Digital Forensics

Forensic process

Same practice with a variety of steps

Many digital investigation professionals and organizations have documented their own steps and guides for conducting a digital investigation. The steps described vary widely between guides, but a few are common to most of them: the collection, preservation and analysis of digital evidence.

Process overview

The following is an extended digital forensics process which aims to cover all the typically involved steps. A description of each step is provided to support a fundamental understanding of that step, so that the reader can follow along with the process, and to give a baseline for further research.

  1. Preparation

    Prepare and plan the case ahead of time. Obtain required authorizations, set up case management and prepare relevant documentation, tools and acquisition techniques.

  2. Identification

    Recognize potential electronic devices and sources that could be considered digital evidence or store relevant electronic information. The investigator should limit the search to potential evidence relevant to the ongoing case. In some cases the investigation team might uncover potential evidence related to other crimes, in which case the police should be notified before the digital investigator returns to the case at hand.

  3. Preservation

    Preserve the original state of the digital evidence. Document the steps taken to secure and isolate the evidence. The documentation and the chain of custody serve to protect the integrity of the digital evidence and the electronic information it contains. Some might argue that the state of the evidence can never be a hundred percent unaffected by the digital forensic process. The bottom line is to keep the evidence as close as possible to the state it was in when it was collected.

    The documentation connected to the preservation is meant to trail the movement, handling and integrity of the evidence, to remove any doubt others may have about the forensic process, and to make it possible for third parties to recreate the steps taken by the digital forensic examiner and achieve the same results. The preservation stage starts when potential evidence is identified on the scene and continues throughout the entire forensic process until the evidence is finally returned to the owner.

  4. Collection

    The collection stage is where the physical digital devices and electronic information are gathered. In some cases, when the physical devices cannot be seized, on-site imaging is required to collect the electronic evidence. After the evidence is identified, inexperienced and unauthorized personnel should be told to keep a solid distance from the objects to prevent any accidental or intentional action that could affect the integrity of the evidence.

    When collecting electronic evidence, wear anti-static gloves and isolate the devices in separate containers, each with a chain of custody for that specific piece of evidence. For devices with wireless communication features, the investigator might consider using Faraday bags. These bags are specifically made to block wireless signals from entering or leaving the sealed container.

    When storing the physical evidence later on, consider the elements that may affect electronic devices and include a detailed note describing the contents of the container. Considerations include humidity, temperature, anti-static surfaces, signal-isolated storage and authorized access.

  5. Imaging

    The imaging process takes place after the digital evidence is collected and brought to the forensic lab, or on-site if this is considered more appropriate and convenient. Following forensically sound practice and known guidelines, the investigator uses forensic tools to capture an exact image of the electronic information contained in the digital devices. The information produced by this process, along with contemporaneous written notes, is added to the chain of custody to continue the unbroken record of steps taken to preserve the integrity of the evidence.

    One of the most crucial pieces of information to note down is the hash value and its verification against the original data. This confirms that the imaging process is complete and that the image file is a true duplicate of the original evidence. A hash value is a fixed-length value computed by an algorithm that uniquely identifies data. By comparing the hash value of the created image to that of the original data we know that the image file has not been altered or corrupted during the imaging process. The most commonly used hash algorithms today are MD5 and SHA1.

    There are a few ways to clone data from a digital device, but the preferred method is to create a forensically sound bit-by-bit copy containing all the data of the original media, including hidden partitions and deleted files. Before beginning the imaging process, make sure the device is connected to the computer through a write blocker. Write blockers protect the integrity of the evidence by denying write access to the evidence device. After securing the connection, confirm that the device shows up correctly on the computer. You may now open your preferred imaging software and create the image file. There is an array of different image formats to select from; the most common is the ".E01" EnCase image file format.
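    As an added example that is not part of the original text, the Python script below ties the preservation and imaging steps together: it makes a bit-for-bit copy of a source, hashes the source while reading it, re-hashes the finished image, compares every digest, and produces a chain-of-custody entry. The evidence device is a constructed file, the evidence id, examiner name and paths are invented placeholders, and SHA-256 is computed alongside the MD5 and SHA1 the text names because most labs now record a collision-resistant digest as well. Opening the source read-only in software is not a write blocker; the hardware write blocker described above is assumed to be in place.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read the media 1 MiB at a time
# MD5 and SHA1 are the algorithms named in the text; SHA-256 is added as common lab practice.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, algorithms=ALGORITHMS):
    """Hash a file in chunks so a large image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image, algorithms=ALGORITHMS):
    """Bit-for-bit copy of `source` into `image`, hashing the source as it is read.

    The source is opened read-only, but that is not a substitute for the hardware
    write blocker between the workstation and the evidence device (assumed here).
    Returns the byte count and the source digests to record in the custody log.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
            copied += len(block)
    return {"bytes": copied, "source_hashes": {n: h.hexdigest() for n, h in hashers.items()}}


def verify_image(image, expected_hashes):
    """Re-read the finished image and compare every recorded digest.

    Returns (verified, actual_hashes); a mismatch on any one algorithm fails verification.
    """
    actual = hash_file(image, tuple(expected_hashes))
    verified = all(actual[name] == digest for name, digest in expected_hashes.items())
    return verified, actual


def custody_record(evidence_id, examiner, source, image, acquisition, verified):
    """One chain-of-custody entry: who imaged what, when, the digests and the outcome."""
    return {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image,
        "bytes": acquisition["bytes"],
        "hashes": acquisition["source_hashes"],
        "verified": verified,
    }


def run_demo():
    """Constructed walkthrough: a small file stands in for the evidence device."""
    workdir = tempfile.mkdtemp(prefix="acquisition-")
    source = os.path.join(workdir, "evidence-device.bin")  # constructed stand-in for a block device
    image = os.path.join(workdir, "EV-001.dd")              # raw dd-style image (placeholder id)

    # Constructed media contents: a fake boot sector, a live file, a 'deleted'
    # fragment and runs of zeroed sectors (unallocated space) that a bit-by-bit
    # copy must carry over unchanged.
    payload = (b"FAKE-BOOT-SECTOR" + b"\x00" * 496
               + b"invoice.txt: pay 12,000 EUR to account X\n"
               + b"\x00" * 2048
               + b"[deleted] meeting notes 2023-01-05\n"
               + b"\x00" * 4096)
    with open(source, "wb") as fh:
        fh.write(payload)

    acquisition = acquire_image(source, image)
    verified, _ = verify_image(image, acquisition["source_hashes"])
    record = custody_record("EV-001", "examiner-A (placeholder)", source, image, acquisition, verified)

    # Simulate one silently corrupted byte in the stored image and re-verify:
    # every digest changes, so the image can no longer be treated as a true duplicate.
    with open(image, "r+b") as fh:
        fh.seek(600)
        fh.write(b"\xff")
    tampered_verified, _ = verify_image(image, acquisition["source_hashes"])
    return record, tampered_verified


if __name__ == "__main__":
    rec, tampered = run_demo()
    print("verified on acquisition:", rec["verified"])
    print("verified after corruption:", tampered)
```

    The same `verify_image` call is what an examiner would rerun against a working copy before opening it, since the working copy must match the master image's recorded digests. A failure on any single digest is treated as a failed acquisition rather than a partial success, and the timestamp and examiner fields are what make the entry usable as part of the custody trail.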

  6. Examination

    This step examines the image file created in the previous step. Working from the image file avoids the possibility of accidentally tainting the evidence. It is common practice to keep a master image file and a working copy in case something happens to the image during examination and analysis. A variety of software is available for examining image files.

    Larger and more sophisticated software often requires a paid license, but free substitutes are also available. Forensic software allows the investigator to browse the file hierarchy contained in the image file and search for information relevant to the ongoing case.

  7. Analysis

    This step focuses on analyzing the files, documents, data and information discovered during the examination stage. The information in the image is made available by the digital investigator but may be reviewed by other personnel or third parties who are involved in or have an interest in the case.

    A review team may consist of people specialized in different fields, such as accountants, lawyers or roles within law enforcement. The main purpose of the analysis stage is to mark the discovered information as relevant and admissible evidence in order to prove or disprove claims and hypotheses made by the involved parties.

  8. Reporting

    All findings from the examination and analysis stages must be included in a written discovery report, along with the techniques and processes that were used. This allows other parties to reach the same findings by applying the same discovery process.

  9. Presentation

    Evidence uncovered throughout the investigation process should be communicated to the investigation team in a thorough presentation where questions and details about the case can be clarified. This is an important step where the team can come together and make sure everyone is on the same page.

    After the team is unified on all matters relevant to the case, there should be no remaining uncertainties about the case or the evidence among the team members. By this stage, the evidence should be complete and in a form that can be considered admissible in a court of law.

  10. Returning evidence

    The final step of the investigation process is to return the seized evidence to its original owner. This stage may have to wait a long time before it can take place. Depending on the severity of the case or the crime committed, the evidence may not be returned at all. Evidence should be returned when it is no longer needed, usually at the end of the trial, after the case is concluded and closed for archiving.