Misusing the term "Forensics" in OSINT and Cyber Investigations.

The Coalition of Cyber Investigators examines the problem of tools being casually branded as "forensic" while failing to meet the standards that label implies.

Paul Wright & Neal Ysart

12/18/2024, 9 min read


Introduction

Open-source intelligence (OSINT) and cybercrime investigations often lead to formal proceedings. It is therefore concerning that the term "forensics" is frequently used, or more accurately misused, to describe a wide range of tools and techniques.

This trend is misleading and potentially dangerous, because many of the tools so described lack the rigorous safeguards built into established and mature digital forensic technologies[1]. This article explores what forensics means, discusses the pitfalls of arbitrarily labelling tools as forensic and offers constructive suggestions for OSINT practitioners.

What Does Forensics Mean?

Forensics encompasses methods and techniques applicable in, or appropriate for use in, courts of law. The term derives from the Latin forensis, meaning "public" or "of the forum", the forum being the place where Roman courts sat[2]. While definitions vary, a consistent principle ties them together: the emphasis on preserving the integrity of processes and outputs so that they are admissible in formal legal proceedings[3].

The National Institute of Standards and Technology (NIST) defines digital forensics as:

"The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data."

This definition underlines the critical role forensic tools play in ensuring evidence is collected and handled in a manner that meets legal and scientific standards. For a tool to be considered forensic, it must have features that preserve data integrity and support admissibility in court. That means maintaining a documented chain of custody, producing tamper-evident output (for example, cryptographic hashes of what was collected, recorded at the time of collection), and ensuring that its processes are reproducible and defensible under cross-examination.

Distinguishing Digital Forensics from Intelligence Practices

While digital forensics operates under established guidelines, policies, procedures, and best practices to ensure its methodologies are scientifically sound and legally defensible, disciplines like OSINT and other intelligence fields currently lack universally accepted frameworks.

Digital forensics relies on guidance such as that published by NIST, on ISO/IEC 27037[4], and on the Association of Chief Police Officers (ACPO) Good Practice Guide for Digital Evidence[5], which set out how evidence should be identified, collected, preserved, and analysed. These frameworks provide consistency, transparency, and adherence to legal standards. Conversely, OSINT and related intelligence practices often operate in a less structured environment, relying on investigator expertise and organisational policy, which produces variation in methodology and makes evidentiary integrity harder to demonstrate in formal proceedings. This highlights the need to develop standardised practices within these evolving disciplines.

What are the critical differences between Digital Forensics and OSINT?

Digital forensics and OSINT are complementary ways of gathering and analysing information for investigations, yet distinct in many other ways[6].

Digital forensics is the recovery, examination, and preservation of digital evidence from electronic devices and systems, typically dealing with data that is not normally visible or accessible to users. It maintains evidential integrity throughout, with the intention that the evidence can be presented in court in support of legal matters or other formal proceedings.

By contrast, OSINT collects and analyses public information from a variety of sources. In other words, it applies to data that openly exists on the Internet and in other domains and is used for intelligence and evidential purposes, threat assessments, and investigative activities[7].

Digital forensics and OSINT have different domains. Digital forensics analyses data from closed sources such as computers, smartphones, IoT devices, and cloud platforms, using specialised tools[8] to extract hidden or deleted information. OSINT gathers information from open sources such as social media, public records, and online databases, without access to private or restricted data unless authorised. OSINT often complements digital forensics by providing context or additional intelligence in investigations. These disciplines, though interrelated, differ in their methodologies and legal thresholds, which underlines their different but complementary roles in modern investigative practice[9].

Methodologies and operational approaches

Digital forensics and OSINT use different methodologies suited to their goals and operational contexts.

Digital forensics is a branch of forensic science that deals with the recovery and analysis of digital evidence by following a strict chain of custody and maintaining the integrity of the data. Analysts work with physical devices, virtual environments, or forensic data images to uncover artefacts such as deleted files, metadata, and communication logs. The process is designed to produce evidence admissible in court, often requiring rigorous validation and documentation.

OSINT collects and analyses publicly available information using online tools, techniques, and methods. Unlike digital forensics, OSINT as commonly practised does not apply evidence-handling procedures or forensic tools to maintain data integrity. Instead, it relies on data mining, social network analysis, and pattern recognition to extract actionable insights from social media, websites, and public records. These techniques help find associations, identify trends, and develop leads, but they lack the rigorous evidentiary controls of digital forensics.

While both methodologies serve investigative purposes, their differences highlight their complementary nature: digital forensics ensures the integrity of hard-to-access data, while OSINT provides context and intelligence from open sources[10].

Legal, Ethical and Professional Considerations

Legal and ethical considerations are crucial in both fields but manifest differently. Digital forensics must adhere to strict legal standards to ensure evidence is admissible in court[11]. This requires proper authorisation and often involves collaboration with law enforcement or legal teams.

As it handles publicly available information, OSINT generally does not require special legal authorisation. However, ethical[12] and privacy considerations remain essential in its application. Practitioners must comply with data protection laws such as GDPR and avoid invasive practices, including accessing restricted or private information without permission. Ethical principles such as transparency, accuracy, and respect for privacy must guide the collection and use of OSINT data. These considerations point to the balance OSINT investigators have to maintain: using publicly available data for intelligence purposes without violating individual rights or legal standards[13][14].

Lastly, the expertise required in each area varies. Digital forensics demands specialised technical knowledge in data recovery, analysis, and preservation techniques. Many professionals in this field require certification and training to keep up with evolving technologies[15]. On the other hand, OSINT requires skills in online research, data analysis, and critical thinking but may use general-purpose and specialised OSINT tools and, in some instances, forensic tools such as those that analyse image metadata[16].

Where digital forensics focuses on recovering and analysing hidden or protected digital evidence under rigid legal constraints, OSINT involves gathering and interpreting openly available information. Both are important in modern investigations, and they often complement each other to provide a complete understanding of digital landscapes and human activities.

What Professionals Expect from Digital Forensic Tools

Key features of authentic forensic tools include but are not limited to:

1. Preservation of Evidence:

Ensuring that the data is collected and preserved in a manner which maintains its integrity and admissibility in legal proceedings[17].

2. Chain of Custody:

Keeping a detailed record of how evidence is handled and by whom it is collected until it is presented in court[18].

3. Repeatability and Reproducibility:

The ability to achieve the same results consistently using the same methods and tools[19].

Additionally, digital forensic tools can face significant challenges in court, mainly because many rely on proprietary code that cannot be independently inspected. The person producing the evidence must nonetheless be equipped to explain to a court, in detail, how the tool arrived at its output.

While well-known commercial tool providers will often send expert witnesses to vouch for their reliability, explain how their product works, and answer any questions the court may have, the companies or individuals behind many lesser-known tools, especially those that are free or obtained from online sources, do not typically provide the same level of support.

This lack of backing can raise doubts about the accuracy and trustworthiness of the intelligence and evidence derived via the tool. As a result, it becomes crucial for investigators to select their forensic tools carefully, ensuring that they perform well and can withstand scrutiny when challenged during legal proceedings[20].

The Risks of Mislabelling Tools

Mislabelling a tool as “forensic” when it cannot meet basic requirements can lead to several significant issues:

1. Inadmissible Evidence:

Tools that don’t meet forensic standards may produce evidence that cannot be used in court or withstand legal scrutiny, putting cases at risk and damaging the reputations of those who relied upon them[21].

2. Data Tampering Risks:

Without proper safeguards, data could be altered, intentionally or accidentally, which can compromise the integrity of an investigation. Additionally, there would not be an audit trail with sufficient robustness to refute any allegations of data tampering[22].

3. Misplaced Confidence:

Inexperienced users may place too much trust in the results generated by these tools, leading to incorrect conclusions and decisions. This is a significant risk, particularly for practitioners who have yet to gain experience in legal proceedings.
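As an added illustration, and not code from the article or from any tool it mentions, the following Python sketch shows in minimal form the three properties listed under "What Professionals Expect from Digital Forensic Tools" together with the audit-trail point raised under "Data Tampering Risks": the artefact is hashed at the moment of capture (preservation), every handling step is appended to a hash-chained custody log (chain of custody, audit trail), and verify() re-derives all of it from scratch so that a second examiner can repeat the check (repeatability). The source URL, actor names, timestamps and page content are constructed sample values, and the class and function names are this example's own.

```python
"""Minimal integrity wrapper for an OSINT capture (hypothetical example).

Demonstrates capture-time hashing, a hash-chained custody log and an
independent verification pass. Not a substitute for a validated tool.
"""
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64  # prev_event_hash value used by the first custody event


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    seq: int              # position in the log, 0-based
    action: str           # "captured", "exported", "received", ...
    actor: str            # who handled the artefact at this step
    timestamp: str        # ISO 8601, supplied by the caller (no trusted clock assumed)
    artefact_hash: str    # SHA-256 of the artefact when this event was logged
    prev_event_hash: str  # event_hash of the previous entry, GENESIS for the first
    event_hash: str = ""  # SHA-256 over all other fields, canonically encoded

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "event_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class EvidenceRecord:
    """One captured artefact plus its custody log."""

    def __init__(self, source: str, content: bytes, actor: str, timestamp: str):
        self.source = source
        self.content = content
        self.content_hash = sha256_hex(content)  # fixed at capture, never updated
        self.log = []
        self.append_event("captured", actor, timestamp)

    def append_event(self, action: str, actor: str, timestamp: str) -> CustodyEvent:
        prev = self.log[-1].event_hash if self.log else GENESIS
        ev = CustodyEvent(len(self.log), action, actor, timestamp,
                          sha256_hex(self.content), prev)
        ev.event_hash = ev.compute_hash()
        self.log.append(ev)
        return ev

    def verify(self) -> list:
        """Re-derive every hash; returns a list of problems (empty means intact)."""
        problems = []
        if sha256_hex(self.content) != self.content_hash:
            problems.append("artefact altered since capture")
        prev = GENESIS
        for i, ev in enumerate(self.log):
            if ev.seq != i or ev.prev_event_hash != prev:
                problems.append(f"event {i}: chain broken (entry removed or reordered)")
            if ev.compute_hash() != ev.event_hash:
                problems.append(f"event {i}: log entry altered")
            if ev.artefact_hash != self.content_hash:
                problems.append(f"event {i}: artefact hash differs from capture hash")
            prev = ev.event_hash
        return problems


def build_sample_record() -> EvidenceRecord:
    # Constructed sample capture; the URL and page body are not real.
    page = b"<html><body>@example_handle posted at 09:41</body></html>"
    rec = EvidenceRecord("https://social.example/example_handle", page,
                         "analyst-1", "2024-12-18T10:00:00Z")
    rec.append_event("exported", "analyst-1", "2024-12-18T10:05:00Z")
    rec.append_event("received", "reviewer-2", "2024-12-18T11:30:00Z")
    return rec


def demo() -> dict:
    """Run verify() against an intact record and three tampered copies."""
    intact = build_sample_record().verify()

    r = build_sample_record()
    r.content = r.content.replace(b"09:41", b"09:14")  # silent edit of the artefact
    content_edit = r.verify()

    r = build_sample_record()
    r.log[1].actor = "analyst-9"                        # rewriting who handled it
    log_edit = r.verify()

    r = build_sample_record()
    del r.log[1]                                        # removing a handling step
    gap = r.verify()

    return {"intact": intact, "content_edit": content_edit,
            "log_edit": log_edit, "gap": gap}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'OK'}")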

Recommendations

To help tackle these challenges, professionals in the OSINT and cyber investigation fields can take several proactive steps:

1. Establish Clear Definitions and Standards:

  • Develop clear OSINT-focused standards which define what qualifies as a forensic tool. NIST recommends collaboration with legal experts to help ensure compliance with legal requirements.

2. Document Limitations:

  • Where the scope and objectives of any given assignment require tools that cannot meet forensic requirements, and there is a possibility of formal proceedings, any associated limitations should be highlighted and documented before commencing so that stakeholder expectations are managed.

3. Raise Awareness:

  • Educate practitioners about proper forensic tools and techniques, primarily when evidence may be used in formal proceedings.

  • Discourage the arbitrary application of the term forensic to tools, techniques and online services, unless they clearly meet the required standards.

4. Implement Rigorous Testing:

  • Regularly test and validate tools to ensure they meet forensic standards and can produce reliable, admissible evidence.

5. Enhance Transparency:

  • Encourage tool developers to provide more transparency about their methodologies and algorithms, allowing for better scrutiny and validation.

6. Continuous Training:

  • Provide ongoing training for OSINT and cybercrime investigators on the latest forensic techniques and legal requirements.

Conclusion

The misapplication of the term "forensics" within the OSINT and cyber investigation space can be an opportunity for course correction and collaboration.

Clearer definitions, greater awareness, and tighter contractual documentation will help the international community of OSINT and cyber investigation practitioners share an understanding of what makes a tool forensic and how such tools can be used effectively and responsibly.

This is increasingly important as digital evidence becomes crucial in formal proceedings, and the OSINT and cyber investigation community must move towards standards and practices commensurate with those expected by the principles of digital forensics.

Authored by: The Coalition of Cyber Investigators

Paul Wright (United Kingdom) & Neal Ysart (Philippines)

© 2024 The Coalition of Cyber Investigators. All rights reserved.

The Coalition of Cyber Investigators is a collaboration between

Paul Wright (United Kingdom) - Experienced Cybercrime, Intelligence (OSINT & HUMINT) and Digital Forensics Investigator; and

Neal Ysart (Philippines) - Elite Investigator & Strategic Risk Advisor, Ex-Big 4 Forensic Leader.

With over 80 years of combined hands-on experience, Paul and Neal remain actively engaged in their field.

They established the Coalition to provide a platform to collaborate and share their experience and analysis of topical issues in the converging domains of investigations, digital forensics and OSINT. Recognizing that this convergence has created grey areas around critical topics, including the admissibility of evidence, process integrity, ethics, contextual analysis and validation, the coalition is Paul and Neal’s way of contributing to a discussion that is essential if the unresolved issues around OSINT derived evidence are to be addressed effectively. Please feel free to share this article and contribute your views.

[1] https://www.legalpracticeintelligence.com/blogs/technology-intelligence/digital-forensics-revolutionising-the-court-practice (Accessed December 12, 2024)

[2] Legal Information Institute. (n.d.). Forensic. Cornell Law School. Retrieved December 12, 2024, from https://www.law.cornell.edu/wex/forensic

[3] Belnick, M. (2024, April 22). How digital forensics can empower law firms. FACT. Retrieved December 12, 2024, from https://www.fact-uk.org.uk/how-digital-forensics-can-empower-law-firms/

[4] IsecT Ltd. (n.d.). ISO/IEC 27037 eForensics. https://www.iso27001security.com/html/27037.html (Accessed December 12, 2024)

[5] https://www.digital-detective.net/digital-forensics-documents/ACPO_Good_Practice_Guide_for_Digital_Evidence_v5.pdf (Accessed December 12, 2024)

[6] Digital Forensics & OSINT. https://ubnetdef.org/slides/spring2023/14_Digital_Forensics.pdf (Accessed December 12, 2024)

[7] Secretariat. (2023, November 15). The evolution of OSINT. The Association of British Investigators. https://www.theabi.org.uk/news/the-evolution-of-osint (Accessed December 12, 2024)

[8] Sip-Admin. (2024, September 9). Computer forensics vs Digital Forensics: What’s the Difference? SIP International. https://sip-international.com/blog/computer-forensics-vs-digital-forensics-whats-the-difference/ (Accessed December 12, 2024)

[9] https://ubnetdef.org/slides/spring2024/OSINT.pdf (Accessed December 12, 2024)

[10] Efim. (2024, September 2). The Power of OSINT in Digital Forensics: Tapping into Publicly Available Data. ESPY - Data Enrichment. https://espysys.com/blog/osint-in-digital-forensics/ (Accessed December 12, 2024)

[11] Francis, A. (2022, June 9). The impact of digital forensics on legal proceedings. Lawyer Monthly. https://www.lawyer-monthly.com/2022/05/the-impact-of-digital-forensics-on-legal-proceedings/ (Accessed December 12, 2024)

[12] Wright, P. & Ysart, N. (2024, September 30). Black OSINT vs White OSINT: The Dual-Use Dilemma in Open Source Intelligence. https://www.linkedin.com/pulse/black-osint-vs-white-dual-use-dilemma-f2onc (Accessed December 17, 2024)

[13] Jweber. (2023, July 10). Is OSINT legal? OSINT legal and ethical concerns. Corma Investigations. https://corma-investigations.com/uncategorized/is-osint-legal-the-legal-and-ethical-concerns-of-using-open-source-intelligence/ (Accessed December 12, 2024)

[14] Intel Guard. (2024, October 15). Is OSINT Legal? A Guide on OSINT Ethics & Laws. https://intelguard.co.uk/is-osint-legal/ (Accessed December 12, 2024)

[15] Computer Forensics Lab. (2024, May 15). Computer Forensics Expert. https://computerforensicslab.co.uk/computer-forensics-expert/ (Accessed December 14, 2024)

[16] Intel Guard. (2024, October 15). Is OSINT Legal? A Guide on OSINT Ethics & Laws. https://intelguard.co.uk/is-osint-legal/ (Accessed December 14, 2024)

[17] VIDIZMO Team. (2024, July 23). Evidence Management Practices for Protecting Digital Evidence. https://blog.vidizmo.com/protect-digital-evidence (Accessed December 14, 2024)

[18] McMillan, J. (2000). Importance of a Standard Methodology in Computer Forensics. GIAC (GSEC) paper. https://www.giac.org/paper/gsec/349/importance-standard-methodology-computer-forensics/100950 (Accessed December 12, 2024)

[19] https://computerforensicslab.co.uk/role-of-digital-forensics/ (Accessed December 12, 2024)

[20] BCS. Presenting digital evidence in court. https://www.bcs.org/articles-opinion-and-research/presenting-digital-evidence-in-court/

[21] Niemi, K. (2024, October 23). The hidden dangers of entrusting forensic data collections to your internal IT team. TCDI. https://www.tcdi.com/the-hidden-dangers-of-entrusting-forensic-data-collections-to-your-internal-it-team/ (Accessed December 14, 2024)

[22] Endida. (2024, April 24). Data Tampering: Understanding threats & protection strategies. https://endida.com/news/preventing-data-tampering-understanding-threats-implications-and-protection-strategies/ (Accessed December 14, 2024)