The case for zero trust digital forensics

Neale, Christopher; Kennedy, Ian; Price, Blaine; Yu, Yijun; Nuseibeh, Bashar

doi:10.34961/researchrepository-ul.25368367.v1

Nuseibeh_2022_Case.pdf (1.02 MB)

The case for zero trust digital forensics

journal contribution

posted on 2024-03-08, 12:33 authored by Christopher Neale, Ian Kennedy, Blaine Price, Yijun Yu, Bashar NuseibehBashar Nuseibeh

It is imperative for all stakeholders that digital forensics investigations produce reliable results to ensure the field delivers a positive contribution to the pursuit of justice across the globe. Some aspects of theseinvestigations are inevitably contingent on trust, however this is not always explicitly considered or critically evaluated. Erroneously treating features of the investigation as trusted can be enormously damaging to the overall reliability of an investigation's findings as well as the confidence that external stakeholders can have in it. As an example, digital crime scenes can be manipulated by tampering with the digital artefacts left on devices, yet recent studies have shown that efforts to detect occurrences of this are rare and argue that this leaves digital forensics investigations vulnerable to accusations of inaccuracy. In this paper a new approach to digital forensics is considered based on the concept of Zero Trust, an increasingly popular design in network security. Zero Trust describes the practitioner mindset and principles upon which the reliance on trust in network components is eliminated in favour of dynamic verification of network interactions. An initial Definition of Zero Trust Digital Forensics will be proposed and then a specific example considered showing how this strategy can be applied to digital forensic investigations to mitigate against the specific risk of evidence tampering. A definition of Zero Trust Digital Forensics is proposed, specifically that it is ‘a strategy adopted by investigators whereby each aspect of an investigation is assumed to be unreliable until verified’. A new principle will be introduced, namely the ‘multifaceted verification of digital artefacts’ that can be used by practitioners who wish to adopt a Zero Trust Digital Forensics strategy during their investigations. A qualitative review of existing artefact verification techniques is also conducted in order to briefly evaluate the viability of this approach based on current research efforts.