Forensic search

Last updated August 12, 2023

Forensic search is an emerging field of computer forensics. Forensic search focuses on user created data such as email files, cell phone records, office documents, PDFs and other files that are easily interpreted by a person.

Purpose

Forensic search has emerged due to a number of factors including:

Improvements in technologies to enable lesser qualified users to undertake search and analysis of data that would have previously been undertaken only by a computer forensic expert. (This trend can be seen in many industries).^{[ citation needed ]}
A need to reduce the high cost of undertaking a full computer forensic analysis of a user's computer, when in most cases the evidence found in the user created data is most useful and all that is required.^{[ citation needed ]}
The rise of Cloud computing which has seen a move away from data storage on local computer hardware to data storage in any number of remote locations.^[1]
A lack of qualified computer forensic experts
The need to address the backlog of cases in most policing agencies where computer-based information requires review.^[2]^[3]
The need to involve other types of expertise for proper assessment of evidence, e.g. knowledge of accounting regulations, legal knowledge, etc.

Objectives

The objective of forensic search software is to allow a person with only a general knowledge of computers, but skilled in document review or investigation techniques, to undertake and search user created electronically stored information (ESI). Data that is typically considered to be user created ESI is made up of emails, documents, pictures and other file types created by a user, as opposed to data created by the computer's operating system (i.e. registry files, link files, unallocated space. These are controlled or created by the computer and not the user). The objective of reviewing the user created data is to find information that may be used to base decisions on as part of an investigation.^{[ citation needed ]}

Forensic search software

Forensic search software differs from using the native applications (e.g. Outlook) or desktop search software (e.g. Google Desktop) to search the data in that no changes are made to the data during processing or searching that may impact the results or skew the findings. Forensic search software will also allow access to the base metadata of items not available via the native application. A good example of this would be the metadata in MS Word documents.^[4] A number of forensic search software products will be able to perform data recovery on a range of email file types.

Some examples of how using the native application or non-forensic application can affect the data:

Opening a Microsoft Word document in Microsoft Word may change the created, modified or last accessed dates in the document. This could lead to the incorrect dates being supplied in evidence.
Reviewing data in some native applications will trigger the systems antivirus software, again changing data or altering evidence.
Failure to freeze the evidence prior to opening the files, coupled with the fact that merely opening the files changes them, can and has invalidated critical evidence.^[5]

Forensic search software has become popular as a method of reducing the time and cost of search and analysis of larger data sets by focusing on the user data that most often yields evidence or results.^{[ citation needed ]}

E-mail tends to be personal, plentiful and candid. For most adults, e-mail is their primary means of written communication and is often sought after for evidence.^[6] A new generation of tools is being developed in order to address the challenges being faced by digital forensic and ediscovery practitioners.^[7]

Other types of review

Forensic search software has been likened to eDiscovery review software, however this is not strictly the case. eDiscovery review software, while dealing with many of the same type of computer records and search options, offer extra functionality to that of forensic search software. Features such as redaction and legal hold are standard in eDiscovery review software. It is also the case that Forensic Search software does not meet with the higher end tasks outlined in the widely accepted electronic discovery reference model (EDRM). Tasks such as identification, collection, reservation or presentation are generally not covered by forensic search software.^{[ citation needed ]}

However, true eDiscovery review is generally the domain of qualified legal practitioners or companies.^[8]^[9]

The use of the term eDiscovery has become a catchall in some circles for the processing and searching of electronically stored information (ESI). However, this is not a true representation of the term of eDiscovery. For a more detailed understanding of eDiscovery, the Electronic Discovery Reference Model (EDRM) is a good guideline. It could be said that forensic search is more closely related to early case assessment (ECA) than eDiscovery as ECA does not require the rigor of a full eDiscovery review.^{[ citation needed ]}

Evidence value of user created data versus other types of data

When presenting data as part of a report that may be used to form a decision or as evidence, it is important that the data be correctly represented so the reader can understand it. In the case of generating reports on system created data such as registry files, link files and other system created data this can be a costly exercise. It can also be the case that there is no straightforward answer or explanation.^{[ citation needed ]}

An example of this would be attempting to explain to a lay person the method and techniques of decoding the UserAssist Key in the Windows system registry. The UserAssist key can hold a great deal of information about the actions of the user of the computer. However to explain this key, the reviewer has to be able to identify the key and correctly interpret the key setting. The keys are often encoded by ROT 13.^[10]

Once these keys are decoded to human readable formats, the reviewer then has to show how a setting relates to the case. It is often time-consuming to review hundreds, even thousands, of settings that at times only deliver very circumstantial and sometimes contentious findings. When reviewing user created data such as e-mail or contracts, reporting and understanding the findings is often much more straight forward. The semi skilled user will usually have a good grasp of how email works as they use it in their day-to-day work. A person trained in law will understand a contract and does not need specialist forensic knowledge to do so. This can lead to much lower costs of review and less contentious or circumstantial findings.^{[ citation needed ]}

High-level functionality of forensic search software

The features of forensic search software are focused on allowing the user to search and view a range of data and users’ files at one time.

