IV
see attached
3 months ago
4
Scenario.docx
UnitIV.pdf
Scenario.docx
Scenario: You are working a very disturbing case involving an individual who committed numerous heinous crimes against individuals. You have seen the individual’s disturbing images and videos while procuring forensic evidence from the perpetrator’s cell phone and the abundance of digital evidence stored on external drives and a home computer.
You were given the evidence after your predecessor was removed for not following the correct chain-of-custody procedures as outlined in the department’s standard operating procedures when gathering digital evidence.
While preparing the evidence for court, you find several irregularities in the way the evidence was secured for analysis. First, there was no write blocker installed, that would allow investigators to examine the data without risk of altering it.
You find still more irregularities that could make the digital evidence inadmissible in a court of law. Without the proper steps taken in the chain of custody, the court may find the evidence cannot be trusted.
Do you attempt to help convict this individual by going back and falsifying the chain of custody or do you allow justice to take its course? If the evidence is thrown out in court, who do you think will be blamed, you or your predecessor?
Your journal entry must be at least 200 words in length. No references or citations are necessary.
UnitIV.pdf
FRN 4302, Digital Forensics Applications 1
Course Learning Outcomes for Unit IV Upon completion of this unit, students should be able to:
6. Analyze digital forensics evidence for reporting procedures. 6.1 Explain the accepted documentation procedures used in investigations. 6.2 Discuss the importance of evidence identification and preservation. 6.3 Identify tools used in digital forensics investigations.
Required Unit Resources Chapter 6: Documenting the Investigation Chapter 7: Admissibility of Digital Evidence Unit Lesson
Documenting Digital Evidence: Image Method In Unit III, you learned more about gathering digital forensics evidence, which includes the proper ways to acquire, handle, and analyze digital evidence. You also explored essential techniques used to investigate offenses, such as the image method for investigating financial frauds and diagnosing hardware networks for forensic evidence. In Unit IV, you will learn more about documenting the digital evidence acquired using the image method. You will get more details regarding image documentation in a crime scene, seizing digital evidence, and handling and documenting digital evidence using the image method. The unit also explores various image forensics tools used in documenting digital evidence and the last step of the image documenting process, which involves image report writing.
Image Documenting a Crime Scene As mentioned in the previous lesson, the first phase of the investigation handling process is the preparation stage. This needs to be completed before conducting an assessment to acquire digital evidence. The aim of the preparation phase is to ensure that the infrastructure and operation can support forensic investigations. A forensic investigator should have everything required to document a digital crime scene. Documenting a crime scene involves creating or developing a critical record of a digital crime scene for investigation. The National Institute of Justice states that it is essential for forensics investigators to document the location and details of the scene. The power status, state, and condition of all storage media and other electronic devices, including the internet, and network access need to be recorded (Mukasey et al., 2008). When documenting the crime scene, investigators may be required to move storage devices, computers, or other electronic devices in order to find their serial numbers or other critical identifiers. However, moving such devices while they are powered on could jeopardize digital evidence. Therefore, devices should be powered off before moving them. Documentation of a digital crime scene must include the entire location, including the following:
• type of computers, • location of the computers,
UNIT IV STUDY GUIDE Digital Forensics Documentation
FRN 4302, Digital Forensics Applications 2
UNIT x STUDY GUIDE Title
• position of the computers, and • computers peripheral equipment and other components (Mukasey et al., 2008).
For image documentation of a crime scene, the most effective technique to ensure legal admissibility is the drive-imaging process. Before the forensic investigator starts evidence analysis from a source, they should first take an image of it. An investigator establishes a digital duplication of it by imaging a storage device or drive (Carrier & Spafford, 2003). Image documentation of all electronic media assists the examiner in retaining digital evidence for the investigation. Investigators should also document images of wiped or formatted drives because these may retain important and pertinent data. According to Carrier and Spafford (2003), a digital file must be documented using its entire file name path; the disk sector that stores it; and its file system cluster. Also, browsing and network information may be documented with the target and source addresses across different network layers.
