Digital forensic process

(Figure: A Tableau forensic write blocker)

The digital forensic process is a recognised scientific and forensic process used in digital forensics investigations.[1][2] Forensics researcher Eoghan Casey defines it as a number of steps from the original incident alert through to reporting of findings.[3] The process is predominantly used in computer and mobile forensic investigations and consists of three steps: acquisition, analysis and reporting.

Digital media seized for investigation is usually referred to as an "exhibit" in legal terminology. Investigators employ the scientific method to recover digital evidence to support or disprove a hypothesis, either for a court of law or in civil proceedings.[2]

Personnel

The stages of the digital forensic process require differing specialist training and knowledge; there are two rough levels of personnel:[3]

Digital forensic technician
Technicians may gather or process evidence at crime scenes. In the field of digital forensics, training is needed in the correct handling of technology (for example, to preserve the evidence). Technicians may be required to carry out "live analysis" of evidence; various tools have been produced to simplify this procedure, most notably Microsoft's COFEE.
Digital evidence examiner
Examiners specialise in one area of digital evidence, either at a broad level (e.g. computer or network forensics) or as a sub-specialist (e.g. image analysis).

Seizure

Prior to the actual examination, digital media will be seized. In criminal cases this will often be performed by law enforcement personnel trained as technicians, so as to ensure preservation of evidence. In civil matters it will usually be a company officer, often untrained. Various laws cover the seizure of material. In criminal matters, the law relating to search warrants is applicable. In civil proceedings the assumption is that a company is able to investigate its own equipment without a warrant, so long as the privacy and human rights of employees are observed.

Acquisition

(Figure: Example of a portable disk imaging device)

Once exhibits have been seized, an exact sector-level duplicate (or "forensic duplicate") of the media is created, usually via a write-blocking device, in a process referred to as imaging or acquisition.[4] The duplicate is created using a hard-drive duplicator or software imaging tools such as DCFLdd, IXimager, Guymager, TrueBack, EnCase, FTK Imager or FDAS. The original drive is then returned to secure storage to prevent tampering.

The acquired image is verified using the SHA-1 or MD5 hash functions. At critical points throughout the analysis the media is verified again (known as "hashing") to ensure that the evidence is still in its original state. In corporate environments seeking civil or internal charges, such steps are generally overlooked due to the time required to perform them.[citation needed]
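The imaging-and-verification step described above, as an added illustration that is not part of the original article or of any tool it names: a sector-by-sector copy is hashed while it is written (the way dcfldd-style imagers do), the acquisition hashes are recorded, and the image is re-hashed later to confirm it is unchanged. The "source media" is a constructed byte string, the file name exhibit01.dd is an assumption, and SHA-256 is computed alongside the MD5 and SHA-1 the article mentions because the latter two are no longer collision-resistant.

```python
import hashlib
import os
import tempfile

SECTOR = 512
# Constructed stand-in for a seized drive: 128 sectors of deterministic bytes.
SOURCE_MEDIA = bytes((i * 31 + 7) % 256 for i in range(SECTOR * 128))
ALGOS = ("md5", "sha1", "sha256")


def image_media(src: bytes, dst_path: str) -> dict:
    """Copy src sector by sector into dst_path, hashing each sector as it is written."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    with open(dst_path, "wb") as out:
        for off in range(0, len(src), SECTOR):
            sector = src[off:off + SECTOR]
            out.write(sector)
            for h in hashes.values():
                h.update(sector)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_file(path: str) -> dict:
    """Re-hash an existing image file with the same algorithms as the acquisition record."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(SECTOR * 8), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify_image(path: str, acquisition_hashes: dict) -> bool:
    """True only if every recorded digest still matches the image on disk."""
    return hash_file(path) == acquisition_hashes


def demo() -> tuple:
    """Verify a fresh image, then flip one byte (simulated tampering) and verify again."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "exhibit01.dd")  # assumed file name
        record = image_media(SOURCE_MEDIA, img)
        ok_before = verify_image(img, record)
        with open(img, "r+b") as f:
            f.seek(1000)
            original = f.read(1)
            f.seek(1000)
            f.write(bytes([original[0] ^ 0xFF]))
        ok_after = verify_image(img, record)
    return ok_before, ok_after
```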

Analysis

After acquisition, the contents of image files are analysed to identify evidence that either supports or contradicts a hypothesis, or for signs of tampering (to hide data).[5] In 2002 the International Journal of Digital Evidence referred to this stage as "an in-depth systematic search of evidence related to the suspected crime".[6] By contrast, Brian Carrier, in 2006, describes a more "intuitive procedure" in which obvious evidence is first identified, after which "exhaustive searches are conducted to start filling in the holes".[7]

During the analysis an investigator usually recovers evidence material using a number of different methodologies (and tools), often beginning with recovery of deleted material. Examiners use specialist tools (EnCase, FTK, etc.) to aid with viewing and recovering data. The type of data recovered varies depending on the investigation, but examples include email, chat logs, images, internet history or documents. The data can be recovered from accessible disk space, deleted (unallocated) space or from within operating system cache files.[3]

Various techniques are used to recover evidence, usually involving some form of keyword searching within the acquired image file, either to identify matches to relevant phrases or to parse out known file types. Certain files (such as graphic images) have a specific set of bytes which identify the start and end of a file; if these are identified, a deleted file can be reconstructed.[3] Many forensic tools use hash signatures to identify notable files or to exclude known (benign) ones; acquired data is hashed and compared to pre-compiled lists such as the Reference Data Set (RDS) from the National Software Reference Library.[4]
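The two recovery techniques just described, header/footer carving and hash-set comparison, as an added example that is not part of the original article or of any listed tool. The JPEG start (FF D8 FF) and end (FF D9) markers are real; the "unallocated space" blob and the "known file" hash set standing in for an RDS-style list are constructed so the script runs offline.

```python
import hashlib

# JPEG files begin with FF D8 FF and end with FF D9 (the EOI marker).
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"

# Constructed "unallocated space": two deleted JPEG-like fragments between runs of zero filler.
JPEG_A = JPEG_HEADER + b"\xe0" + b"A" * 40 + JPEG_FOOTER   # 46 bytes
JPEG_B = JPEG_HEADER + b"\xe1" + b"B" * 25 + JPEG_FOOTER   # 31 bytes
UNALLOCATED = b"\x00" * 100 + JPEG_A + b"\x00" * 300 + JPEG_B + b"\x00" * 50

# Constructed known-file hash set (the role an RDS-style list plays): JPEG_B is "benign".
KNOWN_SHA1 = {hashlib.sha1(JPEG_B).hexdigest()}


def carve(data: bytes, header: bytes, footer: bytes, max_len: int = 10 * 1024 * 1024) -> list:
    """Return (offset, bytes) for every header..footer run; a header with no footer is skipped."""
    found = []
    pos = 0
    while True:
        start = data.find(header, pos)
        if start == -1:
            break
        # Look for the footer only within max_len of the header to bound a runaway carve.
        end = data.find(footer, start + len(header), start + max_len)
        if end == -1:
            pos = start + 1
            continue
        end += len(footer)
        found.append((start, data[start:end]))
        pos = end
    return found


def triage(data: bytes, known: set) -> list:
    """Carve JPEGs and mark each 'known' (exclude) or 'notable' (review) by SHA-1 lookup."""
    results = []
    for offset, blob in carve(data, JPEG_HEADER, JPEG_FOOTER):
        digest = hashlib.sha1(blob).hexdigest()
        status = "known" if digest in known else "notable"
        results.append({"offset": offset, "size": len(blob), "sha1": digest, "status": status})
    return results
```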

Once evidence is recovered the information is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialist staff.[6] Digital investigators, particularly in criminal investigations, have to ensure that conclusions are based upon data and their own expert knowledge.[3] In the US, for example, Federal Rules of Evidence state that a qualified expert may testify “in the form of an opinion or otherwise” so long as:

(1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.[8]

Reporting

When an investigation is completed the information is often reported in a form suitable for non-technical individuals. Reports may also include audit information and other meta-documentation.[3]

When completed, reports are usually passed to those commissioning the investigation, such as law enforcement (for criminal cases) or the employing company (in civil cases), who will then decide whether to use the evidence in court. Generally, for a criminal court, the report package will consist of a written expert conclusion on the evidence as well as the evidence itself (often presented on digital media).[3]

References

  1. "Electronic Crime Scene Investigation Guide: A Guide for First Responders". National Institute of Justice. 2001. http://www.ncjrs.gov/pdffiles1/nij/187736.pdf
  2. Various (2009). Eoghan Casey, ed. Handbook of Digital Forensics and Investigation. Academic Press. pp. 567. ISBN 0123742676. http://books.google.co.uk/books?id=xNjsDprqtUYC. Retrieved 4 September 2010.
  3. Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4. http://books.google.co.uk/books?id=Xo8GMt_AbQsC&hl=en&dq=Digital%20Evidence%20and%20Computer%20Crime,%20Second%20Edition&ei=it1XTMncCMm44gbC_qyFBw&sa=X&oi=book_result&ct=result&resnum=1&ved=0CDQQ6AEwAA
  4. Maarten Van Horenbeeck. "Technology Crime Investigation". http://www.daemon.be/maarten/forensics.html. Retrieved 17 August 2010.
  5. Carrier, B. (2001). "Defining digital forensic examination and analysis tools". Digital Research Workshop II. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.14.8953&rep=rep1&type=pdf. Retrieved 2 August 2010.
  6. Reith, M.; Carr, C.; Gunsch, G. (2002). "An examination of digital forensic models". International Journal of Digital Evidence. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.13.9683&rep=rep1&type=pdf. Retrieved 2 August 2010.
  7. Carrier, Brian D. "Basic Digital Forensic Investigation Concepts". http://www.digital-evidence.org/di_basics.html
  8. "Federal Rules of Evidence #702". http://federalevidence.com/rules-of-evidence#Rule702. Retrieved 23 August 2010.

Wikimedia Foundation. 2010.