Specific features of forensic search software include:^{[ citation needed ]}

The ability to process varying types of data enabling it to be searched by the reviewer with little or no computer forensic knowledge
Keyword searching across all data and data types processed
The ability to create complex searches such as including or excluding data
Using MD5 and other algorithms to search and identify files and data
The ability to filter based on metadata such as dates, email addresses and file types
The ability to review different data typed in the same search results
The ability to view all results in the same user interface
The ability to export items to various formats i.e. email, Word, HTML
The ability to create shareable reports

Changes in computer forensics

There are many newer and emerging fields of computer forensics such as Cloud forensics, mobile phone forensics, network forensics, memory analysis, browser forensics, forensic triage and internet forensics.^[11] In the not so distant past a computer forensic expert's most common role was to attend a person's house, place of work or data center to forensically "image"^[12] all computers or devices that may be involved in a case. This was categorized as the collection phase.^{[ citation needed ]}

Once collection phase was complete these images were reviewed and the ESI that was relevant was supplied to the interested parties. This required the computer forensic investigator to have a good deal of experience and training in:

Identifying which computer, applications or devices may be involved
How to disassemble a computer and extract the hard drives of the computer without causing damage.
How to correctly take a forensic image to keep chain of custody
How to use the forensic analysis software to correctly interpret and supply the results

This process was time-consuming and costly. The computer forensic expert's primary role is to investigate the computer evidence (ESI). They may not have been as familiar with the entire case or objectives as that of the case agent, detective, forensic accountant or crime analyst. This often led to non-perfect or time-consuming identification of the correct evidence items between the differing parties. What would immediately flag the interest of a detective with a deep knowledge of the case and parties involved may go unnoticed by a computer forensic expert. An example would be an email from a suspect in another case to a suspect in this case, or contact / phone calls to a witness from a suspect.^{[ citation needed ]}

To compound the issue, there has been a massive increase in the size of the data that the computer forensic expert needs to collect. It is now often the case that the computer hard drive is not able to be imaged, for example if the computer that contains the evidence is too big, or the system cannot be shut down to take an image as it is a mission critical server such as an email server or company file server. The rise of Cloud computing has also added challenges to the collection of evidence. The data that requires collection and review may reside in the Cloud. In this case there is no computer available to image. The forensic expert then needs to collect the information using forensic software designed to work with certain Cloud providers.^[13]

In short the collection of evidence has changed significantly in the past few years. Recognizing these challenges, the concept of Hybrid Forensics has been discussed and the creation of tools that adopt a different approach to collecting data. The concept of Hybrid Forensics is the selective collection of data from 'live' systems in such a way that it may be considered as being reliable evidence in court.^[14]

Barriers to the adoption of forensic search in law enforcement

Law enforcement organizations like many other organizations are divided into skill specific units. In the computer forensic / cybercrime area these units take responsibility for all aspects of the ESI. These units are usually time poor and under resourced.^{[ citation needed ]}

Albeit that time and resources are low the main knowledge in the unit comes from officers or consultants with 7+ years of experience (this predates most computer forensic degrees available). These officers have become familiar over time with the methodology of using a forensic analysis software package as this is all that was on offer when they started in the field. Hence when new officers or resources become available it is forensic analysis software that is prioritized over newer more specific software and newer forensic field types.^{[ citation needed ]}

Related Research Articles

A web hosting service is a type of Internet hosting service that hosts websites for clients, i.e. it offers the facilities required for them to create and maintain a site and makes it accessible on the World Wide Web. Companies providing web hosting services are sometimes called web hosts.

Social software, also known as social apps or social platform includes communications and interactive tools that are often based on the Internet. Communication tools typically handle capturing, storing and presenting communication, usually written but increasingly including audio and video as well. Interactive tools handle mediated interactions between a pair or group of users. They focus on establishing and maintaining a connection among users, facilitating the mechanics of conversation and talk. Social software generally refers to software that makes collaborative behaviour, the organisation and moulding of communities, self-expression, social interaction and feedback possible for individuals. Another element of the existing definition of social software is that it allows for the structured mediation of opinion between people, in a centralized or self-regulating manner. The most improved area for social software is that Web 2.0 applications can all promote co-operation between people and the creation of online communities more than ever before. The opportunities offered by social software are instant connections and opportunities to learn.An additional defining feature of social software is that apart from interaction and collaboration, it aggregates the collective behaviour of its users, allowing not only crowds to learn from an individual but individuals to learn from the crowds as well. Hence, the interactions enabled by social software can be one-on-one, one-to-many, or many-to-many.

