In: Accounting
Based on the material from the "U.S. Department of Justice Forensic Examination of Digital Evidence: A Guide for Law Enforcement" document, explain some important parts of the computer forensic process.
Provide short and concise answers to the following questions:
What are some of the key considerations for an "on-site" examiner, also known as a "first responder"?
What are two attributes of a timestamp that could be located on a computer system? (List and explain.)
When documenting and reporting a computer forensic examination (investigation), what are some common notes that should be maintained? (List and explain.)
What are the four major steps to completing the processing of digital evidence?
The digital forensic process is a recognized scientific and forensic process used in digital forensics investigations. Forensics researcher Eoghan Casey defines it as a number of steps from the original incident alert through to the reporting of findings. The process is predominantly used in computer and mobile forensic investigations and consists of three steps: acquisition, analysis and reporting.
Digital media seized for investigation is usually referred to as an "exhibit" in legal terminology. Investigators employ the scientific method to recover digital evidence to support or disprove a hypothesis, either for a court of law or in civil proceedings.[2]
Personnel
The stages of the digital forensics process require different specialist training and knowledge. There are two rough levels of personnel:[3]
Digital forensic technician
Technicians gather or process evidence at crime scenes. These technicians are trained in the correct handling of technology (for example, how to preserve the evidence). Technicians may also be required to carry out "live analysis" of evidence. Various tools to simplify this procedure have been produced, most notably Microsoft's COFEE.
Digital evidence examiner
Examiners specialise in one area of digital evidence, either at a broad level (i.e. computer or network forensics, etc.) or as a sub-specialist (i.e. image analysis).
Process models
There have been many attempts to develop a process model, but so far none have been universally accepted. Part of the reason for this may be that many of the process models were designed for a specific environment, such as law enforcement, and therefore could not be readily applied in other environments such as incident response. This is a list of the main models since 2001 in chronological order:
The Abstract Digital Forensic Model (Reith, et al., 2002)
The Integrated Digital Investigative Process (Carrier & Spafford, 2003)
An Extended Model of Cybercrime Investigations (Ciardhuain, 2004)
The Enhanced Digital Investigation Process Model (Baryamureeba & Tushabe, 2004)[1]
The Digital Crime Scene Analysis Model (Rogers, 2004)
A Hierarchical, Objectives-Based Framework for the Digital Investigations Process (Beebe & Clark, 2004)
Framework for a Digital Investigation (Kohn, et al., 2006)
The Four Step Forensic Process (Kent, et al., 2006)
FORZA - Digital forensics investigation framework (Ieong, 2006)
Process Flows for Cyber Forensics Training and Operations (Venter, 2006)
The Common Process Model (Freiling & Schwittay, 2007)
The Two-Dimensional Evidence Reliability Amplification Process Model (Khatir, et al., 2008)
The Digital Forensic Investigations Framework (Selamat, et al., 2008)
The Systematic Digital Forensic Investigation Model (SRDFIM) (Agarwal, et al., 2011)[5]
The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice (Adams, 2012)
Seizure
Prior to the actual examination, digital media will be seized. In criminal cases this will often be performed by law enforcement personnel trained as technicians to ensure the preservation of evidence. In civil matters it will usually be a company officer, often untrained. Various laws cover the seizure of material. In criminal matters, the law relating to search warrants is applicable. In civil proceedings, the assumption is that a company is able to investigate its own equipment without a warrant, so long as the privacy and human rights of employees are preserved.
Once exhibits have been seized, an exact sector-level duplicate (or "forensic duplicate") of the media is created, usually via a write-blocking device. The duplication process is referred to as imaging or acquisition. The duplicate is created using a hard-drive duplicator or software imaging tools such as DCFLdd, Ditto Forensic FieldStation, IXimager, Guymager, TrueBack, EnCase, FTK Imager or FDAS. The original drive is then returned to secure storage to prevent tampering.
The acquired image is verified using the SHA-1 or MD5 hash functions. At critical points throughout the analysis, the media is verified again to ensure that the evidence is still in its original state. The process of verifying the image with a hash function is called "hashing."
Given the problems associated with imaging large drives, multiple networked computers, file servers that cannot be shut down and cloud resources, new techniques have been developed that combine digital forensic acquisition and e-discovery processes.
Analysis
After acquisition, the contents of the (HDD) image files are analysed to identify evidence that either supports or contradicts a hypothesis, or for signs of tampering (to hide data). In 2002 the International Journal of Digital Evidence referred to this stage as "an in-depth systematic search of evidence related to the suspected crime". By contrast, Brian Carrier, in 2006, describes a more "intuitive procedure" in which obvious evidence is first identified, after which "exhaustive searches are conducted to start filling in the holes".
During the analysis an investigator usually recovers evidence material using a number of different methodologies (and tools), often beginning with the recovery of deleted material. Examiners use specialist tools (EnCase, ILOOKIX, FTK, etc.) to aid with viewing and recovering data. The type of data recovered varies depending on the investigation, but examples include email, chat logs, images, internet history or documents. The data can be recovered from accessible disk space, deleted (unallocated) space or from within operating system cache files.
Various types of techniques are used to recover evidence, usually involving some form of keyword searching within the acquired image file, either to identify matches to relevant phrases or to filter out known file types. Certain files (such as graphic images) have a specific set of bytes which identify the start and end of a file. If identified, a deleted file can be reconstructed.[3] Many forensic tools use hash signatures to identify notable files or to exclude known (benign) files; acquired data is hashed and compared to pre-compiled lists such as the Reference Data Set (RDS) from the National Software Reference Library.
On most media types, including standard magnetic hard disks, once data has been securely deleted it can never be recovered.
Once evidence is recovered, the information is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialised staff. Digital investigators, particularly in criminal investigations, have to ensure that conclusions are based upon data and their own expert knowledge. In the United States, for example, the Federal Rules of Evidence state that a qualified expert may testify in the form of an opinion or otherwise so long as:
(1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.
Reporting
When an investigation is completed, the information is often reported in a form suitable for non-technical individuals. Reports may also include audit information and other meta-documentation.
When completed, reports are usually passed to those commissioning the investigation, such as law enforcement (for criminal cases) or the employing company (in civil cases), who will then decide whether to use the evidence in court. Generally, for a criminal court, the report package will consist of a written expert conclusion on the evidence as well as the evidence itself (often presented on digital media).
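As an added worked example (not part of the original answer or of any tool it names), this Python script walks the acquisition-verification and evidence-recovery steps described above on a constructed sample image: hash the image at acquisition and re-verify it before analysis, carve JPEG-like files by their start and end byte signatures, then exclude known-benign files by hash the way an RDS comparison would. The sample image, the signature markers and the known-hash set are all constructed here for illustration.

```python
import hashlib

# JPEG start-of-image / end-of-image markers used as carving signatures.
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"

def make_sample_image():
    """Constructed 'disk image': one known file plus one deleted file whose
    bytes survive in unallocated space, separated by zero filler. Not real data."""
    benign = JPEG_SOI + b"\xe0known-benign-logo" + JPEG_EOI
    deleted = JPEG_SOI + b"\xe0deleted-photo-data" + JPEG_EOI
    return b"\x00" * 16 + benign + b"\x00" * 32 + deleted + b"\x00" * 8

def image_hashes(data):
    """Digests recorded once after imaging; the same values are re-checked later."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def verify_image(data, recorded):
    """True only if every recorded digest still matches the image (no tampering)."""
    return image_hashes(data) == recorded

def carve_jpegs(data):
    """Recover JPEG-like files from raw bytes by header/footer, ignoring the file system."""
    found, pos = [], 0
    while (start := data.find(JPEG_SOI, pos)) != -1:
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:           # header without footer: cannot reconstruct
            break
        found.append(data[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found

def filter_known(files, known_sha1):
    """Drop files whose SHA-1 is in a known-file set (RDS-style); keep the rest for review."""
    return [f for f in files if hashlib.sha1(f).hexdigest() not in known_sha1]

def run_examination():
    image = make_sample_image()
    recorded = image_hashes(image)                  # taken at acquisition
    verified = verify_image(image, recorded)        # re-verified before analysis
    tampered = image[:20] + b"X" + image[21:]       # one altered byte
    tampered_ok = verify_image(tampered, recorded)  # False: hashing catches it
    carved = carve_jpegs(image)
    known = {hashlib.sha1(carved[0]).hexdigest()}   # constructed known-benign set
    of_interest = filter_known(carved, known)
    return {"verified": verified, "tampered_ok": tampered_ok,
            "carved": len(carved), "of_interest": of_interest}

if __name__ == "__main__":
    print(run_examination())
```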