important  foundation  in  the  field  of  computing.  Although  physical  science  is  not  always  considered  important  in  computing,  it  does  make  students  familiar  with  scientific  principles  such  as   the   scientific  method,   and  experimentation,   and  almost   two   thirds  of   respondents  had  completed  this  subject.      

3.12.   Undergraduate  Tertiary  Education  

3.12.1.   While   secondary   school  provides   the   foundation   skills   in   key   STEM  subjects   crucial   for   a  digital  forensic   practitioner,   additional   tertiary   study   is   necessary   in   general   to   develop   expertise   and  knowledge.    

3.12.2.   The  National  Academy  of  Science  in  the  United  States  has  recommended  that  as  a  minimum,  digital  forensic  practitioners  should  have  a  Bachelor  of  Science  degree  in  computer  science  or  computer  engineering.  The  European  Network  of  Forensic  Science  Institutes  recommends  that  digital  forensic  practitioners   have   a  minimum   of   a   degree   in   computer   science   or   computer   engineering.   The  United  Nations  Office  on  Drugs  and  Crime  recommends  that  digital  forensic  practitioners  should  have  a  degree   in   information   technology,   computer   science,  mathematics,   science,  or  electrical  engineering.  

3.12.3. 59 percent of practitioners have completed an undergraduate degree or diploma. While 59 percent of the practitioners have completed an undergraduate degree or diploma, only 34 percent had passed matric with a university exemption, which would normally allow them to register to study for a university qualification. However, universities do allow mature entry based on age, and not all of the old Technikons required a university exemption to register for a National Diploma.

 


3.12.4. However, when one looks at the undergraduate qualifications held by practitioners, only 43 percent had an appropriate undergraduate qualification relevant to the practice of digital forensics. However, when you look at a Bachelor’s degree level, only 0.09 percent of practitioners have a Bachelor of Science degree in Computer Science, which is one of the specific qualifications recommended for digital forensics.

3.12.5.   In  general,  computer  science   is   recommended   in   the   field  of  digital   forensics,  as   it  provides  the  necessary   scientific   foundations   in   the   field   of   computing   upon   which   the   practice   of   digital  forensics   is  based.   In  essence,  computing  or  computer  science   is   the  foundation  science  for   the  specialised  forensic  science  of  digital  forensics.    

3.12.6.   Not  only  is  computer  science  a  key  foundation,  a  key  aspect  of  computer  science  graduates  is  the  fact  that  they  never  stop  learning  and  continue  to  be  deeply  engaged  in  the  learning  process  post  completion  of  their  initial  degree  in  computer  science.  This  is  mostly  by  necessity,  because  the  field  of  computing  is  far  broader  and  deeper  than  that  for  which  any  formal  education  could  prepare  them  and  owing  to  the  constantly  changing  and  expanding  computing  environment.  

3.13.   Post  Graduate  Tertiary  Qualifications  

3.13.1.   23  percent  of  practitioners  have  a  relevant  post  graduate  qualification.  

3.13.2. In South Africa, four tertiary academic institutions currently offer postgraduate taught modules in digital forensics. The University of Pretoria offers an Honours level module in Digital Forensics and Investigations as part of the BScHons Computer Science program, the University of Johannesburg offers an Honours level module in Computer Forensics as part of the BScHons Computer Science Program, Rhodes University offers a Masters level module in Digital Forensics and Incident Response as part of their MSc Computer Science Information Security degree, while the University of Cape Town (UCT) also offers an Honours level module in Computer Forensics as part of the Postgraduate Diploma and BComHons degree in Information Systems. It must be pointed out that none of these four degrees is a digital forensics degree, but either a computer science or information systems degree with a digital forensics module.

3.13.3. The prerequisites for registration for the University of Cape Town course are a three year undergraduate degree in computer science or information systems and at least three years relevant commercial experience; a degree or NQF level 7 diploma in another field and at least three years commercial experience with some IT exposure; or a minimum of five years relevant high-quality full time IT work experience.

3.13.4. One concern however was the fact that most practitioners that had graduated from the University of Cape Town program had no undergraduate qualification in any of the fields recommended by the National Academy of Science, the European Network of Forensic Science Institutes, or the United Nations Office on Drugs and Crime. I am of the opinion that this is a cause for some concern, as while the UCT qualification teaches digital forensic fundamentals, students do not have the necessary computer science fundamentals from an appropriate undergraduate degree. Digital forensics is seen as a specialisation of computer science, and having a student complete a postgraduate degree in digital forensics without the appropriate academic foundation would be similar to allowing a student to study an advanced medical specialisation such as neurosurgery, without them having ever studied medicine or surgery. Forensic science is an applied version of the foundation scientific discipline on which it is based, and so for example, forensic toxicology would be the application by a toxicologist of his/her scientific knowledge of toxicology to a legal application. Similarly, in a computing environment, digital forensics would be the application of scientific knowledge from the field of computer science to a legal application. This position is supported by other research, which compared the general discipline of forensic science to computer forensics.