In computer science, a software agent or software AI is a computer program that acts for a user or other program in a relationship of agency, which derives from the Latin agere : an agreement to act on one's behalf. Such "action on behalf of" implies the authority to decide which, if any, action is appropriate. Some agents are colloquially known as bots, from robot. They may be embodied, as when execution is paired with a robot body, or as software such as a chatbot executing on a phone or other computing device. Software agents may be autonomous or work together with other agents or people. Software agents interacting with people may possess human-like qualities such as natural language understanding and speech, personality or embody humanoid form.

Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

In computing, data recovery is a process of retrieving deleted, inaccessible, lost, corrupted, damaged, or formatted data from secondary storage, removable media or files, when the data stored in them cannot be accessed in a usual way. The data is most often salvaged from storage media such as internal or external hard disk drives (HDDs), solid-state drives (SSDs), USB flash drives, magnetic tapes, CDs, DVDs, RAID subsystems, and other electronic devices. Recovery may be required due to physical damage to the storage devices or logical damage to the file system that prevents it from being mounted by the host operating system (OS).

Digital forensics is a branch of forensic science encompassing the recovery, investigation, examination, and analysis of material found in digital devices, often in relation to mobile devices and computer crime. The term "digital forensics" was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data. With roots in the personal computing revolution of the late 1970s and early 1980s, the discipline evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged.

Acronis Cyber Protect Home Office is a software package produced by Acronis International GmbH that aims to protect the system from ransomware and allows users to backup and restore files or entire systems from a backup archive, which was previously created using the software. Since 2020, Acronis Cyber Protect Home Office includes malware and Zoom protection. The software is used by technicians to deploy operating systems to computers and by academics to help restore computers following analysis of how viruses infect computers.

Electronic discovery refers to discovery in legal proceedings such as litigation, government investigations, or Freedom of Information Act requests, where the information sought is in electronic format. Electronic discovery is subject to rules of civil procedure and agreed-upon processes, often involving review for privilege and relevance before data are turned over to the requesting party.

Anti–computer forensics or counter-forensics are techniques used to obstruct forensic analysis.

<span class="mw-page-title-main">EnCase</span>

EnCase is the shared technology within a suite of digital investigations products by Guidance Software. The software comes in several products designed for forensic, cyber security, security analytics, and e-discovery use. EnCase is traditionally used in forensics to recover evidence from seized hard drives. It allows the investigator to conduct in-depth analysis of user files to collect evidence such as documents, pictures, internet history and Windows Registry information.

Electronically stored information (ESI), for the purpose of the Federal Rules of Civil Procedure (FRCP) is information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software.

Early case assessment refers to estimating risk to prosecute or defend a legal case. Global organizations deal with legal discovery and disclosure requests for electronically stored information "ESI" and paper documents on a regular basis.

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers.

The digital forensic process is a recognized scientific and forensic process used in digital forensics investigations. Forensics researcher Eoghan Casey defines it as a number of steps from the original incident alert through to reporting of findings. The process is predominantly used in computer and mobile forensic investigations and consists of three steps: acquisition, analysis and reporting.

Einstein v 357 LLC is a United States New York Supreme Court landmark decision which addresses a party's discovery obligations and the safeguarding of evidence. In particular, this decision addresses the issue of the intentional destruction of digital evidence when litigation has commenced or is reasonably anticipated. In short, this decision eradicates the excuse of ignorance in terms of how electronically stored information is saved, deleted, and retrieved.

Information Discovery is a term used in the legal and corporate industry which refers to the steps involved in distilling a corporation's data corpus down to the most pertinent evidence pertaining to a court-related matter or compliance directive. The major information discovery steps include: managing the entire data collection in a manner to identify all pertinent evidence associated with the matter, targeting that information for collection, processing and identification (culling) of relevant data, and processing for document hosting and legal document/information review.

Cloud collaboration is a method of sharing and co-authoring computer files via cloud computing, whereby documents are uploaded to a central "cloud" for storage, where they can then be accessed by other users. Cloud collaboration technologies allow users to upload, comment and collaborate on documents and even amend the document itself, evolving the document. Businesses in the last few years have increasingly been switching to use of cloud collaboration.

The fields of marketing and artificial intelligence converge in systems which assist in areas such as market forecasting, and automation of processes and decision making, along with increased efficiency of tasks which would usually be performed by humans. The science behind these systems can be explained through neural networks and expert systems, computer programs that process input and provide valuable output for marketers.

Gates Rubber Company v. Bando Chemical Industries, Ltd., et al. is a decision by the U.S. district court for the District of Colorado from May 1, 1996. It is considered a landmark decision in terms of expert witness court testimony in questions of electronic evidence and digital forensics.

