Once a digital forensic investigator has learned the investigatory process and how to use the technology, what sorts of investigations might he or she expect to conduct? There are three main types of digital forensic investigations: criminal investigations, civil litigation, and internal investigations—but of course this is somewhat complicated by the fact that individuals or organizations can conduct private investigations of any of these types. For the purposes of this guide, we will focus primarily on the main three types of digital forensic investigations.
Digital Forensics in Criminal Investigations
Criminal investigations can be either a digital forensic investigation of “real-world” crimes (e.g., using digital artifacts to establish motivation, presence at a location, or some other aspect of a robbery, assault, homicide, etc.) or of a cybercrime that took place entirely within the digital realm (e.g., cyber-fraud, hacking, identity theft, etc.). The investigation begins when, at the scene of the crime (or an associated scene such as a suspect’s home), law enforcement finds an electronic device they believe may hold relevant evidence. The device might be a smartphone, computer, or even a personal health tracker. They document their discovery, establishing the chain of custody, and then turn the device over to the forensic investigator, at which point the forensic investigation process begins.
Learn the Digital Forensic Investigation Process
Want more detail on digital forensic investigations, including on the chain of custody? Review Chapter 2 of the Basics of Digital Forensics!
Uses of Digital Forensic Investigations of Crimes
Investigations of real-world crimes often take place after the recovery of one or more electronic devices from the victim, suspect, or another involved party. The investigations may help the investigators understand the motivation of the criminal(s), especially when they are non-cooperative or die in the course of committing the crime. As gruesome and tragic as the incidents themselves may be, investigators must spend substantial amounts of time investigating crimes that range from all-too-frequent domestic murder/suicides and workplace violence to infamous incidents like the Aurora “Dark Knight” shooting or the 2015 San Bernardino terrorist attack, as well as countless investigations of less infamous crimes.
Digital Forensics in Action
Learn how the Aurora police department used FTK® to collect evidence about the killer’s state of mind after the “Dark Knight” shooting in this case study.
In Chapter One of the Basics of Digital Forensics, we noted the observation that, “in terms of crime today, virtually every crime has a digital footprint,” meaning that crimes occurring in the real world leave traces in the virtual world of electronic devices and the internet. Of course, in the internet age, many crimes
Other uses for a digital forensic investigation might include things like determining how a suspect acquired the means to commit a crime (such as an illegally-obtained firearm) with an eye towards preventing future occurrences, establishing a pattern of criminal behavior (in crimes like stalking or online harassment), or identifying accomplices before or after the fact. All this information helps establish intent for a jury, increasing the likelihood of the prosecution earning a conviction.
Hackers can infiltrate corporate networks and steal intellectual property valued at millions or even billions of dollars. They can steal passwords, personally identifying information, or credit card information through phishing attacks or by breaking into WiFi networks. Dark web sites like the Silk Road, run by Ross Ulbricht, alias the “Dread Pirate Roberts,” serve as virtual marketplaces for illegal goods and services.
In cases like these, virtually the entire case against the perpetrators is built through a digital forensic investigation. The point of the investigation is to identify the person at the keyboard (or holding the phone) when a given crime was committed. As Gus Dimitrelos, founder of CyberForensics.com and a long-time digital forensic investigator both in the public and private sector, put it on a recent episode of FTK Over the Air, “The whole key is the identification of the [device’s] owner. Who’s sitting at the keyboard? Who’s using the computer? Who’s responsible for all the information that’s on the computer?”
From the FBI Historical Archives
On its website, the FBI displays a collection of historical artifacts from its past, including evidence seized in famous cases like the high-top sneakers belonging to Richard Reid, the infamous “Shoe Bomber,” J. Edgar Hoover’s fedora, and fingerprint kits from the 1930s. Among those artifacts is Ross William Ulbricht’s laptop computer, which he used to run the illegal, dark-web marketplace The Silk Road.
In 2011, a tax agent discovered a forum post about the website, which was accessible via the Tor browser and let users buy and sell illegal goods and services ranging from drugs to guns and hitmen. When Ulbricht posted a job opportunity, investigators were able to trace the email account he used back to him and ultimately identify him as a suspect. Seized in 2013 at Ulbricht’s arrest, the laptop contained crucial evidence that helped earn convictions for drug trafficking, computer hacking, and money laundering.
Ulbricht is now serving life in a federal prison.
Digital Forensics in the Courtroom
To earn convictions in court, prosecutors must be able to present persuasive digital evidence, including testimony from digital forensic investigators. As the National Institute of Justice explains, “digital evidence is now used to prosecute all types of crimes, not just e-crime. For example, suspects’ e-mail or mobile phone files might contain critical evidence regarding their intent, their whereabouts at the time of a crime and their relationship with other suspects.”
Because it’s not tangible, there are strict requirements to ensure that digital evidence is admissible in a courtroom. It must be preserved, documented, and analyzed completely through a forensically sound process that maintains the chain of custody. Its integrity must be demonstrated using cryptographic hash functions, whose outputs, known as hash values, serve as digital fingerprints showing that the data is unchanged since acquisition. MD5 and SHA-1 remain common in forensic tooling and reports, but both have published collision attacks, so current practice records a SHA-256 hash alongside them.
What Is a Hash Value?
According to TrendMicro.com, “Hash values can be thought of as fingerprints for files. The contents of a file are processed through a cryptographic algorithm, and a unique numerical value – the hash value - is produced that identifies the contents of the file. If the contents are modified in any way, the value of the hash will also change significantly.
Two algorithms are currently widely used to produce hash values: the MD5 and SHA1 algorithms.”
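The following Python is an added example, not code from this guide or from FTK. It performs the check described above: every recorded digest is computed in one pass over the image at acquisition, and a working copy is later re-hashed and compared against those recorded values. The image bytes are constructed for the example; the functions and names are the example’s own.

```python
"""Hash verification of a forensic image (added example; constructed sample data)."""
import hashlib
import io

# MD5 and SHA-1 are kept because older reports and many tools still record them;
# SHA-256 is the collision-resistant digest the verification should rely on.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 1024 * 1024  # 1 MiB; real images are usually far larger than RAM

# Constructed stand-in for an acquired disk image (not real evidence):
# a zeroed boot-code area, a partition-table-like stub, filler, and a 0x55AA signature.
SAMPLE_IMAGE = b"\x00" * 446 + b"\x80\x01\x01\x00\x07" + b"\xa5" * 1024 + b"\x55\xaa"


def hash_stream(stream, algorithms=ALGORITHMS, chunk_size=CHUNK_SIZE):
    """Compute every requested digest in a single pass over a file-like object.

    One pass matters: re-reading a multi-terabyte image once per algorithm
    is the difference between hours and days.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS, chunk_size=CHUNK_SIZE):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms, chunk_size)


def verify_image(data, acquisition_hashes):
    """Re-hash a copy and compare it with the hashes recorded at acquisition.

    Returns (ok, per_algorithm). ok is True only if every recorded algorithm
    matches: one mismatching digest means this copy is not the evidence that
    was seized, whatever the other digests say. Recorded values are often
    written in upper case in reports, so the comparison is case-insensitive.
    """
    current = hash_bytes(data, algorithms=tuple(acquisition_hashes))
    per_algorithm = {
        name: current[name] == acquisition_hashes[name].lower()
        for name in acquisition_hashes
    }
    return all(per_algorithm.values()), per_algorithm


def flip_byte(data, offset):
    """Return a copy of data with one bit flipped at offset (simulated alteration)."""
    altered = bytearray(data)
    altered[offset] ^= 0x01
    return bytes(altered)


def demo():
    """Record hashes at 'acquisition', verify a clean copy, then a corrupted one."""
    recorded = hash_bytes(SAMPLE_IMAGE)            # what the acquisition report lists
    clean_ok, _ = verify_image(SAMPLE_IMAGE, recorded)
    tampered_ok, detail = verify_image(flip_byte(SAMPLE_IMAGE, 500), recorded)
    return clean_ok, tampered_ok, detail


if __name__ == "__main__":
    print(demo())
```

A single flipped bit changes all three digests, which is the property that makes hashes usable as fingerprints. The hash proves only that the copy matches what was recorded at acquisition; it says nothing about whether the acquisition itself was done soundly (write-blocker, documented tool and version, witnessed procedure), so the hash record belongs in the chain-of-custody documentation rather than replacing it.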
In the courtroom, the digital forensic expert typically testifies about what he or she found, the process used to find it, and the authenticity of the evidence recovered from the device. They must take care to testify in language that can be understood by non-experts—namely, the judge and jury. They must be thorough in their investigation, so they can provide supporting details where necessary, as well as answer additional, potentially hostile, questions from the defendant’s counsel. At times, they will need to rebut counterclaims made by technical experts hired on the defense’s behalf.
Forensic Investigations in Civil Litigation
Civil litigation investigations are often part of the electronic discovery process, in which a digital forensic investigator seeks to collect, preserve, and review a large corpus of electronic data that is potentially related to a matter being settled through the civil, rather than criminal, court system. In many cases, the investigator’s findings work their way into the attorneys’ case presentations, including on occasion actual testimony delivered in the courtroom.
Federal Rules Governing Digital Forensic Evidence
Two sets of rules govern civil litigation taking place in federal courts today—the Federal Rules of Evidence (FRE) and the Federal Rules of Civil Procedure (FRCP). The FRE do not specify what process must be followed when copying data, and most courts do not mandate a certain type of collection either. The FRCP’s proportionality limits, as laid out in Rule 26(b)(2)(C), require the court to limit discovery that is “unreasonably cumulative or duplicative,” “could be obtained from some more convenient, less burdensome…source,” or “the benefit of which is outweighed by its burden or expense.”
Given the time, effort, and expense of hiring digital forensic investigators to collect and analyze gigabytes upon gigabytes of data for a civil lawsuit, it’s understandable that most courts opt for a less rigorous standard.
E-Discovery Case Law
Two recent Exterro case law alerts can help you understand when forensic collection might or might not be appropriate in civil litigation.
Special Considerations for Digital Forensics in Civil Cases
- Divorce and Custody: Hearings often incorporate digital forensic evidence. One or both parties may begin evidence gathering in advance of filing a suit, but lacking skills or awareness of the law, they may inadvertently collect data in violation of the other party’s rights. On other occasions, evidence may be deleted, modified, or hidden, requiring investigators to be brought into a civil matter.
- Financial Implications: Civil litigation often has a financial outcome as the primary purpose of the lawsuit, increasing pressure on investigators to draw conclusions about finances that are typically outside their purview.
- Court-Imposed Deadlines: Typically, a court order gives the forensic investigator a deadline to report their findings, which are then shared with both parties’ counsel, along with guidance on the questions the investigator should attempt to answer.
© 2023 Exterro, Inc. // exterro.com PAGE 7
Many businesses or government agencies have digital forensics teams to help them conduct several types of forensic investigations or collections, collectively known as internal investigations. These investigations could be determining the cause and extent of a cybersecurity incident or data breach; human resources investigations; intellectual property theft or espionage investigations; regulatory compliance investigations; or even routine collections of data stored on the laptop of an employee who is separating from the company.
The purpose of a given investigation will do much to guide the digital forensic process. An investigation tasked to determine whether bias played a role in a hiring or promotion decision will necessarily differ in scope and substance from an investigation of the cause behind a data breach or other cybersecurity incident. But both will require skilled digital forensic investigators.
When a cybersecurity incident is detected, digital forensic teams have multiple goals. On one hand, they must contain the damage and remediate it. On the other, they must investigate the causes of the incident and take steps to prevent it from recurring. These goals can conflict: powering off or reimaging a compromised host stops the attacker but also destroys volatile evidence such as memory contents and active network connections, so responders should capture what the investigation needs before remediating. To accomplish these tasks, digital forensic investigators must use advanced technology and follow best practices.
Speed is critical in responding to cybersecurity incidents. The longer an intruder has access to sensitive systems and information, the greater the risk and damage incurred by the incident. More data can be exfiltrated. More business systems may need to be temporarily shut down. More potential victims will need to be notified and appropriate steps taken to protect them from further criminal activity, like fraud or identity theft.
Thankfully, there are resources available to help cybersecurity and digital forensics teams understand how to go about these tasks. Published by CISA in November 2021, the Cybersecurity Incident and Vulnerability Response Playbooks give federal agencies, contracting organizations, and vendors and service providers to federal agencies a framework to understand and implement response plans that minimize the risk of cyberattacks to critical US infrastructure. While the playbooks are written for a public sector audience, the principles apply to private enterprises as well.
Dive Deep on Cyber-Incident Response
Exterro has translated these valuable playbooks into six handy checklists to help you build out your workflow in our whitepaper Implementing the CISA Cybersecurity Incident Response Playbook.
Human Resources Investigations (Enterprise & Central)
While human resources investigations may seem rare, they are not. They can arise for many reasons. A quick list might include:
- Employee wrongdoing
- Harassment allegations
- Bullying or abuse
- Inappropriate use of social media, computers, or other equipment
- Policy enforcement
- Hiring, firing, and promotion decisions
An Exterro survey conducted in 2022 found that almost half (45%) of organizations with over $1 billion in annual revenue conduct six or more internal investigations every month.
These investigations are fraught with risks for enterprises—which is why they must take pains to conduct them effectively. While the pressure may be on for investigators to clear their organization, the risks of doing so without a thorough, documented investigation are substantial. Individuals who are passed over for promotions or fired without justification can sue, and have successfully sued, their employers for compensation. In fact, much of the modern e-discovery industry is direct fallout from a series of famous rulings in the case Zubulake v. UBS Warburg!
In analyzing the data from Exterro’s Internal Investigations Benchmarking Report, David Cohen, Partner and Chair of Records and E-Discovery Group at ReedSmith, explained:
Learn from Your Peers
Find out more about how organizations are conducting internal investigations in the Internal Investigations Benchmarking Report from Exterro and EDRM.
Digital Forensic Technology for Internal Investigations
Whether for human resources investigations of possible employee wrongdoing or legal department reviews to facilitate regulatory compliance, enterprises need advanced toolkits built with the realities of decentralized, remote-first, multidevice environments foremost in mind. The technology must allow investigators to conduct key tasks remotely, securely, and discreetly at the endpoint, eliminating the need for costly physical transportation of devices while maintaining forensically sound investigatory standards.
Some key capabilities to look for include:
- Remote Collection: Conduct investigations without alerting suspects or disrupting business operations by forensically collecting and analyzing data from remote endpoints and securing it in encrypted forensic containers. Preview live data at the endpoint, then collect the data that matters to your investigation.
- Off-Network Collection: With employees working from home, the ability to collect data from remote endpoints outside of the corporate network is critical.
- Multiple Device Capabilities: With employees using desktop and laptop computers, tablets, Macs, smartphones (both Android and iPhone) and more, a digital forensic solution must be able to collect from all types of electronic sources.
Conducting Forensic Investigations in Zero Trust Environments
With the need to detect and respond to incidents on all organizational devices and to log, analyze, and share learnings from these incidents, digital forensic technology is a must for maintaining a zero-trust environment in compliance with the federal mandate—or simply for following best practices for securing organizational data and assets. This means that a forensic solution must be able to:
- Have administrative access to endpoints across the network (scoped and audited, since a platform with that reach is itself a high-value target)
- Deploy agents to remote devices
- Maintain an inventory of all devices—and the ability to respond to incidents on these devices
- Operate across platforms including Mac, Windows, and Linux
- Image and collect data forensically across an encrypted connection
- Remediate incidents by deleting files, closing ports, or potentially deactivating users
- Preview endpoints to analyze files in use, programs running, and connected services in real time
Private investigations could be considered a fourth type of forensic investigation, but functionally they are one of the three types listed above, conducted by a digital forensic investigator who has been hired by a private party. They can be conducted for any number of reasons: a party who was victimized or wants to seek justice may hire an investigator; a prospective litigant may need to ascertain whether to pursue civil litigation in a matter; or a company may decide an internal investigation is so sensitive that it should bring in an unbiased outsider. By conducting a forensically sound investigation, the investigator helps ensure that the information they discover can be admitted in court.
Functionally, private digital forensic investigations are no different from investigations conducted by law enforcement personnel or teams operating within a given public or private sector organization. Private forensic investigators may specialize in one or more types of investigations, depending on who their clientele is—individuals, businesses, media outlets, or governmental agencies. The investigator conducts the appropriate type of investigation, then delivers their conclusions in an oral presentation, a written or digital report, or both.
Talk to an Exterro FTK® expert to find out which FTK solution is right for you. Speak to an Expert.