Digital Forensics Methodology – a brief overview

Security News ThreatsCybercrime Uncategorized

By Ron McFarland, PMP, CEH, CISSP, Ph.D., College of the Canyons-University of Maryland University College,

Computer forensics is a current hot-topic that has emerged in response to the increase of crimes committed by hackers and nation-state attacks. The computer system can be either used as an object of crime or in the commission of a crime. The computer is, then, an instrument used to commit a crime or may be a repository of evidence related to the commission of a crime. Computer forensics can be traced back to as early as 1984 when the FBI laboratory and other law enforcement agencies begun developing methods and programs that examine computers and computer files for evidence that was used in the commission of a crime.
Computer forensics, and now the more expanded and contemporary notion of digital forensics, is necessary to address the investigation of cyber-crimes and support the mitigation of system vulnerabilities to improve the security of the data infrastructure in the organization. The threat-scape for cyberattacks against the typical organization is quite vast. The number of threats that can occur on each attack surface can be daunting and requires a plan to address advanced persistent threats and hacking. Further, computer and digital tools and techniques are used to investigate crimes involving computer systems, data, and the supporting infrastructure involved in the criminal activity. With digital forensics, criminals often leave evidence behind on compromised hard drives, data resources, log files, databases, and other information system components. Digital forensics is used to investigate the following situations:
• Cyber criminals execute an attack against the organization’s web presence,
• Unauthorized web access often violates organizational policies and mandated legal restrictions regarding data privacy,
• Data recovery may be required due to intentional or accidental activities that compromise organizational data resources and services,
• Data breaches can occur as a result of a hack,
• Suspicious activities are reported within the organization, or
• Fraud is reported (Nelson, Phillips, & Steuart, 2016, p. 490).

As a result of the large threat-scape, evidence of malicious behavior needs to be collected in the form of event reconstruction (a way to map an occurrence to determine exactly what happened and how), resource confiscation (in cooperation with law enforcement), and is necessary to gather and protect data before criminals can further alter or destroy it. The process of digital forensics is to acquire information while maintaining the integrity of the data that is properly collected, as it may be involved later in a court case (Cruz, 2012).

General Use of Forensics Tools in the Organization
Digital forensics tools can be applied to identify and troubleshoot problems that occur in the organization, outside of the issue of dealing with hackers and advanced persistent threats to the organization’s data infrastructure. Digital forensics techniques can be used by the organization to locate data and hosts to identify problems that may be located physically and virtually (Cruz, 2012). Forensics can be used to identify the main cause of processing problems that the organization may be experiencing (through trends and isolated incidents analysis), which can support methods to mitigate on-going and persistent data problems in the organization (Cruz, 2012). Digital forensics tools can be deployed to track and monitor a current event, help to mitigate functional and operational events, and handle security issues (Cruz, 2012).

Along with collecting, preserving, and protecting evidence that may be presented in court, digital forensics can provide valuable services through log monitoring. Log entries provide information about activities. Forensic tools can be deployed to collect, analyze, and match log entries across multiple platforms within the organization to examine inconsistencies or identify suspicious activities (Cruz, 2012). Further, Cruz (2012) also noted that it can be used for data and systems recovery. Data can be recovered and repaired even if data has been intentionally or accidentally modified or deleted. Forensics tools can be used decrypt encoded data if the encryption key is lost or forgotten, and can acquire data from other systems that are being repurposed, retired, or that need sanitation (Cruz, 2012).

Finally, forensic tools and techniques can assist organizations to comply with due diligence requirements in order to exercise reasonable care with the appropriate and mandated degree of effort required by law or industry standards while conducting business (Regev, 2015). Forensic tools and techniques can also help businesses meet compliance standards pertaining to the protection of sensitive data, the maintenance of relevant records required for audits, and can aid in the notification and reporting of data breaches, which compromise the confidentiality of sensitive data (Cruz, 2012).

Investigatory Practices and Procedures
The use of forensics techniques and tools to address an advanced persistent threats or cyber-attacks requires adherence to rigorous investigatory practice and procedures. A digital forensics investigation, in its simplest form, can be broken up into three distinct phases including seizure, isolation and documentation. Seizure involves the acquisition of data, devices, logs, and other components used in a hack. It is particularly important that the seizure of the materials and data resources used in a hack be properly, procedurally and legally acquired, as the acquisition process and methods will be examined in any court proceedings. The right to seize materials involved in a hack or cyber-crime is achieved in a few different ways. To obtain materials used in a hack or a cyber-crime that is owned by the organization requires a properly executed search warrant for the collection and examination of materials and data assets used in the criminal activity. A search warrant may not always be necessary where proper consent is given by the legal owner. Because rules governing these other circumstances vary from state to state, it is advisable to work with prosecutors when tackling an investigation of criminal activity (Miller, n.d.).

Two Primary Models (of many)
As digital forensics is a focus on the acquisition of data and information, several techniques and methods have evolved. Several models are prevalent and each proposes a methodology to
systematically search digital devices for significant evidence. This paper notes a common model, the Abstract Digital Forensic Model (ADFM) that has been in use for over a decade and a more contemporary model, the Systematic Digital Forensic Investigation Model (SRDFIM), which takes into account the myriad of devices, such as many connected IoT devices, that are part of a forensics investigation.

