Digital Forensic Procedures

(OBJ 4.8)

Digital Forensics

• Systematic process of investigating and analyzing digital devices and data to uncover evidence for legal purposes
• Often in the context of criminal investigations or legal disputes

Four Main Phases of Digital Forensic Procedures

• Identification

  • Focus on scene safety, prevention of evidence contamination, and scope determination
  • Secure the scene, preserve evidence, and document the scene
  • Identify where relevant data might be stored (e.g., tablets, smartphones, servers)

• Collection

  • Requires proper authorization (e.g., warrant, executive authorization)
    • You may need authorization from:
      • CIO
      • CSO
      • CEO
      • or other high level executive
  • Follow the proper acquisition procedures
  • Order of volatility
    • Dictates the sequence in which data sources should be collected and preserved based on their susceptibility to modification or loss
    • Following order of volatility minimizes data loss
    • 5 Steps of Order of Volatility
      1. Collect data from the system’s memory
         • System's Cache and RAM
      2. Capture data from the system state
         • System and network configuration, active user sessions, and any data that can be attained without altering the state of the system
      3. Collect data from storage devices
         • Hard Drives, SSDs, etc.
      4. Capture network traffic and logs
         • Data that can help us reconstruct any network-related activities or network events
      5. Collect remotely stored or archived data
         • Backups, cloud storage, external devices, and printouts.
    • Collect the things that change faster first.
  • Chain of Custody
    • Documented and verifiable record that tracks the handling, transfer, and preservation of digital evidence from the moment it is collected until it is presented in a court of law
    • Maintaining a secure and unbroken chain of custody is essential to demonstrate the integrity and admissibility of evidence.
    • Document actions and changes.
  • Evidence Collecting techniques
    • Disk imaging
      • Involves creating a bit-by-bit or logical copy of a storage device, preserving its entire content, including deleted files and unallocated space
      • Original data remains untouched and allows forensic analysts to work with an exact duplicate of the device for the analysis
    • File Carving
      • Focuses on extracting files and data fragments from storage media without relying on the file system
      • Useful when file metadata is missing or corrupted

• Analysis

  • Examine the forensically sound evidence copy
  • Systematically scrutinize data for relevant information, timestamps, user interactions, and signs of criminal activity
  • Follow strict procedures and documented protocols for consistency and objectivity

• Reporting

  • Document methods, tools used, actions performed, findings, and conclusions in a final report
  • The report serves as crucial evidence in legal proceedings, and the forensic analyst may need to testify in court about findings

Additional Concepts

• Legal Hold

  • Issued when litigation is expected and preserves potentially relevant electronic data
  • Formal notification that ensures employees to preserve all potentially relevant electronic data, documents and records.
  • Ensures evidence is not tampered with, deleted, or lost
    • Freezes the state of electronic information to safeguard it for future use in a legal preceding
  • Requires the implementation of preservation practices to protect systems and evidence
    • Ensure data is not Overwritten, Deleted, or Modified
    • May include
      • Making backup copies
      • Isolating critical systems
      • Implementing access controls

• E-Discovery (Electronic Discovery)

  • Process of identifying, collecting, and presenting electronically stored information for potential legal proceedings
  • Involves searching, analyzing, and formatting electronic data for litigation
  • Employed to efficiently sift through
    • Emails
    • Documents
    • Databases
    • and other digital records

• In most cases, your organization should opt to appoint a liaison with legal knowledge and expertise to help facilitate communication and cooperation with law enforcement and forensic teams to ensure you stay on the right side of the law.

  • Serves as a point of contact with the law

Ethical Considerations

• Adherence to a code of ethics that emphasizes avoiding bias, repeatable actions, and evidence preservation
  • Avoiding bias
    • Analysis should be performed without bias or prejudice and be based solely on the evidence
    • Use forensic analysts who are completely removed from the situation to avoid potential bias
    • Example:
      • Have one set of people who collect information called digital media collectors
      • Have another set that analyzes it called the digital forensic examiners
      • Can help minimize or eliminate bias of knowing the attacker/victim
  • Repeatable actions
    • All analysis must be based on repeatable processes documented in the final report
    • Example:
      • When doing a forensic analysis write down
        • Time
        • Actions
        • Results
      • On February 2nd, 2024, at 10:23, I entered the command "netstat - ano" at the command prompt of the Windows 10 System. I received a list of active network connections on that machine, and I noticed a connection to a potentially malicious server with an IP address of 66.55.44.33.
      • In addition to this, I might include a screenshot of the netstat results.
      • This way anyone can see what I did, when, and how I did it.
    • Ensuring the original evidence remains unchanged is critical to maintaining evidentiary integrity
  • Evidence preservation
    • Evidence includes both the device (e.g., laptop hard disk) and the data recovered from it
    • Perform analysis on a disk image, not the original drive, to prevent modifications or alterations
    • Example:
      • First image that drive, then conduct my analysis on the disk image of that drive instead of the original drive to prevent any modifications or alterations of any potential evidence located on that hard drive.