Digital forensic process: Difference between revisions

AnomieBOT (talk | contribs)
Rescuing orphaned refs
Reverted to revision 777703644 by 24.16.154.216 (talk): Rvv. (TW)
Line 1:
[[File:Forensic tableau.JPG|thumb|right|A Tableau forensic write blocker]]
The '''digital forensic process''' is a recognized scientific and forensic process used in [[digital forensics]] investigations.<ref name="first" >{{cite web|title=Electronic Crime Scene Investigation Guide: A Guide for First Responders|publisher=National Institute of Justice|year=2001|url=http://www.ncjrs.gov/pdffiles1/nij/187736.pdf}}</ref><ref name="handbook" >{{cite book|last=Various|title=Handbook of Digital Forensics and Investigation|year=2009|publisher=Academic Press|isbn=0-12-374267-6|pages=567|url=https://books.google.com/books?id=xNjsDprqtUYC|editor=Eoghan Casey|accessdate=4 September 2010}}</ref> Forensics researcher [[Eoghan Casey]] defines it as a number of steps from the original incident alert through to the reporting of findings.<ref name="casey">{{cite book|last=Casey|first=Eoghan|title=Digital Evidence and Computer Crime, Second Edition|year=2004|publisher=Elsevier|isbn=0-12-163104-4|url=https://books.google.com/books?id=Xo8GMt_AbQsC&hl=en&dq=Digital%20Evidence%20and%20Computer%20Crime,%20Second%20Edition&ei=it1XTMncCMm44gbC_qyFBw&sa=X&oi=book_result&ct=result&resnum=1&ved=0CDQQ6AEwAA}}</ref> The process is predominantly used in [[Computer forensics|computer]] and [[Mobile device forensics|mobile]] forensic investigations and consists of three steps: ''acquisition'', ''analysis'' and ''reporting''.
 
Digital media seized for investigation is usually referred to as an "exhibit" in legal terminology. Investigators employ the [[scientific method]] to recover [[digital evidence]] to support or disprove a hypothesis, either for a [[court of law]] or in [[civil litigation|civil proceedings]].<ref name="handbook" />
Line 16:
==Process models==
 
There have been many attempts to develop a process model, but so far none has been universally accepted. Part of the reason may be that many of the process models were designed for a specific environment, such as law enforcement, and therefore could not be readily applied in other environments such as incident response.<ref name="adams">{{cite web|last=Adams|first=Richard|title=The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice|year=2012|url=http://researchrepository.murdoch.edu.au/14422/2/02Whole.pdf}}</ref> This is a list of the main models since 2001 in chronological order:<ref name="adams" />
 
The Abstract Digital Forensic Model (Reith, et al., 2002)
Line 54:
==Acquisition==
[[File:Tableau TD3 Forensic Imager 2014-06-26 07-05.jpg|thumb|Example of a portable disk imaging device]]
 
Once exhibits have been seized, an exact [[Disk sector|sector]]-level duplicate (or "forensic duplicate") of the media is created, usually via a [[Forensic disk controller|write blocking]] device, in a process referred to as ''[[Disk imaging#Hard drive imaging|imaging]]'' or ''acquisition''.<ref name="horenbeeck">{{cite web|title=Technology Crime Investigation|url=http://www.daemon.be/maarten/forensics.html|accessdate=17 August 2010|author=Maarten Van Horenbeeck|date=24 May 2006}}</ref> The duplicate is created using a hard-drive duplicator or software imaging tools such as [[DCFLdd]], [[IXimager]], [[Guymager]], TrueBack, [[EnCase]], [[Forensic Toolkit|FTK]] Imager or FDAS. The original drive is then returned to secure storage to prevent tampering.
 
The acquired image is verified using the [[SHA-1]] or [[MD5]] [[cryptographic hash function|hash function]]s, so that its digest can be compared with that of the original media. At critical points throughout the analysis the image is hashed again (a step known as "hashing") and the digest compared with the value recorded at acquisition, to ensure that the evidence is still in its original state.
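As an added illustration that is not part of the article, the verification step in Python: the image is streamed through the MD5 and SHA-1 functions the article names, the digests are recorded at acquisition, and a later re-hash is compared with that record. The exhibit file name, the constructed 4 KiB "disk" content and the single-byte change used to show a failed check are assumptions made for this example.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read the image in 1 MiB chunks so a large evidence file is never loaded whole


def hash_bytes(data, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for an in-memory buffer (handy for small checks)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest} for the whole file, computing all digests in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, acquisition_hashes):
    """Re-hash the image and compare every digest with the value recorded at acquisition.

    Returns (ok, current_hashes); a single mismatch means the image is no longer
    in its original state and the chain of custody must be re-examined."""
    current = hash_file(path, tuple(acquisition_hashes))
    ok = all(current[name] == expected.lower() for name, expected in acquisition_hashes.items())
    return ok, current


def run_demo():
    """Constructed walk-through: image a fake exhibit, record its hashes, verify,
    then show that a one-byte change to the working copy is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "exhibit01.dd")  # assumed exhibit file name
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 16)  # constructed 4 KiB stand-in for a sector-level copy
        acquisition = hash_file(image)  # digests recorded at imaging time
        ok_before, _ = verify_image(image, acquisition)
        with open(image, "r+b") as fh:  # simulate tampering: overwrite one byte
            fh.seek(1000)
            fh.write(b"\x00")
        ok_after, _ = verify_image(image, acquisition)
    return {"verified_after_acquisition": ok_before, "verified_after_tamper": ok_after}


if __name__ == "__main__":
    print(run_demo())
```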
Line 61:
==Analysis==
 
After acquisition, the contents of the image files are analysed to identify evidence that either supports or contradicts a hypothesis, or for signs of tampering (to hide data).<ref name="carrier" >{{cite web|last=Carrier|first=B|title=Defining digital forensic examination and analysis tools|citeseerx = 10.1.1.14.8953|publisher=Digital Research Workshop II|accessdate=2 August 2010|year=2001}}</ref> In 2002 the ''International Journal of Digital Evidence'' referred to this stage as "an in-depth systematic search of evidence related to the suspected crime".<ref name="ijde-2002" >{{cite web|title=An examination of digital forensic models|citeseerx = 10.1.1.13.9683|publisher=International Journal of Digital Evidence|accessdate=2 August 2010|author1=M Reith |author2=C Carr |author3=G Gunsch |year=2002}}</ref> By contrast, Brian Carrier in 2006 describes a more "intuitive procedure" in which obvious evidence is first identified, after which "exhaustive searches are conducted to start filling in the holes".<ref name="df-basics">{{cite web|last=Carrier|first=Brian D|title=Basic Digital Forensic Investigation Concepts|url=http://www.digital-evidence.org/di_basics.html|date=7 June 2006}}</ref>
 
During the analysis an investigator usually recovers evidence material using a number of different methodologies (and tools), often beginning with the recovery of deleted material. Examiners use specialist tools (EnCase, ILOOKIX, FTK, etc.) to aid with viewing and recovering data. The type of data recovered varies depending on the investigation; examples include email, chat logs, images, internet history and documents. The data can be recovered from accessible disk space, from deleted (unallocated) space or from within operating system cache files.<ref name="casey" />
Line 83:
Once evidence is recovered the information is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialist staff.<ref name="ijde-2002" /> Digital investigators, particularly in criminal investigations, have to ensure that conclusions are based upon data and their own expert knowledge.<ref name="casey" /> In the US, for example, Federal Rules of Evidence state that a qualified expert may testify “in the form of an opinion or otherwise” so long as:
 
{{quote|(1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.<ref name="rule702" >{{cite web|title=Federal Rules of Evidence #702|url=http://federalevidence.com/rules-of-evidence#Rule702|accessdate=23 August 2010}}</ref>}}
 
==Reporting==
Line 91:
 
==References==
{{reflist|refs=
<ref name="adams">{{cite web|last=Adams|first=Richard|title=The Advanced Data Acquisition Model (ADAM): A process model for digital forensic practice|year=2012|url=http://researchrepository.murdoch.edu.au/14422/2/02Whole.pdf}}</ref>
<ref name="first" >{{cite web|title=Electronic Crime Scene Investigation Guide: A Guide for First Responders|publisher=National Institute of Justice|year=2001|url=http://www.ncjrs.gov/pdffiles1/nij/187736.pdf}}</ref>
<ref name="casey">{{cite book|last=Casey|first=Eoghan|title=Digital Evidence and Computer Crime, Second Edition|year=2004|publisher=Elsevier|isbn=0-12-163104-4|url=https://books.google.com/books?id=Xo8GMt_AbQsC&hl=en&dq=Digital%20Evidence%20and%20Computer%20Crime,%20Second%20Edition&ei=it1XTMncCMm44gbC_qyFBw&sa=X&oi=book_result&ct=result&resnum=1&ved=0CDQQ6AEwAA}}</ref>
<ref name="carrier" >{{cite web|last=Carrier|first=B|title=Defining digital forensic examination and analysis tools|citeseerx = 10.1.1.14.8953|publisher=Digital Research Workshop II|accessdate=2 August 2010|year=2001}}</ref>
<ref name="horenbeeck">{{cite web|title=Technology Crime Investigation|url=http://www.daemon.be/maarten/forensics.html|accessdate=17 August 2010|author=Maarten Van Horenbeeck|date=24 May 2006}}</ref>
<ref name="ijde-2002" >{{cite web|title=An examination of digital forensic models|citeseerx = 10.1.1.13.9683|publisher=International Journal of Digital Evidence|accessdate=2 August 2010|author1=M Reith |author2=C Carr |author3=G Gunsch |year=2002}}</ref>
<ref name="rule702" >{{cite web|title=Federal Rules of Evidence #702|url=http://federalevidence.com/rules-of-evidence#Rule702|accessdate=23 August 2010}}</ref>
<ref name="df-basics">{{cite web|last=Carrier|first=Brian D|title=Basic Digital Forensic Investigation Concepts|url=http://www.digital-evidence.org/di_basics.html|date=7 June 2006}}</ref>
<ref name="handbook" >{{cite book|last=Various|title=Handbook of Digital Forensics and Investigation|year=2009|publisher=Academic Press|isbn=0-12-374267-6|pages=567|url=https://books.google.com/books?id=xNjsDprqtUYC|editor=Eoghan Casey|accessdate=4 September 2010}}</ref>
}}
 
==External links==
Line 97 ⟶ 107:
* [http://www.ncjrs.gov/pdffiles1/nij/199408.pdf U.S. Department of Justice - Forensic Examination of Digital Evidence: A guide for Law Enforcement]
* [https://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/april2000/swgde.htm/ FBI - Digital Evidence: Standards and Principles]
* {{cite book|title=Computer forensics: incident response essentials|year=2002|publisher=Addison-Wesley|isbn=0-201-70719-5|pages=392|author1=Warren G. Kruse |author2=Jay G. Heiser }}
 
==Further reading==