The Digital Forensic Process
The growth of computer networks has led to an increase in electronic criminal activity, and the demand to address such activity has grown accordingly. Digital forensics, as a scientific method and set of techniques, has become a valuable means of bringing such criminals to justice. A standardized digital forensic process enables a standard practice for capturing criminal activities that could otherwise go undetected (Wang, Tang, Shao & Jin, 2016). This paper aims to document the process of conducting a digital examination, from the preparation step for the review to the conclusion of the case. The article intends to give a high-level overview of each phase of the investigation, considering and noting the forensic principles that are most important. The paper also seeks to incorporate best practices from the judicial field, drawing on published processes such as those of the Scientific Working Group on Digital Evidence (SWGDE.ORG) and on case law concerning digital evidence.
Digital forensics is a set of tools, techniques, and methods used to collect, preserve, and analyze digital data obtained from digital sources such as media in an incident, with the objective of extracting valid evidence to be presented in a court of law. The digital forensic process can be either proactive or reactive (Grubor & Barać, 2014). The reactive digital forensic method, while useful, has limitations: it struggles with anti-forensic activity, with handling volatile data, and with reconstructing events. The proactive forensic process overcomes these limitations of the reactive process by proactively collecting and preserving data, detecting incidents, analyzing the extracted evidence, and reporting the incident as it occurs.
A good overview of the digital forensic process enables an investigator to stay on track and to assure proper presentation of the digital evidence in a civil or criminal case in court. Internal disciplinary actions and legal proceedings proceed smoothly, and unusual problems encountered during operations, as well as the handling of malware incidents, are professionally guided. Besides, an excellent overview of the digital process provides a good starting point, with reasonable knowledge of the legal principles, procedures, guidelines, techniques, and tools needed to achieve the goal of an investigation. An acceptable overview of the digital forensic process reflects the accepted basic principles.
A well-documented process for conducting digital examinations offers real-time guidelines that help to uncover information from both internal and external sources that could otherwise go unnoticed. A good overview supports proactive network forensics and brings the cost of high-volume data storage down to affordable devices. Furthermore, a proactive digital forensic process offers suggestions and tools for analyzing large data sets with performance improved from hours to a few minutes, such as the use of Autopsy and the Forensic Toolkit (FTK) Imager (Grubor & Barać, 2014).
The digital forensic process has five fundamental principles that apply to both reactive and proactive cases. The first principle is to consider the entire system, for instance the storage spaces, the file system, and the user. The second principle is the establishment of trust, either in the user or in the policies. The third principle is to analyze the causes and effects of events (Grubor & Barać, 2014). The fourth principle is to understand the context and interpretation of the event's meaning. The fifth principle covers all actions taken and results produced by the forensic investigators.
The digital forensic process is divided into three broad categories, each with several steps, from the preparation of the examination to the presentation of the evidence in a court of law. Most standard digital investigations follow a specific standardized model and set of guidelines with different components. The scope here is a four-part model covering the three types of investigation, namely internal investigations (sponsored by an organization), civil investigations, and criminal investigations. All three involve courts of law at different levels; although no two cases are ever identical, cases are always processed under a standard investigative model. The digital forensic process involves four parts, namely assessment, acquisition, analysis, and reporting. The four sections can be further broken down into investigation type (civil, internal, or criminal), identification, collection, preservation of the evidence, examination, analysis, and then reporting.
Figure 1: illustration of the digital forensic process steps
The digital forensic process begins with the assessment/identification procedure. Before any investigation starts, the rules of operation must be outlined and strictly followed until the end. It is critical that the investigator knows what is and is not permitted, so as to avoid damaging the evidence in a case by failing to abide by the rules. For example, it is prudent to obtain warrants before seizing systems, media, or storage devices. Before a warrant is issued, sufficient evidence must be presented to the judge that a crime has occurred, is about to be committed, or is in progress.
The rules and the assessment can determine the success or failure of an investigation, since a court may reject the evidence if its strict criteria are not followed. A good overview of the digital forensic process must provide a list of all legal documents required in a given case: warrants for criminal cases and court orders for civil cases. For internal investigations, agreements must be signed and the scope of the investigation outlined. Once the ground rules have been assessed and established, the potential sources of evidence must be identified. Common places to look for digital forensic evidence include flash disks, local systems, removable media, digital cameras, and printers.
The acquisition part consists of obtaining both volatile and non-volatile data from the identified sources and verifying the integrity of the data acquired. Volatile data change over time and therefore take priority and require careful selection of the acquisition method. Volatile data are obtained first, followed by non-volatile data. Examples of volatile data include network connections, login sessions, open files, and running processes, among others. The collection and acquisition of evidence is the most technical part of any investigation. Errors made while acquiring or gathering the evidence can nullify the whole digital forensic process under scrutiny at trial. The investigator should ensure that the acquisition and collection of evidence produces results that satisfy the following: the data collected must be authentic; an exact copy of the data must be used for the analysis of the evidence; and the data must not be modified during collection. The tools used to collect data must be valid, and both exculpatory and incriminating evidence must be obtained and analyzed to support the conclusions. The conclusions reached through the evidence must be consistent with the evidence and data collected. The investigator must ensure that the people gathering the evidence or data are adequately trained and qualified.
The cardinal rule of the preservation part of the digital forensic process is that the original data shall never be altered or manipulated. The protection of evidence determines the success of the other steps and of the specific, well-accepted protocols and procedures encompassed in the digital forensic process. The forensic evidence must be copied before examination and analysis of the data (Sahinoglu, Stockton, Barclay & Morton, 2016). The forensic processes are carried out on the copy and not on the original file or evidence. For instance, non-volatile media such as removable media, hard disks, and optical devices should be mounted read-only to ensure that no modification of data occurs. Contamination of the original evidence can give rise to legal issues, and copies should be made at the time the evidence is obtained to avoid such occurrences. In any unusual situation in which copies cannot be made, the investigator should document the reasons supporting that decision.
The preservation of storage devices demands great care with both the devices and the data collected during the phases, and it requires proper documentation that can be easily tracked. The investigators are also required to verify that the preserved data can never be tampered with, corrupted, or analyzed by improper procedures.
The scope and complexity of the examination part keep changing every day. The move from the floppy disks used initially to the flash disks used today has made it possible for investigators to look for evidence even in the unallocated space left behind by deleted files. Inadequate examination and lack of adherence to the established rules of the case and to protocols or procedures can result in evidence that does not meet the legal standards of admissibility or proof (Sahinoglu, Stockton, Barclay & Morton, 2016). The registry, hidden files, and slack space can hide large amounts of data and should be considered when examining digital records and systems (Graves, 2013). The examination part requires special data tools and methods to explore the data. The choice of tool also depends on the nature of the case, in order to generate forensically sound presentations. The tools used to examine the data should be declared valid by the courts. Some of the tools considered valid by the courts include EnCase by Guidance Software, Autopsy, The Sleuth Kit by Brian Carrier, and the Forensic Toolkit (FTK) Imager by AccessData Corporation, among others.
Technology plays a significant role: as new technology emerges, new tools will be required to examine the data it creates. The selection of tools must be balanced and agreed upon, particularly for new tools to which lawyers and the court may not yet have been exposed. Improper tool selection can result in the evidence or data being processed inaccurately, and failure to follow valid or accepted procedures can lead to disqualification of the evidence itself (Sahinoglu, Stockton, Barclay & Morton, 2016). A defense of the tools used must accompany the conclusions reached and the method adopted during the examination part (Graves, 2013).
The analysis part gives the investigator the chance to determine what constitutes evidence and what constitutes digital clutter. Various tools exist that investigators can use to analyze the data, separate files, and identify and locate specific records of interest. Collecting data to help prove a case is both an art and a science, and exculpatory evidence is given the same weight as incriminating evidence. Analysis of the data ensures that the digital evidence collected and preserved yields information that is accurate and reliable enough to be used in court (Bulbul, Yavuzcan & Ozel, 2013). The analysis can be carried out under standard operating procedures (SOPs) to conform with the requirements and to produce results that a court can either reject or rely on in determining and settling disputes.
Reporting is the final and critical phase of the digital forensic process, and it begins as soon as an investigator receives a potential case, documenting every step of the process in detail (Graves, 2013). Reporting begins by documenting the likely suspects, who reported what, potential witnesses, and possible sources of evidence or help. Reporting also documents the details of the scene, including photographs of the environment. The investigator must record each step taken, defining what was done, how it was done, and the results obtained. For instance, hash values of the data sources are generated before and after acquisition so that any difference or match between them can be explained. The reporting phase presents the results of the analysis, describes the actions performed, determines what other activities need to be carried out, and recommends improvements to policies, procedures, guidelines, tools, and other aspects of the forensic process.
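The preservation rule above (work only on a copy, keep the original untouched, mount media read-only) and the reporting practice of hashing data sources before and after acquisition can be shown together. The following is an added example, not code from the paper or from any of the tools it names: it hashes a constructed "evidence" file, copies it to a working image that is then made read-only at the file level (a stand-in for a read-only mount), re-hashes both, records each step in a chain-of-custody log, and checks that the copy is exact and that neither the original nor the working copy has changed since acquisition. The file names, the log format and the sample bytes are assumptions made for the illustration.

```python
"""Hash-based integrity verification of an acquired evidence image.

Added example, not from the original paper. The 'evidence' bytes, the
file names and the chain-of-custody log format are constructed here;
real imaging would use a write blocker and a tool such as FTK Imager.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash and copy in 1 MiB chunks so large images never sit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def log_entry(log, action, path, digest):
    """Append one chain-of-custody record: UTC timestamp, action, file name, hash."""
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "path": os.path.basename(path),
        "sha256": digest,
    })


def acquire(source, image, log):
    """Hash the source, copy it to the working image, make the image
    read-only, then re-hash both so every value ends up in the log."""
    before = sha256_file(source)
    log_entry(log, "hash-source-before-acquisition", source, before)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    os.chmod(image, 0o444)  # file-level analogue of mounting the media read-only
    after = sha256_file(source)
    image_hash = sha256_file(image)
    log_entry(log, "hash-source-after-acquisition", source, after)
    log_entry(log, "hash-image", image, image_hash)
    return {"source_before": before, "source_after": after, "image": image_hash}


def verify(hashes, image):
    """Return (ok, problems). ok only if the source was unchanged by the
    acquisition, the image is an exact copy, and the image still matches
    the hash recorded at acquisition time."""
    problems = []
    if hashes["source_before"] != hashes["source_after"]:
        problems.append("source hash changed during acquisition")
    if hashes["image"] != hashes["source_before"]:
        problems.append("image is not an exact copy of the source")
    if sha256_file(image) != hashes["image"]:
        problems.append("image modified since acquisition")
    return (not problems, problems)


def run_demo():
    """Acquire a constructed evidence file, verify it, then simulate an
    analyst editing the working copy and show that verification catches it."""
    evidence = b"constructed sample evidence: " + bytes(range(256)) * 64  # ~16 KiB
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "suspect-drive.bin")   # stands in for the original media
        image = os.path.join(d, "suspect-drive.dd")     # the working copy
        with open(source, "wb") as f:
            f.write(evidence)
        log = []
        hashes = acquire(source, image, log)
        clean_ok, clean_problems = verify(hashes, image)
        # Simulate tampering with the working copy (the mistake preservation forbids).
        os.chmod(image, 0o644)
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        tampered_ok, tampered_problems = verify(hashes, image)
        return {
            "clean_ok": clean_ok,
            "clean_problems": clean_problems,
            "tampered_ok": tampered_ok,
            "tampered_problems": tampered_problems,
            "log_entries": len(log),
        }


if __name__ == "__main__":
    print(run_demo())
```

Running the block prints a result in which the first verification passes and the second reports "image modified since acquisition", while the three hash values remain in the log as the record an examiner would cite in the report.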
The conclusions reached must be consistent and must be explained by the investigators (Graves, 2013). Inadequate documentation can destroy a meticulously investigated case, and automated documentation processes should be encouraged as a supplement to manual documentation. The reporting style depends on the audience, whether the report serves legal or administrative purposes.
In conclusion, various models exist, but an integrated model of the digital forensic process determines which evidence can prevail in a court of law. The digital forensic method and the terminology used in its phases imply that the process must be carried out rigorously to be accepted in the forensic community. A standardized digital forensic process model helps investigators follow a universal approach to their investigations. An overview of an excellent digital forensic process offers a sequential and logical notation for generating evidence acceptable to the courts and to the forensic community. A satisfactory digital forensic method relies on successive phases, and each phase depends on standardized procedures, which in turn depend on the tasks and sub-tasks for the identified crime scene. Focusing on the accepted model of the whole digital forensic process, the investigation phase, and the presentation of the evidence in court or for administrative purposes, and analyzing the needs of the case at the beginning, makes the whole objective achievable. A standardized methodology for conducting the digital forensic process allows accurate, efficient, and robust work in the investigation phases of assessment, collection or acquisition, identification, evaluation/examination, and reporting or admission. More sophisticated digital forensic processes keep emerging to speed up the entire investigation and to solve the disputes encountered daily in forensic investigations.