• A process that develops and tests hypotheses to answer questions about already occurred digital events
  • What/who caused the event
  • When/why did the event occur

• Driven by practical needs and available tools, not by fundamental theories

Forensic Investigation Process

American Board of Information Security and Computer Forensics

• Collection
• Examination
• Analysis
• Reporting

• Identify, isolate, label, record, and collect the data and physical evidence related to the incident being investigated, while establishing and maintaining integrity of the evidence through chain-of-custody

• Identify and extract the relevant information from the collected data, using appropriate forensic tools and techniques, while continuing to maintain integrity of the evidence

• Analyze the results of the examination to generate useful answers  to the questions presented in the previous phases
• The case is typically "solved" in this phase

• Reporting the results of the analysis, including:
  • Findings relevant to the case
  • Actions that were performed
  • Recommended improvements to procedures and tools

• DOJ guidelines - Late 90's
  • Preparation: prepare equipment and tools
  • Collection: Search physical location for possible digital evidence and acquire (e.g., collect or copy digital media)
  • Examination: review the media for evidence (initial screening)
  • Analysis: review the results for their value in the case
  • Reporting: document results of investigation

Digital Investigation in 6 Steps

Casey (2004)

• Identification/Assessment
• Collection/Acquisition
• Preservation 
• Examination
• Analysis
• Reporting

Digital Investigation Process Model

(Carrier, 2003)

Physical Phase Goals

• Preservation - Secure entrance/exit, Prevent changes
• Survey - Walking through scene, identify evidence
• Documentation - Photograph, sketches, evidence/scene maps
• Search & Collection - In-depth search
• Reconstruction - Develop theories

Computer being investigated is considered a digital crime scene

The end goal of most digital investigation is to identify a person who is responsible and therefore digital investigation needs to be tied to a physical investigation.

Digital Investigation Process Model

(Carrier, 2003)

Digital Phase Goals

• Preservation - Prevent changes (network isolation, collecting volatile data, copy entire digital environment)
• Survey - Identify obvious evidence (in lab)
• Documentation - Photo & description of digital device
• Search & Collection - Analysis of system for non-obvious evidence
• Reconstruction - Similar to physical

Computer being investigated is considered a digital crime scene

The end goal of most digital investigation is to identify a person who is responsible and therefore digital investigation needs to be tied to a physical investigation.

• Response to a computer crime, security policy violation, or similar event
• Secure, preserve, and document digital evidence
• Happens BEFORE the forensic analysis begins
• Incident responder is not necessarily the forensic specialist who will conduct the analysis of the digital evidence

• Large Company
  • incident responder might be a technician-level employee in security or information technology 

• Small company
  • Network administrator or security officer might also be the incident responder

• a sworn law enforcement officer or "crime lab" technician can be incident responder 

• In a company, after corporate personnel have done their own incident response, law enforcement personnel can be called in if there is a criminal activity

• Determining who is in charge (or who do you report to)
  • DFI is not in charge of the scene for sure
• Identify what is the crime scene
• what "area" is allowed to enter

Securing the scene

(by first responder or DFI)

• Safety first
• Integrity second (computer, data, network)
• Then secure evidence 
• Not just computers but any digital devices that can contain data (or encryption key)
  • Network switches, routers, servers
  • Mobile phone, printer, digital camera, USB, Flash memory, external HDD, activity/fitness tracking devices, MP3 players, digital audio recorder, etc. (use Faraday bags)
  • RSA secure-ID, USB dongle with encryption key
• Identify data sources
  • USB cables attached to a computer
  • Owner's manuals for any unidentified digital devices (DSLR, external HDD, etc.)
  • Internet storage, Cloud
  • Clues for passwords
  • Interview anyone who may have useful info.

Guideline for First Responder

When you see a computer

• If computer is on, leave it on (for now)
• If computer is off, leave it off
• No technical assist from anyone unauthorized should be allowed
• Avoid compromising physical evidence (fingerprint, blood, DNA, etc.)
• Protect yourself from biohazards

Guideline for First Responder

2 ways to turn off a computer

• Pull the plug
  • Immediately halts processing but destroys data in memory and can corrupt files
  • Data in memory could be collected using "cold boot" attack or DMA attack
• Shut down
  • Writes entries into system activity logs (change of the state of evidence)

Hard Drive Duplication Methods

American Board of Information Security and Computer Forensics

• Disk Imaging on a Dedicated Forensic System
  • Platform specifically built and designed to accommodate numerous types of hard drive connections
  • Specialized bit-level imaging software transfers an exact copy of the contents of the original hard drive (or other data source) to one or more blanks
  • Typically, an investigator will make more than one copy of the suspect hard drive using this method
    • If the forensic analysis is correct, the investigation should produce the same results on identical copies f the drive.

Hard Drive Duplication Methods (Cont)

American Board of Information Security and Computer Forensics

• System-to-System Disk Imaging
• This method uses two separate computer systems - the suspect and a specialized forensics imaging system
• Depending on the type of drives and connections available, both systems are booted from CD-ROM, DVD, USB drive, or floppy disk which loads the imaging software
• Data is transferred between the computers using serial, parallel, Ethernet, or USB ports
• This method can be slow, and is often not suited to on-the-scene incident response

Hard Drive Duplication Methods (Cont)

American Board of Information Security and Computer Forensics

• Using the original system
• Uses the original (suspect) computer to perform the disk imaging transfer process
• A blank drive matching the original hard drive's capacity and configuration is added to the system
• A forensic boot disk is used to create a bit-level image of the original disk
• This method id typically used in on-the-scene incident response when it is impractical to transport a computer to the investigator's laboratory