The purpose of digital forensics is to answer investigative or legal questions to prove or disprove a court case. To ensure that innocent parties are not convicted and that guilty parties are convicted, it is mandatory to have a complete forensic process carried out by a qualified investigator who implements quality and quality control measures and follows standards. In this context, this article can be used as a starting point to understand the major phases of a digital forensics process and the key methods and guidelines applied. Furthermore, it details the critical components of a forensic examination to obtain consistent results.
What Are the Steps in Forensic Analysis?
Digital forensics is a computer forensic science that involves the process of seizure, acquisition, analysis, and reporting of evidence found in electronic devices and media to be used in a court of law. Following is a detailed description of each phase.
The seizure step involves marking the elements that will be used in later processes. Photographs of the scene and notes are taken. An important question to answer in this phase is whether or not to pull the plug on the network. Leaving the system online while proceeding may alert the attacker, allowing him to wipe the attack traces and destroy evidences. The attacker may also leave a dead man switch, which destroys the evidence once the system goes offline. In such circumstances, it may be necessary or advisable for to gather evidence from the system while it is running or in a live state, being fully aware that this causes changes to the system and reasons for taking this approach must be explained.
After the seizure phase comes the data collection/acquisition. The data must be acquired without altering or damaging the source to be analyzed later. Notice that an illegal seizure or improper methodology can affect the admissibility of the evidence in court. Following the applicable rules of evidence, evidence is admitted into court when permitted by the judge. For this reason, methods of acquiring evidence should be forensically sound and verifiable. Acquisition can be physical or logical. In physical acquisition, a bit stream image is captured from a physical storage media, while in a logical acquisition, a sparse or logical image is captured from storage media. In both cases, write blockers are to be used to prevent the evidence from being modified. The duplicate image must be verified that is identical to the source by comparing the hash value of the acquired image/copy and the original media data.
It is always recommended to start capturing from the most to the least data. The order of volatility is:
Network state (ARP cache and routing table)
Kernel modules and statistics
Temporary files on disk
There are several tools for acquiring data, most of which are software-based and require training to successfully perform the collection phase. InfoSec Institute offers hand-on labs to learn and practice data acquisition and evidence collection using popular commercial and open-source tools in a real forensics environment and real use-cases.
In the analysis phase, evidence should be extracted by interpreting the acquired information.
Appropriate methodologies and standards should be followed during this procedure (described in the next section). The investigator should examine the acquired copy/image of the media, not the original media.
The examiner may use additional tools to conduct special actions and help retrieve additional information, such as deleted files. Those tools must be validated to ensure their correctness and reliability, as noted above. Referring to the requestor documentation, the examiner extracts evidence from the collected data. Typically, there are two approaches: The examiner looks for something he doesn’t know within something he knows. This can be infected programs, opened programs, erased documents, Internet history, or chat/calls history. Otherwise, he looks for something he knows in something he don’t know, trying to extract meaningful information from unstructured data, such as URLs, email addresses, or cryptographic keys through the use of carving techniques. The evidence found is then assembled to reconstruct events or actions to provide facts. In the case of multiple sources, the evidence is aggregated and correlated together. The facts may identify the attack scenario, attacker identity, attacker location, or any other relevant information, which is provided to the requestor.
In contrast with the seizure phase (which can be conducted by non-experts), acquisition and analysis phases must be conducted by experts. Examiners must have knowledge and be properly trained. InfoSec Institute offers accelerated in-depth computer forensics boot camp sessions that include seminar-style lectures and hands-on labs focusing on identifying, preserving, extracting, analyzing, and reporting computer forensic evidence.
After the examination is complete, the results are reported, along with a detailed description of the steps conducted during the investigation. An examination report typically includes the following details: information related to the acquisition phase (the person who did the examination, when it was done, what software/hardware tools were used, and what version numbers), the original data hash and the acquired data hash, photographs taken. Detailed information related to the examination phase, such as descriptions of the examined media (volatile memory, hard disk, etc.), are also included in the report. This allows another examiner to be able to identify what has been done and to access the findings independently. Further actions are determined after the report is reviewed.
Quality, Quality Assurance, Quality Control
One important aspect of digital forensic examination is quality. Quality in this case means measuring the results of a forensic examination and its compliance with defined procedures, methodologies, policies, and standards. Hence, to ensure the reliability and the accuracy of the digital forensic examination, effective quality control must be established and maintained. Quality assurance will guarantee that forensics examination results can successfully be admitted in court. This should be implemented in every step of the forensic procedure. The acquisition phase must be carried out correctly by ensuring the use of documented and standard procedures, verified forensic tools, technical competencies of the examiner, and technical capabilities of the laboratory. In the analysis phase, results must be verified by performing the same steps using another forensic tool. In addition, documented procedures must still be followed for this step. In the reporting phase quality can be assured by subjecting the reports and analysis to rigorous peer review before submission to court.
What Are Standard Operating Procedures?
Standard operating procedures (SOPs) are documented quality control guidelines to be followed in performing routine operations. They contain detailed information on procedures, methodologies, report formats, and the approval process. SOPs are crucial components of digital forensic quality assurance practices. There are a few widely accepted guidelines that should be followed. Scientific working group on digital evidence (SWGDE) creates a number of standards for digital forensics. SWGDE has a set of useful documents on its website, https://www.swgde.org, that examiners and labs should consult to delve deeper into the nuances of proper digital forensics examination.
For example, SWGDE’s Model Standard Operation Procedures for Computer Forensics document defines examination requirements, process structures, and documentation. According to this document, there are four steps of examination:
Visual Inspection: The purpose of this inspection is just to determine the type of evidence, its condition, and relevant information to conduct the examination. This is often done in the initial evidence seizure. For example, if a computer is being seized, you would want to document whether the machine is running, what condition it is in, and what the general environment is like.
Forensic Duplication: This is the process of duplicating the media before examination. It is always recommended to work on a forensic copy and not the original.
Media Examination: This is the actual forensic testing of the application. By media, we mean hard drive, RAM, SIM card, or some other item that can contain digital data
Evidence Return: Exhibit(s) are returned to the appropriate location, usually some locked or secured facility.
These particular steps provide an overview of how a digital forensic examination should be conducted.
Case Notes and Documentation
Forensic evidence is not found only in computers. It can also be found in printers, smartphones, memory sticks, wearables, home routers, etc. The scope differs from one device to another. At a crime scene, it could happen that the examiner works simultaneously with more than device or in parallel with other examiners. In such situations, each case and evidence item should be uniquely identified. The examiner should document everything done on a case. A sound approach to keep case notes organized would be assigning a unique client identifier, along with evidence numbers. A laboratory case management system is also an option that allows multiple examiners to add, examine, report on, and track evidence at the same time. Finally, forensic examiners and laboratories should have guidelines on documentation also to obtain consistent documentation.
In this article, we detailed the steps of a digital forensic examination, focusing on the importance of using standard operating procedures as an essential component at each step to ensure acceptance of results. We explored administrative issues that can be encountered while conducting a forensic examination. We also discussed case notes and documentation to manage these issues. Thorough knowledge of this information will put you one step closer toward becoming a certified computer forensics specialist.