Digital Forensics

4. Phases of the Digital Forensics Process

The Forensics Process

There are a number of digital forensic frameworks in use by private companies and law enforecement agencies. The one discussed here is one of the simplest. All the other are variations on this theme, making sub-divsions of certain steps to create additional stages or looping around to emphasise the iterative nature of some steps i.e Evidence assessment may reveal evidence which in turn exposes new evidence which may trigger further evidence assessment.

Notice that each step has been created in line with a specified principle. These 'principles' are in line with the principles used to support the gathering, examination, documentation and reporting on digital evidence

Computer Forensics

1. Policy & Procedure Development


Computer forensics requires specially trained personnel in sound digital evidence recovery techniques.

As the primary aim of any digital forensics investigation, is to allow others to follow the same procedures and steps and still end with same result and conclusions, considerable effort must be spent on developing policies and standard operating procedures (SOP) in how to deal with each step and phase of the investigation.

Forensic Process

2. Evidence Assessment


All sources of possible digital evidence should be thoroughly assessed with respect to the scope of the case. This will help establish the size of the investigation and determine the next steps.

Special attention should be given to reviewing the scope of search warrant(s) and other other legal authorisations to establish the nature of hardware and software to be sezied, other potential evidence sought together with the circumstances surrounding the acquisition of the evidence to be examined.

Evidence Bag

Other Considerations

  • Do other forensic processes need to be performed on the evidence e.g. DNA analysis, fingerprinting etc.
  • Decide if other avenues of avenuses of investigation need to be pursued e.g sending a preservation order to an Internet service provider (ISP), identifying remote storage locations, obtaining e-mail
  • Establish the nature of potential evidence being sought (e.g., photographs, spreadsheets, documents, databases, financial records
  • Decide whether if additional information regarding the case is required (e.g., aliases, e-mail accounts, e-mail addresses, ISP used, names, network configuration and users, system logs, passwords, user names). This information may be obtained through interviews with the system administrator, users, and employees.
  • Other non-computer equipment that might be used in forgery or fraud cases, such as laminators, credit card blanks, check paper, scanners, and printers. In child pornography cases consider digital cameras.
  • The skill level of those involved. Skilled users may used advanced techniques to conceal or destroy evidence (e.g., encryption, booby traps, steganography).

3. Evidence Acquisition


Digital evidence is fragile and can be easily altered, damaged, or destroyed by improper handling or examination. Even the act of opening files can alter timestamp information destroying information on when the file was last accessed. So special precuations are needed to preserve this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion.

Special Considerations

  • Fully document the hardware and software configuration of the examiner system as well as the digital devices being examined. This includes boot settings, the exact hardware configurations, log on passwords etc
  • Verify that the hardware and software of the examiner's system is working properly so as to be sure that anything found by the examiner is not due to mis-configuration of the examiner's equipment.
  • Disconnect storage devices (using the power connector or data cable from the back of the drive or from the motherboard) to prevent the destruction, damage, or alteration of data.
  • Identify and obtain storage devices required to 'image' - make an exact copy -the original data, so that forensic examination can be conducted on a copy rather than the original.

4. Evidence Examination


The same general forensic principles apply when examining digital evidence as they do to any other crime scene. However, different types of cases and media may require different methods of examination. Only trained personnel should conduct an examination of digital evidence.

It is important to make a distinction.:-

  • Extraction refers to the recovery of data from whatever media the data is stored on.
  • Analysis refers to the interpretation of the recovered data and placement of it in a logical and useful format, answering such questions as how did it get there, where did it come from, and what does it mean?

Separating the forensic examination this helps the examiner in developing procedures and structuring the examination and presentation of the digital evidence.


Step 1 Preparation

Prepare working directory/directories on separate media to which evidentiary files and data can be recovered and/or extracted. These should be checked to make sure they are 'forensically clean' so that investigators can be sure any evidence belongs to case being investigated, rather than leftover from other cases.

Step 2 Extraction

This is the actual process of extracting the data from digital devices. There are two different types of extraction, physical and logical.

