There are a number of digital forensic frameworks in use by private companies and law enforcement agencies. The one discussed here is one of the simplest. All the others are variations on this theme, either sub-dividing certain steps to create additional stages or looping back to emphasise the iterative nature of some steps, e.g. evidence assessment may reveal evidence which in turn exposes new evidence, which may trigger further evidence assessment.
Notice that each step has been defined in line with a stated principle. These principles are the same ones used to support the gathering, examination, documentation and reporting of digital evidence.
1. Policy & Procedure Development
Computer forensics requires personnel specially trained in sound digital evidence recovery techniques.
As the primary aim of any digital forensics investigation is to allow others to follow the same procedures and steps and arrive at the same results and conclusions, considerable effort must be spent on developing policies and standard operating procedures (SOPs) for each step and phase of the investigation.
2. Evidence Assessment
All sources of possible digital evidence should be thoroughly assessed with respect to the scope of the case. This will help establish the size of the investigation and determine the next steps.
Special attention should be given to reviewing the scope of search warrant(s) and other legal authorisations to establish the nature of the hardware and software to be seized, any other potential evidence sought, and the circumstances surrounding the acquisition of the evidence to be examined.
- Do other forensic processes need to be performed on the evidence, e.g. DNA analysis, fingerprinting etc.?
- Decide if other avenues of investigation need to be pursued, e.g. sending a preservation order to an Internet service provider (ISP), identifying remote storage locations, obtaining e-mail.
- Establish the nature of the potential evidence being sought (e.g. photographs, spreadsheets, documents, databases, financial records).
- Decide whether additional information regarding the case is required (e.g. aliases, e-mail accounts, e-mail addresses, ISP used, names, network configuration and users, system logs, passwords, user names). This information may be obtained through interviews with the system administrator, users, and employees.
- Other non-computer equipment that might be used in forgery or fraud cases, such as laminators, credit card blanks, cheque paper, scanners, and printers. In child pornography cases consider digital cameras.
- The skill level of those involved. Skilled users may use advanced techniques to conceal or destroy evidence (e.g. encryption, booby traps, steganography).
3. Evidence Acquisition
Digital evidence is fragile and can be easily altered, damaged, or destroyed by improper handling or examination. Even the act of opening a file can update its timestamps, destroying the record of when the file was last accessed. Special precautions are therefore needed to preserve this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion.
- Fully document the hardware and software configuration of the examiner's system as well as the digital devices being examined. This includes boot settings, the exact hardware configuration, log-on passwords etc.
- Verify that the hardware and software of the examiner's system are working properly, so that anything found by the examiner cannot be attributed to a mis-configuration of the examiner's equipment.
- Disconnect storage devices (at the power connector or data cable, at the back of the drive or at the motherboard) before the seized system is powered on to examine its configuration, to prevent the destruction, damage, or alteration of data.
- Identify and obtain the storage devices required to 'image' the original data (make an exact, bit-for-bit copy) so that the forensic examination can be conducted on a copy rather than the original. Record a cryptographic hash of the original and of the image so that the copy can be shown to match it.
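The imaging step above, as an added example that is not part of the original page: the seized drive is read once, written byte-for-byte to a working copy on separate media, and both are hashed so that the copy can be proven identical (and any later change to it detected). The "device" here is a constructed random-filled file standing in for something like /dev/sdb; the file and case names are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # stream in 1 MiB chunks so a large device never has to fit in memory


def sha256_of(path):
    """Stream a file and return its SHA-256 hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source, dest):
    """Copy `source` byte-for-byte to `dest`, hashing the source as it is read.

    The source is opened read-only; the image goes to separate media (`dest`).
    Returns (hash of source as read, hash of written image, bytes copied).
    """
    h_src = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
            copied += len(block)
    return h_src.hexdigest(), sha256_of(dest), copied


def verify_image(source, dest):
    """Independently re-hash original and image; True only if they still match."""
    return sha256_of(source) == sha256_of(dest)


def demo():
    """Constructed scenario: a random-filled file stands in for the seized drive."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "sdb.raw")          # assumed stand-in for /dev/sdb
    image = os.path.join(workdir, "case001_sdb.dd")    # assumed name for the working copy
    size = 3 * CHUNK + 12345                           # odd size exercises the final partial chunk
    with open(device, "wb") as f:
        f.write(os.urandom(size))

    src_hash, img_hash, copied = image_device(device, image)
    verified = (src_hash == img_hash) and verify_image(device, image)

    # Simulate a single flipped byte in the image: verification must now fail.
    with open(image, "r+b") as f:
        f.seek(size // 2)
        b = f.read(1)
        f.seek(size // 2)
        f.write(bytes([b[0] ^ 0x01]))
    tamper_detected = not verify_image(device, image)

    return {
        "bytes_copied": copied,
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "verified": verified,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hash computed while reading is compared with a second hash taken from the finished image; a real acquisition would additionally write both digests into the contemporaneous notes and use a hardware write blocker on the source.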
4. Evidence Examination
The same general forensic principles apply when examining digital evidence as they do to any other crime scene. However, different types of cases and media may require different methods of examination. Only trained personnel should conduct an examination of digital evidence.
It is important to make a distinction:
- Extraction refers to the recovery of data from whatever media the data is stored on.
- Analysis refers to the interpretation of the recovered data and placement of it in a logical and useful format, answering such questions as how did it get there, where did it come from, and what does it mean?
Separating the forensic examination in this way helps the examiner in developing procedures and structuring the examination and presentation of the digital evidence.
Step 1 Preparation
Prepare working directory/directories on separate media to which evidentiary files and data can be recovered and/or extracted. These should be checked to make sure they are 'forensically clean' so that investigators can be sure any evidence recovered belongs to the case being investigated rather than being left over from other cases.
Step 2 Extraction
This is the actual process of extracting the data from digital devices. There are two different types of extraction, physical and logical.
- Physical extraction phase: identifies and recovers data across the entire physical drive without regard to file system.
- Logical extraction phase: identifies and recovers files and data based on the installed operating system(s), file system(s), and/or application(s).
In the physical extraction phase, data is extracted at the physical level without regard to any file systems present on the drive. Essentially, an image is made and then subjected to the following methods: keyword searching, file carving, and examination of the partition table and unused space on the physical drive.
- Keyword searching: performing a keyword search across the physical drive can be useful as it allows the examiner to discover and extract data that may not be accounted for by the operating system and file system.
- File carving: using file utility programs to scan the physical drive for known file headers and footers, and to recover and extract usable files and data that may not be accounted for by the operating system and file system.
- Looking at the partition table: the partition structure will help identify the file systems present and determine whether the entire physical size of the hard drive is accounted for (i.e. if a 1 TB hard disk is present but the partition table only accounts for 900 GB, where is the missing 100 GB?).
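The three physical extraction methods above, applied to one constructed raw image (an added example, not code from the original page): the classic MBR is parsed (four 16-byte entries at offset 446, little-endian start LBA and sector count in bytes 8 to 15, 0x55AA signature at offset 510), sector ranges no partition accounts for are reported, a JPEG is carved by its start/end markers from the unpartitioned tail, and keywords are located by byte offset regardless of file system. The disk layout, the keywords and the "hidden" file are all constructed for the example.

```python
import struct

SECTOR = 512
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start/end-of-image markers


def parse_mbr(image):
    """Return the non-empty primary partition entries of a classic MBR."""
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature; not an MBR disk")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, lba_count = struct.unpack("<II", entry[8:16])
        if ptype and lba_count:
            parts.append({"index": i, "type": ptype, "start": lba_start, "sectors": lba_count})
    return parts


def unaccounted_sectors(image, parts):
    """Sector ranges [start, end) that no partition covers; the MBR sector itself is excluded."""
    total = len(image) // SECTOR
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["start"] + p["sectors"])
    if cursor < total:
        gaps.append((cursor, total))
    return gaps


def carve_jpegs(image):
    """Header/footer carving for JPEGs anywhere on the raw image, ignoring the file system."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            return found
        end += len(JPEG_EOI)
        found.append({"offset": start, "length": end - start, "data": image[start:end]})
        pos = end


def keyword_search(image, keywords):
    """Byte offsets of every occurrence of each keyword across the whole physical image."""
    hits = {}
    for kw in keywords:
        needle, offs, pos = kw.encode(), [], 0
        while (pos := image.find(needle, pos)) >= 0:
            offs.append(pos)
            pos += 1
        hits[kw] = offs
    return hits


def build_image():
    """Constructed 1 MiB disk: one Linux partition (sectors 63-1562) and an unpartitioned tail."""
    img = bytearray(2048 * SECTOR)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x83, 0, 0, 0]) + struct.pack("<II", 63, 1500)
    img[510:512] = b"\x55\xaa"
    img[100 * SECTOR: 100 * SECTOR + 26] = b"invoice for account 44812\n"   # inside the partition
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"secret ledger" + JPEG_EOI
    img[1700 * SECTOR: 1700 * SECTOR + len(jpeg)] = jpeg                      # hidden past the partition
    return bytes(img)


def analyse(image):
    parts = parse_mbr(image)
    return {
        "partitions": parts,
        "unaccounted": unaccounted_sectors(image, parts),
        "jpegs": [(j["offset"], j["length"]) for j in carve_jpegs(image)],
        "keywords": keyword_search(image, ["secret", "account"]),
    }


if __name__ == "__main__":
    print(analyse(build_image()))
```

The gap report answers the "where is the missing space?" question directly: here sectors 1563 to 2047 belong to no partition, and that is exactly where the carved JPEG and the keyword "secret" are found. Real carving also has to handle false start markers and fragmented files; the header/footer approach shown is the simplest case.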
In the logical extraction phase, data is extracted from the drive based on the file system(s) present. This involves examining active files, recovering deleted files, and looking at file slack (the unused space between the end of a file's data and the end of its last allocated cluster) and unallocated space, which may contain remnants of deleted files not found during the recovery process. Steps may include:
- Extraction of the file system information to reveal characteristics such as directory structure, file attributes, file names, date and time stamps, file size, and file location.
- Data reduction to identify and eliminate known files through the comparison of calculated hash values to authenticated hash values from a trusted known-file hash set.
- Extraction of files pertinent to the examination. Methods to accomplish this may be based on file name and extension, file header, file content, and location on the drive.
- Recovery of deleted files.
- Extraction of password-protected, encrypted, and compressed data.
- Extraction of file slack and unallocated space.
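The data reduction step above, as an added example (not from the original page): every file under the mounted image is hashed and bucketed against two reference sets, a known-good set (operating system and vendor files, which can be eliminated from examination) and a known-bad set (files that are notable in themselves). The directory tree, its contents and both hash sets are constructed here; in practice the sets would be loaded from a published known-file library and the examiner's own case data.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file and return its SHA-256 hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, known_good, known_bad):
    """Hash every file under root and bucket it against the reference hash sets."""
    result = {"eliminated": [], "notable": [], "review": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if digest in known_bad:
                result["notable"].append(rel)        # known contraband/malware: flag before anything else
            elif digest in known_good:
                result["eliminated"].append(rel)     # standard OS/application file: no further examination
            else:
                result["review"].append(rel)         # user data or unknown: must be examined
    for bucket in result.values():
        bucket.sort()
    return result


def demo():
    """Constructed tree of four files plus constructed known-good/known-bad sets."""
    root = tempfile.mkdtemp()
    files = {
        "Windows/System32/kernel32.dll": b"standard library bytes",
        "Program Files/App/app.exe": b"vendor application bytes",
        "Users/alice/Documents/ledger.xlsx": b"user spreadsheet bytes",
        "Users/alice/Downloads/tool.exe": b"known malicious bytes",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    known_good = {hashlib.sha256(files["Windows/System32/kernel32.dll"]).hexdigest(),
                  hashlib.sha256(files["Program Files/App/app.exe"]).hexdigest()}
    known_bad = {hashlib.sha256(files["Users/alice/Downloads/tool.exe"]).hexdigest()}
    return triage(root, known_good, known_bad)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

Known-bad is tested before known-good so that a file appearing in both sets is never silently discarded; the hash algorithm must match the one the reference set was published with.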
Step 3 Analysis
Analysis is the process of interpreting the extracted data to determine its significance to the case. Various analytical methods exist, examples of which include:
- Timeframe,
- Data hiding,
- Application and file,
- Ownership and possession.
Analysis may require a review of the request for service, legal authority for the search of the digital evidence, investigative leads, and/or analytical leads.
Timeframe analysis is useful in determining a sequence of events on digital systems which can be used as a part of associating usage of the computer to an individual(s) at the time the events occurred. Two principal methods used are:
- Examining the time and date stamps contained in the file system metadata (e.g., last modified, last accessed, created, change of status) to link files of interest to the time-frames relevant to the investigation. An example of this analysis would be using the last modified date and time to establish when the contents of a file were last changed.
- Reviewing system and application logs that may be present for example error logs, installation logs, connection logs, security logs, etc. For example, security logs may indicate when a user name/password combination was used to log into a system.
File timestamps must be interpreted against the clock of the seized system, not taken at face value: the CMOS/BIOS clock should be read and compared with a trusted reference time at seizure, because the system clock can easily have been wrong or deliberately altered by the user, and every timestamp on the drive inherits that error.
Data can be concealed on a computer system. Data hiding analysis can be useful in detecting and recovering such data and may indicate knowledge, ownership, or intent. Methods used to reveal possible hidden data include:
- Comparing file headers to the corresponding file extensions to identify any mismatches, i.e. the file extension does not match the application that is supposed to have created the file. Mismatches may indicate that the user intentionally hid data.
- Steganography: hiding secret messages or data within ordinary messages or pictures.
- Gaining access to a host protected area (HPA), a region of the drive reserved through ATA commands and not visible to the operating system. The presence of user-created data in an HPA may indicate an attempt to conceal data.
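The header-versus-extension check from the first point above, as an added example (not code from the original page): each file's leading bytes are matched against a small table of well-known signatures and compared with what its extension should contain. The signature table, the extension rules and the sample tree are constructed for the example and are deliberately short; a production tool would carry a much larger table.

```python
import os
import tempfile

# Leading bytes ("magic numbers") of a few common formats; a constructed, illustrative table.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also docx/xlsx/pptx/jar, which are ZIP containers
    (b"MZ", "exe"),
]

# Which detected container each extension is allowed to have. Extensions not listed are
# expected to carry no recognised signature at all (plain text, unknown binaries).
EXPECTED = {
    "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "png": {"png"}, "gif": {"gif"},
    "pdf": {"pdf"}, "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"},
    "exe": {"exe"}, "dll": {"exe"},
}


def identify(header):
    """Return the format name whose signature the header starts with, or None."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def find_mismatches(root):
    """(relative path, extension, detected format) for files whose content contradicts their name."""
    mismatches = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                kind = identify(f.read(16))
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if kind is not None and kind not in EXPECTED.get(ext, set()):
                mismatches.append((os.path.relpath(path, root).replace(os.sep, "/"), ext, kind))
    return sorted(mismatches)


def demo():
    """Constructed tree: three honest files, one plain-text file, three renamed ones."""
    root = tempfile.mkdtemp()
    files = {
        "pics/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "docs/quarterly.pdf": b"%PDF-1.7\n",
        "docs/report.docx": b"PK\x03\x04\x14\x00",
        "readme.txt": b"just some notes\n",                 # no signature: not flagged
        "notes.txt": b"\xff\xd8\xff\xe1\x00\x00Exif",       # JPEG renamed to .txt
        "music/track.mp3": b"%PDF-1.4\n",                   # PDF renamed to .mp3
        "pics/vacation.png": b"\xff\xd8\xff\xe0\x00\x10",   # JPEG with a .png extension
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return find_mismatches(root)


if __name__ == "__main__":
    for rel, ext, kind in demo():
        print(f"{rel}: extension .{ext} but content is {kind}")
```

Only files whose content carries a recognised signature are reported, so ordinary text files never produce noise; the cost is that a format missing from the table is invisible to the check, which is why the table, not the logic, is what an examiner maintains.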
The programs used by the owner and the files created with them can provide insight into both the capability of the system and the knowledge of the user. Results of this analysis may indicate additional steps that need to be taken in the extraction and analysis processes. Examples include:
- Reviewing file names for relevance, naming conventions and patterns.
- Identifying the number and type of operating system(s).
- Examining the users’ default storage location(s) for applications and the file structure of the drive to determine if files have been stored in their default or an alternate location(s).
- Looking at the file contents.
- Examining user configuration settings.
- Correlating the files to the installed applications, to discover whether there are files without a corresponding application or applications without files.
- Reviewing relationships between files. For example, correlating Internet history to cache files and e-mail files to e-mail attachments.
In most cases it is essential to identify the individual(s) who created, modified, or accessed a file. It is also important to establish ownership and that they knew they possessed the questioned data.
The other methods of analysis can help establish 'knowledgeable possession'. Evidence can be gained from:
- Placing the subject at the computer at the particular dates and times established by timeframe analysis can help establish ownership.
- File names and naming conventions discovered in application and file analysis may be of value.
- If application and file analysis shows files stored in user-created folders rather than default folders, this can indicate 'planned action'.
- Hidden data revealed in data hiding analysis can indicate deliberate attempts to avoid detection and conceal activities.
- Passwords discovered during data hiding analysis that give access to encrypted or password-protected files may show possession or ownership.
- Finally, the contents of files examined in application and file analysis can indicate ownership if they refer to specific users.
Step 4 Conclusion
A single piece of evidence from one source will probably be insufficient to reach a definite conclusion. Conclusions have to be based on all the evidence in the round, including the associations between each part of the evidence.
5. Documentation & Reporting
The investigator must document completely and accurately each step in their investigation from start to end. The aim is to allow others following the steps outlined in the documentation to reproduce the investigation and reach the same conclusions.
Notes taken in the investigation must be 'contemporaneous', i.e. made at the same time as the investigation proceeds. The notes are used as the basis for the report. Notes should include:
- Notes taken with the case investigator, together with the initial request for assistance and a copy of the search warrant.
- Notes of what happened, when and why, to allow others to reproduce the investigation.
- Any irregularities discovered in the course of the investigation and how they were treated.
- Additional information found regarding network connections, authorised users, passwords and user agreements.
- Notes on the digital devices themselves with regard to hardware and any software installed.
- Other information on remote storage, remote user access and any offsite backups taken.
The report is given to the case investigator, who, taking into account the findings, will decide what happens next. As it forms the basis for possible legal proceedings, the report is formal in tone, with a definite structure defined by departmental policy and procedures. It should include:
- Identity of the reporting agency (i.e the organisation that is submitting the report)
- Essential information, such as the case number, the case investigator (the person who requested the investigation) and the name of the person writing the report.
- Date of receipt of the investigation request and the date when the report was written.
- A detailed list of all items submitted along with the request
- Description of steps and tools used in the analysis and how erased files were recovered.
- Name of the investigator together with the results and conclusions.
The findings are based on what is described in the report; they are what should be found if someone else reproduces the investigation, and may include:
- Specific files related to the initial request.
- All other files, including any deleted files found that support the findings.
- Internet-related evidence, such as Web site traffic analysis, chat logs, cache files, e-mail, and news group activity.
- Results of string searches, keyword searches, and text string searches.
- Results from data analysis and graphic image analysis.
- Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions, and file name anomalies.