The Abstract Digital Forensic Model
The Abstract Digital Forensics model in use today proposes a standardized digital forensics process that consists of nine components:
1. Identification: the type of incident is identified,
2. Preparation: the selection and preparation of tools, techniques, search warrants, and support of management is delineated,
3. Approach strategy: development of a procedure that will maximize collection of untainted evidence while minimizing the impact to the victim,
4. Preservation: Isolation, securing and preserving of the state of physical and digital evidence,
5. Collection: The recording of the physical scene and duplicate digital evidence using standardized and accepted procedures,
6. Examination: A systematic search of evidence previously collected,
7. Analysis: The determination of the significance of evidence, the reconstruction of data fragments and drawing conclusions based on evidence found,
8. Presentation: The summary and explanation of conclusions, and
9. Returning evidence: This step ensures physical and digital property is returned to proper
Agarwal, et. al (2011) discussed a more robust replacement models as new technologies have surfaced including wireless, whole drive encryption, device diversity, volume of evidence, distributed evidence, usability and visualization). Further, Agawal (2011) noted that digital forensic science has a significant impact on:
• The prevention of additional and further malicious events,
• The successful back tracking of events that led to the crime, which may determine the guilty parties involved,
• The impact on forensic science to bring criminals and perpetrators of the crime to justice,
• The improvement of current prevention standards that serve to mitigate the presenting issue, and
• The deepening of connectivity in organizations and society.

Image: SRDFIM (Agarwal, et. al, 2011).
The SRDFIM model consists of eleven phases. Each of these phases and their relationship to each phase are depicted in the image above. A clearer description of each phase is provided below.
• Phase One – Preparation: The preparation phase occurs prior to the actual investigation. This involves getting an initial understanding of the nature of the crime and activities, prepare accumulating materials for packing evidence sources, etc.
• Phase Two – Securing the Scene: This stage deals with securing the crime scene from unauthorized access and preserving the evidence from being contaminated. There should be a formal protocol for handing over a crime scene in order to ensure that the chain of custody is properly followed.
• Phase Three – Survey and Recognition: This stage involves an initial survey conducted by the investigators for evaluating the scene, identifying potential sources of evidence and formulating an appropriate search plan.
• Phase Four – Documenting the Scene: This stage involves proper documentation of the crime scene along with photographing, sketching and crime-scene mapping. All the
electronic devices at the scene must be photographed along with the power adaptors, cables, cradles and other accessories.
• Phase five – Communication Shielding: This step occurs prior to evidence collection. At this stage, all further possible communication options of the devices should be blocked. Even if the device appears to be in off state, some communication features like wireless or Bluetooth may be enabled. This may result in overwriting the existing information and hence such possibilities should be avoided.
• Phase Six – Evidence Collection: Evidence collection of the digital or mobile devices is an important step and required a proper procedure or guideline to make them work.
• Phase Seven: Preservation: This phase includes packaging, transportation and storage. Appropriate procedures should be followed and documented to ensure that the electronic evidence collected is not altered or destroyed. This phase is also important in the documentation of the chain of custody.
• Phase Eight: Examination: This phase involves examining the contents of the collected evidence by forensic specialists and extracting information, which is critical for proving the case. Appropriate number of evidence back-ups must be created before proceeding to examination. This phase aims at making the evidence visible, while explaining its originality and significance.
• Phase Nine: Analysis: This step is more of a technical review conducted by the investigative team on the basis of the results of the examination of the evidence. Identifying relationships between fragments of data, analyzing hidden data, determining the significance of the information obtained from the examination phase, reconstructing the event data, based on the extracted data and arriving at proper conclusions etc. are some of the activities to be performed at this stage.
• Phase Ten: Presentation: After extracting and analyzing the evidence collected, the results may need to be presented before a wide variety of audience including law enforcement officials, technical experts, legal experts, corporate management, etc.
• Phase Eleven – Result & Review: The final stage in the model is the review phase. This phase involves reviewing all the steps in the investigation and identifying areas of improvement.
In summary, computer forensics (e.g. digital forensics) involves the proper and procedural acquisition of data, which can be used in computer crime. Computer forensics is the use of a set of prescribed procedures that are employed to examine a computer system and associated devices using software and tool that extract and preserve digital evidence. The use of a structured approach, whether the more commonly used Abstract Digital Forensic Model, the more robust Systematic Digital Forensic Investigation Model, or a similar model to derive and categorize digital evidence in a legally-sound manner.
Agarwal, Ankit & Megha Gupta, Ms & Saurabh Gupta, Mr & Gupta, Yatendra & Gupta, Chandra. (2011). Systematic Digital Forensic Investigation Model. International Journal of Computer Science and Security. 2011-118.
Cruz, X. (2012, November 5). The Basics of Cloud Forensics. Retrieved September 18, 2017, from Cloud Times:
Nelson, B., Phillips, A., & Steuart, C. (2016). Guide to Computer Forensics and Investigations: Processing Digital Evidence. 5th ed. Boston: Cengage Learning.
Regev, H. (2015, February). Due Diligence. Retrieved September 17, 2017, from TechTarget: