The exponential rise in cybercrimes has warranted the specialized field of computer forensics to grow rapidly in recent years. Digital forensics is the method of analyzing a computer system after an attack has taken place and looking for footprints to trace in the hopes of finding or tracing evidence back to the culprit. This method was first used by the FBI and other law enforcement agencies to examine files and computer programs that contain digital evidence.

Our earlier blog, ‘3 Ways Digital Forensics Investigations Will Blow your Mind’, stated that digital forensics as a field is only three decades old. Today, it is a vital part of the incident response process. It has steps laid out so the evidence is credible enough to be presented in the court of law. The main elements of computer forensics include the use of a scientific method, collection of data, its preservation, validation, analysis, interpretation, documentation and presentation, etc. The digital forensics methodologies may vary from company to company, but some of the methods used by digital forensics experts are unknown to the general public.  

Identifying, extracting and analyzing – The devil is in the details

Identification is the first step in the digital forensics methodology. In this stage, the evidence is examined by type, location, format and condition. How the evidence will be stored is also identified. The storage media can be any digital source such as mobile phones, personal computers, servers, networks, etc. The steps include identifying possible sources of data, acquiring volatile and non-volatile data, and verifying the integrity of the data to ensure chain of custody. Volatile data changes over time; this is why the order in which data is collected is important. One suggested order in which volatile data should be acquired is network connections, ARP cache, login sessions, running processes, open files, RAM contents, and other pertinent data.

In the extraction process, the examiner considers whether there is enough data to proceed with the investigation. Part of the digital forensics methodology requires the examiner to validate every piece of hardware and software after being brought and before they have been used. The examiner must also back up the forensic data and verify its integrity. A forensics image is an exact copy of the data in the original media. The relevant data is extracted and added to a list. The remaining information is added to another list called the “Extracted Data List.” Examiners repeat the identification process for each item on the Extracted Data List, just in case the previous examiner has missed anything. Finally, the irrelevant data is filtered out.

In the analysis phase, the examiner tries to understand why this information is significant to the investigation. First, they try to visualize the series of events that unfolded during the attack against the organization. Next, they try to investigate the creation, modification or deletion of any item. Finally, in the digital forensics methodology, the expert tries to uncover the manifesto of the attacker, which will support proving a theory before law enforcement.  

It is all about documenting and presenting

All the written and digital documents based on the attack are created. The documentation helps recreate and review the crime scene and present it in the court of law. In addition, the photographs, mapping and methodology must be included. In the end, it all must be summarised, and conclusions must be drawn. The terminology used must be easy enough for the general public to understand. The audience can be law enforcement, company management, legal experts or a judge in the court. Unnecessary technicalities may not be needed and should be avoided. However, at the same time, to be in line with the digital forensics methodology, technicalities should be mentioned as many details as available and reference all specific information.

Preserving digital evidence to ensure authenticity

The digital evidence must be preserved properly not just to use as evidence after the breach or crime but also for future use, as legal cases at times may run for weeks, months and sometimes years. Preservation also ensures that the evidence is not tampered with. Time is crucial when it comes to the protection of digital evidence. The forensics team uses drive imaging, hash values and chain of custody to preserve evidence. Imaging a drive is a forensic process in which an analyst will create a bit-by-bit duplicate of the drive. The process generates cryptographic hash values like MD5, SHA1, etc., which are used to verify the authenticity and integrity of the image so that it can be admitted as unaltered evidence in court. Forensic investigators collect media from the client and transfer it. They document all the steps conducted during the transfer of media and the evidence on the Chain of Custody (CoC) forms and capture signatures, date, and time upon the media handoff.

Conclusion

The steps or activities in the digital forensics methodology may need to be repeated to find conclusive evidence. All this means that the investigation is thorough with no room for error or doubt. The result is to uncover the motive, identify the culprit and present the evidence in the court of law. Still, many people are not aware of what goes behind digital forensics and what methodologies are used to arrive at conclusive evidence.