Understanding the Digital Forensics Profession and Investigations

Overview of Digital Forensics

  • Definition of Digital Forensics: This field involves the application of computer science and investigative procedures for legal purposes. The process includes the analysis of digital evidence conducted after establishing proper search authority. It relies on a rigorous framework of chain of custody, validation with mathematics, use of validated forensic tools, repeatability, official reporting, and the potential for expert presentation in a legal setting.
  • International Standards: In October 2012, the International Organization for Standardization ratified an international standard for digital forensics known as ISO 27037: Information technology — Security techniques.
  • Constitutional Protections: In the United States, the Fourth Amendment to the Constitution protects the right of individuals to be secure from unreasonable search and seizure.
    • In the context of digital evidence, separate search warrants might not always be necessary depending on the circumstances.
    • Every U.S. jurisdiction relies on case law to determine the admissibility of evidence recovered from computers and other digital devices.
  • Core Tasks in Digital Device Investigation:
    • Collecting data in a secure manner.
    • Examining suspect data to determine specific details regarding its origin and content.
    • Presenting digital information to courts of law.
    • Applying existing laws to the practices involving digital devices.
  • Forensics vs. Data Recovery:
    • Data Recovery: Primarily involves retrieving information that was deleted by accident or lost due to hardware/software failures such as power surges or server crashes.
    • Digital Forensics: A legal process focused on evidence and investigation; forensics investigators often function as part of the "investigations triad."

Digital Forensics and Related Disciplines

  • The Investigations Triad: Digital forensics is categorized alongside two other major disciplines to manage security and investigations:
    • Vulnerability/Threat Assessment and Risk Management: This discipline tests and verifies the integrity of standalone workstations and network servers.
    • Network Intrusion Detection and Incident Response: This focuses on detecting intruder attacks through the use of automated tools and the monitoring of network firewall logs.
    • Digital Investigations: This discipline manages the investigation itself and conducts the forensic analysis of systems suspected of containing evidence.

History of Digital Forensics

  • Early Developments: By the early 1990s, the International Association of Computer Investigative Specialists (IACIS) introduced specific training for digital forensics software.
  • Agency and Private Tools:
    • The IRS developed search-warrant programs.
    • ASR Data created the tool Expert Witness for Macintosh.
    • ILook is a tool currently maintained by the IRS Criminal Investigation Division.
    • AccessData Forensic Toolkit (FTK) remains a popular and widely used commercial product for digital investigations.
  • The Role of Case Law: Because technology changes faster than statutes can be written, case law is essential. It enables legal counsel to apply rulings from previous similar cases to address ambiguities in current laws. Examiners must remain current on court rulings regarding search and seizure in electronic environments.

Preparing for Digital Investigations

  • Categories of Investigation:
    • Public-Sector Investigations: These involve government agencies (local, state, or federal) responsible for criminal investigations and prosecution. They are heavily restricted by the Fourth Amendment and must follow guidelines from the Department of Justice (DOJ), which updates computer search and seizure information regularly.
    • Private-Sector Investigations: These focus primarily on violations of company policy rather than criminal statutes.
  • Key Personnel Roles:
    • Digital Evidence First Responder (DEFR): The individual who arrives at the incident scene first. Their job is to assess the situation and take necessary precautions to acquire and preserve evidence.
    • Digital Evidence Specialist (DES): A professional with the specialized skills to analyze data. They are also responsible for determining if and when a more specialized expert is required.
  • Legal Documentation:
    • Affidavit: A sworn statement supporting facts or evidence regarding a crime. It must include exhibits that support the specific allegations made.

The Digital Forensics Professional Process

  • Primary Objective: To gather evidence that proves a suspect committed a crime or violated a company policy and then present that evidence in court or at a corporate inquiry.
  • Specific Duties:
    • Investigate the suspect’s computer.
    • Preserve the evidence on a separate, different computer.
    • Maintain the Chain of Custody: This is the documented route that evidence takes from the moment it is found until the case is closed or goes to court.
  • Computer Crime Investigation Goals: Computers are analyzed to determine the chain of events leading to a crime and to find evidence for a conviction. Investigators must follow strict procedures, as digital evidence is easily altered.
  • Technical Challenges: Investigators may encounter password protection on hard disks, necessitating the use of specialized forensic tools.
  • Corporate Policy Violations: Misuse of resources by employees (e.g., internet surfing, personal emails, personal tasks) can cost companies millions of dollars.

Conducting the Investigation: A Systematic Approach

  • Case Assessment: Investigators must outline the case details systematically, including:
    • The situation and nature of the case.
    • The specifics and known disk formats.
    • The type and location of the evidence.
  • Planning and Documentation:
    • Evidence Custody Form (also known as a Chain-of-Evidence Form): Used to document every action taken with original evidence and forensic copies.
    • Single-evidence form: Lists each piece of evidence on a separate page.
    • Multi-evidence form: Lists multiple pieces of evidence.
  • Evidence Seizure and Storage:
    • Use antistatic bags and antistatic pads to prevent damage.
    • Use well-padded containers for transport.
    • Secure all openings with evidence tape, including CD drive bays, power supply slots, and USB ports.

Private-Sector High-Tech Investigations

  • Procedures: Investigators should utilize both formal procedures and informal checklists to ensure high-tech investigations cover all necessary issues and utilize correct techniques.
  • Attorney-Client Privilege (ACP): When working for an attorney, findings must remain confidential. While attorneys often prefer physical printouts, investigators must often educate them on how to view digital evidence electronically. Binary files can present specific challenges in these cases.
  • Industrial Espionage: These cases should always be treated as criminal investigations and require a specialized team, including:
    • A Digital Investigator (disk forensic examinations).
    • A Technology Specialist (expert in the compromised technical data).
    • A Network Specialist (log analysis and network sniffers).
    • A Threat Assessment Specialist (typically an attorney).

Interviews and Interrogations

  • Definitions:
    • Interview: A process to collect information from a witness or suspect regarding specific facts of an investigation.
    • Interrogation: A process specifically intended to elicit a confession from a suspect.
  • Investigator Role: The digital investigator's role is to guide the person conducting the interview on what specific questions to ask and identify what the correct answers should be.
  • Key Traits for Success: A successful interviewer must be patient, tenacious, and capable of repeating or rephrasing questions to extract facts from reluctant subjects.

The Digital Forensics Lab and Workstation

  • Forensics Lab: Also known as a data-recovery lab; investigations are conducted here.
  • Forensics Workstation: A specially configured PC equipped with additional drive bays and forensic software.
  • Write-Blocker Devices: Crucial tools that allow an investigator to boot into Windows without writing any data to the evidence drive, thereby preventing evidence alteration.
  • Standard Workstation Requirements:
    • Operating system: Windows 7 or later.
    • A write-blocker device.
    • Digital forensics acquisition and analysis tools.
    • Target drive (to receive the source disk data).
    • Spare PATA or SATA ports.
    • USB ports.

Data Acquisition and Analysis

  • The First Rule of Computer Forensics: Preserve the original evidence. Analysis should only be performed on a copy of the data.
  • Acquisition Tools: Various vendors provide tools for MS-DOS, Linux, and Windows. Windows-based tools require write-blockers for FAT or NTFS file systems.
  • Data Recovery Targets: Investigators look for deleted files, file fragments, and complete files. Deleted files remain on the disk until overwritten.
  • Tool Highlight: Autopsy:
    • Procedure for USB Drive analysis:
      1. Start Autopsy and create a new case.
      2. Enter the case name and select the working folder.
      3. Add source data by selecting the data source type and image file.
      4. Configure Ingest Modules (often keeping default settings).
      5. Expand "Views," "File Types," "By Extension," and "Documents" to display data.
      6. Use the "Tag and Comment" feature for analysis.
    • Data analysis is recognized as the most time-consuming task of the process.
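The "validation with mathematics", chain-of-custody and repeatability points above, worked as an added example (not code from these notes or from any forensic tool): hashing a constructed sample image, confirming that a forensic copy matches it before any analysis, and keeping custody-form entries whose hashes must agree for the findings to be repeatable. The image bytes, item ids and examiner names are made up for the illustration.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample bytes standing in for a raw disk image (not a real acquisition).
ORIGINAL_IMAGE = b"MBR\x00" * 64 + b"hello.txt contents\x00" + b"\x00" * 200
FORENSIC_COPY = bytes(ORIGINAL_IMAGE)      # bit-for-bit copy, as a write-blocked acquisition yields
TAMPERED_COPY = bytearray(ORIGINAL_IMAGE)
TAMPERED_COPY[300] ^= 0x01                 # a single flipped bit in an otherwise identical copy

def image_hashes(data, chunk_size=4096):
    """Stream the image in chunks (as a tool does for a real disk) and return MD5 and SHA-256 hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        block = data[offset:offset + chunk_size]
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def verify_copy(original, copy):
    """'Validation with mathematics': analysis may proceed on the copy only if its hashes equal the original's."""
    return image_hashes(original) == image_hashes(copy)

def custody_entry(item_id, action, examiner, data, when=None):
    """One line of a single-evidence custody form: who did what to which item, when, and its hashes at that moment."""
    stamp = (when or datetime.now(timezone.utc)).isoformat()
    return {"item_id": item_id, "action": action, "examiner": examiner, "timestamp": stamp, **image_hashes(data)}

def custody_chain_consistent(chain):
    """Repeatability check: every later entry for an item must report the same hashes as its first (acquisition) entry."""
    first_seen = {}
    for entry in chain:
        reference = first_seen.setdefault(entry["item_id"], entry)
        if (entry["md5"], entry["sha256"]) != (reference["md5"], reference["sha256"]):
            return False
    return True

if __name__ == "__main__":
    chain = [
        custody_entry("E-001", "acquired from suspect drive", "examiner A", ORIGINAL_IMAGE),
        custody_entry("E-001", "copy verified before analysis", "examiner A", FORENSIC_COPY),
    ]
    print("copy matches original:", verify_copy(ORIGINAL_IMAGE, FORENSIC_COPY))
    print("tampered copy matches:", verify_copy(ORIGINAL_IMAGE, bytes(TAMPERED_COPY)))
    chain.append(custody_entry("E-001", "re-hashed after transport", "examiner B", bytes(TAMPERED_COPY)))
    print("custody chain consistent:", custody_chain_consistent(chain))
```

A real workflow would hash the physical source through the write-blocker and the acquired image file separately; the comparison and the custody record are the same.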

Completing the Case and Reporting

  • The Final Report: A document stating what actions were taken and what was found. It should include the Autopsy report and show conclusive evidence (whether the suspect committed a crime or violated policy).
  • Repeatability: Findings must be repeatable, meaning the same steps must produce the same result.
  • Documentation and Journals: Investigators must keep a written journal of all actions to be used in court, answering the Six Ws: Who, What, When, Where, Why, and How.
  • Autopsy Report Generator: This tool can generate reports in various formats, such as plain text, HTML, and Excel.
  • Self-Critique: Investigators should always critique their own work to ensure quality and accuracy.