Lecture 3: Digital Forensics Crime Scene Investigation Notes

General Forensics Guidelines

  • Cause as little impact on the evidence as possible; examine but do not alter.

  • Document everything, ensuring reproducibility with timestamps and details; maintain an audit trail (contemporaneous notes).

  • Secure the evidence by taking it offline, restricting access, and hashing evidence files to maintain integrity. Maintain a Chain of Custody for traceability.

Documenting Everything: Note Taking

  • Notes should be clear, intelligible, accurate, and contemporaneous (up-to-date, in chronological order, timestamped).

  • Examiners should record anything they see, hear, and do during the examination.

  • If you are not available to present the evidence when the time comes, your notes should be detailed enough to allow someone else to explain what you did at the time of the investigation.

  • Notes should enable recall of actions long after (could be years after) the details are forgotten and allow peer review.

ACPO Principles Applied to Crime Scene

  • The process of collecting, securing, and transporting digital evidence should not change the evidence.

  • Digital evidence should be examined only by trained personnel.

  • Everything done during seizure, transportation, and storage should be fully documented, preserved, and available for review.

Before Attending the Crime Scene

  • Ensure legal authority exists to seize evidence (e.g., a search warrant), including the scope of the warrant (all premises or only some rooms) and the warrant's validity (expiration date).

  • Determine the resources needed such as forensics paraphernalia and computer tools kit.

At the Crime Scene

  • Recognize, identify, seize, and secure all digital evidence.

  • Document the entire scene and the specific location of the evidence.

  • Collect, label, and preserve the digital evidence; package and transport it securely.

  • In all cases, evidence collection must comply with best-practice principles to be admissible in a court of law.

Steps at the Scene

  • Secure the scene to limit access and protect evidence using adequate protection such as gloves.

  • Walk through/survey the scene to identify obvious, not-so-obvious, hidden, and fragile sources of digital evidence.

  • Document the scene before moving anything, including taking field notes, sketches, videos, tagging cables, recording connections, models, serial numbers, and photographing the scene.

Before Seizing an Item

  • Ensure any interference meets necessity and proportionality objectives.

  • Interference must not be arbitrary, unfair, or heavier than the crime committed.

  • Consider whether the item is likely to hold evidence (e.g., family vs. suspect computer).

  • Record where the item was found (e.g., office, living room).

  • Consider when the offense was committed to narrow down evidence (e.g., CCTV).

  • Differentiate between mobile phones found on a suspect vs. in a drawer.

Bag-and-Tag

  • All evidence collected must be marked as exhibits for easy identification and to ensure chain of custody.

  • All software and manuals relating to the seized evidence should also be seized.

  • Use a Faraday bag for mobile devices found powered on.

Decisions to Be Made

  • A mobile device contains physical evidence as well as digital evidence.

  • Decide whether to seize evidence, and whether to do live or partial acquisition.

  • Balance circumstances, cost, time, available resources, and priorities.

  • Consider the risk of unnecessary disruption and/or violation of human rights and the likelihood of destruction of potential digital evidence.

Reasons for Live Acquisition

  • When volatile data is relevant (e.g., data in active memory, running processes).

  • When full disk encryption is suspected (to recover decryption keys).

  • When the system is too critical to be powered off (e.g., servers running 24/7, medical/surveillance systems).

  • When malware is suspected (analysis of volatile data may reveal backdoors).

  • When data in transit contains potential evidence (e.g., network traffic).

Decisions to Be Made: Device States

  • If the device is off, leave it off.

  • If the device is on, decide between graceful shutdown (software shutdown) or hard shutdown (interrupting power).

  • Hard shutdown preserves the original state better (ACPO Principle 1).

Digital Forensics Investigation: Methodology

  • Investigators must select the most appropriate process model for the circumstances.

Core Phases of Digital Forensics Investigation

  • 1. Preparation Phase: Creating a plan of action, developing a strategy for handling the type of investigation, and obtaining the necessary resources.

  • 2. Survey Phase: Also called the identification phase. Identifying potential sources of evidence and prioritising them (which digital evidence to acquire, and in which order).

  • 3. Preservation Phase: Also referred to as acquisition. Follow ACPO guidelines:

    – Cataloguing and storing the original evidence.

    – Making exact digital duplicates of the original evidence for investigators to examine/analyse, using write blockers (using a write-blocker device is best practice, since it prevents the original media from being changed during acquisition).

    – Keeping the Chain of Custody up-to-date.

    – Preventing alterations/changes to the original.

  • 4. Examination Phase: Extracting and viewing information from the evidence and making it available for analysis. This typically involves:

    – (i) Recovery: deleted/hidden/camouflaged files, and reconstruction of data fragments to recover files.

    – (ii) Harvesting: gathering data and metadata about all recovered files.

    – (iii) Organisation & search: grouping/tagging/bookmarking/searching (e.g., keyword search, pattern search, search for known files), and physically organising data into meaningful units to facilitate access.

    – (iv) Reduction: eliminating irrelevant data. The criteria used to eliminate data are very important and may be questioned, so they should be based on the case and the search warrant.

  • 5. Analysis Phase: Analyzing content, correlating information, and explaining provenance. The output of this phase should be validated facts and reasoned findings around a "theory" that explains the crime/offense with a degree of certainty.

  • 6. Presentation Phase: Documenting the processes, methods, and tools used, and generating reports. Documenting each conclusion with a thorough description of the supporting evidence, analysis, and methodologies employed is crucial for ensuring transparency and accountability in the investigative process. This includes:

    – Documenting any alternative theories eliminated because they were contradicted or unsupported by evidence.

    – "Translating" technical details into a narrative for non-technical decision makers (e.g., attorneys, jury, CEOs).
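The evidence hashing and Chain of Custody practices from the General Forensics Guidelines and the Preservation Phase above, worked through as an added Python example (not part of the lecture notes): it hashes a constructed sample image and its duplicate in chunks, checks that the two digests agree, and keeps a timestamped, append-only custody log in which every entry commits to the previous one, so any later edit to an entry is detectable when the log is reviewed. The exhibit ID, examiner name, and image contents are constructed sample values.

```python
import hashlib, io, json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor for the first custody entry's prev_hash

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a file-like object in chunks so a multi-GB image need not fit in RAM."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def sha256_bytes(data):
    return sha256_stream(io.BytesIO(data))

def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Contemporaneous, append-only record; each entry commits to the previous one."""
    def __init__(self):
        self.entries = []

    def append(self, exhibit_id, action, examiner, evidence_hash, note=""):
        entry = {"timestamp": datetime.now(timezone.utc).isoformat(),
                 "exhibit_id": exhibit_id, "action": action, "examiner": examiner,
                 "evidence_hash": evidence_hash, "note": note,
                 "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS}
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """(True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, None

if __name__ == "__main__":
    original = b"constructed sample: contents of the seized media"  # not a real image
    h_orig, h_dup = sha256_bytes(original), sha256_bytes(bytes(original))
    log = CustodyLog()
    log.append("EXH-001", "seized", "Examiner A", h_orig, "desk drawer, office 2")
    log.append("EXH-001", "imaged via write blocker", "Examiner A", h_dup,
               "hash verified" if h_orig == h_dup else "HASH MISMATCH")
    print(json.dumps(log.entries, indent=2), "\nchain intact:", log.verify())
```

In practice `sha256_stream` is called on the opened original media and on the acquired image file, and the log is persisted to write-once storage alongside the exhibit.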