Analysis steps in Digital Forensics Investigation

DFI Part-6

Yash Gorasiya
Cyversity
6 min read · Dec 8, 2021


What is Analysis in a Digital Forensics Investigation?

Analysis in a digital forensics investigation is a scientific method: it starts by gathering the evidence and the facts about the evidence collected, builds a hypothesis from those facts to explain the incident, and finally extracts the artifacts that prove the hypothesis that was built.

In this article we look at the best practices and key points an investigator should take into consideration when conducting an investigation and applying this method.

Whenever you prepare for a new case, you should prepare a fresh storage device for it. If that is not possible, perform a forensic wipe of the disk to remove the old data before storing the new data. Some devices need extra steps before analysis can start; for example, a wireless device must be kept isolated from its surroundings so that no new connection is made that could alter the evidence or data, such as log changes.

Think of a physical case: the investigator collects even the most minor observations from the crime scene, besides collecting the evidence itself, in order to determine how the crime happened, when, and by whom.

Digital analysis works in a similar way to a physical case. It starts by gathering observations from the evidence you have, then building a hypothesis that explains what caused that evidence, and by whom, in order to gain an understanding of the whole case. Your analysis may encompass recovering deleted files, decrypting and recovering encrypted files, and establishing when a file was created and then linking it to the suspect. The evidence you have may also lead you to further new evidence from different sources.

For example, reading a suspect's email may indicate that important information was sent to the suspect on a CD, or the analyst may have to search the internet for evidence such as chats between the suspect and the victim.

There are some basic requirements that need to be ready before starting the analysis:

  • A workstation running an operating system
  • A write-blocker device (very important)
  • Digital forensics acquisition tools
  • Digital forensics analysis tools
  • A target drive to receive the data from the source or suspect disk

A digital forensic investigator carries a huge responsibility when investigating a case, because their findings may bring justice to the innocent and punish the criminal. Therefore, there is a set of steps that one should follow when investigating a case. The following are generalized steps of an investigation; an investigator may instead follow the steps prescribed by their institution or the framework they use. The common analysis steps in most cases are the following (even though they are not identical in every case, and you may use other steps and techniques):

1. Prepare a preliminary design or a method to approach the case

The investigator should prepare a method for how they will go about the investigation and have a clear understanding of the crime scene. At a scene where a computer or device is in a powered-on state, one must not make the mistake of turning it off, running any program, or performing any other activity on it.

Note: Before attaching the evidence to be copied, you should ensure that it is connected to a write blocker (a device that blocks all write operations on the acquired media). If such a device is not available (for example, because it is too expensive), you should use appropriate software that allows only reading and viewing of the data and prevents alteration of the evidence (for example, a forensic bootable disk).

  • There is an interesting saying in forensics: "It is not always about finding the evidence; in some cases the lack of evidence is the basis for our hypothesis (or our case)." This is better understood with a real-life example. The hypothesis in the Corcoran Group case was built on evidence that was missing. The Corcoran Group sold a building that had been flooded with water during a storm, and the company claimed it had no idea about the flood. When the case started, a forensic expert analyzed the company's computers; the interesting finding was the missing files and emails that should have existed. The court judged the company on the basis that it had misled the investigation by deleting that evidence.

2. Determine the resources that are required for the case

The investigator needs to understand which tools and technologies are required for the case to be investigated further. They should be qualified enough to use them, and they must make sure that they prevent data from being overwritten.

3. Discover and obtain the evidence

The investigator has to make sure that they do not miss any evidence at the scene of the crime and that they obtain it in the most accurate way, one that does not damage the evidence. The investigator should collect the evidence in a Faraday bag or an anti-static bag so that it cannot be tampered with. They should maintain the chain of custody at every moment.

4. Make multiple Forensic copies of the evidence

In a digital forensic investigation it is essential to remember that, as far as possible, one should never work on the original evidence item. The investigator should create multiple copies of it and perform the analysis on a copy of the original evidence. Before creating a copy, they should always calculate the hash value of the evidence as recovered in its original form, to maintain the authenticity of the evidence.
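The hash-then-copy routine described in this step, as an added example that is not part of the original article. It hashes the original, makes a working copy, re-hashes both the original (to show it was not touched) and the copy, and appends the result to a custody log; a later re-verification shows how an altered working copy is caught. The file names, the JSON-lines log format and the sample "image" are constructed for illustration, and the script works in a temporary directory so it runs offline.

```python
"""Added example (not from the original article): hash the original evidence,
make a working copy, verify the copy against the original hash, and record
the result in a simple custody log. File names, the log format and the
sample 'image' are assumptions constructed for this demo."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithm="sha256", chunk_size=1024 * 1024):
    """Return the hex digest of a file, reading it in chunks so that a
    multi-gigabyte disk image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def make_verified_copy(original, copy_path, log_path, algorithm="sha256"):
    """Hash the original, copy it, re-hash both, and append an entry to a
    JSON-lines custody log. Returns True only if all three hashes match."""
    before = hash_file(original, algorithm)
    shutil.copyfile(original, copy_path)
    after_original = hash_file(original, algorithm)  # original must be unchanged
    copy_hash = hash_file(copy_path, algorithm)      # copy must match it
    ok = before == after_original == copy_hash
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "original": os.path.basename(original),
        "copy": os.path.basename(copy_path),
        "algorithm": algorithm,
        "hash_before_copy": before,
        "hash_after_copy": after_original,
        "copy_hash": copy_hash,
        "verified": ok,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return ok


def verify_copy(copy_path, expected_hash, algorithm="sha256"):
    """Re-verify a working copy later, e.g. before analysis in another lab."""
    return hash_file(copy_path, algorithm) == expected_hash


def demo():
    """Constructed run: a small fake 'image' stands in for a real disk image.
    Returns (copy verified OK, tampered copy still verifies) -> (True, False)."""
    workdir = tempfile.mkdtemp(prefix="dfi_demo_")
    original = os.path.join(workdir, "evidence.dd")
    copy1 = os.path.join(workdir, "evidence_copy1.dd")
    log = os.path.join(workdir, "custody.jsonl")
    with open(original, "wb") as f:
        f.write(b"constructed sample image bytes\x00" * 4096)
    ok = make_verified_copy(original, copy1, log)
    digest = hash_file(original)
    # Simulate an accidental write to the working copy: it must fail later.
    with open(copy1, "r+b") as f:
        f.seek(10)
        f.write(b"X")
    tampered_ok = verify_copy(copy1, digest)
    shutil.rmtree(workdir)
    return ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Hashing the original a second time after the copy is the cheap way to show that the copy step itself (or a missing write blocker) did not alter the source; the stored digest is what a second lab uses to confirm it is working from the same bytes.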

5. Identify and minimize the risks involved

The investigator should remember that the evidence collected is not always easy to analyse, and that a large number of risks and consequences are involved. They should be qualified enough to estimate the amount of risk and the possible damage, and should try to come up with better alternatives to minimize the risk.

6. Analyze and Recover the evidence

Once the investigator has the evidence, they can start analyzing the copy of the original evidence using whichever commercial and open-source software is suitable for the case. They can also use various tools to recover evidence that has been deleted. Some of the best-known tools are Autopsy, Wireshark, FTK Imager, Cellebrite UFED4PC, etc.

7. Create a detailed case report about the investigation

Once the investigator has completed the analysis of the evidence and has found important artifacts in the recovered data, they can create a detailed report about their findings, the methodologies, and the tools used in the investigation. If required by the jury or the court, the investigator has to appear in court as an expert witness and give testimony on the case in simpler terms, so that people from a non-technical background can better understand the case.

Conclusion

Before submitting the evidence to a court of law, you need to be sure that it was not tampered with intentionally. For example, before relying on a file's associated time and date to determine the time of the incident, you need to be sure that the suspect has not altered the system date. It is not hard, even for a non-technical person, to program a computer to send an email from a home desktop at a specific time while they are somewhere else; so this should be verified before using it as an artifact to determine the suspect's location. You also need to ensure that your analysis results are repeatable and reproducible, which means that the same result will be produced when the evidence is tested again in the same or a different lab using the same or different tools and equipment.
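A first sanity check on file timestamps of the kind the paragraph above calls for, as an added example that is not part of the original article. It flags timestamps that lie after the acquisition time, before a known lower bound for the system, or where a file's modification time precedes its creation time; a hit means "explain this before relying on the date", not proof of tampering. The metadata records, the acquisition time and the lower bound are constructed, and the three rules are illustrative assumptions rather than a complete method.

```python
"""Added example (not from the original article): flag implausible file
timestamps before they are used to date an incident. All records and
reference times are constructed; the rules are illustrative assumptions."""
from datetime import datetime, timezone


def utc(ts):
    """Parse an ISO-8601 string as a UTC datetime (constructed inputs only)."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


# Constructed file metadata: (path, created, modified, accessed), all in UTC.
SAMPLE_RECORDS = [
    ("C:/Users/a/report.docx",
     utc("2021-11-02T09:15:00"), utc("2021-11-02T10:40:00"), utc("2021-11-03T08:00:00")),
    ("C:/Users/a/notes.txt",   # modified earlier than created: copied or back-dated
     utc("2021-11-05T12:00:00"), utc("2021-11-01T07:30:00"), utc("2021-11-05T12:00:00")),
    ("C:/Users/a/plan.pdf",    # every timestamp is later than the acquisition
     utc("2021-11-20T18:00:00"), utc("2021-11-20T18:05:00"), utc("2021-11-20T18:05:00")),
    ("C:/Windows/old.log",     # every timestamp predates the assumed lower bound
     utc("2019-01-01T00:00:00"), utc("2019-01-01T00:00:00"), utc("2019-01-01T00:00:00")),
]
ACQUIRED_AT = utc("2021-11-10T14:00:00")       # constructed acquisition time
LOWER_BOUND = utc("2020-06-15T00:00:00")       # assumed, e.g. the OS install date


def check_timestamps(records, acquired_at, lower_bound):
    """Return {path: [reasons]} for every record that needs an explanation.
    A file with no findings is simply absent from the result."""
    findings = {}
    for path, created, modified, accessed in records:
        reasons = []
        for name, ts in (("created", created), ("modified", modified), ("accessed", accessed)):
            if ts > acquired_at:
                reasons.append(f"{name} is after the acquisition time")
            if ts < lower_bound:
                reasons.append(f"{name} is before the system's lower bound")
        if modified < created:
            reasons.append("modified before created (copied file, or clock/timestamp altered)")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in check_timestamps(SAMPLE_RECORDS, ACQUIRED_AT, LOWER_BOUND).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

The "modified before created" rule fires for ordinary copied files as well as for altered clocks, which is exactly why each hit should be explained from other artifacts rather than discarded or treated as proof; a timestamp later than the acquisition time, by contrast, cannot be correct and points at a clock problem on the system or the workstation.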

So be aware, and handle all types of evidence with the utmost care.

That's all I have for now; I will be coming up with more such short articles on digital forensics.

Till then


Associate Project Manager at The SecOps Group || Technical Writer at The SecOps Group || Cyber Security Writer at VulnMachines