Digital Forensics Examination
Introduction
The process of digital forensics examination involves identifiable steps of identifying, preserving, interpreting, and documenting evidence in computer crimes. Digital forensics has a variety of aspects and therefore has several procedures depending on the aspect being investigated. Basically, the process of digital forensics examination involves the analysis of the data and information residing on computer systems with the view of identifying what, when, who, and how the incident happened. Occasionally, the information to be gathered is not readily accessible or viewable to the usual computer users and includes things like files which were deleted or simply pieces of data located in the slack space alongside the existing files. As such, it is important that the forensics examiner possesses special skills and techniques so as to obtain such information, which is normally hidden from the average user. This paper describes the methodology and outlines instructions for the examiner, incorporating aspects of the interview process which are specific to the digital forensics examination.
Overview of the Digital Forensics Examination Process
The digital forensics examination is a process with identifiable steps which the examiner must follow through to accomplish it. The process begins with identification of the incident to be examined and determination of its type. It also involves preparation for the process, where the examiner collects all the tools needed for the examination, settles the techniques and approaches to be used, acquires search warrants and authorizations, and secures management support from the relevant people (Tipton & Krause, 2000). A strategy of approach should also be identified so as to maximize the collection of uncontaminated evidence and reduce the effects associated with the process. After the collection of the evidence, the examiner needs to have a proper preservation approach for the evidence, which may require isolating, securing, and preserving the physical as well as the digital evidence to be examined. The actual process of examining the evidence follows a systematic and in-depth search for evidence that points to the suspected crime. The next step is the analysis of the collected information or data to determine its significance, which may involve reconstructing fragmented data while making incisive decisions based on the collected exhibits. Presentation of the evidence is done in a summary that explains the conclusions reached during the examination process (Global Digital Forensics, 2013).
The work of forensic experts would be in vain if their findings were not used in a court of law to incriminate or discharge someone facing a case. Thus, testimonies and reports by computer forensics experts are important elements that have great influence on the decisions that the judge is going to take in a case. However, testifying in a court is not an easy task, as the witness is subjected to sustained personal attack during the process of cross-examination (Ciolino & Castle, 2000). Testifying and writing a report from the work of computer forensic analysis is therefore critically important because of the attention that it receives from the defense lawyers and judges. A computer forensic expert may have done a good job and come up with evidence beyond doubt that a crime did or did not actually occur, but the presentation of this information to the jury becomes challenging because of the hostile environment in courts. In giving testimony, the computer forensic expert should be articulate, with clear and well expressed terms that will leave no doubt in the minds of defense lawyers. This will prevent defense lawyers from accusing the forensic expert of being inarticulate, incompetent, and ultimately not worthy of belief (Nelson, Olson & Simek, 2006). The expert has the burden of ensuring that the defense lawyers and the judge comprehend every term and phrase that is used during testimony.
Further, testifying or writing a forensic report is critical because of the requirements that computer forensic experts must adhere to before they present their evidence to the attorney or defense lawyers. Expert testimony or reports must contain information that goes beyond personal knowledge and observation in order to give a technical opinion on the issues at hand. Computer forensic experts are thus mandated to testify and write reports that present their findings “on a very technical discipline in a simplistic manner” (Smith & Bace, 2002). All in all, a computer forensics examiner's testimony or report must meet the admissibility threshold that is set by law if there is any hope that it will be acceptable in a civil or criminal case. In some cases, the reliability of the report that the examiner presents must be founded on sufficient facts and follow laid-down principles and methodologies of collecting the data, which is also a prerequisite for the acceptance of the evidence presented by the examiner.
Methodology for digital evidence collection, preservation, and analysis
The first step in embarking on a digital forensics analysis is to identify the type of data which is going to be investigated by the examiner. Three types of data exist for the forensics examiner: latent data, archival data, and active data. Identifying and evaluating the type of data involved in the forensics analysis is an important step that will help the examiner to have specific target areas during the process of analysis. Active data is easy to investigate because the examiner can actually see the information without the need to use sophisticated tools and techniques. Examples of active data include simple data files used by the operating system of the computer and programs that are used to run applications on the computer. Nevertheless, the examiner should exercise precaution and care while handling active data because it can be misleading and therefore hinder access to the actual information which is being investigated. The other type of data is archival data, which is normally backed up and stored on various storage locations on the computer. Some of the storage spaces may be located inside the computer, while others are accessories which are removed from the computer and stored in another place, such as CDs, backup tapes, floppy drives, or even removable hard drives (Reith, Carr & Gunsch, 2002).
Where such storage facilities are suspected to exist, it is advisable for the examiner to carry out an investigation and ensure that all relevant and necessary storage facilities are gathered before embarking on the actual process of examining the computer. This will ensure that no relevant information or data is left out in the process of examining the exhibit. In the case of latent data, the examiner must have special tools so as to access the information or data required. In most cases, latent data includes deleted files and partially overwritten documents on the storage of the computer. Essentially, a whole process of digital forensics examination encompasses the three types of data, but it is the latent data which can be time consuming and expensive, especially in terms of the expertise needed and the tools required to retrieve that particular information. During this process the examiner must keep in mind the overall function of digital forensics examination, which is to detect and prove a crime (Nelson, Olson & Simek, 2006). Therefore, the focus must remain on obtaining the evidence of the unlawful use of computers so that the perpetrators can be caught and prosecuted. It is important to keep in mind that perpetrators of computer crime are highly intelligent individuals who try as much as possible to hide the evidence, since most of them are actively aware that they are committing a crime on the computer.
The process of digital forensics examination must thus be planned before embarking on it. This can be done in the following steps (Nelson, Olson & Simek, 2006):
i. Discuss the suspected incident to be investigated and examined with the concerned persons to establish potential areas of abuse or illegal acts. This is an important step because it actually sets the examiner up for the whole process of digital forensics examination. It is the entry point in the examination process and must therefore provide for the gathering of sufficient information to allow the process to take off.
ii. Collect all electronic equipment, including the computers and all external storage media, to be examined. Some of the equipment to be examined may be located in different places, and therefore the examiner must make arrangements to ensure that all required electronic equipment is in one place before starting to examine it.
iii. The next step is the actual identification of violations or unlawful activities on the electronic equipment identified in the first step. During this step, the examiner must pay attention to emerging and new evidence which was not identified in the initial stage with the concerned persons.
iv. The next step is to ensure that the identified evidence is protected from harm or destruction by the perpetrator or the examiner himself. The examiner must be aware that a suspected perpetrator can embark on destroying further evidence upon discovering that their activities are being forensically investigated.
v. After a thorough evaluation of the evidence, the examiner must confirm that it is actually the evidence required to prove the suspected illegal activity by the perpetrator. Confirmation is an important step because it actually sets the pace for the collection of the tools to be used in gathering latent data which may have been deleted by the perpetrator or partially retained on the hard drives of the computer to be used in the examination. The examiner must act quickly, especially with active files, because most of them are volatile and are prone to destruction by the suspect once they discover the examination process.
vi. The final step is the preparation of a written report and the comments of the examiner, which will be used for prosecution, especially where it is established that a crime was committed using the electronic equipment which was examined forensically.
Documenting Information Obtained from an Interview
A digital forensics examiner must possess sufficient knowledge and skills to be able to acquire reliable information which can be used to prosecute crime perpetrators in a court of law. As such, the examiner needs to approach the digital forensics examination process with a proper plan to be able to build and follow the target workflow guidelines as a way of minimizing the time required for the process, reducing the costs of the process, and increasing the amount of relevant data collected, as a way of ensuring that indisputable information is collected during the process. To this end, the examiner must work with relevant authorities, including security personnel and forensics examination investigators, to identify and follow through particular sources of evidence while applying acceptable digital forensics examination procedures. The essence must always be to come up with evidence which will be presented in the form of a report which will be acceptable in a court of law and which can be defended when called upon to do so by the prosecutors (Casey, 2011).
It is also important that the acquisition procedures are well executed and involve all equipment and evidence identified in the plan, including complete disk imaging and also the gathering of information and data from sources such as servers, while adhering to best practice in digital forensics examination procedures and guidelines. As such, the examiner must ensure a secure and sound chain of custody and assure the admissibility of the acquired evidence in a court of law for the purposes of prosecuting the perpetrators. It would be a waste of time and resources if the examiner’s report were not acceptable in the court of law simply because the process of examination is not admissible or did not adhere to the laid-down guidelines and rules. Evidently, the person to be prosecuted can challenge the admissibility of the evidence based on the procedures that were used to collect that evidence (Tipton & Krause, 2000).
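As an added illustration of the preservation and chain-of-custody point above (example code written for this page, not taken from the cited authors), the following Python records the acquisition hash of a constructed sample image and keeps a hash-linked custody log, so that both alteration of the image and tampering with the log itself can be detected when admissibility is challenged. The exhibit id, handler names and timestamps are constructed placeholders.

```python
import hashlib
import json

# Constructed sample standing in for an acquired disk image (not real evidence).
SAMPLE_IMAGE = b"\x00" * 512 + b"sector 1: document fragment" + b"\xff" * 512


def image_hash(image_bytes: bytes) -> str:
    """SHA-256 of the acquired image; recorded at acquisition and re-checked later."""
    return hashlib.sha256(image_bytes).hexdigest()


def entry_digest(entry: dict) -> str:
    """Digest of one log entry with stable key order, used to link entries together."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def record_event(log: list, exhibit_id: str, action: str, handler: str,
                 image_bytes: bytes, when: str) -> dict:
    """Append a custody entry. Each entry carries the image hash and the digest of
    the previous entry, so neither the image nor the log can change unnoticed."""
    entry = {
        "exhibit_id": exhibit_id,   # constructed placeholder, e.g. "EX-001"
        "action": action,           # acquired, transferred, examined, ...
        "handler": handler,         # person taking custody (constructed)
        "timestamp": when,          # ISO 8601 UTC string supplied by the caller
        "sha256": image_hash(image_bytes),
        "prev": entry_digest(log[-1]) if log else None,
    }
    log.append(entry)
    return entry


def verify_chain(log: list, current_image: bytes) -> tuple:
    """Return (ok, problems). ok is True only if every log link is intact, every
    entry repeats the acquisition hash, and the image presented now still matches."""
    problems = []
    if not log:
        return False, ["custody log is empty"]
    baseline = log[0]["sha256"]
    for i, entry in enumerate(log):
        expected_prev = entry_digest(log[i - 1]) if i else None
        if entry["prev"] != expected_prev:
            problems.append(f"entry {i}: log link broken (entry altered or removed)")
        if entry["sha256"] != baseline:
            problems.append(f"entry {i}: image hash differs from acquisition hash")
    if image_hash(current_image) != baseline:
        problems.append("presented image does not match acquisition hash")
    return not problems, problems


def demo() -> tuple:
    """An intact chain verifies; a single flipped bit in the image is detected."""
    log = []
    record_event(log, "EX-001", "acquired", "examiner A", SAMPLE_IMAGE,
                 "2013-05-01T09:00:00+00:00")
    record_event(log, "EX-001", "transferred", "custodian B", SAMPLE_IMAGE,
                 "2013-05-01T12:30:00+00:00")
    intact_ok, _ = verify_chain(log, SAMPLE_IMAGE)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[600] ^= 0x01            # one bit changed in the trailing sector
    tampered_ok, _ = verify_chain(log, bytes(tampered))
    return intact_ok, tampered_ok    # (True, False)


if __name__ == "__main__":
    print(demo())
```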
Another area of concern is the extraction of the evidence, which must be precise and acceptable. The examiner needs to know where to look for evidence, whom to ask, and when to approach a suspected source of evidence. More important is the actual extraction process, which must be precise and must not interfere with the operations of the client’s activities or create unwanted disruptions to the workflow. This calls for specificity in the approach to sources of evidence, while also not leaving out any important area or source which can provide the much needed evidence. The collected evidence must be analyzed objectively, down to the smallest electronic media, using approved techniques and tools with a view of coming up with condensed conclusions. The examiner must realize that a proper digital forensics examination is one which yields manageable evidence in terms of volume, given that the process can refer to hundreds of files which would be difficult to analyze if they were all presented as evidence. The other important and final technique that a digital forensics examiner needs to have is reporting skills, which allow the examiner to report the results of the examination in an understandable, defensible and complete format to the client. It should be understood that the client is not versed in digital forensics jargon and terms, and therefore the examiner must use easy to understand language in the report and give the important aspects which are helpful to the client. Reporting can incorporate figures like charts, tables, timelines, and entity relationships to give the client a clear picture of what happened in the process of examining the electronic equipment. It is good to keep in mind that figures and tables are easy to understand and can therefore be used in the interview process to enable the concerned parties to easily understand what is required of them (Ciolino & Castle, 2000).
Base Interview Script for Interviewing Victims, Potential Perpetrators, and Other Sources
According to Tipton & Krause (2000), a successful digital forensics examination interview must consider all stakeholders involved in the investigation before commencing. An essential part of the interview is the inclusion of legal counsel, although not all circumstances under investigation require the services of legal counsel. But in cases where evidence points to the breaking of an established law, the examiner must involve legal counsel, mainly because he or she is not a legal expert. Digital forensics examiners must not initiate an interview with the victims or potential perpetrators without pondering the legal implications of their interviews, as this may act against their conclusions when they are finally presented to the client for further action. Additionally, interview questions may deviate from the usual straightforward, fact-finding process to legal standards that require wide consultation and guidance from legal experts. Issues of confidentiality also need to be addressed before embarking on the interview, because some information gathered may be incriminating to the people involved in the whole process of gathering data. Where the potential source of data feels that this has not been sufficiently addressed, they may decline to give the information being sought for the purposes of the investigation. They may also be forced to give inaccurate or even slanderous information which can harm the people involved, thereby exposing the examiner to legal consequences. The baseline is that digital forensics examiners must ponder the legal implications of their interviews, especially in sensitive issues with high stakes for the stakeholders in the investigation process (Sheetz, 2007).
The other standard by which to measure the success of the interview process is the security of the data and all equipment used in the interview. It is important for the examiner to identify the important documents and equipment to be used in the interview, which may act as evidence during the process, so that they are not destroyed or altered by the interviewees. This can always be done by ensuring that there is a proper chain of custody for all materials which are going to be used during the interview process, in cases where the examiner is certain that the materials used in the interview are going to be finally used in the process of initiating legal action. It is also important to keep in mind the kind of data and information that the examiner is looking for, so that he or she avoids asking irrelevant questions which are not going to contribute anything to the final conclusions. This means that the examiner must always have a clear picture of the expected results of the investigation from the word go, although it is not always certain that this will be realized at the end of the investigation (Tipton & Krause, 2000).
The whole interview process should guard against spoliation of evidence by the interviewees, which is the conscious withholding of information, the hiding of equipment and tools important for the investigation, or even the total destruction of evidence which could be used in a legal process (Maras, 2011). The questions to be asked in the interview should thus involve an aspect of detecting spoliation by the interviewees, but this should be done in a voluntary manner so that the process can be legally acceptable during the prosecution process. This is because, if it is established that spoliation occurred as a result of a lack of transparency or care by the examiner, then the evidence presented in the legal process can be challenged by the potential perpetrator as having been collected from them through coercive means. The process also must provide controls to ensure that the examiner does not accidentally or intentionally tamper with the information collected during the interview. It is also important to consider the types of questions that the examiner is going to ask. Certain questions, like double-negative questions or attitude questions, should be avoided during the digital forensics examination, especially with a potential perpetrator, because they are repulsive and can sometimes suggest answers to the person being interviewed. The examiner should consider using closed-ended questions, open-ended questions, and admission-seeking questions.
For an effective interview, the examiner should consider the following guidelines prior to the interview (Global Digital Forensics, 2013):
i. The examiner should prepare an interview plan after consultation.
ii. Always seek consultation in cases where allegations are involved.
iii. In cases where several interviews are to be done, they must be done systematically, one after the other.
iv. The location should be conducive to maximum gathering of information.
v. The examiner must collect sufficient information about the person to be interviewed before the actual interview.
vi. Relevant documents and information on the subject of investigation, including facts, must be gathered before the interview.
vii. The examiner must be confident, courteous, and professional during the interview and avoid showing attitude to the interviewee; this should be done through maintaining control and exercising restraint during the whole interview process.
viii. The examiner must also establish a rapport with the interviewee to build confidence in them.
ix. The examiner must also be ready to follow instincts in cases where he or she feels that the interviewee is engaging in deception.
x. The examiner must also prepare a summary report of the whole interview process for future use.
In conclusion, the process of digital forensics examination requires the examiner to prepare adequately to ensure that the gathered evidence can be used in the legal process and that the evidence is reliable and admissible for the purposes of prosecuting a crime.