Nowadays, victims, suspects, and witnesses usually own several smart devices. Police departments therefore have to deal with a constantly increasing amount of personally sensitive, probative data that is continuously created, accessed, and altered. This is primarily due to automation, which produces data that are persistent and invariable in nature, and it allows wearable devices to give investigators a means of establishing causation in their investigations. Currently, more than 80% of all court cases involve some type of digital evidence. That evidence includes smartwatch wearable data, which has been used to uphold or refute witness statements. Smartwatch wearable devices thus offer a number of investigative benefits, and they can interact with multiple media sources through different connection modes, which gives them a key role in the Internet of Things (IoT). Hence, the collection and analysis of smartwatch wearable devices has gained importance, increasing the need to examine their computing capabilities and connection modes. Computer forensics and privacy protection are areas of computer security that conflict with each other. Computer forensics tools are developed to discover and extract digital evidence associated with a specific crime, while privacy protection techniques seek to protect the privacy of data owners. Consequently, finding the right balance between the two fields is a considerable challenge. Existing privacy-preserving computer forensics solutions treat all of a data owner's data as private, and consequently collect and encrypt the entire data.
However, this adds to the cost of an investigation in terms of resources and time, which implies a growing need for privacy levels in computer forensics that ensure only relevant data are collected. As a result, only private relevant data would be encrypted. The current research proposes different privacy levels for computer forensics. It begins by classifying forensic data and analyzing all possibilities of data access in computer forensics, and then defines several privacy levels based on those access possibilities. The defined privacy levels make it possible to develop more efficient and effective privacy-preserving computer forensics solutions.
Digital forensic investigators and researchers are showing increased interest in the IoT. This is because the networks created by interconnected wearable smart devices constitute huge information repositories, capable of producing digital evidence of much broader depth and scope than physical evidence (7). A smartwatch wearable device is essentially a mini computer packed with a variety of physiological and mechanical sensors that provides users with a number of communication functions. The storage capabilities of these devices therefore require further investigation (8). Prior research indicates that data such as health and fitness information, events, e-mails, messages, contacts, and notifications can be accessed from datasets obtained from various paired smartwatch wearable devices, which highlights the forensic value of investigating these devices (9). The current study is imperative because it attempts to address two digital forensics issues: the limited research base on smartwatch wearable devices, and the heavy workload of digital forensic investigators. Only some of the existing studies address the acquisition of smartwatch wearable data, and they have used limited methods that are either forensically unsound and incomplete or time-consuming (6, 9). These studies are manual reviews of the information stored electronically on a device, carried out through its native interface, which restricts the acquisition to what the examiner can see on the screen. One of the studies also discussed physical extraction, which reads the information from the device's flash memory and makes it possible to access deleted data.
However, the device must be rooted before physical extraction, which is often regarded as a less forensically sound approach because it modifies the system and possibly user data (3, 10). Hence, there is a need for a forensically sound methodology suited to advanced data acquisition directly from a smartwatch wearable device. Finally, it is critical to triage items for analysis within a case because of current backlogs, which result from the time required to analyze data from various devices combined with the rate at which technology evolves and is updated.
Digital Forensics in the United States
In law-enforcement operations, there is an essential distinction between investigations with and without a search warrant. An investigation with a warrant limits what the government can do, because the search targets must be specified in the warrant. For example, if the government has a warrant to search financial records on a PC for evidence of drug laundering, it may not look for material relating to child pornography. Inconsistencies in the standards between different jurisdictions imply that some warrants have been improperly justified (Losavio and Keeling, 2014). An investigation without a warrant, by contrast, requires ‘probable cause’ of criminal activity, to a standard similar to the one that allows entering a house to search it. This means that most devices, including computers, cannot be searched by the government without a warrant.
There are several exceptions to the general privacy protections of digital devices and computers. If a device or a computer is not the analogue of a ‘closed container’ in one’s home, there are no obstacles to searching it freely. This applies to devices owned by the government, public terminals, information provided to a third party, including a business, and data obtained during a lawful arrest. Voluntarily revealed information, and information in ‘plain view’ or easily visible during a search, also belong here. The exceptions may also include remotely shared storage services, for example, servers. However, it may be argued that these are often used as backup or secondary storage for privately owned devices and computers, and are thus protected from random searches.
The US government has recently claimed an exception to the general protections for metadata, that is, data that describe other data, including phone numbers called by users. However, because metadata can be sensitive information, it remains unclear whether this claimed exception will remain valid (Schneier, 2015). Other directives also address the ability of law enforcement to execute warrants in cases that involve freedom of expression or medical, journalistic, and legal records. In such cases, additional approvals must be obtained before continuing the search.
Privacy Concerns in Digital Forensics
In light of the previous discussion, digital forensics poses some essential challenges to traditional notions of individual privacy.
- Data centralization means that forensic methods make it possible to see all the digital data on a device or computer. This tempts investigators to violate a user's right to privacy, as they may find many interesting items that the search did not originally authorize (Hong et al., 2013). There are analogous non-digital limits in the USA on what police officers can search for in certain situations, for instance, at traffic stops if they find things that do not relate to driving (Shipler, 2011).
- Data misjudgment is a related issue: forensic investigators often have limited insight into digital contents and formats. They may therefore misclassify data and violate the legitimate privacy of users. For example, they may have difficulty telling whether an individual in a photo is under the age of 18, which is a significant problem in child pornography cases. They may also be unable to tell whether a meeting between suspects documented in an email is part of a conspiracy, or whether financial-transaction documents indicate an alleged Ponzi scheme. Hence, investigators looking for something related may open a variety of files and see things far beyond the bounds of their authorization.
- Violating the privacy of third parties becomes an issue when a shared resource, for example, a cloud site, a server computer, or a family computer, is investigated and data owned by different individuals are examined. If only one person is the subject of the investigation, the analysis of other people's data must be avoided (van Staden, 2013). Server forensics carries a big danger here: for example, it is unjustified for the US government to search local servers for terrorism clues, because terrorism-related users are extremely rare and the benefits of searching are tiny compared to the privacy risks.
- Surreptitious searches constitute a key problem in digital forensics: the data owner may not be aware of what is being searched. By contrast, in a house search in the USA, a warrant must be served and the target of the search stated. A drive can be seized and carried off for investigation, and with the right protocols an investigation can be carried out remotely. It is also possible that the drive owner watches an investigation but fails to understand what will happen next, and so cannot tell whether their privacy is being violated.
- Unwarranted reporting of forensic findings occurs because of the difficulty of judging data, combined with the fact that investigators are allowed to report private data irrelevant to the investigation to other authorities. For example, it is usually difficult to ascertain child abuse by looking at photographs. However, a forensic investigator’s report that raises the suspicion of child abuse has a number of consequences in the US, including loss of parental access to a child, subsequent permanent harm to a child until the case of abuse is proved, and others.
- Selling of private forensic data is another challenge. Because private user data have monetary value, an unscrupulous investigator may be tempted to sell them to the many Internet user-information brokers that are ready to pay well for them. This can significantly extend the damage of a privacy violation. Governments are generally unlikely to do this, but businesses and individuals have fewer restrictions.
- The criminal use of digital forensics means that unscrupulous investigators can directly use the private data they find. They may use bank-card numbers to steal from bank accounts, use passwords to break into systems, or use embarrassing private information for blackmail. The Chinese government has been found to endeavor to steal technology secrets from US corporate computer systems (Surowiecki, 2014). Similar techniques can be applied against individuals.
- Difficulty of assessing damage to privacy arises because digital forensics covers such a variety of digital data. As a result, a single user may have difficulty suing for damages in a civil court in the USA. However, class-action lawsuits are possible in the case of large data breaches.
- Lack of privacy management support by forensic tool vendors is one more challenge. The major forensic tools are FTK, the SleuthKit, and EnCase, and none of them provides any support for keeping track of privacy issues during a forensic investigation. Although they could offer a way to mark sensitive data so that it is subsequently avoided, they do not.
Privacy levels are usually used to describe the levels of privacy protection that the data collector should provide. Recent studies on computer forensics consider all of an owner's data to be private and therefore encrypt the entire data. However, treating all forensic data as private means that all of these data must be protected (for instance, by encryption), which takes more time to encrypt and decrypt. In general, defining privacy levels requires classifying the targeted data (for example, forensic data) into several groups. The groups can then be used to determine all data access possibilities, which leads to the definition of the required privacy levels. The data may be classified according to several factors, such as relevancy, privacy, and others. In digital forensics, a conflict arises because the data owner can prevent the investigator from obtaining his private data. In addition, the data owner can decide whether his data are private and can ask for privacy protection under any policy or privacy act in force in the area where the computer crime was committed. At the same time, the investigator can collect any data (both private and non-private) relevant to the crime. Forensic data classification is thus a task that requires cooperation between the data owner and the investigator. The following steps are necessary to define privacy levels for computer forensics:
- the classification of the forensic data into groups, considering privacy and relevancy;
- the analysis of all data access possibilities of the classified data groups;
- the privacy level definition.
Existing solutions can be classified into two branches: cryptographic and policy-based approaches. Cryptographic approaches protect the data owner's private data during the investigation by encrypting both relevant and irrelevant data (whether private or not) using cryptographic techniques, for instance, searchable encryption. All of a data owner's data are treated as relevant and private, so the entire data are collected and encrypted. This adds to the investigation cost in terms of resources and time. Therefore, it is necessary to collect only relevant data and encrypt only private relevant data. Policy-based approaches can be further divided into policy statements and privacy policies. The primary aim of policy-based approaches is to inform the data owner about the collection, use, and disclosure of private data.
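The rule stated above (collect only relevant data, encrypt only private relevant data) can be made concrete with a short Python sketch. This is an added example, not code from the study: the privacy-by-relevancy grouping, the action assigned to each group, and all paths and sizes are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    COLLECT_ENCRYPTED = "collect and encrypt"
    COLLECT_PLAIN = "collect without encryption"
    SKIP = "do not collect"


@dataclass(frozen=True)
class Item:
    path: str
    size: int        # bytes
    relevant: bool   # decided by the investigator
    private: bool    # declared by the data owner


def classify(item: Item) -> Action:
    """Map an item's (relevancy, privacy) group to a handling action."""
    if not item.relevant:
        # Irrelevant data is never collected, whether private or not.
        return Action.SKIP
    return Action.COLLECT_ENCRYPTED if item.private else Action.COLLECT_PLAIN


def plan(items):
    """Return per-item actions and the bytes handled under each strategy."""
    actions = {i.path: classify(i) for i in items}
    cost = {
        # Baseline criticised in the text: everything collected and encrypted.
        "encrypt_all": sum(i.size for i in items),
        "collected": sum(i.size for i in items if actions[i.path] is not Action.SKIP),
        "level_based": sum(i.size for i in items
                           if actions[i.path] is Action.COLLECT_ENCRYPTED),
    }
    return actions, cost


# Constructed smartwatch inventory (hypothetical paths and sizes).
SAMPLE = [
    Item("health/heart_rate.db", 4_000_000, relevant=True, private=True),
    Item("notifications/log.db", 1_500_000, relevant=True, private=False),
    Item("media/family_photos/", 900_000_000, relevant=False, private=True),
    Item("system/watchfaces/", 60_000_000, relevant=False, private=False),
]

if __name__ == "__main__":
    actions, cost = plan(SAMPLE)
    for path, action in actions.items():
        print(f"{path:26} {action.value}")
    print(cost)
```

On this sample, the level-based plan encrypts a small fraction of what the encrypt-everything baseline would, and the irrelevant private photos are never acquired at all.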
Police departments are now finding that victims tend to own up to three smart devices, as do suspects and witnesses, leading to greater amounts of personally sensitive probative data being created, modified, and accessed (2). A large part of this is due to automation, which may produce data that are persistent and invariable, allowing wearables to provide investigators the means to establish causation for investigations (3). Approximately 80% or more of current court cases contain some type of digital evidence, including those where smartwatch wearable data have been used to uphold or refute witness statements (4). In addition to these investigational advances, smartwatch wearable devices are also capable of interacting with multiple media sources through various modes of connection, making them big players in the Internet of Things (IoT) arena (2,5). Therefore, the collection and subsequent analysis of these devices is becoming increasingly more important, as is the study of their computing capabilities and modes of connection (6).