Original Post Date: June 19, 2014
What is the 'Forensic Methodology'?
One of the things that can serve to separate a digital forensic examiner from others is the ability to explain very technical subjects in layman's terms. Now, we don't like the term "layman". It sounds pedestrian and a little insulting, depending on the context. So we prefer to use terms like "understandable", "realistic" or even "pragmatic". The fact is we're all surrounded by technology we may or may not understand totally... or even partially! To that end, we will strive to write and post articles that should be understandable to most people who may read them.
When we talk about digital forensics, and if you visit our website (www.prodigital4n6.com), we emphasize the "forensic methodology". But what does that mean? The forensic methodology is a term that is universal across all disciplines in science, whether you're examining archaeological artifacts, insects, physical crime scenes or data in digital format. Simply put, the forensic methodology is the study of items of particular interest in a particular set of circumstances in their purest form possible. For example, at a crime scene, Forensic Crime Scene Investigators strive to document, collect and report evidence in the state in which it was discovered, so as to gain the purest perspective about what was going on prior to their arrival, based upon the physical characteristics of the scene.
Think of the forensic methodology in terms of taking a photograph. Yes, we know no one takes actual photographs these days, but we hope that most people reading are familiar with the basic concept of film photography... When one takes a photograph, a snapshot in time is recorded. A "blueprint" or negative of the photograph is placed upon the film and cannot be altered. It can be destroyed at that stage, but generally speaking, that isn't the goal of most photographers. When the film is developed, the negative is processed and the actual photograph is created through the use of chemicals that render the picture viewable by the user. That snapshot in time, that picture of what was going on at that particular moment, cannot be altered, at least not without extreme effort that most people won't bother with. At that point, a trained eye could choose to use special tools to enlarge the picture for examination, or use a simple device such as a magnifying glass to examine the picture in detail, record what they see and report the findings to any interested parties. The content of the picture itself is not altered, only examined using specialized tools and extensive training. The forensic methodology in digital forensics is no different...
When a piece of digital evidence is recovered, be it a computer hard drive, thumb drive, CD/DVD, smart phone or data card, it is immediately documented where it was located and in what state it was found, and then packaged for preservation. Documentation starts here: the item's location is noted, along with who found or collected it, and the item is numbered using a standard logging format. Documentation, however, certainly doesn't end here.
Once the evidence is ready to be examined, we don't simply turn on the computer or plug the data card into the card reader on a forensic machine... this would be directly against the forensic methodology, because simply by performing one of those basic actions, a small (or large) part of that evidence would be altered. In some cases this is necessary anyway, almost as a last resort, but when that happens, documentation is extremely important. Instead, in order to preserve the evidence in the state in which it was collected, we use special tools and/or software to prevent any of the data on that media from being changed. Even after that's done, we don't examine the media directly. A forensic copy or "image" is made of the media. These special file types are designed to maintain the integrity of the evidence and are verified many, many times during the imaging process to ensure their validity. While much of this work is done by automated forensic tools, the validity must be verified and documented by the examiner. This initial step in the forensic methodology is fairly simple and routine, but perhaps one of the most important. If these initial actions aren't undertaken, it opens the door to questions about possible alteration of the evidence, the validity of the processes leading up to the examination of the data and, perhaps most importantly, the effectiveness of the Digital Forensic Examiner, whose findings may be somewhat inconsequential, but may also serve to put someone in prison for a long time, depending on the type of case. The bottom line is, the examiner may not know the scope of the case until well into the examination, so every case must be treated the same in the initial stages, to maintain uniformity in process and to ensure no questions about the process or the examiner's professional integrity are raised in later proceedings.
So why do we make an image (copy) of the evidence to work from? There are several reasons. First, as stated, we don't want to take any chances of altering the original evidence. Second, most Digital Forensic Examiners know one law all too well: Murphy's Law. For those of you who don't know Murphy, he's a stalwart Irishman who very wisely observed, "Whatever can go wrong, will go wrong, and at the absolute wrong time". This "law" illustrates probably the unofficial biggest reason for making a copy of the evidence... because even if we tried to examine a hard drive using write-blocking devices to ensure the evidence wouldn't be altered, chances are the hard drive would crash and we'd lose all the data and any evidence contained therein... and if Murphy's Law follows, this would probably happen in the middle of an examination in a homicide or child exploitation case. By making a copy (image) of that data, we preserve the original, which is safely locked away after the image is created, just in case we need to go back and make another image due to a file corruption or other incident that Murphy probably dealt with at some point. It should be noted that the image files examined during the forensic examination cannot be altered by the normal user. They are self-contained in their own "shell", and that shell is protected by algorithms and values that would be reported if violated. In fact, almost all respectable forensic software tools will verify the integrity of the image file every time the file is loaded, prior to examination.
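The two ideas above, verifying the copy against the original during imaging and re-verifying the image every time it is loaded, can be modelled in a few lines. This is an added example, not code from the original post or from Pro Digital Forensic Consulting; it assumes SHA-256 as the integrity algorithm (the post names none) and uses a constructed byte string in place of real media.

```python
# Added example: acquisition hash check plus verify-on-load, as described in the post.
# Assumes SHA-256 as the integrity algorithm; the media bytes are constructed.
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks, the way imaging tools stream a drive


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of a byte sequence, computed chunk by chunk."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def acquire_image(source: bytes, examiner: str, item_no: str) -> dict:
    """Copy the source, hash both sides, and return the image together with
    the log entry an examiner would document for the acquisition."""
    image = bytes(source)  # the forensic copy of the media
    src_hash, img_hash = hash_bytes(source), hash_bytes(image)
    return {
        "item": item_no,
        "examiner": examiner,
        "acquired": datetime.now(timezone.utc).isoformat(),
        "size": len(image),
        "sha256": src_hash,
        "verified": src_hash == img_hash,  # copy matches original at acquisition
        "data": image,
    }


def verify_on_load(record: dict) -> tuple:
    """Re-hash the image before examination and report any mismatch with
    the value recorded at acquisition (what forensic tools do on every load)."""
    current = hash_bytes(record["data"])
    if current != record["sha256"]:
        return False, f"INTEGRITY VIOLATION: expected {record['sha256']}, got {current}"
    return True, "image verified"


if __name__ == "__main__":
    media = b"\x00" * 4096 + b"evidence file contents" + b"\xff" * 1024  # constructed sample
    rec = acquire_image(media, "EXAMINER-NAME", "ITEM-001")  # placeholder values
    print(json.dumps({k: v for k, v in rec.items() if k != "data"}, indent=2))
    print(verify_on_load(rec))
    rec["data"] = rec["data"][:-1] + b"\x00"  # simulate a single altered byte
    print(verify_on_load(rec))
```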
To sum up, the forensic methodology entails documentation, collection and preservation of the evidence in the purest form possible from the moment of discovery. This ensures the integrity of the physical piece of evidence, the digital evidence contained therein, the validity of any findings during examination and, perhaps most important, the professional integrity of the examiner.
Thanks for reading! Hope you stayed awake!
Author:
Patrick J. Siewert
Owner, Lead Forensic Examiner
Pro Digital Forensic Consulting
www.ProDigital4n6.com