FORZA y Zachman Framework

How to Balance Privilege and Digital Forensics Investigation
Ricci S. C. IEONG Principal Consultant ricci@ewalker.com.hk Abstract
Privilege is defined as the basic rights that oneself can refuse to testify or withhold a document in litigation. How can this be implemented in digital forensics investigation? The first step is to apply the encryption technology to protect privileged datasystematically and automatically. A proposed scheme for balancing privilege and digital forensics investigation is also depicted in this paper. In this scheme, a systematic role-based digital forensics framework – FORZA is used for linking the encryption technology and privilege requirement together. privilege and (3) privilege arising from the statement made “without prejudice”. Under common law, aperson, unless in criminal proceedings, has the right to refuse to answer any questions or produce any documents in a litigation. It is the basic human rights of a person known as the privilege against self-incrimination. Another well known privilege is the legal professional privilege. Communication, such as legal advice from professional legal adviser to the client, could be protected and exemptedfrom being disclosed to the court both in civil and criminal cases. Similarly, communication used in negotiations could also be considered as privilege information. It is known as “without prejudice” statement. Normally, in digital world, this information would be kept in emails, documentations, message in instant messenger.

1. Introduction
Digital forensics as highlighted by Mark Pollitt [6] isa group of tasks or processes in investigation. It is not just a task for digging information from a disk, memory or anywhere from the computer. It has to comply with the legal requirement stated in different countries’ law. In an internal investigation of an email sexual harassment case, to what extend data collected from human resources or finance department of company could be revealed to aninternal IT staff? When an IT staff gains access to corporate confidential information of his or her manager, how could the confidential information be protected? If an unauthorized access incident happens in a law firm, should the field investigator clone hard disk from the law firm computer system? Would that be violating the legal professional privilege? To start tackling the issue, we shouldunderstand what is privilege in digital world?

1.2 When privilege is violated most?
Generally digital forensics investigation could be separated into 4 procedures [1],[2] namely, – data preservation, data acquisition, data analysis, and data presentation. Among these procedures, privilege is usually violated during the data acquisition and data analysis. When collecting or cloning hard disk ordata evidence, field investigators would have to access to suspect’s hard disk or machine, then they may access to some privilege data. In data analysis procedure, forensics examiner may also access to the content of privilege document. When recovering, previewing, copying and examining of the acquired data content, examiners may not know whether any privileged content exists in the document untilit was opened. Thus they are forced to open the file in order to examine that.

1.1 Privilege in Digital World
Privilege is defined as “a right which the law gives a person allowing him to refuse to testify about a particular matter or to withhold a document” according to the UK common law [3]. There are three main privileges – (1) privilege against self-incrimination, (2) legal professional1.3 How privilege could be protected?
In digital world, e-discovery process is different from the real world discovery. One can imagine that, unless emails, documents or data were encrypted, every piece of information and data, no matter it is

classified data or not, could be accessed and opened using different viewer in the digital forensics investigation tools. Thus, everyone in the...