Image-Seizing Digital Evidence Crucial to a forensic investigation is the seizing phase of the digital crime scene. Before the examiner starts the actual analysis or examination, seizure of digital media associated with the crime investigation needs to occur. Most criminal investigations see law enforcement officers and trained forensic technicians collaborating to ensure that digital evidence is not destroyed or tampered with whilst seizure is taking place (Reddy, 2019). The seizure phase of digital evidence is governed by different rules and regulations, including legislation relating to search warrants that may apply in the case. Forensic investigators seizing and collecting digital evidence should prevent cross-contamination. Therefore, before analyzing the seized evidence, an image or duplicate work copy of the original computer storage device should be created. Seized devices such as mobile phones need to be switched off immediately in order to preserve the call logs and cell tower location data. Turning off these devices also prevents them from being used; something that may damage or change the digital evidence. Also, if they are left on, destruction commands could be remotely issued, thus altering the digital evidence (National Forensic Science Technology Center [NFSTC], n.d.). After seizure of digital evidence by forensics personnel, a forensic image of evidence is developed to aid further analysis. The forensic image includes a bit-stream copy. This forms part of the storage device’s hybrid hard drive (HDD) or solid-state drive (SSD) digital copy (Reddy, 2019). Forensic images of seized digital evidence include the encase image file (E01) and disk dump (dd); the latter consists of all directories as well as those files that have been wiped from the seized storage device. In order to preserve the seized evidence for court, investigators usually create the image using hashing process to prevent damage or tampering with the overall content (Reddy, 2019).
Image Documentation and Handling Evidence Having analyzed and examined seized evidence, forensics investigators are responsible for reporting their findings fully and accurately. Image documentation is an ongoing activity throughout the examination process, making it crucial for fully recording of all procedures followed (U.S. Department of Justice [DOJ], 2004). The DOJ states that image documentation should be in sync with the assessment and retained notes should be in line with the respective department’s policies, rules, and regulations. There are several items that should be documented to help the investigator complete the process:
• consultations with the forensic investigators and prosecutors; • a copy of the search authority; • original request for examination assistance; • chain of custody documentation; • detailed information of the image; • record of key times, dates and descriptions; • relevant irregularities present and actions taken; • additional information such as a list of all authorized users and passwords; and • operating systems, versions of software, and current installed patches (DOJ, 2004).
As a rule of thumb, forensic investigators are expected to concentrate their efforts on the duplicate image only and not the original digital media or evidence (Reddy, 2019). If initial digital evidence is to be presented at
FRN 4302, Digital Forensics Applications 3
UNIT x STUDY GUIDE Title
court, forensic investigators should limit their actions on it. They are required to prove that the evidence is unaltered by presenting digital time stamps, cryptographic hash values, and identifying those legal procedures that have been followed. When examiners create an image of a computer or storage device for analysis, a cryptographic hash value is generated (MD5, SHA-1) (Reddy, 2019). The purpose of this hash value is to authenticate and verify the duplicate image as the actual copy of the original. Chain-of-custody (CoC) forms need to be created in the documentation phase. When examiners search, collect, and transfer suspect media, they should document all files and folders transferred along with evidence on CoC forms (Reddy, 2019). When they hand off the media, they should capture dates and digital signatures.
Image Forensic Tools for Documenting an Investigation Forensic investigators must be ready to prove the methods or procedures applied and documentation criteria used. The National Institute of Standards and Technologies (NIST) approve various methods. NIST typically tests the imaging software through standard methodologies, where the forensic investigator can compare a set of tools and select the one that meets his/her needs (Nelson et al., 2015). The forensic tools that help the investigators to answer related questions are suitable. According to the National Institute of Justice, RAND (as cited in Novak et al., 2019) has created “an open-source digital forensics processing application” (p. 4), whose primary purpose is to lessen the time consumed in conducting forensic investigations of information and data stored on computers or desktops using their images. The Digital Forensics Computer Cluster (DFORC2) has the capability of conducting parallel processing of “stand-alone high performance servers or cloud computing devices” (Novak et al., 2019, p. 4). DFORC2 software applies the open-source software packages like Apache Kafka, dc3dd, and Apache Spark. The investigator interacts with the software application through Autopsy; an open-source digital forensic tool used by government and law enforcement agencies to reduce complexity from investigations. The DFORC2 can also utilize the Kubernetes Cluster Manager, which is responsible for providing auto-scaling, especially when it is used in conjunction with an appropriate cloud-computing service (Novak et al., 2019).
