This is the process of examining and analyzing the evidence data. It is distinctly classified into the following building blocks:
1.1. Evidence Extraction
This is the fundamental building block of the analysis phase and focuses on the extraction of ‘true’ evidence from the entire set of collected evidence material, documents, artefacts, etc. The extraction process aims to:
1.1.1. Create Visibility and Reduce Data
The aim of the process is to make all the evidence that matters visible and to explain its origin and significance. It should document the content and state of the evidence in its totality to allow all parties to discover what is contained in the evidence. One of the fundamental goals is to reveal information that may be hidden or obscured.
Once all the information is made visible, the process of data reduction can begin, thereby separating what matters from what doesn’t. Given the tremendous amount of information that can be stored on electronic media, this part of the examination is critical.
Part of the process is also to look at the product of the examination for its significance and probative value to the case. Examination is a technical review that is the province of the forensic practitioner, while analysis may be conducted by a range of people.
1.1.2. Physical and Logical Extraction
The physical extraction identifies and recovers data across the entire physical drive without any consideration or regard for the underlying file system. This may include keyword searching, file carving, and extraction of the partition table and unused space on the physical drive.
The logical extraction phase identifies and recovers files and data based on the installed operating system(s), file system(s), and/or application(s). During this stage the extraction of the data from the drive is based on the file system(s) present on the drive and may include data from such areas as active files, deleted files, file slack, and unallocated file space.
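The keyword search part of physical extraction can be sketched as follows. This is an added example, not part of the original guideline: it scans a raw image byte by byte with no file system parsing and reports the byte offset and sector of each hit. The 512-byte sector size, the sample keywords and the constructed image are assumptions.

```python
import io

SECTOR = 512  # assumed sector size, used only to report where a hit lies

def keyword_patterns(keywords):
    """Encode each keyword as UTF-8 and UTF-16LE (Windows often stores text as UTF-16)."""
    pats = {}
    for kw in filter(None, keywords):  # skip empty keywords
        pats[(kw, "utf-8")] = kw.encode("utf-8")
        pats[(kw, "utf-16le")] = kw.encode("utf-16-le")
    return pats

def search_image(stream, keywords, chunk_size=1 << 20):
    """Scan a raw image, ignoring any file system; return sorted
    (byte_offset, sector, keyword, encoding) hits. Matching is case-sensitive."""
    pats = keyword_patterns(keywords)
    if not pats:
        return []
    overlap = max(len(p) for p in pats.values()) - 1
    hits, buf, base = set(), b"", 0  # base = absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf += chunk
        for (kw, enc), pat in pats.items():
            pos = buf.find(pat)
            while pos != -1:
                off = base + pos
                hits.add((off, off // SECTOR, kw, enc))
                pos = buf.find(pat, pos + 1)
        # Carry the tail forward so a keyword split across two reads is still found.
        keep = buf[-overlap:] if overlap else b""
        base += len(buf) - len(keep)
        buf = keep
    return sorted(hits)

def build_sample_image():
    """Constructed 4-sector image: one ASCII hit, one UTF-16 hit straddling offset 1024."""
    img = bytearray(4 * SECTOR)
    img[100:117] = b"alice@example.com"
    wide = "10.0.0.5".encode("utf-16-le")
    img[1020:1020 + len(wide)] = wide
    return bytes(img)

if __name__ == "__main__":
    for hit in search_image(io.BytesIO(build_sample_image()),
                            ["alice@example.com", "10.0.0.5"], chunk_size=1024):
        print(hit)
```

Run it against a working copy of the image opened read-only, never against the original media.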
Analysis is the process of interpreting the extracted data to determine their significance to the case. Analysis may require a review of the request for service, legal authority for the search of the digital evidence, investigative leads, and/or analytical leads. Some fundamental examples of analysis that may be performed include:
1.2.1. Timeframe Analysis
This is useful in developing an understanding of the timeline of when events occurred on a computer system. This kind of analysis is useful, for example, in establishing when particular contents were accessed and/or modified in order to develop a sequence of events.
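A sequence of events drawn from more than one system only holds up once every timestamp is brought onto a common clock. The following added example (not part of the original guideline) normalizes locally recorded timestamps to UTC before sorting. The device names, events, UTC offsets and the measured clock error per device are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed per-device record: documented time zone and the clock error measured
# at seizure (system clock minus reference clock). All names are hypothetical.
DEVICES = {
    "LAPTOP-A": {"utc_offset_h": 5.0, "clock_skew_s": 120},  # UTC+5, clock 2 min fast
    "SERVER-B": {"utc_offset_h": 0.0, "clock_skew_s": -30},  # UTC, clock 30 s slow
}

# Constructed events: (device, local timestamp as recorded, action, object)
EVENTS = [
    ("LAPTOP-A", "2024-03-01 14:02:10", "modified", "report.docx"),
    ("SERVER-B", "2024-03-01 08:59:00", "accessed", "share/report.docx"),
    ("LAPTOP-A", "2024-03-01 14:05:00", "created", "report.zip"),
    ("SERVER-B", "2024-03-01 09:04:45", "accessed", "share/hr.xlsx"),
]

def to_utc(device, local_ts):
    """Correct a recorded local timestamp for clock error, then convert to UTC.
    Uses a fixed offset per device; daylight-saving changes are not modelled."""
    rec = DEVICES[device]
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    corrected = naive - timedelta(seconds=rec["clock_skew_s"])
    tz = timezone(timedelta(hours=rec["utc_offset_h"]))
    return corrected.replace(tzinfo=tz).astimezone(timezone.utc)

def build_timeline(events):
    """Return events as (utc_time, device, action, object), oldest first."""
    rows = [(to_utc(dev, ts), dev, action, obj) for dev, ts, action, obj in events]
    return sorted(rows, key=lambda r: r[0])

def naive_order(events):
    """Order obtained by sorting the raw recorded strings, for comparison only."""
    return [obj for _, ts, _, obj in sorted(events, key=lambda e: e[1])]

if __name__ == "__main__":
    for when, dev, action, obj in build_timeline(EVENTS):
        print(when.isoformat(), dev, action, obj)
    print("uncorrected order:", naive_order(EVENTS))
```

Sorting the raw strings places both server events before both laptop events, while the corrected timeline interleaves them.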
1.2.2. Data Hiding Analysis
This analysis focuses on revealing hidden data through exhaustive correlation analysis, reviewing password-protected or archived information, tracking any kind of steganography, and searching through Host Protected Areas to trace attempts at creating exfiltration repositories.
1.2.3. Application and File Analysis
Analyzing application and file data assists with understanding the users’ behavior and capabilities. It also helps uncover information hidden in mismatched patterns that violate standard application behavior, a common telltale sign of malware, for example.
1.2.4. Ownership and Possession
It is sometimes, if not always, useful to identify the individual(s) who accessed, created or modified a certain element on the computer. It may also be important to establish ownership and knowledgeable possession of the data in question at a certain time, to correlate access with a subject and determine the probability of unauthorized access.
The following figure provides sample guidelines on a number of analysis techniques:
|Make Bit Stream Backups|
|Description: The bit stream backup process refers to making an exact bit-by-bit replica of the disk sectors of the systems under the scope of the investigation. Bit stream backups are much more thorough than standard backups. They involve copying every bit of data on a storage device.|
|Process: 1. Identify the devices under the scope of the investigation. 2. Obtain custody of the system (as it is). 3. Calculate the mathematical hash value of the system drives. 4. Update the chain of custody form. 5. Take a bit stream backup of the entire device using suitable bit stream imaging software.|
|Mathematically Authenticate Data|
|Description: Mathematical authentication of data involves calculating hash values and comparing them with the original hash value. Mathematical authentication of data helps in proving the integrity of the evidence, that is, that it has not been tampered with during the course of the investigation.|
|Process: 1. Determine the algorithm used for calculating the original hash values of the evidence. 2. Calculate the hash value of the bit stream backup using the same algorithm as determined in step 1. 3. Compare the hash values obtained in step 2 with the original hash values of the evidence. 4. Document the findings.|
|Document the System Date & Time|
|Description: Capture and document the system date, time and time zone for each item of evidence in scope of the investigation. The captured system date and time help in analyzing the evidence and reconstructing the incident based on the evidence gathered.|
|Process: 1. Identify the devices under the scope of the investigation. 2. Obtain custody of the system (as it is). 3. Note the system time and time zone settings for each system. 4. Update the chain of custody form. 5. Document the findings.|
|Make a List of Key Search Words|
|Description: Key words may include words related to the incident, such as an email address or IP address, that will help in identifying and searching for relevant evidence. Keyword-based search helps in the logical analysis of the evidence.|
|Process: 1. Get the complete background on the incident from the respective stakeholders. 2. Probe and document information related to the incident, such as day, date, time, business risk, suspected users, log files, privileges of the suspects, etc. 3. Based on the information captured in the above steps, make a list of keywords which can be used during the investigation. 4. Keywords can be a person name, file name, date, email address, IP address, etc. 5. Document the findings.|
|Evaluate the Windows Swap File|
|Description: The Windows swap file is a file stored on the computer hard drive that is used as a temporary location to store information that is not currently being used by the computer RAM. Evaluating the Windows swap file might give insight into the activities being carried out before the system was seized for investigation.|
|Process: 1. During the course of the investigation, access the Windows swap file using the forensic analysis tool being used. 2. Manually review the contents of the swap file for recent activity, files accessed, etc. 3. Use the keywords defined for the investigation to search for potential evidence in the Windows swap file. 4. Document the findings along with file names and time stamps.|
|Evaluate Unallocated Space (Erased Files)|
|Description: Generally, when a computer user deletes a file, he/she assumes that it has been thoroughly erased. However, the DOS and Windows “delete” function does not thoroughly erase either file names or file content and instead the storage space associated with such files simply becomes unallocated and available to be overwritten with new files. Unallocated space is often a significant source of information that potentially includes erased files and File Slack Space associated with files that have been “deleted”.|
|Process: 1. During the course of the investigation, use the forensic investigation tools to review the unallocated space. 2. Manually review the contents of the unallocated space for recent activity, files accessed, deleted, renamed, etc. 3. Use the keywords defined for the investigation to search for potential evidence in the unallocated space. 4. Document the findings along with file names and time stamps.|
|Identify File, Program, & Storage Anomalies|
|Description: Encrypted, compressed, and graphic files store data in a binary format and, as a result, a text search program cannot identify text data stored in these file formats. Identify hidden partitions and/or partitions that have been formatted with an operating system other than a DOS-compatible operating system. Image files and deleted partitions may contain important information related to the user and his activities on the system, or information which could be potential evidence.|
|Process: 1. During the course of the investigation, use the forensic investigation tools to identify such files or storage areas. 2. Manually review the contents of the unallocated space for recent activity, files accessed, deleted, renamed, etc. 3. Use the keywords defined for the investigation to search for potential evidence in the unallocated space. 4. Document the findings along with file names and time stamps.|
|Evaluate Program Functionality|
|Description: Depending on the application software involved, it may be necessary to run certain programs to learn their purpose. Evaluating program functionality helps in identifying detrimental services/processes relevant to the investigation, which could be potential evidence to prove willfulness.|
|Process: 1. During the course of the investigation, identify all the software that is installed on the system. 2. Identify all the software executables that are downloaded and stored on the system. 3. Evaluate any suspicious programs or executables. 4. Document the findings along with file names and time stamps.|
Figure 7: Sample Analysis Guidelines
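The four process steps under "Mathematically Authenticate Data" can be carried out as in the following added example, which is not part of the original guideline. The chain-of-custody record layout (`hash_algorithm`, `original_hash`, `evidence_id`) and the sample drive contents are constructed assumptions.

```python
import hashlib
import io
from datetime import datetime, timezone

def hash_stream(stream, algorithm, chunk_size=1 << 20):
    """Hash a stream in chunks so multi-gigabyte images never sit in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def authenticate(stream, custody_record):
    """Run the four process steps against one bit stream backup; return the finding."""
    # Step 1: determine the algorithm used for the original hash.
    algorithm = custody_record["hash_algorithm"].lower().replace("-", "")
    if algorithm not in hashlib.algorithms_guaranteed:
        raise ValueError(f"unsupported algorithm: {custody_record['hash_algorithm']}")
    original = custody_record["original_hash"].strip().lower()
    # A digest of the wrong length means the recorded algorithm cannot be right.
    if len(original) != hashlib.new(algorithm).digest_size * 2:
        raise ValueError("recorded hash length does not fit the recorded algorithm")
    # Step 2: hash the backup with that same algorithm.
    computed = hash_stream(stream, algorithm)
    # Step 3: compare with the original hash value.
    match = computed == original
    # Step 4: document the finding.
    return {
        "evidence_id": custody_record["evidence_id"],
        "algorithm": algorithm,
        "original_hash": original,
        "computed_hash": computed,
        "match": match,
        "verified_at_utc": datetime.now(timezone.utc).isoformat(),
    }

# Constructed sample data standing in for a seized drive and its custody record.
ORIGINAL_DRIVE = bytes(range(256)) * 64
RECORD = {
    "evidence_id": "EV-001 (constructed)",
    "hash_algorithm": "SHA-256",
    "original_hash": hashlib.sha256(ORIGINAL_DRIVE).hexdigest(),
}
TAMPERED_COPY = ORIGINAL_DRIVE[:5000] + b"\x00" + ORIGINAL_DRIVE[5001:]  # one byte altered

if __name__ == "__main__":
    print(authenticate(io.BytesIO(ORIGINAL_DRIVE), RECORD)["match"])
    print(authenticate(io.BytesIO(TAMPERED_COPY), RECORD)["match"])
```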
1.2.5. Sample Computer Evidence Review Form
As established earlier, each captured piece of evidence must be accompanied by a duly completed Evidence Capture Form.
Whenever a forensic analysis is carried out on the device, the findings must be captured in the Computer Evidence Review Form. This assists with maintaining the validity of the forensics results and also works as a reference point for areas to consider. A sample form is provided below, followed by its document version as an attachment for use in practice.
1.1.1. Sample Device Research Form
The above form is accompanied by a Device Research Form in cases where more in-depth research is required for a particular device of interest. All findings are structurally captured and recorded for future reference and audit. This form is very similar to the Evidence Review Form discussed earlier. Please note, this is only for reference purposes, to cover a forensics perspective. Dolphin should feel free to make any amendments as necessary.
A sample form is provided below, followed by its document version as an attachment.