Digital Forensics Process Model

Digital Forensics Process in detail

Uploaded by

chinmaynaik02

Digital Forensics Process Model

29 September 2024 11:21

Introduction

The correct collection and documentation of digital evidence are vital for ensuring its admissibility in court.
Unlike what is shown in TV shows, actual investigations involve thorough paperwork starting at the crime
scene.

Detecting digital evidence can be difficult, especially with small devices like memory cards. Examiners often
deal with multiple devices such as running computers and wireless equipment, requiring careful handling.
Given the volatile nature of digital evidence, a forensic image or clone of the media is created for examination
to preserve the original data.

Crime Scenes and Collecting Evidence

Handling digital crime scenes varies based on the case—criminal, civil, or administrative—but certain core
practices remain consistent.
Securing evidence is the first step, ensuring it is protected from accidental or intentional damage.

This includes:
• Limiting physical access to the crime scene for people such as news media, nosy neighbours, and police
supervisors. This is done by stringing crime scene tape, posting guards, or simply asking people to leave.
• Isolating digital devices from networks to prevent tampering.
○ For example, unplugging Ethernet cables or disconnecting wireless devices.

Devices must be properly isolated to prevent remote access and data compromise.

Removable Media

Removable storage media, such as memory cards, DVDs, external hard drives, and thumb drives, can store
massive amounts of data.
A single 64 GB memory card can hold around 7,000 complete Harry Potter book sets, highlighting the need
for careful search and examination.

Investigators should also examine the surrounding area for clues:


• Manuals or other documents that may indicate technical skill or encryption use.
• Discarded packaging in trash that might provide additional evidence.

Cell Phones

Cell phones often contain valuable data like texts, emails, and call logs.
These items can be used to show intent, determine the last person to come in contact with a murder victim,
establish alibis, determine approximate locations, and more.
However, they are vulnerable to remote wiping by the owner or provider.

To secure these devices:


• Isolate the phone from network signals to prevent remote wiping or data deletion.
○ Use Faraday bags or turn the phone off to prevent network connections. A Faraday bag is made of
“some type of conducting material or mesh” that repels these signals.
• Address power concerns:
○ Be aware of power concerns, as phones trying to connect to networks may drain their batteries.
Seize power cables to ensure the phone can be recharged during the examination.

Order of Volatility

When collecting digital evidence, prioritize based on the order of volatility:


1. CPU, cache, and register content (most volatile).
2. Routing table, ARP cache, process table, and kernel statistics.
3. Memory (RAM).
4. Temporary file systems/swap space.
5. Data on hard disks.
6. Remotely logged data.
7. Archived media (least volatile).

This structured approach ensures critical volatile data is preserved first, minimizing the risk of loss.

Documenting the Scene


Proper documentation is critical in digital forensics; the saying "If you don’t write it down, it didn’t happen"
emphasizes this point.

Documentation methods include photographs, written notes, and sometimes video. The documentation
process begins as soon as investigators arrive at the scene, noting key details such as the date and time of
arrival, individuals present, and a thorough description of the evidence.

Key documentation practices:


• Record the type, make, model, and serial number of each digital device.
• Note whether devices are on or off, and whether they are connected to networks or peripherals.
• Label peripheral connections to allow for potential reconstruction in the lab.
• Conduct a walk-through to assess the type and number of devices and resources needed.

Photography
Photography is a vital component of documentation, capturing the scene before any evidence is disturbed.
Photos are often described as telling a story, which could help investigators walk a judge or jury through the
crime scene later.

Guidelines for photography:


• Begin with wide-angle photos of the scene, and then move to close-ups of individual pieces of evidence.
• Include long, medium, and close-range shots to show the context and condition of the evidence.
• Take multiple photos to capture identifying information such as serial numbers, damage, or connections.
• When using a ruler or other measurement tool to give perspective on evidence size, take a picture
without the ruler first, then one with it.
• Photos do not replace notes; they are supplementary and help recall details.

Notes
Detailed, chronological notes are another key element of documentation. Notes should record actions taken
at the scene, who discovered or collected each piece of evidence, and general observations. They are essential
for refreshing memory when preparing for court.

Key points for note-taking:


• Notes should include time of arrival, actions of individuals, and specific details about evidence collection.
• Ensure legibility and detail, as these notes may be used in court and could be discoverable by the
opposing party.
• Avoid drawing conclusions or speculating in the notes. Stick to observations and actions, leaving analysis
for later.

Chain of Custody
Before evidence is presented in court, it must adhere to strict legal requirements, particularly a
well-documented chain of custody. This process is essential to ensure that the evidence is both reliable and
admissible.

For digital evidence, such as computers, it is crucial to document each instance where the evidence changes
hands or locations. Key steps in this process include:
• Collection at the crime scene
• Logging the item in at the lab
• Storage in secure facilities
• Checkout for analysis
• Check-in for storage again after analysis

Each of these steps must be meticulously recorded to maintain the integrity of the evidence. Without proper
documentation, the evidence may be considered inadmissible in court.

Marking Evidence
The first "link" in the chain of custody is the person collecting the evidence.
In civil cases, IT staff or other personnel may be that first link.

• Marking the Evidence:


○ Items are typically marked with initials, dates, and case numbers.
○ Permanent markers are used to ensure that the markings don’t smudge or fade.
○ These marks are crucial for identifying the item in court and proving that it is the same as the one
collected.
• Sealing Small Evidence:
○ Small items are sealed in tamper-proof evidence bags.
○ Bags are initialed and dated.
○ Bags may be made of paper, plastic, or anti-static material for electronics, which protects sensitive
components from static electricity.

Cloning

A forensic clone, or bitstream image, is an exact, bit-for-bit copy of a hard drive, capturing every bit (1 or 0)
onto a separate, forensically clean media.

Why not just copy and paste?

A simple copy and paste is not sufficient because it:
• only gets the active data, that is, data that is accessible to the user;
• does not get the data in the unallocated space, including deleted and partially overwritten files;
• does not capture the file system data.

Purpose of Cloning
Given the volatility of digital evidence, it's crucial to avoid examining the original drive unless absolutely
necessary.
Cloning allows for a safe examination of the data, providing a “mulligan” if something goes wrong. Ideally,
the original drive is preserved securely, used only if needed for reimaging.
Hard drives are susceptible to failure. Having two clones gives you one to examine and one to fall back on.
Ideally, all examination is done on a clone as opposed to the original.

The Cloning Process


1. Setup: Identify the source drive (the suspect's hard drive) and the destination drive (forensically
cleaned media). Ensure the destination drive is equal to or larger than the source drive.
2. Removal and Connection: Remove the source drive and connect it to a cloning device or another
computer.
3. Write Blocking: A write block is a crucial piece of hardware or software that is used to safeguard the
original evidence during the cloning process. Implement a write-blocking device to prevent any data
from being written to the source drive during cloning.
4. Cloning: The destination drive must be forensically cleaned before cloning a suspect’s drive to it.
Initiate the cloning process, which should generate a report indicating success, verified by matching
hash values (digital fingerprints) of the source and clone.

Forensically Clean Media


A forensically clean drive is proven to be free of data before cloning.
Cleaning involves overwriting the entire drive with a specific pattern (such as 1111111111111), ensuring there is
no commingled data that could render evidence inadmissible.

Forensic Image Formats


The output of the cloning process is a forensic image, which can be in various formats, such as:
• EnCase (.E01)
• Raw dd (.001)
• AccessData Custom Content Image (.AD1)
These formats are forensically sound, and the choice may depend on the tools being used and compatibility
needs. Some, like dd, are open source, while others, like AD1, are proprietary.

Risks and Challenges


The primary risk during cloning is accidentally writing to the source drive, which compromises its integrity.
Proper use of write-blocking devices is essential.
Complications may also arise from a corrupt boot sector or a failing drive.

Value in eDiscovery
“[t]he process of identifying, preserving, collecting, preparing, reviewing, and producing electronically stored
information (‘ESI’) in the context of the legal process” - eDiscovery definition by the Sedona Conference

Forensic cloning is valuable in the eDiscovery process, ensuring the preservation of relevant electronic data
(ESI). It serves as the gold standard, maintaining all data on media, not just active files. However, cloning can
be expensive and impractical in some situations.

Sanctions in Electronic Discovery
In the case of E.I. du Pont de Nemours v. Kolon Industries (2011), Kolon faced severe penalties for failing to preserve
e-mails and relevant data. The court’s determination of destruction led to a jury award of $919 million, with further
punitive damages and attorney fees requested by DuPont.

Live System Versus Dead System


Dead System
Traditionally, forensic investigations focus on powered-off, or “dead” systems. This method avoids making
any changes to the data, ensuring evidence integrity.
However, when encountering a live system (a running computer), this approach becomes more
complicated due to the risks involved in altering or losing volatile data.

Live Acquisition Concerns


1. Traditional Approach - Pulling the Plug
The old-school method of simply pulling the plug on a live system removes the risk of changing
system data during investigation. Interacting with a live system causes changes, which can affect the
integrity of the evidence. However, even a powered-on, unaltered machine experiences changes in
memory, and pulling the plug has its drawbacks.

2. Downsides of Pulling the Plug


○ Loss of RAM Data: Data in RAM (volatile memory) is at risk when power is removed. Although
data fades rather than disappears instantly, critical evidence like passwords, running processes,
and encryption keys can be lost. This dissipation can be further slowed if the RAM is cooled
to –58 degrees Fahrenheit (–50 Celsius).
○ Encryption Risks: Systems or files that are unencrypted while powered on may revert to an
encrypted state after shutdown, making evidence inaccessible.
○ Potential Data Corruption: Abruptly cutting power can damage files, rendering them
unreadable.
○ Unsaved Evidence: Some data may only be written to disk during a proper shutdown, so pulling
the plug may prevent the recovery of key artifacts.

Advantages of Live Collection


Modern forensics tools allow for live acquisition of data from running systems, including RAM capture.
These tools minimize the risk of losing volatile data and maintain evidence integrity in a forensically sound
manner. Live collection is essential in certain cases, such as investigations involving malware or
encryption, where capturing active memory data is crucial.

Principles of Live Collection


When conducting a live collection:
• Evaluate the Necessity: Is the potential evidence in RAM worth the risk and effort? For malware
investigations, RAM is critical; in other cases, like child pornography, RAM may hold little value.
• Have the Right Resources: Use specialized tools and trained personnel for live data collection. If such
resources are unavailable, pulling the plug may still be the better option.
• Minimize Interaction: Use the least invasive methods to interact with the machine, and prioritize
collecting volatile data first (e.g., RAM).

Evidence in RAM
Volatile memory (RAM) can contain valuable evidence, including:
• Running processes
• Executed commands
• Passwords in clear text
• Unencrypted data
• Instant messages
• Internet Protocol (IP) addresses
• Trojan horse malware

Conducting and Documenting a Live Collection


Once you decide to collect live data:
• Prepare Thoroughly: Gather all necessary tools and materials (e.g., memory capture tools, report
forms).
• Document Everything: Note every action taken, such as waking the desktop or launching a tool.
Follow an action-response approach to log system behavior.
• Capture Volatile Data: Use a validated memory capture tool to collect RAM data.
• Shutdown Properly: After collecting evidence, shut down the system correctly to allow all running
applications to write their data to disk.
Live collection offers significant advantages but requires careful handling to avoid compromising the
integrity of the evidence. With proper tools and techniques, volatile memory can be preserved for further
investigation.

Hashing in Digital Forensics


Purpose of Hashing
Hashing is a crucial method used in digital forensics to verify the integrity of data. A hash value acts as a unique
identifier for data, similar to a “digital fingerprint” or “digital DNA.” Even a minor change in the original data will
result in a completely different hash value, making it an effective tool for detecting tampering or manipulation of
evidence.

Types of Hashing Algorithms


Several hashing algorithms are commonly used in digital forensics, including:
• Message Digest 5 (MD5): Fast and widely used, but vulnerable to collision attacks.
• Secure Hashing Algorithm (SHA) 1: More secure than MD5, but still considered weak by modern standards.
• Secure Hashing Algorithm (SHA) 2: The current standard, offering enhanced security and resistance to
attacks.

Hashing Example
To illustrate the impact of minor changes on hash values, consider the following example using SHA1:
• Original Phrase: "Go Steelers!"
SHA1 Hash: c924 4cac 47b3 4335 5aed 06f3 cc85 ea82 885f 9f3e
• Modified Phrase: "Go steelers!" (changed "S" to lowercase)
SHA1 Hash: 1a10 ffd1 db12 c88f 88e6 b070 561f 6124 f632 26ec
The significant difference in hash values demonstrates how even a small change alters the output drastically,
underscoring the reliability of hashes for verifying data integrity.

Uses of Hashing
1. Verification of Cloning: After creating a clone of an evidence drive, hash values can confirm that the clone is
an exact duplicate.
2. Integrity Checks: Hashes serve as integrity checks at various stages of the forensic process to ensure evidence
remains unaltered.
3. Exchange of Forensic Images: When sharing forensic images with other examiners (especially opposing sides),
the hash value can be compared with the original to verify that the image is a bit-for-bit copy.
4. Identification of Files: Hash values can identify specific files, aiding in the investigation process.
5. Documentation: All relevant hash values generated during the investigation should be recorded in the final
report, as they play a vital role in demonstrating the integrity of the evidence.
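As an added illustration (not code from the original notes), the following Python script ties together three points made above: why a copy and paste is not a forensic clone (the "Cloning" section), hash verification of a clone, and recording a hash at each chain-of-custody handoff. The "drive" contents, the item id and the handler names are constructed placeholders; the SHA-1 digests of the two "Go Steelers!" phrases are computed so they can be compared with the values quoted in the Hashing Example.

```python
import hashlib
from datetime import datetime, timezone


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data; 'sha1' or 'md5' reproduce the weaker algorithms discussed above."""
    return hashlib.new(algo, data).hexdigest()


def differing_fraction(a: str, b: str) -> float:
    """Fraction of hex digits that differ between two equal-length digests (avalanche effect)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


# Constructed "suspect drive": active file data followed by unallocated space that still
# holds a deleted note. A real image is gigabytes, but the principle is identical.
ACTIVE_DATA = b"quarterly_report.docx: revenue figures for Q3 ...\n"
UNALLOCATED = b"\x00" * 12 + b"[deleted] draft memo, never saved\n" + b"\x00" * 12
SOURCE_DRIVE = ACTIVE_DATA + UNALLOCATED


def logical_copy(drive: bytes) -> bytes:
    """What copy and paste yields: only the active, user-visible data."""
    return drive[: len(ACTIVE_DATA)]


def bitstream_image(drive: bytes) -> bytes:
    """A forensic clone: every byte, allocated or not."""
    return bytes(drive)


def verify_clone(source: bytes, image: bytes, algo: str = "sha256") -> bool:
    """The cloning tool's success check: source and image digests must match."""
    return digest(source, algo) == digest(image, algo)


def custody_entry(item_id: str, action: str, handler: str, image: bytes) -> dict:
    """One chain-of-custody link; the hash lets the next handler prove nothing changed."""
    return {"item": item_id, "action": action, "handler": handler,
            "time": datetime.now(timezone.utc).isoformat(), "sha256": digest(image)}


def custody_unbroken(log: list) -> bool:
    """True when every recorded handoff carries the same hash as the collection entry."""
    return all(entry["sha256"] == log[0]["sha256"] for entry in log)


if __name__ == "__main__":
    h1, h2 = digest(b"Go Steelers!", "sha1"), digest(b"Go steelers!", "sha1")
    print(h1, h2, f"{differing_fraction(h1, h2):.0%} of hex digits differ")
    img = bitstream_image(SOURCE_DRIVE)
    print("clone verified:", verify_clone(SOURCE_DRIVE, img))
    print("copy/paste missed deleted note:", b"[deleted]" not in logical_copy(SOURCE_DRIVE))
    log = [custody_entry("HD-001", "collected at scene", "Det. A", img),
           custody_entry("HD-001", "logged in at lab", "Evidence clerk", img),
           custody_entry("HD-001", "checked out for analysis", "Examiner B", img)]
    print("custody unbroken:", custody_unbroken(log))
```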


Final Report in Digital Forensics


The final report generated by the examiner is a critical part of the forensic process.

Key considerations include:


1. Audience Awareness: Reports should be crafted with the intended audience in mind, avoiding technical
jargon and focusing on clear, understandable language suitable for judges, attorneys, and juries.
2. Detailed Narrative: A comprehensive account of all actions taken during the examination should be included,
providing enough detail for another examiner to replicate the procedure.
3. Customization: While forensic tools like EnCase and FTK generate useful reports, they should be
supplemented with additional explanations and narratives to ensure clarity.
4. Effective Communication: A report written in plain English enhances comprehension and ensures that the
evidence is effectively communicated, improving its potential impact in court.

A well-structured report that balances technical details with readability is essential for the successful presentation
of forensic findings.
