Digital Forensic Investigation Process
Overview of the Forensic Process
The forensic investigation process is a methodological approach to managing a case from initial search and seizure to final reporting.
Digital evidence is incredibly fragile (stored in RAM, caches, and volatile buffers), thus adherence to established protocols is critical to maintain the integrity of evidence for legal purposes.
The Three Main Phases
Pre-Investigation Phase: Setting up the lab, building the team, and obtaining management approval.
Investigation Phase: The core actions of acquiring, preserving, and analyzing evidence to identify the culprit.
Post-Investigation Phase: Reporting findings and providing testimony.
Pre-Investigation: Building the Foundation
Before an investigation begins, an organization must establish its capabilities.
Setting up the Forensic Lab
A dedicated space is required, equipped with specialized hardware and software.
Physical Requirements:
Proper sizing
Storage areas
Evidence lockers
HVAC controls to protect sensitive hardware from heat/humidity
Security Measures:
Electronic sign-ins
Alarms
Camera recordings
Workstations:
High-performance machines (e.g., FRED - Forensic Recovery of Evidence Device) instead of standard office PCs.
Hardware Tools:
Write blockers (to prevent accidental data modification)
Drive duplicators
Specialized cables
Software Tools:
Data acquisition tools (e.g., FTK)
Password crackers
Packet analyzers (e.g., Wireshark)
The Forensics Team
A small, intelligent, and highly trained team is ideal. Roles often include:
Incident Responder: Takes immediate action upon breach.
Evidence Examiner: Acquires and sorts through data.
Expert Witness: Provides formal testimony in court.
Attorney: Offers legal counsel throughout the investigation process.
Investigation Phase
This phase involves the active stage of the investigation where critical actions occur. It consists of eight key steps:
Documentation: Keeping a meticulous record of the scene.
Search and Seizure: Legally securing evidence.
Preservation: Ensuring that data is not altered (using write blockers).
Acquisition: Making forensic copies of the data.
Analysis: Examining the data to find evidence of the crime.
Case Analysis: Identifying the culprit by piecing together evidence.
Reporting: Creating a clear, acceptable report for the intended audience.
Testifying: Presenting findings in court as an expert witness.
Key Concept: Established Precedents
Investigators must be aware of relevant Case Law.
Example: A "Welcome" banner on a network router has been used in court to exonerate attackers, as it was argued that they were "invited" in.
Understanding such precedents is essential for protecting the organization and ensuring the admissibility of evidence.
Ethical and Legal Considerations
Investigators must follow strict guidelines to maintain the integrity of evidence for court proceedings.
Deviating from established legal standards can jeopardize the entire investigation.
Post-Investigation Phase
Involves compiling findings and potentially providing testimony based on the investigation. Documentation must include:
Evidence handling procedures.
Testimonies about evidence handling and findings.
Documentation and Reporting Requirements
Reports should be structured in a clear language, contain all necessary information, and be technically sound.
Include an executive summary of what was accomplished and details about the incident.
Successful Testimony
As an expert witness, familiarity with courtroom procedures and technology is necessary.
Preparation includes knowledge of how to present evidence effectively, and familiarity with the case and context surrounding the material presented in court.
Case Study Reflection: Connecticut vs. Julie Amero
Highlights the necessity for knowledgeable expert witnesses in forensic investigations due to the complexities of technological evidence.
Illustrates how misunderstanding tools and technologies can lead to wrongful convictions, emphasizing the need for informed legal representation and forensic examination.
Best Evidence Rule
States that the court only allows the original of a document, photograph, or recording to be entered at trial rather than a copy. However, a duplicate can be accepted as evidence, provided the court finds the party's reasons for submitting the duplicate to be genuine.
The principle underlying the best evidence rule is that the original is considered the best evidence.
Scientific Working Group on Digital Evidence (SWGDE)
Principle 1
In order to ensure that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards its accuracy and reliability, law enforcement and forensic organizations must establish and maintain an effective quality system.
Principle 1.1
Association of Chief Police Officers Principles of Digital Evidence
No action should be taken that may change data held on a computer or storage media.
Anyone who tampers with, manipulates, or accesses the original data must be qualified and competent to do so.
An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to replicate the actions taken and achieve the same result.
The person in charge of the overall investigation is responsible for ensuring that the law and these principles are upheld, and for any legal action undertaken.
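The Preservation and Acquisition steps above, together with the ACPO requirement for an audit trail that an independent party can replicate, as an added example that is not part of the original notes: hash a constructed sample device, make the forensic copy, log every action, and let a second examiner re-verify the image against the logged hash. Function names, entry fields and the sample device contents are assumptions; hardware write blocking is assumed to be in place.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "device contents" standing in for a seized drive (not real evidence).
SAMPLE_DEVICE = b"CASE-DEMO: constructed disk contents\n" * 64


def sha256_hex(data: bytes) -> str:
    """Digest of the whole byte stream; this is the value preserved in the audit trail."""
    return hashlib.sha256(data).hexdigest()


def record(trail: list, examiner: str, action: str, **details) -> dict:
    """Append one audit-trail entry: every process applied to the evidence is logged."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "action": action, **details}
    trail.append(entry)
    return entry


def acquire_image(source: bytes, examiner: str, trail: list) -> bytes:
    """Forensic copy of `source` with source and image hashes logged.

    A hardware write blocker is assumed; here `source` is an immutable bytes
    object and the image is a separate copy, so the original is never modified.
    """
    source_hash = sha256_hex(source)
    record(trail, examiner, "hash_source", sha256=source_hash, size=len(source))
    image = bytes(source)  # bit-for-bit copy
    image_hash = sha256_hex(image)
    record(trail, examiner, "acquire_image", sha256=image_hash, size=len(image))
    if image_hash != source_hash:
        raise RuntimeError("acquisition hash mismatch: image is not a faithful copy")
    return image


def verify_image(image: bytes, trail: list, examiner: str) -> bool:
    """Independent re-check: recompute the hash and compare with the logged acquisition hash."""
    logged = [e for e in trail if e["action"] == "acquire_image"]
    expected = logged[-1]["sha256"] if logged else None
    actual = sha256_hex(image)
    ok = expected is not None and actual == expected
    record(trail, examiner, "verify_image", sha256=actual, expected=expected, result=ok)
    return ok


def trail_as_jsonl(trail: list) -> str:
    """One JSON object per line, so the trail can be preserved alongside the case file."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in trail)
```

A verification that fails after the image was stored or transferred is itself recorded in the trail, which is what makes the mismatch reviewable later.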
Forensic Readiness & Business Continuity
Forensic readiness helps maintain business continuity by allowing quick identification of the impacted components so that they can be replaced and service restored.
Forensic readiness allows businesses to:
Quickly identify incidents
Collect legally sound evidence and analyze it to identify attackers
Minimize the resources required
Recover quickly from damage with less downtime
Gather evidence to support insurance claims
Legally prosecute the perpetrators and claim damages
Lack of forensic readiness may result in:
Loss of clients due to damage to the organization's reputation
System downtime
Data manipulation, deletion, and theft
Inability to collect legally sound evidence