ATHABASCA UNIVERSITY
SYSTEMATIC APPROACH TO PROCESS, ANALYZE, AND CLASSIFY DIGITAL EVIDENCE
BY
EMILE WONG
A project submitted in partial fulfillment of the requirements for the degree of
MASTER OF SCIENCE in INFORMATION SYSTEMS
Athabasca, Alberta February, 2009
© Emile Wong, 2009
DEDICATION
This thesis is dedicated to my mother, who raised me up to more than I can be.
ABSTRACT
This paper introduces a systematic approach to digital forensic investigation, intended to help digital forensic students understand the recognition, collection, preservation, documentation, classification, comparison, individualization, and reconstruction of digital evidence. The three-layered approach can be applied to the examination of a single piece of evidence as well as to large digital criminal cases. The literature reviewed covers emerging problems in digital forensic investigation and emerging technologies in the forensic field, including forensic tools, methodologies, and investigation best practice. The three-layered structure is then explained, together with the theoretical and practical processes that make up the macro-cycle and micro-cycle of digital evidence handling. The roles and ethics of the digital forensic investigator are discussed, and finally the digital forensic technology and tools that support an investigation are described. The three-layered structure organizes the complexity of the digital forensic investigation process in a systematic manner; it can be used as a framework for developing standard digital forensic operational procedures, or as a model for digital forensic software development.
ACKNOWLEDGMENTS
I would like to acknowledge with particular gratitude the assistance of my supervisor, Dr. Harris Wang. I am also indebted to a number of other people presently and formerly at Athabasca University, including Dr. Oscar Lin, Dr. Kinshuk, Dr. Xiaokun Zhang, Richard Hundrods, Mahmond Abaza, Kewal Dhariwal, Lil Saghafi, and Steve Leung for their guidance during my studies for the degree of Master of Science in Information Systems. Finally, I would like to thank my sons, Elvin and Ryan, for their forbearance during the long period it has taken me to conduct and write up this thesis.
TABLE OF CONTENTS
CHAPTER I – INTRODUCTION
  Statement of the Purpose
  Research Problems and Questions
  Outline of this Document
CHAPTER II – REVIEW OF RELATED LITERATURE
  Context
  Computer Forensics
  Digital Evidence
  Summary
CHAPTER III – THREE LAYERED SYSTEMATIC APPROACH
  Background
    Basic Concepts
    Digital Incidents and Threats
  Top Layer
    Assessment and Preservation
    Acquisition
    Examination
    Analysis
    Documentation
    Reporting
    Presentation
  Middle Layer
    Document
    Preparation
    Physical
    Logical
    Recover
    Analyze
    Findings
    Archive
  Roles and Ethic
CHAPTER IV – FORENSIC TECHNOLOGY AND TOOLS
  Previewing Tools
  Acquisition Tools
  Examination Tools
CHAPTER V – CONCLUSIONS AND RECOMMENDATIONS
  Conclusions
  Suggestions for Further Research
REFERENCES
LIST OF FIGURES
1. Three Layered Systematic Approach of Digital Forensic Investigation
2. Digital Forensic Investigation Macro-cycle
3. Digital Forensic Investigation Micro-cycle
CHAPTER I
INTRODUCTION
Statement of the Purpose
Digital forensic science provides tools, techniques, and a systematic approach that can be used to process and analyze digital evidence. Computer forensic examiners are expected to interact with digital evidence, digital forensic tools, and digital forensic laboratories. Digital evidence can be used to reconstruct what occurred during the perpetration of an offense. The purpose of reconstruction is to restore the links between offender, victim, and crime scene or incident. The final goal is to present legal evidence that the court will accept to prove or disprove a theory. The research described in this document focuses on a systematic approach to processing, analyzing, and classifying digital evidence. The document also demonstrates tools and techniques that can be used to analyze and recover evidence. The literature review in Chapter 2 shows that a significant amount of digital forensic training material, manuals, and books exists from different sources [2] [4] [5] [6] [7] [8] [13] [14] [15]; most of it, however, is written from the professional viewpoint of digital forensic examiners or law enforcement agents, or consists of technical demonstrations of the discovery and analysis of digital evidence by professionals. The research questions for the current thesis are therefore formulated with the aim of sketching out a systematic approach and guideline for digital forensic students to understand the recognition, collection, preservation, documentation, classification, comparison, individualization, and reconstruction of digital evidence in this under-researched area.
Research Problems and Questions
The research questions as defined in the project proposal were as follows:
What is digital crime, and how does it differ from traditional crime?
How does a professional digital investigator differ from a computer technician?
What are the difficulties in presenting technical evidence in an easily understood format?
What is the proper procedure for handling evidence?
How can one prove that a working copy of digital evidence is identical to the original seized evidence?
How does one begin an investigation, and where should it start?
How does one understand the limits of an investigation, and know when and where to stop?
How does one prepare, collect, and use forensic toolkits?
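One of the research questions above asks how to prove that a working copy of digital evidence is the same as the seized original. The accepted answer is to compute a cryptographic digest of both and compare them. The following Python script is an added example, not code from the thesis: it hashes two files in fixed-size chunks, compares the digests, and produces a small verification record of the kind an examiner would attach to a chain-of-custody form. The file names, the examiner label, and the record layout are assumptions, and the two "images" it checks are constructed in a temporary directory rather than taken from real evidence.

```python
"""Prove that a forensic working copy is bit-for-bit identical to the seized
original by comparing cryptographic digests of both files.

Added example for this thesis, not code from the original text. The file
names, the examiner label and the record layout are assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Evidence images are often many gigabytes; read in fixed-size chunks so the
# hashing pass uses constant memory regardless of image size.
CHUNK_SIZE = 1024 * 1024
# MD5 is carried only because older acquisition reports record it; SHA-256 is
# the digest the verification should rely on.
ALGORITHMS = ("md5", "sha256")


def digest_chunks(chunks, algorithms=ALGORITHMS):
    """Feed an iterable of byte chunks through every requested hash in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digest an in-memory byte string (useful for checking known test vectors)."""
    return digest_chunks([data], algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    """Digest a file on disk, reading it exactly once in CHUNK_SIZE pieces."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(CHUNK_SIZE), b""), algorithms)


def verify_working_copy(original_path, copy_path, examiner="examiner (assumed label)"):
    """Hash the original and the working copy and return a verification record.

    The copy is verified only if the sizes and every digest match; any
    algorithm whose digest differs is listed so the discrepancy can be recorded.
    """
    original = hash_file(original_path)
    copy = hash_file(copy_path)
    mismatches = [alg for alg in original if original[alg] != copy[alg]]
    size_orig, size_copy = os.path.getsize(original_path), os.path.getsize(copy_path)
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "original": {"path": original_path, "size": size_orig, **original},
        "working_copy": {"path": copy_path, "size": size_copy, **copy},
        "verified": not mismatches and size_orig == size_copy,
        "mismatched_algorithms": mismatches,
    }


def demo():
    """Constructed scenario: one exact copy and one copy with a single flipped bit.

    Returns the verification records for the good copy and the tampered copy.
    """
    data = bytes(range(256)) * 4096  # 1 MiB of constructed, non-evidentiary content
    tampered = bytearray(data)
    tampered[700_000] ^= 0x01  # flip one bit deep inside the image
    with tempfile.TemporaryDirectory() as tmp:
        paths = {name: os.path.join(tmp, name)
                 for name in ("seized.dd", "working_copy.dd", "tampered_copy.dd")}
        for name, content in (("seized.dd", data), ("working_copy.dd", data),
                              ("tampered_copy.dd", bytes(tampered))):
            with open(paths[name], "wb") as fh:
                fh.write(content)
        good = verify_working_copy(paths["seized.dd"], paths["working_copy.dd"])
        bad = verify_working_copy(paths["seized.dd"], paths["tampered_copy.dd"])
    return good, bad


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2))
```

Hashing in 1 MiB chunks keeps memory use flat for multi-gigabyte images, and a single flipped bit anywhere in the copy changes every digest, which is what makes the comparison conclusive. Recording the digests at acquisition time, and again before each examination, is what lets the examiner show later that the working copy was never altered.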
Outline of this document
Following this introduction, chapter 2 of this thesis consists of a review of literature in a number of areas relevant to computer or digital forensics. The review considers:
literature on the topic of computer forensics;
literature on the topic of cyber forensics;
literature on the topic of computer forensics response;
literature on the topic of examination of digital evidence;
literature on the topic of emerging problems in forensic computing;
literature on the topic of privacy protection;
literature on the topic of risks of live digital forensic analysis;
literature on the topic of digital forensic tools;
literature specifically relating to digital and multimedia evidence;
literature specifically relating to the roles of the computer forensic investigator; and
literature concerning forensic techniques in general and particular proposed measures.
The literature explored covers a variety of theoretical concepts, history, principles, methodologies, disciplines, and practical procedures for the seizure, handling, analysis, and recovery of digital evidence; but its emphasis is largely on personal experience or case studies.
Following the literature review, chapter 3 examines and extends some of the theoretical issues raised in the literature. This chapter seeks to define a systematic approach to recognition, collection, preservation, documentation, classification, comparison, individualization, and reconstruction. In particular, it explains the basis of the initial assessment of, and response to, a digital incident. The chapter also discusses the relationship between the discovery, preservation, documentation, and presentation of digital evidence. The roles and ethics of the digital forensic investigator are also addressed in this chapter.
Chapter 4 describes the forensic technology and tools that can be used to preserve, analyze, and recover digital evidence. It also evaluates digital forensic tools, their functionality, and the related file systems and operating systems.
Chapter 5 concludes the thesis by revisiting the main findings on the systematic approach to digital forensics in the theoretical, practical, and experimental stages of the research; it identifies the impact of digital crimes and raises issues that are likely to be useful areas for future study.
CHAPTER II
REVIEW OF RELATED LITERATURE
Context
Computer forensics can be considered a branch of forensic science with its own investigative approach. The science of computer forensics encompasses a wide range of disciplines including, but not limited to, computer hardware and software, telecommunications, security, networks, electronic devices, law enforcement, and the criminal justice system. The introduction of digital forensics into forensic science reflected the urgent need for digital forensic professionals, methodologies, and tools to handle rapidly growing computer crime. Computer forensics has been applied to cases of hacking, obscene publication, perjury, murder, espionage, forgery, defamation, narcotics trafficking, credit card cloning, software piracy, and paedophile rings [9][11][12]. Today, computer forensic practitioners face a multiplicity of investigative challenges in two main categories. The first is technology. Criminals continuously employ emerging information technology and methods [20] to commit fraudulent activities of which investigators need time to become fully aware. In addition, rapidly growing storage media capacities and high-speed network transmission have increased the complexity of analysis [7]. The second is the techniques and protocols for the investigation, examination, and analysis of digital evidence. In a dynamic technological environment, the subject matter of evidence examination changes at such a rate that forensic tools must be modified regularly to keep up [20]. Digital forensics is a continuously developing topic; it is only in the last twenty years or so that computer forensic examination protocols and methodology have been commonly discussed and studied in the literature.
Computer Forensics
The discipline of computer forensics began with the recognition of "white collar" crimes [11]. In 1981, after the first IBM Personal Computer (PC) became available to ordinary businesses, U.S. Federal law enforcement noticed the emergence of "white collar" crimes committed with the aid of the new PCs. In the 1980s, the emerging science of computer forensics found its starting place in training developed by U.S. Federal law enforcement agents. The U.S. Federal Law Enforcement Training Center (FLETC) started training agents to conduct investigations in a computerized environment, and FLETC's Financial Fraud Institute (FFI) began to develop software and protocols to deal with the emerging discipline of computer forensics.
Peter Stephenson's book [4] introduced the potential impact of cyber crime; it also introduced a framework for conducting an investigation of a computer security incident, how to prepare for cyber crime, and the use of forensic utilities. Its generalized investigative framework for the corporate investigator is structured as follows:
1. Eliminate the obvious
2. Hypothesize the attack
3. Reconstruct the crime
4. Perform a trace back to the suspected source computer
5. Analyze the source, target, and intermediate computers
6. Collect evidence, including, possibly, the computers themselves
7. Turn your findings and evidentiary material over to corporate investigators or law enforcement for follow-up
A report [11] published by the National Institute of Justice in 2001 identified the needs that require attention to keep pace with the rapid growth of computer crime, summarized as the "Critical Ten" needs:
1. Public awareness
2. Data and reporting
3. Uniform training and certification courses
4. Onsite management assistance for electronic crime units and task forces
5. Updated laws
6. Cooperation with the high-tech industry
7. Special research and publications
8. Management awareness and support
9. Investigative and forensic tools
10. Structuring a computer crime unit
Another report [12], published by the National Institute of Justice in 2004 as a guide for State and local law enforcement on examining computer evidence, outlined the entire process of handling digital evidence:
Policy and Procedure Development
Evidence Assessment
Evidence Acquisition
Evidence Examination
Documenting and Reporting
A third report [9], also published by the National Institute of Justice, provided a structure for the continuing education of practicing forensic scientists and training to enhance a current digital forensic examiner's knowledge, skills, and abilities (KSA).
Digital Evidence
The conference paper [20] cites Mark Pollitt's generalization of digital evidence as "information of probative value that is either stored or transmitted in binary form". Digital evidence is a type of physical evidence, made up of magnetic fields and electronic pulses, that can be collected and analysed using special tools and techniques. Brian D. Carrier [1] stated that the difference between live and dead digital forensic analysis lies in the reliability of the results; the paper concluded that live analysis may not produce reliable results. Michael G. Solomon, Diane Barrett, and Neil Broom's book [2] described the need for computer forensics, including preparation, common tasks, capturing the data image, extracting information from data, passwords and encryption, and testifying in court. Albert J. Marcella and Robert S. Greenfield's book [6] introduced a mature methodology for digital forensic investigation; it described the procedure for searching and seizing computers and obtaining electronic evidence, computer crime policy and programs, international aspects of computer crime, privacy issues in the high-tech context, critical infrastructure protection, and legal issues and considerations. The book also defined that "Computer Forensics deals with the preservation, identification, extraction, and documentation of digital evidence" [6]. Debra L. Shinda, a former police officer, provided not only forensic techniques but also the investigation process and jurisdictional issues in her book [5]; the book stated that many information technology professionals were unconcerned about cyber crime, while at the same time law enforcement officers were not equipped with appropriate tools to deal with it. The book Incident Response by Kevin Mandia, Chris Prosise, and Matt Pepe [15] showed the detailed process of live data collection from both Windows and UNIX systems, and the toolkit required for each operating system.
Summary
M.G. Solomon, D. Barrett, and N. Broom [2], P. Stephenson [4], D.L. Shinda [5], A.J. Marcella and R.S. Greenfield [6], G. Mohay, A. Anderson, B. Collie, O. de Vel, and R. Mckemmish [7], R. Leigh and A.W. Krings [8], B. Middleton [13], D. Schweitzer [14], and C. Prosise, K. Mandia, and M. Pepe [15] have discussed digital forensics in great depth or expanded their own model of the discipline into a more general framework. In addition to the frameworks mentioned above, the use of digital forensics in investigations with a view to incident response has also been examined from different aspects. The present study was designed to create a guideline for digital forensic students to understand the life cycle of the digital forensic process. The study sought to define a systematic approach to digital forensics covering recognition, collection, preservation, documentation, classification, comparison, individualization, and reconstruction.
CHAPTER III
THREE LAYERED SYSTEMATIC APPROACH
The paper [20] states that digital forensics has mostly developed in an ad hoc manner. Many research resources [2] [4] [6] [7] [19], not limited to those cited in this paper, are based on cases or current practice. Digital forensic methodologies and protocols are introduced according to particular circumstances, methods, and procedures; most of them are developed from personal experience and expertise [8]. The emerging topic is still under development and discussion. The entire examination process [12] of the National Institute of Justice provides a top-level structure for digital investigation, while the forensic formalization model [20] provides a low-level implementation of investigative steps.
This section generalizes the entire digital forensic investigation process into a three-layered systematic approach. The process can be conceptualized as occurring simultaneously at three different scales or time frames. The top layer spans the course of an investigation and guides it from initial response to final presentation. The top layer has seven protocols, as shown in Figure 1. Each protocol contains one or more interfaces described in the middle layer. The top layer evolves over time and can be considered the macro-cycle. The first two protocols focus on the collection and acquisition of digital evidence. The next two focus on the examination and analysis of seized evidence. The last three focus on documentation, reporting, and presentation; the documentation protocol overlaps the first four phases of the digital evidence investigation lifecycle, as shown in Figure 2. The middle layer defines a systematic framework of interfaces for the investigation, as shown in Figure 3. The middle layer has a narrower scope than the top layer and can be considered the micro-cycle of the investigation. It focuses on providing an interface for the actual implementation of investigative processes or examination steps; investigators or examiners can apply their best practice through this interface to create standard procedures for specific types of evidence. The bottom layer is the actual implementation of the examination procedures and steps for an individual piece of evidence or file, and it is out of the scope of this paper.
Figure 1: Three Layered Systematic Approach of Digital Forensic Investigation
Figure 2: Digital Forensic Investigation Macro-cycle
Figure 3: Digital Forensic Investigation Micro-cycle
Background
In 1988, Robert Morris accidentally unleashed an "Internet Worm" from MIT which infected and subsequently crashed thousands of computers [11]. Morris released it from MIT to mask the fact that the worm came from a computer at Cornell University. He soon discovered that the worm was replicating and re-infecting machines at a much faster rate than he had anticipated. Following a jury trial, Morris was found guilty and was sentenced to three years of probation. The Internet Worm was considered the first case prosecuted under the Computer Fraud and Abuse Act of 1986 in the United States of America. This case established a precedent that would help to convict other hackers and virus programmers, and the word "hacker" entered the vernacular of the computer and digital forensic community.
Basic Concepts
Digital evidence is a kind of physical evidence. Although digital evidence is less tangible than other forms of physical evidence such as fingerprints, blood, or weapons, it is made up of magnetic fields and electronic pulses that can be collected and analyzed using special tools and techniques. The content of digital evidence can only be viewed with particular tools or software. Digital forensics is about building an account of how this evidence links the crime, offenders, and victims. In cases of digital crime there may be a transport mechanism that moves evidence from one storage medium to another, and a transfer mechanism that moves evidence across the network. Consider a person visiting a website: auditing and logging take place on the server, creating a trace of the visitor's IP address, operating system, pages viewed, and the date and time of the visit. All of this information is stored in the web server's log files. On the client side, the information showing that the person visited the website is stored on the system as cookies and temporary Internet files in a temp folder. Together these establish a tie between the person and the site. An incident scene is thus a linkage between victims and suspects through some physical evidence. To summarize, digital forensics is the way to discover this less tangible electronic evidence, collect it, and analyse it, bearing in mind that the evidence may have been transferred across the network. The practitioner must be able to gather, explore, collect, and explain what the digital evidence represents. Digital evidence can be used to reconstruct what occurred during the perpetration of an offense, and eventually to create a link between an offender, a victim, and the crime scene under a theory. The evidence may then prove or contradict the theory.
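The server-side trace described above (IP address, operating system, pages viewed, date and time) has to be extracted from log files before it can tie a visitor to a site. The following Python script is an added example, not code from the thesis: it parses access-log lines in the Apache/nginx "combined" format, groups them by client address, restores chronological order, and condenses each visitor's trail into those four facts. The log lines are constructed for the example, the substring-to-operating-system table is an assumption, and the User-Agent string it reads is client-supplied and easily forged, so the operating system it reports is a lead to corroborate against client-side artifacts rather than a fact.

```python
"""Rebuild a visitor's trail from web-server access logs.

Added example for this thesis, not code from the original text. The log
lines below are constructed, the layout is the Apache/nginx "combined"
format, and the operating-system hints are an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format:
#   host ident authuser [date] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed mapping from User-Agent substrings to operating systems. A UA is
# client-supplied and trivially forged, so treat the result as a lead, not a fact.
OS_HINTS = (
    ("Windows NT 6.1", "Windows 7"),
    ("Windows NT 5.1", "Windows XP"),
    ("Mac OS X", "Mac OS X"),
    ("Linux", "Linux"),
)


def guess_os(user_agent):
    for needle, label in OS_HINTS:
        if needle in user_agent:
            return label
    return "unknown"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not fit."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["os"] = guess_os(rec["ua"])
    return rec


def build_trails(lines):
    """Group records by client IP and order each visitor's requests in time.

    Lines are appended as requests complete, so a log is not always in
    timestamp order; sorting restores the sequence an examiner needs.
    Unparseable lines are returned separately rather than silently dropped.
    """
    trails, malformed = defaultdict(list), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed.append(line)
        else:
            trails[rec["ip"]].append(rec)
    for recs in trails.values():
        recs.sort(key=lambda r: r["time"])
    return dict(trails), malformed


def summarize(trail):
    """Condense one visitor's trail into when they came, what they viewed, and with what."""
    return {
        "first_seen": trail[0]["time"].isoformat(),
        "last_seen": trail[-1]["time"].isoformat(),
        "operating_systems": sorted({r["os"] for r in trail}),
        "pages": [r["path"] for r in trail],
        "requests": len(trail),
    }


# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2009:21:14:02 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Firefox/3.0.6"
203.0.113.7 - - [10/Feb/2009:21:14:09 -0700] "GET /downloads/tool.zip HTTP/1.1" 200 812034 "http://www.example.com/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Firefox/3.0.6"
198.51.100.22 - - [10/Feb/2009:21:15:40 -0700] "GET /admin/login.php HTTP/1.1" 401 214 "-" "curl/7.18.2"
this line is not in combined format
203.0.113.7 - - [10/Feb/2009:21:13:55 -0700] "GET /robots.txt HTTP/1.1" 404 310 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Firefox/3.0.6"
"""


def demo():
    """Return per-visitor summaries and the lines that could not be parsed."""
    trails, malformed = build_trails(SAMPLE_LOG.splitlines())
    return {ip: summarize(trail) for ip, trail in trails.items()}, malformed


if __name__ == "__main__":
    summaries, bad_lines = demo()
    for ip, summary in summaries.items():
        print(ip, summary)
    print("unparsed lines:", bad_lines)
```

The malformed line is kept rather than discarded because a log entry that does not fit the expected format is itself worth noting in an examination: it may be a rotated-in fragment, a different log format, or an attempt to inject content into the log. The per-visitor summary is exactly what the examiner then sets against the client-side cookies and temporary Internet files to confirm the tie between person and site.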
Digital evidence exists in many forms and locations within digital systems or devices. As a digital forensic practitioner, it is crucial to understand the kinds of information that may exist within a system in order to find it effectively. Classification of digital evidence lets us understand the type of information, its purpose, and what is important and relevant to the case. Finding the pieces of information needed to build the case and to understand the timeline of what occurred is also important in a digital forensic investigation. The digital forensic practitioner is responsible for conducting an analysis that gathers digital evidence to the required level of proof. There are basically two levels of proof in a court of law.
Criminal - the case must be proved beyond a reasonable doubt.
Civil - the case is decided on the preponderance of the evidence; that is, it must be shown to be more likely than not (often described as 51%).
Digital forensic analysis takes the acquired data and examines it to develop and identify digital evidence. Different weights or levels of proof are required for civil and criminal cases. There are three major categories of digital evidence that are looked for in an investigation.
Inculpatory evidence - evidence that supports a given theory.
Exculpatory evidence - evidence that contradicts a given theory.
Evidence of tampering - evidence that cannot be associated with any theory, but shows that the system was tampered with to avoid identification.
Digital Incidents and Threats
A computer forensic examiner may come across various types of computer forensic incidents. Before digital forensic students get into the investigation of evidence, they need to understand several basic concepts of digital forensics and what a forensic investigator will encounter in a digital forensic investigation.
Laws on computer fraud clarify the definitions of criminal fraud and abuse for computer crimes, and remove the legal ambiguities and obstacles to prosecuting these crimes. The following are considered criminal cases, including but not limited to:
Online auction or electronic trading fraud
Trafficking in contraband such as child pornography
Network intrusions or hacking
Cyber threats such as cyber stalking
Theft of identity or personal information
Espionage
Murder
Perjury and forgery
Telecommunications fraud
Pirating of intellectual property such as copyright
Computer forensic practitioners are faced with numerous investigations that may be considered civil in nature; the following are considered civil incidents, including but not limited to:
Misuse or damage of corporate information technology assets
Employee wrongful termination claims
Failure to comply with Acts governing financial institutions
Failure to comply with Acts governing business accounting
Sexual harassment
Defamation
Divorce
Theft of proprietary data such as trade secrets
Internal threats involve end-users who commit fraud or other illegal acts from inside their organization. These persons may be in positions of trust, and internal threats need not be directed against the company itself; they can take the form of a variety of crimes. Internal threats to an organization's computer infrastructure may include, but are not limited to:
Theft of proprietary data.
Using information technology assets to run a personal business.
Using company servers to deliver contraband.
Alteration of official records, such as marks on a report card.
Sabotage via execution of malicious code.
A threat is considered external if it involves end-users from outside the organization who commit intrusions or other similar illegal acts. The computer forensic practitioner may be called upon to investigate external threats such as, but not limited to:
Viruses, malware, and spyware.
Intrusions, Trojan horses, or hacking.
Denial of service (DoS) attacks.
Spoofing.
Password cracking.
Email spamming attacks.
Website defacement.
Top Layer
The seven primary protocols in the top layer extend through the entire lifecycle of an investigation, and the top layer is considered the macro-cycle of the digital forensic investigation process. Each protocol occurs at a different scale and time frame, as shown in Figure 2.
Assessment and Preservation
Digital incident response is different from the discovery of digital artifacts. Digital incident response is about how to assess a digital incident situation, identify the procedures essential to protecting the digital evidence, and shelter the digital evidence in a safe place to avoid contamination.
Digital incidents may happen as the consequence of acts committed by persons involving a device which retains binary data, in the form of a desktop, workstation, server, laptop, or similar digital computing device. When called upon to respond to a digital incident, a computer forensic practitioner should make an initial assessment of the situation and be prepared to apply the appropriate response in order to gather digital artifacts. The collected digital artifacts will eventually prove or disprove a theory concerning the commission of a civil offense, criminal offense, or security violation. The initial assessment of the situation includes consideration of the type of incident, the parties involved, the incident or equipment location, and the available response resources.
In digital incident response, the computer forensic practitioner may encounter a wide variety of digital media and devices which may retain potential digital evidence. The practitioner should consider which digital devices may serve as repositories of digital data and be subjected to examination. Almost anything can retain binary data; digital forensic practitioners have to decide what to look for and make the correct assessment. To determine the type of incident, a digital forensic practitioner needs to identify the relationship between the activities and the digital devices. In the first type of incident, the hardware or software is itself stolen property. In the second type, the digital device contains evidence of the incident or offense. In the third type, the digital device was the tool of the offense. In the last type, the digital device was actively used to commit the offense. An incident can be any one of the above types or a combination of them.
During an incident response, a digital forensic practitioner also needs to recognize the parties involved and identify the persons involved in the investigation, such as complainants, victims, witnesses, informants, suspects, system administrators, and technical support staff. Other information is also crucial to the investigation, such as the name of the Internet Service Provider, any online services, websites, newsgroups, and web applications, and the network and firewall configuration. The digital forensic practitioner must be aware that a skilled technical person could cause a serious loss of evidentiary data. Further, an investigator needs to find out the location of the incident or equipment involved to determine the proper action to take next. The incident might occur on private or residential property, in a business office, in a public area, or at various locations worldwide. Finally, the frequency of the incident should be addressed, and how long the activities have been occurring. During a digital incident assessment, we also have to find out how the equipment is used and how important its continued functioning is to the company. The digital forensic practitioner should prepare a checklist for digital incident response; the checklist should include:
a digital camera to take photos of the scene;
a portable imaging device and blank media to make forensic copies;
chain of custody and other official documents to record actions and procedures;
items such as paper, permanent markers, labels, and disassembly tools;
packaging items such as sealing tape, cardboard boxes, and envelopes;
and transport vehicles.
Digital forensic practitioners need to use their time, tools, and talent in a
professional manner throughout the entire case, to be able to gather the evidence they
need and to build a forensically sound case.
The goal of a digital forensic practitioner when responding to an incident is to
secure all potential digital evidence and preserve it for examination and analysis. Due
to the fragile nature of digital evidence, it must be handled properly and carefully to
avoid damage or immediate destruction. The best practice is to keep all people, including
suspects, away from the evidence except the persons who have been trained to handle it,
because evidence can be destroyed accidentally or maliciously by triggers set off with a
few keystrokes on the keyboard. People should always wear gloves and try not to disturb
potential latent or digital evidence, because there may be other physical evidence at the
crime scene, such as fingerprints on the digital devices. Running machines should be
handled carefully to preserve data in the cache, and the state and configuration of the
machine need to be documented or captured. Digital evidence needs to be secured to make
sure that there is no way for anyone to access the devices. A common practice to seal the
digital evidence is to place evidence tape along the edges of the computer’s housing, then
place your initials, date and time over the seal in permanent ink. Finally, move all digital
evidence to a secured facility for storage if possible. Bear in mind that improper handling
of evidence can tamper with or damage it. Failure to handle it properly may leave it
unusable in court, lead to an imprecise conclusion, or even worse, permanently destroy
what you are seeking.
Acquisition
Acquisition is the process of obtaining or extracting digital information from a
digital device or media with specialized forensic tools. There is a difference between a
copy and a duplicate of digital evidence. A copy of original evidence is an accurate
reproduction of the content stored on an original physical item, and it is independent of the
electronic storage device. The copying process reproduces the contents contained in the
storage device of the original evidence, but attributes may change during the reproduction
and other hidden information is not transferred. For example, the last access date and time
will be replaced by the current date and time at the moment you are copying the content. A
copy is not considered an exact duplication of the original evidence. A duplicate is an exact
duplication of all data contained on an electronic storage device. The process of
duplication maintains all contents; all information of the storage device is transferred,
including all viewable and hidden contents, metadata, attributes and all slack space.
Duplication may take place either at the incident scene or in the digital forensic laboratory,
by a trained and certified digital forensic practitioner.
A copy of digital evidence is as admissible as the original evidence as long as it can
be authenticated by professionals or experts. Any examination of the original piece of
evidence may alter or contaminate it. The goal of the digital evidence acquisition process
is to duplicate the original digital evidence in a manner that protects and preserves the
original evidence, in order to prevent destruction, damage, and alteration prior to analysis.
So in the examination of digital evidence, the original digital evidence must be kept intact;
the digital forensic examiner must have an exact duplicate of the original evidence, and
work with that copy alone.
Acquisition can be conducted in the forensic laboratory or on-site. The main
consideration in deciding where to conduct the acquisition is the control of circumstances
and time. If the situation is beyond your control, an on-site acquisition of the potential
digital evidence may be necessary. For example, where a running web-based application
server in a large corporation is vital to its daily business operations and people cannot
simply take the server back to the laboratory, the digital forensic practitioner should
consider conducting an on-site imaging or live acquisition of the activities on the server.
Authentication of the acquired digital evidence is essential to make the copy of the
original evidence admissible in court. Cryptographic checksums can prove that the
contents of the copy are exactly the same as the original. A hash function is a well-known
authentication method based on cryptographic checksums: it takes some input, passes it
through a mathematical process or algorithm, and outputs a fixed answer, in one direction
only. People cannot reverse the process by using the answer to regenerate the original
source. A single bit of difference in the original objects will output a significantly
different answer. Two different items will never generate the same hash result. The three
main authentication methods are CRC-32, MD5, and SHA-1.
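As an added example, not code from the thesis or from any forensic tool, the following Python computes the three checksums named above in one pass over a constructed stand-in for an acquired image, authenticates a duplicate against them, and shows that a single flipped bit changes every digest.

```python
import hashlib
import zlib

CHUNK = 4096  # hash in fixed-size blocks, as an imaging tool does for a large drive


def checksums(data):
    """Return the CRC-32, MD5 and SHA-1 of the data, all computed in one pass."""
    md5, sha1, crc = hashlib.md5(), hashlib.sha1(), 0
    for off in range(0, len(data), CHUNK):
        block = data[off:off + CHUNK]
        md5.update(block)
        sha1.update(block)
        crc = zlib.crc32(block, crc)
    return {
        "crc32": "%08x" % (crc & 0xFFFFFFFF),
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
    }


def authenticate(original, duplicate):
    """Compare every checksum of the duplicate against the original.

    Returns (ok, mismatched_algorithms). All three must agree for the
    duplicate to count as an authenticated, bit-for-bit image.
    """
    expected, actual = checksums(original), checksums(duplicate)
    mismatched = [name for name in expected if expected[name] != actual[name]]
    return (not mismatched), mismatched


def flip_bit(data, byte_index, bit):
    """Return a copy of data with one bit inverted (simulates a corrupted sector)."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


# Constructed stand-in for an acquired drive: 16 KiB of deterministic bytes.
SOURCE_IMAGE = bytes(range(256)) * 64


if __name__ == "__main__":
    record = checksums(SOURCE_IMAGE)  # the values that go on the chain of custody form
    print("recorded:", record)
    print("duplicate ok:", authenticate(SOURCE_IMAGE, bytes(SOURCE_IMAGE)))
    damaged = flip_bit(SOURCE_IMAGE, 9000, 0)
    print("damaged ok:", authenticate(SOURCE_IMAGE, damaged))
```

Recording all three digests on the chain of custody form lets a second examiner repeat the check later. MD5 and SHA-1 are no longer collision resistant, so current practice records a SHA-2 digest such as SHA-256 alongside them.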
Digital evidence acquisition is one of the critical stages in the digital forensic
examination process. Any error during the execution of this procedure could cause
undesirable results. The examiner must ensure documentation of all physical aspects of
the hardware device, such as serial number, make, model and configuration details, and of
the procedures of the acquisition. Prior to the acquisition procedure, ensure that a
sufficiently sized, forensically sterile target medium is available. The digital forensic
examiner can then initiate the acquisition procedure with a forensically sound acquisition
tool. A tool is proved forensically sound when other professionals can show that the tool
does not produce errors or mistakes, and that the same result is generated by other
forensically sound tools following the same procedure on the same digital evidence.
Forensically sound tools help to create an accurate, authenticated duplicate of the original
evidence.
Examination
After acquiring a working copy of the original evidence, the digital forensic examiner
can begin the examination phase of the investigation on the duplicated image of the
evidence by mounting the image with a digital forensic program. The examination helps the
examiner to focus on what the case is about. During a digital forensic examination process,
some of the known files, such as the operating system files, can be ignored. Examiners
have to follow certain rules and steps, and apply forensic examination protocols in the
analysis; those rules and steps ensure the evidence can be used as admissible evidence.
The digital forensic practitioner needs to understand how to gather information with an
accepted methodology and practices, so that the findings can ultimately be presented in
court or similar venues.
A key part of digital forensics is the examination of digital storage media. Because
data storage media are changing rapidly and increasing in size, standard digital forensic
methods and procedures have not had time to become established. Digital forensic
practitioners usually conduct examinations in an ad hoc manner. Examiners examine the
available evidence, generate hypotheses about what occurred to create the evidence, carry
out tests to prove or contradict the hypotheses, and work through the examination process
with forensically sound tools. The findings of the examination help digital forensic
practitioners to build a strong account of what probably occurred. A forensically sound
examination is one conducted under controlled conditions so that it is completely
documented, the examination is repeatable and the result is verifiable. A forensically
sound methodology does not alter any data on the original evidence; it preserves the
original condition regardless of who completes the examination of the media and of the
specific tools and methods employed. Whoever uses forensically sound tools and
methodologies should get the same results. So an investigator or analyst has the
flexibility to choose among many acceptable tools and techniques as long as they are
forensically sound, and anyone using forensically sound tools and methodologies can
reproduce the same examination result.
Analysis
The goal of the analysis of digital evidence is to reconstruct the digital incident scene.
The analysis process has three main aspects. The first aspect is recovery of data and
information; important information can be found in hidden, corrupted, or protected data.
The second aspect is classification of digital artifacts. Reconstruction of the digital incident
scene relies on classification of digital artifacts. Classification is the process of finding
characteristics of the digital evidence in order to distinguish it from similar specimens.
Classification can be carried out by comparison and individualization. The third aspect is
reconstruction, which determines the events surrounding an incident. The concept of
reconstructing an incident is to puzzle out the picture of who, what, when, where, why
and how of an incident using all available digital evidence, and to construct a timeline and
a sequence of events of what occurred.
The recovery of active, backup, hidden, encrypted, deleted or damaged digital
artifacts is usually the first step in recreating the digital incident scene. A computer
forensics practitioner must have access to the appropriate tools and the time necessary to
fully develop any recoverable digital artifacts, and ultimately construct the story behind the
scene. The recovery process takes time, not only for the examination itself, which depends
on the tools and how much information you are going to look at, but also for the
documentation and recovery of the artifacts on which you try to build the case. Recovery is
a time-consuming process; it could take months or years to produce a result. The analysis
result lets an investigator put together the digital evidence and precisely establish what
occurred during the perpetration of the incident.
Comparison is crucial when analyzing digital evidence. Comparing a piece of digital
evidence with a control specimen can highlight unique aspects of the artifact.
Individualization identifies individualizing characteristics, created by mistake, arbitrarily,
or intentionally, that can be recognized later. Digital evidence can therefore be classified,
compared and individualized by its contents, functions, and characteristics.
Contents – usually plain text and graphical images; investigators can use the content
to determine information such as the origin, the message, the receiver, and the
motivation.
Functions – usually programs or applications for a specific purpose; investigators can
examine how a program functions to classify it and individualize it, as in the case of
a Trojan horse program.
Characteristics – file names, file extensions, file sizes, and time stamps can be helpful
in classifying and individualizing digital evidence.
The process of classifying, comparing and individualizing digital evidence can be
lengthy. An investigator must examine each digital artifact carefully to reveal its unusual
or unique details. The smallest detail may provide clues which could prove or contradict
your overall hypothesis as to what occurred. The digital forensic practitioner may find a
variety of data files during an examination; these files are usually stored on the hard drive
of a computer or on another storage device elsewhere. Those files can be classified as
ordinary, hidden or deleted, system, and metadata. Ordinary data includes active data that
is available and easily accessed, and backup or archival data that is no longer in use but is
stored separately for later retrieval. Hidden or deleted data is information that appears not
to exist or is not noticeable, but is recoverable from the digital media. System data includes
background data and information created by operating systems, such as log files, which
can be used to expand the details of a case. Metadata is data about data; important
information such as the time, date, and creator of a document may be embedded in the
document.
During reconstruction, digital evidence can be used to sequence events, determine
locations, and establish the time and/or duration of the incident. The clues used to recreate
an incident are relational, functional and temporal data. Relational data shows the
relationship between objects or pieces of evidence; multiple files can be parts of the
overall crime that we are investigating. Functional data shows the purpose of a piece of
work or how it was used during the incident. For example, an email shows the recipient
and the server information that received it. Temporal data shows the timeline of when the
data was created, and can be used to reconstruct an incident. Time is used to connect
events, access, victims, and offenders; examining and verifying the time stamps attached
to digital evidence can help to reconstruct the order of events.
Documentation
An experienced investigator relies on the practice of following good methodology
during the course of evidence collection and handling, so that the evidence can be
presented in court. “Document everything” is the key to a successful case. A digital
forensic investigation requires the investigator to perform the processes of preparation,
collection, assembly, examination and analysis of digital evidence. Throughout the forensic
process, the investigator examines and extracts a huge amount of information. Ultimately,
that information has to be processed into a succinct and concise report that people can
easily understand. Properly documenting the steps, along with sound forensic procedures,
is essential for success in computer crime cases. Documentation is tedious. A simple
mistake in documentation can completely ruin the evidence that we found in the case. Good
documentation reflects the professionalism of investigators and examiners; mistakes or
errors in documentation can become an issue that is questioned during a presentation.
Good documentation practice includes documenting all investigation steps,
examination procedures, and analysis results as soon as possible. Information has to be
written in a clear and concise manner, and the date and time must be included in all
documents. Other information also needs to be stated precisely in the document. The
documents must carry the names and signatures of the persons who participated in the
investigation or prepared the document. The Chain of Custody is one of the indispensable
documents for all forensic investigations.
Establishing a chain of custody is required upon securing any piece of digital
evidence. Any delay in the timely submission of digital evidence could break the chain of
custody. The chain of custody starts at the point where the device is properly marked with
initials and the current date and time; all items of digital evidence are then recorded and
noted on the chain of custody form before being turned in to the evidence custody facility
or locker. Simply leaving the evidence unattended violates the chain of custody.
Reporting
Reporting is a stage of collaboration and explanation that comes after completion of
the investigation. The documentation stage provides the essential information for
reporting. Reporting requires discipline and organization to prepare information for
presentation. Reporting can be the most difficult phase of the digital forensic investigation.
The challenge is to create reports that accurately describe the whole situation of the case,
including the digital response, the evidence collected, preservation, examination, and the
findings of analysis. These reports have to show the events and information in a timely
manner. Many standard documents must be included in reporting so that it can withstand
the barrage of legal scrutiny. Investigators should develop a standard format for reporting;
forms and templates should be created for easy recording of the process, pertinent
information and data. Various software packages help to generate reports on the data; they
provide view, search, sort, bookmark, and report creation features. The basic guidelines of
reporting are to document your steps clearly, organize the report using a template, be
consistent, and include supporting material and the methods used in data collection.
Documenting in a clear and concise manner helps ensure that the details can be recalled
when needed. The final report may include the sections summary, objectives, analysis,
findings, supporting documentation, and glossary [2].
Presentation
Anyone who wants to join the field of digital forensics cannot avoid the
presentation of findings in a court of law or similar venues. Presentation of digital evidence
is out of the scope of this research paper, but a few points are worth mentioning. First, all
evidence must be admissible in court; always discuss any legal issues with your corporate
attorney or lawyers prior to conducting seizures or presenting digital evidence. Second,
make sure to follow the guidelines of the jurisdiction where the presentation takes place.
Evidence is considered to be a type of proof legally presented at a trial and allowed by the
judge. Evidence is intended to convince the judge or jury of alleged facts material to the
case. Proper control over the maintenance of evidence and documentation can be crucial in
overcoming the inevitable objections that will be raised in the courtroom or by legal
authorities. Third, defendants often attempt to challenge the authenticity of computer
generated records by challenging the reliability of the program and the verification of the
findings. Investigators must be prepared to prove that the forensic tools are forensically
sound and licensed. Fourth, explain procedures, findings and technical information in
layman’s terms. Complex forensic data and procedures can be converted into something
easy to understand with a simple devised frame of reference. Finally, the person’s
appearance, attitude, tone and professionalism are important factors in convincing the
audience.
Middle Layer
The middle layer is considered the micro-cycle of digital forensic investigation. It
contains one or more systematic interfaces, as shown in Figure 3, that can be applied
iteratively or nested within a digital forensic investigation as a framework for developing
examination procedures. The digital forensic practitioner can apply best practice to the
interface to develop a particular implementation of steps or procedures for a specific type
of evidence. The interface contains eight functional units in different time frames. Each
unit specifies the particular nature of the procedures or steps throughout the micro-cycle of
investigation, and the steps or procedures may vary depending on the type of evidence.
Document
The Document unit is a fraction of the whole documentation process stated in the
top layer. The Document unit contains the standard documents needed in the investigation,
and it is the starting point of every procedure. Upon any request for digital forensic
investigation service, the investigator should start to make notes on all information related
to the service. Some software designed for digital forensic investigation helps the
investigator to create the related documents for cases; such software usually assigns a
unique number to each case for later reference. Prepare log files and checklists that make it
convenient for the investigators to fill out the time, date, and events. Reports can be easily
created from proper records or log files. The Chain of Custody is one important document.
Preparation
The Preparation unit includes all preparation that is ready to use for investigative
service requests. A digital incident response usually leaves the investigator no time to get
prepared. The investigator should always have tools and a laboratory environment prepared
for any forensic investigation service. Establishing sterile examination storage media is
good practice. Sterile examination media need to be prepared by the practitioner; all data
areas of the media should be wiped and the wiping documented. Sterilized hard drives take
time to wipe, so they should be prepared ahead of when they are needed. All forensic
systems and media have to be scanned for viruses and verified virus-free before use. The
laboratory should have ready-to-use systems running licensed software, and all forensic
software should be up to date and licensed to the practitioner or the organization. Make
sure the systems are time-validated, because time is an important part of the analysis,
especially when we need to create a timeline of the activities of the suspects. Procedures
or policies must be set to secure the laboratory environment from unauthorized persons, to
avoid violating the chain of custody; the evidence must be proved to be under the control
of authorized personnel at all times.
Physical
The Physical unit refers to physical inspection and examination of the evidence.
Physically examine the hardware of computers and digital devices and document a specific
description of the hardware; record all serial numbers, USB ports and network cabling
sockets. Take notes on anything unusual, take digital photographs and record them in the
log file. Enter the BIOS and capture the CMOS information. Boot the system without
media installed and record all important data, such as system date, time, boot sequence and
storage media settings. Examine the boot record data, check and record all partition data,
and look for any unusual configurations. Understand the baseline of the particular type of
machine and be aware of anything extraordinary. The record of the physical examination
not only verifies the identity of the original evidence, it also provides information on the
state and condition of the original evidence.
Logical
The Logical unit refers to the examination of the logical structure and information of
the evidence that are related to the case, such as the operating system, the file system, user
profiles, network settings, and contents. This information helps the investigator to
understand the case. Examine the File Allocation Tables (FAT) for data of evidentiary
interest. Examine directories and files for available information, such as time stamps,
owner, last access, and other attributes. The information can be used to create an end-user
profile that indicates the technical proficiency of the suspects. Conducting keyword
searches is a good approach to find additional information from the content of the files.
The data from the contents may reveal the linkage between suspects and other parties.
Logical examination of the evidence helps the investigator to decide what actions need to
be taken in order to extract information related to the case.
Recover
The Recover unit contains steps or procedures to get through to and find out what has
been deleted or hidden. Recover deleted files, hidden files, and files in the slack and
unallocated space. Audit all recovered files, or fragments of files, and create a list of all
recovered files. From the file list, sort out the most relevant items, for or against whatever
is the focus of the case. Make sure all the unallocated space and slack space of the media
have been examined, to avoid the risk of missing important information.
Analyze
The Analyze unit includes all procedures or steps to discover and extract the
information that the evidence contains or represents. The investigator needs to analyze all
user-created files and digital artifacts. Conduct keyword searches of all apparent digital
evidence. Using the forensic software, file names and all the words in the content will be
indexed. A keyword search will show all the documents that contain the exact keyword and
the frequency with which the words appear inside each document. Investigators have an
obligation to examine every single suspicious file. Audit and create a list of any apparent
digital evidence. Run any suspicious executable files on a standalone system to see what
they do. Unlock or crack password-protected files with a password recovery program. Try
to decrypt any encrypted files. Each individual Analyze unit may contain only the
procedures or steps that focus on a particular type of evidence.
Findings
The Findings unit records the findings from the examination of the evidence that may
prove or contradict a hypothesis of an investigation. Investigators examine the evidence and
look for clues as to what occurred during the perpetration of the offence. In fact, the jury
will make its decision based on the facts of the findings. Investigators only need to make
sure that all the findings on the report are accurate and answer all of the questions of the
investigation. In many cases, findings may lead to more evidence that needs to be
investigated.
Archive
The Archive unit preserves and archives investigated materials. Create an archive of
the investigated material and put it onto read-only media. An archive may have to last for a
long time; the investigator needs to ensure that the information can be retrieved from the
media, and also needs to make certain that the media will not degrade or be destroyed.
Roles and Ethic
There may be legal issues in entering the scene. Law enforcement agents may need a
warrant to enter the scene. Investigators may either enter the scene with permission, or be
accompanied by a law enforcement agent with a warrant. Prior to seizing equipment or
evidence, make sure you have consent or the necessary document filed and have proper
permission to seize the computer or equipment in question; otherwise the person may
commit a separate crime of burglary. Analysis takes time, and investigators have to be fair
not only to the victims but also to the defendants; examine all evidence and be neutral
about the results. Follow regulations and procedures in examination and analysis, and
create checklists or patterns for your investigation or incident response. Always follow the
procedures in the pattern that is considered acceptable professional practice for digital
incident response, so as to build a good case. Investigators have to document everything
carefully, use forensically sound analysis tools, use licensed analysis tools, and leave the
original evidence untouched. The investigator must maintain impartiality by simply
providing the facts, not judgment, and must report any wrongdoing in the digital
examination.
CHAPTER IV
FORENSIC TECHNOLOGY AND TOOLS
The goal of digital evidence processing is to gain access to the data and examine it.
The three layered systematic approach of digital forensic investigation shown in Figure 1
identifies the procedures, steps, and the implementation of digital forensic investigations in
different time frames and scopes. Those investigation processes cannot be done manually.
Procedures should be conducted on the verified duplicate of the original using forensically
sound procedures and tools. Forensically sound software can help investigators to
complete their jobs more effectively and efficiently. Software can be used in any layer of
the three layered systematic approach. Digital forensic suite software, such as EnCase [21]
and FTK [25], can be used in the top layer over the course of the investigation. Standalone
programs can be used in the different units of the middle layer and in the implementation
of standard procedures in the bottom layer.
No procedure or tool should be applied to the original evidence directly, to avoid
contaminating it. The tools described below are designed to aid the examiner in the process
of examination and analysis of the digital evidence. These tools are not intended to be
all-inclusive. Since the majority of digital evidence involves computer-related storage
media, the tools discussed will focus on these types of storage media.
Previewing Tools
Previewing tools give an option to the investigator who wants to safely preview
digital evidence prior to initiating the forensic process. An investigator can have a quick
scan of the digital media using read-only tools without altering any data on the media. The
preview tools are developed for read-only access; they will not alter any information in the
data, including the last-access time stamps of the files. Preview tools aid in logical
examination of file structures, image scanning, and keyword searching. EnCase [21] and
FTK [25] both provide a preview mode for safely previewing evidence.
Acquisition Tools
The goal of digital evidence duplication is to duplicate or copy the original digital
evidence in a way that protects and preserves the evidence from destruction, damage, or
alteration prior to analysis by the computer forensic practitioner. Duplication is an accurate
digital reproduction that maintains all contents and attributes, and all slack space is
transferred. When duplicating or copying evidence, ensure that the examiner’s storage
device is forensically sterile. Write protection should be initiated to preserve and protect
the original evidence. The MD5 or SHA-1 hashing algorithm should be used prior to
duplication or copying. The write protection can be performed via either hardware or
software. Please note that the formatted area is not the total storage of the drive; there can
be some unallocated area of storage in a hard drive. The Host Protected Area (HPA) is
defined as a reserved area for data storage outside the normal operating file system. The
Protected Area Run Time Interface Extension Services (P.A.R.T.I.E.S) area is hidden from
the operating system and file system, and is normally used for specialized applications.
Duplicate or copy the electronic evidence to the examiner’s storage device using the
appropriate software and hardware tools, such as:
Stand-alone duplication software – SafeBack [22]
Stand-alone validation tools – CRCMd5 [24], DiskSig [25].
EnCase Acquisition Tool [21]
FTK Acquisition Tool [25].
WinHex Acquisition Tool [26].
Dedicated hardware devices – ImageMASSter Solo-3 IT [27], Fire Chief [28], DIBS [29]
Examination Tools
Upon successful duplication of the original evidence, the investigator is ready for digital
evidence examination. The examiner needs to prepare a working log file and a forensic
analysis system with working directories on separate media to which evidentiary files and
data can be copied. Before performing any actual examination, the examiner should record
the logical drive structure, the information contained in the MBR/MFT of the hard drive,
the partition information, and the information found in each partition’s boot sector. EnCase,
FTK, and WinHex [26] provide functionality that helps investigators record the statistics
of the hard drive and create log files of them. The next step is to identify and eliminate the
known files. Known files (the files matched by a Known File Filter, KFF) are files of no
evidentiary interest that investigators do not want to spend time investigating. The National
Software Reference Library (NSRL) is designed to collect software from various sources and
incorporate file profiles computed from this software into a Reference Data Set (RDS) of
information [30]. The RDS can be used to review files on a computer by matching file
profiles in the RDS, which lessens the effort involved in determining the importance of files
on a computer or file system. EnCase has a feature for importing the NSRL RDS, and FTK
also provides a KFF hash database. The investigator needs to examine a large number of
files, including swap files, registry files, backup files, printer spools, log files, user profiles,
temp files, recycle bin files, and thumbnail files. Performing keyword searches is an efficient
way to locate information; beyond keyword searches, the investigator can apply regular
expression searches. Forensic tools allow the use of regular expressions to search for special
patterns in data, such as driver’s licence numbers, social insurance numbers, and credit card
numbers. When examining the binary form of data, the file signature helps identify the type
of data found within a file. A file signature is a unique identifier of a file type that is usually
found at the beginning of the file. The investigator can recreate an image file by locating the
file signature of the image in the thumbnail database file even though all the images have
been deleted. Investigators have to extract various types of files from the system, examine
network intrusions, and examine file slack and unallocated space on the storage devices;
they also need to identify, decode, and examine data that has been binary encoded,
encrypted, password protected, or compressed. Executable files not identified in the known
file identification process should be examined, and the programs of interest executed.
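The examination steps described above (eliminating known files by hash set, identifying files by their signature rather than their extension, recovering images from a thumbnail database by their markers, and searching for number patterns with regular expressions) as one added Python example. This is not code from the paper nor from EnCase or FTK: the NSRL RDS lookup is stood in for by a small constructed SHA-1 dictionary, and the file contents, the thumbnail container and the text note are all constructed in the script. It goes slightly beyond the text in one respect: digit runs are checked with the Luhn checksum, which both payment card numbers and the Canadian social insurance number satisfy, so that arbitrary 16-digit strings are not reported as card numbers.

```python
"""Known-file elimination, signature identification, carving and pattern search (added example)."""
import hashlib
import re

# Constructed stand-in for an NSRL RDS hash set: SHA-1 digests of known software files.
KNOWN_FILE_SHA1 = {
    hashlib.sha1(b"MZ\x90\x00 constructed notepad.exe body").hexdigest(): "notepad.exe",
    hashlib.sha1(b"MZ\x90\x00 constructed kernel32.dll body").hexdigest(): "kernel32.dll",
}

# File signatures: fixed byte patterns at the start of a file that identify its type.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP container (also DOCX/XLSX/JAR)",
    b"%PDF-": "PDF document",
    b"MZ": "Windows executable (MZ/PE)",
}

PATTERNS = {
    "credit card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),   # 16 digits, optional separators
    "SIN": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"),    # Canadian social insurance number
}

def filter_known(files):
    """Split {name: bytes} into (files still to examine, files matched to the hash set)."""
    to_examine, known = {}, {}
    for name, data in files.items():
        digest = hashlib.sha1(data).hexdigest()
        if digest in KNOWN_FILE_SHA1:
            known[name] = KNOWN_FILE_SHA1[digest]
        else:
            to_examine[name] = data
    return to_examine, known

def identify(data):
    """Name the file type from its leading bytes; the extension is never trusted."""
    for magic, label in SIGNATURES.items():
        if data.startswith(magic):
            return label
    return "unknown"

def carve_jpegs(blob):
    """Recover JPEGs from a container such as a thumbnail database by SOI/EOI markers."""
    carved, pos = [], 0
    while True:
        start = blob.find(b"\xff\xd8\xff", pos)
        if start < 0:
            break
        end = blob.find(b"\xff\xd9", start + 3)
        if end < 0:
            break
        carved.append(blob[start:end + 2])
        pos = end + 2
    return carved

def luhn_ok(digits):
    """Luhn check-digit test, which both payment card numbers and the SIN satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def pattern_search(text):
    """Regular-expression search; Luhn validation drops random digit runs (false positives)."""
    hits = []
    for label, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                hits.append((label, m.group()))
    return hits

def demo():
    """Run the four steps over a constructed evidence set and return the findings."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 20 + b"\xff\xd9"   # minimal constructed JPEG
    files = {
        "notepad.exe": b"MZ\x90\x00 constructed notepad.exe body",
        "kernel32.dll": b"MZ\x90\x00 constructed kernel32.dll body",
        "holiday.txt": jpeg,          # image hidden behind a misleading extension
        "notes.txt": b"card 4111 1111 1111 1111, sin 046 454 286, ref 1234 5678 9012 3456",
    }
    to_examine, known = filter_known(files)
    thumbs = b"\x00" * 7 + jpeg + b"junk" + jpeg + b"\x00" * 3  # constructed thumbnail db
    return {
        "known": known,
        "types": {name: identify(data) for name, data in to_examine.items()},
        "carved": len(carve_jpegs(thumbs)),
        "hits": pattern_search(files["notes.txt"].decode()),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The carver stops at the first EOI marker after a SOI, which is enough for the simple thumbnails constructed here; real JPEGs can embed a second JPEG (an EXIF preview) and so contain an inner FF D9, which is why production carvers also parse the marker segments rather than relying on the end marker alone.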
Digital forensic investigators or examiners have to choose their own tools for a specific
process, file type, or functionality. EnCase and FTK are two digital forensic application
suites that provide a wide variety of functionality for the analysis of files on both
Windows-based and Linux-based systems. The Coroner’s Toolkit (TCT) [31] is a
collection of programs for post-mortem analysis of UNIX-based and Linux-based
systems. The Sleuth Kit [32] is a collection of open source digital investigation tools for
forensic analysis that can be used on the Linux platform.
CHAPTER V
CONCLUSIONS AND RECOMMENDATIONS
Conclusions
This paper introduces digital forensics as a three-layered, structured, systematic
approach, which shows the different levels of the entire digital forensic investigation that
an investigator should focus on. The top layer generalizes assessment, acquisition,
examination, analysis, documentation, reporting, and presentation into a macro-cycle that
describes the overall investigation process. In the assessment phase, the investigator
assesses the digital evidence thoroughly during the incident response to determine the
course of action to take. In the acquisition phase, the investigator duplicates the original
evidence for examination so that the original evidence remains untouched. Examination
recovers and analyzes digital evidence. In the analysis phase, the investigator interprets the
recovered data into logical and meaningful evidence. Documentation records actions and
observations throughout the forensic processing of evidence. Reporting concludes the
findings into a report. The presentation phase presents the evidence to convince people of
the truth of the findings. The facts should be presented in a concise, but sufficiently
detailed, manner.
To establish a digital forensic laboratory or maintain the operation of one, a
selection of procedures and protocols should be implemented to ensure that operations run
smoothly. The laboratory policies may vary depending upon the location, jurisdiction,
financial resources, and operational commitments. Quality assurance and quality control
refer to the measures of performance monitoring, verification, and documentation conducted
by the laboratory, and they must be maintained within the laboratory. The middle layer
formalizes the digital forensic procedures and steps into an interface. The interface can be
further developed into standard procedures for particular types of digital evidence. Unlike
traditional forensic science, digital forensic science is a rapidly changing field of
endeavour; thus, attempting to develop and enforce strict standards, protocols, and
procedures is quite difficult. The middle layer conceptualizes the investigation procedures
into an interface with eight processing units; the actual implementation of each unit
depends on the development of the digital forensic community or laboratory. The
investigator needs to ensure that all established procedures comply with current industry
standards and best practices, changes in technology, and jurisdiction. All forensic
procedures should be documented in a timely manner. The documents should contain
sufficient detail to make it possible for another computer forensic practitioner to reproduce
the original investigator’s efforts. A report of the examination or investigation should be
submitted at the completion of each computer forensic examination. The report must
describe all items of evidence examined and all data recovered during the computer
forensic examination. The report should present a clear understanding of the results and
conclusions of the computer forensic examination. Finally, all original digital evidence
must be returned to the evidence custody unit or facility, and the findings of the
examination must be properly archived.
Digital technology has influenced the world in the areas of financial, commercial, and
social activity. Criminals continuously take advantage of computer technology to
commit fraudulent activities, and these activities can be conducted internally,
externally, or remotely through a network or the Internet. Digital forensics is deployed in a
wide range of criminal and civil cases. Digital evidence must be admissible,
authenticated, and accurate; next, it must tell a complete story of the particular
circumstances; and finally it must have probative value to juries or trials. Digital evidence
is like any other evidence but fragile in nature, and it must be handled properly and
carefully.
Suggestions for Further Research
The biggest challenge of digital forensic science is the lack of standardized protocols and
methodologies. Standard protocols and methodologies do not have sufficient time to
develop and go through the usual cycle of validation and verification of new and tested
forensic techniques and discoveries. For operational reasons, the investigator needs a broad
range of computer knowledge and skills to examine all types of files on a massive storage
device; this creates a reliability issue, since their findings will be challenged on the
validation of the findings and verification of the evidence, the completeness of the
investigation, and the absence of tampering during examination. The digital forensic
community needs a structured framework for the rapid development of standard operating
procedures that can be peer-reviewed and tested promptly, and validated and verified
quickly. Computer forensic practitioners can benefit from standard operating procedures to
build a forensically sound case. The three-layered structure put forth here shows a potential
structured framework for the development of training materials for digital forensic
students; it can be a guideline for standard operating procedures and a model for digital
forensic software development.
REFERENCES
[1] B.D. Carrier, “Risk of Live Digital Forensic Analysis,” Communications of the ACM, vol. 49, no. 2, Feb. 2006.
[2] M.G. Solomon, D. Barrett, and N. Broom, Computer Forensics JumpStart, San Francisco, CA: SYBEX Inc., 2005.
[3] W. Harrison, “A Term Project for a Course on Computer Forensics,” ACM Journal on Educational Resources in Computing, vol. 6, no. 3, article 6, Sep. 2006.
[4] P. Stephenson, Investigating Computer-Related Crime: A Handbook for Corporate Investigators, Boca Raton, FL: CRC Press LLC, 2000.
[5] D.L. Shinder, Scene of the Cybercrime: Computer Forensics Handbook, Rockland, MA: Syngress Publishing, 2002.
[6] A.J. Marcella and R.S. Greenfield, Cyber Forensics: A Field Manual for Collecting, Examining and Preserving Evidence of Computer Crimes, Boca Raton, FL: CRC Press LLC, 2002.
[7] G. Mohay, A. Anderson, B. Collie, O. de Vel, and R. McKemmish, Computer and Intrusion Forensics, Boston, MA: Artech House, 2003.
[8] R. Leigland and A.W. Krings, “A Formalization of Digital Forensics,” International Journal of Digital Evidence, vol. 3, issue 2, Fall 2004.
[9] “Education and Training in Forensic Science: A Guide for Forensic Science Laboratories, Educational Institutions, and Students,” Office of Justice Programs, National Institute of Justice, U.S. Department of Justice, Washington, DC, NCJ203099, Jun. 2004.
[10] J. Wartell and J.T. McEwen, “Privacy in the Information Age: A Guide for Sharing Crime Maps and Spatial Data,” Crime Mapping Research Center, National Institute of Justice, U.S. Department of Justice, Washington, DC, NCJ188739, Jul. 2001.
[11] H. Stambaugh, D.S. Beaupre, D.J. Icove, R. Baker, W. Cassaday, and W.P. Williams, “Electronic Crime Needs Assessment for State and Local Law Enforcement,” Office of Justice Programs, National Institute of Justice, U.S. Department of Justice, Washington, DC, NCJ186276, Mar. 2001.
[12] “Forensic Examination of Digital Evidence: A Guide for Law Enforcement,” Office of Justice Programs, National Institute of Justice, U.S. Department of Justice, Washington, DC, NCJ199408, Apr. 2004.
[13] B. Middleton, Cyber Crime Investigator’s Field Guide, Boca Raton, FL: CRC Press, 2002.
[14] D. Schweitzer, Incident Response: Computer Forensics Toolkit, Indianapolis, IN: Wiley Publishing, 2003.
[15] C. Prosise, K. Mandia, and M. Pepe, Incident Response & Computer Forensics, 2nd ed., New York: McGraw-Hill Companies, 2003.
[16] M.A. Caloyannides, Privacy Protection and Computer Forensics, 2nd ed., Boston, MA: Artech House, 2004.
[17] P. Crowley, CD and DVD Forensics, D. Kleiman, Ed., Rockland, MA: Syngress Publishing, 2007.
[18] H. Carvey, Windows Forensic Analysis, Burlington, MA: Syngress Publishing, 2007.
[19] J.J. Barbara, Handbook of Digital and Multimedia Forensic Evidence, Totowa, NJ: Humana Press, 2008.
[20] J. Beckett and J. Slay, “Digital Forensics: Validation and Verification in a Dynamic Work Environment,” 40th Annual Hawaii International Conference on System Sciences, 2007.
[21] S. Bunting and W. Wei, The Official EnCE: EnCase Certified Examiner Study Guide, Indianapolis, IN: Wiley Publishing, Inc., 2007.
[22] New Technology Inc., “Introduction to SafeBack 3.0”. [Online]. Available: http://www.forensics-intl.com/safeback.html [Accessed: Feb. 1, 2009].
[23] New Technology Inc., “CRCMd5 Data Validation Tool”. [Online]. Available: http://www.forensics-intl.com/crcmd5.html [Accessed: Feb. 1, 2009].
[24] New Technology Inc., “DiskSig Pro Bitstream Backup Validation”. [Online]. Available: http://www.forensics-intl.com/diskSig.html [Accessed: Feb. 1, 2009].
[25] AccessData Corp., “Get Flexibility with Forensic Toolkit 2.0”. [Online]. Available: http://www.accessdata.com/forensictoolkit.html [Accessed: Feb. 1, 2009].
[26] X-Ways Software Technology AG, “WinHex: Computer Forensics & Data Recovery Software, Hex Editor & Disk Editor”. [Online]. Available: http://www.x-ways.net/winhex/index-m.html [Accessed: Feb. 1, 2009].
[27] Intelligent Computer Solutions Inc., “Home page – ImageMASSter Product Lines”. [Online]. Available: http://www.ics-iq.com [Accessed: Feb. 1, 2009].
[28] Digital Intelligence, “About the FireChief”. [Online]. Available: http://www.digitalintelligence.com/products/firechief/ [Accessed: Feb. 1, 2009].
[29] DIBS USA Inc., “Home page – Computer Forensics Equipment, Training, Case Support and Analysis”. [Online]. Available: http://www.dibsusa.com/ [Accessed: Feb. 1, 2009].
[30] National Software Reference Library, “Home page – Welcome to the National Software Reference Library (NSRL) Project Web Site”. [Online]. Available: http://www.nsrl.nist.gov [Accessed: Feb. 1, 2009].
[31] Porcupine.org, “Home page – The Coroner’s Toolkit (TCT)”. [Online]. Available: http://www.porcupine.org/forensics/tct.html [Accessed: Feb. 1, 2009].
[32] Sleuthkit.org, “Home page – Feathers”. [Online]. Available: http://www.sleuthkit.org/sleuthkit/desc.php [Accessed: Feb. 1, 2009].