Friday, January 2, 2015

What is the 'Forensic Methodology'?

Original Post Date:  June 19, 2014

One of the things that can separate a digital forensic examiner from others is the ability to explain very technical subjects in layman's terms.  Now, we don't like the term "layman".  It sounds pedestrian and a little insulting, depending on the context, so we prefer terms like "understandable", "realistic" or even "pragmatic".  The fact is, we're all surrounded by technology we may or may not understand totally... or even partially!  To that end, we will strive to write and post articles that should be understandable to most people who read them.

When we talk about digital forensics, and if you visit our website (www.prodigital4n6.com), we emphasize the "forensic methodology".  But what does that mean?  The forensic methodology is universal across the forensic sciences, whether you're examining archaeological artifacts, insects, physical crime scenes or data in digital format.  Simply put, the forensic methodology is the study of items of interest, in a particular set of circumstances, in the purest form possible, meaning as close as possible to the state in which they were found.  For example, at a crime scene, Forensic Crime Scene Investigators strive to document, collect and report evidence in the state in which it was discovered, so as to gain the purest perspective, based upon the physical characteristics of the scene, of what was going on prior to their arrival.
Think of the forensic methodology in terms of taking a photograph.  Yes, we know no one takes actual photographs on film these days, but we hope that most people reading are familiar with the basic concept of film photography...  When one takes a photograph, a snapshot in time is recorded.  The negative, the "blueprint" of the photograph, is fixed on the film and cannot be altered.  It can be destroyed at that stage, but generally speaking, that isn't the goal of most photographers.  When the film is developed, chemicals render the negative into the actual photograph so the picture can be viewed.  That snapshot in time, that picture of what was going on at that particular moment, cannot be altered, at least not without extreme effort that most people won't bother with.  At that point, a trained eye could use special tools to enlarge the picture for examination, or use a simple device such as a magnifying glass to examine the picture in detail, record what they see and report the findings to any interested parties.  The content of the picture itself is not altered, only examined, using specialized tools and extensive training.  The forensic methodology in digital forensics is no different...

When a piece of digital evidence is recovered, be it a computer hard drive, thumb drive, CD/DVD, smart phone or data card, it is immediately documented where it was located and in what state it was found (powered on or off, connected to what), and then it is packaged for preservation.  Documentation starts here by noting its location and who found or collected it, and by numbering it using a standard logging format.  A practical caveat for phones and other networked devices: if the device is powered on, it is isolated from all networks (airplane mode, a Faraday bag or both) before it is packaged, so that a remote wipe or newly arriving messages cannot change what is on it.  Documentation, however, certainly doesn't end here.
Once the evidence is ready to be examined, we don't simply turn on the computer or plug the data card into the card reader on a forensic machine... this would be directly against the forensic methodology, because simply by performing one of those basic actions a small (or large) part of that evidence would be altered.  In some cases, such as a running system holding encrypted volumes or data that exists only in memory, this is necessary anyway, almost as a last resort, but when that happens, documenting exactly what was done and when is extremely important.  No, in order to preserve the evidence in the state in which it was collected, we use special hardware and/or software (write blockers) that prevent any of the data on that media from being changed while it is read.  Even after that's done, we don't examine the media itself.  A forensic copy or "image" is made of the media.  These image formats are designed to maintain the integrity of the evidence: a cryptographic hash (MD5, SHA-1 or SHA-256, often more than one) is computed over the data as it is read, stored with the image, and compared against a fresh hash of the finished image and of the original media.  Many formats also store a checksum for every block, so a damaged copy can be pinpointed rather than merely detected.  While much of this work is done by automated forensic tools, the matching hash values must be verified and documented by the examiner.  This initial step in the forensic methodology is fairly simple and routine, but perhaps one of the most important.  If these initial actions aren't undertaken, it opens the door to questions about possible alteration of the evidence, the validity of the processes leading up to the examination of the data and, perhaps most importantly, the effectiveness of the Digital Forensic Examiner, whose findings may be somewhat inconsequential, but may also serve to put someone in prison for a long time, depending on the type of case.  The bottom line is, the examiner may not know the scope of the case until well into the examination, so every case must be treated the same in the initial stages to maintain uniformity in process and to ensure no questions about the process or the examiner's professional integrity are raised in later proceedings.

So why do we make an image (copy) of the evidence to work from?  There are several reasons.  As stated, we don't want to take any chances of altering the original evidence.  Second, most Digital Forensic Examiners know one law all too well:  Murphy's Law.  For those of you who don't know Murphy, he's a stalwart Irishman who very wisely observed "Whatever can go wrong, will go wrong, and at the absolute wrong time".   This "law" is probably the unofficial biggest reason for making a copy of the evidence: even if we tried to examine a hard drive through a write blocker to ensure the evidence wouldn't be altered, chances are the hard drive would crash and we'd lose all the data and any evidence contained therein... and if Murphy's Law holds, this would happen in the middle of an examination in a homicide or child exploitation case.  By making a copy (image) of that data, we preserve the original, which is safely locked away after the image is created, just in case we need to go back and make another image due to a file corruption or some other incident that Murphy probably dealt with at some point.  It should be noted that the image files examined during the forensic examination cannot be quietly altered: the file itself could be changed like any other file, but the hash values stored with the image (and the per-block checksums, where the format has them) would no longer match, and the tampering or corruption would be reported.  In fact, almost all respectable forensic software tools verify the integrity of the image file against those stored values every time the file is loaded, prior to examination.
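To make the "algorithms and values" concrete, here is an added illustration in Python.  It is not the author's code and not any real forensic tool's file format; it sketches the scheme the text describes (and that formats such as EnCase's E01 use): read the evidence through a write blocker, image it block by block while recording a CRC32 per block and MD5/SHA-256 over the whole stream, then verify the image against those stored values and re-hash the original media to confirm it matches.  The WriteBlocker class, the manifest layout, the 64 KiB block size and the 256 KiB "drive" are all constructed for this example.

```python
import hashlib
import zlib

CHUNK_SIZE = 64 * 1024  # assumed block size; real formats use their own fixed block size


class WriteBlocker:
    """Stand-in for a hardware/software write blocker (constructed for this example):
    the evidence media can be read, but any attempt to write raises, so nothing the
    acquisition does can alter the source."""

    def __init__(self, device: bytes):
        self._device = bytes(device)

    def size(self) -> int:
        return len(self._device)

    def read(self, offset: int, length: int) -> bytes:
        return self._device[offset:offset + length]

    def write(self, offset: int, data: bytes) -> None:
        raise PermissionError("write blocked: evidence media is read-only")


def acquire(evidence: WriteBlocker, chunk_size: int = CHUNK_SIZE):
    """Image the evidence block by block. Returns the image bytes plus a manifest
    holding one CRC32 per block and MD5/SHA-256 over the whole stream, computed
    from exactly the bytes that went into the image."""
    image = bytearray()
    chunk_crcs = []
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for offset in range(0, evidence.size(), chunk_size):
        chunk = evidence.read(offset, chunk_size)
        image += chunk
        chunk_crcs.append(zlib.crc32(chunk))
        md5.update(chunk)
        sha256.update(chunk)
    manifest = {
        "size": evidence.size(),
        "chunk_size": chunk_size,
        "chunk_crcs": chunk_crcs,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }
    return bytes(image), manifest


def verify_image(image: bytes, manifest: dict):
    """Re-hash an image and compare with its manifest, as a tool does on every load.
    Returns (ok, problems); the per-block CRCs name which block is damaged."""
    problems = []
    if len(image) != manifest["size"]:
        problems.append(f"size mismatch: {len(image)} != {manifest['size']}")
    cs = manifest["chunk_size"]
    for idx, expected in enumerate(manifest["chunk_crcs"]):
        if zlib.crc32(image[idx * cs:(idx + 1) * cs]) != expected:
            problems.append(f"chunk {idx} CRC mismatch")
    if hashlib.md5(image).hexdigest() != manifest["md5"]:
        problems.append("MD5 mismatch")
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        problems.append("SHA-256 mismatch")
    return (not problems, problems)


def source_hash_matches(evidence: WriteBlocker, manifest: dict) -> bool:
    """Post-acquisition check: hash the original media again (still through the
    write blocker) and compare with the manifest, showing the image equals the
    source and that the source was not changed by the imaging."""
    sha256 = hashlib.sha256()
    for offset in range(0, evidence.size(), manifest["chunk_size"]):
        sha256.update(evidence.read(offset, manifest["chunk_size"]))
    return sha256.hexdigest() == manifest["sha256"]


# Constructed sample "drive": 256 KiB of patterned data, not a real evidence image.
SAMPLE_DRIVE = bytes(range(256)) * 1024

if __name__ == "__main__":
    evidence = WriteBlocker(SAMPLE_DRIVE)
    image, manifest = acquire(evidence)
    print("acquisition SHA-256:", manifest["sha256"])
    print("image verifies:", verify_image(image, manifest)[0])
    print("source still matches image:", source_hash_matches(evidence, manifest))
    # Murphy at work: one flipped bit in the working copy, e.g. a bad sector on the
    # examination drive. The image no longer loads clean, and block 1 is named.
    tampered = bytearray(image)
    tampered[100_000] ^= 0x01
    print("damaged image verifies:", verify_image(bytes(tampered), manifest))
```

The point of recording both per-block checksums and whole-stream hashes is the one the paragraph makes: the whole-stream hash proves the copy is (or is not) identical to what was acquired, while the per-block values tell you which block to re-read or re-image from the locked-away original.  Neither prevents a file from being edited; they make any edit or corruption show up the next time the image is verified.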

To sum up, the forensic methodology entails documentation, collection and preservation of the evidence in the purest form possible from the moment of discovery.  This ensures the integrity of the physical piece of evidence, the integrity of the digital evidence contained therein, the validity of any findings during examination and, perhaps most important, the professional integrity of the examiner.

Thanks for reading!  Hope you stayed awake! 

Author:
Patrick J. Siewert
Owner, Lead Forensic Examiner
Pro Digital Forensic Consulting
www.ProDigital4n6.com