Digital Forensic Investigation Process


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

1. Introduction

The word "forensic" comes from Latin, where it denoted the process of settling legal disputes. Today the term describes the process of investigating and establishing facts or evidence that could be used in a court of law. Forensics brings science and law enforcement together to determine facts and evidence. Because of our heavy reliance on computer systems, which we use in daily life and depend on, computer forensics has taken its place in investigating crimes committed in the cyber world, whether embezzlement, hacking, digital forgery, cases of pedophilia (Polastro and Eleuterio, 2012), network traffic analysis or electronic voting machines. In this essay, I would like to research the steps required to conduct a forensic investigation, the tools used to establish facts and evidence, and the preparation of evidence for a court of law. Following well-established investigation steps and frameworks is a crucial part of the process and may determine whether the evidence is accepted or rejected in a court of law ("Computer forensics," 2013).

1.1 Objectives

Securing the Crime Scene

Acquisition Process

Authentication and Integrity of Evidence

Analysis

Preparation to hand to a Court of Law

1.2 Scope

Due to the time limitation, and taking into account the complexity of forensic investigation, we will limit ourselves to part of the crime investigation process, which in our case is: securing the crime scene, acquisition, authentication, the analysis process and chain of custody. We investigate how they are performed and what tools and steps are used. Real case scenarios may be referenced for further research or investigation. We will use only a few tools when discussing the practical process, namely EnCase and FTK Forensic Toolkit.

2. Digital Forensic Investigation Process

2.1 Planning and Securing Crime Scene

As computer forensic investigators, our responsibility is to plan and process the crime scene before we even start handling the physical evidence. The planning steps could be as follows (Kleiman et al., 2007; Nelson et al., 2009):

Identify the Chain of Custody and First Responder

Identify the nature of the case - whether it is hacking, child pornography, embezzlement, etc.

Take photographs of the crime scene

Identify the type of Computer system

Determine whether the Computer can be removed

Create a detailed description of the location

Determine the person in charge (head investigator, detectives, IT manager, etc.)

Determine what tools are needed to process the crime scene

The job of a forensic technician is to secure and collect the evidence while avoiding cross-contamination. It is necessary to photograph the location of the evidence, the location of objects, and the bigger picture of the scene. We need to identify what evidence is available and whether it is covered by the warrant; if it is not, it is not admissible in a court of law. Access to the crime scene must be denied to personnel who are not on the chain-of-custody list or not part of the investigation team. This applies even if the crime scene is a server room or another place that non-forensic staff must normally access. Otherwise the crime scene could be cross-contaminated, for example by leaving fingerprints or altering the log files on the server. Once these steps have been taken in order and we have ensured that the crime scene is not tampered with, we can start collecting the evidence for forensic examination in the lab. We need to identify how the evidence should be collected and whether the equipment for transferring it is ready. Forensic technicians must always use properly sanitized clean media for storing evidence, where every bit of the storage has been set to zero, to comply with the forensic investigation framework. The evidence can be obtained by copying the hard drive bit by bit. A standard requirement in forensics is practicing due care (Nelson et al., 2009). The examiner needs to be extremely careful about how evidence is handled, and every action must be documented and accountable. At no time should there be any confusion as to who had possession of the evidence, or what was done to it during that time. By taking precautions to protect the data, you ensure it is not compromised in any way.

2.1.1 Preparation for the investigation

Before the investigation, the technician or investigator must already be equipped with the necessary tools of the trade, such as (Kleiman et al., 2007):

a laptop with the necessary software installed to conduct tasks on the scene,

bootable disks that enable the investigator to start the suspect machine forensically, without writing anything to the hard drive,

a digital camera to photograph the crime scene,

anti-static bags, tags and stickers. The anti-static bags prevent the evidence from being contaminated or tampered with.

2.2 Securing the evidence

Evidence must be kept secure and its integrity unharmed from the time the crime is committed until the investigation is finished. Even after the trial has ended and justice has been done, the evidence must be kept in a secure location for possible future hearings, trials or a reopening of the case. When the suspect hardware or software is not in use or under examination, it should be stored in a secure location where the doors are sealed and only authorized personnel can enter (US Department of Commerce, n.d.). Such places could be a police forensic storage area, safes, or locations with alarms and cameras. If personnel who are not forensic examiners, such as lawyers, police or detectives, will be present, a log must be kept to record visitors. Otherwise the data could be tampered with; the defendant may then ask that the evidence be ruled inadmissible, and the case could be thrown out of court.

3 Investigation

3.1 Acquisition

Once the crime scene is secured and the warrant for search and acquisition is obtained, the acquisition process starts. Acquisition is mainly about gathering evidence. The evidence can be in physical or virtual format, that is, hardware or software respectively. "Acquisition is the act or process of gathering information and evidence. However, in computer forensics, the evidence not only pertains to a computer that's been seized, but the data stored on that computer." - Certified Hacking Forensic Investigation (Kleiman et al., 2007). As forensic investigators, we will mainly be using the software or data inside the hardware to determine the crime or other incidents. This data is what will be used as evidence to convict the suspect or prove the suspect's innocence. During acquisition the technician creates an exact copy of the data located on the suspect storage device, and this is where the authentication process starts.

3.2 Authentication

The authentication process ensures that the collected data is authentic to the original, that is, an exact copy of the originally acquired suspect data. Integrity is checked by comparing the hash values of the images or files. Usually a bit-by-bit copy is used to create a backup image ("National Center for Forensic Science," n.d.). An evidence form is used to keep records of the evidence, stating who handled it, the time, a description and notes; the description is not limited to the items we list here. Suspect objects are placed in the correct containers and stored on the technician's sanitized storage device. Plastic bags and containers that isolate magnetic fields can be used to handle and transfer the objects acquired at the crime scene. The technician creates another backup image as an extra precaution and works on one of the backups. Once the backup images are created, the hashes of the copies are computed and compared to the hash of the suspect storage, to make sure that the copy matches the original and no alteration has taken place ("National Center for Forensic Science," n.d.). Hashing is a one-way function that creates a unique value for the target file or image. There will often be cases where the data is stored in volatile storage. Volatile storage is storage where data is kept for faster access, in ROM, RAM and CMOS, and hence lives only as long as the power supply is on. These types of data need immediate attention and must be dealt with accordingly. The following list is taken from the draft IEEE guidelines on collecting and archiving evidence (Kleiman et al., 2007):

Registers and cache

Routing tables, ARP cache, process tables, and kernel statistics

Contents of system memory

Temporary file systems

Data on disk

If the procedures mentioned above are not followed and the acquired data is tampered with, it will not be accepted as valid evidence to convict the suspect. Even if the acquired data is key to solving the case, if it was obtained without a warrant the evidence will be dismissed by the judge.
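The hash comparison described above, as an added example that is not part of the original essay: it streams a constructed stand-in for the suspect drive and two images of it through MD5, SHA-1 and SHA-256, rejects the copy in which a single bit was flipped, and records the outcome as an evidence-form entry. The file names, the record fields and the use of plain files in place of a write-blocked device are assumptions made so the example runs offline.

```python
"""Verify that forensic images match the acquired original by comparing
MD5, SHA-1 and SHA-256 digests, and record the outcome as an evidence entry."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for the suspect drive. In practice the reference
# digests are taken from the write-blocked original and the images are
# produced by the imaging tool; plain files are used here so this runs offline.
SAMPLE_DRIVE = b"MBR\x00" + bytes(range(256)) * 64 + b"\x00" * 4096

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through all digests at once; a full drive image never fits in RAM."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def verify_image(reference_hashes, image_path):
    """Return (matches, record). A copy is accepted only if every digest matches;
    a single differing algorithm is enough to reject it."""
    actual = hash_file(image_path)
    mismatches = [a for a in ALGORITHMS if actual[a] != reference_hashes[a]]
    record = {                                   # assumed evidence-form layout
        "item": os.path.basename(image_path),
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "hashes": actual,
        "status": "VERIFIED" if not mismatches else "REJECTED:" + ",".join(mismatches),
    }
    return not mismatches, record


def demo():
    """Image the constructed drive twice, flip one bit in the second copy,
    and verify both against the digests taken of the original."""
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "suspect_drive.bin")
        good = os.path.join(work, "image_a.dd")
        bad = os.path.join(work, "image_b.dd")
        with open(original, "wb") as fh:
            fh.write(SAMPLE_DRIVE)
        with open(good, "wb") as fh:
            fh.write(SAMPLE_DRIVE)
        tampered = bytearray(SAMPLE_DRIVE)
        tampered[1000] ^= 0x01                   # one flipped bit in the second image
        with open(bad, "wb") as fh:
            fh.write(bytes(tampered))

        reference = hash_file(original)          # taken once, before any analysis
        good_ok, _ = verify_image(reference, good)
        bad_ok, bad_rec = verify_image(reference, bad)
        return {"good": good_ok, "bad": bad_ok, "bad_status": bad_rec["status"]}


if __name__ == "__main__":
    print(demo())
```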

3.3 Analysis - Evidence Investigation

After the evidence and data have been obtained, the evidence analysis starts. Most of the time there is a lot of information contained in the suspect evidence, and most of it is not relevant to the case and not useful in solving it. In collecting evidence, the investigator must be able to prioritize and collect the most volatile evidence first. After the most volatile evidence is collected, one can move on to the next, less volatile evidence. The examiner must therefore be skilled enough to filter the data down to what is relevant to the case as closely as possible. The process of auditing, analyzing and evaluating the information is very tedious, long and requires skill. This type of evidence prioritization requires non-computing skills, but there are tools available to help the forensic examiner with the auditing, such as EnCase and the FTK Toolkit hex auditor, which we will discuss soon.

3.3.1 Investigation Process

Having conducted the necessary steps, the technician starts the evidence investigation. There are best practices on how to start the process; the following list outlines the best one, taken from the "Certified Hacking Forensic Investigator" preparation book for the CHFI certificate. They are as follows (Nelson et al., 2009):

Preparation - Good preparation is key to success, and the investigator must be ready for the challenges ahead. Once the data is collected from the crime scene, the technician must ensure that he/she has the right conditions to conduct the examination. There must be the right tools for all kinds of forensic investigation, i.e. virtual machines, isolation tools, decryption tools, anti-steganography tools and so on.

Detection - This step determines whether the incident has occurred before, is occurring for the first time, or may occur again. The examiner should interview the person in charge or the IT department about past instances of the crime or possible motivations for it. This helps the technician to draw up the scenario.

Containment - Isolate the spread of any possible contamination from the evidence; this is why isolation of the lab is essential. Opening unknown hardware and software is considered dangerous, and all precautions must be in place in case the danger gets out of hand, such as a virus spreading across the network range or hardware exploding.

Eradication - The eradication process attempts to remove the cause of any harm that the evidence could cause, as it may contain malware.

Recovery - In this process, the technician must be able to recover from any incident that has happened and restore normal operation.

Follow Up - This step analyzes what was done in the previous steps and how, and whether they need any improvement. It is an evaluation of the previous tasks.

4 Using EnCase or FTK Forensic Toolkit

Nowadays it is possible to retrieve deleted files and data from hard drives or other media, given the right tools and skills. For example, when a file is deleted, the data is not actually erased from the hard drive; the file is marked as available to be overwritten, and the free-space counter is increased by the size of that file. With the right tools, the memory cells where the deleted file is located can be identified and the data in those regions read, but those areas can also be overwritten by other activity that must allocate space to store data, such as the cache of a video stream or of the Internet browser. In this way even deleted images, e-mails and visited web pages can be restored. These skills allow evidence to be retrieved in support of the criminal case.

As mentioned earlier, we will use the right software for the right job. In our case we will mostly concentrate on the EnCase forensic toolkit, which is considered one of the most reliable tools, along with the FTK Forensic Toolkit.

Using EnCase we can perform the tasks from acquisition to preparing the report for the court, which would include snapshots and details of the findings. The software supports most hardware storage, mail backups, network capture recognition and so on, and eliminates well-known files based on their signatures to reduce the search scope. Another good feature of the software is its Unicode support, which enables auditing of foreign characters, as shown in the image in Appendix 1.

EnCase has useful features that enable the investigator to decrypt files and folders (EDS Module), mount evidence as a read-only, offline network drive (VFS Module), and emulate a physical drive (PDE Module). EnCase can create a bootable disk to start the suspect machine in DOS mode and begin acquiring the target. This is necessary to prevent writing any alien data, even a single bit, to the suspect drive, and to create a bit-by-bit image of it. Appendix 2 illustrates the user interface ("EnCase Forensic - Computer Forensic Data Collection for Digital Evidence Examiners," n.d.). The figure in Appendix 3 illustrates the EnCase GUI acquiring over the parallel port. Once the acquisition has taken place, the technician can start running search, hash and signature analyses. This is just one method of acquiring the suspect hard drive; there are plenty more options available to the investigator. EnCase contains pre-written scripts that enable the investigator to select and carve data from the storage.
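The signature-based recovery of deleted pictures described in this section, as an added example that is neither the essay's nor EnCase's code: a minimal JPEG carver run over a constructed raw disk image, which reports a picture whose tail was overwritten as incomplete rather than silently dropping it. The marker bytes are the real JPEG ones; the sample disk layout, the helper names and the output file naming are assumptions.

```python
"""Carve JPEG-shaped objects out of a raw disk image by scanning for the
start-of-image and end-of-image markers, the way 'deleted' pictures are
recovered: the bytes stay on disk until something overwrites them."""
import os

SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker, always followed by another FF marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def fake_jpeg(payload: bytes) -> bytes:
    """Constructed JPEG-shaped blob: genuine markers around arbitrary bytes.
    It is not a decodable picture; it only carries the signatures a carver keys on."""
    return JPEG_SOI + b"\xe0" + payload + JPEG_EOI


def build_sample_disk() -> bytes:
    """Constructed raw disk image: a deleted but still intact picture, free
    space, a stray FF D8 that is not a full marker, and a picture whose tail
    was overwritten by later writes (so it has no end marker)."""
    blank = b"\x00" * SECTOR
    intact = fake_jpeg(b"holiday photo " * 20)
    overwritten = JPEG_SOI + b"\xe0" + b"overwritten tail " * 10
    return blank + intact + blank * 3 + b"\xff\xd8" + blank + overwritten + blank


def carve_jpegs(data: bytes, max_size: int = 8 * 1024 * 1024):
    """Yield (offset, blob, complete) for every start marker in the image.
    A hit with no end marker within max_size is still reported, flagged as
    incomplete, because a partially overwritten picture can still be evidence."""
    pos = 0
    while (start := data.find(JPEG_SOI, pos)) != -1:
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_size:
            yield start, data[start:start + max_size], False
            pos = start + len(JPEG_SOI)          # keep scanning past the bad hit
            continue
        end += len(JPEG_EOI)
        yield start, data[start:end], True
        pos = end


def carve_to_dir(data: bytes, out_dir: str) -> list:
    """Write each carved object to out_dir, named by its byte offset, and
    return (filename, complete) pairs for the examiner's notes."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for offset, blob, complete in carve_jpegs(data):
        name = f"carved_{offset:010d}{'' if complete else '.partial'}.jpg"
        with open(os.path.join(out_dir, name), "wb") as fh:
            fh.write(blob)
        written.append((name, complete))
    return written


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as out:
        for name, complete in carve_to_dir(build_sample_disk(), out):
            print(name, "complete" if complete else "INCOMPLETE")
```

Real JPEGs can embed a thumbnail with its own start and end markers, so a production carver parses the segment structure rather than trusting the first end marker it finds.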

5 Chain of Custody and Preparation to Court

5.1 Chain of Custody

Chain of custody is the part of presenting the evidence where the court is shown how the evidence made it all the way to the courtroom and how it was handled (Nelson et al., 2009). That is why it is very important to keep a log of the people who handle the evidence, as it will be needed to show the time of access, who handled it and for what reason. The process of evidence handling and logging begins from the moment the evidence is first discovered and tagged. Evidence bags are usually single-use sealable bags, and the only way to open them is by ripping or tearing them. All the information on the sealable bag's tag is also recorded separately on a sheet or in a digital record.

5.2 Preparation to Court Room

Once the investigation is over, the evidence is presented in the court of law and the examiners are expected to provide expert testimony about their findings ("National Center for Forensic Science," n.d.). The investigator might provide supporting evidence for their findings in the courtroom. During the hearing and trial the attorneys might not have the right knowledge to evaluate or estimate the importance of the evidence, hence the examiner provides supporting materials and correct terminology. Using the right terminology enables non-technical personnel to understand and follow the investigation. The examiner must often be able to show how he found the evidence, describe it, and explain its nature and its relationship to the case. Whatever the case or however serious it is, examiners are not allowed to prosecute or to be biased. They are only allowed to give their opinion and a presentation (Nelson et al., 2009).

5.2.1 Appearance in Court

The hard work of the examiners will be tested and evaluated in the courtroom. The examiners must be professionally dressed and well prepared to give their testimony with correct wording and presentation. Copies of the reports are also provided to the witnesses. The investigator might be questioned by the attorneys, but he/she must remain professional and answer questions without rushing, even when under pressure or at risk of losing their cool. Here is a short list taken from the book "Guide to Computer Forensics" (Nelson et al., 2009):

• This is the venue where all the investigations, examination, and long hours researching an incident pay off.

• All litigants must be aware of their actions and activities when in a public area.

• Before a trial starts, walk into the courtroom and become familiar with the location of the witness chair and the path to get there.

• It is essential to dress professionally.

• The court must hear your testimony. It is important to remember that witnesses are not talking to the attorneys; rather they are talking to the jurors.

• Witnesses must have a copy of the investigative report on the stand and should not be afraid to refer to it.

• The witness must answer all questions clearly and avoid nodding as an answer.

• Witnesses must listen very carefully to every question asked, and make sure the question is understood before responding.

• Attorneys may try to make witnesses lose their cool.

• Witnesses can make a mistake and respond incorrectly to questions.

• Witnesses must avoid looking at their counselors when answering questions.

5.2.2 Presenting the evidence

It is crucial to give a good presentation in the courtroom when showing and presenting evidence. The examiner will be presenting the evidence not only to professionals but to the audience as well, which is why the right words must be chosen. PowerPoint slides can be used to enhance the presentation with graphics and explanatory drawings. It is necessary to give the magnitude of the case, a description of the case, bullet points emphasizing the most important elements, the relevance of the evidence to resolving the case, and a description of the supporting materials. The investigator will be asked to provide CRC, MD5, SHA-1 or similar hash values for the authenticity of the evidence, and to explain the tools used and their purpose ("National Center for Forensic Science," n.d.). The investigator must also be able to answer how the data was obtained, with proof, and by whom it was handled during the investigation; if the examiner cannot give professional answers, he/she may lose the court's confidence and trust in his/her professionalism. The investigator must have the right wording to explain these things well and present them in court.

6 Conclusion

Having researched and read articles, presentation slides, tutorials and lecture notes, I am confident that computer forensics will continue to grow because of the increase in computer criminals and computer-related crimes. The majority of things we knew before are being digitized and we rely on their intended functionality, but criminals take advantage of them to commit cyber crimes. We can take as an example the cyber forensic case of a teacher in the US who was convicted of pedophilia in the 90s. Her work PC got a virus that was used to show child pornographic images on the desktop, which is why the school board stopped her activity at work and she was investigated by the police [reference]. After a while, using more evolved cyber forensic investigation, the case was resolved in her favor and she was found not guilty. But this is another major challenge for computer forensics: relying on innovation and being able to meet the demand of solving complex cases (Nogueira and Celestino Júnior, 2009). The teacher was found not guilty, but her reputation and career were destroyed. The complexity of digital forensics is increasing; for example, if the crime is committed at a server location, retrieving the data might endanger the operation of the company and could negatively influence its reputation. Another challenging part is not being able to transfer the evidence to the lab for examination and auditing, which creates difficulties and possible changes in the hash values of the hard drive, especially when the hard drive is part of a RAID and the operation of the network depends on it. In such cases the question may arise in the court of law about the legitimacy of the evidence, and it might lose its authenticity. I believe that in order to overcome these kinds of difficulties, IT management rules will be deployed, like making it mandatory to create hot swaps for the server, so that if one is shut down, the other one is up.

6.1 Challenges facing Cyber Forensics

Cyber forensics is considered new and is still being shaped by new frameworks for the investigation process. Steps and investigation procedures differ from one country to another, and the law does not support some forensic findings. That is why forensic investigation is still considered to be evolving and young, despite its role in the law and the conviction process.

Another challenge cyber forensics faces is the magnitude of the data it deals with. The examiner must process a huge amount of information to find the crucial information to solve the case, or at least to find a lead during the investigation. This is overwhelming; even hash elimination is not always useful when dealing with non-hashed data to determine which files can be skipped and which ones must be processed. A group of file auditors could be created, or a department that deals with parsing the data, for example from the RAID drives


