Digital Forensics

5. Recording Steps of the Investigation

Recording Actions

Maintaining an accurate record of each and every action, together with the reasons for it, is an extremely important principle. As has already been made clear, the aim is to provide a detailed list of steps that others can follow and reach exactly the same conclusion from the same evidence.

The previous page explained that there are three principal sets of documents in any forensic process.

  1. Investigator's notes: This is a detailed record of all the actions undertaken by the investigator, together with the reasons why each was done. To maintain the chain of evidence, forensic investigators have to record in considerable detail all the identifying features of the hardware and software used.

    Fortunately, much of this recording work is automated by the digital forensic software. But the investigator still has to make notes of why actions were undertaken and their results. In many cases these notes are only attached to the case and would only be consulted if there was a dispute.

  2. Investigator's report: This is the main section of the report and is followed by the findings. The investigator's notes may be provided separately or attached as an appendix; they would only be referred to if there was a dispute over the findings.

    The report would begin with a description of the context of the case. Essentially, this is the briefing from the commissioning agent, i.e. the police or agency asking for the investigation.

    The briefing determines how the investigation proceeds: it sets out the suspected crime, what evidence should be looked at and what should be looked for, and consequently guides how it should be looked for.

  3. Investigator's findings: These are the conclusions that can be drawn from the results of the analysis. The idea is that there is an unbroken chain from the initial briefing, to the analysis, to the findings, leaving no doubt as to what was done, how it was done, why it was done and who did it (who, what, why and how).

Forensic Report

Autopsy Revisited

Having used other forensic tools, it's time to look again and appreciate the power of Autopsy.

Create a new page. Call it Recording Steps. Answer the following questions.

  1. Download the image. Create new case in Autopsy with a suitable name. Add a Host and then add an image file.
  2. Watch and follow along with the image file provided.
  3. Explain the difference between Created time, Access time and Modified time.
  4. Describe the significance of the different shades of red. Which colour represents files that are more likely to be successfully recovered?

Recording the forensic tools used, together with all the other details (hash values, file lists, etc.) needed to enable others to repeat the same operations and end up with the same result, can be extremely time consuming.

Fortunately, programs like Autopsy can automate much of the process.

  1. Watch and follow along with the movie with an image file of your own.
  2. Explain the term evidence locker.
  3. Understand how Autopsy manages the Case Gallery, Host Gallery and Host Manager.

Timeframe Analysis

When carrying out forensic investigations, the order in which events took place can be significant, especially if it can be shown that a particular suspect modified a file at a specific time. It can also help fix them at a particular location and show an awareness of something that they may be denying - "It was nae me".

  1. Download a practice image or use your own image of your pen drive.
  2. If you haven't used the image in Autopsy:
    1. Start Autopsy.
    2. Click New Case. Provide a suitable title and details.
    3. Add a new host: you can name this after the image source.
    4. Choose Add New Image. Provide a location, e.g. /root/Desktop/example.dd
    5. Choose disk or partition depending on the type.
    6. Choose the import method - mostly this will be Symlink.
  3. Open the image from the Case Gallery.

Now you should be ready to complete a File Activity Time Analysis.

Doing The Analysis

Completing a time analysis is a two-step process. First, create a data file - think of this as a temporary space into which all the file details (name, creation date, time, location, etc.) are stored. The second step involves creating a timeline. Essentially, all the files are sorted into date order in an automated process, saving hours and hours of work.

  1. Click on the File Activity Time Lines button.
  2. Choose Create Data File.
    1. Make sure you select the source drive
    2. Check the boxes for allocated files and/or unallocated space - unallocated space is free space, or space from deleted files that has been freed up for new file storage.
    3. Leave the output file as body
    4. Check the box so that the MD5 hash value is generated.
  3. Choose Timelines
    1. Choose a start date or enter a very early year, say 2000
    2. Choose an end date or the current date.
    3. Choose normal or csv output (normal saves the file as .txt, which can be opened in Notepad; csv - comma-separated values - will allow the file to be opened in a spreadsheet).
    4. Enter a name for the output text file, e.g. timeline.txt
  4. Viewing the output is sometimes best achieved by going to:
    1. Start at Home --> Other Locations --> Computer
    2. Computer --> var --> lib
    3. lib --> autopsy --> [name of the case file]
    4. Finally [name of the case file], [name of the host] then output then choose:-
      1. The text file which shows the list of the files in order.
      2. The sum file which shows the number of files changed or created each day.
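The two steps above, as an added example in Python (not part of the course materials or of Autopsy itself): the data file is taken to be in the body layout written by The Sleuth Kit, whose first column is the MD5 generated by the hash check box, and the script sorts it into a timeline and produces the per-day counts that the .sum file holds. The body lines are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data file in The Sleuth Kit body layout:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (times are Unix epoch)
BODY = """\
0cc175b9c0f1b6a831c399e269772661|/docs/plan.txt|1024|r/rrw-r--r--|0|0|512|1704067200|1703980800|1703980800|1703894400
92eb5ffee6ae2fec3ad71c777531578f|/docs/notes.txt|1025|r/rrw-r--r--|0|0|40|1704153600|1704067200|1704067200|1704067200
4a8a08f09d37b73795649038408b5f33|$OrphanFiles/deleted.jpg (deleted)|2048|r/rrw-r--r--|0|0|9000|1703980800|1703980800|1703980800|1703980800
"""

# Timestamp types in the order of the MACB flag column:
# m = modified, a = accessed, c = metadata changed, b = born (created).
FIELDS = (("m", 8), ("a", 7), ("c", 9), ("b", 10))

def parse_body(text):
    """Step 1: read the data file into per-file records, rejecting malformed lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 11:
            raise ValueError(f"malformed body line: {line!r}")
        records.append(parts)
    return records

def build_timeline(records):
    """Step 2: one row per (time, file) with its MACB flags, sorted into date order."""
    events = {}  # (epoch, name) -> set of flags seen at that instant
    for rec in records:
        for flag, idx in FIELDS:
            events.setdefault((int(rec[idx]), rec[1]), set()).add(flag)
    rows = []
    for (epoch, name), flags in sorted(events.items()):
        macb = "".join(f if f in flags else "." for f, _ in FIELDS)
        when = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((when, macb, name))
    return rows

def daily_summary(rows):
    """Equivalent of the .sum file: number of file events on each calendar day."""
    return dict(Counter(when[:10] for when, _, _ in rows))

if __name__ == "__main__":
    timeline = build_timeline(parse_body(BODY))
    for row in timeline:
        print("  ".join(row))
    print(daily_summary(timeline))
```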

Can you now do the following?

  • Understand the importance of having complete and proper documentation.
  • Explain the aim and importance of keeping accurate investigator's notes.
  • Complete an analysis, and generate and explain reports produced by forensic reporting tools.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.
