Digital forensic process

Last updated
A Tableau forensic write blocker Forensic tableau.JPG
A Tableau forensic write blocker

The digital forensic process is a recognized scientific and forensic process used in digital forensics investigations. [1] [2] Forensics researcher Eoghan Casey defines it as a number of steps from the original incident alert through to reporting of findings. [3] The process is predominantly used in computer and mobile forensic investigations and consists of three steps: acquisition, analysis and reporting.

Contents

Digital media seized for investigation may become an "exhibit" in legal terminology if it is determined to be 'reliable'. Investigators employ the scientific method to recover digital evidence to support or disprove a hypothesis, either for a court of law or in civil proceedings. [2]

Personnel

The stages of the digital forensics process require different specialist training and knowledge. There are two basic levels of personnel: [3]

Digital forensic technician
Technicians gather or process evidence at crime scenes. These technicians are trained on the correct handling of technology (for example how to preserve the evidence). Technicians may be required to carry out "Live analysis" of evidence. Various tools to simplify this procedure have been produced, such as EnCase, Velociraptor and FTK.
Digital Evidence Examiners
Examiners specialize in one area of digital evidence; either at a broad level (i.e. computer or network forensics etc.) or as a sub-specialist (i.e. image analysis)

Process models

There have been many attempts to develop a process model but so far none have been universally accepted. Part of the reason for this may be due to the fact that many of the process models were designed for a specific environment, such as law enforcement, and they therefore could not be readily applied in other environments such as incident response. [4] This is a list of the main models since 2001 in chronological order: [4]

Seizure

Prior to the actual examination, digital media will be seized. In criminal cases this will often be performed by law enforcement personnel trained as technicians to ensure the preservation of evidence. In civil matters it will usually be a company officer, often untrained. Various laws cover the seizure Archived 2014-08-21 at the Wayback Machine of material. In criminal matters, law related to search warrants is applicable. In civil proceedings, the assumption is that a company is able to investigate their own equipment without a warrant, so long as the privacy and human rights of employees are preserved.

Acquisition

Example of a portable disk imaging device Tableau TD3 Forensic Imager 2014-06-26 07-05.jpg
Example of a portable disk imaging device

Once exhibits have been seized, an exact sector level duplicate (or "forensic duplicate") of the media is created, usually via a write blocking device. The duplication process is referred to as Imaging or Acquisition. [5] The duplicate is created using a hard-drive duplicator or software imaging tools such as DCFLdd, IXimager, Guymager, TrueBack, EnCase, FTK Imager or FDAS. The original drive is then returned to secure storage to prevent tampering.

The acquired image is verified by using the SHA-1 or MD5 hash functions. At critical points throughout the analysis, the media is verified again to ensure that the evidence is still in its original state. The process of verifying the image with a hash function is called "hashing."

Given the problems associated with imaging large drives, multiple networked computers, file servers that cannot be shut down and cloud resources new techniques have been developed that combine digital forensic acquisition and ediscovery processes.

Analysis

After acquisition the contents of (the HDD) image files are analysed to identify evidence that either supports or contradicts a hypothesis or for signs of tampering (to hide data). [6] In 2002 the International Journal of Digital Evidence referred to this stage as "an in-depth systematic search of evidence related to the suspected crime". [7] By contrast Brian Carrier, in 2006, describes a more "intuitive procedure" in which obvious evidence is first identified after which "exhaustive searches are conducted to start filling in the holes" [8]

During the analysis an investigator usually recovers evidence material using a number of different methodologies (and tools), often beginning with recovery of deleted material. Examiners use specialist tools (EnCase, ILOOKIX, FTK, etc.) to aid with viewing and recovering data. The type of data recovered varies depending on the investigation, but examples include email, chat logs, images, internet history or documents. The data can be recovered from accessible disk space, deleted (unallocated) space or from within operating system cache files. [3]

Various types of techniques are used to recover evidence, usually involving some form of keyword searching within the acquired image file, either to identify matches to relevant phrases or to filter out known file types. Certain files (such as graphic images) have a specific set of bytes which identify the start and end of a file. If identified, a deleted file can be reconstructed. [3] Many forensic tools use hash signatures to identify notable files or to exclude known (benign) files; acquired data is hashed and compared to pre-compiled lists such as the Reference Data Set (RDS) from the National Software Reference Library [5]

