Digital forensics is the investigation of computer systems for the retrieval and analysis of digital evidence. In general, three main steps, called the three A’s, have been identified in the investigation process: Acquire, Authenticate, and Analyze. These three steps and the final step of Presentation are elaborated upon further in this section. When a suspect drive is obtained from a seized computer, a copy of the drive is made. The copy is then analyzed to identify valuable evidence such as log files, deleted files, and so forth. Analysis of the identified evidence yields reconstructed files or other useful information.
The process of acquiring electronic evidence may vary from one case to another. A challenge in finding evidence is knowing where to look for it. For example, some investigations may require examining the data stored on the hard disk, while in certain cases of network intrusion the evidence may exist only in RAM. So there is no single procedure for collecting evidence, and the choice of a suitable methodology to secure digital evidence will depend on the type of evidence sought and the technology available at the time. The investigator should know which tool to use in order to bring the evidence to light. It is also important to identify and capture the evidence without losing its integrity and value, so that it remains admissible in court. There are several steps involved in acquiring the evidence, as outlined in the following list:
To protect the integrity of the evidence and to argue that it was not tampered with while in custody, maintaining a chain of custody for the evidence collected is crucial. Chain of custody is a process used to maintain and document the chronological history of the investigation. The chain of custody tracking document for a piece of evidence records information such as who handled the evidence, what procedures were performed on it, when it was collected and analyzed, where it was found and is stored, why this material was considered evidence, and how the evidence collection and maintenance were done.
To identify potential evidence, the investigator needs extensive knowledge of computer hardware and software, including operating systems, file systems, and cryptographic algorithms. Evidence has to be identified among normal files, and may be found in slack space, unallocated space, registries, hidden files, encrypted files, password-protected files, system logs, etc. Evidence can be found on any number of media sources such as hard drives, floppy disks, CD-ROMs, PDAs, cell phones, flash drives, and more.
The identified evidence has to be collected from the available components. The evidence collection must not be delayed, because valuable information may be lost if the computer continues to be used. In some cases, the evidence may have to be duplicated for analysis by making an exact bit-by-bit copy of the original using special “forensic” software and/or hardware. This process of making an identical copy of the original evidence is called imaging. The mutability of data creates a number of hurdles in the imaging process: evidence could easily be altered while the copy is being made. The imaging utility must not introduce new data into either the original evidence or the copy. The investigator must be able to prove in court that the copy is a valid one, and to show that the imaging process is repeatable.
All data recovered from the compromised system should be physically secured. Evidence such as hard disks can be damaged if not handled properly. Such magnetic media should be protected from mechanical or electromagnetic damage. The package has to be sealed to prove that it has not been tampered with during transportation. A chain of custody document must be associated with every piece of evidence.
A challenge in acquiring digital evidence lies in the fact that it is economically infeasible to seize all available resources for further investigation in today’s digital age, where information is mostly created, stored, and transmitted in electronic form.
It is essential that the evidence collected is an exact copy of the original at the time the crime was detected. The investigator must be able to show persuasively that the evidence originated from the computer under attack or the computer at the crime scene. Once the evidence is collected, it must be ensured that it is not destroyed, altered, or tampered with. Authentication of evidence using simple hashing and time-stamping techniques is an effective way to compare the duplicate with the original. A hash function H is a transformation that takes an input m and returns a fixed-size string, called the hash value h (that is, h = H(m)). One can think of the hash value as a “digital fingerprint”. MD5 and SHA are two popular hash algorithms. When digital evidence is collected and duplicated, the hash values of the original and of the copy are computed and recorded. The two values must be identical; any difference shows that the copy does not match the original.
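The imaging and authentication steps described above, as an added example that is not part of the original article: a bit-for-bit copy of a constructed sample “drive” is made, the SHA-256 fingerprints of original and copy are recorded in chain-of-custody entries, and a final check shows that a single flipped bit in a copy is exposed by the hash comparison. SHA-256 is used rather than the MD5 the text mentions because practical MD5 collisions are known; the hardware write blocker a real imaging setup relies on is outside what code can show.

```python
import datetime
import hashlib
import io

CHUNK = 4096  # read the source in fixed-size blocks, as an imaging tool would

def image_device(src, dst, chunk=CHUNK):
    """Copy src to dst bit for bit and return the SHA-256 of everything read.
    The original is read exactly once and never written to."""
    h = hashlib.sha256()
    for block in iter(lambda: src.read(chunk), b""):
        h.update(block)
        dst.write(block)
    return h.hexdigest()

def hash_stream(stream, chunk=CHUNK):
    """Independent SHA-256 of a stream, used to fingerprint the copy."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def custody_entry(item, handler, action, digest):
    """Chain-of-custody record: who did what to which item, when, and the
    hash that ties the record to the exact bytes handled."""
    when = datetime.datetime.now(datetime.timezone.utc).isoformat()
    return {"item": item, "who": handler, "action": action,
            "sha256": digest, "when": when}

# Constructed sample drive contents; not data from any real case.
DRIVE = b"MBR\x00" + b"\x00" * 1000 + b"fragment of a deleted file" + b"\xff" * 500

def acquire_and_authenticate(source_bytes=DRIVE, handler="examiner-1"):
    """Image the source, hash the copy independently, log both hashes in
    the custody record, and report whether the fingerprints match."""
    copy = io.BytesIO()
    original_digest = image_device(io.BytesIO(source_bytes), copy)
    copy.seek(0)
    copy_digest = hash_stream(copy)
    log = [custody_entry("HDD-1 (original)", handler, "imaged", original_digest),
           custody_entry("HDD-1 (image)", handler, "hash verified", copy_digest)]
    return original_digest == copy_digest, log

def copy_matches(source_bytes, recorded_digest, flip_bit=False):
    """Re-hash a copy against the recorded fingerprint; with flip_bit one bit
    is altered first, so the hashes differ (how a corrupted image is exposed)."""
    data = bytearray(source_bytes)
    if flip_bit:
        data[len(data) // 2] ^= 0x01
    return hash_stream(io.BytesIO(bytes(data))) == recorded_digest
```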
Multiple tools may need to be used to completely analyze the evidence seized. Tested and validated tools should be used, or, if other tools are used, the investigator must ensure that the evidence is not tainted. Some activities involved in the analysis include reading the partition table; searching existing files for relevant information such as keywords, system state changes, or text strings; retrieving information from deleted files; checking for data hidden in the boot record, unallocated space, slack space, or bad blocks on the disk; cracking passwords; and so on. Performing analysis on a live system is a challenging task, since the system utilities themselves may have been modified by the intruder. In some cases, complex computer and network activity makes the evidence dynamic and not conducive to reproduction. Even deleted files can be retrieved from a disk by a trained forensic investigator; only completely overwriting a file will make it inaccessible by any standard means. In order to recover overwritten data, advanced techniques such as Scanning Tunneling Microscopy (STM) or Magnetic Force Microscopy (MFM) may be used (Gomez, Adly, Mayergoyz, Burke, 1992; Gutmann, 1996). These techniques exploit the fact that it is virtually impossible to write data to exactly the same location every time because of physical limitations of the recording mechanisms. These devices incur huge costs in time and storage space and hence are not widely used. Other log-based techniques such as “Byteprints” have been proposed to recover previous consistent snapshots of files even if they have been overwritten (Sitaraman, Krishnamurthy, Venkatesan, 2005). Such techniques do not need sophisticated and often expensive equipment. The interpretation of the results of an analysis depends largely on the capability of the examiner.
At this stage, the examiner can establish the meaning and relevance of the processed data and solve issues like the identity of the owner, purpose of the data, and so forth.
Presentation or generation of a report of the results of an analysis is a crucial step in an investigation. Every step in the forensic analysis has to be documented carefully. The examiner should be able to explain complex technological concepts in simple terms. The meaning and significance of the results obtained must be clearly conveyed.
Source: I forgot where I took this article from.