Chapter 2 - The Forensic Investigation Process

Now that you’ve learned a little bit about digital forensics, its purpose, and how it’s different from e-discovery, it’s only natural to want to dig in a little deeper. One thing that sets digital forensics apart from other types of investigations is its rigorous process that demands careful attention to detail, mastery of complex technical knowledge, and diligent documentation.

We’ll start with a recap of the five phases of a digital forensic investigation and explore how they differ from other types of investigations before going into each phase in depth in the rest of this chapter.

An Overview of the Forensic Investigation Process

Step One: During identification, the investigator (or investigating team) must identify what evidence is present on the device, where it is stored, and what format it is stored in.

Step Two: Preservation focuses on isolating the data, securing it, and preserving it, while creating a copy, or image, that can be analyzed and investigated. This process, also known as “imaging” a device, preserves the actual evidence in its original form, so it will be admissible in court.

Step Three: During analysis, the forensic investigator reconstructs the fragments of data and creates a holistic narrative of what happened during the crime (or other matter being investigated).

Step Four: During Documentation, the investigator prepares a record of the data to be presented in court (or in whatever other venue that the investigation is being resolved).

Step Five: In presentation, the investigator uses the documentation to explain the conclusions they have drawn about the event in question in a compelling manner.

Differences between Forensic and Other Investigatory Processes

In Chapter One of the Basics of Digital Forensics, we listed some differences between forensic investigations and civil, internal, and other types of investigations, but most of those concerned the venues for investigations and who might perform them. Three big differences relate to the process of a forensic investigation itself: how evidence is preserved, who analyzes the evidence, and the standard the court requires.

  • In a forensic investigation, the investigator images, or makes an exact duplicate of, the data. This preserves the original evidence’s admissibility in court, while the investigator is free to examine and analyze the duplicate. Other processes may skip this step because it takes time and increases storage requirements.
  • In a forensic investigation, the examiner who collects the evidence typically also analyzes it and documents both steps. In other investigations, one person collects the data and then hands it off to another for interpretation. For example, an e-discovery paralegal or IT professional may collect information and pass it on to an attorney or HR representative for interpretation.
  • The forensic process meets a standard of “forensic soundness” rather than the “defensibility” standard of civil litigation. Defensibility leaves room for reasonable errors as long as good faith efforts are made and processes are in place; forensic soundness does not. Compromised evidence is not admissible in a criminal trial and could be grounds for dismissal of charges.

Defining Forensic Soundness

A widely accepted definition of forensic soundness is “the application of a transparent digital forensics process that preserves the original meaning of data for production in a court of law.” According to IGI Global, forensically sound methods should “give reasonable assurance that digital evidence was not corrupted or destroyed during investigative processes, whether on purpose or by accident."

Step One of the Digital Forensic Process: Identification

At the start of any digital forensic investigation, the investigator must identify where evidence exists that might be pertinent to the matter being investigated. The investigator is trying to answer basic questions at this stage. In many ways, the identification stage is a prelude to the actual work of digital forensic investigation.

Who are the key evidence-holders?

In a criminal case, this would be the suspect(s) and perhaps any accomplices or other individuals with whom the suspect(s) had communicated or been in contact. In an investigation of a data breach or other cyber-incident, it might be someone who inadvertently clicked on a phishing email or a disgruntled employee who is suspected of exfiltrating confidential data.

What devices might hold evidence related to the investigation?

Most investigations will focus on devices like computers or smartphones, both of which can contain evidence of multiple types. However, they are not the only possible devices that can yield important information. Others might include computer servers, network or cloud file-shares, smartwatches or other wearable technology, internet of things (IoT) devices, and more.

What types of evidence are present on the device(s) being investigated?

Naturally the type of device will dictate what evidence it could hold. Where some devices may only hold one or two types of data, smartphones or computers can hold a multiplicity of types, including emails and text messages, web histories, application data, geolocation data, and more. Each type of evidence might occur in a distinct format, and may need to be collected according to an appropriate methodology.

The investigative team then takes the devices into custody to eliminate any possibility of tampering. If the data is on a server or network, housed on the cloud, or some other location that cannot be taken into custody, then the investigator or organization needs to ensure that no one other than the investigating team has access to it. At that point, the investigator can make a choice about the appropriate method for collecting and preserving the evidence in question.

The Primary Methods of Forensic Collection

Investigators should understand the basic methodology and reasoning behind the fundamental types of data collection for digital forensic investigations.

  • Dead-box Collection In dead-box forensics, the investigator makes an image of the entire system and analyzes its contents offline. The device is powered down (hence the term “dead-box”), so only data at rest is captured, often by removing the device’s hard drive completely, if possible, and imaging it through a write blocker.
  • Live Forensics In live forensics, the investigator accesses the system or device while it is still powered on, allowing him or her to capture volatile information: the contents of the device’s RAM, running processes, open network connections, logged-in users, and, importantly, the keys of any encrypted volume that is currently mounted. Once the device is powered down, RAM data is lost to the investigation, and an encrypted volume that was open may never be readable again. Volatile data is collected in order of volatility (the shortest-lived first), and because every tool run on a live system changes its state, each step and its time must be recorded.
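The order-of-volatility idea in practice, as an added example for this chapter rather than FTK or Exterro code: the script below runs a fixed list of live-system tools most-volatile-first, timestamps and hashes every output, and records a missing or hung tool as a failure instead of aborting. The tool names in ORDER_OF_VOLATILITY are assumptions for a Linux host; on a real case they should be trusted binaries from the examiner’s own media, not the suspect system’s, and the manifest should note that running them altered the machine.

```python
"""Collect volatile data in order of volatility and hash each result.

Added example for this chapter; not code from FTK or Exterro. The commands in
ORDER_OF_VOLATILITY are assumed to exist on a Linux host; a missing tool is
logged as a failure and collection continues with the next item.
"""
import hashlib
import subprocess
import sys
from datetime import datetime, timezone

# Most volatile first (the RFC 3227 ordering): what is lost soonest is taken first.
ORDER_OF_VOLATILITY = [
    ("clock",       ["date", "-u"]),                         # clock skew for the timeline
    ("processes",   ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("connections", ["ss", "-tunap"]),
    ("logins",      ["who", "-a"]),
    ("arp",         ["ip", "neigh"]),
    ("routes",      ["ip", "route"]),
    ("mounts",      ["mount"]),
]

PYTHON = sys.executable  # portable command used by the self-check


def run_one(name, argv):
    """Run one tool, timestamp start and end, and hash its raw output."""
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60)
        stdout, rc, err = proc.stdout, proc.returncode, ""
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        # Record the failure itself; an absent or hung tool is still a finding.
        stdout, rc, err = b"", None, f"{type(exc).__name__}: {exc}"
    finished = datetime.now(timezone.utc).isoformat()
    return {
        "name": name, "argv": argv, "started_utc": started, "finished_utc": finished,
        "returncode": rc, "error": err, "stdout": stdout,
        "sha256": hashlib.sha256(stdout).hexdigest(),
    }


def collect_volatile(commands=ORDER_OF_VOLATILITY):
    """Run every command in the given order and return one record per command.

    The order is the point: clock, processes and sockets change from second to
    second, mounts and routes far less, so the list is walked top to bottom and
    nothing is reordered or skipped because an earlier item failed.
    """
    return [run_one(name, argv) for name, argv in commands]


def verify_record(record):
    """Recompute the hash of a record's stored output and compare it with the
    value logged at collection time (used when records are re-read later)."""
    return hashlib.sha256(record["stdout"]).hexdigest() == record["sha256"]


def write_manifest(records, path):
    """Write the collection log (timing, hash, exit status, errors); it goes
    into the chain-of-custody documentation next to the raw outputs."""
    with open(path, "w", encoding="utf-8") as fh:
        for r in records:
            fh.write(f"{r['started_utc']} {r['name']} sha256={r['sha256']} "
                     f"rc={r['returncode']} err={r['error'] or '-'}\n")


if __name__ == "__main__":
    recs = collect_volatile()
    write_manifest(recs, "volatile_manifest.txt")
    for r in recs:
        print(f"{r['name']:12} {r['sha256'][:16]}  {r['error'] or 'ok'}")
```

The manifest (timestamp, command, SHA-256, exit status) is what lets the examiner later show exactly what was run, when, and that the stored output is unchanged; verify_record re-checks a record against its logged hash.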

Deep Dive on Collecting Volatile Data

Learn how to capture volatile data with FTK® Enterprise with Exterro Forensics Evangelist, Justin Tolman.

  • Mobile Collection Mobile collection focuses on mobile devices, such as smartphones, wearable technology like smart watches, and tablets. With the wealth of data stored on smartphones, it is essential for investigators to be able to collect data from them. Since many devices give users the capability to remotely wipe data, it is critical to isolate them from the network immediately, using Faraday evidence bags that block WiFi and cellular signals (and airplane mode when the device is already unlocked), and to use anti-static packaging that prevents discharges that might damage the device. Where possible, keep the device powered on and unlocked; a device that reboots or locks may be far harder to acquire.
  • On-Network Collection In an enterprise environment, investigators must be able to collect data from all devices connected to a corporate network, including routers, servers, and employee computers. This type of acquisition is performed by using remote agents on the endpoints requiring collection. Ideally digital forensic software should also be automated and connected to security information and event management (SIEM) or security orchestration, automation, and response (SOAR) technology, so it immediately starts collecting data when an incident like an intrusion happens.
  • Off-Network Collection Given the reality of modern remote and hybrid workplaces, enterprise investigators need to be able to connect to devices that are not on their organization’s network or virtual private network (VPN) when incidents requiring investigation occur.

Deep Dive on Off-Network Collection

Wonder why it’s important to be able to collect data from corporate resources that aren’t connected to your network? Dig into the reasons with FTK Evangelist Justin Tolman and Forensic Product Marketing Director Lynne Roossien in Episode 10 of FTK Over the Air.

  • Cloud Data Collection Both criminal and civil investigations may require investigators to collect data from cloud sources, whether those are web-based applications or personal or corporate file storage services like Google Drive or Box, in investigations of incidents like data breaches or identity theft. While the investigator follows the same methods in cloud forensics as they would in traditional digital forensics, the lines may blur on who owns the evidence and whether it is admissible in court.

Learn from Professionals

Learn how some organizations are tackling the challenge of cloud forensics in this report on Evidence and the Cloud.

Step Two of the Digital Forensic Process: Preservation

Preservation is arguably the most important step of the digital forensic process. Since the goal of digital forensics is to construct a narrative of the event in question that will stand up in court, all evidence must be preserved in a forensically sound manner, so it will be admissible in court. Digital evidence can be very compelling, but it is fragile, and subject to tampering. During preservation, the investigator must isolate and protect digital evidence exactly as it was found, without alteration, so that it can later be analyzed.

Preservation is a science. Digital forensics is an industry that works on devices that are entirely designed and built by mankind. And that means that ultimately most things are knowable. We may not know who to ask. They may not want to tell us the answers. But when it comes to reading and writing data from a computer, every bit of how that process works is documented somewhere.

- Allan Buxton
Director of Forensics, Secure Data

Defining Forensic Imaging

Investigators accomplish this goal by imaging the device in question. Digital forensic imaging is defined as the processes and tools used in copying a physical storage device, bit for bit and including unallocated space, for conducting forensic investigations and gathering evidence. A simple file copy is not an image: it misses deleted data, slack space, and unallocated space.

While it’s beyond the scope of this chapter to explain all the steps and means to create an image, there are some key best practices digital forensic investigators should take into account.

  • Document the steps you’re taking. You will need to be able to explain them to non-investigators at the conclusion of the investigation.
  • Maintain the chain of custody. It is necessary to ensure your evidence is admissible in court.
  • Validate the accuracy of data using hash values, the fixed-length string obtained by applying a hash function (SHA-256 today; MD5 and SHA-1 still appear in older tools but are no longer collision-resistant) to a piece of data, which serves as the fingerprint of a digital file. Hash the original before acquisition, hash the image afterwards, and hash the original again; all three values must match, and they are recorded in the chain-of-custody documentation.

Key Concept: Chain of Custody

The “chain of custody” refers to the process through which physical or digital evidence is handled during an investigation. Proving that an item has been properly handled through an unbroken chain of custody is required for it to be legally accepted as evidence in court. It documents how, when, and by whom items have been collected, handled, analyzed, or otherwise controlled during an investigation.

Forensics in Action: The OJ Simpson Case

Gaps in the chain of custody can result in the evidence being inadmissible. In the infamous OJ Simpson murder trial, a number of items of evidence, including blood samples linking Simpson to the crime scene, remained in officers’ possession for considerable amounts of time instead of being logged into the chain of custody immediately. This lapse allowed the defense attorneys to argue that evidence linking him to the scene could have been planted or contaminated, introducing a layer of doubt into the jurors’ minds.

For digital evidence, forensic investigators will often make use of a hardware write blocker, a device placed between the evidence drive and the workstation that passes read commands and blocks write commands. It ensures that no changes are made to the media being imaged, which is what allows the hashes of the original taken before and after acquisition to match, and so supports the chain of custody.
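The hash checks and the custody record described above, as an added example (not FTK or any vendor’s code): image_and_verify hashes the original, copies it bit for bit while hashing the stream, hashes the finished image, and hashes the original once more; the run is only marked verified when every digest agrees. run_demo builds a constructed 3 MiB sample in a temporary directory and then flips one byte in the image to show re-verification failing. Paths, the examiner name, and the case identifier are placeholders.

```python
"""Forensic imaging with pre/post-acquisition hashes and a custody log.

Added example, not FTK or any vendor's code. `src` may be a file or, on Linux
with root, a block device such as /dev/sdb; the examiner name, case id and
paths are placeholders. A hardware write blocker belongs between the evidence
drive and the workstation; this script only detects, by re-hashing the
original, whether it changed during acquisition.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-terabyte devices


def sha256_file(path):
    """Stream a file (or device) to EOF and return (hexdigest, byte count)."""
    h, n = hashlib.sha256(), 0
    with open(path, "rb", buffering=0) as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
            n += len(chunk)
    return h.hexdigest(), n


def acquire(src, dst):
    """Bit-for-bit copy of src into dst, hashing the bytes as they are read so
    the acquisition hash reflects exactly what was copied."""
    h, n = hashlib.sha256(), 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            h.update(chunk)
            fout.write(chunk)
            n += len(chunk)
        fout.flush()
        os.fsync(fout.fileno())  # image must be on disk before it is hashed
    return h.hexdigest(), n


def image_and_verify(src, dst, examiner, case_id):
    """Hash the original, acquire, hash the image, hash the original again.

    All four digests must agree. A changed source hash means the original was
    written to during acquisition (no write blocker, OS auto-mount, failing
    media); an image hash that differs means the copy is not faithful. Either
    way the image is not usable as evidence and the acquisition is repeated.
    """
    pre, _ = sha256_file(src)
    t0 = datetime.now(timezone.utc).isoformat()
    acq, size = acquire(src, dst)
    t1 = datetime.now(timezone.utc).isoformat()
    img, _ = sha256_file(dst)
    post, _ = sha256_file(src)
    return {
        "case_id": case_id, "examiner": examiner, "source": src, "image": dst,
        "size_bytes": size, "acquired_start_utc": t0, "acquired_end_utc": t1,
        "sha256_source_before": pre, "sha256_acquired": acq,
        "sha256_image": img, "sha256_source_after": post,
        "verified": pre == acq == img == post,
    }


def verify_image(record):
    """Re-hash the image and compare with the digest recorded at acquisition;
    do this whenever the image changes hands and before analysis starts."""
    return sha256_file(record["image"])[0] == record["sha256_image"]


def append_custody_log(record, log_path, action="acquired"):
    """Append one chain-of-custody entry (who, what, when, hash) as a JSON line."""
    entry = {"ts_utc": datetime.now(timezone.utc).isoformat(), "action": action,
             "by": record["examiner"], "case_id": record["case_id"],
             "item": record["image"], "sha256": record["sha256_image"],
             "verified": record["verified"]}
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def run_demo():
    """Constructed end-to-end run in a temp dir with a 3 MiB patterned sample
    (not real evidence): acquire, verify, log, then flip one byte in the image
    to show re-verification catching it. Returns (record, ok_before, ok_after)."""
    d = tempfile.mkdtemp(prefix="acq_")
    src, img, log = (os.path.join(d, n) for n in ("source.bin", "image.dd", "custody.jsonl"))
    with open(src, "wb") as fh:
        fh.write(bytes(range(256)) * (3 * 1024 * 4))
    rec = image_and_verify(src, img, examiner="J. Examiner (placeholder)", case_id="CASE-0000")
    append_custody_log(rec, log)
    ok_before = verify_image(rec)
    with open(img, "r+b") as fh:  # simulate tampering or bit rot in storage
        fh.seek(1000)
        fh.write(b"\x00")
    return rec, ok_before, verify_image(rec)


if __name__ == "__main__":
    rec, before, after = run_demo()
    print(json.dumps(rec, indent=2))
    print("verified:", rec["verified"], "re-verify before tamper:", before, "after:", after)
```

Hashing the source a second time after the copy is the cheap software check on the write blocker: if that digest differs from the first one, the original was modified during acquisition and the image cannot be relied on, whatever its own hash says.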

Automating Forensic Collection

In enterprise environments, digital forensics and incident response (DFIR) teams can achieve considerable benefits by automating critical collection tasks.

By integrating DFIR technology with SIEM and SOAR technology, as soon as unusual activity is detected or a cyber-security incident happens, the technology can immediately take critical steps to collect evidence that will be useful to investigators. In criminal forensic workflows, automation can reduce the delay from taking physical possession of electronic devices to investigation and analysis by automating evidence processing and review workflows.

Deep Dive on Cyberattack Investigations

Why is it so important to integrate your DFIR technology with your SIEM/SOAR solutions? Because There’s No Place for Guesswork in Cyberattack Investigations, of course!

Step Three of the Digital Forensic Process: Analysis

While identification and preservation of evidence are essential for a successful forensic investigation, analysis is the stage of the process that truly solves the mystery. In it, the investigator reconstructs the fragments of data and creates a holistic narrative of what happened during the crime or other matter being investigated. Because of the volume of data involved, and because digital evidence cannot be examined directly the way physical evidence can, digital forensic investigators rely on their technological toolkit to conduct their investigations.

During analysis, investigators strive to remain open-minded as to how to interpret the evidence they find. As evidence accumulates, the investigator will begin to form theories of what happened during the crime or incident(s) in question, and evaluate how or whether additional evidence supports the theory. Ultimately, they hope to develop a holistic story of what happened, when, how, and why.

How Investigators Use Forensic Analysis Tools

  • Email analysis: Extract as much data as possible from email messages, headers, attachments, and addresses.
  • File analysis: Analyze, index, search, track and report on file metadata and file content, enabling investigators to identify files that are relevant to an investigation.
  • File viewers: View the contents of multiple types of files quickly, without needing the application that created them.
  • Internet analysis: Collect and analyze browser histories, caches, cookies, and other internet usage artifacts, and identify patterns that may be relevant.
  • Mobile device analysis: Software or agents developed specifically for extracting data from mobile devices.
  • Registry analysis: Automatically extract information from the live Windows registry or from the raw registry hive files found in digital evidence and display it in an understandable format.
  • Network forensics: Specialized technology developed to monitor and collect data passing through a network or to access specific endpoints and collect data from them.
  • Decryption: Decrypt protected files, volumes, emails, and other messages once a key or password has been recovered, so their contents can be analyzed for possible evidence. Strong encryption without the key stays closed; the practical route is usually password recovery or a key captured from memory, which is one reason volatile data is collected.
  • Password crackers: Access data on locked devices, applications, or web-based software by recovering users’ passwords through dictionary, rule-based, or brute-force attacks.
  • File restoration: Restore deleted files or data, typically by reading filesystem metadata that still points at the file’s clusters, to examine the evidence they may contain.
  • File carving: Recover files from unallocated space when no filesystem metadata remains, by locating known header and footer signatures and reassembling the pieces, or fragments, of files. Carving can recover deleted data, but not data that has actually been overwritten.
  • Image detection: Recognize faces and flesh-tone colors, especially in child pornography and exploitation matters.
  • Video recognition: AI technology can automatically identify critical points of interest in evidence videos like people, weapons, and drugs, reducing hours of manual video review.
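File restoration and file carving from the list above, as an added example that is not part of the original page or any vendor’s tool: a contiguous header/footer carver over a constructed byte string standing in for unallocated space. The signatures, the sample image, and the output file naming are assumptions made for the example.

```python
"""Header/footer file carving over a raw image.

Added example for this chapter, not any vendor's carver. The "disk image" is
constructed inline: two tiny image files and one torn JPEG fragment scattered
through zero filler, the way deleted files sit in unallocated space until
they are overwritten.
"""
import hashlib
import os

# (type, header, footer). Contiguous carving: the file is assumed to run from
# its header to the next footer without fragmentation.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]
MAX_CARVE = 64 * 1024 * 1024  # stop looking for a footer this far past a header


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return [(type, offset, data, sha256)] for every header with a footer after
    it, sorted by offset. A header with no footer in range is a fragment whose
    tail was overwritten (or a false positive) and yields nothing: a carver can
    only reassemble bytes that still exist."""
    found = []
    for ftype, head, foot in signatures:
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(foot, start + len(head), start + max_size)
            if end < 0:
                pos = start + 1  # fragment or false positive: keep scanning
                continue
            end += len(foot)
            data = image[start:end]
            found.append((ftype, start, data, hashlib.sha256(data).hexdigest()))
            pos = end  # resume after this object, not inside it
    return sorted(found, key=lambda r: r[1])


def build_sample_image():
    """Constructed unallocated-space sample (not a real disk image)."""
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) + b"\xff\xd9"
    torn = b"\xff\xd8\xff\xe1Exif\x00\x00" + b"\x11" * 40  # no footer: tail overwritten
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
           + b"IEND\xaeB`\x82")
    filler = b"\x00" * 512
    return filler + jpg + filler + torn + filler + png + filler


def write_carved(results, out_dir):
    """Write each carved object as <offset>.<type> and return the paths; the
    hash already recorded in the results is what goes into the examiner's notes."""
    paths = []
    for ftype, off, data, _ in results:
        p = os.path.join(out_dir, f"{off:012d}.{ftype}")
        with open(p, "wb") as fh:
            fh.write(data)
        paths.append(p)
    return paths


if __name__ == "__main__":
    for ftype, off, data, digest in carve(build_sample_image()):
        print(f"{ftype} @ {off:#x} {len(data)} bytes sha256={digest[:16]}")
```

Two limits worth knowing before trusting the output: a JPEG that embeds a thumbnail carries a second FFD8/FFD9 pair, so this simple carver may stop at the thumbnail’s footer (production carvers parse the file structure instead), and a file whose clusters were not contiguous will not come out whole. The torn fragment in the sample shows the other boundary: a header whose data has been overwritten yields nothing, because carving cannot recover bytes that no longer exist.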

Go deep on the analysis phase of a digital forensic investigation with these two courses in Exterro’s Masters of Digital Forensics series:

Images and Video in Digital Forensics Investigations: The Risk of Vicarious Trauma

Vicarious trauma, also known as second-hand trauma, occurs when a person empathetically engages with victims of traumatic experiences. While the term and phenomenon were first identified in therapists, forensic investigators also experience vicarious trauma. People experiencing vicarious trauma undergo symptoms just like the primary victims of trauma, with their brains literally rewiring themselves in attempts to suppress, internalize, or protect themselves from traumatic imagery related to crimes like child abuse, torture, assault, and other forms of violence.

In investigators, vicarious trauma can arise over time, from repeated exposure to evidence from traumatic crimes, or after a discrete event, because of a specific characteristic of a crime being investigated (such as having a victim who resembles a loved one or a particularly troubling crime). Not every forensic investigator will experience vicarious trauma, but it is a possibility that all investigators should be aware of. Awareness allows investigators to take steps to help them maintain a healthy separation between their work and the rest of their life—including importantly their mental health. Investigators can and should take steps both in their personal lives and at work to maintain their physical and mental health.

Deep Dive on Technology to Prevent Vicarious Trauma

Learn about how technology solutions are helping to protect investigators in Episode 16 of FTK Over the Air or check out this article for tips on protecting yourself from vicarious trauma.

Step Four of the Digital Forensic Process: Documentation

Once a digital forensic investigator has completed his or her investigation and has reached a compelling conclusion, the next two phases of the process—documentation and presentation—are geared towards ensuring that those charged with acting on its results find it understandable and compelling. That audience may ultimately be a jury in a criminal trial, an oversight board in an enterprise environment, or some other group, depending on the nature of the investigation. Ultimately, the presentation of the findings (the final step in the investigatory process), must make it easy for listeners to visualize what happened and understand the timeline of the disparate activities involved in the wrongdoing, from planning to execution to any attempts to hide evidence or cover up the activity.

If you’ve documented the steps you’ve taken thoroughly throughout the investigation, this activity should be largely complete. You’ll just need to curate your list of steps, so that you’re focusing on the most compelling pieces of evidence and how they fit into the timeline you’re looking to establish. Identify these key pieces of evidence and explain in layman’s terms why they are both significant and compelling. Why do they prove the assertion you are making? What is the logical path your investigation took from uncertainty about what happened to certainty?

At this point, you’re no longer working with advanced digital forensic technology. It may be the source of the evidence and the means through which you drew your conclusions, but in documenting your investigation, you are creating a narrative report, with visual, audio, and other evidence backing it up, whether you anticipate delivering it in courtroom testimony or as a written report delivered to your organization’s CISO.

Step Five of the Digital Forensic Process: Presentation

Once the investigation is complete, and you’ve documented the most important evidence, it’s time to present the findings to the authorities charged with determining the outcome of the investigation. In a courtroom, a digital forensics investigator might act as an expert witness, summarizing their report and presenting the most critical pieces of evidence to the jury, while the full report is submitted as an exhibit in the courtroom. In an internal investigation of a cyber-incident, the venue for the presentation may be an executive board meeting, a meeting of the leadership team, or simply a small group of colleagues in information security.

Best Practices for Presenting Investigatory Results

Ideally an expert witness should have relevant expertise, credentials, and plenty of experience testifying—but that’s not always the case. Everyone, including the most experienced expert, has a first time testifying or presenting conclusions. Remember, whatever the type of the investigation and the venue for its presentation, certain key principles hold true.

  • Review your investigation notes and documentation. You’ll want to be able to speak to the steps you took and why you took them just as much as the conclusions you’ve drawn.
  • Make sure you’re comfortable speaking about the chain of custody for key pieces of evidence.
  • Practice your testimony. Review the report you’ve assembled and make sure you’re able to dig into detail and provide supporting evidence for your conclusion.
  • Speak in easy to understand language, not jargon. Chances are your audience will not be made up of digital forensics experts; make sure you can make key concepts, processes, and technology clear to them.
  • Prepare for objections and follow-up questions. There are always two sides to a story. Whether you’re in a courtroom or in an internal investigation, the opposition will have an opportunity to make their case. If you anticipate and prepare for their statements, you will be able to speak clearly to the reasons why you disagree with that interpretation.

For detailed discussions of the digital forensic process, make sure to bookmark Exterro’s five-part webinar series, The Masters of Digital Forensics.