  • Physical extraction phase: identifies and recovers data across the entire physical drive without regard to file system.
  • Logical extraction phase: identifies and recovers files and data based on the installed operating system(s), file system(s), and/or application(s).
Data Extraction
Physical Extraction

Data is extracted at the physical level without regard to any file systems present on the drive. Essentially, any image is made and then subjected to the following methods: keyword searching, file carving, and extraction of the partition table and unused space on the physical drive.

  • Keyword searching: Performing a keyword search across the physical drive can be useful as it allows the examiner to discover & extract data that may not be accounted for by the operating system and file system.
  • File Carving: Using file utility programs to scan the physical drive and help recover and extract useable files and data that may not be accounted for by the operating system and file system.
  • Looking at the Partition Table: The partition structure will help identify the file systems present and determine if the entire physical size of the hard drive is accounted for. (i.e If there is a 1Tb hardisk present, but partion table only shows 900Gb then where is the missing 100Gb?)
Logical Extraction

Data is from the drive is based on the file system(s) present on the drive. This will involve an examination of active files, recovering deleted files, looking at file slack (i.e unusual space between files) and unallocated file space: May contain remnants of deleted files not found during the recovery process. Steps may include:

  • Extraction of the file system information to reveal characteristics such as directory structure, file attributes, file names, date and time stamps, file size, and file location.
  • Data reduction to identify and eliminate known files through the comparison of calcu-lated hash values to authenticated hash values.
  • Extraction of files pertinent to the examination. Methods to accomplish this may be based on file name and extension, file header, file content, and location on the drive.
  • Recovery of deleted files.
  • Extraction of password-protected, encrypted, and compressed data.
  • Extraction of file slack and unallocated space

Step 3 Analysis

Analysis is the process of interpreting the extracted data to determine their significance to the case. Various analytical methods exist, examples of which include:-

  • Timeframe,
  • Data hiding,
  • Application and file,
  • Ownership and possession.

Analysis may require a review of the request for service, legal authority for the search of the digital evidence, investiga-tive leads, and/or analytical leads.

Digital Analysis
Police Tape

Timeframe Analysis

Timeframe analysis is useful in determining a sequence of events on digital systems which can be used as a part of associating usage of the computer to an individual(s) at the time the events occurred. Two principal methods used are:

  • Examining the time and date stamps contained in the file system metadata (e.g., last modified, last accessed, created, change of status) to link files of interest to the time-frames relevant to the investigation. An example of this analysis would be using the last modified date and time to establish when the contents of a file were last changed.
  • Reviewing system and application logs that may be present for example error logs, installation logs, connection logs, security logs, etc. For example, security logs may indicate when a user name/password combination was used to log into a system.

File time stamps have to be compared to the time values contained in the BIOS, not just that returned by the operating system which can be easily altered by the user.

Hiding Data

Data Hiding

Data can be concealed on a computer system. Data hiding analysis can be useful in detecting and recovering such data and may indicate knowledge, ownership, or intent. Methods used to reveal possible hidden data include:

  • Comparing file headers to the corresponding file extensions to identify any mismatches i.e the file extension doesn't match the application supposed to have used to create. Mismatches may indicate that the user intentionally hid data
  • Steganography: Hiding secret messages or data within ordinary messages or pictures.
  • Gaining access to a host-protected area (HPA) - a separate password protected area. The presence of user-created data in an HPA may indicate an attempt to conceal data.
Police Tape

Application & File Analysis

Many programs used by the owner and files created by them, can provide insight into the capability both of the system and the knowledge of the user. Results of this analysis may indicate additional steps that need to be taken in the extraction and analysis processes. Examples include:

  • Reviewing file names for relevance, naming conventions and patterns.
  • Identifying the number and type of operating system(s).
  • Examining the users’ default storage location(s) for applications and the file structure of the drive to determine if files have been stored in their default or an alternate location(s).
  • Looking at the file contents
  • Examining user configuration settings.
  • Correlating the files to the installed applications, to discover whether there are missing applications, applications without files.
  • Reviewing relationships between files. For example, correlating Internet history to cache files and e-mail files to e-mail attachments.
Possession & Ownership

Ownership & Possesion

In most cases it is essential to identify the individual(s) who created, modified, or accessed a file. It also important to establish ownership and that they knew they possessed the questioned data.

