Digital forensic process
The digital forensic process is a recognised scientific and forensic process used in digital forensics investigations. Forensics researcher Eoghan Casey defines it as a number of steps from the original incident alert through to reporting of findings. The process is predominantly used in computer and mobile forensic investigations and consists of three steps: acquisition, analysis and reporting.

Digital media seized for investigation is usually referred to as an "exhibit" in legal terminology. Investigators employ the scientific method to recover digital evidence to support or disprove a hypothesis, either for a court of law or in civil proceedings.

Personnel

The stages of the digital forensics process require differing specialist training and knowledge; there are two rough levels of personnel:

Digital forensic technician
Technicians may gather or process evidence at crime scenes. In the field of digital forensics, training is needed on the correct handling of technology (for example, to preserve the evidence). Technicians may be required to carry out "live analysis" of evidence; various tools to simplify this procedure have been produced, most notably Microsoft's COFEE.

Digital evidence examiners
Examiners specialise in one area of digital evidence, either at a broad level (e.g. computer or network forensics) or as a sub-specialist (e.g. image analysis).

Seizure

Prior to the actual examination, digital media will be seized. In criminal cases this will often be performed by law enforcement personnel trained as technicians so as to ensure preservation of evidence. In civil matters it will usually be a company officer, often untrained. Various laws cover the seizure of material. In criminal matters the law relating to search warrants is applicable. In civil proceedings the assumption is that a company is able to investigate its own equipment without a warrant, so long as the privacy and human rights of employees are observed.

Acquisition

Once exhibits have been seized, an exact sector-level duplicate (or "forensic duplicate") of the media is created, usually via a write-blocking device, a process referred to as imaging or acquisition. The duplicate is created using a hard-drive duplicator or software imaging tools such as DCFLdd, IXimager, Guymager, TrueBack, EnCase, FTK Imager or FDAS. The original drive is then returned to secure storage to prevent tampering.

The acquired image is verified using the SHA-1 or MD5 hash functions. At critical points throughout the analysis the media is verified again, a step known as "hashing", to ensure that the evidence is still in its original state. In corporate environments seeking civil or internal charges, such steps are generally overlooked due to the time required to perform them.

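The verification step described above, as an added example that is not part of the original article: the image is hashed in chunks with both MD5 and SHA-1 (Python's hashlib), the digests are recorded as at acquisition, and a later re-verification detects a single altered byte. The image and the tampering are constructed in memory.

```python
# Added example (not from the original article): hash an acquired image at
# acquisition time and re-verify it later, as is done at critical points
# during analysis. The image here is constructed in memory; real images are
# far larger, so the file is hashed in chunks rather than read at once.
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB read size, keeps memory flat on large images


def hash_image(path):
    """Return (md5, sha1) hex digests of the file at path."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(path, recorded):
    """Re-hash the image and compare with the digests recorded at acquisition.
    Both digests must match; a single differing byte changes both."""
    return hash_image(path) == recorded


def demo():
    """Acquire a constructed image, verify it, then show that a one-byte
    change (e.g. a write made without a write blocker) is detected."""
    image = bytes(range(256)) * 64  # constructed 16 KiB "disk image"
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(image)
        recorded = hash_image(path)  # digests written to the acquisition log
        intact = verify_image(path, recorded)
        with open(path, "r+b") as f:  # simulate tampering: alter one byte
            f.seek(len(image) // 2)   # original byte there is 0x00
            f.write(b"\xff")
        after_change = verify_image(path, recorded)
    finally:
        os.remove(path)
    return intact, after_change


if __name__ == "__main__":
    print(demo())  # (True, False)
```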
Analysis

After acquisition the contents of image files are analysed to identify evidence that either supports or contradicts a hypothesis, or for signs of tampering (to hide data). In 2002 the International Journal of Digital Evidence referred to this stage as "an in-depth systematic search of evidence related to the suspected crime". By contrast Brian Carrier, in 2006, describes a more "intuitive procedure" in which obvious evidence is first identified, after which "exhaustive searches are conducted to start filling in the holes".

During the analysis an investigator usually recovers evidence material using a number of different methodologies (and tools), often beginning with recovery of deleted material. Examiners use specialist tools (EnCase, FTK, etc.) to aid with viewing and recovering data. The type of data recovered varies depending on the investigation, but examples include email, chat logs, images, internet history or documents. The data can be recovered from accessible disk space, deleted (unallocated) space or from within operating system cache files.

Various techniques are used to recover evidence, usually involving some form of keyword searching within the acquired image file, either to identify matches to relevant phrases or to parse out known file types. Certain files (such as graphic images) have a specific set of bytes which identify the start and end of the file; if these are identified, a deleted file can be reconstructed. Many forensic tools use hash signatures to identify notable files or to exclude known (benign) ones; acquired data is hashed and compared to pre-compiled lists such as the Reference Data Set (RDS) from the National Software Reference Library.

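Signature-based carving and hash-set screening, as described in the paragraph above, as an added example that is not taken from the article or from any of the tools it names: it carves JPEG files from a constructed span of unallocated space by their header and footer bytes, then excludes any whose SHA-1 appears in a constructed stand-in for a known-file hash set (the real NSRL RDS is not used here).

```python
# Added example (not from the original article): carve JPEG files out of a
# constructed block of unallocated space using the JPEG header and footer
# bytes, then screen the carved files against a hash set, as tools do with
# the NSRL Reference Data Set. The "known benign" set is constructed here.
import hashlib

JPEG_SOI = b"\xff\xd8\xff"    # header: start-of-image marker + next marker byte
JPEG_EOI = b"\xff\xd9"        # footer: end-of-image marker
MAX_CARVE = 10 * 1024 * 1024  # give up on a header with no footer within 10 MiB


def carve_jpegs(data):
    """Return (offset, bytes) for each header-to-footer span in data.
    Unallocated space has no file system metadata, so the file boundaries
    come from the signatures alone; a header with no footer is skipped."""
    found, pos = [], 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            return found
        end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + MAX_CARVE)
        if end == -1:
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        found.append((start, data[start:end]))
        pos = end


def screen_by_hash(carved, known_benign):
    """Split carved files into (notable, excluded) by SHA-1 hash-set lookup."""
    notable, excluded = [], []
    for offset, blob in carved:
        digest = hashlib.sha1(blob).hexdigest()
        (excluded if digest in known_benign else notable).append((offset, digest))
    return notable, excluded


# Constructed sample: two tiny "JPEGs" amid filler, plus a header fragment
FILE_A = JPEG_SOI + b"\xe0\x00\x10JFIF\x00logo" + JPEG_EOI
FILE_B = JPEG_SOI + b"\xe1\x00\x16Exif\x00\x00photo" + JPEG_EOI
UNALLOCATED = (b"\x00" * 40 + FILE_A + b"\x17" * 25 + FILE_B
               + b"\x00" * 10 + JPEG_SOI + b"\xe0cut")
KNOWN_BENIGN = {hashlib.sha1(FILE_A).hexdigest()}  # e.g. a stock OS icon


def demo():
    """Carve, then drop known files; returns (notable, excluded)."""
    return screen_by_hash(carve_jpegs(UNALLOCATED), KNOWN_BENIGN)
```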
On most media types, including standard magnetic hard disks, once data has been securely deleted it can never be recovered. Solid-state drives (SSDs) are specifically of interest from a forensics viewpoint, because even after a secure-erase operation some of the data that was intended to be securely erased persists on the drive.

Once evidence is recovered the information is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialist staff. Digital investigators, particularly in criminal investigations, have to ensure that conclusions are based upon data and their own expert knowledge. In the US, for example, Federal Rules of Evidence state that a qualified expert may testify “in the form of an opinion or otherwise” so long as:

Reporting

When an investigation is completed, the information is often reported in a form suitable for non-technical individuals. Reports may also include audit information and other meta-documentation.

When completed, reports are usually passed to those commissioning the investigation, such as law enforcement (for criminal cases) or the employing company (in civil cases), who will then decide whether to use the evidence in court. Generally, for a criminal court, the report package will consist of a written expert conclusion on the evidence as well as the evidence itself (often presented on digital media).

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.