🔍 Computer Forensics Investigation Process
Forensic investigators use a systematic strategy to investigate, seize and analyze digital evidence and handle the case from the time of search and seizure until reporting the investigation’s conclusion. Throughout the reading, you’ll learn about the many stages of a computer forensic investigation and the importance of expert witnesses. Formal investigative reports are also discussed in this section, emphasizing their relevance.
2.1 Forensic Investigation Process and its Importance
- Forensic Investigation Process
- Examination/Investigation Goals
- Investigators should have a clear idea about the goals of the examination prior to conducting the investigation
- They should have an in-depth technical understanding of the inner workings of what is being examined
- They should have the capability to take a systematic approach to examine evidence based on the request made, say for example, a request made by an attorney
- Hypothesis Formulation/Criteria
- If the client has asked you a question, think about how you could prove it (hypothesis) or disprove it (null hypothesis)
- For example, if you were asked to check for Dropbox installation on the suspect hard drive, consider:
- Operating system (OS) installed, as artifacts to be examined for Dropbox installation differs for each OS
- Previous research as it can help you if it is available for the given question
- Based on the above considerations, establish a form of reasoning that would assist you to form a hypothesis
- For the given example, the hypothesis could be as follows:
- OS installed is Windows 10
- Dropbox is said to be installed on the system if its artifacts are located in the directories C:\Users\Admin\AppData\Roaming\, C:\Program Files (x86), or C:\Program Files
- Experimental Design
- After hypothesis formulation, frame an experiment to test the hypothesis
- The test system should have an environment like that of the suspect machine to yield accurate results
- Tool Selection
- Digital forensics tools include the following
- Software or hardware
- Commercial or open-source
- Designed for specific purposes or with broader functionality
- It is better to consider commercial tools that have a greater market value than open source tools
- Using tools designed for specific purposes will allow a diverse and in-depth investigation to take place
- Using multiple tools validates the findings, thus enhancing reliability of the evidence
- Results Review and Evaluation
- Review your results from different points of view and communicate findings to the client with realistic expectations about why and how you arrived at your results
- Conclusion and Opinion Formulation
- The conclusion is judgment based on the facts
- For example, the Installation of Dropbox on the system can be confirmed by identifying its artifacts in locations found during the investigation
- The opinion is a judgment or belief without certainty or proof. It is based solely on science and/or experience
- For example, based on the review of several artifacts, you may determine exactly when Dropbox was installed
- If you are supposed to testify at a trial, you must be prepared to explain how you arrived at your conclusion or opinion
- Importance of the Forensic Investigation Process
- As digital evidence is fragile in nature, following strict guidelines and a thorough forensic investigation process that ensures the integrity of evidence is critical to proving a case in a court of law
- The forensics investigation process to be followed should comply with local laws and established precedents. Any breach/deviation may jeopardize the complete investigation.
- The investigators must follow a repeatable and well-documented set of steps such that every iteration of analysis provides the same findings; else, the findings of the investigation can be invalidated during the cross-examination in a court of law
2.2 Pre-Investigation Phase
- Setting up a Computer Forensics Lab
Computer Forensics Lab (CFL) is a location that houses instruments, software and hardware tools, and forensic workstations required for conducting a computer-based investigation with regard to the collected evidence.
- Considerations
- Planning & budgeting
- Physical & Structural design
- Work area
- Physical security
- Human resources
- Forensic lab licensing
- Building the Investigation Team
- Keep the team small to protect the confidentiality of the investigation and guard against information leaks
- Identify team members and assign them responsibilities
- Ensure that every team member has the necessary clearance and authorization to conduct assigned tasks
- Assign one team member as the technical lead for the investigation
- Understanding the Hardware and Software Requirements of a Forensic Lab
- A digital forensic lab should have all the necessary hardware and software tools to support the investigation process, starting from searching and seizing the evidence to reporting the outcome of the analysis
- Hardware
- Two or more forensic workstations with good processing power and RAM
- Specialized cables
- Write-blockers
- Drive duplicators
- Archive and Restore devices
- Media sterilization systems
- Other equipment that allows forensic software tools to work
- Computer Forensic hardware toolkit, such as Paraben’s First Responder Bundle, DeepSpar Disk Imager, FRED forensic workstation, etc.
- Software
- OSes
- Data discovery tools
- Password-cracking tools
- Acquisition tools
- Data analyzers
- Data recovery tools
- File viewers (Image and graphics)
- File type conversion tools
- Security and Utilities software
- Computer forensic software tools such as Wireshark, Cain and Abel, AccessData’s FTK, etc.
- Validating Laboratory Software and Hardware
- Forensics tools should undergo a validation process prior to using them for casework as well as each time they are modified or updated
- A tool is said to be validated if it works correctly, is trustworthy, and yields precise results
- All the software tools (ranging from operating systems to applications) in the forensics laboratory must possess a license at all times
- Updating tools to their latest version, testing them for functionality, and validating them should be an ongoing process
- Hardware instruments must be in a working condition and should be properly maintained
- Each time the tool is tested, the investigator needs to document the test methodology, results, and the theory relating to the test design
- It is recommended to integrate maintaining, auditing, documenting, and demonstrating license compliance into the laboratory standard operating procedure (SOP)
- **Computer Forensics Tool Testing Project (CFTT)**→establishes a “methodology for testing computer forensics software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware”
- Ensuring Quality Assurance
- Quality assurance plays a vital role in ensuring the overall quality of services that a forensics unit offers
- Following well-documented, systematic processes for quality assurance also works as proof of the fact that the forensic investigation has been carried out to the highest possible quality and standards, leading to a reliable result
- Steps to Ensure Quality Assurance in Forensic Lab Operations
- Arrange formal, documented trainings
- Validate equipment and document it
- Conduct annual proficiency test for investigators
- Follow appropriate standards and/or controls in casework
- Have policies and procedures in place for effective forensic investigations
- Attain ASCLD/LAB accreditation and/or ISO/IEC 17025 accreditation
- Perform quality audits and quality management system review
- Ensure physical plant security
- Assure health and safety
- Review, update, and document policy and standards annually
2.3 First Response
- First Response Basics
- The term first responder refers to→a person who arrives at a crime scene first
- The first response to any security incident can be done by one to three different groups of individuals who hold different skillsets and might perform different tasks based on the type and severity of the incident
- First response by non-forensics staff
- First response by system/network administrators
- First response by laboratory forensic staff
- Under no circumstances should anyone except qualified forensic analysts make any attempts to collect or recover data from any computer system or device that holds electronic information
- Any attempts to recover data by untrained persons could either compromise the integrity of the files or result in the files being inadmissible in administrative or legal proceedings
- First Response by Non-forensics Staff
- Non-forensics staff are responsible for→protecting the crime scene and ensuring that it remains in a secure state until the forensics team advises otherwise
- They should make notes and take photographs of the scene and those present to hand over to the attending forensics team
- The surrounding area linked to the incident should also be secured along with the computing systems or other electronic devices
- First Response by System/Network Administrators
Once a system administrator discovers an incident, it must be reported according to the current organizational incident reporting procedures
The systems administrator should not perform any action unless directed to do so by either the incident/duty manager or one of the forensic analysts assigned to the case
- Based on the incident that occurred, system/network administrators can take the following measures
- Record what is on the screen if the computer is switched on
- Transfer copies of system logs onto a clean media
- If an ongoing attack is detected, seek top management approval before powering down any computing systems
- Isolate the computing systems or other digital devices from further use or tampering
- Document every detail relevant to the incident
- First Response by Laboratory Forensics Staff
- Documenting the Electronic Crime Scene
- Photograph the scene
- Sketch the scene
- Collecting Incident Information
- Ask questions
- Conduct individual interviews
- Planning the Search and Seizure
- Obtain a search warrant for search and seizure
- Check consent issues
- Obtain witness signatures
- Identifying and Collecting Electronic Evidence
- Conduct the initial search of the scene
- Secure and evaluate the crime scene
- Seize evidence
- Deal with powered-off or powered-on devices at the time of seizure
- Packaging Electronic Evidence
- Fill the panel on the front of evidence bags with proper details
- Avoid folding and scratching storage devices
- Label the containers that hold the evidence in an appropriate way
- Transporting Electronic Evidence
- Ensure proper handling and transportation of evidence to the forensics laboratory
- Ensure the “Chain of Custody” is strictly followed
2.4 Investigation Phase
- Computer Forensics Investigation Methodology
- Documenting the Electronic Crime Scene
- Search and Seizure
- Evidence Preservation
- Data Acquisition
- Data Analysis
- Case Analysis
- Reporting
- Testifying as an Expert Witness
- Computer Forensics Investigation Methodology - Documenting the Electronic Crime Scene
Documentation of the electronic crime scene is necessary to maintain a record of all the forensic investigation processes performed to identify, extract, analyze, and preserve the evidence
The crime scene should be documented comprehensively at the time of investigation
- Points to remember when documenting the crime scene
- Document the physical crime scene, noting the position of the system and other equipment, if any
- Document details of any related or difficult-to-find electronic components
- Record the state of computer systems, digital storage media, and electronic devices, including their power status
- Photographing and Sketching the Scene
- On arrival, the first step taken by the forensics team should be to photograph the scene
- Photographs should be taken in a way that will not alter or damage the scene, and everything should be clearly visible
- Take multiple photographs so that the entire crime scene is depicted
- It is important to proceed all the way from the entire crime scene down to the smallest piece of evidence
- Photos should also be taken of the back of the computer system to accurately show how cables are linked
- If this cannot be done on-site, then all cables must be labeled so that the computer system can be reconnected at the forensics laboratory and photographed
- After photographing the scene, the forensics team should prepare sketches of the scene that record minute details about the objects present and their locations
- Computer Forensics Investigation Methodology - Search and Seizure
- Search and Seizure Process Flow
- Planning the search and seizure
- Seeking consent
- Obtaining witness signatures
- Obtaining warrant for search and seizure
- Collecting incident information
- Initial search of the scene
- Securing and evaluating the crime scene
- Seizing evidence at crime scene
- Dealing with powered-on computers
- Dealing with powered-off computers
- Dealing with networked computers
- Operating System shutdown procedure
- Dealing with mobiles and other handheld devices
- Planning the Search and Seizure
- Description of the incident
- Case name or title of the incident
- Location of the incident
- Applicable jurisdiction and relevant legislation
- Determining the extent of authority to search
- Creating a chain of custody document
- Details of equipment to be seized
- Structure type and size
- Location (all in one place, or spread across the building or floors)
- Type of device and model number
- Power status
- Network status and type of network
- Backups (if any), last time and date, location of the backup
- Whether it is necessary to take the server down, and the business impact of doing so
- Search and seizure type (overt/covert)
- Approval from local management
- Health and safety precautions
- Seeking consent
- There are instances when the user is present and their consent is required before the search for evidence begins
- In such cases, appropriate forms for jurisdiction need to be used and carried in the forensic grab bag
- Activities related to search and seizure should be a part of a well-documented procedure that is clearly detailed in the obtained consent
- Obtaining Witness Signatures
- Depending on the legislation in the jurisdiction, a signature (or two) may or may not be required to certify the search and seizure of evidence
- Typically one witness signature is required if it is the forensic analyst or law enforcement officer conducting the seizure
- Where two signatures are required, guidance should be sought to determine who the second signatory should be
- Whoever signs as a witness must have a clear understanding of that role and may be called upon to provide a witness statement or attend court proceedings
- Obtaining Warrant for Search and Seizure
- A search warrant is→a written order issued by a judge that directs a law enforcement officer to search for a particular piece of evidence at a particular location
- The investigating officer must conduct the investigation process in a lawful manner, which means, a search warrant from the court is required for search and seizure
- Warrants can be issued for an entire company, a floor, room, device, car, house, or any company-owned property as per the requirement
- Following are the two types of search warrants
- Electronic Storage Device Search Warrant
- This allows the investigating team to search and seize the victim’s computer components such as hardware, software, storage devices, and documents
- Service Provider Search Warrant
- If the crime is committed through the internet, the investigating team will need information about the victim’s computer from the service provider
- This warrant allows the investigator to get the victim’s computer information such as service records, billing records, and subscriber information from the service provider
- Example of a Search Warrant
- Searches Without a Warrant
- “When the destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity.” United States v. David, 756 F. Supp. 1385, 1392 (D. Nev. 1991)
- Agents may search a place or object without a warrant or, for that matter, without probable cause, if a person with authority has consented. Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973)
- Collecting Incident Information
- Before search and seizure activities begin, investigators should gather the following information about the victim devices and connected systems while adhering to departmental policies and applicable laws
- Actual holders and/or users of any electronic devices present at the crime scene
- Webmail and social networking website account information
- Usernames
- Internet service providers
- Passwords required to access the resources
- Purpose of using the system
- Automatic applications in use
- Documents explaining the hardware or software installed on the system
- Any off-site data storage
- Unique security schemes or destructive devices
- Conducting Preliminary Interviews
- Conduct interviews in the presence of the witness
- Identify the persons present at the crime scene, conduct individual interviews, and note everyone’s physical position and their reason for being there
- Determine if the incident was a criminal act, violation of policies or accident
- If the suspect is present, ask questions that are compliant with the relevant human resources or legislative guidelines with regard to the jurisdiction
- During an initial interview, suspects are often taken off guard, having been given little time to create a false story; thus, they will often answer any questions truthfully, helping investigators to gather useful information about the incident
- If the system administrator is present at the time of the initial interview, gather important information such as the number of systems involved, persons associated with a particular account and the relevant passwords
- Initial Search of the Scene
- Once the forensics team has arrived at the scene and unloaded their equipment, the first task is to try to identify any evidence
- Steps to be taken while searching for evidence
- Survey the crime scene to recognize potential sources of evidence
- Protect physical evidence or hidden fingerprints that may be found on keyboards, mice and other equipment
- Find telephone lines that are connected to devices such as modems, and caller ID boxes
- Observe the current situation at the scene, and record observations
- Maintain a search and seizure evidence log to document the details of all the electronic devices and media identified during the search for evidence
- Search the scene for secondary storage media such as diskettes, wireless hard disks, USB drives, tapes, etc.
- Securing and Evaluating the Crime Scene: A Checklist
- Follow standard procedures and policies of the legal authority for securing the crime scene
- Make sure that the scene is safe for the responders
- Isolate other persons who are present at the scene
- Locate and help the victim
- Do not allow any individual to access the scene or electronic devices
- Establish a security perimeter to see if the offenders are still present at the crime scene area
- Protect perishable data (e.g. pagers and caller ID boxes) physically, and electronically
- Transmit additional flash messages to other responding units
- Request additional help at the scene if needed
- Seizing Evidence at the Crime Scene
- When an incident is reported where an electronic device is assumed to be a part of the incident, it is often the case that this is the first and only item seized
- The evidence obtained must not be tampered with in any way from the start to the endpoint of a forensics investigation process for it to be admissible in the court of law
- Pieces of evidence found at the crime scene should be identified, recorded, seized, and bagged with no attempts to determine the contents or status
- All collected evidence should be tagged with required details such as the date and time of collection and initials of the collecting person
- Forensic investigators might encounter a variety of computers and other information storage and processing devices at the crime scene, which should be handled differently at the time of search and seizure to protect the integrity of the evidence
- Dealing with Powered-On Computers
- When dealing with a powered-on computing device the investigator should stop and think before taking any action
- In powered-on computers, the contents of RAM may contain vital information which is volatile in nature
- All of this vital information will be lost when the computer is shut down or when the power supply is removed
- Investigators must perform the following steps while obtaining evidence from powered on computers:
- If a computer is switched ON and the screen is viewable, photograph the screen and document the running programs, open files or data of evidentiary value
- If a computer is ON and the monitor shows a screensaver, move the mouse slowly without pressing any mouse button, then photograph the screen and document the programs
- If a portable computer wakes up, record the time and date at which this occurs, take a photograph of the screen, and document all programs running
- Pull the power cord from the back of the computer immediately in the following situations
- There is an indication on-screen that data is being overwritten or deleted
- Destructive processes are observed to be running to obliterate data from data storage devices
- The computer screen shows a typical Microsoft Windows environment; in this case, disconnecting the power supply still preserves much valuable information, such as the time of the last user login, recently used documents and commands, etc.
- Do not disconnect the power if
- Data of evidential value is visible on computer display
- There are active programs or files in use such as chatrooms, open text files, financial documents, instant messages etc.
- Photograph and thoroughly document all on-screen information
- Perform volatile data collection and preservation process
- After collecting volatile data, pull the plug from the back of the computer to disconnect the power supply
- In the case of portable computers, remove the battery and unplug the power cord from the wall socket
- If the battery removal is not possible, press down the power switch for 30 seconds to force the power off
- Dealing with Powered-Off Computers
- If the computer is switched off, leave it OFF
- Disassemble and package it by doing the following things
- Remove the power supply cord from the back of the computer and from the wall outlet, or battery backup device and secure it
- Disconnect all wires and cables from the computer and secure them
- Check for any removable media and secure them if present
- Tag the evidence clearly and note all important details in the search and seizure evidence log
- Document the chain of custody
- If a monitor is switched OFF and the display is blank
- Turn the monitor ON, move the mouse slightly, observe the changes from a blank screen to another screen and note the changes
- Photograph the screen
- If a monitor is switched ON and the display is blank
- Move the mouse slightly
- If the screen does not change on moving the mouse slightly, do not press any keys
- Photograph the screen
- Dealing with Networked Computers
- Unplug the network cable from the router and modem in order to prevent further attacks
- Photograph all devices connected to the victim’s computer, such as the router, modem, printer, scanner etc., from different angles
- If the computer is turned OFF, leave it in that state and follow the procedure for its disassembly
- If the computer is turned ON, photograph the screen and follow the steps for powered on computers
- Unplug the main power cord from the wall socket
- Unplug all other cords, and devices connected to the computer, and label them for identification
- Dealing with Open Files and Startup Files
- When malware attacks a computer system, some files are created in the startup folder to run the malware program; investigators can get vital information from these files
- Open any recently created documents from the startup or system32 folder in Windows and the rc.local file in Linux
- Document the date and time of the files
- Examine the open files for sensitive data such as passwords or images
- Search for unusual MAC (Modified, Accessed, or Changed) times on vital folders, and startup files
- Use the dir command for Windows or the ls command for Linux to locate the actual access times on those files and folders
- Operating System Shutdown Procedure
- If investigators need to shut the systems down, they must first collect (or wait for the collection of) the volatile data from the systems, because it is lost at shutdown and cannot be retrieved afterwards
- Investigators must follow predefined shutdown procedures for different operating systems; otherwise, data may be lost as the hard drives may crash
- Windows Operating System
- Take a photograph of the screen
- Document any running programs
- Unplug the power cord from the wall socket
- Mac OS X Operating System
- Click the Apple icon located on the top left-hand side
- Select Shutdown option
- UNIX/Linux Operating Systems
- Right-click on the Desktop and select the Console option
- If the root user’s prompt is set to # sign mode:
- Enter the password if available and type sync;sync;halt to shut down the system
- If the password is not available, unplug the power cord from the wall socket
- If it is set to console # sign mode:
- Enter the user’s ID and press Enter
- If the user ID is root, type sync;sync;halt to shut down the system
- Dealing with Smartphones or Other Handheld Devices
- Photograph the device and its screen display
- Do not turn the device ON if it is OFF
- Collect and label the power cables and package the device
- Collect information on whether any security feature is enabled on the device such as pass patterns, passwords, or biometrics
- Look for any computing systems that may contain device backups
- Tag the evidence and note all important details of the seized item in the search and seizure evidence log
- Document the chain of custody
- Leave the device as it is if it is ON
- Keep the device charged as evidence might be lost if the device is turned OFF
- Computer Forensics Investigation Methodology - Evidence Preservation
- Preserving Evidence
- Evidence preservation→refers to the proper handling and documentation of evidence to ensure that it is free from any contamination
- Any physical and/or digital evidence seized should be isolated, secured, transported and preserved to protect its true state
- At the time of evidence transfer, both the sender and the receiver need to provide information about the date and time of transfer in the chain of custody record
- The procedures used to protect the evidence and document it while collecting and shipping are as follows
- The evidence logbook of the project
- A tag to uniquely identify any evidence
- A chain of custody record
- Chain of Custody
- Chain of custody is→a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory
- The chain of custody administers the collection, handling, storage, testing, and disposition of evidence and safeguards against tampering with or substitution of evidence
- Chain of custody documentation should list all the people involved in the collection and preservation of evidence and their actions, with a stamp for each activity
- Chain of custody document contains
- Case number
- Name and title from whom it was received
- Address and telephone number
- Location from where the evidence was obtained
- Date/time of evidence
- Item number/quantity/ description of items
- Sample Format of the Chain of Custody Document
- Chain of Custody Form
- Chain of Custody on Property Evidence / Evidence Bag and Sign-out Sheet
- Evidence Bag Contents List
- Date and time of seizure
- The investigator who seized the evidence
- Exhibit number
- Where the evidence was seized from
- Details of the contents of the evidence bag
- Submitting agency and its address
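An added example, not part of the original notes, that models the hand-over records a chain of custody is built from (sender, receiver, and the date/time each of them records) and checks that the chain is continuous: every hand-over is released by the last recorded holder and no receipt precedes its release. The field set and the constructed sample transfers are my own choice.

```python
"""Chain-of-custody transfer records and a continuity check."""
from dataclasses import dataclass, replace
from datetime import datetime


@dataclass(frozen=True)
class CustodyTransfer:
    """One hand-over of one item, recorded by both parties (assumed fields)."""
    case_number: str
    item_number: str
    description: str
    released_by: str        # name and title of the person handing over
    received_by: str        # name and title of the person taking custody
    location: str           # where the hand-over took place
    released_at: datetime   # date/time as recorded by the sender
    received_at: datetime   # date/time as recorded by the receiver


def check_chain(transfers):
    """Return a list of problems found; an empty list means the chain is continuous.

    Per (case, item), in time order: the receiver's time must not precede the
    sender's, each hand-over must be released by whoever received the item
    last, and no hand-over may start before the previous one was received.
    """
    problems = []
    by_item = {}
    for t in transfers:
        by_item.setdefault((t.case_number, t.item_number), []).append(t)
    for (case, item), entries in by_item.items():
        tag = "%s item %s" % (case, item)
        previous = None
        for t in sorted(entries, key=lambda e: e.released_at):
            if t.received_at < t.released_at:
                problems.append("%s: received at %s before release at %s"
                                % (tag, t.received_at, t.released_at))
            if previous is not None:
                if t.released_by != previous.received_by:
                    problems.append("%s: gap, released by %s but last recorded holder was %s"
                                    % (tag, t.released_by, previous.received_by))
                if t.released_at < previous.received_at:
                    problems.append("%s: hand-over starts before the previous one ended" % tag)
            previous = t
    return problems


def sample_chain():
    """Constructed example: investigator -> evidence custodian -> analyst."""
    common = dict(case_number="CASE-0042", item_number="jsm/150324/0001/A",
                  description="Desktop computer, tower only")
    return [
        CustodyTransfer(**common,
                        released_by="J. Smith, Investigator",
                        received_by="R. Lee, Evidence Custodian",
                        location="Evidence intake, Forensics Lab",
                        released_at=datetime(2024, 3, 15, 16, 40),
                        received_at=datetime(2024, 3, 15, 16, 45)),
        CustodyTransfer(**common,
                        released_by="R. Lee, Evidence Custodian",
                        received_by="A. Khan, Forensic Analyst",
                        location="Lab bench 2",
                        released_at=datetime(2024, 3, 18, 9, 0),
                        received_at=datetime(2024, 3, 18, 9, 5)),
    ]


def broken_chain():
    """Same item, but the second hand-over is released by someone who never received it."""
    good = sample_chain()
    return [good[0], replace(good[1], released_by="T. Novak, Intern")]


if __name__ == "__main__":
    print("continuous chain problems:", check_chain(sample_chain()))
    for problem in check_chain(broken_chain()):
        print("broken chain:", problem)
```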
- Packaging Evidence
- Ensure the gathered electronic evidence is correctly documented, labeled, and listed before packaging
- Pay special attention to hidden or trace evidence, and take necessary actions to safeguard it
- Pack magnetic media in antistatic packaging
- Do not use materials such as plastic bags for packaging because they may produce static electricity
- Avoid folding and scratching storage devices such as diskettes, DVDs, and tapes
- Make sure that all containers that contain evidence are labeled in the appropriate way
- Use antistatic packing material such as bubble wrap, Styrofoam, etc. in the containers holding evidence
- Exhibit Numbering
- All the collected evidence should be labeled and marked (numbered) properly as exhibits, using a pre-agreed format
- Example: aaa/ddmmyy/nnnn/zz
- aaa are the initials of the forensic analyst or law enforcement officer seizing the equipment
- ddmmyy is the date of the seizure
- nnnn is the sequential number of the exhibits seized by the analyst, starting with 0001
- zz is the sequential number for parts of the same exhibit (for example, A would be the computer, B would be the monitor, C would be the keyboard, etc.)
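An added example, not from the original notes, that generates and validates labels in this aaa/ddmmyy/nnnn/zz scheme. The letter part codes (A, B, C, then AA after Z), the assumption that ddmmyy years fall in 2000-2099, and all function names are my own.

```python
"""Generate and validate exhibit labels in the aaa/ddmmyy/nnnn/zz scheme."""
import re
from datetime import date

# Assumed pattern: three lowercase initials, a ddmmyy date, a four-digit
# sequence number starting at 0001 and a letter part code (A ... Z, then AA).
EXHIBIT_RE = re.compile(
    r"^(?P<aaa>[a-z]{3})/(?P<ddmmyy>\d{6})/(?P<nnnn>\d{4})/(?P<zz>[A-Z]{1,2})$"
)


def part_code(index):
    """Map a 0-based part index to a letter code: 0 -> A, 25 -> Z, 26 -> AA."""
    if index < 0:
        raise ValueError("part index must be non-negative")
    letters = ""
    n = index + 1
    while n:
        n, rem = divmod(n - 1, 26)
        letters = chr(ord("A") + rem) + letters
    return letters


def from_ddmmyy(text):
    """Parse a ddmmyy string; years are assumed to lie in 2000-2099."""
    if not (len(text) == 6 and text.isdigit()):
        raise ValueError("date must be six digits (ddmmyy)")
    # date() rejects impossible dates such as 310224, so a typo in a
    # label is caught here instead of being silently accepted.
    return date(2000 + int(text[4:6]), int(text[2:4]), int(text[0:2]))


def format_exhibit(initials, seized_on, exhibit_no, part_index):
    """Build the label for part `part_index` of exhibit `exhibit_no`."""
    if not (len(initials) == 3 and initials.isalpha()):
        raise ValueError("initials must be exactly three letters")
    if not 1 <= exhibit_no <= 9999:
        raise ValueError("exhibit number must lie in 0001-9999")
    return "%s/%s/%04d/%s" % (initials.lower(), seized_on.strftime("%d%m%y"),
                               exhibit_no, part_code(part_index))


def parse_exhibit(label):
    """Split a label into its fields, raising ValueError if it is malformed."""
    m = EXHIBIT_RE.match(label)
    if m is None:
        raise ValueError("malformed exhibit label: %r" % label)
    if m.group("nnnn") == "0000":
        raise ValueError("exhibit numbering starts at 0001")
    return {
        "initials": m.group("aaa"),
        "seized_on": from_ddmmyy(m.group("ddmmyy")),
        "exhibit": int(m.group("nnnn")),
        "part": m.group("zz"),
    }


def is_valid_exhibit(label):
    """True if the label parses cleanly; handy when auditing an evidence log."""
    try:
        parse_exhibit(label)
        return True
    except ValueError:
        return False


class ExhibitRegister:
    """Allocates labels for one analyst on one seizure date, in seizure order."""

    def __init__(self, initials, seized_on):
        self.initials = initials
        self.seized_on = seized_on
        self._next_exhibit = 1
        self.labels = {}  # label -> description, mirroring the evidence log

    def register(self, part_descriptions):
        """Register one exhibit and its parts; returns the labels allocated."""
        if not part_descriptions:
            raise ValueError("an exhibit needs at least one part")
        number = self._next_exhibit
        self._next_exhibit += 1
        labels = []
        for index, description in enumerate(part_descriptions):
            label = format_exhibit(self.initials, self.seized_on, number, index)
            self.labels[label] = description
            labels.append(label)
        return labels


if __name__ == "__main__":
    # Constructed sample: analyst "jsm" seizing a desktop set and a USB drive.
    register = ExhibitRegister("jsm", from_ddmmyy("150324"))
    for label in register.register(["computer", "monitor", "keyboard"]):
        print(label, "->", register.labels[label])
    print(register.register(["USB drive"]))
```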
- Determining the Location for Evidence Examination
- Assess the nature of the evidence to determine where to conduct the examination
- Perform evidence examination in a controlled environment such as a forensics laboratory
- If you come across a situation where you need to examine the evidence on-site, try to control the on-site environment
- Factors to consider while conducting investigation on-site
- The time required to conduct the investigation
- Logistic and personnel concerns associated with long-term deployment
- The impact on the business due to prolonged investigation
- The suitability of the forensic tools and resources, training, and experience required to conduct an on-site investigation
- Transporting and Storing Evidence
- Avoid turning the computer upside down or putting it on its side during transportation
- Keep the electronic evidence collected from the crime scene away from magnetic sources such as radio transmitters, speaker magnets, and heated seats
- Store the evidence in a safe area, away from extreme heat, cold, or moisture
- Avoid storing electronic evidence in vehicles for a long period of time
- Maintain proper chain of custody on the evidence that is to be transported
- Ensure that wireless or portable devices do not connect to networks by storing them in signal-blocking containers
- Computer Forensics Investigation Methodology - Data Acquisition
- Acquiring the Data
- Forensic data acquisition is→a process of imaging or collecting information from various media in accordance with certain standards for analyzing its forensic value
- Investigators can forensically process and examine the collected data to extract information relevant to any particular case or incident while protecting the integrity of the data
- It is one of the most critical steps of digital forensics, as an improper acquisition may alter data on the evidence media and render it inadmissible in a court of law
- Investigators should be able to verify the accuracy of acquired data, and the complete process should be auditable and acceptable to the court
- Original Evidence Should NEVER be Used for Analysis
- Investigators should make copies of the evidence and work on it to avoid damage to the original data in case of accidents or mishaps.
- Duplicating the Data (Imaging)
- Make a duplicate of the collected data to preserve the original
- The data should be duplicated bit by bit to represent the same original data
- Calculate the hash value of the original data and the forensic image generated and check if there is a match in the result to verify its integrity
- Once a copy of the original data is made and verified, you can use the copy for further processing
- Use industry standard or licensed hardware or software tools to duplicate the data
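The imaging-and-verification steps above, and the reporting guideline to record hashes at acquisition, image verification and end of examination, as one added example (not code from the original notes). `image_and_verify`, `hash_file` and `make_sample_evidence` are hypothetical helper names; the sample evidence is a constructed temp file standing in for a seized drive.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large media never sit fully in RAM
ALGOS = ("md5", "sha256")  # MD5 as the reporting guideline asks, plus SHA-256


def hash_file(path, algos=ALGOS):
    """Stream a file once and return {algorithm: hexdigest} for each algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def image_and_verify(source, image_path):
    """Copy source to image_path byte for byte, hashing the source as it is read,
    then re-hash the written image and compare. Returns a record for the report."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is re-read and hashed
    source_hashes = {a: h.hexdigest() for a, h in hashers.items()}
    image_hashes = hash_file(image_path)
    return {
        "source": source,
        "image": image_path,
        "bytes": os.path.getsize(image_path),
        "source_hashes": source_hashes,  # recorded at acquisition
        "image_hashes": image_hashes,    # recorded at image verification
        "verified": source_hashes == image_hashes,
    }


def make_sample_evidence(size=3 * CHUNK + 123):
    """Constructed stand-in for a seized drive: a temp file of deterministic bytes."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write((bytes(range(256)) * (size // 256 + 1))[:size])
    return path
```

Against a real exhibit, `source` would be the block device node behind a hardware write blocker. Re-running `hash_file` on the image at the end of the examination gives the third hash the reporting guideline calls for.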
- Computer Forensics Investigation Methodology - Data Analysis
- Analyzing the Data
- Thoroughly analyze the acquired data to draw conclusions related to the case
- Data analysis techniques depend on the scope of the case or the client’s requirements
- This phase includes the following
- Analysis of the file’s content, date and time of file creation and modification, users associated with file creation, access, and file modification, and physical storage location of the file
- Timeline generation
- Identification of the root cause of the incident
- Identify and categorize data in order of relevance
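Timeline generation from file metadata (content timestamps, owning user and physical storage location), as an added example that is not part of the original notes. `file_events`, `build_timeline`, `format_timeline` and `make_sample_tree` are hypothetical helper names; the sample tree is constructed with back-dated timestamps so the ordering is reproducible.

```python
import os
import tempfile
import time
from collections import namedtuple

Event = namedtuple("Event", "when kind path owner_uid size inode device")


def file_events(path):
    """Turn one file's metadata into timeline events. On Unix st_ctime is the
    metadata-change time; a true creation time is used only where the OS exposes it."""
    st = os.lstat(path)
    stamps = {"modified": st.st_mtime, "accessed": st.st_atime, "changed": st.st_ctime}
    birth = getattr(st, "st_birthtime", None)  # macOS/BSD expose creation time here
    if birth is not None:
        stamps["created"] = birth
    return [Event(t, kind, path, st.st_uid, st.st_size, st.st_ino, st.st_dev)
            for kind, t in stamps.items()]


def build_timeline(root):
    """Walk root and return every file event in chronological order (ties by path)."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            events.extend(file_events(os.path.join(dirpath, name)))
    return sorted(events, key=lambda e: (e.when, e.path, e.kind))


def format_timeline(events):
    """Render one line per event, in the spirit of a mactime body listing."""
    return [f"{time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(e.when))} UTC | {e.kind:8} | "
            f"uid={e.owner_uid} inode={e.inode} dev={e.device} size={e.size} | {e.path}"
            for e in events]


def make_sample_tree():
    """Constructed sample: three files whose atime/mtime are set to known values."""
    root = tempfile.mkdtemp()
    base = 1_700_000_000  # arbitrary epoch anchor for reproducible ordering
    for name, offset in (("invoice.pdf", 0), ("notes.txt", 3600), ("tool.exe", 60)):
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            fh.write(name.encode())
        os.utime(p, (base + offset, base + offset))  # (atime, mtime)
    return root
```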
- Computer Forensics Investigation Methodology - Case Analysis
- Analysis of the Case
- Investigators can relate the evidential data to the case details for understanding how the complete incident took place and determining the future actions such as the following
- Determine the possibility of exploring other investigative procedures to gather additional evidence (e.g., checking host data and examining network service logs for any information of evidentiary value, collecting case-specific evidence from social media, identifying remote storage locations etc.)
- Gather additional information related to the case (e.g., aliases, email accounts, ISP used, names, network configuration, system logs, and passwords) by interviewing the respective individuals
- Consider the relevance of components that are out of the scope of investigation; for example, equipment such as laminators, check paper, scanners, and printers in case of any fraud; or digital cameras in case of other nefarious activities
- Evidence Reconstruction
- Once the evidence related to the case is analyzed, investigators can use it to reconstruct the crime and identify the missing links
- Fundamentals of reconstruction for investigating a crime
- Temporal analysis
- It produces a sequential event trail, which sheds light on important factors such as what happened and who was involved
- Relational analysis
- It correlates the actions of suspect and victim
- Functional analysis
- It provides a description of the possible conditions of a crime. It testifies to the events responsible for a crime in relation to their functionalities
- Collecting Evidence from Social Networks
- Social media sites and apps can be a treasure trove for forensics investigations to track a perpetrator
- The information gathered from social media might help an incident responder to build a timeline of attack
- Generic data of interest for forensics investigations on social media networks or apps
- The social footprint
- The social graph of the user and with whom the user is connected
- Communication pattern
- The network used for communicating, method of communication, and with whom the user has communicated
- Pictures and Videos
- Pictures and videos uploaded by the user, and on whose pictures the user is tagged
- Times of Activity
- The time the user connected to the social network, and the exact time a specific activity of interest took place
- Apps
- Apps used by the user and their purpose
- Information that can be inferred in the social context
- Location of Social Networking information
- Footprints in RAM, browser cache, page files, unallocated clusters, and system restore point of a computer
- Ways to gather data from social media
- Traditional forensics methods can be used to extract artifacts from the local web browser cache
- Passive sniffing on the network (not possible if data on the communication layer is encrypted using HTTPS)
- Active attacks such as sniffing on unencrypted Wi-Fi networks, or in combination with ARP spoofing on LANs
- Social network APIs can be used to acquire data, which extends the available data of the web interface
- The easiest way to obtain data is to request the victim's account login credentials and start the investigation from there
- Tools to obtain information from different common social media websites
- Social media data is voluminous; therefore, tools are required to collect it efficiently and securely
- Some of the popular tools include Netvizz, twecoll, divud, Digitalfootprints, Netlytic, X1 Social Discovery, Facebook Forensic Software, H&A forensics, Geo360, Navigator by LifeRaft Social, Emotive, etc.
2.5 Post-Investigation Phase
- Computer Forensics Investigation Methodology - Reporting
- Gathering and Organizing Information
- Identification
- Documentation in each phase should be identified to decide whether it is appropriate to the investigation and should be organized in specific categories
- Procedures
- Gather all notes from different phases of the investigation process
- Identify the facts to be included in the report for supporting the conclusions
- List all the evidence to submit with the report
- List the conclusions that need to be in the report
- Organize and classify the information gathered to create a concise and accurate report
- Writing the Investigation Report
- Report writing is a crucial stage in the outcome of the investigation
- The report should be clear, concise, and written for the appropriate audience
- Important aspects of a good report
- It should accurately define the details of an incident
- It should convey all necessary information in a concise manner
- It should be technically sound and understandable to the target audience
- It should be structured in a logical manner so that information can be easily located
- It should be created in a timely manner
- It should be able to withstand legal inspection
- It should include conclusions that can be completely reproduced by a third-party
- It should try to answer questions raised during a judicial trial
- It should provide valid conclusions, opinions, and recommendations supported by figures and facts
- It should adhere to local laws to be admissible in court
- Forensics Investigation Report Template
- Executive summary
- Case number
- Names and Social Security Numbers of authors, investigators, and examiners
- Purpose of investigation
- Significant findings
- Signature analysis
- Investigation objectives
- Details of the incident
- Date and time the incident was reported to the agency’s personnel
- Details of the person or persons reporting the incident
- Date and time the incident allegedly occurred
- Investigation process
- Date and time the investigation was assigned
- Allotted investigators
- Nature of the claim and information provided to the investigators
- Evidence information
- Location of the evidence
- List of the collected evidence
- Tools involved in collecting the evidence
- Preservation of the evidence
- Evaluation and analysis process
- Initial evaluation of the evidence
- Investigative techniques
- Analysis of the computer evidence (Tools involved)
- Relevant findings
- Supporting Files
- Attachments and appendices
- Full path of the important files
- Expert reviews and opinion
- Other supporting details
- Attacker’s methodology
- User’s applications and Internet activity
- Recommendations
- Guidelines for Writing a Report
- Create and use a standard report template with all essential elements to save time
- Organize your report in such a manner that it gets progressively complex; this allows high-level executives to understand its essence by just reading the initial pages of the report
- Use a unique identifier or reference tag for each person, thing, and place mentioned repeatedly in your report to eliminate ambiguity
- Write your reports considering the technical capability and knowledge of your audience.
- Include in-depth details and findings of the complete investigation process so that another investigation of the evidence, if conducted, leads to the same result
- Record MD5 hashes in the report for all evidence recovered (hard disk, USB, specific file, etc.) during acquisition, verification of image, and at the end of the examination for them to be admissible in a court of law
- Include metadata (file location, file path, file size, time/date stamps, author, etc.) for every file named in your report. This eliminates confusion and increases client’s confidence
- Get the report technically reviewed by another forensic examiner prior to publishing to ensure that it is sufficiently documented and forensically sound
- Computer Forensics Investigation Methodology - Testifying as an Expert Witness
- Who is an Expert Witness?
- An expert witness is a witness who, by virtue of their education, profession, or experience, is believed to have special knowledge on the subject, beyond that of the average person, and sufficient to the extent that others legally depend upon their opinion
- The opinion of an expert witness, authorized by a court, has legal status and can be accepted as evidence in a court of law
- Roles of an Expert Witness
- Evaluates the evidence
- Helps the attorney to get to the truth
- Testifies in court
- Assists the court in understanding intricate technical evidence
- Expresses their expert opinion truthfully and objectively, without regard to any others' views or influence
- Conducts investigations on behalf of the court and reports the findings back to the court
- Participates in court-appointed expert witness conferences to study any intriguing incident
- Educates the public and the court
- Assists plaintiff’s or defendant’s lawyers to establish facts, assess merits, help in the preparation of a case, and aid in making the initial decision on whether to start a litigation
- What Makes a Good Expert Witness?
- Good expert witnesses can talk to the jurors in a way that shows they have confidence in their case and are sincere, without seeming like an advocate
- Experts need to change the complicated material into understandable material, so as to make it comprehensible for the lay audience
- They should observe the jurors to determine their level of interest, and avoid overextended opinions
- They should repeat the details and descriptions of the case for the jury
- They should enhance their credibility by adhering to a formal dress code
- Testifying in the Court
- Presenting digital evidence in the court requires knowledge of new, specialized, evolving, and sometimes complex technology
- Things that take place in the courtroom
- Familiarize the expert witness with the usual procedures that are followed during a trial
- The attorney introduces the expert witness
- The opposing counsel may try to discredit the expert witness
- The attorney leads the expert witness through the evidence
- Later, it is followed by the opposing counsel’s cross-examination
- General Ethics while Testifying
- Be professional and polite in presenting a testimony
- Keep the jury interested in what you are saying
- Maintain a steady body language and a balanced stance
- Be enthusiastic and alert
- Be aware and prepare for the possible rebuttal questions, especially from the opposing counsel
- Have self-confidence and project a composed, professional style in the courtroom