On most media types, including standard magnetic hard disks, once data has been securely deleted it can never be recovered. [9] [10]

Once evidence is recovered the information is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialized staff. [7] Digital investigators, particularly in criminal investigations, have to ensure that conclusions are based upon data and their own expert knowledge. [3] In the US, for example, Federal Rules of Evidence state that a qualified expert may testify "in the form of an opinion or otherwise" so long as:

(1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case. [11]

Reporting

When an investigation is completed the information is often reported in a form suitable for non-technical individuals. Reports may also include audit information and other meta-documentation. [3]

When completed, reports are usually passed to those commissioning the investigation, such as law enforcement (for criminal cases) or the employing company (in civil cases), who will then decide whether to use the evidence in court. Generally, for a criminal court, the report package will consist of a written expert conclusion of the evidence as well as the evidence itself (often presented on digital media). [3]

Related Research Articles

<span class="mw-page-title-main">Computer forensics</span> Branch of digital forensic science

Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

Disk cloning is the process of duplicating all data on a digital storage drive, such as a hard disk or solid state drive, using hardware or software techniques. Unlike file copying, disk cloning also duplicates the filesystems, partitions, drive meta data and slack space on the drive. Common reasons for cloning a drive include; data backup and recovery; duplicating a computer's configuration for mass deployment and for preserving data for digital forensics purposes. Drive cloning can be used in conjunction with drive imaging where the cloned data is saved to one or more files on another drive rather than copied directly to another drive.

In computing, data recovery is a process of retrieving deleted, inaccessible, lost, corrupted, damaged, or formatted data from secondary storage, removable media or files, when the data stored in them cannot be accessed in a usual way. The data is most often salvaged from storage media such as internal or external hard disk drives (HDDs), solid-state drives (SSDs), USB flash drives, magnetic tapes, CDs, DVDs, RAID subsystems, and other electronic devices. Recovery may be required due to physical damage to the storage devices or logical damage to the file system that prevents it from being mounted by the host operating system (OS).

In evidence law, digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Before accepting digital evidence a court will determine if the evidence is relevant, whether it is authentic, if it is hearsay and whether a copy is acceptable or the original is required.

<span class="mw-page-title-main">Digital forensics</span> Branch of forensic science

Digital forensics is a branch of forensic science encompassing the recovery, investigation, examination, and analysis of material found in digital devices, often in relation to mobile devices and computer crime. The term "digital forensics" was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data. With roots in the personal computing revolution of the late 1970s and early 1980s, the discipline evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged.

Electronic discovery refers to discovery in legal proceedings such as litigation, government investigations, or Freedom of Information Act requests, where the information sought is in electronic format. Electronic discovery is subject to rules of civil procedure and agreed-upon processes, often involving review for privilege and relevance before data are turned over to the requesting party.

<span class="mw-page-title-main">The Sleuth Kit</span>

The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based utilities for extracting data from disk drives and other storage so as to facilitate the forensic analysis of computer systems. It forms the foundation for Autopsy, a better known tool that is essentially a graphical user interface to the command line utilities bundled with The Sleuth Kit.

Anti–computer forensics or counter-forensics are techniques used to obstruct forensic analysis.

Device configuration overlay (DCO) is a hidden area on many of today's hard disk drives (HDDs). Usually when information is stored in either the DCO or host protected area (HPA), it is not accessible by the BIOS, OS, or the user. However, certain tools can be used to modify the HPA or DCO. The system uses the IDENTIFY_­DEVICE command to determine the supported features of a given hard drive, but the DCO can report to this command that supported features are nonexistent or that the drive is smaller than it actually is. To determine the actual size and features of a disk, the DEVICE_­CONFIGURATION_­IDENTIFY command is used, and the output of this command can be compared to the output of IDENTIFY_­DEVICE to see if a DCO is present on a given hard drive. Most major tools will remove the DCO in order to fully image a hard drive, using the DEVICE_­CONFIGURATION_­RESET command. This permanently alters the disk, unlike with the host protected area (HPA), which can be temporarily removed for a power cycle.

