THE DIGITAL FORENSIC PROCESS
Overview of the Digital Forensics Process
Digital Forensics procedures can be segregated in four different phases in which different resources are needed. The first phase is the execution of an Incident Response procedure, followed by the collection and preservation of the evidence, then the analysis of information and finally, the presentation of the results.
Figure 1: Forensics Procedures
Incident Response is the actions performed, forensically talking, to react in front of any kind of incident or attempt. It is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that allows the responders to identify if an incident has indeed occurred, limit the impact and reduce recovery time and costs.
Formally, the Acquisition can be defined as the process executed to collect and identify all information stored in the suspect computer systems (memory, processes, network connections, storage –hard drives, media cards, etc.-malware …). The acquisition process must be performed strictly following forensically sound procedures so that the investigator can prove at any given moment that not even a bit has been modified or lost during the process, ensuring the reliability, completeness and accuracy of all items. All the aforementioned procedures are verifiable and able to stand in a court of law if necessary.
Digital evidence can be collected from various sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROM, USB memory devices, and so on. Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID tags, and web pages (which must be preserved as they are subject to change).
During a Forensics Investigation acquisition process, all the activities performed should be timed and thoroughly documented
Preservation and Custody of Evidence
Special measures should be taken when conducting a Forensic Investigation if it is desired for the results to be used in a court of law. One of the most important measures is to assure that the evidence has been accurately collected, preserved and kept under appropriate Custody, preserving the Chain of Custody from the scene of the crime to the investigator and ultimately to the Court.
Chain of custody refers to the chronological documentation, and/or paper trail, showing the acquisition, custody, control, transfer, analysis, and disposition of evidence, physical or electronic.
The Analysis phase of the Digital Forensic process addresses the extraction of the individual elements of information that may be of significant to the case. For this purpose, a myriad of specialized tools are used to discover information from different sources. There is no perfect tool for every kind of process, so in many investigations, numerous tools are used to analyze specific portions of information.
Typical Forensic Analysis includes a manual review of material on the media, reviewing the Windows registry for suspicious information, keyword searches for topics related to the incident, and extracting e-mail and images for review.
Once the analysis is complete, a report is generated. This report may be a written report, an oral testimony or any combination of the two. The aim of this phase is to present the evidence obtained in a form that is an accurate representation of the facts and that is understandable by the intended audience.
Please feel free to contact us to schedule meeting with you and evaluate your requirements.