The other methods of analysis can help establish 'knowledgeable possession'. Other evidence can gained from:-

  • Fixing the subject at a computer and particular time and dates discovered from timeframe analysis can help establish ownership.
  • File names and naming conventions discovered in application and file analysis may be of value.
  • If application and file analysis show files are stored in user created folder rather than default folders can indicate 'planned action'
  • Hidden data revealed in hidden data analysis can indicate deliberate attempts to avoid detection and conceal activities.
  • Passwords discovered in hidden data analysis to access to encrypted or password protected files may show possession or ownership.
  • Finally, the contents of files from application and file analysis can indicate ownership if they refer to specific users.

Step 4 Conclusion

Single pieces of evidence from one source will probably be insufficient to reach a definite conclusion. Conclusions have to be based on all evidence in the round, including the associations between each part of the evidence.


5. Documentation & Reporting


The investigator must document completely and accurately their each step in thier investigation from the start to the end. The aim is to allow others following the steps outlined in the documentation to reproduce the investigation and reach the same conclusions.

Investigators Notes

Investigator's Notes

Notes taken in the investigation must be 'contemperaneous' i.e. made at the same time as the investigation proceeds. The notes are used as the basis for the report.Notes should include:

  • Notes taken with the case investigator, together with the initial request for assistence and a copy of the search warrent.
  • Notes of what happened when and why to allow others to reproduce the investigation
  • Any irregularities discovered in the course of the investgation and how they were treated.
  • Additional information regarding network connections, authorised users, passwords and user agreements found.
  • Notes on the digital devices themselves with regards hardware and any software installed
  • Other information on remote storage, remotes user access and any offsite backups taken.
Investigators Report

Investigator's Report

This is the report given to the investigator who taking into account the findings will decide on what happens next. Forming the basis for use in possible legal proceedings, the report is formal in tone, with a definite structure defined by departmental policy and procedures. It should though include:

  • Identity of the reporting agency (i.e the organisation that is submitting the report)
  • Essential information, such as the case number, the case investigator (the person who requested the investigation) and the name of the person writing the report.
  • Date of receipt of the investigation request and the date when the report was written.
  • A detailed list of all items submitted along with the request
  • Description of steps and tools used in the analysis and how erased files were recovered.
  • Name of the investigator together results and conclusions.
Investigators Findings

Investigator's Findings

The findings are based on what is described in the report. These are what should be found, if someone else reproduce the investigation and may include:-

  • Specific files related to the initial request.
  • All other files, including any deleted files found that support the findings.
  • Internet-related evidence, such as Web site traffic analysis, chat logs, cache files, e-mail, and news group activity.
  • Results of string searches, keyword searches, and text string searches.
  • Results from data analysis and graphic image analysis.
  • Techniques used to hide or mask data, such as encryption, steganography, hidden attrib-utes, hidden partitions, and file name anomalies.

Surprise Surprise! Create a new page in your notebook titled Phases in the Forensic Process and answer the following questions.

  1. Make a list of the general forensic principles that should govern forensic investigations.
  2. Research and explain the difference between physical and logical extraction
  3. Explain the main phases of the Forensic Process.
  4. List the four main analytical methods providing an explanation of what each group of methods attempts to uncover in the analytical phase.
  5. Explain steganography and provide an example that shows it in action.
  6. For credit points explain how you could discover whether an images was hiding data.
Digital Methods

Data Extraction - File carving

Users believe that deleting files removes all trace of their existence. Some recognise files hang around in the 'wastebasket' waiting to be recovered in emergencies or a change in mind i.e those 'Woops! I shouldn't have done that' moments.

To remove files altogether, users think that all it takes, is to delete the file and then empty the wastebasket. They also think that their internet history can be deleted along with incriminating emails. The following exercise shows how easy it is to recover deleted files.

  1. Watch the movie which reveals the process of recovering files.
  2. Try to recover deleted files from the image you made of your USB drive in the previous exercise.
  3. Take a before and after screen shots showing your recovered file. Include them in your notebook.

If you haven't got an image file to practice on, download Practice Image and use that instead.

The above movie demonstrates the use of recoverjpeg. As the label says on the tin, the program filters out and recovers just jpeg files.

More Data Extraction - File carving with Foremost

As the previous excercise revealed specific types of file types can be searched out from the image and placed in a specific folder for further analysis.