<span class="mw-page-title-main">EnCase</span>

EnCase is the shared technology within a suite of digital investigations products by Guidance Software. The software comes in several products designed for forensic, cyber security, security analytics, and e-discovery use. EnCase is traditionally used in forensics to recover evidence from seized hard drives. It allows the investigator to conduct in-depth analysis of user files to collect evidence such as documents, pictures, internet history and Windows Registry information.

<span class="mw-page-title-main">Forensic disk controller</span> Forensic Hardware Device Prevent Writing

A forensic disk controller or hardware write-block device is a specialized type of computer hard disk controller made for the purpose of gaining read-only access to computer hard drives without the risk of damaging the drive's contents. The device is named forensic because its most common application is for use in investigations where a computer hard drive may contain evidence. Such a controller historically has been made in the form of a dongle that fits between a computer and an IDE or SCSI hard drive, but with the advent of USB and SATA, forensic disk controllers supporting these newer technologies have become widespread. Steve Bress and Mark Menz invented hard drive write blocking.

Forensic Toolkit, or FTK, is a computer forensics software originally developed by AccessData, an Exterro company. It scans a hard drive looking for various information. It can, for example, potentially locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.

<span class="mw-page-title-main">Forensic profiling</span> Study of trace evidence in criminal investigations

Forensic profiling is the study of trace evidence in order to develop information which can be used by police authorities. This information can be used to identify suspects and convict them in a court of law.

<span class="mw-page-title-main">Network forensics</span>

Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation.

File carving is the process of reassembling computer files from fragments in the absence of filesystem metadata.

<span class="mw-page-title-main">Mobile device forensics</span> Recovery of evidence from mobile devices

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers.

<span class="mw-page-title-main">Audio forensics</span>

Audio forensics is the field of forensic science relating to the acquisition, analysis, and evaluation of sound recordings that may ultimately be presented as admissible evidence in a court of law or some other official venue.

Gates Rubber Company v. Bando Chemical Industries, Ltd., et al. is a decision by the U.S. district court for the District of Colorado from May 1, 1996. It is considered a landmark decision in terms of expert witness court testimony in questions of electronic evidence and digital forensics.

Fileless malware is a variant of computer related malicious software that exists exclusively as a computer memory-based artifact i.e. in RAM. It does not write any part of its activity to the computer's hard drive, thus increasing its ability to evade antivirus software that incorporate file-based whitelisting, signature detection, hardware verification, pattern-analysis, time-stamping, etc., and leaving very little evidence that could be used by digital forensic investigators to identify illegitimate activity. Malware of this type is designed to work in memory, so its existence on the system lasts only until the system is rebooted.

References

  1. "'Electronic Crime Scene Investigation Guide: A Guide for First Responders" (PDF). National Institute of Justice. 2001.
  2. 1 2 Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN   978-0-12-374267-4 . Retrieved 4 September 2010.
  3. 1 2 3 4 5 6 7 Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN   0-12-163104-4.
  4. 1 2 Adams, Richard (2012). "'The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice" (PDF).
  5. 1 2 Maarten Van Horenbeeck (24 May 2006). "Technology Crime Investigation". Archived from the original on 17 May 2008. Retrieved 17 August 2010.
  6. Carrier, B (2001). "Defining digital forensic examination and analysis tools". Digital Research Workshop II. CiteSeerX   10.1.1.14.8953 .{{cite web}}: Missing or empty |url= (help)
  7. 1 2 M Reith; C Carr; G Gunsch (2002). "An examination of digital forensic models". International Journal of Digital Evidence. CiteSeerX   10.1.1.13.9683 .{{cite web}}: Missing or empty |url= (help)
  8. Carrier, Brian D (7 June 2006). "Basic Digital Forensic Investigation Concepts".
  9. "Disk Wiping – One Pass is Enough". 17 March 2009. Archived from the original on 16 March 2010. Retrieved 27 November 2011.
  10. "Disk Wiping – One Pass is Enough – Part 2 (this time with screenshots)". 18 March 2009. Archived from the original on 2011-12-23.
  11. "Federal Rules of Evidence #702". Archived from the original on 19 August 2010. Retrieved 23 August 2010.

Further reading