3.14.   Digital  Forensics  Training  

3.14.1.   The   training   of   digital   forensic   practitioners   in   the   field   of   digital   forensics   is   crucial   and   a   key  determinant  of  quality.  Before  a  digital  forensic  practitioner  (or  any  forensic  science  practitioner  for   that   matter)   examines   and   analyses   any   evidence,   they   should   have   the   basic   scientific  education  in  the  form  of  an  appropriate  Bachelor’s  degree,  as  well  as  discipline  specific  training.  

3.14.2.   71  percent  of  practitioners  had  received  some  form  of  digital  forensics  training.  It   is  however  a  cause  for  significant  concern  that  just  under  a  third  had  received  no  training  at  all.  

3.14.3.   Digital   forensics   training  was   classified   in   two   categories.   The   first   category   related   to   vendor  training,  which  is  digital  forensics  training  provided  by  vendors  of  specific  hardware  or  software  tools  used  in  digital  forensics,  and  focuses  on  the  use  of  those  tools  in  digital  forensics.  The  second  category   of   digital   forensics   training   was   vendor   neutral   training.   Vendor   neutral   training   is  training   that   is  provided  by  organisations  other   than  vendors  of   specific  hardware  or   software  tools  used  in  digital  forensics,  which  focuses  on  the  practice  of  digital  forensics.  

3.14.4.   Most  of  the  training  received  had  been  vendor  training,  in  other  words,  training  in  how  to  use  a  specific   tool,   and   not   actual   digital   forensics   training.   This   reflects   the   fact   that  most   training  available  is  vendor  training  pushed  by  the  vendors  who  sell  various  products.  

3.14.5.   Another  important  element  in  ensuring  digital  forensic  quality  is  that  the  competency  of  digital  forensic  practitioners  must  not  be   limited  only   to   training   in   the  use  of   specific   forensic   tools.  Digital  forensics  training  has  been  dominated  by  vendor  specific  training,  which  is  little  more  than  training   on   how   to   use   specific   tools,   but   this   does   little   to   develop   the   overall   skills   and  competencies   of   a   digital   forensics   practitioner   owing   to   the   often   narrow   product   specific  curriculum.  

3.14.6.   In   essence   this   would   be   like   teaching   someone   how   to   effectively   use   a   scalpel,   and   then  expecting  them  to  perform  heart  surgery.  

3.15.   Competency  Testing  

3.15.1.   It   is   recommended   that   digital   forensics   practitioners   undergo   an   annual   competency   test   to  validate  their  skills.  Apart  from  my  practice,  no  digital  forensics  practitioners  undergo  an  annual  competency  test  as  recommended  by  the  Scientific  Working  Group  on  Digital  Evidence.  

3.16.   Digital  Forensics  Certification  

3.16.1. Digital forensics certifications are classified into two categories. The first is vendor certification, which certifies the competency of a holder of the certification in using a particular digital forensics tool. The second category is technical certification, which certifies the competency of the holder of the certification either in the general practice of digital forensics, or specialised practice in a specific area of digital forensics.

3.16.2. 30 percent of practitioners had earned a vendor certification, while only 11 percent had earned a technical certification.


4.   THE  ROLE  OF  THE  CYBERCRIME  AND  CYBERSECURITY  BILL  IN  DEALING  WITH  DIGITAL  EVIDENCE  AND  DIGITAL  FORENSICS  

4.1. From the research, the level of competency and skills in the field of digital forensics in South Africa is generally poor, and can have a significant negative impact on the lives of people as a result.

4.2. While it may be easy to point the finger, and say that this problem is one that exists only with regards to the public-sector law enforcement agencies, the reality is that the problems of competence exist in all sectors equally. In fact, many of the people in the private sector who portray themselves as digital forensics experts are often the demographic with the most areas of concern.

4.3.   I  believe  the  current  Bill  provides  opportunities  for  us  to  rectify  this  situation.  

4.4.   Clause  24  of   the  Bill  provides   for   the   issuing  of  Standard  Operating  Procedures  which  must  be  observed  by  the  South  African  Police  Service  and  “any  other  person  or  agency  who  or  which  is  authorised  in  terms  of  the  provision  of  any  other  law  to  investigate  any  offence  in  terms  of  any  law,  in  the  investigation  of  any  offence  in  terms  of  Chapter  2  or  section  16,  17  or  18  or  any  other  offence  which  is  or  was  committed  by  means  of  or  facilitated  by  the  use  of  an  article”  

4.5.   I  have  some  concerns  with  this  clause  for  the  following  reasons:  

4.5.1. As it stands, this clause only applies to the State, and does not apply to the many persons in the private sector that also deal with digital evidence daily and present this evidence in a court of law, often in criminal matters. We also often see investigations initiated in the private sector before transferring to the law enforcement agencies, and as such law enforcement agencies may then face the situation that they are having to deal with cases where the digital evidence may have already been compromised.

