By John Ahearne, Forensic Analyst
This article is part of a series that delves into each step of the digital forensic process. If you missed one of the previous articles, you can read them at the links below:
- Digital Forensic Process—Introduction
- Digital Forensic Process—Identification
- Digital Forensics Process—Preservation/Collection
Analysis of Digital Evidence
Forensic digital analysis is the in-depth analysis and examination of electronically stored information (ESI), with the purpose of identifying information that may support or contest matters in a civil or criminal investigation and/or court proceeding.
When forensic analysis is the ultimate goal, it is imperative that the electronically stored evidence is treated with great care. The evidence must be preserved and nothing should be done that may alter the ESI during the analysis process. This is why the best legal result will be obtained by analyzing a forensic image or copy of the device as opposed to the original device or source. A source of digital evidence may be cloud-based as well.
As explained in the previous article in this series, the first step to the digital forensic process is identification. This step goes hand-in-hand with determining your scope of analysis.
Scope of Analysis
The scope of analysis begins with identifying who the key players are and where the electronically stored evidence is. This information is gathered during the identification step of the digital forensic process and requires clear communication with the client.
Whenever possible, the initial scope should be clearly identified, but that is not always the case. In some cases, we may be looking for a “needle in a haystack,” so the scope may be expanded or contracted as the analysis progresses. This is the Who, What, When and possibly the Where and Why part of the examination.
Documentation and communication should include:
- Focus of the examination
- General nature of the matter
- Time frame of the chain of events
- Logical and/or deleted data
- Data leakage
Focus of the Examination
What is the focus of the examination?
Identify who are the people involved on both sides of the dispute and who is the focus of the examination.
Please see our article, Digital Forensic Process—Identification.
General Nature of the Matter
What is the general nature of the matter? Is it regarding a will or trust, or a company design? Many legal cases have also arisen regarding customer lists, which can be considered valuable intellectual property (IP).
Employee misconduct, misappropriation of company information, fraud or divorce are just a few examples. Knowing the nature of the matter will help identify what type of data or what file types a forensic examiner should be looking for and where that data might be found.
Time Frame of Chain of Events
When did the chain of events occur?
The times and dates or a date range of when an alleged event took place will help narrow the examination. In the example of employee misconduct, when was the employee’s last work date? When was the device last used by the employee or returned to the company?
In this and similar situations, resist the temptation to log into an employee’s computer because you will compromise potential evidence, especially time/date stamps.
Logical and/or Deleted Data
Logical data refers to data that is not deleted and does not require data recovery or special software to access the information. Determine which data types should be included in the examination, such as Word documents, Excel spreadsheets, Acrobat PDFs, photographs and emails. Use of social media, such as Snapchat, WhatsApp, Facebook and YouTube, may require analysis, depending on the case.
An emptied Recycle Bin or Trash is referred to as a hard deletion. Deleted data and a cleared web history are signs of hiding one’s tracks. With deleted data, we cannot be limited to a targeted collection of logical data only. A sector-by-sector forensic image of the entire device must be performed. It’s good practice to pre-emptively extract a forensic image of employee devices when any employee leaves a company.
Establishing a scope of analysis and understanding where the data is stored helps us as forensic examiners to provide the client with accurate and fast results.
Data Leakage
The unauthorized transfer of information from inside to outside an organization is known as data leakage.
Were any external hard drives or other connected devices plugged into the computer? Examples include USBs, mobile devices or backup devices. Be sure to identify any possible sharing of data to another device.
Internet of Things (IoT) devices are becoming more prevalent in our lives and should also be considered. Examples include wearable technology, company/rental cars, surveillance cameras or home assistants.
Are the email servers and cloud storage systems monitored and backed up by IT? Is there a legal responsibility to preserve data?
What are names, phrases and words that could be helpful in locating the data of interest? Examples may include contacts, personal email addresses, project names or companies in direct competition.
Limitations may be in effect due to privacy or opposing interests.
In matters involving opposing interests, a party or court may limit the scope of information to be analyzed or even collected. It is always best to get this in writing in the form of a Stipulation or a Protective Order. The digital forensic analyst should be included in the creation of this documentation to ensure that the limitations are possible, based on the way the ESI is stored and how forensic software acquires and processes the data.
Time can be an issue. Are there any immediate court dates or depositions scheduled?
Privileged communications between attorney/client, doctor/patient, and husband/wife are common limitations to consider when providing evidence in a case. Just because a wife hands over her husband’s cell phone, it does not mean that the authority to analyze it is automatic. Employees may have an expectation of a certain amount of privacy even when using a company-supplied laptop. Does company policy clearly define what privacy the employee can expect, and does the employee understand it?
Personally Identifiable Information (PII), such as patient records, Social Security numbers, and tax records, is ESI that needs to be protected. It is important to investigate any third-party digital forensic team you may employ to be sure all data is protected by the necessary security certifications, such as SOC 2 Type II and HIPAA.
Forensic Tools and Software
A repeatable and defensible process is the continuing theme throughout this series of articles. Forensic and eDiscovery software are no exception. There are many forensic/eDiscovery tools on the market. Free and open source tools are also available. An experienced digital forensic examiner will know what tool or tools are the best for the type of device and the type of data.
Forensic Software Validation
Regardless of what tool or software you use, it must be validated. I am not going to get into the Daubert Standard here; a quick search will provide you with plenty of reading material. However, the digital forensic examiner has to be certain that the information produced by the forensic software is accurate.
A forensic examiner has to know where information is stored and how the chosen forensic tool parses out that information. There are no shortcuts to this requirement. You can’t rely on “push-button” forensics by simply running some software and spitting out the results.
Training, experience and good tech support are a few of the ways a forensic examiner can gain the knowledge necessary to validate their tools. Forensic forums, podcasts and articles are other methods to stay on top of new trends and technologies.
At the same time, there has to be some faith in your forensic software. If we had to validate every single step, we would never get any work done. An application’s main purpose is to improve productivity and accuracy. Industry leading forensic software does not stay in the lead if their subscribers are finding errors in their product. It is important for forensic analysts to be trained and certified in digital forensics and eDiscovery by leading software vendors because these are the tools that generally provide the best results.
Open Source vs. Commercial Software
Open source software certainly has its place. There are times that, if a forensic examiner sees something that doesn’t seem right or doesn’t make any sense, open source software can be used to validate commercial software by comparing results. If results from different software vary in ways that were not expected, then it’s time for some research and/or software tech support.
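The cross-check described above, as an added example that is not part of the original article: it reads two tools' file listings for the same image (constructed sample CSV exports with placeholder hash values, not output from any real product) and reports every file the tools disagree on, so each discrepancy can be researched instead of assumed away.

```python
"""Cross-check two forensic tools' file listings for the same forensic image."""
import csv
import io

# Constructed sample exports: tool A (commercial) vs. tool B (open source).
# Paths and hashes are placeholders, not values from a real case.
TOOL_A_CSV = """path,size,sha256
/Users/jdoe/Documents/customers.xlsx,20480,aaaa1111
/Users/jdoe/Documents/design.pdf,512000,bbbb2222
/Users/jdoe/.Trash/notes.docx,4096,cccc3333
"""

TOOL_B_CSV = """path,size,sha256
/Users/jdoe/Documents/customers.xlsx,20480,aaaa1111
/Users/jdoe/Documents/design.pdf,512000,dddd4444
/Users/jdoe/Desktop/resume.docx,8192,eeee5555
"""


def parse_listing(text):
    """Return {path: (size, sha256)} from a CSV export of a file-system parse."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["path"]: (int(r["size"]), r["sha256"].lower()) for r in rows}


def compare_listings(a, b):
    """Find where two tools disagree: files only one tool recovered, and
    files both found but with differing size or hash."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    mismatched = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return {"only_a": only_a, "only_b": only_b, "mismatched": mismatched}


def validation_report(tool_a_csv, tool_b_csv):
    """Full report plus an 'agrees' flag; any False result means research
    or vendor tech support is needed before relying on either tool."""
    result = compare_listings(parse_listing(tool_a_csv), parse_listing(tool_b_csv))
    result["agrees"] = not any(result[k] for k in ("only_a", "only_b", "mismatched"))
    return result


if __name__ == "__main__":
    for key, value in validation_report(TOOL_A_CSV, TOOL_B_CSV).items():
        print(f"{key}: {value}")
```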
One thing about open source software: there is no tech support. You are on your own with open source. If you paid for software—any kind of software—take advantage of that tech support (it’s paid for!).
Budget matters as well. Industry-leading software and forensic training are not cheap. A lot of good open source software is free, and many leading vendors offer tools for free, especially to law enforcement.
You may already have software in place, like Google Vault or Takeout, that can be of use to your forensic/eDiscovery team. BlackBag Technology offers free two-day training. SANS Institute offers a free forensic toolkit and free webinars that earn CPE credits. Keep informed of upcoming offers like these.
Every good forensic lab should have a healthy balance of quality forensic software by leading vendors and open source, and the knowledge to stand behind them.
Accurate, Repeatable and Defensible
Whether you work in law enforcement putting criminals behind bars, or in the corporate/civil world where someone may lose a job or custody of their children, we as forensic examiners and analysts always have to be sure that our results are accurate.
With DriveSavers, you can be confident that our results are accurate, repeatable and defensible, as well as secured and treated with the respect and the integrity that you require.
Stay tuned for your lesson in Presentation!