Digital forensic process: Difference between revisions

The '''digital forensic process''' is a recognized scientific and forensic process used in [[digital forensics]] investigations.<ref name="first" /><ref name="handbook" /> Forensics researcher [[Eoghan Casey]] defines it as a number of steps from the original incident alert through to reporting of findings.<ref name="casey" /> The process is predominantly used in [[Computer forensics|computer]] and [[Mobile device forensics|mobile]] forensic investigations and consists of three steps: ''acquisition'', ''analysis'' and ''reporting''.
 
Digital media seized for investigation may become an "exhibit" in legal terminology if it is determined to be 'reliable'. Investigators employ the [[scientific method]] to recover [[digital evidence]] to support or disprove a hypothesis, either for a [[court of law]] or in [[civil litigation|civil proceedings]].<ref name="handbook" />
 
==Personnel==
 
The stages of the digital forensics process require different specialist training and knowledge. There are two basic levels of personnel:<ref name="casey" />
 
;Digital forensic technician
:Technicians may gather or process evidence at crime scenes. These technicians are trained on the correct handling of technology (for example how to preserve the evidence). Technicians may be required to carry out "Live analysis" of evidence. Various tools to simplify this procedure have been produced, such as EnCase, Velociraptor and FTK.
 
;Digital Evidence Examiners
 
There have been many attempts to develop a process model, but so far none has been universally accepted. Part of the reason may be that many of the process models were designed for a specific environment, such as law enforcement, and therefore could not be readily applied in other environments such as incident response.<ref name="adams" /> This is a list of the main models since 2001 in chronological order:<ref name="adams" />
* The Abstract Digital Forensic Model (Reith, et al., 2002)
* The Integrated Digital Investigative Process (Carrier & Spafford, 2003) [https://web.archive.org/web/20181223073625/https://pdfs.semanticscholar.org/915b/524318e2f0689b586ba7ae89ea39e9b22ce3.pdf ]
* An Extended Model of Cybercrime Investigations (Ciardhuain, 2004)
* The Enhanced Digital Investigation Process Model (Baryamureeba & Tushabe, 2004) [https://www.dfrws.org/sites/default/files/session-files/pres-the_enhanced_digital_investigation_process_model.pdf ] {{Webarchive|url=https://web.archive.org/web/20180401144648/https://www.dfrws.org/sites/default/files/session-files/pres-the_enhanced_digital_investigation_process_model.pdf |date=2018-04-01 }}
* The Digital Crime Scene Analysis Model (Rogers, 2004)
* A Hierarchical, Objectives-Based Framework for the Digital Investigations Process (Beebe & Clark, 2004)
* Framework for a Digital Investigation (Kohn, et al., 2006) [http://mo.co.za/open/dfframe.pdf ]
* The Four Step Forensic Process (Kent, et al., 2006)
* FORZA - Digital forensics investigation framework (Ieong, 2006) [https://dfrws.org/sites/default/files/session-files/paper-forza_-_digital_forensics_investigation_framework_that_incorporate_legal_issues.pdf ] {{Webarchive|url=https://web.archive.org/web/20170808232356/https://www.dfrws.org/sites/default/files/session-files/paper-forza_-_digital_forensics_investigation_framework_that_incorporate_legal_issues.pdf |date=2017-08-08 }}
* Process Flows for Cyber Forensics Training and Operations (Venter, 2006)
* The Common Process Model (Freiling & Schwittay, 2007) [https://www.imf-conference.org/imf2007/2%20Freiling%20common_model.pdf ]
* The Two-Dimensional Evidence Reliability Amplification Process Model (Khatir, et al., 2008) [https://www.researchgate.net/publication/232619841_Two-Dimensional_Evidence_Reliability_Amplification_Process_Model_for_Digital_Forensics Two-Dimensional Evidence Reliability Amplification Process Model for Digital Forensics]
* The Digital Forensic Investigations Framework (Selamat, et al., 2008)
* The Systematic Digital Forensic Investigation Model (SRDFIM) (Agarwal, et al., 2011) [https://www.researchgate.net/publication/228410430_Systematic_Digital_Forensic_Investigation_Model Systematic Digital Forensic Investigation Model]
* The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice (Adams, 2012) [http://researchrepository.murdoch.edu.au/id/eprint/14422/2/02Whole.pdf Research Portal]
 
==Seizure==
 
Prior to the actual examination, digital media will be seized. In criminal cases this will often be performed by [[Law enforcement agency|law enforcement]] personnel trained as technicians to ensure the preservation of evidence. In civil matters it will usually be a company officer, often untrained. Various laws cover the [http://www.duhaime.org/LegalDictionary/S/Seizure.aspx seizure] {{Webarchive|url=https://web.archive.org/web/20140821103731/http://www.duhaime.org/LegalDictionary/S/Seizure.aspx |date=2014-08-21 }} of material. In criminal matters, the law relating to [[search warrants]] is applicable. In civil proceedings, the assumption is that a company is able to investigate its own equipment without a warrant, so long as the privacy and human rights of employees are preserved.
 
==Acquisition==
[[File:Tableau TD3 Forensic Imager 2014-06-26 07-05.jpg|thumb|Example of a portable disk imaging device]]
Once exhibits have been seized, an exact [[Disk sector|sector]] level duplicate (or "forensic duplicate") of the media is created, usually via a [[Forensic disk controller|write blocking]] device. The duplication process is referred to as ''[[Disk imaging#Hard drive imaging|Imaging]]'' or ''Acquisition''.<ref name="horenbeeck"/> The duplicate is created using a hard-drive duplicator or software imaging tools such as [[DCFLdd]], [[IXimager]], [[Guymager]], TrueBack, [[EnCase]], [[Forensic Toolkit|FTK]] Imager or FDAS. The original drive is then returned to secure storage to prevent tampering.

The acquired image is verified using the [[SHA-1]] or [[MD5]] [[cryptographic hash function|hash function]]s, a process known as "hashing". At critical points throughout the analysis, the media is hashed again to ensure that the evidence is still in its original state.
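The acquisition-and-verification loop described above, as an added example that is not part of the original article or of any of the tools it names: the image is hashed in chunks at acquisition time, the digests are kept as the chain-of-custody record, and a later re-hash detects even a single-byte change. The media content, file name and function names are constructed for the example.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the seized media; a real acquisition reads the
# block device through a write blocker instead of a byte string.
SAMPLE_MEDIA = bytes(range(256)) * 16


def hash_image(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Digest the image in fixed-size chunks so multi-terabyte images never
    have to fit in memory. SHA-256 is recorded alongside MD5/SHA-1 because
    both older algorithms have known collision attacks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source_bytes, image_path):
    """Write a sector-level copy and return the acquisition hashes, which are
    the values an examiner records in the chain-of-custody documentation."""
    with open(image_path, "wb") as fh:
        fh.write(source_bytes)
    return hash_image(image_path)


def verify(image_path, recorded):
    """Re-hash the image at a later checkpoint and compare against the
    recorded values. Returns (all_match, [algorithms that mismatched])."""
    current = hash_image(image_path)
    mismatched = [name for name in recorded if current.get(name) != recorded[name]]
    return (not mismatched, mismatched)


def demo():
    """Acquire the constructed media, verify it, flip one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        recorded = acquire(SAMPLE_MEDIA, image)
        intact_ok, _ = verify(image, recorded)
        with open(image, "r+b") as fh:  # simulate a single-byte modification
            fh.seek(len(SAMPLE_MEDIA) // 2)
            fh.write(b"\xff")
        tampered_ok, mismatched = verify(image, recorded)
    return intact_ok, tampered_ok, sorted(mismatched)


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha1', 'sha256'])
```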
 
Given the problems associated with imaging large drives, multiple networked computers, file servers that cannot be shut down, and cloud resources, new techniques have been developed that combine digital forensic acquisition and e-discovery [https://patents.google.com/patent/US8392706 processes].
 
==Analysis==
After acquisition, the contents of the (HDD) image files are analysed to identify evidence that either supports or contradicts a hypothesis, or for signs of tampering (to hide data).<ref name="carrier" /> In 2002 the ''International Journal of Digital Evidence'' referred to this stage as "an in-depth systematic search of evidence related to the suspected crime".<ref name="ijde-2002" /> By contrast Brian Carrier, in 2006, describes a more "intuitive procedure" in which obvious evidence is first identified, after which "exhaustive searches are conducted to start filling in the holes".<ref name="df-basics"/>
 
During the analysis an investigator usually recovers evidence material using a number of different methodologies (and tools), often beginning with recovery of deleted material. Examiners use specialist tools (EnCase, ILOOKIX, FTK, etc.) to aid with viewing and recovering data. The type of data recovered varies depending on the investigation, but examples include email, chat logs, images, internet history or documents. The data can be recovered from accessible disk space, deleted (unallocated) space or from within operating system cache files.<ref name="casey" />
 
Various types of techniques are used to recover evidence, usually involving some form of keyword searching within the acquired image file, either to identify matches to relevant phrases or to filter out known file types. Certain files (such as graphic images) have a specific set of bytes which identify the start and end of a file. If identified, a deleted file can be reconstructed.<ref name="casey" /> Many forensic tools use [[Cryptographic hash function|hash signatures]] to identify notable files or to exclude known (benign) files; acquired data is hashed and compared to pre-compiled lists such as the ''Reference Data Set'' (RDS) from the [[National Software Reference Library]].<ref name="horenbeeck" />
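The two techniques in the paragraph above, signature-based reconstruction of deleted files and hash-set comparison, as an added example that is not part of the original article or of any named tool. The "unallocated space" blob, the file contents and the known-file hash sets are constructed for the example; only the JPEG and PNG header/footer bytes are real signatures.

```python
import hashlib

# Header and footer byte signatures for two carvable file types (real values).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed "unallocated space": two complete files surrounded by zeroed
# sectors, plus a truncated JPEG header at the end that has no footer.
FAKE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"<constructed pixel data>" + b"\xff\xd9"
FAKE_PNG = SIGNATURES["png"][0] + b"IHDR<constructed chunks>" + SIGNATURES["png"][1]
UNALLOCATED = (b"\x00" * 40 + FAKE_JPG + b"\x00" * 17 + FAKE_PNG
               + b"\x00" * 9 + b"\xff\xd8\xff\xe1 cut")

# Constructed stand-ins for a pre-compiled hash set such as the NSRL RDS.
KNOWN_BENIGN = {hashlib.sha1(FAKE_PNG).hexdigest()}
KNOWN_NOTABLE = set()


def carve(blob, max_size=10_000_000):
    """Find every header..footer span in raw bytes, ignoring the file system
    entirely. Returns a list of (offset, type, data) sorted by offset."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = blob.find(header)
        while start != -1:
            end = blob.find(footer, start + len(header), start + max_size)
            if end == -1:
                break  # header with no footer in range: truncated fragment
            end += len(footer)
            found.append((start, ftype, blob[start:end]))
            start = blob.find(header, end)
    return sorted(found)


def classify(carved, known_benign, known_notable):
    """Hash each carved file and label it against the hash sets, the way
    forensic tools consult known-file lists. Returns {offset: label}."""
    labels = {}
    for offset, _ftype, data in carved:
        digest = hashlib.sha1(data).hexdigest()
        if digest in known_notable:
            labels[offset] = "notable"
        elif digest in known_benign:
            labels[offset] = "known-benign"
        else:
            labels[offset] = "unknown"
    return labels


if __name__ == "__main__":
    files = carve(UNALLOCATED)
    print([(off, ftype, len(data)) for off, ftype, data in files])
    print(classify(files, KNOWN_BENIGN, KNOWN_NOTABLE))
```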
 
On most media types, including standard magnetic hard disks, once data has been [[Secure file deletion|securely deleted]] it can never be recovered.<ref>{{cite web
| url = http://www.anti-forensics.com/disk-wiping-one-pass-is-enough
| title = Disk Wiping – One Pass is Enough
| date = 17 March 2009
| access-date = 27 November 2011
}}</ref><ref>{{cite web
| url = http://www.anti-forensics.com/disk-wiping-one-pass-is-enough-part-2-this-time-with-screenshots
| title = Disk Wiping – One Pass is Enough – Part 2 (this time with screenshots)
| date = 18 March 2009
| archive-url = https://web.archive.org/web/20111223162133/http://www.anti-forensics.com/disk-wiping-one-pass-is-enough-part-2-this-time-with-screenshots
| archive-date = 2011-12-23
| url-status = dead
}}</ref>
 
Once evidence is recovered the information is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialized staff.<ref name="ijde-2002" /> Digital investigators, particularly in criminal investigations, have to ensure that conclusions are based upon data and their own expert knowledge.<ref name="casey" /> In the US, for example, the Federal Rules of Evidence state that a qualified expert may testify "in the form of an opinion or otherwise" so long as:
 
{{quote|(1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.<ref name="rule702" />}}
When an investigation is completed the information is often reported in a form suitable for [[layman|non-technical individuals]]. Reports may also include audit information and other meta-documentation.<ref name="casey"/>
 
When completed, reports are usually passed to those commissioning the investigation, such as law enforcement (for criminal cases) or the employing company (in civil cases), who will then decide whether to use the evidence in court. Generally, for a criminal court, the report package will consist of a written expert conclusion of the evidence as well as the evidence itself (often presented on digital media).<ref name="casey"/>
 
==References==
{{reflist|refs=
<ref name="adams">{{cite web|last=Adams|first=Richard|title=The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice|year=2012|url=http://researchrepository.murdoch.edu.au/14422/2/02Whole.pdf}}</ref>
<ref name="first" >{{cite web|title=Electronic Crime Scene Investigation Guide: A Guide for First Responders|publisher=National Institute of Justice|year=2001|url=http://www.ncjrs.gov/pdffiles1/nij/187736.pdf}}</ref>
<ref name="casey">{{cite book|last=Casey|first=Eoghan|title=Digital Evidence and Computer Crime, Second Edition|year=2004|publisher=Elsevier|isbn=0-12-163104-4|url=https://books.google.com/books?id=Xo8GMt_AbQsC&q=Digital%20Evidence%20and%20Computer%20Crime,%20Second%20Edition}}</ref>
<ref name="carrier" >{{cite web|last=Carrier|first=B|title=Defining digital forensic examination and analysis tools|citeseerx = 10.1.1.14.8953|publisher=Digital Research Workshop II|year=2001 |url=https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.14.8953}}</ref>
<ref name="horenbeeck">{{cite web|title=Technology Crime Investigation|url=http://www.daemon.be/maarten/forensics.html|accessdate=17 August 2010|author=Maarten Van Horenbeeck|date=24 May 2006|url-status=dead|archiveurl=https://web.archive.org/web/20080517022757/http://www.daemon.be/maarten/forensics.html|archivedate=17 May 2008}}</ref>
<ref name="ijde-2002" >{{cite web|title=An examination of digital forensic models|citeseerx = 10.1.1.13.9683|publisher=International Journal of Digital Evidence|author1=M Reith |author2=C Carr |author3=G Gunsch |year=2002 |url=https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.13.9683}}</ref>
<ref name="rule702" >{{cite web|title=Federal Rules of Evidence #702|url=http://federalevidence.com/rules-of-evidence#Rule702|accessdate=23 August 2010|archive-url=https://web.archive.org/web/20100819114909/http://federalevidence.com/rules-of-evidence#Rule702|archive-date=19 August 2010|url-status=dead}}</ref>
<ref name="df-basics">{{cite web|last=Carrier|first=Brian D|title=Basic Digital Forensic Investigation Concepts|url=http://www.digital-evidence.org/di_basics.html|date=7 June 2006}}</ref>
<ref name="handbook" >{{cite book|last=Various|title=Handbook of Digital Forensics and Investigation|year=2009|publisher=Academic Press|isbn=978-0-12-374267-4|pages=567|url=https://books.google.com/books?id=xNjsDprqtUYC|editor=Eoghan Casey|accessdate=4 September 2010}}</ref>
}}
 
==External links==
* [http://www.ncjrs.gov/pdffiles1/nij/199408.pdf U.S. Department of Justice - Forensic Examination of Digital Evidence: A guide for Law Enforcement]
* [https://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/april2000/swgde.htm/ FBI - Digital Evidence: Standards and Principles]
* {{cite book|title=Computer forensics: incident response essentials|url=https://archive.org/details/computerforensic0000krus|url-access=registration|year=2002|publisher=Addison-Wesley|isbn=0-201-70719-5|pages=[https://archive.org/details/computerforensic0000krus/page/392 392]|author1=Warren G. Kruse |author2=Jay G. Heiser }}
 
==Further reading==
* {{cite journal|last=Carrier|first=Brian D.|title=Risks of live digital forensic analysis|journal=Communications of the ACM|date=February 2006|volume=49|issue=2|pages=56–61 |doi=10.1145/1113034.1113069|s2cid=16829457|url=http://portal.acm.org.libezproxy.open.ac.uk/citation.cfm?doid=1113034.1113069|accessdate=31 August 2010|issn=0001-0782|url-access=subscription}}
 
{{Digital forensics}}