4.5.2. Secondly, the concept of a Standard Operating Procedure is a new feature in relation to our laws, and as far as I am aware does not exist in any other legislation. In most legislation when issues of this nature need to be addressed, they are addressed through the issuing of Regulations, which are legally accepted as subordinate legislation, and can be legally enforced.

4.5.   I  would  recommend  that  Clause  24  of  the  Bill  be  amended  as  follows:  

4.5.1.   The  Section  should  be   retitled  “Regulations  Regarding   the   Investigation  of  Cybercrime  and   the  Identification,  Preservation,  Examination,  Analysis  and  Interpretation  of  Digital  Evidence”.  

4.5.2.   All  reference  to  Standard  Operating  Procedures  should  be  replaced  with  Regulations.  

4.5.3. Clause 24(1)(c) should be added to state “any other person or organisation that conducts any investigation of any offence in terms of any law, in the investigation of any offence in terms of Chapter 2 or section 16, 17 or 18 or any other offence which is or was committed by means of or facilitated by the use of an article”.

4.6.   By  amending  the  clause  in  this  manner,  the  resulting  directives,  if  they  are  then  developed  in  line  with  international  standards,  will  play  a  significant  role  in  improving  digital  forensics  and  the  use  of  digital  evidence  in  South  Africa.  

4.7.   Clause  51  deals  with  proof  of  certain  facts  by  way  of  an  affidavit.  While  in  general  I  am  happy  with  this  proviso  as  similar  sections  already  exist  within  the  Criminal  Procedure  Act  51  of  1977,  there  are  areas  of  concern  for  me.  


4.8.     The  concerns  that  I  have  relating  to  this  clause  are  as  follows:  

4.8.1. A person who uses any skills in the interpretation of data; the design or functioning of data, a computer program, a computer data storage medium or a computer system; computer science; electronic communications networks and technology; software engineering; or computer programming, can have their evidence submitted based on an affidavit only. In effect this places them in the position of an expert witness.

4.8.2. This set of criteria is so broad that virtually anyone working in the IT field could now be considered an expert witness. As already seen with the research presented, this has a significant impact.

4.8.3. This privilege of being able to submit an affidavit and the affidavit serving as prima facie evidence rests with the State only, even though in most instances most digital forensics practitioners are not in the employ of the State, but in the private sector.

4.8.4.   There  is  no  requirement  for  the  practitioners  to  fully  document  their  methodologies  as  is  required  in  Section  212  of  the  Criminal  Procedure  Act  51  of  1977.  

4.8.5. The right to cross-examine witnesses has been specifically excluded in this clause, with the Court having the power to decide if oral evidence is necessary or not. This is a clear violation of our legal principles and may allow for a challenge to the Constitutional validity of this section as a result.

4.9.   I  would  recommend  that  Clause  51  be  amended  as  follows:  

4.9.1.   Clause   51(1)(ii)   should   be   amended   to   state   “possesses   relevant   qualifications,   expertise   and  experience  as  defined  in  the  Regulations  issued  in  terms  of  Section  24”  

4.9.2. Clause 51(1)(iii) should be amended to state “has established such fact by means of a scientifically validated and documented examination or process, which is fully documented in the affidavit.”

4.9.3.   Clause  51(1)(i)  should  be  amended  to  include  “;  or  a  digital  forensics  practitioner  in  the  employ  of  a  private  body  by  notice  in  the  Gazette”.  

4.9.4. Clause 51(5)(d) should be introduced as follows “The opposing party may request that the person making the affidavit submit themselves for cross-examination.”

5.   CONCLUSION  

5.1. We have a serious problem in South Africa in relation to the practice of digital forensics and the quality of our digital evidence as a result. Doing things wrong with a poor quality of evidence has a negative impact on the lives of people. The bottom line is that getting things wrong damages lives.

5.2.   I   feel   that   the   suggested   amendments   to   the   Bill  will   improve   our   ability   to   effectively   digital  evidence.  

5.3.   I  would  like  to  request  that  I  be  allowed  the  opportunity  to  present  oral  submissions  in  this  regard.  

 

 

 

 


Kindest  Regards  

Jason Jordaan: MCSFS, PMIITPSA
CFCE, CFE, GCFE, GCFA, ACE
MSc (Cum Laude), MTech, BComHons, BSc (Summa Cum Laude), BTech
Principal Partner
Mobile Number: +27 (0) 83 556 7112
Email Address: [email protected]