Chapter 4: Digital Forensics Investigation Checklists

4.1 Computer Forensics Processing Checklist

The following checklist serves as an educational guideline for the activities involved in a digital forensic investigation. It was contributed by Cmdr. Dave Pettinari of the Pueblo County Sheriff's Office (Pueblo High-Tech Crimes Unit).

Preliminaries
  • Track Man-Hours

    • Begin documenting the time spent on media analysis and administrative tasks.

  • Verify Legal Authority

    • Confirm the legal basis for the analysis: what search authority exists (consent, warrant, or subpoena) and what it covers.

    • Determine the scope of analysis that the authority permits, including which files or data types may be examined (e.g., only email of a certain kind); do not examine data outside that scope.

    • Obtain a copy of relevant legal documents and include it in the analysis case file.

  • Documentation File

    • Access the master documentation file of the case and add it to the analysis case file.

  • Forensic Software Preparation

    • Create a modified (forensically safe) boot disk for the forensic software (e.g., EnCase), one that will not mount or write to the subject's drive, and make sure it matches the software version installed on the forensic machine.

Determine Best Method
  • Assess whether the forensic examiner has the necessary experience, training, and equipment to process the evidence.

  • If lacking, complete a Colorado Bureau of Investigation 'request for assistance' form to submit the evidence to the CBI lab.

Prepare the Case File
  • Complete all necessary initial case documentation to track pertinent details during the forensic examination:

    • Obtain a copy of the search warrant or consent form when the case file is opened.

    • Instruct the submitting officer to fill out the “Official Request for Laboratory Examination.” This includes specifying relevant keywords for investigation.

Fill Out a Media Analysis Worksheet
  • The Media Analysis Worksheet is crucial for tracking the flow and process of media analysis.

    • Record key details of the support provided in the form.

    • This worksheet should also maintain information for reporting to agencies or internal units regarding provided support.

Create a Comprehensive Report
  • As you progress, maintain detailed notes, including but not limited to:

    1. Date and time of evidence collection

    2. Current date and time (indicating time zone)

    3. Significant problems or broken items discovered

    4. Any lapses in the analysis

    5. Findings or evidence uncovered

    6. Special techniques utilized (e.g., password cracking)

    7. External sources engaged for additional information or support.

Log Out Evidence - Visual Inspection and Inventory
  1. Document all computer media and machines that have been seized and will be analyzed.

  2. Label removable media (e.g., diskettes, JAZ cartridges) sequentially (A1, A2, A3, etc.) and use the same labels as the evidence names when acquiring the media into the EnCase case file, so that every image can be traced back to its physical item.

  3. Ensure evidence tags reflect all items seized, documenting any damage that is not noted on these tags.

  4. Conduct a visual inspection of the physical condition of the seized computer:

    • Open the CPU case (system unit) and record the internal components: motherboard and circuitry, hard drives, removable drives, RAM, CPU speed, and so on.

    • Document any alternative storage devices present, like flash drives or disconnected hard drives.

    • Record the configured boot order (which device the system boots from).

  5. Determine whether the CPU contains information that justifies further analysis, and confirm that it is functional.

  6. Record the arrangement and settings of internal devices (jumpers, cabling, etc.) essential for analysis.

  7. Photograph the system's condition upon arrival in the media analysis lab.

  8. Review all items for signs of mishandling or damage beyond what is documented.

Split Evidence Tag Procedures
  1. If a hard drive is removed from its system for analysis:

    • Tag it separately or use an indelible marker to note case number, suspect name, etc.

    • The new tag should be comparable to the original but designated with an additional letter (e.g., A, B).

  2. Document the person receiving the property alongside details of the forensic examiner who removed the drive.

  3. Maintain the chain of custody for the hard drive until the analysis is finalized, then return it to the original CPU and document the return.

Create an Analysis Directory
  • Establish a dedicated directory on the forensic examination computer for analysis, where potential evidence and relevant files will be stored.

  • Develop a keyword list derived from reviewing case data to guide analysis and include it in the analysis file.

Subject’s Computer Evaluation
  1. Check the computer's CMOS/BIOS settings so that the system boots from the modified EnCase boot disk rather than from the subject's hard drive.

  2. Record the system clock's date and time, compare it with a reference clock (noting the time zone), and log any offset rather than correcting it; the offset is needed to interpret file timestamps correctly.

  3. Record detailed information about all hard drives (make, model, capacity, condition, internal/external).

  4. Power down the computer to identify and document hard drive settings.

  5. Modify the forensic workstation's settings as needed according to the hard drive specifications.

Government Computer Media Analysis Workstation
  1. Select appropriate backup utilities based on the media size and type for efficient imaging, typically EnCase.

  2. Attach the subject's hard drive to the forensic computer to begin analysis.

  3. Verify CMOS settings for proper booting and initiate imaging using the modified boot disk.

  4. During imaging, compare the drive geometry and capacity reported by the tool with the manufacturer's specifications for the drive; a mismatch can mean that part of the drive is not being imaged.

  5. Use EnCase to create an image of the subject's hard drive, verify the acquisition hash, and return the evidence to secure storage afterward.

Diskette Analysis
  1. Separate the floppy diskettes and set the write-protect tab on each one before it is placed in a drive.

  2. Image each diskette using EnCase and accumulate evidence files in the case.

  3. Scan each diskette for viruses before acquisition (with the diskette still write-protected) and note any detected viruses in your notes.
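The imaging steps above (hard drive and diskette) end with the same question: does the image contain exactly the bytes that were on the media? The following is an added example, not code from the checklist or from EnCase, that shows a bit-stream acquisition with hash verification. Everything in it is assumed: the "device" is a regular file constructed in the script in place of a real diskette or drive (which on a real system would be opened read-only behind a hardware write blocker), and the paths, evidence label and examiner name are made up.

```python
"""Added example, not part of the original checklist or of EnCase: a
bit-stream acquisition with hash verification.  Assumptions (hypothetical):
the 'device' is a regular file constructed here instead of a real diskette or
hard drive; all paths, labels and examiner names are made up."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat for large media


def sha256_of_file(path):
    """Hash a file by re-reading it from disk, independent of the copy loop."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(device_path, image_path, evidence_label, examiner):
    """Copy device -> image, hashing the source bytes as they are read.

    'verified' is True only when the hash of the bytes read from the source
    equals the hash of the image re-read from disk afterwards, which is the
    check an examiner wants recorded before the evidence goes back to storage.
    """
    started = datetime.now(timezone.utc).isoformat(timespec="seconds")
    src_hash = hashlib.sha256()
    size = 0
    with open(device_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    os.chmod(image_path, 0o444)  # the image is read-only from here on
    image_sha256 = sha256_of_file(image_path)
    return {
        "evidence_label": evidence_label,
        "examiner": examiner,
        "source": device_path,
        "image": image_path,
        "bytes": size,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_sha256,
        "verified": src_hash.hexdigest() == image_sha256,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def verify_image(image_path, expected_sha256):
    """Re-verify an image later, e.g. before analysis or before court."""
    return sha256_of_file(image_path) == expected_sha256


def demo():
    """Constructed sample: a 1.44 MB 'diskette' with a boot-sector-like
    header and patterned data, so the example runs without any hardware."""
    tmp = tempfile.mkdtemp()
    device = os.path.join(tmp, "fd0")
    image = os.path.join(tmp, "A1.dd")
    data = bytearray(b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 500)
    data += bytes(range(256)) * ((1474560 - len(data)) // 256)
    data += b"\x00" * (1474560 - len(data))
    with open(device, "wb") as f:
        f.write(data)
    record = acquire(device, image, "A1", "examiner-1")
    record["still_verified"] = verify_image(image, record["source_sha256"])
    # A copy with a single altered byte must fail verification.
    tampered = os.path.join(tmp, "A1-tampered.dd")
    with open(tampered, "wb") as f:
        f.write(bytes(data[:-1]) + b"\xff")
    record["tampered_verified"] = verify_image(tampered, record["source_sha256"])
    return record


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The returned record is what belongs on the Media Analysis Worksheet: evidence label, examiner, byte count, both hashes and the UTC start and finish times. The hash of the image is computed by re-reading the file, not by reusing the digest from the copy loop, so a write error on the destination shows up as a mismatch.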

Create Findings and Analysis CDs
  1. Copy evidentiary files from the evidence-processing computer to a CD-ROM, including necessary utilities for file reconstruction.

  2. Duplicate the evidentiary CD for safekeeping and ensure EnCase reports are included within the documentation.
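Copying findings to a CD and duplicating it only helps if the copies can be shown to hold the right bytes. As an added example (not from the checklist), the script below builds a hash manifest of a findings directory, writes it onto the media, and verifies a duplicate against it, reporting files that are missing, altered or unexpected. The directory layout, file names and file contents are constructed for the example and are not from the source.

```python
"""Added example, not part of the original checklist: a hash manifest for
findings media.  Directory layout, file names and contents are constructed
here for the example and are not from the source."""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "MANIFEST.json"


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to size and SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full),
                             "sha256": sha256_of_file(full)}
    return manifest


def verify_media(root, manifest):
    """Compare a copy (burned CD, duplicate) against a manifest.

    'missing': listed in the manifest but absent on the media;
    'mismatched': present but with different bytes; 'extra': on the media
    but not in the manifest.  The manifest file itself is not counted.
    """
    actual = build_manifest(root)
    actual.pop(MANIFEST_NAME, None)
    missing = sorted(p for p in manifest if p not in actual)
    mismatched = sorted(p for p in manifest
                        if p in actual and actual[p]["sha256"] != manifest[p]["sha256"])
    extra = sorted(p for p in actual if p not in manifest)
    return {"ok": not (missing or mismatched or extra),
            "missing": missing, "mismatched": mismatched, "extra": extra}


def demo():
    tmp = tempfile.mkdtemp()
    findings = os.path.join(tmp, "findings")
    samples = {  # constructed sample findings and utilities
        "email/msg0001.eml": b"From: user@example.invalid\r\nSubject: invoice\r\n\r\nsee attached\r\n",
        "recovered/photo_0042.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        "tools/README.txt": b"viewer utility and hash list\n",
        "EnCase_report.html": b"<html><body>report</body></html>\n",
    }
    for rel, content in samples.items():
        path = os.path.join(findings, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    # The manifest is built on the processing machine and written to the media.
    manifest = build_manifest(findings)
    with open(os.path.join(findings, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    # Copy 1: a faithful duplicate.
    cd1 = os.path.join(tmp, "cd1")
    shutil.copytree(findings, cd1)
    # Copy 2: a damaged copy with one corrupted file, one missing, one extra.
    cd2 = os.path.join(tmp, "cd2")
    shutil.copytree(findings, cd2)
    with open(os.path.join(cd2, "recovered", "photo_0042.jpg"), "ab") as f:
        f.write(b"\x01")
    os.remove(os.path.join(cd2, "tools", "README.txt"))
    with open(os.path.join(cd2, "stray.tmp"), "wb") as f:
        f.write(b"left over\n")
    # The verifier reads the manifest from the media it is checking.
    results = {}
    for name, cd in (("good", cd1), ("bad", cd2)):
        with open(os.path.join(cd, MANIFEST_NAME)) as f:
            results[name] = verify_media(cd, json.load(f))
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep a second copy of the manifest (or at least its own hash) in the case file, not only on the media: a manifest that travels with the files it describes proves the copy matches the manifest, but only the case-file copy proves the manifest itself was not rewritten.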

Case Report Writing and Documentation
  1. Prepare an “Investigative Analysis Report” detailing the entire computer media analysis and findings.

    • Deliver this report to the case officer with all relevant documentation and forms.

  2. Print out pertinent files for inclusion as attachments to the report where applicable and coordinate with authorities for printing large volumes if needed.

Notes of Importance During Report Writing
  1. Avoid making assumptions about evidence, particularly regarding email identities.

  2. Do not suggest leads in the report; only present findings for the case officer’s interpretation.

  3. Run spell check before submission.

  4. Verify that the findings media contains the correct data (e.g., by comparing file hashes against the originals) before handing it over.

4.2 Documenting and Reporting According to NIJ

The following procedures should be adhered to when documenting and reporting digital forensic examinations:

Examiner’s Notes
  • Keep contemporaneous, consistent documentation throughout the examination.

  • General considerations to assist examiners:

    • Note consultations with case investigators/prosecutors.

    • Retain copies of search authority and initial requests.

    • Document dates, times, actions, descriptions, and outcomes during examination.

    • Record irregularities encountered and the actions taken in response.

    • Include information on system changes made by law enforcement.

    • Record details of the operating systems, software versions, and patch status of the systems examined.
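Both the "Create a Comprehensive Report" notes in 4.1 and the NIJ examiner's notes above ask for the same thing: dated, timed, time-zoned entries recording actions, outcomes and irregularities, written as they happen. The following is an added example, not code from the checklist or the NIJ guidance, of a notes log that stamps each entry when it is written and chains each entry's SHA-256 to the previous one, so a note that is edited, inserted or deleted afterwards is detected on verification. The file name, case number, examiner, the Mountain Time offset and the sample entries are all hypothetical.

```python
"""Added example, not from the checklist or the NIJ guidance: a
contemporaneous examiner's notes log with a SHA-256 hash chain.  The file
name, case number, examiner, time zone offset and entries are hypothetical."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def entry_hash(entry):
    """Hash of an entry's fields (including 'prev') in a canonical encoding."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


class ExaminerNotes:
    def __init__(self, path, examiner, local_tz):
        self.path, self.examiner, self.local_tz = path, examiner, local_tz

    def _last_hash(self):
        last = GENESIS
        if os.path.exists(self.path):
            with open(self.path) as f:
                for line in f:
                    if line.strip():
                        last = json.loads(line)["hash"]
        return last

    def add(self, action, result="", irregularity=""):
        """Append one note; the timestamp is taken now, not typed in later."""
        now = datetime.now(timezone.utc)
        entry = {
            "utc": now.isoformat(timespec="seconds"),
            "local": now.astimezone(self.local_tz).isoformat(timespec="seconds"),
            "examiner": self.examiner,
            "action": action,
            "result": result,
            "irregularity": irregularity,
            "prev": self._last_hash(),
        }
        entry["hash"] = entry_hash(entry)
        with open(self.path, "a") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry["hash"]


def verify_notes(path):
    """Walk the chain. Returns (ok, index of first bad entry or None, entries checked)."""
    prev, n = GENESIS, 0
    with open(path) as f:
        for line in f:
            if not line.strip():
                continue
            entry = json.loads(line)
            claimed = entry.pop("hash")
            if entry.get("prev") != prev or entry_hash(entry) != claimed:
                return False, n, n
            prev, n = claimed, n + 1
    return True, None, n


def demo():
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "case-0001-notes.jsonl")  # hypothetical case number
    mountain = timezone(timedelta(hours=-7))  # assumed examiner time zone (MST)
    notes = ExaminerNotes(path, "examiner-1", mountain)
    notes.add("Copy of search warrant placed in case file", "done")
    notes.add("Compared subject CMOS clock with reference clock",
              "subject clock 4 min 12 s slow", irregularity="clock offset recorded")
    notes.add("Acquired A1 with write-protect tab set", "hash verified")
    results = {"intact": verify_notes(path)}
    with open(path) as f:
        lines = f.read().splitlines()
    # Someone edits the result of the second note after the fact.
    edited = os.path.join(tmp, "edited.jsonl")
    e = json.loads(lines[1])
    e["result"] = "subject clock accurate"
    with open(edited, "w") as f:
        f.write("\n".join([lines[0], json.dumps(e, sort_keys=True), lines[2]]) + "\n")
    results["edited"] = verify_notes(edited)
    # Someone removes the second note entirely.
    deleted = os.path.join(tmp, "deleted.jsonl")
    with open(deleted, "w") as f:
        f.write("\n".join([lines[0], lines[2]]) + "\n")
    results["deleted"] = verify_notes(deleted)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The chain only proves something if the latest hash is recorded somewhere the notes file cannot reach, for example copied onto the Media Analysis Worksheet at the end of each session; someone with write access to the file could otherwise rebuild the whole chain. Irregularities (a clock offset, a damaged item, a failed acquisition) get their own field so they are not lost in free text.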

Examiner’s Report
  • Recommendations for report contents may include:

    • Agency identification and case submission number.

    • Investigator and submitter identification, along with pertinent dates.

    • Descriptive listing of items examined, including serial numbers.

    • Identity and signature of the examiner.

    • Brief overview of examination steps, results, and conclusions.

  • Summary of Findings:

    • A brief recap of examination results.

  • Details of Findings:

    • Provide extensive detail regarding results, including specific files, search methods, data analysis, and indicators of ownership.

  • Supporting Materials:

    • List all supporting materials such as evidence printouts and chain of custody documents.

  • Glossary:

    • Include a glossary of technical terms for clarity, referring to recognized definitions.

Source: Computer Forensics Processing Checklist, Pueblo High-Tech Crimes Unit by Cmdr. Dave Pettinari, Pueblo County Sheriff’s Office http://www.crime-research.org/library/Forensics.htm