The Digital Forensics Process
Step 1: Identification
The identification process is where the forensic investigator examines the available and potential sources of digital information. These could be hardware devices such as laptops, cellphones and tablets, or network data or information stored in the cloud. During the identification process the investigator highlights these various sources of digital information, which will drive the collection requirements later in the process. For example, if law enforcement has determined that criminal evidence may be present on an individual's computer, then that device has been identified as a potential source for media exploitation during the collection phase.
Step 2: Collection
After potential sources of digital information have been identified, the next step is to collect these items. During this phase the investigator follows the necessary protocols to lawfully acquire these items for examination. It is important that the items are procured in a way that is consistent with the law. For example, in a law enforcement investigation, if the items are not collected lawfully then the evidence found thereafter may be discarded in court. This is less important for military or business applications, but caution must still be used in these settings to guarantee the preservation of the digital evidence. For example, if certain digital artifacts are not collected properly then the data found therein may be damaged or destroyed.
Step 3: Preservation
Preservation of digital information is extremely important, especially in a law enforcement investigation. Certain types of digital information, such as the contents of Random Access Memory (RAM), may be easily lost, damaged or destroyed if not handled properly. If the information is completely destroyed it may be of no value to the investigator, whether for law enforcement or other purposes. The forensic investigator must handle each item with a different level of care depending on how that information is stored. Hardware devices must be kept safe from physical damage such as water, heat and chemicals, while image files and digital artifacts must be handled with care so as not to corrupt them.
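One way to implement the integrity check that preservation depends on, as an added example that is not part of the original course text: hash the acquired image at collection time, record the digests in the chain-of-custody entry, and re-hash every working copy before it is examined so that corruption is detected rather than silently analyzed. The image bytes, examiner name and item id below are constructed placeholders.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample standing in for a raw disk image acquired from a seized device.
ACQUIRED_IMAGE = b"boot sector stub " + bytes(range(256)) * 4 + b" evidence payload"


def hash_image(stream, chunk_size=4096):
    """Hash an evidence image in chunks so large images need not fit in memory.
    Returns MD5 and SHA-256; the pair is commonly recorded on acquisition forms
    (MD5 only for compatibility with older tooling, SHA-256 for integrity)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record_acquisition(image_bytes, examiner, item_id):
    """Build the chain-of-custody entry written at collection time."""
    return {
        "item_id": item_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        **hash_image(io.BytesIO(image_bytes)),
    }


def verify_image(image_bytes, custody_entry):
    """Re-hash a working copy and list every algorithm whose digest no longer
    matches the acquisition record. An empty list means bit-for-bit identical."""
    current = hash_image(io.BytesIO(image_bytes))
    return [alg for alg in ("md5", "sha256") if current[alg] != custody_entry[alg]]


def simulate_corruption(image_bytes, offset):
    """Flip one bit at the given offset to model a damaged copy (test helper)."""
    damaged = bytearray(image_bytes)
    damaged[offset] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    entry = record_acquisition(ACQUIRED_IMAGE, "Examiner (constructed)", "ITEM-001 (constructed)")
    print("pristine copy mismatches:", verify_image(ACQUIRED_IMAGE, entry))  # []
    print("damaged copy mismatches:", verify_image(simulate_corruption(ACQUIRED_IMAGE, 100), entry))
```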
Step 4: Examination
The examination phase is where the digital forensics investigator prepares the data for later analysis. During this phase the investigator prepares the items, extracts the necessary data and identifies what is needed for the analysis phase. The investigator determines what data is relevant to the current project based on industry keywords, file types and data types. A piece of hardware under examination often holds a large volume of data, and going through it manually or as a whole would take far too long. To reduce this burden, investigators use parameters and criteria to narrow their search, which makes the analysis phase more efficient.
Preparing the items for extraction is also done during this phase. This may include extracting data from a device with a tool for remote examination, or viewing the data on the device itself. Depending on the circumstances, either approach may be more advantageous. If investigators are worried about losing the device, or are concerned that powering it up will destroy or encrypt the data, then extraction may be the best method.
Step 5: Analysis
The analysis phase of the digital forensics process is where investigators make new discoveries and draw conclusions about the data they are viewing. Many insights are drawn in this phase, such as who created the data, who edited it, how it was created and used, when it was manipulated and much more. This type of information can help investigators link criminals to specific crimes, discover key intelligence or uncover vulnerabilities in an IT audit.
There are many tools and resources investigators can use during the analysis process. Some of those tools will be covered in a later section of this course. These tools help investigators extract and analyze large quantities of data. The data can be in the form of files stored on a hard drive, metadata or network traffic. Each data type and its source serves a different purpose and can help analysts make determinations about the case they are involved in.
Step 6: Presentation
Whether digital forensics is being used in a military, law enforcement or business setting, the findings of the investigation will often be reported in a detailed presentation. The audience of the presentation may vary depending on the industry and job type. For example, in a law enforcement investigation the audience may be a judge and jury. In a military setting the audience may be commanders and other decision makers. In a business setting the audience may be a client or the Chief Information Security Officer (CISO).
Depending on the audience, the findings need to be conveyed in a way that the audience in question can understand. The presentation should highlight key discoveries made throughout the investigation and should clearly demonstrate how the data found relates to the project. For example, packet captures from network analysis may indicate that a certain person outside an organization accessed confidential files belonging to the business. Such a finding must be explained in terms the audience can follow.
The presentation may also include remediation techniques such as software updates, role-based access control and modifications to computer code in order to further secure an organization. Depending on what type of investigation is being conducted, the presentation will take on many different forms. Always remember to tailor each presentation to your specific audience.