
Learn Computer Forensics Section 1: Acquiring Evidence

Book Digital Forensics Digital Evidence Investigation Process Forensic Tools Forensic Methodology Response Kit Data Acquisition Legal Compliance Career & Training Cybercrime
Author: Valentin B
Focusing on mastering penetration testing and digital forensics
Learn-Computer-Forensics - This article is part of a series.
Part 1: This Article

1. What is Digital Forensics

In the 21st century almost everything in life is connected to an electronic device, from doorbells and smartphones to social media accounts. All of these track your digital footprint and build a profile that follows you around the internet. As a digital forensics investigator your job is to find all available criminal evidence, process it, and present your findings to the finder of fact.

In other words, digital forensics is the branch of forensics concerned with the recovery and analysis of data retrieved from digital devices.

2. Introduction to computer-based investigations

As a digital forensics investigator you will find artifacts, such as search history, that may incriminate a subject or prove their innocence. It is your responsibility to critically analyze the evidence tied to a specific user in order to prove or disprove the allegations; an effective examiner must therefore be an unbiased third party with both technical knowledge of the data and a legal understanding of evidence handling and testimony.

There are three main roles in the field, which are as follows:

  • The first responder
  • The investigator
  • Crime scene technician

2.1 First Responder

These are the first people called when a crime occurs; they will identify the following and keep the scene under control:

  • Potential victims
  • Witnesses
  • Subjects
  • Maintain control

2.2 Investigators

The investigators are called in by the first responder, and the two share the information each has gathered about the crime scene.

2.3 Crime scene technician

They have specialized training in the collection of evidence, whether physical or digital. They are responsible for preserving the evidence and starting the chain of custody.

3. Types of illicit image communication

  • Email-based communication
  • Newsgroups / USENET
  • Peer-to-Peer file sharing

4. Types of Crimes

  • Cyber stalking / Cyberbullying
  • Corporate espionage

5. The Response kit (Recommendation)

A response kit is particular to each digital forensic analyst and may include items such as:

  • Digital camera - To record the scene as it is and to record every action performed while collecting digital evidence
  • Latex gloves - Protection against biohazards and to avoid leaving fingerprints
  • Notepads - To take notes of who you talk to at the scene; some organisations' policies also require a hand-written sketch of the area where digital evidence was collected
  • Organizational paperwork - Official documents listing exactly what was taken, where it was taken from, and any identifying marks or serial numbers
  • Paper storage bags / antistatic bags - To keep evidence safe from electrostatic discharge and prevent unauthorized access
  • Storage media - Hard drives such as SSDs and USB devices used to store a copy (image) of a server and to collect specific datasets
  • Write blocking devices - Hardware that allows you to access a storage device without changing its content, such as a forensic bridge kit
  • Frequency shielding material - Containers that block radio transmissions for devices such as mobile phones
  • Toolkit - Tools such as screwdrivers to disassemble laptops, desktops, or mobile phones
  • Miscellaneous items - Power cables, data cables, USB hubs, screws, or anything else that might be needed on site
  • Forensic laptop - Holds forms, the processes that need documenting, and any application you find useful for carrying out your tasks
  • Encryption - When traveling abroad it is common for security services or customs to seize devices, so it is a good idea to encrypt all evidence
  • Software security keys - A USB-shaped security key (dongle) required to run some forensic software, which may be unusable without it
    • A program called VirtualHere allows you to use USB security keys remotely as long as there is a network connection at your destination

These should all be stored inside a Pelican-type case that is crushproof and watertight, together with a TSA-compliant lock in case you travel abroad.

6. Forensic Software

  • Using pirated software is very unprofessional and exposes the organisation to malware; use licensed software instead, which can be either open source or commercial.
  • Open-source software - Has no cost and can be modified and used for profit, education, and testing
    • The drawback is that there is little to no technical support if something goes wrong
    • These tools often come as CLI programs and do not provide a GUI
  • Commercial tools - Have better customer support, documentation, and timely updates. The only downside is that you have to pay for these services
    • A commercial tool may have more features than an open-source tool, so you may need one or more different open-source tools to accomplish the same task
  • No forensic software is "court approved", which means you need to understand how a tool validates its results
    • As a forensic investigator you have to know where the data came from and ensure the tool used provides an accurate representation of that data
    • This is the basis of the Daubert standard, which a judge uses to decide whether an expert's opinion is trustworthy enough to be used in court. The factors the court considers are as follows:
      • Whether the theory or technique can be or has been tested
      • Whether it has been subjected to peer review and publication
      • The known or potential error rate
      • The existence and maintenance of standards
      • Its acceptance within the scientific community
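The response kit above lists write blockers and storage media for imaging, and the Daubert points above ask how a tool validates its results. The following is an added example (not code from the book or the author) of the minimal check an examiner applies to an acquired image: a read-only bit-for-bit copy, two independent hashes of source and image, and a chain-of-custody record that states whether they match. The "device" is a constructed byte string standing in for a raw disk, and the examiner and item identifiers are placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "device": 4096 bytes standing in for a raw disk.
SAMPLE_DEVICE = bytes(range(256)) * 16


def acquire_image(device: bytes, sector_size: int = 512) -> bytes:
    """Bit-for-bit copy of the source, read sector by sector.
    A hardware write blocker would sit between the examiner and the real
    device; here the immutable bytes object plays that role."""
    image = bytearray()
    for offset in range(0, len(device), sector_size):
        image += device[offset:offset + sector_size]
    return bytes(image)


def digests(data: bytes) -> dict:
    """Two independent hashes, so a change cannot hide behind one algorithm."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_image(source: bytes, image: bytes) -> bool:
    """Tool-validation step: the image is acceptable only if every digest matches."""
    return digests(source) == digests(image)


def custody_record(examiner: str, item_id: str, source: bytes, image: bytes) -> dict:
    """Chain-of-custody entry that travels with the image (fields are placeholders)."""
    return {
        "item_id": item_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(image),
        "source_hashes": digests(source),
        "image_hashes": digests(image),
        "verified": verify_image(source, image),
    }


if __name__ == "__main__":
    img = acquire_image(SAMPLE_DEVICE)
    print(json.dumps(custody_record("EXAMINER-PLACEHOLDER", "ITEM-0001",
                                    SAMPLE_DEVICE, img), indent=2))
```

If a single byte of the image differs from the source, `verified` becomes false and the image must be re-acquired rather than analysed.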

6.1 Open-source forensic tools

  • Autopsy: a fully functioning suite of forensic tools
  • SIFT Workstation: a VM that comes with multiple forensic tools pre-installed
  • Paladin Forensic Suite: a live Ubuntu Linux OS with pre-installed open-source forensic tools
  • CAINE (Computer Aided Investigative Environment): a GUI project that provides many open-source forensic tools for free

6.2 Commercial forensic tools (Windows)

7. Forensic Investigator Training

To become a digital forensics investigator you will need extensive training to reach a level of competence suitable for court-level investigations. Taking a 40-hour course does not automatically make you a digital forensics investigator; it is the first step, and continuing to train yourself and associating with like-minded peers is what puts you on track to becoming a professional.

7.1 Forensic Investigative Training

7.2 Understanding case information and legal issues

This is the information you gather before you power up your workstation to begin investigating, and you should ask the following questions:

  • What is the nature of the investigation? Is it a narcotics case, a homicide, or employee misconduct?
  • What digital evidence do you expect to find at the scene? The information received may not be accurate: you could be looking for a single laptop but find multiple laptops, desktops, and many mobile phones.
  • What is the legal justification? What is the rationale behind the search: consent, or a search warrant? Make sure you understand the limitations placed on the search, which can be physical or digital.
    • Relevant artefacts found outside the scope of those limitations cannot be used, and you may face sanctions for collecting them
  • Who are the subjects and suspects? Depending on your role you may not have any contact with the subjects and suspects involved, but if you do, try to have a conversation with them to draw out information.