The downside of recoverjpeg is that it only recovers or extracts jpeg files. Fortunately there are other forensic tools ...

  1. Watch and work along with the movie using Foremost to extract and separate out the files into different folders, each folder representing a different file type.
    • Use the image of the pen drive created in earlier excercises as the input file (if) or source file.
    • Or use the image file of a friends pen drive. This has the advantage of representing a real life situation where you don't know what's on the drive.
  2. Explain why you think this 'file filtering' process is an advantage in digital forensics.

The start of the movie shows another method of making byte for byte image files using dcfldd. If you have an image file, you can skip this, but if you have borrowed a pendrive feel free to try it.

Notice the use of fdisk - l command to list drives.

Alternative Data Extraction Tools

File carving with Photorec

Like imaging tools, there are range of data extraction/recovery tools available for 'carving out' files. Photorec has the advantage of being available for use on Windows operating systems.

The following exercise uses Photorec in Kali Linux. It may not have come with your version of Kali. Photorec comes as part of an overall package called testdisk. It can be installed by the following command.

root@kali:~# apt-get install testdisk

  1. Try the Photorec tool on your image file of your pen drive. Don't forget you don't have to have this physically mounted. Right click on the image file and choose mount with image viewer. Then use fdisk -l to discover disk name.
  2. See how the recovered files are stored and explain in your notebook how the files are stored compared to Foremost

There's no soundtrack to the video, so don't bother increasing the volume. It shows how install testdisk and use photorec. Also has quite a cool wallpaper.

File carving with Scalpel

Scalpel is another standard file carving tool. The advantage of scalpel is that it easy to customise to look for particular file types. Each different file type is recognised by it's header (hex code at the top of the file and optionally hex code at the foot of the file.).

Wherever scalpel finds a particlar type of hex code at the start of the file as it searches through the image, it places that file in a folder that matches that file type.

To customise the scalpel.conf file find it by:-

  1. Start at Home --> Other Locations --> Computer
  2. Find etc --> Scalpel --> scalpel.conf
  3. Remove/delete # symbol at the start of each file type line to uncomment the file types you want to look for.
  4. Save the file and you're good to go
  1. Find and customise the scalpel.conf file to look for a wide variety of file types.
  2. Watch and work along with the movie.
    • As the default configuration file is being used, the myScalpel.conf command be left out.
  3. Use Scalpel to carve out files from an image file.
  4. Explain how Scalpel works in your notebook.

We're all going on a Rhino hunt, we're not scared!

Time to put put your file carving skills to use. In Kali Linux

  1. Download the zipped folder Rhino Challenge.
  2. Unzip the folder - right click and choose extract
  3. Read the scenario.
  4. Carve out from the image file, using which ever tool you think best, files containing pictures of 11 Rhino's. One is hidden somewhere ...

The scenario and image was created by Dr. Golden G. Richard III.


The city of New Orleans passed a law in 2004 making possession of nine or more unique rhinoceros images a serious crime. The network administrator at the University of New Orleans recently alerted police when his instance of RHINOVORE flagged illegal rhino traffic. Evidence in the case includes a computer and USB key seized from one of the University’s labs. Unfortunately, the computer had no hard drive. The USB key was imaged and a copy of the dd image is on the CD-ROM you’ve been given.

In addition to the USB key drive image, three network traces are also available—these were provided by the network administrator and involve the machine with the missing hard drive. The suspect is the primary user of this machine, who has been pursuing his Ph.D. at the University since 1972.

MD5 Hashes

c0d0093eb1664cd7b73f3a5225ae3f30 *rhino.log

cd21eaf4acfb50f71ffff857d7968341 *rhino2.log

7e29f9d67346df25faaf18efcd95fc30 *rhino3.log

80348c58eec4c328ef1f7709adc56a54 *RHINOUSB.dd

Can you now do?

  • Provide a list of the essential principals that should be followed in the forensic process
  • Describe the main steps of the Forensic Process
  • Identify four analytical methods and explain the role of each in the analytical process.
  • Know the difference between Physical drive and the logical drive.
  • Use a common forensic programmes to forensically recover deleted files.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.

Cyber Security

  • Security Fundamentals
  • Data Security
  • Digital Forensics
  • Ethical Hacking
Supporting courses by the SQA Logo
css badge
html badgee