Digital forensics is a detailed, methodical process. Strict adherence to a methodology could mean the difference between success or failure of a computer forensics investigation. There are broadly five steps that a Digital Forensic Investigation follows:
Step 1: Identification
In this very first step, all potential sources of evidence that are capable of storing digital information are identified such as computers, phones, hard drives, pen drives, etc. Forensic experts then identify which of these devices require analysis to meet case objectives. The scope could range from a single laptop to a complete network. In the event that an entire network is under scrutiny, the investigator must identify any rogue devices on the network that are unknown to the organization. In such cases, the mapping and identification of all the machines and devices in the networked environment becomes a forensic expert’s first task.
Step 2: Preservation
Next, the scope of materials identified in the first step are isolated, secured, and preserved. Steps are taken to ensure that people do not use these devices so that the evidence is secured. Evidence is handled in a manner that in a manner that maintains the authenticity, and hence credibility, of data. Next, an image of the evidence is created. An image is a bit-by-bit copy of the evidence (hard drive, USB device, shared network folder, etc.). Evidence collection concludes when all relevant evidence is imaged. The following aspects are among the many issues to be considered in relation to data collection:
- To collect volatile data like RAM data or current users logged into the network, the system would remain on during the collection process.
- It is necessary to create a duplicate copy of the original source to create an image of the evidence. Hashing techniques should be used to ensure integrity.
- In the event that it is necessary to completely seize the physical devices and then collect data from them, the devices might need to be on or off depending on the specific situations.
Step 3: Examination
This step involves in-depth analysis of all the images or copies of evidence in place. The examination phase is never carried out on the actual evidence so that the original evidence remains intact in the event that something goes wrong. There are different types of data that are of interest to a forensic expert at this point:
- Saved Data - This is data that is not deleted or created temporarily and is simply present on the image. This could include files created by various users on the system under investigation and could also include operating system specific files.
- Temporary Data - A number of programs on a computer system create temporary files and archived files. For instance, try opening a Microsoft Word document and you will notice in the folder, where the file is located, that a number of temporary files are created that often start with a ‘~’ character or have a “.TMP” extension. Such files represent a snapshot of the original file at some point in time and could be important.
- Deleted Data - Data that is deleted is still present on a computer system or device. Deletion only instructs the operating system to “forget” that this data exists and notes that the location occupied by this data is now free to be overwritten. The data remains there until the computer writes new data on that part of the drive. With the right tools, this deleted data can still be extracted as long as it hasn’t been overwritten. It is also sometimes possible to reconstruct the file even if it has been partially overwritten. Deleted data is sometimes one of the most important pieces of the forensic puzzle.
- Metadata - Metadata is data that describes data. For instance, a file could have related information such as the time of creation of the file, the time it was last modified, the physical location of the file on the hard drive, etc. When data is deleted, it is this metadata that is deleted by the operating system. So, basically, the operating system does not “know” where the data is located anymore. But the fact remains that the data still exists on the drive or storage media.
- Slack Space Data - Slack space is the area on a hard drive or storage media that is not used by the operating system. Almost every file on a computer system has some associated slack space. If you were given 1.5 gallons of fuel and had 2 canisters of 1 gallon each to fill it, one of these would be full and the other would be half-full. The remainder of the second canister, which is the half-empty portion, is the slack space. This slack space on storage media can sometimes contain data that could change the course of a trial.
Step 4: Documentation
In this phase, an accurate record of all activities undertaken in relation to the investigation is created. This includes details of the methods used for retrieving, copying, storing, and testing data as well as methods used to examine and access evidence. The forensic expert creates a timeline of events that serves as a foundation for the investigation. Good documentation is critical and should demonstrate how the integrity of data was maintained and also prove that proper policies and procedures were adhered to by everyone involved in the investigation. An investigator’s failure to accurately document the process could compromise the validity and admissibility of the evidence.
Step 5: Reporting
A good report can serve as the invaluable link between the technical and non-technical elements of a case. A report needs to be comprehensive but at the same time it should be simple and offer an easily understandable explanation of the case-relevant sections of the evidence. The report is, essentially, the evidence itself in a form that everyone present in court can understand and interpret. At a minimum, a forensic report should identify the data and the events that took place, an independent evaluation of the sequence of events, and a conclusion or opinion at the end. There’s a rule of thumb that you need to follow in Digital Forensics – If You Didn’t Write It Down, It Didn’t Happen! This is a simple rule to live by when it comes to documenting all the activities involved in the investigation.