Digital forensic process
The digital forensic process is a recognised scientific and forensic process used in digital forensics investigations.[1][2] Forensics researcher Eoghan Casey defines it as a number of steps from the original incident alert through to reporting of findings.[3] The process is predominantly used in computer and mobile forensic investigations and consists of three steps: acquisition, analysis and reporting.
Digital media seized for investigation is usually referred to as an "exhibit" in legal terminology. Investigators employ the scientific method to recover digital evidence to support or disprove a hypothesis, either for a court of law or in civil proceedings.[2]
Personnel
The stages of the digital forensics process require differing specialist training and knowledge. There are two rough levels of personnel:[3]
- Digital forensic technician
- Technicians may gather or process evidence at crime scenes. In digital forensics this requires training in the correct handling of technology, for example so that the evidence is preserved rather than altered during collection. Technicians may also be required to carry out "live analysis" of evidence on a running system; various tools have been produced to simplify this procedure, most notably Microsoft's COFEE.
- Digital Evidence Examiners
- Examiners specialize in one area of digital evidence, either at a broad level (e.g. computer or network forensics) or as a sub-specialist (e.g. image analysis).
Process models
There have been many attempts to develop a process model, but so far none has been universally accepted. Part of the reason may be that many of the process models were designed for a specific environment, such as law enforcement, and therefore could not be readily applied in other environments such as incident response.[4] This is a list of the main models since 2001 in chronological order:[4]
Seizure
Prior to the actual examination, digital media will be seized. In criminal cases this will often be performed by law enforcement personnel trained as technicians to ensure the preservation of evidence. In civil matters it will usually be a company officer, often untrained. Various laws cover the seizure of material. In criminal matters the law relating to search warrants is applicable. In civil proceedings the assumption is that a company is able to investigate its own equipment without a warrant, so long as the privacy and human rights of employees are observed.
Acquisition

Once exhibits have been seized, an exact sector-level duplicate (or "forensic duplicate") of the media is created, usually through a write-blocking device that prevents the examining workstation from writing to the original, a process referred to as imaging or acquisition.[5] The duplicate is created using a hard-drive duplicator or software imaging tools such as dcfldd, IXimager, Guymager, TrueBack, EnCase, FTK Imager or FDAS. The original drive is then returned to secure storage to prevent tampering.
The acquired image is verified by computing a cryptographic hash, traditionally with the SHA-1 or MD5 hash functions, and comparing it with the hash recorded for the source media at acquisition. Both MD5 and SHA-1 are now known to be vulnerable to collision attacks, so examiners commonly record a SHA-256 digest alongside them, and most imaging tools compute several digests in the same pass. At critical points throughout the analysis the image is hashed again to confirm that the evidence is still in its original state; a matching digest demonstrates that the copy being examined is bit-for-bit identical to the one acquired.
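The verification step described above, as an added example written for this article rather than code from any of the imaging tools named. The image bytes and the acquisition record are constructed; the function names (`hash_stream`, `verify_image`) are illustrative and do not correspond to a real tool's API.

```python
"""Verify that a forensic image still matches the digests recorded at acquisition.

Added illustration: the image and record below are constructed, not real evidence.
"""
import hashlib
import io

# Hash in fixed-size blocks so that an image larger than memory can be processed,
# and compute every digest in the same single pass over the data.
CHUNK_SIZE = 1 << 20  # 1 MiB

DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream, algorithms=DEFAULT_ALGORITHMS):
    """Return {algorithm: hex digest} over everything readable from stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=DEFAULT_ALGORITHMS):
    """Convenience wrapper for in-memory data (a real image would be opened read-only)."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify_image(stream, acquisition_record):
    """Re-hash the image and compare with the digests written down at acquisition.

    Returns (ok, mismatched_algorithms). Every recorded digest must match;
    a single differing bit anywhere in the image changes all of them.
    """
    current = hash_stream(stream, tuple(acquisition_record))
    mismatched = sorted(name for name, expected in acquisition_record.items()
                        if current[name] != expected.lower())
    return (not mismatched, mismatched)


# Constructed stand-in for a sector-level duplicate: 3 MiB of a repeating pattern.
ORIGINAL_IMAGE = bytes(range(256)) * (3 * 4096)


def demonstrate():
    """Acquire, verify the clean image, then verify a copy with one flipped bit."""
    record = hash_bytes(ORIGINAL_IMAGE)           # recorded in the acquisition notes
    ok_clean, _ = verify_image(io.BytesIO(ORIGINAL_IMAGE), record)

    tampered = bytearray(ORIGINAL_IMAGE)
    tampered[2_000_000] ^= 0x01                   # one bit, deep inside the image
    ok_tampered, bad = verify_image(io.BytesIO(bytes(tampered)), record)
    return ok_clean, ok_tampered, bad


if __name__ == "__main__":
    ok_clean, ok_tampered, bad = demonstrate()
    print("clean image verifies:", ok_clean)
    print("tampered image verifies:", ok_tampered, "mismatched:", bad)
```

Recording more than one digest is cheap because all of them are computed in the same read of the image, and it means a later challenge to MD5 or SHA-1 alone does not undermine the record: a single flipped bit, as in `demonstrate()`, changes every digest, and no known attack produces two inputs that collide under MD5, SHA-1 and SHA-256 at once.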
Analysis
On most media types, including standard magnetic hard disks, data that has been overwritten (securely deleted) cannot be recovered, and a single overwriting pass is sufficient.[6][7] Data that has merely been deleted, with its directory entry removed but its sectors left untouched, can still be recovered from unallocated space. SSDs are of particular interest from a forensic viewpoint because even after a secure-erase operation some of the data that was intended to be erased can persist on the drive: the drive's controller, not the host, decides which flash blocks are actually overwritten.
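A toy model of the distinction in the paragraph above, added here as illustration rather than taken from the article's sources: ordinary deletion removes only the directory entry, so signature-based carving of unallocated space still recovers the file, whereas an overwriting pass leaves nothing to carve. The `ToyVolume` class, its sector layout and the JPEG-like `PHOTO` payload are constructed for the example and do not model any real file system, nor an SSD's flash translation layer.

```python
"""Deleted versus overwritten data on a toy sector-addressed volume.

Added illustration: ToyVolume, its directory layout and PHOTO are constructed
and do not model any real file system.
"""
SECTOR = 512
JPEG_HEADER = b"\xff\xd8\xff"   # start-of-image marker that carving tools look for
JPEG_FOOTER = b"\xff\xd9"       # end-of-image marker


class ToyVolume:
    """A byte array of sectors plus a directory of name -> (start_sector, length)."""

    def __init__(self, sectors):
        self.data = bytearray(SECTOR * sectors)
        self.directory = {}
        self._next_free = 0      # files are laid out contiguously, one after another

    def _sectors_for(self, length):
        return -(-length // SECTOR)  # ceiling division

    def write_file(self, name, payload):
        count = self._sectors_for(len(payload))
        if (self._next_free + count) * SECTOR > len(self.data):
            raise ValueError("volume full")
        offset = self._next_free * SECTOR
        self.data[offset:offset + len(payload)] = payload
        self.directory[name] = (self._next_free, len(payload))
        self._next_free += count

    def delete(self, name):
        # Ordinary deletion: only the directory entry goes; the sectors keep their contents.
        del self.directory[name]

    def secure_delete(self, name):
        # Overwrite every sector the file occupied with zeros, then drop the entry.
        # One pass suffices on magnetic media (refs 6, 7); an SSD controller may
        # still hold the old contents in flash blocks the host cannot address.
        start, length = self.directory[name]
        count = self._sectors_for(length)
        self.data[start * SECTOR:(start + count) * SECTOR] = bytes(count * SECTOR)
        del self.directory[name]

    def unallocated(self):
        """Concatenate every sector not referenced by a directory entry."""
        allocated = set()
        for start, length in self.directory.values():
            allocated.update(range(start, start + self._sectors_for(length)))
        total = len(self.data) // SECTOR
        return b"".join(bytes(self.data[i * SECTOR:(i + 1) * SECTOR])
                        for i in range(total) if i not in allocated)


def carve_jpegs(blob):
    """Header/footer signature carving: return every FFD8FF ... FFD9 run in blob."""
    found = []
    pos = 0
    while True:
        start = blob.find(JPEG_HEADER, pos)
        if start < 0:
            break
        end = blob.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end < 0:
            break
        found.append(blob[start:end + len(JPEG_FOOTER)])
        pos = end + len(JPEG_FOOTER)
    return found


# Constructed JPEG-like payload (valid markers, filler body); no 0xFF bytes inside
# the body, so the carver cannot find a false marker.
PHOTO = JPEG_HEADER + b"\xe0\x00\x10JFIF\x00" + bytes(range(1, 200)) * 7 + JPEG_FOOTER


def demonstrate():
    """Write a file, remove it two ways, and carve unallocated space each time."""
    results = {}
    for method in ("delete", "secure_delete"):
        vol = ToyVolume(sectors=64)
        vol.write_file("notes.txt", b"meeting moved to 10:00\n")
        vol.write_file("photo.jpg", PHOTO)
        getattr(vol, method)("photo.jpg")
        results[method] = carve_jpegs(vol.unallocated())
    return results


if __name__ == "__main__":
    for method, carved in demonstrate().items():
        print(f"{method}: carved {len(carved)} image(s)")
```

The carver works purely on byte signatures, which is why it recovers the photo after `delete` even though no directory entry points at it, and why it finds nothing after `secure_delete`: once the sectors are overwritten there is no marker left to match. On a real SSD the same host-visible overwrite may be redirected by the controller to fresh flash blocks, leaving the old copy in place, which is the persistence the paragraph above describes.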
Once evidence is recovered the information is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialist staff.[8] Digital investigators, particularly in criminal investigations, have to ensure that conclusions are based upon data and their own expert knowledge.[3] In the US, for example, Federal Rules of Evidence state that a qualified expert may testify “in the form of an opinion or otherwise” so long as:
(1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.[9]
Reporting
When an investigation is completed the information is often reported in a form suitable for non-technical individuals. Reports may also include audit information and other meta-documentation.[3]
When completed, reports are usually passed to those commissioning the investigation, such as law enforcement (for criminal cases) or the employing company (in civil cases), who will then decide whether to use the evidence in court. Generally, for a criminal court, the report package will consist of a written expert conclusion on the evidence as well as the evidence itself (often presented on digital media).[3]
References
- ^ "Electronic Crime Scene Investigation Guide: A Guide for First Responders" (PDF). National Institute of Justice. 2001.
- ^ a b Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN 0-12-374267-6. Retrieved 4 September 2010.
- ^ a b c d e Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.
- ^ a b Adams, Richard (2012). "The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice" (PDF).
- ^ Maarten Van Horenbeeck (24 May 2006). "Technology Crime Investigation". Retrieved 17 August 2010.
- ^ "Disk Wiping – One Pass is Enough". 17 March 2009.
- ^ "Disk Wiping – One Pass is Enough – Part 2 (this time with screenshots)". 18 March 2009.
- ^ M Reith; C Carr; G Gunsch (2002). "An examination of digital forensic models". International Journal of Digital Evidence. CiteSeerX: 10.1.1.13.9683.
- ^ "Federal Rules of Evidence #702". Retrieved 23 August 2010.
External links
- U.S. Department of Justice - Forensic Examination of Digital Evidence: A guide for Law Enforcement
- FBI - Digital Evidence: Standards and Principles
- Warren G. Kruse; Jay G. Heiser (2002). Computer forensics: incident response essentials. Addison-Wesley. p. 392. ISBN 0-201-70719-5.
Further reading
- Carrier, Brian D. (February 2006). "Risks of live digital forensic analysis". Communications of the ACM. 49 (2): 56–61. doi:10.1145/1113034.1113069. ISSN 0001-0782. Retrieved 31 August 2010.