CFC Week 6: The forensics process

Before the forensics

Why did we say that computer information is a double-edged sword in forensics?

On the one hand, this information can provide compelling evidence in an investigation.

On the other hand, it also introduces complexity that can trouble even experienced practitioners.

How does digital forensics differ in practice from conventional forensics?

  • Conventional forensics

    Conventional forensics is based on Locard's Exchange Principle.

    Locard's Exchange Principle: every contact leaves a trace. Physical contact leaves an exchange of physical material.

    Conventional forensics is also called wet forensics: the human body sweats and fingers are greasy, so touching and walking leave fingerprints and footprints.

Why do we need to isolate the crime scene, and how?

To preserve the large number of logs that record actions and interactions, and to prevent the suspect from:

  • covering their digital tracks
  • committing the perfect cybercrime

What are the paramount challenges of crime scene isolation?

More and more devices are hyper-connected.

Why does the crime scene need to be frozen, and how?

Devices are connected to a network or the Internet, so to define the crime scene we have to freeze it and control its range.

Freeze the RAM of the device, and also cut the network (a Faraday cage cancels wireless signals).

Define digital forensics process

A set of methods directed towards the acquisition of legal evidence that is suitable for presentation in a court of law.

i. Acquisition process

“Going there and getting the stuff”

  1. A judge has reasonable suspicion
  2. A warrant indicates what types of devices a forensic examiner can seize (corresponding to the suspicions, due to the principle of proportionality)
  3. The place where a device is found is important in determining whether it is relevant or not (e.g. one hidden in a secret compartment of a drawer, even if that type of mobile phone is not on the list)
  4. Careful documentation of the acquisition process:
    • take photographs
    • tag all the bags with all details
    • watch out for hidden devices in plain sight

ii. Preservation

  1. Provenance and chain of custody are paramount (based on the ACPO principles)

  2. Making bit-for-bit images of all seized media

  3. Use a write-blocker to make all seized drives read-only

  4. Use cryptographic hashes to verify the integrity of the files (MD5 or SHA-2)

  5. In traditional forensics, you can destroy part of the evidence once you are done with interventions like DNA testing:

    the sample used in testing may be destroyed after the test.

    In computer forensics, however, steps 2 and 3 are required so that the evidence remains available in the future.
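The preservation steps above (bit-for-bit imaging, read-only source, MD5/SHA-2 digests, custody record) can be demonstrated in a few lines of Python. This is an added example, not code from the course notes: the "device" is a constructed temporary file, the examiner name is a placeholder, and the custody record format is an assumption of this example rather than any standard form.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size; hashing is streamed so large images fit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Compute several digests over a file in a single streaming pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_media(source, image, examiner):
    """Bit-for-bit copy of `source` to `image`; returns a custody record (assumed format).

    The source is opened read-only (a hardware write-blocker would enforce this at
    the device level) and hashed while it is read; the finished image is then
    hashed independently so the two digests can be compared.
    """
    source_hashes = {name: hashlib.new(name) for name in ("md5", "sha256")}
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for h in source_hashes.values():
                h.update(chunk)
            dst.write(chunk)
    record = {
        "source": source,
        "image": image,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size": os.path.getsize(image),
        "hashes": {name: h.hexdigest() for name, h in source_hashes.items()},
    }
    # Acquisition verification: the image must hash identically to the source.
    if hash_file(image) != record["hashes"]:
        raise RuntimeError("image does not match source; acquisition failed")
    return record


def verify_image(image, record):
    """Re-hash the image and compare with the digests recorded at acquisition."""
    return hash_file(image, tuple(record["hashes"])) == record["hashes"]


def demo():
    """Constructed walk-through: image a fake 'device', verify, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.bin")
        image = os.path.join(tmp, "device.dd")
        with open(device, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 123))  # constructed sample content
        record = image_media(device, image, examiner="examiner-placeholder")
        ok_before = verify_image(image, record)
        with open(image, "r+b") as fh:  # flip one byte of the image (XOR 0xFF always changes it)
            fh.seek(CHUNK + 7)
            original = fh.read(1)[0]
            fh.seek(CHUNK + 7)
            fh.write(bytes([original ^ 0xFF]))
        ok_after = verify_image(image, record)
        return ok_before, ok_after, json.dumps(record, indent=2)


if __name__ == "__main__":
    before, after, custody_json = demo()
    print(custody_json)
    print("verified after acquisition:", before, "| verified after tampering:", after)
```

Both digests are computed in one pass so the media is only read once; the second `hash_file` over the finished image is the check that the copy is really bit-for-bit. Any later change, even a single byte, makes `verify_image` return False.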

iii. Searching

Searching aims to reduce the data volume to a manageable and reviewable level, but it has the potential to impact the completeness and accuracy of an investigation.

Search Method

Keyword searching (does not work on encoded or encrypted files; other tools exist for those)

Other tools for special files (compressed, encoded, encrypted or password-protected files)

  • What if you find evidence of another crime?

    1. Start an independent process with its own warrant
    2. Collecting evidence for that crime under the current warrant is not allowed
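The point that plain keyword searching misses compressed or encoded files is easy to show. The following is an added example, not part of the course notes: it builds a handful of constructed sample "files" (plain text, gzip, base64, a zip archive, and base64 wrapped around gzip), runs a naive byte search over them, and then runs a search that peels each recoverable layer first. The layer names and the three-layer limit are choices of this example.

```python
import base64
import binascii
import gzip
import io
import zipfile

MAX_DEPTH = 3  # how many layers of encoding/compression to peel before giving up


def build_samples():
    """Constructed sample 'files' for the demonstration; not real evidence."""
    text = b"Quarterly invoice list: customer 42, account FAKE-0001\n"
    gz = gzip.compress(text)
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", text)
    return {
        "readme.txt": text,
        "archive.gz": gz,
        "mail.b64": base64.b64encode(text),
        "bundle.zip": zbuf.getvalue(),
        "nested.b64": base64.b64encode(gz),  # two layers: base64 over gzip
        "unrelated.txt": b"nothing of interest here\n",
    }


def raw_keyword_hits(blobs, keyword):
    """Plain keyword search over the raw bytes of each item, as a naive tool does."""
    return sorted(name for name, data in blobs.items() if keyword in data)


def peel(data):
    """Yield (layer, bytes) for every representation recoverable from `data`."""
    try:
        yield "gzip", gzip.decompress(data)
    except (OSError, EOFError):
        pass
    try:
        yield "base64", base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        pass
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                try:
                    yield "zip:" + info.filename, zf.read(info)
                except RuntimeError:
                    # Password-protected member: cannot be searched without the password,
                    # which is exactly the case keyword search cannot handle on its own.
                    yield "zip-encrypted:" + info.filename, b""


def expanded_keyword_hits(blobs, keyword):
    """Search each item and every layer recoverable beneath it (depth-limited)."""
    hits = {}

    def walk(name, data, path, depth):
        if name in hits:
            return
        if keyword in data:
            hits[name] = path or "raw"
            return
        if depth >= MAX_DEPTH:
            return
        for layer, inner in peel(data):
            walk(name, inner, f"{path}>{layer}" if path else layer, depth + 1)

    for name, data in blobs.items():
        walk(name, data, "", 0)
    return hits


if __name__ == "__main__":
    samples = build_samples()
    print("raw search:     ", raw_keyword_hits(samples, b"invoice"))
    print("expanded search:", expanded_keyword_hits(samples, b"invoice"))
```

The raw search reports only `readme.txt`; the expanded search also finds the gzip, base64, zip and nested items and records which layers had to be removed. Truly encrypted content remains invisible to both, which is why the notes list separate tooling for encrypted and password-protected files.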

iv. Analysis of evidence

Analysis aims to explain what the evidence signifies:

  1. Correlate the evidence with your hypothesis
  2. Explain its timeline
  3. Identify what has happened
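Building the timeline is where evidence from different sources gets correlated, and the first trap is that each source records time differently. As an added example (not from the course notes), the code below takes three constructed sources, a web access log with a +0100 offset, endpoint agent events already in UTC, and a file modification time as a Unix epoch, normalises everything to UTC and sorts it; it also shows the wrong order you get by sorting wall-clock times without normalising. The log lines, IP addresses and paths are all constructed, and the record layout is this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample evidence from three sources; none of this is real data.
ACCESS_LOG = [  # web server access log, timestamps carry an explicit +0100 offset
    '203.0.113.7 - alice [10/Mar/2022:14:03:11 +0100] "GET /admin/export HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Mar/2022:14:00:02 +0100] "GET /index.html HTTP/1.1" 200 312',
]
AGENT_EVENTS = [  # endpoint agent events, ISO 8601 in UTC
    ("2022-03-10T13:01:45Z", "logon success user=alice src=203.0.113.7"),
    ("2022-03-10T13:04:02Z", "file created C:\\Users\\alice\\export.zip"),
]
FS_METADATA = [  # file-system modification time as Unix epoch seconds (UTC)
    ("C:\\Users\\alice\\export.zip", 1646917442),
]

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_access(line):
    """Parse one access-log line; keep both the UTC time and the local wall-clock time."""
    m = ACCESS_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised access log line: {line!r}")
    local = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"time": local.astimezone(timezone.utc), "wallclock": local.replace(tzinfo=None),
            "source": "web", "actor": m["ip"], "user": m["user"], "event": m["req"]}


def parse_agent(ts, message):
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": t, "wallclock": t.replace(tzinfo=None),
            "source": "agent", "actor": "", "user": "", "event": message}


def parse_fs(path, epoch):
    t = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return {"time": t, "wallclock": t.replace(tzinfo=None),
            "source": "fs", "actor": "", "user": "", "event": f"mtime {path}"}


def build_timeline(normalise=True):
    """Merge all sources into one ordered sequence.

    With normalise=True every event is ordered by its UTC instant; with
    normalise=False the raw wall-clock values are compared, which misplaces the
    +0100 web events by an hour and inverts cause and effect.
    """
    events = ([parse_access(line) for line in ACCESS_LOG]
              + [parse_agent(ts, msg) for ts, msg in AGENT_EVENTS]
              + [parse_fs(path, epoch) for path, epoch in FS_METADATA])
    key = "time" if normalise else "wallclock"
    events.sort(key=lambda e: (e[key], e["source"]))
    return events


def linkage(events, needle):
    """Who interacted with whom: every event mentioning `needle` in any text field."""
    return [e for e in events
            if any(needle in v for v in e.values() if isinstance(v, str))]


if __name__ == "__main__":
    for e in build_timeline():
        print(e["time"].strftime("%Y-%m-%d %H:%M:%SZ"), e["source"].ljust(5), e["event"])
    print("--- unnormalised wall-clock order (wrong) ---")
    for e in build_timeline(normalise=False):
        print(e["wallclock"], e["source"].ljust(5), e["event"])
    print("--- events linked to 203.0.113.7 ---")
    for e in linkage(build_timeline(), "203.0.113.7"):
        print(e["time"].strftime("%H:%M:%SZ"), e["event"])
```

In UTC the sequence reads logon, export request, file created, matching the hypothesis that the download produced the file; sorted on wall-clock strings the export request lands after the file creation, which is the kind of sequencing error that undermines the analysis. `linkage` is the simplest form of the "who interacted with whom" question from the investigative methodology below.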

v. Evaluation of evidence

Evaluation aims to confront the evidence:

  1. Assess how strong the evidence is
  2. Challenge your own hypothesis using the evidence
  3. Know how compelling the evidence is

vi. Reporting

Reporting aims to inform how the forensic analysis has reached its conclusion.

It should be done in a form and style that lets both:

  1. Technical experts validate the findings
  2. Legal personnel and juries understand it

Putting what the evidence means in layman's terms in the executive summary helps.

Admissibility

Evidence has to be first-hand information: original, not hearsay.

Authenticity

Evidence should be genuine, with clear authentication that it is what it claims to be.

Its correctness is determined later by the court and judge on the basis of the evidence (we only use the evidence to argue that the hypothesis and the evidence are correct).

Accuracy

Evidence should provide precise, clear and not vague information.

Completeness

Evidence should be self-contained and not partial.

Probative value

Evidence should be probative; if the evidence's danger outweighs its value, the court can exclude it.

Dangers of evidence:
  1. introduce unfair prejudice
  2. confuse the issues
  3. mislead the jury
  4. introduce undue delay, waste time, or simply present cumulative evidence

List and describe the key steps of the investigative methodology

Fundamental questions relating to a crime:
  1. Sequencing (when did things happen?)
  2. Linkage (who interacted with whom?)
  3. Evaluation of source (the origin of items)
  4. Attribution (who is responsible?)

What is the scientific method?

The scientific method is a cyclic process; its steps are repeated until a conclusion is reached.

  1. Gather information and make observations: use all the evidence you have access to

    • Process legal evidence: 1. Acquire 2. Preserve 3. Search 4. Verify integrity 5. Authenticate
    • Process digital evidence: 1. Preprocess 2. Salvage deleted data 3. Handle special files 4. Filter out irrelevant data 5. Extract embedded metadata
  2. Form a hypothesis to explain the observations: develop possible explanations

  3. Evaluate the hypothesis: aims to suppress biases and hunches, and tries to disprove the current working hypothesis through experiment

    • Avoid confirmation bias: do not skew your thinking and analysis in favour of the working hypothesis
  4. Draw conclusions and communicate findings: communicate the explanations supported by the evidence to decision makers

Understand the capabilities of the tools
  1. Understand the capabilities of the tools
  2. Use multiple tools when possible

List the functions of forensic analysis

  1. Attribution of activities: aims to attribute computer activities to a particular person

    To prevent a person from denying responsibility for the illegal activities, we can use:

    • personal communications
    • access to online banking or e-commerce accounts
  2. Assessing alibis: use evidence from multiple sources

  3. Determining intent: analyse

    • Internet search history
    • suspicious behaviours
    • notes and plans
  4. Evaluating sources: reveal the source of the evidence, and where it was produced or altered.

    Comparing the evidence with an exemplar can reveal useful information.

  5. Document authentication:

    • look for nuances in date-time stamps

    • look for metadata within files

    • extract attributes buried within storage media

The e-discovery process

What is the e-discovery process?

Exchange of data between parties in civil or criminal litigation.

The process is largely controlled by attorneys, who determine what data should be produced based on relevance, or withheld based on claims of privilege.

Electronic Discovery Reference Model

    1. Preservation

    Ensuring that ESI is protected against inappropriate alteration or destruction.

    2. Collection

    Gathering ESI for further use in the e-discovery process (processing, review, etc.).

    3. Processing

    Reducing the volume of ESI and converting it, if necessary, to forms more suitable for review and analysis.

    4. Review

    Evaluating ESI for relevance and privilege.

    5. Analysis

    Evaluating ESI for content and context, including key patterns, topics, people and discussion.

    6. Production

    Delivering ESI to others in appropriate forms and using appropriate delivery mechanisms.

    7. Presentation

    Displaying ESI before audiences (at depositions, hearings, trials, etc.), to elicit further information, validate existing facts or positions, or persuade an audience.

Licensed under CC BY-NC-SA 4.0
Last updated on May 07, 2022 15:25 +0100