Technology and Investigations
This is an Insight article, written by a selected partner as part of GIR's co-published content.
Technology has progressively become a part of our everyday life. Twenty years ago, some people had a computer at home with Internet access and phones were not yet smart. They were not the equivalent of a computer in your hand. You could call, text, take mediocre pictures or videos and use some basic apps such as a daily planner and a calculator.
Businesses had computers, but in many cases they were networked locally within the office and had no connectivity outside of it. Most of the computers were desktops and thus were stationary in the office. The data was usually stored locally on the device itself.
Modern day homes can have multiple computers all networked together and connected to the Internet. It is not unusual to find a few computers, laptops or desktops and smart phones for every individual in the home, old enough to have one, as well as tablets, smart watches, smart televisions, connected gaming systems, etc. Businesses have switched to laptops so that their employees can work while out of the office. Offices across the globe are connected over the Internet. Data might be stored locally on the device, but it is not unusual for it to be stored in the ‘cloud’.
The cloud is used to describe computers that are ‘out there’ somewhere. The user does not know where the computer is located and does not need to know. All they know is that when they need to access their data, it is right there. Commercial companies such as Amazon, Microsoft, IBM and many others offer commercial cloud services. Companies that previously had a large server infrastructure on site can move everything to the cloud, freeing up valuable real estate, making their work force more mobile and eliminating the need for skilled IT network specialists as there is no more equipment on premises to maintain.
Conducting investigations in today’s world means you need to deal with technology. There will be very few investigations where you will have no data to seize to examine for evidence. Even something as traditional as a bar fight will be video recorded by people with their smart phones, posted to social media, or shared privately via any number of communication platforms. Parties involved in the fight might communicate with friends afterwards and discuss the fight. They may take pictures of their injuries. They may post about what happened on their social media pages.
Sexual misconduct investigations often include inappropriate electronic communications, whether text, photos or videos. Abuse of authority will include electronic communications. Frauds and thefts might involve modifying electronic records, e.g. electronic communications with vendors, implementing partners, or accomplices, or the deletion of records.
All this technology has penetrated the fibres of our private and corporate worlds, which means you will be dealing with it in virtually every investigation. Electronic evidence can be easily modified whether intentionally or accidentally, resulting in the loss of inculpatory or exculpatory evidence. You need an appropriate resource to collect that evidence in a manner that it will be accepted as evidence at the hearing. It needs to be collected and analysed in keeping with sound digital forensics principles. You need a properly trained digital forensic examiner.
What is digital forensics?
‘Forensic science is generally defined as the application of science to the law.’ Digital forensics is the application of forensic science in the field of digital evidence. There are different models identifying the steps in digital forensics, with some minor variances in terminology. For the purpose of this document, we will use the following model:
- Identify digital evidence to be collected
- Collect the evidence in accordance with forensic principles
- Preserve the evidence such that you can establish its integrity from collection to court
- Analyse the evidence in accordance with forensic best practices
- Report on both inculpatory and exculpatory evidence
The Association of Chief Police Officers (ACPO) published a ‘Good Practice Guide for Digital Evidence’ in March of 2012. In the document they outline the following four principles that are universally accepted within digital forensics and have stood the test of time:
- No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
- In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
- An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
- The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
Adhering to these principles will help ensure the admissibility of digital evidence.
Why do I need digital forensics?
These days it is very likely that every case you deal with will have some form of electronic evidence. Even traditional misconducts may have electronic communications, such as calls, chats, and emails, between parties relevant to the investigation. The geolocation of a device can help place someone at a location or a misconduct, or away from it, which may corroborate a party’s statement.
In some cases, digital evidence can account for the bulk of your evidence. In the early days of financial investigations, you could collect dozens of banker’s boxes of paper evidence. Today paper evidence makes up a very small percentage of the overall evidence. If you do not collect available digital evidence as part of your investigation, you are not conducting a full investigation. You risk missing both inculpatory and exculpatory evidence, both of which would be detrimental to your case.
Digital evidence has been used in police and corporate investigations for over two decades. If you have not already embraced it, you are limiting the scope of your investigations and subjecting them to unnecessary risk.
As was outlined in the forensic principles section of this chapter, there are principles that you must adhere to when dealing with digital evidence. Digital forensics is a specialised field of information technology and requires a subject matter expert. It must not be performed by an untrained or inexperienced individual.
Familiarise yourself with the section in this chapter on training and certification. Use that information to help you develop requirements for your subject matter expert or experts in digital forensics. Digital forensic examiners are in high demand. You should expect to have to compete for a small pool of qualified candidates with the necessary experience to implement a digital forensics program in your investigation section.
If you plan to hire a qualified but inexperienced digital forensic examiner, you will need to plan on 12 to 18 months of development of that staff member under the supervision of an experienced digital forensic examiner. If you anticipate growing your investigation team, make sure you assess the impact on your existing digital forensic capacity and plan to grow that capacity as well if necessary, recognising that it will take longer to grow that capacity versus traditional investigation capacity.
Digital forensic examiners require a collection of computers and specialised software and you will need to forecast annual training for your digital forensic examiners. You will also need to forecast the annual renewal of specialised software and the periodical replacement of aging hardware. Consider the impact of both of these on your budget projections when planning your digital forensic staffing requirements. Establishing a digital forensic capacity is not a one-off cost. You need to allocate an annual operating budget that will be far greater per staff member versus your traditional investigator as noted herein.
Legal, policies and procedures
Chapter 9 provides more granular guidance on data collection and privacy. This section of the chapter provides some general considerations to be applied within the boundaries of whatever data privacy laws apply to you. Please refer to chapter 9 for specific guidance on data privacy.
Access to corporate data
It is a good practice to encrypt corporate data, and so ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’, to protect it from unauthorised access. Corporate computers can be encrypted with BitLocker or some other encryption solution. Choose a solution that allows IT to implement a security policy whereby the recovery key to decrypt the data is securely stored and accessible by IT if required by your digital forensic examiner to decrypt a corporate device. Implement a policy that establishes the process that investigations must follow to request the recovery key, to prevent abuse and to refute the argument that investigations are operating without any oversight and engaging in fishing trips.
Corporate policies as well as IT policies can also be developed to manage the use of removable media, e.g. USB drives, the use of cloud storage, and the use of personal devices. Policies are designed to protect the organisation and ensure that it can access its data if the situation requires it. Your digital forensic examiner should engage your IT in a discussion to ensure that appropriate measures are in place to provide them with access to corporate data should it be authorised by an investigation.
Duty to cooperate
A common practice in corporations is to have a duty to cooperate policy where staff are obligated to cooperate with an internal investigation. This includes turning over corporate equipment when requested and providing the password for their work accounts. This can also be supplemented by an acceptable use policy that all staff members are required to read and acknowledge that they understand upon being hired. If the policy changes staff must sign the updated policy.
Unfortunately, some staff will forget their password under the stress of an internal investigation. Discuss with your IT options to deal with these scenarios and implement policies accordingly to ensure that your digital forensic investigator will be able to access corporate data, even in absence of a compliant employee.
Right to privacy
Your policies need to address the right to privacy of the employee. It is not uncommon for an organisation to either allow or turn a blind eye to an employee using corporate equipment for limited, reasonable personal use during their own time, e.g. accessing social media, personal email and online banking during their lunch break.
It is prudent to adopt a clear policy that lets employees and contractors know that everything done on a corporate device is subject to corporate policy. If an employee or contractor does not agree with that, they have the option of not using corporate equipment for personal use. Failure to have such a policy in place could result in getting dragged into a legal battle over an employee’s right to privacy, even on corporate assets.
This is especially delicate if your organisation allows BYOD. The UK Information Commissioner’s Office has published guidance on BYOD. In a BYOD environment, a user will use their own laptop or own mobile phone to carry out their duties. This can be an attractive cost savings option for an organisation, but it blurs the lines between personal data and corporate data. If the device simply provides the employee with access to a portal where everything work-related remains on corporate servers or in the corporate cloud, it is less of an issue. If employees store corporate data on their local device, can you compel the employee to turn over a personal device?
If you intend to make BYOD in scope of your search authority, the acceptable use policy that must be read and acknowledged by staff and contractors will need to include a section on BYOD. Transparency is important as is setting expectations with employees or contractors. If an employee or contractor does not agree with your search authority extending to BYOD, you have the option to issue that employee or contractor with a corporate device in lieu of BYOD.
Digital forensics specific policies
Your digital forensic investigator or investigators, like all other investigators in your agency, must operate within legal and administrative boundaries. Most of the policies and procedures in place for your regular investigators will apply to your digital forensic investigator or investigators. You will need to consider existing policies and how they relate to your digital forensic investigator or investigators and the duties they carry out.
A traditional investigator will collect physical evidence relevant to the matter under investigation. You may have a policy in place requiring investigators to physically triage all paper documents on scene to confirm that it falls within the scope of the approved investigation prior to seizing. It is generally feasible to implement such a restrictive policy relating to the collection of physical evidence to minimise the intrusiveness with minimal risk that evidence will be lost.
Such a policy does not work with digital evidence. The data on computers and storage devices is exponentially more voluminous. Some of the data might be encrypted, saved in an unknown format, or deleted and require data recovery. Documents can be mislabeled, e.g. dates and times might be inaccurate. It is risky for a digital forensic examiner to triage electronic evidence on scene and only seize targeted data based on high level filtering criteria.
There will be cases where such triage is appropriate or necessary. In general, the digital forensic examiner will need to seize the entire dataset and analyse the data over a period of days, weeks, or possibly even months. It may require procurement of specialised tools, or consultation with peers. If the dataset contains personal data, please refer to chapter 9 for guidance on proper handling of such data.
Draft a data seizure policy reflecting today’s technological environment, outlining the search authority of your investigators to seize data. Over the past number of years we have seen greater integration between devices. Data seamlessly synchronises between your phone, your laptop and the cloud. Data synchronises between Internet of Things (IoT) devices, such as smart watches, and your phone or laptop. Your browsing activity syncs between your phone, your work laptop and your personal laptop. Data can simultaneously exist on more than one device.
Do not implement a policy that artificially limits the authority of your digital forensic investigator to collect evidence from corporate assets that could reasonably contain the data being sought in an investigation.
Your digital forensic investigator will usually need to execute an over seizure, even when doing a targeted collection. The computer or phone that they are seizing will have a lot of data on it that is not relevant to your investigation. Because of this, they will need to take on the role of gate keeper.
Policy framed within the appropriate legal authorities of your environment and data privacy guidelines outlined in chapter 9, will guide your digital forensic investigator on how to handle data that is not relevant to the matter under investigation. What can or must they do if they find privileged information, e.g. communication with a lawyer or health records? Under what circumstances, if any, can they share that with the investigator? How must they segregate that data from the rest of the data?
Further to possible privileged information, your digital forensic investigator will possess a lot of private or personal information that will not be relevant to the investigation. They have an important responsibility to act as a gate keeper of the data they seize. As best as is reasonably possible, they should limit what they give the investigator to only what is relevant. If the matter being investigated is harassing emails sent to a staff member, with no photos involved, there is no reason for the digital forensic examiner to look at the photos and no reason to provide them to the investigator for review. The exception to that might be if the subject claims to not know the victim, yet there are photos or videos that corroborate that they know each other.
Conversely, if the harassment involved sending sexually explicit images, it would be reasonable to look at images and make them available to the investigator for review. Where possible, your digital forensic examiner should filter the data as best as they can to minimise providing the investigator with content that is out of scope of the investigation. That will not always be possible. Because of this, your policy will need to guide your investigators on how to deal with content they receive from the digital forensic investigator that is out of scope.
There may be cases where something will seem completely out of scope on the surface but may be relevant. A browsing history showing someone looking at information on Alcoholics Anonymous may very well be out of scope. But if intertwined with that browsing activity you see that the person at the computer logged into an email account and sent the threatening email you are investigating, the intertwined activity becomes potentially relevant as it provides insight of who was likely at the keyboard when that email was sent.
The elephant in the matchbox
There is a doctrine used in the courts in the United States called the elephant in the matchbox. If you are authorised to search a building for an elephant, you have no reason to look in a matchbox. Doing so would be operating outside the boundaries of your search authority. You should only be looking where an elephant could fit, but if you are also authorised to look for evidence relating to the illegal importation of that elephant you could look for paperwork in a desk for example.
This doctrine is also applicable to digital evidence. Your digital forensic investigator will need to justify why they looked in different locations on the computer, or at different types of data. It is important that they can demonstrate that they found something while respecting the boundaries of this doctrine. Your policy should reinforce this doctrine. Your digital forensic examiner may need to satisfy a court or tribunal that they did not go beyond the scope of the approved investigation when they found a particular piece of evidence.
This doctrine becomes even more important if your digital forensic investigator comes across evidence unrelated to the matter under investigation. Going back to the elephant in the matchbox, if you are authorised to search for an elephant and look in the garage and find a marijuana growing operation you have not violated the doctrine and the evidence relating to the newly discovered crime will most likely be admissible.
Your policy will need to guide your digital forensic investigator on what to do if they come across evidence of an additional misconduct not under investigation, or a misconduct that is subject of another, unrelated investigation. Can they share either of these with the investigator? What if they find misconduct against another agency? Are they permitted to share that with them? What if they find illegal content, e.g. fraud, drugs, child sexual abuse content or national security? What is their obligation or authority to report that to the authorities?
Equally important, your policy will need to outline whether your digital forensic investigator can go looking for more evidence relating to the new crime they discovered, or if they must wait until that becomes an authorised investigation complete with the boundaries of their search authority for that newly authorised investigation. In the policing world, an example of this would be looking for photos of a growing operation as part of a drug investigation and stumbling across child sexual abuse images. Depending on the jurisdiction, the police officer would not be able to start looking at Peer to Peer (P2P) activity. Knowing that people who are involved in child sexual abuse images often use P2P technology to trade in this material, the police officer cannot start analysing P2P programs on the computer while still operating within the scope of the drug investigation. A new investigation in child sexual abuse first needs to be opened and lawful authority obtained from the courts to start looking for evidence relating to that new offense.
If your corporate environment has similar restrictions on an investigator’s authority, you will need to ensure it is reflected in your policies.
Data retention policy
As noted in this section, when you collect electronic evidence as part of an investigation, you will end up with a lot of personal or private data in addition to data that is in scope of your investigation. When drafting data privacy or data protection policies, do not forget to include the data you collect in the course of an investigation.
Data should be securely held for as long as it is required for business purposes, including corporate investigations. Once the data is no longer required and it has reached its data retention limit, you have a duty to properly dispose of the data in accordance with the data privacy legislation that your organisation is bound by. Refer to chapter 9 for guidance on data privacy considerations that will guide your data retention policy.
Consider not only the data that is held on corporate devices, but the data held on your corporate servers, e.g. emails, network storage, and server logs. How many years of emails will you keep? Will you keep all emails, including deleted ones? How about files? Do you need to keep prior versions of a document? All these need to be considered and reflected in your policies.
Digital forensic equipment
There are various classifications and types of digital forensic equipment. The classifications can be split into these three categories:
- Open-Source: Source Code is free to be used by the entire community.
- Commercial or Proprietary: Generally paid tools that are commercially available; the rights for the source code are protected.
- Self-Created: Can be created by a user or investigator to automate the investigative process.
Tools are further categorised by the types of evidence to be analysed. In this chapter we will cover a sample of the most used open source and commercial tools.
Forensic imaging is one of the first steps in the forensics process and involves securing a bit-by-bit copy of the drive to be examined. The process of imaging a drive varies depending on the method used. There are software tools that perform this process, such as FTK Imager, Encase Imager, Caine and Belkasoft Acquisition tool. There are also hardware duplicators that perform the same task at significantly faster speed, e.g. Tableau duplicator, Ditto DX and Detego Ballistic Imager.
Both kinds rely on the same principle when imaging drives: write blocking, which prevents the system used from writing anything to the drive and only allows copying from it, making communication one-way.
Computer analysis tools
Computer forensic analysis tools vary in terms of capabilities, operating system speciality and the depth of analysis they provide. Below are the most used free and commercial forensic tools for computers:
- Open-Source: Caine, The Sleuth Kit, Autopsy, SIFT workstation etc.
- Commercial tools: X-Ways, Encase, FTK, Intella, Axiom, Black Light, Belkasoft Evidence Center, Nuix, OS Forensics etc.
Mobile forensic tools
It is important to note that not all mobile forensics tools offer the possibility of unlocking locked devices. This is usually a service provided by commercial mobile forensic tools such as Cellebrite and GreyShift.
- Open-Source: E.g. Syncios, SuncDroid, iTunes Backup Parser Enscript, Android Data Extractor Lite (ADEL), Android Connections Forensics, iPhone Backup Browser and Open Source Android Forensics Toolkit.
- Commercial tools: E.g. XRY, UFED-Cellebrite, Oxygen Forensic, GreyShift, Belkasoft Evidence Center, Elcomsoft, Axiom, Access data Mobile Phone Examiner, MOBILedit Forensic, Mobilyze, and SecureView.
E-discovery, also written eDiscovery or electronic discovery, is the process of searching and locating computer data present in digital archives such as running systems, corporate emails, corporate servers and computers.
- Open-Source: e.g. ADIA, Caine, SANS SIFT Workstation and the Sleuth Kit.
- Commercial: E.g. Microsoft 365 E-discovery module, Axiom Cyber, Intella, Blacklight, Belkasoft Evidence Center, Encase Forensics, Eclipse Enterprise, Forensics ToolKit FTK, Nuix and X-Ways Forensics.
Remote forensic tools
Remote forensics is constantly evolving to accommodate the growing need for organisations to remotely acquire evidence over the organisation’s network and the public internet. This capability facilitates the forensics examination by making the data available for analysis in minimal time.
- Open-Source: Bitscout
- Commercial: F-Response, Encase Enterprise, Access Data AD Enterprise, Belkasoft Evidence Center, Axiom Cyber, Live Marshal and Prey Anti-Theft.
Validating your tools
It is always advisable for forensic investigators to validate the tools they use. There are various methods and resources available for this validation. For this chapter we will cover two of them:
The US National Institute of Standards and Technology (NIST) developed a comprehensive database of most forensic tools categorised by types and functionalities. It is advisable for forensics investigators to validate the tools they are using by ensuring the proper assessments were objectively made regarding the speciality of the tool they are using. Information regarding the majority of the forensic tools can be found through the National Institute of Standards and Technology.
The European Informatics Data Exchange Framework for Courts and Evidence has developed a great resource by mapping, testing, and categorising the vast majority of the forensics tools online, covering commercial, freeware and open-source tools. This categorisation covers the complete spectrum of the forensics universe.
Infrastructure to support remote working
Remote working has its challenges, from limited access to the forensics laboratory and to the physical evidence to be seized, to remote connection to workstations.
In the next chapter we will discuss remote forensics when it comes to remote seizure of evidence. Another important piece of infrastructure to mention is a remote dongle server, which allows forensics investigators to access all their licences from anywhere if the dongles are connected to such a device, e.g. SHE Dongle server and Donglify.
Types of digital evidence
To understand the value of digital evidence, it helps to understand the types of digital evidence available to you. This section will provide you with some examples of digital evidence, providing you with some insight on what type of evidence you could expect to encounter in your investigations. The types of digital evidence can be classified into system artifacts and user artifacts.
System artifacts are created by an application, e.g. logs and file system information, whereas user artifacts are created by the user, e.g. a document, a video or a picture. We will explore both kinds in this section.
It is important to note that there are numerous variables that will impact the presence, persistence and accessibility of digital evidence. The examples herein are examples of what you may find. The following are some of the variables that will impact what digital evidence is available, how long it will persist on a device and how readily accessible it is, e.g. is it encrypted by the application or is it stored in an unknown format.
- the operating system of the device, e.g. Microsoft Windows, MacOS, Linux, iOS and Android;
- the application that created the artifact, e.g. Microsoft Word and WhatsApp;
- the storage media on which the information is saved, e.g. a mechanical hard drive, a solid-state drive, a network or cloud storage solution;
- the amount of activity after the artifact of interest was created;
- the use of privacy features; and
- the use of anti-forensic techniques.
This section will not explore the above any further. It provides context to the rest of this section. The subsequent sample artifacts in this section may or may not be available in a given situation. The absence of any of these artifacts can be as a result of normal system function, or it can be the result of overt user actions. The length of time that any of the below artifacts persists on a system can vary from not at all to years. Your digital forensic examiner can assist you in assessing the merits of seizing a particular electronic device.
Browsers are used to surf the Internet and run local browser-based applications and may contain user data relevant to your investigation. The most commonly used browsers are Google Chrome, Microsoft Edge, Safari, Firefox and in some parts of the world, Opera.
Modern browsers track a lot of information that could be valuable to your investigation. The most common browser artifacts are websites that users visit, information entered into online forms, login usernames used to connect to services, e.g. Facebook and Gmail, and terms that users entered into a search engine. If your investigation involves Internet activity you will want to examine browser activity.
Communication is frequently significant in establishing mens rea. If you are investigating a matter that involves more than one party, a subject, a victim, co-conspirators and witnesses, there is a good possibility that some of them engaged in electronic communication pertaining to the matter under investigation. Whether it is prior to the commission of a crime, conspiring in the commission of a crime or after the crime, if two or more parties are involved, there is a good chance that they communicated electronically.
Historically, electronic communication was via email, whether a corporate or personal webmail account. Today there is a large variety of options to communicate electronically, e.g. Facebook Messenger, WhatsApp, iMessage, Signal, Viber, LinkedIn, Skype and gaming platforms. It is not uncommon for people to use more than one platform to communicate with others.
A good practice is to deploy corporate communication tools and require staff to use them for all official correspondence. This simplifies the archiving, identification, collection and analysis of the communications. The challenge you will encounter is that your staff may have to use unapproved communication platforms to communicate with some partners who either cannot communicate via your officially approved platforms, or as a matter of preference use something else. It is certain that staff engaging in misconduct may use non-approved communication platforms to evade detection.
Collect as much intelligence as you can on the methods of electronic communication used by parties involved in your investigation so that your digital forensic examiner can start their analysis on those. If you have some of the communications either in electronic or paper format, provide those to your digital forensic examiner. This will provide them with valuable information on what keywords to look for and what communication application was used by the parties involved.
Connected USB devices
Modern day operating systems track a lot of information about a user’s activities on that system. Among other things, a forensic examiner can tell you what type of USB devices were connected to a computer, e.g. external USB drive, thumb drive, digital camera, mobile phone, printer and in some cases the make, model, and serial number of the device, as well as when it was first and last connected to that device.
This can help you identify other potential sources of electronic evidence you should be looking for. It can help link a staff member’s USB key that they have in their possession to a specific device. If you are investigating the exfiltration of corporate data, connected USB devices could be very important.
Pictures, videos, and audio recordings may contain evidence relevant to your investigation. It can be a picture, or audio/video recording of the actual matter under investigation. Or multimedia evidence might allow you to make a connection between individuals who claim to not know each other by showing them interacting socially. A picture or video may help place someone at a particular location. It may confirm that they could not have been at a location on a particular date and time because they were elsewhere.
Multimedia files can contain metadata that will provide you with a wealth of additional information. Even in the absence of metadata, you can create a timeline with photos which could help you establish an approximate location of a photo that contains no metadata. A seemingly irrelevant photo of a child playing in the yard with the house in the background can become very important if it was taken within 5 minutes of another photo of counterfeit money on a nondescript table. You have now established that the counterfeit money had to be within 5 minutes of the house in the previous photo, provided they were taken with the same digital device.
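The photo timeline reasoning above, as an added Python example (not part of the original article): photos are grouped by device, ordered by capture time, and each photo with no known location is paired with located photos from the same device taken within five minutes before or after it. The file names, device labels, times and places are constructed sample data, and the `Photo` record is a hypothetical structure.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Photo:
    name: str
    device: str              # camera or phone the photo came from
    taken: datetime          # capture time
    location: Optional[str]  # known place (GPS tag or recognised scene), else None


def bracket_unlocated(photos, window=timedelta(minutes=5)):
    """Map each photo with no known location to the located photos from the
    same device taken within `window` before and after it."""
    by_device = {}
    for p in photos:
        by_device.setdefault(p.device, []).append(p)

    findings = {}
    for shots in by_device.values():
        shots.sort(key=lambda p: p.taken)
        for i, p in enumerate(shots):
            if p.location is not None:
                continue
            # Nearest located neighbour on each side of the timeline.
            before = next((q for q in reversed(shots[:i]) if q.location), None)
            after = next((q for q in shots[i + 1:] if q.location), None)
            findings[p.name] = {
                side: (q.name, q.location, abs(p.taken - q.taken))
                for side, q in (("before", before), ("after", after))
                if q is not None and abs(p.taken - q.taken) <= window
            }
    return findings


# Constructed sample data.
PHOTOS = [
    Photo("IMG_0101.jpg", "CameraA", datetime(2023, 5, 14, 15, 2, 10), "subject's back yard"),
    Photo("IMG_0102.jpg", "CameraA", datetime(2023, 5, 14, 15, 6, 40), None),  # notes on a table
    Photo("IMG_0103.jpg", "CameraA", datetime(2023, 5, 14, 17, 30, 0), "city centre"),
    Photo("P_9001.jpg", "CameraB", datetime(2023, 5, 14, 15, 5, 0), "airport"),  # other device
]

if __name__ == "__main__":
    for name, anchors in bracket_unlocated(PHOTOS).items():
        print(name, anchors)
```

A photo from a different device never serves as an anchor, which matches the condition that both photos were taken with the same device.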
Background details in a photo or video could be helpful. If you see a North American style plug in the background, you know that the person was definitely not in Europe for example.
Windows logging basics
OS event logs record operations that happen in a computer. These logs are created either by a person or by a running process, and they help in the analysis and tracking of any incident or in troubleshooting. Monitoring the logs can assist in managing the system's health and security.
In digital forensics investigations event logs are considered one of the most important forms of evidence, as the operating system logs every system activity and builds an audit trail of the user events in the computer with their corresponding timestamps. This could then all be mapped out using timeline analysis to understand the full picture of what the user was up to.
A timeline is an important step in the process of forensic analysis. It is used to categorise the events, usage patterns and activities of the computer system, mobile, tablet and other devices. E-mail messages and chat conversations, e.g. Windows Messenger, ICQ and Trillian, all contain a timestamp for each message sent and received. All files on most modern computers contain timestamps of when the file was first created, but not in Unix systems. Timeline visualisation is crucial when examining artifacts while trying to assess all activities that took place in a specific period, year, month, week, day and hour. Digital forensics examiners might decide to use the timeline analysis function to group all email communications of a specific time period to determine the beginning and end of an event; the same goes for documents, downloaded files, system activities and more.
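An added Python example (not from the original article) of the normalisation step behind timeline analysis: timestamps from different artifacts arrive in different encodings and time zones, so they are converted to UTC before being sorted, windowed and grouped. The record layout, source names and all sample values are constructed; the three encodings handled are Windows FILETIME, Unix epoch seconds and ISO 8601 text with an explicit offset.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ticks):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def from_unix(seconds):
    """Unix epoch seconds, always UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def from_iso(text):
    """ISO 8601 text; a value without an offset is rejected, not guessed."""
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError(f"no UTC offset in {text!r}; time zone must be established first")
    return dt.astimezone(timezone.utc)


DECODERS = {"filetime": from_filetime, "unix": from_unix, "iso": from_iso}

# Constructed sample records: (source, encoding, raw value, description).
RAW = [
    ("email", "iso", "2023-03-02T03:20:00-05:00", "message sent with attachment"),
    ("browser", "unix", 1677744420, "file download completed"),
    ("usb", "filetime", 133222179000000000, "USB storage device first connected"),
    ("chat", "iso", "2023-03-02T09:01:30+01:00", "chat message received"),
    ("lnk", "filetime", 133222179700000000, "shortcut to document created"),
    ("system", "unix", 1677715200, "scheduled task ran"),
]


def build_timeline(records):
    """Return (utc_time, source, description) tuples in chronological order."""
    events = [(DECODERS[kind](value), source, text)
              for source, kind, value, text in records]
    return sorted(events, key=lambda e: e[0])


def in_window(timeline, start, end):
    """Events with start <= time < end (both bounds timezone-aware)."""
    return [e for e in timeline if start <= e[0] < end]


def group_by(timeline, fmt):
    """Count events per period, e.g. fmt='%Y-%m-%d %H' for hourly buckets."""
    return dict(Counter(e[0].strftime(fmt) for e in timeline))


if __name__ == "__main__":
    for when, source, text in build_timeline(RAW):
        print(when.isoformat(), source, text)
```

Sorted on the raw text values, the e-mail stamped 03:20 would appear hours before the chat message stamped 09:01; in UTC it is the last event of the morning.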
There is a difference between data and metadata. Data refers to information stored in the memory of a device which is usually unprocessed, such as written content in a document. Metadata, on the other hand, refers to the data ‘beyond’ the data; it is always processed, e.g. the type of file and the name of the file. The amount and value of the metadata for each file varies depending on the type of file and the investigation itself.
Metadata has two different viewpoints, internal and external. External is every file on a computer device, while internal is the user created files.
Metadata of files might include date and time stamps that are linked to the file creation, last access and last written date and time.
Files like Word documents and Excel spreadsheets contain a wealth of metadata, e.g. author, contributor, company name, network storage location where the file was saved, number of revisions, number of users on the document and their SID ‘identifiers’, and verification of whether it is an authentic document or a copy that has been modified.
All photos taken by a digital camera contain a wealth of metadata which could benefit the investigation, e.g. when the picture was taken, GPS coordinates of the device, settings of the camera, and brand and model of the camera. This metadata varies depending on the camera used and the tool used for the analysis.
Network logs hold a vast amount of information about the user's Internet activities, such as the websites visited, communications and e-mailed documents. The analysis involves looking at the IP address of the user along with the timestamps to better link and understand when and what happened. Network logs could also be analysed for instances of intrusions and the data packets which were transmitted during a network attack. The modality of examination varies depending on the type of incident and analysis required.
Unallocated and slack space
When a file is deleted, it is not erased; instead the space which used to host the deleted file becomes ‘unallocated’. As a result the deleted file could be retrieved, as long as the space remained empty and another file of the exact size was not written over that location.
Slack space is also a source of unallocated space, which occurs if the system allocates a larger space for a file to be written than needed. If a file is 50kb but the system allocates 80kb for the file, those 30kb of empty space are the slack space.
During the digital forensic examination it is crucial to analyse the unallocated and slack space as it sheds light on the content that used to be stored there. By carving data from those spaces the forensics examiner will ensure no available data is being overlooked.
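An added Python example (not from the original article) of what examining slack and unallocated space means in practice, using a toy volume built in memory: it locates the slack behind an allocated file, pulls readable remnants of an earlier file out of it, and carves a deleted JPEG from unallocated clusters by its start and end markers. The 4096-byte cluster size, the allocation table layout and every byte of the sample volume are constructed assumptions, and header/footer matching is the simplest form of carving.

```python
import re

CLUSTER = 4096  # bytes per cluster in this toy volume (assumption)


def build_sample_volume():
    """Constructed 8-cluster volume: returns (raw bytes, allocation table)."""
    vol = bytearray(8 * CLUSTER)
    # A 6000-byte memo once lived in clusters 1-2 and was later deleted.
    old_memo = (b"DRAFT transfer schedule rev2; " * 200)[:6000]
    vol[CLUSTER:CLUSTER + 6000] = old_memo
    # A 5000-byte file was then written over the start of the same clusters.
    vol[CLUSTER:CLUSTER + 5000] = b"n" * 5000
    # A deleted JPEG still sits in clusters 5-6, which are now unallocated.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x11" * 5000 + b"\xff\xd9"
    vol[5 * CLUSTER:5 * CLUSTER + len(jpeg)] = jpeg
    # Allocation table: name -> (first cluster, logical size in bytes).
    allocations = {"boot": (0, CLUSTER), "notes.txt": (1, 5000)}
    return bytes(vol), allocations


def clusters_needed(size):
    return -(-size // CLUSTER)  # ceiling division


def slack_regions(allocations):
    """name -> (byte offset, length) of the space allocated but not used."""
    regions = {}
    for name, (first, size) in allocations.items():
        allocated = clusters_needed(size) * CLUSTER
        if allocated > size:
            regions[name] = (first * CLUSTER + size, allocated - size)
    return regions


def unallocated_clusters(allocations, total_clusters):
    used = set()
    for first, size in allocations.values():
        used.update(range(first, first + clusters_needed(size)))
    return [c for c in range(total_clusters) if c not in used]


def carve_jpegs(raw):
    """Return (offset, length) for each JPEG start marker followed by an end marker."""
    hits, pos = [], 0
    while (start := raw.find(b"\xff\xd8\xff", pos)) != -1:
        end = raw.find(b"\xff\xd9", start + 3)
        if end == -1:
            break
        hits.append((start, end + 2 - start))
        pos = end + 2
    return hits


def examine(raw, allocations, total_clusters):
    """Readable strings left in slack, plus JPEGs carved from unallocated clusters."""
    free = set(unallocated_clusters(allocations, total_clusters))
    slack_strings = {
        name: re.findall(rb"[\x20-\x7e]{6,}", raw[off:off + length])
        for name, (off, length) in slack_regions(allocations).items()
    }
    carved = [(off, n) for off, n in carve_jpegs(raw) if off // CLUSTER in free]
    return {"slack_strings": slack_strings, "carved_jpegs": carved}


if __name__ == "__main__":
    volume, table = build_sample_volume()
    print(examine(volume, table, 8))
```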
The ability to extract geolocation data solidifies the findings in any case and might help pinpoint the subject in a specific location during the crime or misconduct.
During the forensic examination of a subject's mobile phone or computer the examiner might extract the geolocation data from, e.g. images, IP addresses or videos, which would assist in establishing where the subject was at a specific point in time in any place in the world.
OS artifacts relate to data available in the device, whether automatically created by the operating system or created directly or indirectly by the user.
The Windows registry is an important element that has to be analysed when examining a computer, as it holds very valuable information for the forensics examiner such as information about the OS configuration, installed software and user activity.
We can think of the Windows registry as a database that is to the computer what genetic DNA is to humans. Everything the user does on the system is recorded, such as typed URLs, recent documents, active users, connected USBs and operating system information.
LNK files, Windows shortcut files, are created either automatically by the Windows OS or by the user for ease of access. As an example of where LNK files might be of great value, suppose you are investigating a recruitment fraud and, upon examining the drive, you uncover that a file or multiple files were accessed during the exam period, while knowing that these files do not exist on the computer. If the examination candidate plugged a USB drive into the exam computer and opened the files directly on that computer, a LNK file will be created automatically. This would record information such as the filename, path and time stamps. This is crucial when taken together with the Windows registry, as you will be able to extract details of the USB directly from the registry, and perhaps link it to a specific owner.
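An added Python example (not from the original article) of reading the fields that matter in the USB scenario above from a shortcut file: the target's timestamps and size from the fixed 76-byte header, and the drive type, volume serial number, volume label and path from the link information block. The sample shortcut is constructed in memory with made-up values, and the parser reads only the ANSI fields of the Shell Link format and ignores the optional Unicode offsets.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DRIVE_TYPES = {0: "unknown", 1: "no root directory", 2: "removable",
               3: "fixed", 4: "remote", 5: "cd-rom", 6: "ram disk"}


def filetime_to_utc(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def utc_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def _cstring(buf, offset):
    end = buf.index(b"\x00", offset)
    return buf[offset:end].decode("cp1252")


def parse_lnk(data):
    """Extract target timestamps and, when present, volume details and path."""
    if len(data) < 0x4C:
        raise ValueError("too short for a shell link header")
    size, clsid, flags, _attrs, created, accessed, modified, target_size = \
        struct.unpack_from("<I16sIIQQQI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    info = {
        "target_created": filetime_to_utc(created),
        "target_accessed": filetime_to_utc(accessed),
        "target_modified": filetime_to_utc(modified),
        "target_size": target_size,
    }
    offset = 0x4C
    if flags & 0x01:  # HasLinkTargetIDList: skip the 2-byte size and the list
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & 0x02:  # HasLinkInfo
        link_info = data[offset:offset + struct.unpack_from("<I", data, offset)[0]]
        _sz, _hdr, li_flags, vol_off, base_off, _net_off, suffix_off = \
            struct.unpack_from("<7I", link_info, 0)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath
            _vsz, drive_type, serial, label_off = struct.unpack_from("<4I", link_info, vol_off)
            info.update(
                drive_type=DRIVE_TYPES.get(drive_type, "unknown"),
                volume_serial="%04X-%04X" % (serial >> 16, serial & 0xFFFF),
                volume_label=_cstring(link_info, vol_off + label_off),
                path=_cstring(link_info, base_off) + _cstring(link_info, suffix_off),
            )
    return info


def build_sample_lnk():
    """Constructed shortcut pointing at a document on a removable drive."""
    utc = timezone.utc
    header = struct.pack(
        "<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, 0x02, 0x20,
        utc_to_filetime(datetime(2023, 3, 1, 18, 40, 0, tzinfo=utc)),  # created
        utc_to_filetime(datetime(2023, 3, 2, 8, 6, 10, tzinfo=utc)),   # accessed
        utc_to_filetime(datetime(2023, 3, 1, 19, 2, 0, tzinfo=utc)),   # modified
        18432, 0, 1, 0, 0, 0, 0)
    label = b"EXAMKEY\x00"
    volume = struct.pack("<4I", 16 + len(label), 2, 0x1A2B3C4D, 16) + label
    base = b"E:\\answers\\paper2_key.docx\x00"
    body = volume + base + b"\x00"  # empty common path suffix
    link_info = struct.pack("<7I", 28 + len(body), 28, 0x01, 28,
                            28 + len(volume), 0, 28 + len(volume) + len(base)) + body
    return header + link_info


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key}: {value}")
```

The volume serial number and label recovered here are the values an examiner would compare against a seized USB drive and against the USB entries in the registry.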
Computers organise data into directories; these directories further contain folders and files.
For applications to work they need to have a filesystem. Programs also require a file system, hence a program designed for Windows will not work on a Mac operating system.
Filesystems play the key role in the storing and retrieval of data by utilising the metadata of each file to ensure everything is in accordance with the designed system. This includes when a file was created or modified, and makes use of metadata, which includes the date the file was created, date modified, file size, and so on.
Volume shadow copies
Volume shadow copies are an integral part of the Windows operating system and are essential for the forensic analyst. Shadow copies provide a glimpse of the hard drive at a point in time in the past. This allows the discovery of changes to files and even the viewing of possibly deleted files.
In a case where the allegation suggests some files existed on a user's machine, but upon analysis it was discovered the content is no longer there, the forensics investigator will then check the volume shadow copies to take the computer back to that restore point. This will uncover what used to exist on a computer in terms of settings, data, software, previous set-up and much more.
Types of forensics
In digital forensics, seizing a device by ‘pulling the plug’, i.e. powering off the device, is referred to as dead-box forensics. It is one of the most widely used methods in digital forensics. Whether it is to image or clone the hard drive, dead-box forensics gives the forensics examiner more flexibility in physically accessing the computer. However, this method is not advised if volatile data, e.g. encryption keys and processes, is required from the computer memory (RAM), as it gets flushed out when the computer is powered off.
Live forensics is the method used when targeting the data which is temporarily stored in the RAM. This includes encryption keys, usernames, passwords, phone numbers, instant messenger sessions, unencrypted data, clipboard, copy and paste data, rootkits, open documents, running processes and much other volatile data which is deleted the moment a computer is powered off. Typically RAM size ranges from 1 to 16 GB but can be more.
Memory dump is the term used when imaging RAM. This process provides the forensics investigator with a great insight into the subject's activity on the computer.
Remote forensics refers to performing digital forensics in an enterprise environment. This includes imaging of computers, RAM, mobile phones, connected USBs and peripheral devices connected over the network. This could be done via the same network umbrella, VPN, or directly over the internet.
Remote forensics is particularly useful in cases where physical access to seize electronic equipment is limited for any reason. Remote forensics increases the efficiency of conducting digital forensics by reducing the cost of travelling to seize equipment, saves time by cutting out the waiting period for evidence to be shipped back to the oversight office examiner and, most importantly, enables complete visibility of the live computer system, including all connected devices and the most volatile data available in the RAM (memory) such as encryption keys and passwords.
Mobile forensics is a branch of digital forensics which covers mobile phones, tablets and more. Although compact, mobile devices may contain information relevant to various types of misconducts being investigated. In recent years, with the significant advances in the mobile industry, the field of mobile forensics has grown significantly to tackle all limitations associated with the extraction of the vast types of mobile OS and artifacts.
Unlike computer forensics, where it is common to have various user profiles on one computer, mobile devices are personal. As a result, a mobile device gives a great indication of the subject’s activities.
Depending on the level of acquisition the user data may be extracted, e.g. conversations, geo-locations, pictures, videos, audio files, social networks applications, emails, contacts, applications, files, databases, hidden and deleted data.
Below are the various types of mobile forensics acquisitions:
- Logical: The extraction of a portion of the file system. This includes:
  - Call logs
  - App data
- File System: The extraction via accessing the file system. Along with the above this includes:
  - Hidden Files
- Physical: The physical acquisition of a phone’s data via accessing the circuit board, e.g. JTAG, Hex Dump and Chip-Off. Along with all of the above this includes:
  - Deleted data
Network forensics is a branch of digital forensics which covers the capturing, recording and analysis of network packets to detect intrusions and identify breaches and misconduct. This allows for the following questions to be addressed:
- When did the intrusion begin?
- Is the intrusion still going on?
- How many systems are affected?
- What data was taken?
- Was any sensitive, proprietary, or confidential data taken?
Establishing a forensic capacity
Digital forensic capacity
Building digital forensic capacity in your organisation is not a binary question. You do not have to choose between absolutely no digital forensic capacity and a fully functioning digital forensic unit. In this section, the authors explore the different tiers of digital forensic capacity for your consideration. Note that the numbering of the tiers is completely arbitrary on the part of the authors.
The authors outline the digital forensic capacity at each tier and cover the advantages and disadvantages of that tier, along with some guidance on when that tier might be appropriate for you. The details in each tier are not intended to be exhaustive. It will be important for you to identify your requirements and see which tier or tiers is or are an option.
Tier 1 – Everything in-house
In this tier, you do all your forensic processing in-house with the exception of very advanced forensics that requires assistance from an external subject matter expert. This means you have the subject matter expert, or experts, and the necessary hardware and software in-house to collect digital evidence, create forensic images, conduct forensic analysis of seized evidence, and provide investigators with an e-Discovery platform for evidence review.
Advantages
- You have complete control over your resources and their priorities. If a case comes in that requires immediate attention, you have the autonomy to re-prioritise your resources accordingly.
- You have some level of control over costs, e.g. what tools they have, what training they have and travel.
- The data remains within the four walls of your organisation.
- It may be more cost effective in the long-term versus outsourcing.
Disadvantages
- It is the costliest option in the short term.
- It requires hiring a digital forensic examiner, or more than one depending on your workload and budget.
- You must allocate sufficient office space for the digital forensic lab.
- You must purchase the necessary hardware and software.
- You must provide ongoing professional development for the digital forensic examiner or examiners.
- In some jurisdictions such as the EU, law enforcement digital forensic labs must be ISO certified. If that same expectation is imposed on your lab, it adds cost and complexity.
When is it an option?
- You have the necessary workload whereby this option is more economical than outsourcing some or all of the digital forensic work.
- You have the budget to support the initial and ongoing cost of a digital forensic unit.
- You deal with highly sensitive investigations.
- You deal with time sensitive investigations.
Tier 2 – Imaging and E-discovery
In this tier you collect the digital forensic evidence yourself and prepare the data in an E-discovery application for review by investigators. You do not engage the services of an in-house subject matter expert to conduct a digital forensic analysis of the seized data. Where required, you outsource that part of the work.
Advantages
- You retain control over the resources that collect and image digital evidence.
- In corporate investigations this could meet a large percentage of your digital forensic needs depending on the nature of your investigations.
- It reduces the level of expertise required by your digital forensic examiner or examiners, and consequently the tools and ongoing professional development they require, thus a cost reduction versus tier 1.
Disadvantages
- You will need to outsource the digital forensic analysis if you need any of the following:
  - deleted data;
  - operating system artefacts not handled by your e-Discovery solution (limitations will vary from one e-Discovery application to the next);
  - intrusion or malware investigations; or
  - other artefacts that might be important to your investigation but not parsed by your e-Discovery solution.
- If you do require a digital forensic expert to do anything that is not supported by the e-Discovery tool, it will be expensive, and you may need to wait in a queue for your case to be the next one to be processed by the subject matter expert.
- A concern could be raised by the individual under investigation that an e-Discovery-only analysis is incomplete and results in missing exculpatory evidence. Be prepared to address why this is not the case.
When is it an option?
- You have the necessary workload supporting the need for this capacity.
- You have the budget.
- You very seldom need any analysis beyond what an e-Discovery tool can provide.
- You have a long-term agreement (LTA) in place for when you require digital forensic services outside of your in-house capacity.
- The cost to outsource does not exceed the cost to establish your own in-house capacity.
- The evidence you require in a typical investigation sits on corporate servers:
  - OneDrive or Google Drive
  - Other corporate tools where data is stored on servers rather than on a computer or mobile device.
Tier 3 – Imaging only
In this tier you use in-house resources to collect your digital evidence and image it. E-Discovery and analysis are outsourced.
Advantages
- It requires fewer digital forensic tools.
- It requires a lesser degree of subject matter expertise.
- You retain control over the resources collecting your digital evidence:
  - you control their priorities;
  - you control their response time; and
  - you can deploy your internal resource to quickly collect and image electronic evidence, allowing you to quickly return electronic assets back to service.
- The perishability of digital evidence necessitates that it is collected as quickly as possible. In this tier you have the in-house capacity to ensure evidence is quickly collected and properly preserved for later analysis.
Disadvantages
- All work except imaging needs to be outsourced.
- The digital forensic analysis is usually the most time consuming and thus the most expensive part to outsource.
- You will require an external witness to enter digital evidence and provide opinion evidence.
- Your corporate data will need to be handed over to an external party.
When is it an option?
- You have too few investigations in the year to keep a digital forensic examiner occupied.
- You have an investigator with foundation IT knowledge and skills, whose duties would also include the collection and imaging of electronic evidence as required.
- You have a long-term agreement, LTA, in place for digital forensic analysis services that meets your organisational needs and fits within your budget.
- The sensitivity of your investigations and the electronic data you collect does not require that the work be performed internally.
- The cost to outsource does not exceed the cost to establish your own in-house capacity.
Tier 4 – Outsource everything
In this tier you outsource all your forensic needs. You have no in-house capacity at all.
Advantages
- You have no upfront or recurring expenditures to build and maintain a digital forensic unit.
- If your jurisdiction requires ISO certification, that responsibility will rest with the external digital forensic lab.
Disadvantages
- Digital forensic services on a contractual basis can quickly exceed the cost of an in-house unit.
- Your corporate data will need to be handed over to an external party.
- Your corporate policies will not apply to the external party unless you include them in the service level agreement (SLA) of your LTA.
When is it an option?
- You have only a few cases per year that require digital forensic services.
- The cost to outsource does not exceed the cost to establish your own in-house capacity.
- You have an LTA in place for digital forensic analysis services that meets your organisational needs and fits within your budget.
- The sensitivity of your investigations and the electronic data you collect does not require that the work be performed internally.
Smaller organisations may lack the caseload and the budget to justify a higher tier on their own. As you explore which of the above tiers is most appropriate for your organisation, consider whether partnering with another organisation to develop in-house capacity for the partners is a viable option.
Challenges will arise when an integrated unit is faced with competing priorities from the different partners. You will need clear guidelines in place to prioritise caseload across all partners. If you can navigate this potential challenge successfully, an integrated unit can be a viable, cost-effective solution in lieu of a dedicated unit.
Certifications and training
Education and training
Digital forensics is a specialised area within the broader field of information technology (IT). A skilled digital forensic examiner will have a solid foundation in IT combined with specialised training in digital forensics much like a medical specialist will have foundation training in medicine combined with specialised training in their field of medicine.
In its early years, digital forensics was primarily used by law enforcement agencies. Post-secondary institutions did not offer undergraduate or graduate degrees in digital forensics. Police officers with aptitudes in IT developed into skilled digital forensic examiners mostly through on-the-job experience and some training that was developed at police colleges.
Vendors of digital forensic solutions started offering training on their tools, eventually expanding to provide foundation digital forensic training as well as product specific training. Private training organisations also started to offer digital forensics training. The most widely recognised name in this field is SANS.org. Non-profit organisations were also founded to address the growing demand for training and networking. Two of them well known in North America are the International Association of Computer Investigative Specialists (IACIS) and the High Technology Crime Investigation Association (HTCIA).
The use of digital forensics found its way into the corporate world. With this new growth, it created enough demand for post-secondary institutions to start offering undergrad and graduate degrees in digital forensics related disciplines. Today you can find colleges and universities with well-established digital forensic programs in addition to expanded training offered by police training institutions.
You will still encounter some who have been in this field for decades with minimal formal education in IT or digital forensics, but a lifetime of valuable experience. Any newcomers to this field in the past few years will likely have some formal education in either digital forensics, cyber, or some other relevant field of IT.
Although a degree is not an absolute requirement if the person has the right experience, courts and tribunals do tend to place more value on formal IT education, particularly in digital forensics or cyber security than on experience. Find out what the court or tribunal in your jurisdiction requires to recognise someone as a competent digital forensic examiner and use that as your minimum standard for selecting a digital forensic examiner.
In addition to or in lieu of education, a digital forensic examiner can pursue certifications to demonstrate that they have achieved a certain level of competency in their technical skills. Practically every major digital forensic software company now provides a ‘certification’ course for their product. There are also commercial and non-profit organisations that provide certification in the field of digital forensics. It is important to know what value to attribute to a certification, as not all certifications are equal.
Some people become very skilled at gaining certifications, chasing down different ones to add to their resume, but there are also many very skilled digital forensic examiners who do not have any certification at all. Do not get distracted by someone who has a collection of certifications on different products. Unless you use these products on a regular basis, you will get rusty. Vendor specific certifications are great for tools that you use regularly. Learning about the different features of the tool and how to use it efficiently is valuable but there is limited value in getting certifications on tools that you do not use, or seldom use. It is not completely without merit, as it is good to know the strengths of different products so that you can use the right one for the case you are working. It is worth noting that its value is diluted if you only use the product once every 4 to 6 months.
Vendor neutral certifications are generally more desirable, as you have to demonstrate knowledge and skills in digital forensics in general and are usually more demanding than a vendor specific certification. A very well respected certifying non-profit organisation is IACIS. They offer a few different certifications, their foundation one being Computer Forensic Certified Examiner (CFCE).
The potential trap of relying on vendor specific certifications to bolster one’s credibility in court is that chances are a digital forensic examiner will use a few different tools during their analysis, some for which there are no certifications, or the examiner does not have the certification for it. It creates the opportunity to argue that because the digital forensic examiner is certified on product A but not product B, the findings of their analysis using product B is not as reliable. Whereas a vendor neutral certification, or a college or university degree, demonstrates to the court or tribunal that they are knowledgeable and competent in digital forensic principles and that they apply those principles no matter what tool they are using.
There is no such thing as a bad certification, but there are certainly some that are better than others. Choose quality over quantity.
Legally reviewed by Liam Guidera (Mason Hayes and Curran – Dublin).