Image Report Writing After completing the forensic analysis of the imaged digital evidence, the forensic investigator should present all the relevant results and findings in the form of a report. Here, forensic investigators cannot present their opinions or personal views. The image report should be precise, providing a clear conclusion drawn from the in-depth analysis of the image documented from the original digital evidence. When writing this report, forensic investigators should keep in mind that it is expected to be easily read and understood by non- technical people including law enforcement agencies officers (Reddy, 2019). However, departmental rules, regulations and policies may dictate the specifics of forensic report writing, including the report’s contents and order. The image report may include the features in Figure 1.
Figure 1: Components of the image report (Reddy, 2019) The report should provide an in-depth analysis of the examination’s findings:
FRN 4302, Digital Forensics Applications 4
UNIT x STUDY GUIDE Title
• files associated with the request; • other files (including deletions) that support the forensic examination’s findings; • keyword, string and text-string searches; • internet- or network-based evidence, including the web traffic analysis, cache files, email, chat logs
and newsgroup interactions; • analysis of graphic image; • details of ownership, including software or program registration details; • report of any data analysis conducted; • brief description of software or programs on the devices; and • methods applied to mask or hide data, including the steganography, encryption, hidden partitions,
hidden attributes, and file name anomalies (Reddy, 2019). The image report should also provide supporting material. A list of reference materials included with forensic report include the printouts of specific devices or drives evidence, chain-of-custody documentation, and digital evidence copies.
Summary In this lesson, you explored more details regarding documentation of digital evidence; specifically, documenting a crime scene, the seizing phase of accessing digital evidence, documentation and handling of digital evidence, image forensics tools for documenting a forensic investigation, and image report writing. As a forensic investigator, you should now be aware of your responsibilities to provide accurate and complete reporting of your results and findings of a digital evidence examination. You should now also understand that documentation of digital evidence is a process that remains ongoing throughout an examination, where documentation is expected to be carried out accurately, completely, and comprehensively.
References Carrier, B., & Spafford, E. H. (2003). Getting physical with the digital investigation process. International
Journal of Digital Evidence, 2(2), 10–17. https://pdfs.semanticscholar.org/915b/524318e2f0689b586ba7ae89ea39e9b22ce3.pdf
National Forensic Science Technology Center. (2013). A simplified guide to digital evidence: How it’s done.
http://www.forensicsciencesimplified.org/digital/how.html National Institute of Justice. (2004, April). Forensic examination of digital evidence: A guide for law
enforcement (NIJ Special Report No. 199408). U.S. Department of Justice. https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
National Institute of Justice. (2008, April). Electronic crime scene investigation: A guide for first responders,
second edition (NCJ Special Report No. 219941). U.S. Department of Justice. https://www.ncjrs.gov/pdffiles1/nij/219941.pdf
Nelson, B., Phillips, A., & Steuart, C. (2015). Guide to computer forensics and investigations. Cengage
Learning. Novak, M., Grier, J., & Gonzales, D. (2019). New approaches to digital evidence acquisition and analysis.
National Institute of Justice Journal, 280, 1–8. https://www.ncjrs.gov/pdffiles1/nij/250700.pdf Reddy, N. (2019). Practical cyber forensics: An incident-based approach to forensic investigations. Apress.
FRN 4302, Digital Forensics Applications 5
UNIT x STUDY GUIDE Title
Learning Activities (Nongraded) Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information. To check your knowledge of what you have learned in this unit, complete the cards and quizzes for Chapters 6 and 7. The cards will provide an opportunity to review key terms from the chapters, and the quizzes will give you an opportunity to test yourself and then give feedback on your answers.
- Course Learning Outcomes for Unit IV
- Required Unit Resources
- Unit Lesson
- Documenting Digital Evidence: Image Method
- Image Documenting a Crime Scene
- Image-Seizing Digital Evidence
- Image Documentation and Handling Evidence
- Image Forensic Tools for Documenting an Investigation
- Image Report Writing
- Summary
- References
- Learning Activities (Nongraded)