Digital forensics practitioners work for many types of organizations: government, accounting firms, law firms, banks, software development firms and corporate. Essentially, any kind of organization that has a computer system may need a digital forensics specialist. Digital forensics experts need to be well versed in the collection, examination, preservation, and presentation of digital evidence. Experts must be thorough, treating every investigation like it’s going to court, so their methods and documentation need to be incredibly detailed.
These experts follow standard best practices to ensure that their investigation is thorough and the evidence they present is credible. Here are a few digital forensics best practices that forensic experts follow while conducting their investigations.
- Accurate identification of evidence: There are many best practices and small steps that digital forensic experts need to follow when they land at the crime scene or instead at the beginning of their investigation. In the very beginning itself, they should document the location and condition of everything before touching anything. Recording with a digital camera can help. They should record the manufacturer, type and serial number (if possible) and place each item in a separate appropriate collection bag. They need to record the date, time, personnel and purpose for every transfer on a Chain of Custody Form and store evidence in a secured, climate-controlled location, away from other items or personnel that might alter or destroy digital evidence.
Instead of working on the original copies, they should make other copies so the integrity of the original data is preserved. Since the experts get data from several sources, the timestamps may be different. By gathering data based on timeframes, experts can build a comprehensive picture of events and pinpoint supporting evidence.
- Thorough and systematic analysis: Digital Forensic experts need to be systematic about their analysis by making a hypothesis and running tests to refute or support all the theories. The proper collection and analysis of the incident data help in the investigation to uncover any illegal activity. Identifying relationships between fragment of data, analyzing hidden data, determining the significance of the information obtained from the examination phase, reconstructing the event data based on the extracted data and arriving at proper conclusions etc. are some of the activities to be performed at this stage.
- Proper preservation of evidence: Adhering to proper evidence handling procedures will be of paramount concern for digital forensics experts. Evidence must be preserved as best it can be without being altered or deleted. Evidence should be stored in a secured, climate-controlled location, away from other items that might alter or destroy digital evidence.
- Documentation is vital to the investigation process: The investigation report must be detailed, understandable, factual, and must include only defensible data. Everything captured is recorded just as they are, dated, and signed. Ensure that the record is not littered with technical jargon, so even non-technical audiences can understand the results. Findings must be presented without any bias to maintain credibility. Include dates and present events in chronological order for the organization. Create an additional appendix where additional information, data, or evidence can be included. While a report summarizes your findings, experts still need to ensure that the report is detailed. In a more critical case, other certified forensic interviewers may be called upon to validate their findings.
- Follow regulatory guidelines and policy: One of the digital forensics best practices that the experts need to follow is to adhere to every relevant regulatory guideline and policy. For example, they should be aware of ISO/IEC 27037:2012, a standard that provides guidelines for identifying, collecting, acquiring, and preserving digital evidence. Furthermore, ISO/IEC DIS 27042 standard needs to be followed that guides analysis and interpretation of potential digital evidence for identifying and evaluating digital evidence that may be used to investigate an information security incident. Similarly, there are a plethora of other regulatory guidelines to adhere to.
- Observe the highest ethical standards and maintain neutrality: If serving as an expert for the defence in a legal setting, the forensic expert should remain relatively neutral, performing essentially the same functions as the prosecution. Any examinations they perform would involve examining, preserving, and presenting evidence and requiring collecting additional evidence that was missed during the investigation. In doing so, an expert should identify possible alternative reasons for the presence of data, such as identifying whether a malicious software was present on the machine.
- Follow ethical standards: Ethical standards are crucial in maintaining credibility, and legal proceedings especially are full of guidelines on how and to what extent expertise can be imparted. It is important that any attorney-client information that is inadvertently acquired is kept private and is not divulged without the attorney’s consent or under the order of a judge.
Awareness of cybersecurity and digital forensics best practices is always worthwhile. Regardless of the type or size of your organization, it is always important that your IT security team or those responsible for handling your security always follow an informed, structured, and effective process if and when a security incident happens. This will support and strengthen the digital forensics investigations that will follow.