X1 Discovery, Inc., previously known as X1 Technologies, Inc., is a privately held software company, based in Pasadena, California, United States, that develops and markets products for people and organizations that need to find information quickly. It is an operating company of Idealab, and is backed by U.S. Venture Partners.

References

↑ Crawford, Stephanie (2011-08-08). "HowStuffWorks "Are my files really safe if I store them in the cloud?"". Computer.howstuffworks.com. Retrieved 2012-10-24.
↑ "Backlog at Maine Computer Crimes Unit keeps child pornographers on the streets — State — Bangor Daily News — BDN Maine". Bangordailynews.com. 2011-11-25. Retrieved 2012-10-24.
↑ Matrix Group International, Inc. Alexandria, VA 2003. "View Article". Police Chief Magazine. Retrieved 2012-10-24.{{cite web}}: CS1 maint: multiple names: authors list (link)
↑ "Microsoft Word bytes Tony Blair in the butt". Computerbytesman.com. Archived from the original on 2012-10-18. Retrieved 2012-10-24.
↑ Ryan, Daniel J.; Gal, Shpantzer. "Legal Aspects of Digital Forensics" (PDF). Retrieved 26 January 2022.
↑ Ball, Craig (April 2005 – July 2013). "Musings on Electronic Discovery - "Ball in Your Court"" (PDF). Retrieved 26 January 2022.
↑ Richard, Adams; Graham, Mann; Valerie, Hobbs (2017). "ISEEK, a tool for high speed, concurrent, distributed forensic data acquisition". Research Online. doi:10.4225/75/5a838d3b1d27f.
↑ "Ethics Opinion 362: Non-lawyer Ownership of Discovery Service Vendors". Dcbar.org. 2012-01-12. Retrieved 2012-10-24.
↑ "District of Columbia Bar: eDiscovery Vendors with Non-Lawyers Can't Practice Law". IT-Lex. 2012-07-11. Retrieved 2012-10-24.
↑ Stevens, Didier. "UserAssist". blog.didierstevens.com. Retrieved 26 January 2022.
↑ "Facilitating a forensic search". www.e-discovery.co.nz. 26 July 2012. Retrieved 26 January 2022.
↑ "'image'". www.forensicswiki.org. Archived from the original on 2012-10-24. Retrieved 2012-10-24.
↑ "F-Response 4.0.4 and the new Cloud Connector". F-response.com. 2012-07-24. Retrieved 2012-10-24.
↑ Adams, Richard (5 November 2014). "Fusing digital forensics, electronic discovery and incident response". www.slideshare.net.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Crawford, Stephanie (2011-08-08). "HowStuffWorks "Are my files really safe if I store them in the cloud?"". Computer.howstuffworks.com. Retrieved 2012-10-24.

[2] "Backlog at Maine Computer Crimes Unit keeps child pornographers on the streets — State — Bangor Daily News — BDN Maine". Bangordailynews.com. 2011-11-25. Retrieved 2012-10-24.

[3] Matrix Group International, Inc. Alexandria, VA 2003. "View Article". Police Chief Magazine. Retrieved 2012-10-24.{{cite web}}: CS1 maint: multiple names: authors list (link)

[4] "Microsoft Word bytes Tony Blair in the butt". Computerbytesman.com. Archived from the original on 2012-10-18. Retrieved 2012-10-24.

[5] Ryan, Daniel J.; Gal, Shpantzer. "Legal Aspects of Digital Forensics" (PDF). Retrieved 26 January 2022.

[6] Ball, Craig (April 2005 – July 2013). "Musings on Electronic Discovery - "Ball in Your Court"" (PDF). Retrieved 26 January 2022.

[7] Richard, Adams; Graham, Mann; Valerie, Hobbs (2017). "ISEEK, a tool for high speed, concurrent, distributed forensic data acquisition". Research Online. doi:10.4225/75/5a838d3b1d27f.

[8] "Ethics Opinion 362: Non-lawyer Ownership of Discovery Service Vendors". Dcbar.org. 2012-01-12. Retrieved 2012-10-24.

[9] "District of Columbia Bar: eDiscovery Vendors with Non-Lawyers Can't Practice Law". IT-Lex. 2012-07-11. Retrieved 2012-10-24.

[10] Stevens, Didier. "UserAssist". blog.didierstevens.com. Retrieved 26 January 2022.

[11] "Facilitating a forensic search". www.e-discovery.co.nz. 26 July 2012. Retrieved 26 January 2022.

[12] "'image'". www.forensicswiki.org. Archived from the original on 2012-10-24. Retrieved 2012-10-24.

[13] "F-Response 4.0.4 and the new Cloud Connector". F-response.com. 2012-07-24. Retrieved 2012-10-24.

[14] Adams, Richard (5 November 2014). "Fusing digital forensics, electronic discovery and incident response". www.slideshare.net.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]