M1 - Digital Forensics Overview
Class: CYBR-405
Notes:
Introduction to Digital Forensics
Forensic Science
Forensic science (forensics) is the practical application of science to matters of the law. In criminal law, forensic science can help prove the guilt or innocence of the defendant. In civil actions, forensics can help resolve a broad spectrum of legal issues through the identification, analysis, and evaluation of physical evidence.
Therefore, it is vital that proper forensic information obtained by law enforcement be incorporated into the evidentiary system for evaluation by both prosecutors and defense attorneys. The difficulties involved in forensics are widespread. Law enforcement officers collect and integrate forensic evidence without the defense attorney having any control or input.
Types Of Cases Involving Forensics
The science of forensics is the study of legal issues and the pursuit of answers to legal questions by applying scientific knowledge. The legal system and, therefore, forensics becomes involved in two specific types of cases:
- A private party, such as a business, requires facts to support a civil action (such as a lawsuit) or business decision with potential legal consequences (such as dismissing employees for violating company policy).
- A crime has been committed or a crime is suspected.
In both cases, a forensic examiner must analyze available items or data to find facts that are supported by those items and data. Similarly, the facts help answer the questions asked or expected by the legal system.
The Role of Forensic Examiners
Forensic examiners apply skills from many sciences and disciplines. The legal system must have confidence in the results presented by forensic examiners. Therefore, forensic examiners must remain objective to avoid even the appearance of bias and must remain current in their area of expertise.
Forensic examiners draw on disciplines including:
- Geology
- Physics
- Chemistry
- Toxicology
- Odontology
- Others
Challenges in Forensic Science
Crime scenes are subject to degradation almost immediately after the event occurs. Continual environmental changes such as light and temperature, physical or biological changes such as body decomposition, and human intervention all affect the crime scene.
Understanding these challenges as they are applied to digital forensics, a discipline within forensic science, is even more challenging due to the rapid change of technologies. Understanding what forensics is and how evidence is used and applied helps to build a base from which the evidence can be used appropriately and expertly to produce strong, admissible evidentiary reports.
Introduction to Digital Forensics
Computers and other electronic devices are a part of many investigations. An expert in the field of digital forensics should conduct the collection and analysis of this electronic information.
When a user accesses a computer or device to create, view, or access information, system artifacts are generated that a trained digital forensics examiner can identify. These artifacts paint a picture of this user activity.
Concepts of Digital Forensics
The forensics examiner must be familiar with how data is stored and arranged on digital devices. Assessing this information through forensically sound methods is critical to the success of the investigation. To fully investigate a digital crime scene, examiners must use specialized tools and techniques to preserve, extract, analyze, and present the evidence so that it is admissible in legal proceedings.
A digital forensics examiner must be able to successfully:
- Identify what data and information is relevant evidence.
- Identify individuals involved in the activity.
- Implement a variety of forensic tools and techniques to obtain possible evidence.
- Maintain the integrity of evidence collected.
Defining Digital Forensics
The job of a forensic examiner is to search through digital data in order to answer certain questions about an event or incident. The examiner uses accepted methods and procedures to identify evidence on the computer or device in order to answer the set of questions.
The investigation may involve a criminal case being conducted by law enforcement (local police, FBI, DHS), a case involving the gathering of intelligence being conducted by an intelligence agency (e.g., NSA, CIA, DIA), an administrative or internal security case being conducted by corporate security, or a civil case involving parties to a lawsuit.
Digital forensics covers any electronic device capable of storing information, such as GPS navigation systems, drones, and Apple watches. Digital forensics examiners must have basic knowledge of how information is organized on a given digital storage device.
Locard's Exchange Principle and Digital Forensics
Locard's Exchange Principle is the theory that anyone committing a crime leaves something behind or takes something away from the crime scene.
Locard's Exchange Principle holds true in digital forensics even though a hacker will not leave latent fingerprints, footprints, or DNA evidence. Instead, digital artifacts of the invasion may be found in logs showing when something was accessed or if data was transmitted over the network.
"It is impossible for a criminal to act, especially considering the intensity of a crime, without leaving traces of this presence."
Dr. Edmond Locard
The Role of the Digital Forensic Examiner
The main task of a digital forensic examiner is to extract information from digital storage media. In order to do this, it is important to be familiar with how data and information are organized on storage media.
- All information is stored digitally on computer systems.
- The Internet has created a high degree of connectivity in the modern world.
- Most computers storing valuable information are connected to the Internet and other networks, including systems in the Cloud.
The combination of these facts has led to the need for new investigative techniques for digital forensic examiners to address this ever-growing amount of digital information.
Forensics Examiners: Education and Training
All digital forensic examiners should possess training, expertise, and experience in the field of digital forensics. This includes knowledge of computers and their operation.
As a digital forensic examiner progresses from "novice" to "expert," more validation is required. Validation takes the form of certifications from external approving bodies that are considered experts on a particular subject. The legal system also requires validation of a forensic investigator's skillset, especially early in their career.
For example, EnCE (the EnCase Certified Examiner) is produced by the manufacturer of EnCase (OpenText) and certifies that the recipient of the certification is qualified to use the EnCase forensic product.
Forensic Examiners: Certifications
Examples of industry-recognized professional certifications include:
- EnCase Certified Examiner (EnCE)
- Magnet Certified Forensic Examiner (MCFE)
- CompTIA A+
- ISFCE Certified Computer Examiner (CCE)
- Cellebrite Certified Operator (CCO)
- GIAC Certified Forensics Analyst (GCFA)
- IACIS Certified Forensics Computer Examiner (CFCE)
Forensic Examiners: Continuing Education
Digital forensic examiners should have a range of skills that span a broad spectrum of computer science, computer engineering, and information security. It is unlikely that a single person can represent expertise in more than two or three subject areas. As the examiner's career progresses, they may become specialized in only a few areas of digital forensics.
In order to stay current on the latest changes in software, hardware, networking, operating systems, and latest forensic techniques, the examiner must dedicate time and energy towards continuing education and re-certifications.
Continuing Education
There are several ways of obtaining continuing education credits, including:
- Attend vendor-specific courses conducted by software manufacturers.
- Complete research papers.
- Stay current with the latest digital forensic journals, magazines, and book releases.
- Present topics of significant research to peers.
- Routinely keep and review a journal of achievements to keep the experience fresh.
Continuing education must be formally documented through transcripts and certificates of completion.
Evidence Collection Overview
How Computers Are Used In Crimes
Criminal investigations may involve the collection and analysis of digital evidence in order to identify the "who, what, when and where" associated with the crime being investigated.
Computers and other digital devices can be used in crimes in the following ways:
- The computer is the target: Examples include unauthorized access to computer systems where protected data may have been stolen, and incidents where computer systems or network resources are rendered unavailable through DoS attacks.
- The computer is the instrument of the crime: Examples include cyber terrorism, e.g., crimes where computers are used to obtain unauthorized information over public networks; sending an email containing a threat; production and distribution of child pornography; crypto mining; online illegal gambling; and production and distribution of malware.
- Computers are incidental to another crime: Examples include copyright infringement, money laundering, drug distribution, etc.
Evidence
The facts of a case emerge from the evidence presented. Evidence is best defined as anything that tends to prove or disprove a fact in question. Each fact or conclusion must be supported by the evidence.
During a digital examination, two different phases emerge.
Evidence Collection
The process of collecting the evidence requires a basic understanding of computers and other electronic device operations to ensure evidence is not lost.
Evidence Analysis
The process of reviewing and analyzing digital artifacts contained on the evidence to formulate facts and conclusions.
Although these roles differ, a single person may be employed for both.
Types of Evidence
Digital forensics examines data and information from digital storage media or devices in order to present the data as evidence in a court of law or to answer specific legal questions. Evidence will always fall into one of two broad categories.
- Inculpatory evidence
- Evidence that tends to establish guilt or incriminates a particular person.
- Exculpatory evidence
- Evidence that tends to exonerate or exclude a particular person.
The job of a digital forensic examiner will be to accurately present both inculpatory and exculpatory evidence.
Digital Evidence Collection Roles
As with the general field of forensics, the collection of evidence may have several prominent roles.
Physical Technology Collection
Investigators will collect the physical media. Physical media is any technology that stores data or information. Examples include internal and external hard disks, optical discs (CD/DVD), USB drives, SD cards, mobile phones, and other electronic devices.
Digital Evidence Collection
Investigators will collect the digital data from the physical device. Here, the evidence is the full set of files, folders, and bits stored on the physical media.
Acquiring Digital Evidence
Generally, cases should answer specific questions for the legal system. As a result, no work on an investigation should begin without certain basic facts to help investigators examine the evidence more efficiently and protect the integrity and legality of the investigation.
There are three guiding principles which should be answered prior to any digital forensics examination.
- The permission and scope to examine the evidence
- The answers being sought
- The urgency of the request
General Procedures for Acquiring Digital Evidence
Next, the investigator should understand the general procedure for evidence gathering. The high-level steps of this procedure include:
- Identify the evidence.
- Secure the evidence.
- Preserve/collect the evidence.
- Transport and store the evidence.
Digital Evidence Challenges
Digital evidence has several unique challenges and questions that must be addressed.
User Attribution
Multi-user systems, such as servers, may have hundreds of users. Evidence must reveal facts, so it is critical to know who owns the data, how it got on the system, and where it originated. This is commonly referred to as user attribution, a critical element for any criminal, civil, or administrative investigation.
Legal Search Authority
Another concern is the legal search authority surrounding the collection and examination of evidence. Everyone has an expectation of privacy under the 4th Amendment of the U.S. Constitution.
This privacy concern may be resolved through implied consent of the user, obtained through correctly worded and executed acceptable use policies (AUPs) that authorize the examination of systems pursuant to organizational policies and directives. Law enforcement may also collect and examine devices by securing a court-authorized search warrant.
Encryption
A significant challenge to forensic examination results from the implementation of full-disk encryption technologies such as Windows BitLocker and macOS FileVault2, as well as file system encryption enabled by default on mobile operating systems such as iOS and Android. While limited technology exists to enable law enforcement to bypass some file encryption technologies, courts have often been used to compel users to produce passwords so that law enforcement can gain access to encrypted data. However, the courts may be limited in the sanctions that may be imposed should the user refuse to comply.
Privacy and Plain View Doctrine
This issue of privacy raises the question of plain view doctrine while collecting evidence from digital sources. To understand the complexity, let's look at an example of plain view for a digital forensics examination.
Plain view doctrine is a rule of criminal procedure which allows an officer to seize evidence of a crime without a warrant when the evidence is clearly visible. This doctrine acts as an exception to the Fourth Amendment's right to be free from searches without a warrant. Also referred to as clear-view doctrine or plain sight rule. Source: Legal Information Institute
Search Warrant
A computer forensic examiner has a warrant to search a computer for evidence related to drug trafficking. During the examination of the suspect's computer, the examiner stumbles upon a number of image files depicting child pornography. While child pornography images are clearly illegal, it does NOT mean the examiner can expand the scope of the examination to include evidence of child pornography.
The investigation team must obtain an additional search warrant to allow the forensic examination to include evidence relating to child pornography images.
As in any other search, it is vitally important to define exactly what you are searching for. Going outside the scope of the search authorization may result in the suppression of evidence.
Forensic Investigations Overview
Four-Step Process for Conducting Investigations
The role of a digital forensic examiner is to identify artifacts and other information stored on digital devices that may show certain events occurred, as well as who was responsible for these events. Such examinations may involve legal proceedings in either criminal or civil courts. Digital forensic examiners use a four-step process to conduct their investigations to ensure their findings are considered both credible and reliable. The four steps are collection, examination, analysis, and reporting.
Collection
The first phase in the process is to identify, label, record, and acquire data from the possible sources of relevant data, while following guidelines and procedures that preserve the integrity of the data. Collection is typically performed in a timely manner because of the likelihood of losing dynamic data such as current network connections, as well as losing data from battery-powered devices (e.g., cell phones, PDAs).
Analysis
The next phase of the process is to analyze the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.
Reporting
The final phase is reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, guidelines, procedures, tools, and other aspects of the forensic process. The formality of the reporting step varies greatly depending on the situation.
Forensics Investigations
While the technology and tools for performing digital forensic investigations are the same for cases involving the private sector and law enforcement, the procedures for collecting evidence may differ. Both require the use of forensically sound tools and methods. Both also require adherence to established procedures and policies, commonly referred to as Standard Operating Procedures, or SOPs, in order to maintain confidence in the results of the examination.
Standard Operating Procedure (SOP) is a document that outlines the required steps to complete specific tasks within an organization. Its purpose is to ensure consistency, efficiency, and quality in operations, and to comply with industry regulations.
Private Investigations
Private investigations are started at the request of private citizens or businesses in non-criminal cases. The purpose of private investigations is to assess:
- Whether a person has been wronged by another (such as a person entering into a contract without the intention of ever fulfilling the contract)
- Whether a company policy has been violated (such as a violation of an appropriate use policy)
- If a computer incident involves a criminal element (such as a person intentionally causing a business to lose revenue by making unavailable specific key computer systems)
Criminal Investigations
The second type of investigation is initiated when a crime is alleged to have been committed. A law enforcement agency initiates the investigation based on a referral from a complainant or witness, or through information developed from a proactive investigation (e.g., an undercover drug investigation). Once sufficient evidence is gathered by law enforcement, charges may be filed through a criminal complaint.
Steps in a Criminal Investigation
Steps in a criminal investigation include:
- Initial Information is Received
- The complaint provides details about the crime such as the time, circumstances, and participants. The complaint should outline the facts surrounding the crime.
- The Investigation
- The facts of the complaint are scrutinized by law enforcement. Further investigation is conducted. Charges may be filed and referred for prosecution. The threshold for arrest is probable cause: facts that would cause a reasonable person to believe that the named suspect committed the offense.
- Prosecution
- The attorneys representing the government will attempt to prove a specific set of events occurred that resulted in a crime being committed, and that a particular person or persons criminally participated in those events. Each element of the alleged offense must be proven beyond a reasonable doubt.
Investigation Questions
The attorneys for the prosecution continually provide feedback to the investigators in the form of questions. Following are examples of typical investigation questions, which often include the "5 Ws" (who, what, when, where, why) of the case:
- What information is missing from the complaint?
- Who committed the crime?
- Is this scenario plausible?
- At what time did the event occur?
- Are the facts of the complaint correct?
- Did the event occur?
- What events led up to the crime?
Planning the Examination: Investigative Plan
The first step in any digital forensic examination is developing an investigative plan. The investigative plan should include details regarding the various stages of the examination from the collection of evidence to the submission of reports documenting the examination results. Proper planning will help minimize many of the challenges to a successful forensic examination.
Investigative plans:
- Determine what information is being requested, or specify the goal of the examination
- Divide the work among several examiners for faster turnaround
- Speed up the resolution of the investigation by reducing wasteful and unproductive actions
- Ensure that established policies and procedures are adhered to
- Increase confidence in both the evidence and procedures used to gather the evidence
Planning the Examination: Questions for Developing an Investigative Plan
To aid in developing an investigative plan, the examiner will need to answer many questions.
Once these issues are resolved and the questions are answered, an examiner can produce an investigative plan. There is no standard for how a plan should be structured or formatted. Once the investigative plan is prepared, the collection of evidence and the examination can begin.
- Question 1: What is the objective of the investigation?
- This question addresses issues directly related to the investigations. A good plan will specify the evidence and the procedures to collect it.
- Question 2: Where is the digital evidence likely to be located?
- Knowing where to look helps focus the investigation. A case involving a harassing email would focus on the email contained on the computer's hard drive, cloud email application, or on the company server.
- Question 3: What tools/skills do I need to gather the evidence?
- The answer to this question allows the lead investigator additional time to schedule resources that are scarce in the forensics lab or to validate if the case will need to be referred to another forensics lab for supplementary work.
- Question 4: Is there sufficient legal search authority?
- Has there been a court-issued search warrant? Has the user or owner of the device signed a proper consent to search form? What is the scope of the search?
- Question 5: What local laws or court processes affect the case?
- Certain federal districts require a different search procedure for digital evidence compared to other districts. Is the examination restricted as a result of unique language in the search authorization or warrant?
- Question 6: What exactly will be done?
- This question helps the investigation by producing an itemized list of steps that will be completed during the investigation. These steps are generally high-level and in the form of a checklist.
- Question 7: Who will do what?
- There are several roles during the examination. Some roles may be performed by multiple examiners:
- Evidence collection may be performed by a crime scene technician, another investigator, or a forensic examiner.
- Acquiring forensic images of the digital evidence may be assigned to multiple examiners to speed up the task. Some organizations assign technicians to only perform forensic acquisitions and imaging of evidence while the analysis is performed by other examiners.
- Will specific types of devices be assigned to examiners with specific expertise? For example, mobile devices may be assigned to examiners with mobile device expertise.
- Does a particular piece of evidence have a higher priority over others?
- Is there a need for evidence triage to produce critical evidence that will be of immediate use to the investigation? Does all of the evidence collected actually need to be the subject of a thorough forensic examination that could take months?
Things to Consider When Planning an Investigation
One of the most critical points in any forensics plan is having the right person do the right job. The lead investigator must plan for each task to be performed by an examiner with sufficient training and experience to perform the work.
The ideal environment for digital forensics work would contain a private area that is separate from other unrelated tasks. The facility will include a secure work area with dedicated forensics equipment and software.
- Personnel
- Adequately trained, experienced, and skilled forensics experts will need to be hired with sufficient salary to retain them. Support staff may be needed, such as a dedicated evidence custodian, technicians, and administrative staff.
- Secured Storage
- A secured evidence storage facility is critical for any digital forensics lab. This can be as simple as a locking steel cabinet with the keys or combination code held by an assigned staff member or evidence custodian. Larger organizations may need a more formal evidence room with a rotating staff checking evidence in and out to investigators. The evidence storage area is separated from the staff and forensics workspaces by additional security controls (cameras, guards, and/or locked doors). An alarm system should be in place that is monitored 24/7. All evidence disposition or access should be recorded with a chain of custody.
- Sufficient Budget
- Operating a digital forensics lab is expensive. The cost of equipment and software licenses for even a one-person lab can be thousands of dollars annually. Several areas that will need to be budgeted for include the following:
- Storage hardware (hard disk drives, solid-state drives, optical media, servers, etc.)
- Forensic workstations and laptops
- Network storage for evidence and case data
- Annual training budget to maintain staff expertise
- Software licensing costs that often involve annual licensing fees
- Lab Facility
- The lab facility could be a secured private office area in a secure building. The lab itself may be used to store evidence associated with multiple investigations. Only employees assigned to the digital forensics tasks should have access. All staff with access will have successfully passed a proper background screening process.
Separation of Duties
Separation of duties allows work to be divided even further for evidence collection and analysis. Physical and digital evidence can be separated along with dividing the acquisition and extraction of data. This separation may also be done by expertise as one person may become an expert in either mobile phone devices, macOS, Linux, or Windows operating systems. Areas of expertise include:
- Malware Reverse Engineering
- Mobile Device Analysis
- Network Forensics
- GPS Device Analysis
- Image Video Analysis
- Cloud Forensics
- Vehicle Forensics
Processes and Procedures
Establishing processes and procedures is required for every forensics lab.
- Procedures describe the "how", such as: proper usage of software, application of computer hardware, and handling of evidence for the forensic examiner performing a task.
- A process is the "what" and "when" during an examination. You will find these in a manual or an internal website. These are formal documentation, meaning they have timestamps and change logs.
Standard Operating Procedures
All organizations operating a digital forensics unit must have documented technical standard operating procedures (SOPs) for the analysis of digital media. SOPs are a set of written instructions that document a routine or repetitive activity followed by an organization. The development and use of SOPs are an integral part of a successful quality system as they provide individuals with the information to perform their jobs properly and help facilitate consistency in the quality and integrity of the forensic examination. Personnel should adhere to the SOPs when performing any digital forensics examination. This ensures the results of any examination are valid and reliable. The SOPs must be updated as technology changes.
If it is necessary to deviate from an SOP, the reason should be documented and, if necessary, approved.
Documented Processes and Procedures
Processes and procedures provide a means to ensure that everyone is performing tasks using a standard method and order. The evidence will have a good chance of standing up in court if processes and procedures are followed.
If you do not have a procedure in place, it will be very easy for the opposing attorney to question everything you did. The attorney may question the professionalism and qualifications of the forensics lab, staff, and the validity of the evidence.
These documented processes and procedures must also be reviewed and updated as needed.
Proposed Standards for the Exchange of Digital Evidence
The Proposed Standards for the Exchange of Digital Evidence provided by the International Organization on Computer Evidence (IOCE) provides a set of principles for the standardized recovery of computer-based evidence.
- When it is necessary for a person to access original digital evidence, that person must be forensically competent.
- Any agency responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
- Upon seizing digital evidence, if at all possible, actions taken should not change the evidence.
- An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
Legal Consequences of Not Following Processes and Procedures
The argument of the attorney will be that the processes and procedures should cover all possible scenarios. Not following a process or procedure could be portrayed as:
- A failure to understand what is required to perform forensic evidence gathering.
- Here, such an understanding would result in a process or procedure that covered the particulars at hand. If the staff cannot prepare for this simple eventuality, how can any of the other evidence be trusted?
- Failure due to incompetent or unqualified staff.
- If the process or procedure did exist and was not followed, then how can any of the evidence be trusted? What if you have to develop a new process or procedure?
Processes and Procedures: Keeping a Detailed Log
Even though you are using formally documented processes and procedures, you must keep a detailed log of what you did to include the following:
- Procedure name or number
- Revision date
- Software versions used
- Hardware used
- Changes made
- Approvals
- Etc.
Again, you may have to defend your methodology in court. Proper documentation (forensic notes) is a true mark of a professional.
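As an added illustration (not part of the course notes), the following Python example keeps an examination log whose entries carry the fields listed above. The SHA-256 digest of the evidence image in each entry, and the chaining of each entry to the previous one, are my assumptions about how such a log can be made verifiable later; the notes do not prescribe them. All sample values are constructed.

```python
"""Constructed example: a chained examination log with evidence digests."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, used for both evidence images and log entries."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class LogEntry:
    # Fields named in the note-keeping list above.
    procedure: str            # procedure name or number
    revision_date: str        # revision date of that procedure
    software_versions: dict   # tool name -> version string
    hardware: str             # write blocker, workstation, etc.
    changes_made: str         # what the examiner did
    approvals: list           # who approved the step or any deviation
    # Fields added for integrity and review (assumed, not from the notes).
    examiner: str
    evidence_id: str
    evidence_sha256: str      # digest of the evidence image at time of action
    timestamp: str            # UTC, ISO 8601
    prev_entry_sha256: str    # digest of the previous entry (hash chain)

    def digest(self) -> str:
        # Canonical JSON so the digest does not depend on field ordering.
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class ExaminationLog:
    """Append-only log; each entry is chained to the one before it."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, *, procedure, revision_date, software_versions, hardware,
               changes_made, approvals, examiner, evidence_id, evidence: bytes,
               timestamp=None) -> LogEntry:
        prev = self.entries[-1].digest() if self.entries else self.GENESIS
        entry = LogEntry(
            procedure=procedure, revision_date=revision_date,
            software_versions=dict(software_versions), hardware=hardware,
            changes_made=changes_made, approvals=list(approvals),
            examiner=examiner, evidence_id=evidence_id,
            evidence_sha256=sha256_hex(evidence),
            timestamp=timestamp or datetime.now(timezone.utc).isoformat(),
            prev_entry_sha256=prev,
        )
        self.entries.append(entry)
        return entry

    def verify(self, evidence_by_id: dict) -> list:
        """Return a list of problems; an empty list means log and evidence check out."""
        problems = []
        expected_prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_sha256 != expected_prev:
                problems.append(f"entry {i}: chain broken (an earlier entry was altered, removed or reordered)")
            current = evidence_by_id.get(e.evidence_id)
            if current is None:
                problems.append(f"entry {i}: evidence {e.evidence_id} not available for verification")
            elif sha256_hex(current) != e.evidence_sha256:
                problems.append(f"entry {i}: evidence {e.evidence_id} no longer matches the recorded digest")
            expected_prev = e.digest()
        return problems


def build_sample_log():
    """Constructed two-step log over a stand-in evidence image."""
    image = b"constructed stand-in for the bytes of evidence image E-001"
    log = ExaminationLog()
    log.record(procedure="SOP-ACQ-07 (hypothetical)", revision_date="2023-01-15",
               software_versions={"imager": "4.2.1"}, hardware="write blocker WB-3, workstation FWS-02",
               changes_made="Acquired forensic image of E-001 through write blocker",
               approvals=["lead investigator"], examiner="examiner A",
               evidence_id="E-001", evidence=image, timestamp="2024-03-01T09:00:00+00:00")
    log.record(procedure="SOP-ANL-02 (hypothetical)", revision_date="2022-11-30",
               software_versions={"analysis suite": "9.0"}, hardware="workstation FWS-02",
               changes_made="Keyword search over image; no changes to evidence",
               approvals=[], examiner="examiner B",
               evidence_id="E-001", evidence=image, timestamp="2024-03-02T14:30:00+00:00")
    return log, image


if __name__ == "__main__":
    sample_log, sample_image = build_sample_log()
    print(sample_log.verify({"E-001": sample_image}))  # [] when nothing was altered
```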
Note Taking
Each step of the process should be recorded in detailed notes. The notes will document the results of the work performed and will also include the tools, techniques, and processes used during collection and analysis of the evidence. The notes should be well formatted and consistent, including the dates of events.
Notes should be void of speculation. Opinions may be provided as long as the opinion is based on the evidence. Any opinions should be marked as such within the notes.
Each examiner that is involved in the examination will maintain their own notes. The original notes with signatures and dates signed will be included with the case file. All notes and reports may be subject to discovery by all parties in any court litigation.
Post-Mortem
The post-mortem is when the group of investigators and specialists review a case that has been completed. The goal is to identify any issues that could have impacted the success of the case (lessons-learned) and to build experience and improve future investigations.
Lead investigators examine which steps of the plan produced the most critical pieces of evidence, teaching them how to better prioritize the action items. They also learn from the specialists what additional steps must be incorporated into future plans, and what equipment needs to be added. Peer review sessions become invaluable mentoring and training sessions for the less experienced examiners.
New or improved processes may be discovered and should be presented at the post-mortem review.
Post-Mortem Questions
Both the specialists and the lead investigator gain experience and perspective from the legal system. Since investigations often take years to complete, perspective can easily be lost. The post-mortem session should, at a minimum, address the following questions:
- Were there issues with any of the evidence in any legal proceedings?
- Was the evidence sufficiently convincing to the court?
- Were the results of forensics examinations clearly understood by the parties, court or jury?
- Were there any errors in the evidence gathering process?