Introduction
With the emergence and rapid spread of digital technologies, criminals around the world have adapted, using modern devices to break the law more efficiently. Law enforcement agencies have to keep up with criminal practices in order to ensure the safety of citizens and to respond properly to a criminal act. Digital forensic investigation of cybercrime is a crucial process that allows investigators to establish the guilt or innocence of a person on trial, which is key to delivering justice. A universal protocol for the examination of digital evidence has not yet been established, for multiple reasons including the fast-paced development of new technologies and new criminal practices. Given that, it is paramount to review current best practices in digital forensics and viable process models in order to have a well-rounded understanding of the tools and procedures in the field.
Digital Forensic Process
A variety of methods have been proposed to establish a sound forensic procedure, and over the last ten to fifteen years researchers and forensic experts have developed dozens of process models. According to one of the most recently published models, devised by Kohn, Eloff, and Eloff (2013), the digital forensic process is divided into five major stages: preparation, incident, incident response, investigation, and presentation of the results. Other models, such as the one elaborated by Agarwal, Gupta, Gupta, and Gupta (2011), additionally mention steps such as securing and documenting the scene, establishing lines of communication, preserving data, and reviewing the results. Many other models follow the same procedure in more or less detail, naming the steps differently or grouping them differently. The stages most commonly identified by professionals are as follows:
- Preparation to handle the evidence
- Seizure of the evidence
- Acquisition of the data
- Data analysis
- Report on findings
Preparation Stage
Preparation and readiness of the agency for the actual process of investigation seem inherent in the structure that performs it and therefore rather self-evident. However, according to the US Department of Justice (2015), this stage requires special caution and interaction with other government bodies such as the courts, which issue the authorization for a digital investigation. In the preparation step, it is crucial that the agency conducting the investigation has sufficient information to initiate the investigation sequence and that all actions are coordinated with the requester. In parallel with the resolution of official and legal questions, the experts responsible for handling evidence and maintaining the equipment are to check that all tools used for extracting and examining evidence are in good order and fully functional. The hardware and software have to be configured in accordance with the task at hand.
The choice of tools is defined by the forensic request. Some digital forensic investigations involve evidence items that cannot be removed from the crime scene and therefore require on-site copying of the data to be analyzed. During the preparation stage, the digital forensics team has to determine the set of tools appropriate for safely extracting the required data (SWGDE, 2014). The possibility that a device destroys its data on its own or when interfered with should also be considered when planning the tools necessary for safe and successful data retrieval (SWGDE, 2014).
Seizure Stage
This stage covers locating and safely retrieving the carriers of digital evidence, such as personal computers, mobile devices, storage devices, and other equipment, for further examination. Kohn et al. (2013) define the search as identification of the location of the evidence. Its physical location is first searched for at the crime scene. The team has to be skilled in locating and identifying the various types of hardware and software that are themselves evidence or may contain it. In certain cases, the location of the evidence is concealed behind servers, internet service providers, and routers (Kohn et al., 2013). Once located, the potential offender's hardware may be available for immediate packaging, which is the most preferable scenario. However, there are cases when evidence must be retrieved on site so as not to obstruct traditional forensic procedures such as DNA sample or fingerprint recovery (SWGDE, 2014). In addition, to prevent contamination of or damage to the evidence, the forensics team has to ensure that every person not authorized to be present at the crime scene, or to have access to hardware or software that might be presented as digital evidence, is removed from its vicinity (SWGDE, 2014). It is also preferable that persons who may hold valuable information such as access codes, credentials, and the location of the necessary data are identified and interviewed. All seized evidence has to be properly documented.
Acquisition of the Data
The acquisition stage is aimed at safely retrieving the evidence from the seized equipment and ensuring that it remains intact and uncorrupted. Retrieval usually means copying all the information that might be relevant to the investigation. Copying is an important step, as it protects the original evidence from corruption, mishandling, or loss in the course of examination; in practice the copy is verified by comparing a cryptographic hash of the original with a hash of the copy. Once all data has been safely copied, the sorting process begins. Preliminary on-scene triage, as noted by SWGDE (2014), might miss important data; therefore it is paramount to seize and process all the information found, where circumstances allow. All information stored on the device is processed in order to determine whether it is relevant or irrelevant to the current case. As suggested by the US Department of Justice (2015), upon acquiring data that is relevant to another possible violation of the law, the investigation must be stopped until further instructions are given by the court or other authorizing body.
During sorting, it is also considered proper practice to mark evidence according to the strength of its leads, relevance to the case, and usability for analysis (US Department of Justice, 2015). In addition, the volumes of data for analysis often exceed hundreds of gigabytes, which may slow down the examination. One of the best practices for reducing this amount is to filter out known system files by matching their MD5 or SHA-1 hashes against a reference set (Kohn et al., 2013). Such files are usually not modified by users and rarely constitute evidence. Because the match is made on content rather than on name, a malicious file that merely carries a system file's name will not be filtered out; however, offenders may also use genuine system utilities whose hashes appear on the reference list, so attention must be paid to the circumstances of the crime in order to sort files adequately and prevent relevant ones from being marked as irrelevant (SWGDE, 2014). MD5 and SHA-1 also have known collision attacks, so a stronger hash such as SHA-256 should be recorded alongside them wherever the integrity of a copy, rather than mere identification of a file, is at stake.
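As an added illustration of the two practices described above (verifying a copy by hash and filtering known files by hash), and not code from any of the cited sources: the Python below images a constructed "device" file, verifies the image by SHA-256, and then splits a constructed set of files into known and unknown by SHA-1 digest against a constructed reference set. The device contents, file names, the malicious payload, and the reference set are all constructed for the example; the image file name is hypothetical.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so multi-gigabyte evidence never has to fit in RAM


def hash_file(path, algorithm="sha256"):
    """Stream a file through a hash and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, destination):
    """Copy `source` byte for byte to `destination`.

    The source digest is taken from the very bytes that are written; the written image is
    then re-read and hashed independently. Returns (source_hash, image_hash, verified).
    Any mismatch means the image is not a faithful copy and must not be used for analysis.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    source_hash = h.hexdigest()
    image_hash = hash_file(destination, "sha256")
    return source_hash, image_hash, source_hash == image_hash


def filter_known_files(paths, known_hashes, algorithm="sha1"):
    """Split paths into (known, unknown) by content digest.

    Matching is on the digest, never on the file name: a file that merely borrows a system
    file's name does not match, while a genuine system file matches whatever it is called.
    """
    known, unknown = [], []
    for p in paths:
        (known if hash_file(p, algorithm) in known_hashes else unknown).append(p)
    return known, unknown


def demo():
    """Run both steps on constructed data and return the results for inspection."""
    with tempfile.TemporaryDirectory() as work:
        # Constructed 'device' content: not a real disk image, just deterministic bytes.
        device = os.path.join(work, "device.bin")
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # 1 MiB
        image = os.path.join(work, "device.raw")  # hypothetical image file name
        src_hash, img_hash, verified = acquire_image(device, image)

        # Constructed reference set: the SHA-1 of one 'known system file' body.
        system_body = b"\x7fELF constructed system library body\n"
        known_hashes = {hashlib.sha1(system_body).hexdigest()}

        # Three constructed files on the 'evidence' tree.
        files = {
            "libsystem.so": system_body,       # genuine known content under its own name
            "renamed_copy.dat": system_body,   # same content, renamed by the user
            "libc.so.6": b"#!/bin/sh\nconstructed malicious payload\n",  # masked as a system file
        }
        paths = []
        for name, body in files.items():
            p = os.path.join(work, name)
            with open(p, "wb") as f:
                f.write(body)
            paths.append(p)
        known, unknown = filter_known_files(paths, known_hashes)

        return {
            "verified": verified,
            "source_sha256": src_hash,
            "image_sha256": img_hash,
            "known": sorted(os.path.basename(p) for p in known),
            "unknown": sorted(os.path.basename(p) for p in unknown),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The renamed copy of the genuine library is filtered out and the payload masquerading as libc.so.6 is kept, which is the behaviour the hash-based approach gives; a genuine utility that the offender actually used would also be filtered out, which is why the examiner still has to weigh the circumstances of the case.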
Analysis
The analysis stage of the digital forensic examination is set to answer the basic questions that give well-rounded information about the evidence data itself and the person who created it. The standard analysis procedure works through the questions of who, when, where, and how. In addition, other connections and metadata are processed.
The questions that define the field of work and the main goals towards which the analysis should be oriented do not bind the analysts to any particular sequence in answering them. The analysis tools must be chosen based on the type of data and device under analysis. In the course of analysis, the professionals are to find the links between the data and the person who created, stored, or transferred it. If the data was generated automatically, the task is to find the initiator of the generating sequence. The examiners also establish the location of the data and whether it is connected with the place of the criminal act.
The examiners also have to reconstruct and document the timeline of all actions that the data underwent, including the time of creation, all modifications, transfers, and deletion. This step should also determine whether the data is connected to the time of the criminal event. In the process, the analysis has to uncover the origin of the files and the method of their creation, transfer, or modification, which may shed light on the methods used in the criminal act. Additional information that can be uncovered through digital forensic examination includes application logs, registry entries, users who took part in manipulating the data, the possible purpose of the files, signs of masking or protection, and other useful findings. Protected, hidden, or deleted data can be recovered with the help of software such as EnCase and Scalpel (Kohn et al., 2013). Regarding data decryption, the US Department of Justice (2015) guidelines suggest that the password itself may be a useful clue: it may carry an implied meaning that requires linguistic examination or is self-evident. For instance, the password may be composed of a date of birth or the names of relevant users or items. Similarly, folder names may shed some light on their content, which may also provide valuable insight for the examiners.
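To make the timeline step concrete, the following Python is an added example, not code from Kohn et al. or from the DOJ guidance: it collects the file-system timestamps of a set of files and the entries of an application log into one chronologically ordered timeline, then picks out the events around an assumed time of the act. The file names, log lines, log format, and all times are constructed for the example. The example also records that file timestamps can be altered by an offender, which is why the independent log is merged in rather than trusted separately.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone

# st_ctime is inode/metadata change time on Unix and creation time on Windows;
# label it honestly so the timeline does not claim a 'creation' time it does not have.
CTIME_LABEL = "created" if os.name == "nt" else "metadata_changed"


def fs_events(paths):
    """One (time, source, label, detail) event per file-system timestamp of each file.

    File timestamps are under the control of whoever last had the device, so they are
    evidence to be corroborated, not proof on their own.
    """
    events = []
    for p in paths:
        st = os.stat(p)
        name = os.path.basename(p)
        for label, ts in (("modified", st.st_mtime),
                          ("accessed", st.st_atime),
                          (CTIME_LABEL, st.st_ctime)):
            events.append((datetime.fromtimestamp(ts, tz=timezone.utc), "fs", label, name))
    return events


def log_events(lines, source="app.log"):
    """Parse constructed 'YYYY-MM-DDTHH:MM:SSZ message' lines.

    Returns (events, rejected): lines without a parsable timestamp are counted rather than
    silently dropped, so the examiner knows part of the log could not be placed in time.
    """
    events, rejected = [], 0
    for line in lines:
        stamp, _, message = line.strip().partition(" ")
        try:
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            rejected += 1
            continue
        events.append((when, "log", message, source))
    return events, rejected


def build_timeline(*event_lists):
    """Merge event lists into one chronologically ordered timeline."""
    return sorted(e for lst in event_lists for e in lst)


def events_within(timeline, moment, window=timedelta(minutes=15)):
    """Events within +/- window of the assumed time of the criminal act."""
    return [e for e in timeline if abs(e[0] - moment) <= window]


def describe(event):
    when, source, label, detail = event
    return f"{when.isoformat()} {source}:{label}:{detail}"


def demo():
    """Build a timeline from constructed files and constructed log lines."""
    with tempfile.TemporaryDirectory() as work:
        t_notes = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
        t_export = datetime(2024, 3, 1, 10, 20, tzinfo=timezone.utc)
        paths = []
        for name, when in (("notes.txt", t_notes), ("export.zip", t_export)):
            p = os.path.join(work, name)
            with open(p, "wb") as f:
                f.write(b"constructed content\n")
            os.utime(p, (when.timestamp(), when.timestamp()))  # set atime and mtime
            paths.append(p)
        # Constructed log lines; the last one is deliberately malformed.
        lines = [
            "2024-03-01T10:05:00Z login user=alice",
            "2024-03-01T12:00:00Z logout user=alice",
            "corrupted line without timestamp",
        ]
        logs, rejected = log_events(lines)
        timeline = build_timeline(fs_events(paths), logs)
        moment = datetime(2024, 3, 1, 10, 10, tzinfo=timezone.utc)  # assumed time of the act
        near = events_within(timeline, moment)
        return {
            "timeline": [describe(e) for e in timeline],
            "near": [f"{e[1]}:{e[2]}:{e[3]}" for e in near],
            "rejected": rejected,
        }


if __name__ == "__main__":
    result = demo()
    for line in result["timeline"]:
        print(line)
    print("near the act:", result["near"], "| unplaced log lines:", result["rejected"])
```

The metadata-change (or creation) timestamps fall at the moment the example files are written, so they land outside the window and show how events unrelated to the act drop out while the login entry from the log sits between the two file modifications.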
The investigation of the data should also involve constructing a logical structure of all the data under analysis to improve the possibilities for its interpretation. If similar crimes have occurred before, the data from those cases can be compared in order to establish a pattern and obtain the necessary information. While identifying data and information about it, hypotheses are often constructed and tested in order to uncover additional sources of digital evidence and attribute it to a specific user. If a hypothesis is confirmed, it can be used as part of a statement in a court of law. A hypothesis includes a reconstruction of the sequence of events that may shed light on how the criminal act was carried out.
Report on Findings
The report on findings has to be well organized and structured so that it presents only the information relevant to the case. It must also be written in a manner that is transparent to non-professionals in order to be used as evidence in a court of law. Typically, the report is structured as follows:
- Purpose and scope of analysis
- Detailed description of all data containers such as hard drives or flash drives.
- Tools for examination
- Major findings
- Hypothesis and Timeline
- Conclusion
- Information about the examining body and professionals (SWGDE, 2014; Kohn et al., 2013; Agarwal et al., 2011)
It must include the list of all examined devices, their descriptions, and the authorizing documents (SWGDE, 2014). The report has to present the relevant files used by the person in question; when, where, and how they created, modified, or sent them to another person or location; and the possible motive for such acts. The report must also contain relevant information on new leads uncovered in the process of examination but not directly relevant to the purposes of the investigation outlined by the requester (The United States Department of Justice, 2015). The final document is to be reviewed by an eligible certified organization to avoid any inconsistencies or flaws. The document is presented in court by an authorized member of the organization conducting the examination, in written and oral form.
Conclusion
Digital forensic investigation is an invaluable tool not only for solving crimes but also for preventing them: a timely and thorough examination of evidence may uncover data relevant to planned crimes and lead to their prevention and to the capture of the responsible individuals or groups. The review of current best practices and procedures contributes to a better understanding of the digital forensic investigation process and can serve as learning material for future forensic experts. The present paper identified the main stages of a forensic investigation: preparation, seizure, acquisition, data analysis, and reporting. Each stage has its own nuances and requires a great deal of attention, as details are the key to the work of a digital forensic examiner.
References
Agarwal, A., Gupta, M., Gupta, S., & Gupta, S. C. (2011). Systematic digital forensic investigation model. International Journal of Computer Science and Security (IJCSS), 5(1), 118-131.
Kohn, M. D., Eloff, M. M., & Eloff, J. H. (2013). Integrated digital forensic process model. Computers & Security, 38, 103-115.
Scientific Working Group on Digital Evidence (SWGDE). (2014). Best practices for computer forensics. Web.
The United States Department of Justice. (2015). Digital forensic analysis methodology. Web.