thesis final emilewong 2443492 - dtpr.lib.athabascau.cadtpr.lib.athabascau.ca › action ›...



ATHABASCA UNIVERSITY

SYSTEMATIC APPROACH TO PROCESS, ANALYZE, AND CLASSIFY DIGITAL EVIDENCE

BY

EMILE WONG

A project submitted in partial fulfillment of the requirements for the degree of

MASTER OF SCIENCE in INFORMATION SYSTEMS

Athabasca, Alberta February, 2009

© Emile Wong, 2009


DEDICATION

This thesis is dedicated to my mother, who raised me up to more than I can be.


ABSTRACT

The paper introduces a systematic approach to digital forensic investigation for digital forensic students, covering the recognition, collection, preservation, documentation, classification, comparison, individualization, and reconstruction of digital evidence. The three-layered systematic approach can be used for the examination of a single piece of evidence as well as for large digital criminal cases. Literature is examined relating to emerging problems in digital forensic investigation and to emergent technologies in the forensic field, including forensic tools, methodologies, and investigation best practice. The three-layered structure is explained, and the theoretical and practical processes are expounded with the aim of understanding the macro-cycle and micro-cycle of digital evidence. The roles and ethics of the digital forensic investigator are then discussed. Finally, the digital forensic technology and tools that support digital forensic investigation are described. The three-layered structure simplifies the complexity of the digital forensic investigation process in an organized and systematic manner; it can be used as a framework to further develop standard digital forensic operational procedures, or as a model for digital forensic software development.


ACKNOWLEDGMENTS

I would like to acknowledge with particular gratitude the assistance of my supervisor, Dr. Harris Wang. I am also indebted to a number of other people presently and formerly at Athabasca University, including Dr. Oscar Lin, Dr. Kinshuk, Dr. Xiaokun Zhang, Richard Hundrods, Mahmond Abaza, Kewal Dhariwal, Lil Saghafi, and Steve Leung, for their supervision in my study for the degree of Master of Science in Information Systems. Finally, I would like to thank my sons, Elvin and Ryan, for their forbearance during the long period it has taken me to conduct and write up this thesis.


TABLE OF CONTENTS

CHAPTER I - INTRODUCTION .......................................................... 1
  Statement of the Purpose ...................................................... 1
  Research Problems and Questions ............................................... 2
  Outline of this Document ...................................................... 3
CHAPTER II - REVIEW OF RELATED LITERATURE ........................................ 6
  Context ....................................................................... 6
  Computer Forensics ............................................................ 7
  Digital Evidence ............................................................. 10
  Summary ...................................................................... 11
CHAPTER III - THREE LAYERED SYSTEMATIC APPROACH ................................. 13
  Background ................................................................... 17
    Basic Concepts ............................................................. 18
    Digital Incidents and Threats .............................................. 20
  Top Layer .................................................................... 23
    Assessment and Preservation ................................................ 24
    Acquisition ................................................................ 28
    Examination ................................................................ 31
    Analysis ................................................................... 32
    Documentation .............................................................. 36
    Reporting .................................................................. 38
    Presentation ............................................................... 39
  Middle Layer ................................................................. 40
    Document ................................................................... 40
    Preparation ................................................................ 41
    Physical ................................................................... 42
    Logical .................................................................... 43
    Recover .................................................................... 44
    Analyze .................................................................... 44
    Findings ................................................................... 45
    Archive .................................................................... 45
  Roles and Ethic .............................................................. 46
CHAPTER IV - FORENSIC TECHNOLOGY AND TOOLS ...................................... 48
  Previewing Tools ............................................................. 49
  Acquisition Tools ............................................................ 49
  Examination Tools ............................................................ 51
CHAPTER V - CONCLUSIONS AND RECOMMENDATIONS ..................................... 54
  Conclusions .................................................................. 54
  Suggestions for Further Research ............................................. 56
REFERENCES ...................................................................... 58

LIST OF FIGURES

Page

1. Three Layered Systematic Approach of Digital Forensic Investigation .......... 15
2. Digital Forensic Investigation Macro-cycle ................................... 16
3. Digital Forensic Investigation Micro-cycle ................................... 17


CHAPTER I

INTRODUCTION

Statement of the Purpose

Digital forensic science provides tools, techniques, and a systematic approach that can be used to process and analyze digital evidence. Computer forensic examiners are expected to interact with digital evidence, digital forensic tools, and digital forensic laboratories. Digital evidence can be used to reconstruct what occurred during the perpetration of an offense. The purpose of reconstruction is to restore the links between offender, victim, and crime scene or incident. The final goal is to present legal evidence that can be accepted by the court to prove or disprove a theory. The research described in this document focused on a systematic approach to process, analyze, and classify digital evidence. This document also demonstrates the tools and techniques that can be used to analyze and recover evidence. While the literature review in Chapter 2 shows that there is a significant amount of digital forensic training material, manuals, and books from different sources [2] [4] [5] [6] [7] [8] [13] [14] [15], the writing is largely from the professional viewpoint of digital forensic examiners or law enforcement agents, or is otherwise a technical demonstration of the discovery and analysis of digital evidence by professionals. The research questions for the current thesis are formulated with the aim of sketching out a systematic approach and guideline for digital forensic students to understand the recognition, collection, preservation, documentation, classification, comparison, individualization, and reconstruction of digital evidence in this under-researched area.

Research Problems and Questions

The research questions as defined in the project proposal were as follows:
What is digital crime, and what is the difference between digital crime and traditional crime;
How to differentiate a professional digital investigator from a computer technical person;
What are the difficulties in presenting technical evidence in an easily understood format;
What is the proper procedure for handling evidence;
How to prove that a working copy of digital evidence is the same as the original seized evidence;
How to begin an investigation and where to start;
Understand your limits, and know when and where to stop;
How to prepare, collect, and use forensic toolkits.

Outline of this document

Following this introduction, chapter 2 of this thesis consists of a review of literature in a number of areas relevant to computer or digital forensics. The review considers:
literature on the topic of computer forensics;
literature on the topic of cyber forensics;
literature on the topic of computer forensics response;
literature on the topic of examination of digital evidence;
literature on the topic of emerging problems in forensic computing;
literature on the topic of privacy protection;
literature on the topic of risks of live digital forensic analysis;
literature on the topic of digital forensic tools;
literature specifically relating to digital and multimedia evidence;
literature specifically relating to the roles of the computer forensic investigator; and
literature concerning forensic techniques in general and particular proposed measures.

Literature is explored on a variety of theoretical concepts, history, principles, methodologies, disciplines, and practical procedures for the seizure, handling, analysis, and recovery of digital evidence; but the emphasis is largely placed on personal experience or case studies.

Following the literature review, chapter 3 examines and extends some of the theoretical issues raised in the literature. This chapter seeks to define the systematic approach of recognition, collection, preservation, documentation, classification, comparison, individualization, and reconstruction. In particular, it explains the basis of the initial assessment and response to a digital incident. The chapter also includes discussion of the relationship between the discovery, preservation, documentation, and presentation of digital evidence. The roles and ethics of the digital forensic investigator are also addressed in this chapter.

Chapter 4 describes the forensic technology and tools that can be used to preserve, analyze, and recover digital evidence. This chapter also includes an evaluation of digital forensic tools, their functionality, and related file systems and operating systems.

Chapter 5 concludes the thesis by revisiting the main findings on the systematic approach of digital forensics in the theoretical, practical, and experimental stages of the research; it identifies the impact of digital crimes and raises issues that are likely to be useful areas for future study.


CHAPTER II

REVIEW OF RELATED LITERATURE

Context

Computer forensics can be considered a branch of forensic science with a different investigative approach. The science of computer forensics encompasses a wide range of disciplines including, but not limited to, computer hardware and software, telecommunications, security, networks, electronic devices, law enforcement, and the criminal justice system. The introduction of digital forensics into forensic science reflected the urgent need for digital forensic professionals, methodologies, and tools to handle rapidly growing computer crime. Computer forensics is generally deployed in cases of hacking, obscene publication, perjury, murder, espionage, forgery, defamation, narcotics trafficking, credit card cloning, software piracy, and paedophile rings [9][11][12]. Today, computer forensic practitioners face a multiplicity of investigative challenges in two main categories. The first is technology. Criminals continuously employ up-and-coming advanced information technology and methods [20] to commit fraudulent activities that investigators need time to become fully aware or cognizant of. In addition, rapidly changing storage media capacities and high-speed network transmission have increased the complexity of analysis [7]. The other is the techniques and protocols for the investigation, examination, and analysis of digital evidence. In a dynamic technological environment, the subject matter of evidence examination changes at such an exponential rate that forensic tools must be modified regularly in order to keep up [20]. Digital forensics is a continuously developing topic. It is only in the last twenty years or so that the literature on computer forensic examination protocols and methodology has been commonly discussed and studied.

Computer Forensics

The development of the discipline of computer forensics began with the awakening to "white collar" crimes [11]. In 1981, after the first IBM Personal Computer (PC) was made available to ordinary businesses, U.S. federal law enforcement noticed the surfacing of "white collar" crimes being committed with the aid of the new PCs. In the 1980s, the emerging science of computer forensics found its starting place as training developed by U.S. federal law enforcement agents. The U.S. Federal Law Enforcement Training Center (FLETC) started training agents in conducting investigations in the computerized environment, and FLETC's Financial Fraud Institute (FFI) began to develop software and protocols to deal with the emerging discipline of computer forensics.

Peter Stephenson's book [4] introduced the potential impact of cyber crime; it also introduces a framework for conducting an investigation of a computer security incident, how to prepare for cyber crime, and the use of forensic utilities. A generalized investigative framework for the corporate investigator is structured as follows:
1. Eliminate the obvious
2. Hypothesize the attack
3. Reconstruct the crime
4. Perform a trace back to the suspected source computer
5. Analyze the source, target, and intermediate computers
6. Collect evidence, including, possibly, the computers themselves
7. Turn your findings and evidentiary material over to corporate investigators or law enforcement for follow-up

A report [11] published by the National Institute of Justice in 2001 identified the needs that require attention to keep pace with the rapid growth of computer crime; a succinct synopsis of the "Critical Ten" needs was identified:
1. Public awareness
2. Data and reporting
3. Uniform training and certification courses
4. Onsite management assistance for electronic crime units and task forces
5. Updated laws
6. Cooperation with the high-tech industry
7. Special research and publications
8. Management awareness and support
9. Investigative and forensic tools
10. Structuring a computer crime unit

Another report [12], published by the National Institute of Justice in 2004 as a guide for state and local law enforcement to examine computer evidence, outlined the entire examination process for handling digital evidence:
Policy and Procedure Development
Evidence Assessment
Evidence Acquisition
Evidence Examination
Documenting and Reporting

A third report [9], also published by the National Institute of Justice, provides structure for the continuing education of practicing forensic scientists and training to enhance a current digital forensic examiner's knowledge, skills, and abilities (KSA).

Digital Evidence

The conference paper [20] referred to Mark Pollitt's generalization of digital evidence as "information of probative value that is either stored or transmitted in binary form". Digital evidence is a type of physical evidence that is made up of magnetic fields and electronic pulses that can be collected and analysed using special tools and techniques. Brian D. Carrier stated that the difference between live and dead digital forensic analysis is the reliability of the results. The paper [1] concluded that live digital forensic analysis may not produce reliable results. Michael G. Solomon, Diane Barrett, and Neil Broom's book [2] described the need for computer forensics, including preparation, common tasks, capturing the data image, extracting information from data, passwords and encryption, and testifying in court. Albert J. Marcella and Robert S. Greenfield's book [6] introduced a mature methodology for digital forensic investigation; the book described the procedure for searching and seizing computers and obtaining electronic evidence, computer crime policy and programs, international aspects of computer crime, privacy issues in the high-tech context, critical infrastructure protection, and legal issues and considerations. The book also defined that "Computer Forensics deals with the preservation, identification, extraction, and documentation of digital evidence" [6]. Debra L. Shinda, a former police officer, provided not only forensic techniques but also the investigation process and jurisdictional issues in her book [5]; the book stated that many information technology professionals were unconcerned about cyber crime, while at the same time law enforcement officers were not equipped with appropriate tools to deal with the cyber crime problem. The book Incident Response by Kevin Mandia, Chris Prosise, and Matt Pepe [15] showed the detailed process of live data collection from both Windows and UNIX systems, and the required toolkit tools for both operating systems.

Summary

M.G. Solomon, D. Barrett, and N. Broom [2]; P. Stephenson [4]; D.L. Shinda [5]; A.J. Marcella and R.S. Greenfield [6]; G. Mohay, A. Anderson, B. Collie, O. de Vel, and R. McKemmish [7]; R. Leigh and A.W. Krings [8]; B. Middleton [13]; D. Schweitzer [14]; and C. Prosise, K. Mandia, and M. Pepe [15] have discussed digital forensics in great depth or expanded their own model of the discipline into a more general framework. In addition to the frameworks mentioned previously, the use of digital forensics in investigations with a view to incident response has also been looked at from different aspects. The present study was designed to create a guideline for digital forensic students to understand the life cycle of the digital forensic process. The study sought to define a systematic approach to digital forensics in recognition, collection, preservation, documentation, classification, comparison, individualization, and reconstruction.


CHAPTER III

THREE LAYERED SYSTEMATIC APPROACH

The paper [20] states that digital forensics has mostly developed in an ad hoc manner. Many research resources [2] [4] [6] [7] [19], including but not limited to the resources of this paper, are based on cases or current practices. Digital forensic methodologies and protocols are introduced depending on certain circumstances, methods, and procedures; most of them are developed based on personal experience and expertise [8]. The emerging topic is still under development and being discussed. The entire examination process [12] of the National Institute of Justice provides a top-level structure for digital investigation. The forensic formalization model [20] creates a low-level implementation of investigative steps.

This section generalizes the entire digital forensic investigation process into a three-layered systematic approach. The entire digital forensic investigation process can be conceptualized as occurring simultaneously on three different scales or time frames. The top layer occurs over the course of an investigation and guides the overall investigation from initial response to final presentation. The top layer has seven protocols, as shown in Figure 1. Each protocol contains one or multiple interfaces described in the middle layer. The top layer of processes evolves over time and can be considered the macro-cycle. The first two protocols focus on the collection and acquisition of digital evidence. The next two protocols focus on the examination and analysis of seized evidence. The last three protocols focus on documentation, reporting, and presentation; the documentation protocol overlaps the first four phases of the digital evidence investigation lifecycle, as shown in Figure 2. The middle layer defines a systematic framework of interfaces for investigation, as shown in Figure 3. The middle layer has a more limited scope than the top layer and can be considered the micro-cycle of investigation. The middle layer is focused on providing an interface for the actual implementation of investigative processes or examination steps. Investigators or examiners can apply their best practice to the interface to create standard procedures for a specific type of evidence. The bottom layer is the actual implementation of the examination procedures and steps for an individual piece of evidence or file, and it is out of the scope of this paper.


Figure 1: Three Layered Systematic Approach of Digital Forensic Investigation


Figure 2: Digital Forensic Investigation Macro-cycle


Figure 3: Digital Forensic Micro-cycle

Background

In 1988, Robert Morris accidentally unleashed an "Internet Worm" at MIT which infected and subsequently crashed thousands of computers [11]. Morris selected MIT to mask the fact that the worm came from a computer at Cornell University. Morris soon discovered that the worm was replicating and re-infecting machines at a much faster rate than he had anticipated. Following a jury trial, Morris was found guilty, and he was sentenced to three years of probation. The Internet Worm was considered the first case prosecuted under the Computer Fraud and Abuse Act of 1986 in the United States of America. This case established a precedent that would help to convict other hackers and virus programmers, and the word "hacker" was introduced into the vernacular of the computer and digital forensic community.

Basic Concepts

Digital evidence is a kind of physical evidence. Although digital evidence is less tangible than other forms of physical evidence such as fingerprints, blood, or weapons, digital evidence is made up of magnetic fields and electronic pulses that can be collected and analyzed using special tools and techniques. The content of digital evidence can only be viewed with particular tools or software. Digital forensics is about creating a story of how this evidence is linked with the crime, offenders, and victims. In cases of digital crime, there may be some transport mechanism that moves evidence from one storage medium to another; there may also be a transfer mechanism that moves evidence across the network. Consider a person visiting a website: there is some auditing and logging going on in the server. This creates a trace of the IP address, operating system used, pages viewed, and date and time of the person who visited the website. All of that information is stored in the log files of the web server. On the client side, the information showing that the person visited the website is stored in the system by cookies and temporary Internet files in a temp folder. These establish a tie between the person and the site. An incident scene is, in some way, a linkage between victims and suspects through some physical evidence. To summarize, digital forensics is the way to discover this less tangible electronic evidence, collect it, and analyse it; and the storage of evidence may transfer across the network. Digital evidence needs to be gathered, explored, collected, and explained in terms of what it represents. Digital evidence can be used to reconstruct what occurred during the perpetration of an offense, and eventually creates a link between an offender, victim, and the crime scene under a theory. Eventually the evidence might prove or contradict the theory.
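The server-side trace described above (IP address, operating system, pages viewed, date and time) is what an examiner reconstructs from a seized web server log. The following is an added example, not code from the thesis: it parses log lines in the Apache "combined" format and groups them into a per-client timeline. The log lines, the IP addresses and the host name example.test are constructed sample data.

```python
"""Reconstruct a visitor's trace from web server access log lines.

Added example (not from the thesis).  Parses Apache "combined" format
access log lines and groups them into a per-client timeline: first and
last seen, pages viewed in order, and the operating system suggested by
the User-Agent string.  All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Coarse operating-system hints taken from the User-Agent string.
# Order matters: the more specific needle must come before the generic one.
OS_HINTS = [
    ("Windows NT 6.1", "Windows 7"),
    ("Windows NT 5.1", "Windows XP"),
    ("Windows", "Windows"),
    ("Mac OS X", "Mac OS X"),
    ("Linux", "Linux"),
]


def guess_os(agent):
    """Return a coarse OS label for a User-Agent string, or 'unknown'."""
    for needle, label in OS_HINTS:
        if needle in agent:
            return label
    return "unknown"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed.

    Malformed lines are returned as None rather than raised so the examiner
    can count and report them instead of aborting the whole analysis.
    """
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Apache timestamps look like 10/Oct/2008:13:55:36 -0700
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["os"] = guess_os(rec["agent"])
    return rec


def build_traces(lines):
    """Group parsed records by client IP, each list sorted by time.

    Returns (traces, bad_count): traces maps an IP to a chronological list
    of (time, path, status, os) tuples; bad_count is the number of lines
    that did not parse.  Sorting matters because log lines are not always
    written in time order.
    """
    traces = defaultdict(list)
    bad = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            bad += 1
            continue
        traces[rec["ip"]].append((rec["time"], rec["path"], rec["status"], rec["os"]))
    for ip in traces:
        traces[ip].sort(key=lambda t: t[0])
    return dict(traces), bad


def summarize(traces):
    """Per-IP summary: first seen, last seen, pages in order, OS labels."""
    summary = {}
    for ip, events in traces.items():
        summary[ip] = {
            "first_seen": events[0][0],
            "last_seen": events[-1][0],
            "pages": [e[1] for e in events],
            "os": sorted({e[3] for e in events}),
        }
    return summary


# Constructed sample log lines (not from any real server); one is deliberately corrupt.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jan/2009:09:15:02 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0"
192.0.2.10 - - [12/Jan/2009:09:15:09 -0700] "GET /login HTTP/1.1" 200 1024 "http://example.test/index.html" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0"
198.51.100.7 - - [12/Jan/2009:09:16:40 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/3.0"
this line is corrupt and will be counted as malformed
192.0.2.10 - - [12/Jan/2009:09:14:55 -0700] "GET /robots.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0"
192.0.2.10 - - [12/Jan/2009:09:15:30 -0700] "POST /login HTTP/1.1" 302 0 "http://example.test/login" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0"
"""

if __name__ == "__main__":
    traces, bad = build_traces(SAMPLE_LOG.splitlines())
    print("malformed lines:", bad)
    for ip, info in summarize(traces).items():
        print(ip, info["os"], info["first_seen"].isoformat(), "->", info["last_seen"].isoformat())
        for page in info["pages"]:
            print("   ", page)
```

The malformed-line count is reported alongside the timeline so that gaps in the log are visible in the examiner's notes rather than silently dropped.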

Digital evidence exists in many forms and locations within digital systems or devices. As a digital forensic practitioner, it is crucial to understand the kinds of information that may exist within the system in order to find the information effectively. Classification of digital evidence lets us understand the type of information, its purpose, and what is important and relevant to the case. Also, finding pieces of information to build the case and understanding the timeline of what occurred are important in digital forensic investigation. The digital forensic practitioner is responsible for conducting a digital forensic analysis to gather digital evidence based upon the level of proof. There are basically two levels of proof in a court of law.
Criminal - we need to prove to people that the case is 100% sure, without any doubt or any reasonable doubt that we might be wrong.
Civil - we attempt to demonstrate the preponderance of the evidence and only need to convince 51% of people in most cases.

Digital forensic analysis takes the acquired data and examines it to develop and identify digital evidence. Different weights or levels of proof are required for civil and criminal cases. There are three major categories of digital evidence that are looked for in an investigation.
Inculpatory evidence - evidence that supports a given theory.
Exculpatory evidence - evidence that contradicts a given theory.
Evidence of tampering - evidence that cannot be associated with any theory, but shows that the system was tampered with to avoid identification.

Digital Incidents and Threats

Computer forensic examiners may come across various types of computer forensic incidents. Before digital forensic students get into the process of investigating evidence, they need to understand several basic concepts of digital forensics and what a forensic investigator will encounter in a digital forensic investigation.

Computer fraud laws define criminal fraud and abuse for computer crimes and remove legal ambiguities and obstacles to prosecuting them. Cases of the following kinds are treated as criminal; the list is not exhaustive:

Online auction or electronic trading fraud

Trafficking in contraband such as child pornography

Network intrusions or hacking

Cyber threats such as cyber stalking

Theft of identity or personal information

Espionage

Murder

Perjury and forgery

Telecommunications fraud

Pirating of intellectual property such as copyright

Computer forensic practitioners also face numerous investigations that are civil in nature. The following are examples of civil incidents; the list is not exhaustive:

Misuse or damage of corporate information technology assets

Employee wrongful termination claims

Failure to comply with legislation governing financial institutions

Failure to comply with legislation governing business accounting

Sexual harassment

Defamation

Divorce

Theft of proprietary data such as trade secrets

Internal threats involve end users who commit fraud or other illegal acts from inside their own organisation. These persons may hold positions of trust, and their acts are not necessarily aimed at the company itself; a variety of offences can be committed. Internal threats to an organisation's computer infrastructure include, but are not limited to:

Theft of proprietary data.

Using information technology asset to run personal business.

Using company servers to deliver contraband.

Alteration of official records, such as grades on a report card

Sabotage via execution of malicious code.

A threat is considered external if it involves end users from outside the organisation; such persons may commit intrusions or other illegal acts. The computer forensic practitioner may be called upon to investigate external threats such as, but not limited to:

Viruses, malware and spyware

Intrusions, Trojan horses and hacking

Denial of service attack (DoS)

Spoofing

Password Cracking

Email spamming attacks

Website defacing

Top Layer

The seven primary protocols of the top layer extend through the entire lifecycle of an investigation, and the top layer is considered the macro-cycle of the digital forensic investigation process. Each protocol operates at a different scale and time frame, as shown in Figure 2.

Assessment and Preservation

Digital incident response is different from the discovery of digital artifacts. Digital incident response is about assessing a digital incident, identifying the procedures that are essential to protect the digital evidence, and moving the digital evidence to a safe place to keep it from contamination.

Digital incidents may result from acts committed by persons using a device that retains binary data: a desktop, workstation, server, laptop or similar computing device. When a computer forensic practitioner is called upon to respond to a digital incident, the practitioner should make an initial assessment of the situation and be prepared to apply the appropriate response in order to gather digital artifacts. The collected artifacts will eventually prove or disprove a theory about the commission of a civil offence, a criminal offence or a security violation. The initial assessment considers the type of incident, the parties involved, the location of the incident or equipment, and the response resources available.

In a digital incident response the computer forensic practitioner may encounter a wide variety of digital media and devices that can retain potential digital evidence, and should consider which of them may serve as repositories of digital data and be subjected to examination. Almost anything can retain binary data, so practitioners have to decide what to look for and make the correct assessment. To determine the type of incident, a practitioner needs to identify the relationship between the activities and the digital devices. In the first type of incident the hardware or software is itself the stolen property. In the second type the digital device contains evidence of the incident or offence. In the third type the digital device is a tool of the offence. In the last type the digital device was actively used to commit the offence. An incident can be any one of these types or a combination of them.

During an incident response the digital forensic practitioner also needs to recognise the parties involved and identify the persons relevant to the investigation, such as complainants, victims, witnesses, informants, suspects, system administrators and technical support staff. Other information is also crucial, such as the name of the Internet service provider, any online services, websites, newsgroups and web applications involved, and the network and firewall configuration. The practitioner must be aware of any technically skilled person who could cause a serious loss of evidentiary data.

Further, the investigator needs to find out the location of the incident or of the equipment involved in order to determine the proper next action. The incident might have occurred on private or residential property, in a business office, in a public area, or at various locations worldwide. Finally, the frequency of the incident and how long the activity has been going on should be established. During a digital incident assessment we also have to work out how the equipment is used and how important its continued operation is to the organisation. The digital forensic practitioner should prepare a checklist for digital incident response; it should include the following:

a digital camera to photograph the scene;

portable imaging device and blank media to be able to make forensic copies;

Chain of Custody and other official documents to record actions and procedures;

items such as paper, permanent markers, labels, disassembly tools;

packaging items such as sealing tape, cardboard boxes and envelopes;

and transport vehicles.

Digital forensic practitioners must use their time, tools and talent professionally throughout the entire case in order to gather the evidence they need and build a forensically sound case.

The goal of a digital forensic practitioner responding to an incident is to secure all potential digital evidence and preserve it for examination and analysis. Because digital evidence is fragile, it must be handled properly and carefully to avoid damage or immediate destruction. Best practice is to keep everyone, including suspects, away from the evidence except the persons trained to handle it, because evidence can be destroyed accidentally or maliciously with a few keystrokes or a pre-arranged trigger. Handlers should always wear gloves and avoid disturbing potential latent or digital evidence, because the scene may also hold physical evidence such as fingerprints on the digital devices.

Running machines must be handled carefully so that volatile data (memory, caches, running processes, network connections) is preserved, and the state and configuration of the machine must be documented or captured before it is powered down. Digital evidence must then be secured so that nobody can access the devices. A common practice for sealing digital evidence is to place evidence tape along the edges of the computer housing and write your initials, the date and the time across the seal in permanent ink. Finally, move all digital evidence to a secure storage facility where possible. Bear in mind that improper handling can alter or damage the evidence; it may become unusable in court, lead to an imprecise conclusion, or, worse, permanently destroy what you are seeking.

Acquisition

Acquisition is the process of obtaining or extracting digital information from a digital device or medium with specialised forensic tools. There is a difference between a copy and a duplicate of digital evidence. A copy is a reproduction of the content stored on the original item, made at the file level and independent of the storage device. The process reproduces the contents of the files, but file attributes may change during the reproduction and other information is not transferred at all: for example, a file-level copy can replace a file's time stamps with the date and time of the copy, and it never captures deleted files, slack space or unallocated space. A copy is therefore not an exact duplicate of the original evidence. A duplicate is an exact, bit-for-bit reproduction of all data on a storage device. Duplication transfers everything the device holds: visible and hidden content, metadata and attributes, slack space and unallocated space. Duplication may take place either at the incident scene or in the digital forensic laboratory, and should be performed by a trained and certified digital forensic practitioner.

A duplicate of digital evidence is as admissible as the original as long as it can be authenticated by a qualified examiner. Any examination performed on the original may alter or contaminate it. The goal of the acquisition process is therefore to duplicate the original digital evidence in a manner that protects and preserves the original, preventing destruction, damage or alteration prior to analysis. The original must be kept intact, and the examiner must work from an exact, verified duplicate alone, never from the original.

Acquisition can be conducted in the forensic laboratory or on site. The main consideration is how much control the practitioner has over the circumstances and the time available. If the situation is beyond your control, an on-site acquisition of the potential digital evidence may be necessary. For example, a running web application server may be vital to a large corporation's daily operations, so it cannot simply be taken back to the laboratory; the digital forensic practitioner should then consider on-site imaging or a live acquisition of the activity on the server, documenting exactly which tools were run, since a live acquisition necessarily changes the state of the running system.

Authentication of the acquired image is what makes the duplicate admissible in place of the original. Cryptographic hash functions provide that authentication: a hash function takes input of any length, runs it through a fixed algorithm, and produces a fixed-size digest. The function is one-way, so the input cannot be recovered from the digest, and changing a single bit of the input produces a completely different digest. For a secure hash function it is computationally infeasible to find two different inputs with the same digest, so matching digests for the original and the image are accepted as proof that their contents are identical. The functions most commonly found in forensic tools are CRC-32, MD5 and SHA-1. Of these, CRC-32 is only an error-detecting checksum and gives no protection against deliberate substitution, and practical collision attacks have since been demonstrated for both MD5 and SHA-1, so examiners should record digests from at least two algorithms, including a current one such as SHA-256.

Digital evidence acquisition is one of the critical stages in the digital forensic examination process, and any error during this procedure can produce undesirable results. The examiner must document all physical aspects of the hardware, such as serial number, make, model and configuration details, as well as the acquisition procedure itself. Before acquiring, ensure that a sufficiently large, forensically sterile target medium is available: one that has been wiped and verified to contain no residual data. The examiner can then start the acquisition with a forensically sound acquisition tool. A tool is forensically sound when independent testing has shown that it does not alter the source, does not introduce errors, and produces the same result as other sound tools when the same procedure is run on the same evidence. Forensically sound tools help to create an accurate, authenticated duplicate of the original evidence.
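The acquisition procedure above, as an added example that is not part of the thesis: a bit-for-bit duplicate of a source is written while its hash is computed, the image is independently re-hashed and compared to authenticate it, a single flipped bit shows the authentication failing, and the target medium is verified to be sterile before use. The source "device" and the target medium are simulated with temporary files so that it runs offline; on a real case the source would be a write-blocked block device, and the chunk size and the list of algorithms are local choices.

```python
# Added example, not from the thesis: bit-for-bit acquisition of a "device"
# into an image file, hash authentication of the duplicate, and a check that
# the target media is forensically sterile. The device is simulated with a
# temporary file so the code runs offline; on a real case the source would be
# a write-blocked block device. CHUNK and ALGORITHMS are local choices.
import hashlib
import os
import tempfile

CHUNK = 64 * 1024                        # read/write granularity
ALGORITHMS = ("md5", "sha1", "sha256")   # record more than one algorithm


def _new_hashers():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def _digests(hashers):
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path):
    """Hash a file in chunks; returns {algorithm: hexdigest}."""
    hashers = _new_hashers()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return _digests(hashers)


def is_sterile(path):
    """True only if every byte of the media is zero, i.e. it was wiped."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):
                return False
    return True


def acquire(source, image):
    """Duplicate every byte of source into image, hashing the stream as it is
    read. The returned digests are the acquisition hashes; an independent
    re-hash of the image must reproduce them."""
    hashers = _new_hashers()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
    return _digests(hashers)


def authenticate(source, image):
    """Re-hash both sides independently; True when every algorithm agrees."""
    return hash_file(source) == hash_file(image)


def flip_one_bit(path, offset):
    """Simulate corruption or tampering by inverting one bit of the image."""
    with open(path, "r+b") as f:
        f.seek(offset)
        byte = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([byte ^ 0x01]))


def demo():
    """Run the procedure on constructed data and return the outcomes."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "suspect_drive.bin")
    image = os.path.join(work, "suspect_drive.dd")
    target = os.path.join(work, "sterile_target.bin")

    # Constructed "device": a boot-sector-like first sector, one file, and a
    # leftover fragment that a file-level copy would never pick up.
    with open(device, "wb") as f:
        f.write(b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 499 + b"\x55\xaa")
        f.write(b"invoice.doc: amount due 12,400" + b"\x00" * 1000)
        f.write(b"deleted remnant: move 40,000 to account 7781")
    with open(target, "wb") as f:
        f.write(b"\x00" * 4096)          # properly wiped target media

    results = {"target_is_sterile": is_sterile(target),
               "device_is_sterile": is_sterile(device)}
    acquisition_hashes = acquire(device, image)
    results["stream_hash_matches_source"] = acquisition_hashes == hash_file(device)
    results["image_authenticates"] = authenticate(device, image)
    flip_one_bit(image, offset=600)      # a single bit changed in the copy
    results["authenticates_after_tamper"] = authenticate(device, image)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The acquisition hashes are taken from the bytes as they are read, and the image is then re-hashed from disk; both must agree with a hash of the source before the image is trusted. Recording the digests from all three algorithms in the case notes means that a later weakness in any one of them does not undermine the authentication.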

Examination

After acquiring a working copy of the original evidence, the digital forensic examiner can begin the examination phase by mounting the duplicate image read-only in the forensic program. The examination helps the examiner focus on what the case is about. During the examination, known files such as standard operating system files can be set aside, typically by matching their hashes against a reference set of known files, so that effort is spent on the files that matter. Examiners must follow defined rules and steps and apply forensic examination protocols during the analysis; those rules and steps are what make the evidence admissible. The digital forensic practitioner needs to gather information methodically and according to accepted practice, so that the findings can ultimately be presented in court or similar venues.

A key part of digital forensics is the examination of digital storage media. Because storage media change rapidly and keep growing in size, standard digital forensic methods and procedures often lag behind, and practitioners frequently have to conduct examinations in an ad hoc manner. Examiners review the available evidence, generate hypotheses about what occurred to create it, carry out tests to support or contradict those hypotheses, and work through the examination with forensically sound tools. The findings of the examination help practitioners form well-supported hypotheses about what occurred. A forensically sound examination is one conducted under controlled conditions, completely documented, repeatable, and with verifiable results. A forensically sound methodology does not alter any data on the original evidence and preserves it in its original condition, regardless of who examines the media or which specific tools and methods are employed. Anyone who uses forensically sound tools and methodologies should obtain the same results, so an investigator or analyst is free to choose among many acceptable tools and techniques as long as they are forensically sound.

Analysis

The goal of analysing digital evidence is to reconstruct the digital incident scene. The analysis process has three main aspects. The first is recovery of data and information; important information can be found in hidden, corrupted or protected data. The second is classification of digital artifacts, on which reconstruction depends. Classification is the process of finding characteristics of the digital evidence that distinguish it from similar specimens, and it is carried out by comparison and individualisation. The third aspect is reconstruction, which determines the events surrounding an incident: piecing together the who, what, when, where, why and how of the incident from all available digital evidence, and constructing a timeline and sequence of events.

The recovery of active, backup, hidden, encrypted, deleted or damaged digital artifacts is usually the first step in recreating the digital incident scene. A computer forensic practitioner must have access to the appropriate tools and the time necessary to fully develop any recoverable artifacts and ultimately construct the story behind the scene. The time the recovery process takes depends on the tools and on how much information has to be examined, and it includes documenting the recovered artifacts on which the case is built. Recovery is time consuming and can take months or even years to produce a result. The analysis result lets an investigator put the digital evidence together and establish precisely what occurred during the incident.

Comparison is crucial when analysing digital evidence: comparing a piece of digital evidence with a control specimen can highlight unique aspects of the artifact. Individualisation identifies characteristics, created by mistake, arbitrarily or intentionally, that can be recognised later. Digital evidence can therefore be classified, compared and individualised by its contents, functions and characteristics.

Contents - usually plain text or graphical images; investigators can use the content to determine the originator, the message, the recipient and the motivation.

Functions - usually programs or applications written for a specific purpose; investigators can examine how a program functions to classify and individualise it, as in the case of a Trojan horse program.

Characteristics - file names, file extensions, file sizes and time stamps can be helpful in classifying and individualising digital evidence.

The process of classifying, comparing and individualising digital evidence can be lengthy. An investigator must examine each digital artifact carefully to reveal its unusual or unique details; the smallest detail may provide clues that prove or contradict the overall hypothesis of what occurred. A digital forensic practitioner may find a variety of data files during an examination, usually stored on the computer's hard drive or on another storage device. These files can be classified as ordinary, hidden or deleted, system, and metadata. Ordinary data includes active data that is available and easily accessed, and backup or archival data that is no longer in use but is stored separately for later retrieval. Hidden or deleted data is information that appears not to exist or is not noticeable but is recoverable from the digital media. System data includes background data and information created by the operating system, such as log files, which can be used to expand the details of a case. Metadata is data about data: important information such as the time, date and creator of a document may be embedded in the document itself.

During reconstruction, digital evidence can be used to sequence events, determine locations, and establish the time and duration of the incident. The clues used to recreate an incident are relational, functional and temporal data. Relational data shows the relationship between objects or pieces of evidence; multiple files can be parts of the overall crime under investigation. Functional data shows the purpose of an object or how it was used during the incident; for example, an email message shows the recipient and the servers that handled it. Temporal data shows when data was created, modified or accessed and is used to build the timeline. Time connects events, access, victims and offenders; examining and verifying the time stamps attached to digital evidence, including the offset of the system clock from true time, helps to reconstruct the order of events.
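The classification by characteristics and the temporal reconstruction described above, as an added example that is not part of the thesis: each file is classified by the signature in its leading bytes rather than by its extension, files whose hash matches a set of known files are set aside, and a MAC-time timeline is built from the file system time stamps. The sample files, their time stamps and the set of known hashes are constructed here; the short signature table and the extension map are local choices, not a complete reference.

```python
# Added example, not from the thesis: classifying files by content signature
# rather than by name, excluding known files by hash, and building a MAC-time
# timeline. The sample files, their timestamps and the "known" hash set are
# constructed here; the signature table and extension map are local choices.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Leading-byte signatures of a few common formats (deliberately short list).
SIGNATURES = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),          # also docx/xlsx/jar, which are ZIP containers
    (b"%PDF-", "pdf"),
    (b"MZ", "pe-executable"),
)
EXTENSION_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".zip": "zip",
                  ".docx": "zip", ".pdf": "pdf", ".exe": "pe-executable",
                  ".dll": "pe-executable"}


def content_type(path):
    """Classify by what the bytes are, not by what the name claims."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def classify(root, known_hashes):
    """One (name, content_type, verdict) per file under root, sorted by name.
    Files whose hash is in known_hashes (e.g. stock OS files) are skipped."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if sha256_of(path) in known_hashes:
                findings.append((name, "known-file", "skip"))
                continue
            actual = content_type(path)
            expected = EXTENSION_TYPE.get(os.path.splitext(name)[1].lower(), "unknown")
            verdict = "consistent" if actual == expected else "extension mismatch"
            findings.append((name, actual, verdict))
    return sorted(findings)


def timeline(root):
    """MAC-time timeline: (utc_time, event, name) per stat field, oldest first.
    st_ctime is the metadata change time on Unix and the creation time on Windows."""
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            st = os.stat(os.path.join(dirpath, name))
            for label, ts in (("modified", st.st_mtime),
                              ("accessed", st.st_atime),
                              ("changed", st.st_ctime)):
                events.append((datetime.fromtimestamp(ts, timezone.utc), label, name))
    return sorted(events)


def demo():
    """Build a small constructed file set and run both analyses on it."""
    work = tempfile.mkdtemp()

    def write(name, data, when):
        path = os.path.join(work, name)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (when, when))     # set atime/mtime; ctime is the OS's
        return path

    base = 1230768000                    # 2009-01-01T00:00:00Z, constructed
    stock_dll = b"MZ" + b"\x00" * 64
    write("kernel32.dll", stock_dll, base)
    write("notes.txt", b"meeting at 10", base + 3600)
    write("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32, base + 7200)
    write("report.docx", b"\xff\xd8\xff\xe0" + b"\x00" * 32, base + 10800)  # JPEG named .docx
    write("readme.txt", b"PK\x03\x04" + b"\x00" * 32, base + 14400)          # ZIP named .txt
    known = {hashlib.sha256(stock_dll).hexdigest()}   # stands in for a reference set
    events = timeline(work)              # stat first: reading a file updates atime
    findings = classify(work, known)
    return findings, events


if __name__ == "__main__":
    findings, events = demo()
    for row in findings:
        print(*row)
    for when, event, name in events:
        print(when.isoformat(), event, name)
```

The timeline is taken before any file is opened because, on a mounted volume, reading a file updates its access time and so destroys the very temporal data being collected; this is one reason examiners work on read-only mounts of an image rather than on the original media.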

Documentation

An experienced investigator follows good methodology during evidence collection and handling so that the evidence can be presented in court. "Document everything" is the key to a successful case. A digital forensic investigation requires the investigator to carry out the processes of preparation, collection, assembly, examination and analysis of digital evidence, and throughout these the investigator examines and extracts a huge amount of information. Ultimately this information has to be distilled into a succinct, concise report that people can easily understand. Properly documenting each step, together with sound forensic procedures, is essential for success in computer crime cases. Documentation is tedious, but a simple mistake in it can completely ruin the evidence found in a case. Good documentation reflects the professionalism of investigators and examiners; mistakes or errors in documentation become points of attack when the findings are presented.

Good documentation practice means recording all investigation steps, examination procedures and analysis results as soon as possible. Information must be written clearly and concisely, and the date and time must appear on every document. Other information also needs to be stated precisely. Documents must carry the names and signatures of the persons who took part in the investigation or prepared the document. The chain of custody is one of the indispensable documents in every forensic investigation.

A chain of custody must be established as soon as any piece of digital evidence is secured; any delay in submitting the evidence can break the chain. The chain of custody starts when the device is properly marked with initials, date and time; every item of digital evidence is then recorded on the chain-of-custody form, together with notes, before it is turned over to the evidence custody facility or locker, and every subsequent hand-over is recorded there as well. Simply leaving the evidence unattended breaks the chain of custody.

Reporting

Reporting is the stage of collation and explanation that follows completion of the investigation. The documentation stage provides the essential information for reporting, which requires discipline and organisation to prepare the information for presentation. Reporting can be the most difficult phase of the digital forensic investigation. The challenge is to create reports that accurately describe the whole of the case, including the incident response, the evidence collected, its preservation, the examination and the findings of the analysis, and to show events and information in their proper time sequence. Many standard documents must be included so that the report can withstand legal scrutiny. Investigators should develop a standard report format, with forms and templates for recording the process and the pertinent information and data. Various software tools help to generate reports from the data, providing view, search, sort, bookmark and report-creation features. The basic guidelines for reporting are to document your steps clearly, organise the report with a template, be consistent, and include supporting material and the methods used in data collection. Clear and concise documentation helps ensure that details can be recalled when needed. The final report may include sections for summary, objectives, analysis, findings, supporting documentation and a glossary [2].

Presentation

Anyone who joins the field of digital forensics will eventually have to present findings in a court of law or a similar venue. Presentation of digital evidence is outside the scope of this paper, but a few points are worth mentioning. First, all evidence must be admissible; always discuss legal issues with corporate counsel or the lawyers on the case before conducting seizures or presenting digital evidence. Second, follow the rules of the jurisdiction in which the presentation takes place. Evidence is proof legally presented at trial and allowed by the judge; it is intended to convince the judge or jury of facts material to the case, and proper control over the maintenance of evidence and its documentation is crucial to overcoming the objections that will inevitably be raised in the courtroom or before other legal authorities. Third, defendants often challenge the authenticity of computer-generated records by attacking the reliability of the program and the verification of the findings; investigators must be prepared to prove that the forensic tools used are forensically sound and properly licensed. Fourth, explain procedures, findings and technical information in layman's terms; complex forensic data and procedures can be made understandable with a simple frame of reference. Finally, the presenter's appearance, attitude, tone and professionalism are important factors in convincing the audience.

Middle Layer

The middle layer is the micro-cycle of the digital forensic investigation. It contains one or more systematic interfaces, shown in Figure 3, that can be applied iteratively or nested within the investigation as a framework for developing examination procedures. A digital forensic practitioner applies best practice within the interface to develop a particular implementation of steps or procedures for a specific type of evidence. The interface contains eight functional units operating in different time frames. Each unit specifies the nature of the procedures or steps at that point in the micro-cycle; the specific steps may vary with the type of evidence.

Document

The Document unit is a part of the overall documentation process described in the top layer. It contains the standard documents needed in the investigation and is the starting point of every procedure. On any request for digital forensic investigation services, the investigator should start making notes on all information related to the request. Some software designed for digital forensic investigation helps the investigator create the documents for a case, usually assigning a unique number to each case for later reference. Prepare log files and checklists that make it convenient for investigators to fill in the time, date and events; reports can then be created easily from proper records and log files. The chain of custody is one of the essential documents.

Preparation

The Preparation unit covers everything that must be ready before an investigative service request arrives. A digital incident response usually leaves the investigator no time to prepare, so tools and the laboratory environment should be prepared in advance for any forensic investigation service. Keeping sterile examination storage media on hand is good practice: all data areas of the media should be wiped, and the wipe documented and verified. Wiping hard drives takes time, so they should be prepared before they are needed. All forensic systems and media must be scanned for viruses and verified virus-free before use. The laboratory should have ready-to-use systems running licensed software, and all forensic software should be kept up to date and licensed to the practitioner or the organisation. Make sure the systems' clocks are validated against a reliable time source, because time is an important part of the analysis, especially when a timeline of the suspects' activities has to be created. Procedures or policies must secure the laboratory environment from unauthorised persons to avoid breaking the chain of custody; it must be possible to prove that the evidence was under the control of authorised personnel at all times.

Physical

The Physical unit covers physical inspection and examination of the evidence. Physically examine the hardware of the computers and digital devices and document a specific description of each: record all serial numbers, USB ports and network sockets, note anything unusual, take digital photographs, and record everything in the log. Enter the BIOS setup and record the CMOS settings. Boot the system with the evidence media removed, so that nothing is written to them, and record all important data such as the system date and time (and its offset from a reference clock), the boot sequence and the storage media settings. Examine the boot record, check and record all partition data, and look for unusual configurations such as unallocated gaps between partitions. Know the baseline for the particular type of machine and be alert to anything out of the ordinary. The record of the physical examination not only verifies the identity of the original evidence, it also documents its state and condition.

Logical

The Logical unit refers to the examination of the logical structure and information of the evidence that are related to the case, such as the operating system, the file system, user profiles, network settings, and contents. This information helps the investigator to understand the case. Examine the File Allocation Tables (FAT) for data of evidentiary interest. Examine directories and files for available information, such as time stamps, owner, last access, and other attributes. This information can be used to create an end-user profile that indicates the suspects' proficiency with technology. Conducting keyword searches is a good approach to finding additional information in the content of the files; the data from the contents may reveal the linkage between suspects and other parties. Logical examination of the evidence helps the investigator decide what actions need to be taken in order to extract information related to the case.


Recover

The Recover unit contains the steps or procedures to get through the media and find out what has been deleted or hidden. Recover deleted files, hidden files, and files in slack and unallocated space. Audit all recovered files, or fragments of files, and create a list of all recovered files. From the file list, sort out those most relevant to whatever is the focus of the case. Make sure all the unallocated space and slack space of the media has been examined, to avoid the risk of missing important information.

Analyze

The Analyze unit includes all procedures or steps to discover and extract the information that the evidence contains or represents. The investigator needs to analyze all user-created files and digital artifacts. Conduct keyword searches of all apparent digital evidence. Using forensic software, file names and all the words in the content are indexed; a keyword search will then show all the documents that contain the exact keyword and the frequency with which the word appears inside each document. Investigators have an obligation to examine every single suspicious file. Audit and create a list of any apparent digital evidence. Run any suspicious executable files on an isolated standalone system to see what they do. Unlock or crack password-protected files with a program, and try to decrypt any encrypted files. Each individual Analyze unit may contain only the procedures or steps that focus on a particular type of evidence.

Findings

The Findings unit records the findings from examination of the evidence that may prove or contradict a hypothesis of an investigation. Investigators examine the evidence and look for clues to what occurred during the perpetration of the offence. In fact, the jury will make its decision based on the facts of the findings. Investigators only need to make sure that all the findings on the report are accurate and that the report answers all of the questions of the investigation. In many cases, findings may lead to more evidence that needs to be investigated.

Archive

The Archive unit preserves and archives the investigated materials. Create an archive of the investigated material and put it on read-only media. An archive may have to last for a long time; the investigator needs to ensure that the information can still be retrieved from the media, and also needs to make certain that the media will not degrade or be destroyed.

Roles and Ethics

There may be legal issues with entering the scene. Law enforcement agents may need a warrant to enter the scene. Investigators may either enter the scene with permission, or be accompanied by a law enforcement agent with a warrant. Prior to seizing equipment or evidence, make sure you have consent or the necessary documents filed and have proper permission to seize the computer or equipment in question; otherwise the person seizing it may commit a separate crime of burglary. Analysis takes time, and investigators have to be fair not only to the victims but also to the defendants; examine all evidence and be neutral about the results. Follow regulations and procedures in examination and analysis, and create checklists or patterns for your investigation or incident response. Always follow the procedures in a pattern that is considered acceptable professional practice for digital incident response in order to build a good case. Investigators have to document everything carefully, use forensically sound analysis tools, use licensed analysis tools, and leave the original evidence untouched. The investigator must maintain impartiality by simply providing the facts, not judgment, and must report any wrongdoing in the digital examination.


CHAPTER IV

FORENSIC TECHNOLOGY AND TOOLS

The goal of digital evidence processing is to gain access to the data and examine it. The three layered systematic approach of digital forensic investigation shown in Figure 1 identifies the procedures, steps, and implementation of digital forensic investigations in different time frames and scopes. Those investigation processes cannot be done manually. Procedures should be conducted on a verified duplicate of the original using forensically sound procedures and tools. Forensically sound software can help investigators complete their jobs more effectively and efficiently. Software can be used in any layer of the three layered systematic approach: digital forensic suite software, such as EnCase [21] and FTK [25], can be used in the top layer over the course of the investigation, while standalone programs can be used in the different units of the middle layer and in the implementation of standard procedures in the bottom layer.

No procedure or tool should be applied to the original evidence directly, to avoid contaminating it. The tools described below are designed to aid the examiner in the examination and analysis of digital evidence. These tools are not intended to be all-inclusive. Since the majority of digital evidence involves computer-related storage media, the tools discussed will focus on these types of storage media.

Previewing Tools

Previewing tools give an option to the investigator who wants to safely preview digital evidence prior to initiating the forensic process. An investigator can make a quick scan of digital media using read-only tools without altering any data on the media. Preview tools are developed for read-only access; they will not alter any information in the data, including the last-access time stamps of the files. Preview tools aid in the logical examination of file structures, image scanning, and keyword searching. EnCase [21] and FTK [25] both provide a preview mode for safely previewing evidence.

Acquisition Tools

The goal of digital evidence duplication is to duplicate or copy the original digital evidence in a way that protects and preserves the evidence from destruction, damage, or alteration prior to analysis by the computer forensic practitioner. A duplicate is an accurate digital reproduction that maintains all contents and attributes, and all slack space is transferred. When duplicating or copying evidence, ensure that the examiner's storage device is forensically sterile. Write protection should be initiated to preserve and protect the original evidence; the write protection can be performed via either hardware or software. The MD5 or SHA-1 hashing algorithm should be used prior to duplication or copying. Please note that the formatted area is not the total storage of the drive; there can be unallocated areas of storage on a hard drive. The Host Protected Area (HPA) is defined as a reserved area for data storage outside the normal operating file system. The Protected Area Run Time Interface Extension Services (P.A.R.T.I.E.S) area is hidden from the operating system and file system, and is normally used for specialized applications. Duplicate or copy the electronic evidence to the examiner's storage device using appropriate software and hardware tools such as:

Stand-alone duplication software: SafeBack [22]

Stand-alone validation tools: CRCMd5 [24], DiskSig [25]

EnCase Acquisition Tool [21]

FTK Acquisition Tool [25]

WinHex Acquisition Tool [26]

Dedicated hardware devices: ImageMASSter Solo-3 IT [27], Fire Chief [28], DIBS [29]
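The sequence the acquisition step prescribes (hash the original before duplication, copy every byte, then validate the copy against the pre-acquisition hash) as an added Python example; it is not the thesis author's code nor any of the tools listed above. It assumes the original is an ordinary file path standing in for the evidence device, and that a write-blocker is already in place, which the code does not model.

```python
"""Added example: bit-stream duplication with before/after MD5 and SHA-1 validation."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read size in bytes; an arbitrary choice for this example


def hash_file(path):
    """Return (md5, sha1) hex digests of a file, reading it once in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def duplicate(source, image):
    """Stream every byte of source into image, hashing the bytes as they pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the media
    return md5.hexdigest(), sha1.hexdigest()


def acquire(source, image):
    """Hash the original, duplicate it, then re-hash the duplicate from disk.

    Returns a record for the acquisition log. 'source_stable' is False if the
    original changed while it was being read (what a failed write-blocker would
    show); 'image_verified' is False if the duplicate is not bit-for-bit identical.
    """
    before = hash_file(source)
    streamed = duplicate(source, image)
    after = hash_file(image)
    return {
        "md5": before[0],
        "sha1": before[1],
        "bytes": os.path.getsize(source),
        "source_stable": before == streamed,
        "image_verified": before == after,
    }


def demo(data, tamper=False):
    """Run acquire() over constructed sample bytes in a temporary directory.

    With tamper=True one byte of the image is flipped after acquisition and the
    image is validated again, showing how a later alteration is detected.
    """
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "evidence.raw")  # stands in for the device
        image = os.path.join(workdir, "evidence.dd")
        with open(source, "wb") as f:
            f.write(data)
        record = acquire(source, image)
        if tamper and record["bytes"]:
            with open(image, "r+b") as f:
                first = f.read(1)
                f.seek(0)
                f.write(bytes([first[0] ^ 0xFF]))
            record["image_verified"] = hash_file(image) == (record["md5"], record["sha1"])
        return record


if __name__ == "__main__":
    print(demo(b"constructed sample evidence bytes"))
    print(demo(b"constructed sample evidence bytes", tamper=True))
```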

Examination Tools

Upon successful duplication of the original evidence, the investigator is ready for digital evidence examination. The examiner needs to prepare a working log file and a forensic analysis system with working directories on separate media to which evidentiary files and data can be copied. Before performing any actual examination, the examiner should record the logical drive structure, the information contained in the MBR/MFT of the hard drive, the partition information, and the information found in each partition's boot sector. EnCase, FTK, and WinHex [26] provide functionality that helps investigators record the statistics of the hard drive and create log files of them. The next step is to identify and eliminate the known files. Known files (those removed by a Known File Filter, KFF) are not of evidentiary interest, and investigators do not want to spend time investigating them. The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information [30]. The RDS can be used to review the files on a computer by matching their file profiles against the RDS, which helps lessen the effort involved in determining the importance of files on computers or file systems. EnCase has a feature for importing the NSRL RDS, and FTK also provides a KFF hash database. The investigator needs to examine a large number of files, including swap files, registry files, backup files, printer spools, log files, user profiles, temp files, recycle bin files, and thumbnail files. Performing keyword searches is an efficient way to locate information; beyond keyword searches, the investigator can apply regular expression searches. Forensic tools allow the use of regular expressions to search the data for special patterns, such as driver's licence numbers, social insurance numbers, and credit card numbers. When examining the binary form of data, the file signature is helpful for identifying the pattern found within a file. A file signature is a unique identifier of a file type that is usually found at the beginning of the file. The investigator can easily recreate an image file by locating the file signature of the image in the thumbnail database file, even though all the images have been deleted. Investigators have to extract various types of files from the system, examine network intrusions, and examine file slack and unallocated space in the storage devices; they also need to identify, decode, and examine data that has been binary encoded, encrypted, password protected, or compressed. Examine executable files not identified in the known file identification process and execute the programs of interest.
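An added Python example of two of the examination steps above: eliminating known files against an RDS-style hash set, then using file signatures to identify a file regardless of its extension and to carve image records out of a thumbnail-database-like blob. It is not code from the thesis, EnCase, FTK or the NSRL; the RDS excerpt and its column layout, the evidence files and the THUMB_DB blob are all constructed for this example.

```python
"""Added example: known-file elimination and signature-based identification/carving."""
import csv
import hashlib
import io

# Constructed RDS excerpt in the column layout this example assumes for an
# NSRL RDS text file. The SHA-1/MD5 values for the empty file and b"abc" are real.
RDS_SAMPLE = (
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    '"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D41D8CD98F00B204E9800998ECF8427E",'
    '"00000000","empty.txt",0,1,"358",""\n'
    '"A9993E364706816ABA3E25717850C26C9CD0D89D","900150983CD24FB0D6963F7D28E17F72",'
    '"352441C2","abc.txt",3,1,"358",""\n'
)

# File signatures this example recognises: (header bytes, trailer bytes).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def load_known_hashes(rds_text):
    """Return the set of lowercase SHA-1 digests listed in an RDS text."""
    return {row["SHA-1"].lower() for row in csv.DictReader(io.StringIO(rds_text))}


def filter_known(files, known):
    """Split {name: bytes} into (unknown, known) by SHA-1 membership in the RDS set."""
    unknown, matched = [], []
    for name, data in sorted(files.items()):
        (matched if hashlib.sha1(data).hexdigest() in known else unknown).append(name)
    return unknown, matched


def identify(data):
    """Name the file type from its leading bytes, ignoring the file extension."""
    for kind, (header, _trailer) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return "unknown"


def extension_mismatches(files):
    """Names whose extension disagrees with the signature found in the content."""
    ext_for = {"jpeg": (".jpg", ".jpeg"), "png": (".png",)}
    bad = []
    for name, data in sorted(files.items()):
        kind = identify(data)
        if kind in ext_for and not name.lower().endswith(ext_for[kind]):
            bad.append(name)
    return bad


def carve(blob, kind="jpeg"):
    """Recover every header..trailer span of the given type from raw bytes."""
    header, trailer = SIGNATURES[kind]
    found, pos = [], 0
    while True:
        start = blob.find(header, pos)
        if start < 0:
            break
        end = blob.find(trailer, start + len(header))
        if end < 0:  # header without trailer: truncated fragment, stop here
            break
        found.append(blob[start:end + len(trailer)])
        pos = end + len(trailer)
    return found


# Constructed "thumbnail database": two signature-shaped JPEG records between
# filler bytes. This is not a real Thumbs.db layout.
THUMB_DB = (b"\x00" * 16 + b"\xff\xd8\xff\xe0" + b"A" * 20 + b"\xff\xd9"
            + b"\x00" * 8 + b"\xff\xd8\xff\xe1" + b"B" * 30 + b"\xff\xd9" + b"\x00" * 4)

# Constructed evidence files: two known files and one JPEG renamed to look like a document.
EVIDENCE = {
    "empty.txt": b"",
    "abc.txt": b"abc",
    "report.doc": b"\xff\xd8\xff\xe0" + b"C" * 10 + b"\xff\xd9",
}

if __name__ == "__main__":
    known = load_known_hashes(RDS_SAMPLE)
    print("unknown/known:", filter_known(EVIDENCE, known))
    print("extension mismatches:", extension_mismatches(EVIDENCE))
    print("carved records:", [len(p) for p in carve(THUMB_DB)])
```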


Digital forensic investigators or examiners have to choose their own tools for a specific process, file type, or functionality. EnCase and FTK are two digital forensic suites that provide a wide variety of functionality for the analysis of files on both Windows-based and Linux-based systems. The Coroner's Toolkit (TCT) [31] is a collection of programs for post-mortem analysis of UNIX-based and Linux-based systems. The Sleuth Kit [32] is a collection of open source digital investigation tools for forensic analysis that can be used on the Linux platform.


CHAPTER V

CONCLUSIONS AND RECOMMENDATIONS

Conclusions

This paper introduces digital forensics as a three layered systematic approach, which shows the different levels of the entire digital forensic investigation that an investigator should focus on. The top layer generalizes assessment, acquisition, examination, analysis, documentation, reporting, and presentation into a macro-cycle that describes the overall investigation process. In the assessment phase, the investigator assesses the digital evidence thoroughly during the incident response to determine the course of action to take. In the acquisition phase, the investigator duplicates the original evidence for examination so as to keep the original evidence untouched. Examination is the recovery and analysis of digital evidence. In the analysis phase, the investigator interprets the recovered data into logical and meaningful evidence. Documentation records actions and observations throughout the forensic processing of evidence. Reporting concludes the findings into a report. The presentation phase presents the evidence to convince people of the truth of the findings. The facts should be presented in a concise, but sufficiently detailed, manner.


To establish a digital forensic laboratory or maintain the operation of one, a selection of procedures and protocols should be implemented to ensure that operations run smoothly. The laboratory policies may vary depending upon the location, jurisdiction, financial resources, and operational commitments. Quality assurance and quality control refer to the measures of performance monitoring, verification, and documentation conducted by the laboratory, and they must be maintained within the laboratory. The middle layer formalizes the digital forensic procedures and steps into an interface. The interface can be further developed into standard procedures for particular types of digital evidence. Unlike traditional forensic science, digital forensic science is a rapidly changing field of endeavour; thus, attempting to develop and enforce strict standards, protocols, and procedures is quite difficult. The middle layer conceptualizes the investigation procedures into an interface with eight processing units; the actual implementation of each unit depends on the development of the digital forensic community or laboratory. The investigator needs to ensure that all established procedures comply with current industry standards and best practices, changes in technology, and jurisdiction. All forensic procedures should be documented in a timely manner. The documents should contain sufficient detail to make it possible for another computer forensic practitioner to reproduce the original investigator's efforts. A report of the examination or investigation should be submitted at the completion of each computer forensic examination. The report must describe all items of evidence examined and all data recovered during the computer forensic examination, and it should present a clear understanding of the results and conclusions of the examination. Finally, all original digital evidence must be returned to the evidence custody unit or facility, and the findings of the examination must be properly archived.

Digital technology has influenced the world in the areas of financial, commercial, and social activity. Criminals continuously take advantage of computer technology to commit fraudulent activities, and these activities can be conducted internally, externally, or remotely through a network or the Internet. Digital forensics is deployed in a wide range of criminal and civil cases. Digital evidence must be admissible, authenticated, and accurate; next, it must tell a complete story of the particular circumstances; and finally it must have probative value to juries or at trial. Digital evidence is like any other evidence but fragile in nature, and it must be handled properly and carefully.

Suggestions for Further Research


The biggest challenge of digital forensic science is the lack of standardized protocols and methodologies. Standard protocols and methodologies do not have sufficient time to develop and go through the usual cycle of validation and verification of new and tested forensic techniques and discoveries. For operational reasons, investigators need to have a broad range of computer knowledge and skills to examine all types of files on a massive storage device; this creates a reliability issue, and their findings will be challenged on the validation of the findings and verification of the evidence, the completeness of the investigation, and the absence of tampering during examination. The digital forensic community needs a structured framework for the rapid development of standard operating procedures that can be peer-reviewed and tested promptly, and validated and verified quickly. Computer forensic practitioners can benefit from standard operating procedures to build a forensically sound case. The three layered structure put forth here shows a potential structured framework for the development of training materials for digital forensic students; it can be a guideline for standard operating procedures, and a model for digital forensic software development.


REFERENCES

[1] B.D. Carrier, "Risk of Live Digital Forensic Analysis," Communications of the ACM, vol. 49, no. 2, Feb. 2006.

[2] M.G. Solomon, D. Barrett, and N. Broom, Computer Forensics JumpStart, San Francisco, CA: SYBEX Inc., 2005.

[3] W. Harrison, "A Term Project for a Course on Computer Forensics," ACM Journal on Educational Resources in Computing, vol. 6, no. 3, article 6, Sep. 2006.

[4] P. Stephenson, Investigating Computer-Related Crime: A Handbook for Corporate Investigators, Boca Raton, FL: CRC Press LLC, 2000.

[5] D.L. Shinder, Scene of the Cybercrime: Computer Forensics Handbook, Rockland, MA: Syngress Publishing, 2002.

[6] A.J. Marcella and R.S. Greenfield, Cyber Forensics: A Field Manual for Collecting, Examining and Preserving Evidence of Computer Crimes, Boca Raton, FL: CRC Press LLC, 2002.

[7] G. Mohay, A. Anderson, B. Collie, O. de Vel, and R. McKemmish, Computer and Intrusion Forensics, Boston, MA: Artech House, 2003.

[8] R. Leigland and A.W. Krings, "A Formalization of Digital Forensics," International Journal of Digital Evidence, vol. 3, issue 2, Fall 2004.

[9] "Education and Training in Forensic Science: A Guide for Forensic Science Laboratories, Educational Institutions, and Students," Office of Justice Programs, National Institute of Justice, U.S. Department of Justice, Washington, DC, NCJ 203099, Jun. 2004.

[10] J. Wartell and J.T. McEwen, "Privacy in the Information Age: A Guide for Sharing Crime Maps and Spatial Data," Crime Mapping Research Center, National Institute of Justice, U.S. Department of Justice, Washington, DC, NCJ 188739, Jul. 2001.

[11] H. Stambaugh, D.S. Beaupre, D.J. Icove, R. Baker, W. Cassaday, and W.P. Williams, "Electronic Crime Needs Assessment for State and Local Law Enforcement," Office of Justice Programs, National Institute of Justice, U.S. Department of Justice, Washington, DC, NCJ 186276, Mar. 2001.

[12] "Forensic Examination of Digital Evidence: A Guide for Law Enforcement," Office of Justice Programs, National Institute of Justice, U.S. Department of Justice, Washington, DC, NCJ 199408, Apr. 2004.

[13] B. Middleton, Cyber Crime Investigator's Field Guide, Boca Raton, FL: CRC Press, 2002.

[14] D. Schweitzer, Incident Response: Computer Forensics Toolkit, Indianapolis, IN: Wiley Publishing, 2003.

[15] C. Prosise, K. Mandia, and M. Pepe, Incident Response & Computer Forensics, 2nd ed., New York: McGraw-Hill, 2003.

[16] M.A. Caloyannides, Privacy Protection and Computer Forensics, 2nd ed., Boston, MA: Artech House, 2004.

[17] P. Crowley, CD and DVD Forensics, D. Kleiman, Ed., Rockland, MA: Syngress Publishing, 2007.

[18] H. Carvey, Windows Forensic Analysis, Burlington, MA: Syngress Publishing, 2007.

[19] J.J. Barbara, Handbook of Digital and Multimedia Forensic Evidence, Totowa, NJ: Humana Press, 2008.

[20] J. Beckett and J. Slay, "Digital Forensics: Validation and Verification in a Dynamic Work Environment," 40th Annual Hawaii International Conference on System Sciences, 2007.

[21] S. Bunting and W. Wei, The Official EnCE: EnCase Certified Examiner Study Guide, Indianapolis, IN: Wiley Publishing, Inc., 2007.

[22] New Technology Inc., "Introduction to SafeBack 3.0". [Online]. Available: http://www.forensics-intl.com/safeback.html [Accessed: Feb. 1, 2009].

[23] New Technology Inc., "CRCMd5 Data Validation Tool". [Online]. Available: http://www.forensics-intl.com/crcmd5.html [Accessed: Feb. 1, 2009].

[24] New Technology Inc., "DiskSig Pro Bitstream Backup Validation". [Online]. Available: http://www.forensics-intl.com/diskSig.html [Accessed: Feb. 1, 2009].

[25] AccessData Corp., "Get Flexibility with Forensic Toolkit 2.0". [Online]. Available: http://www.accessdata.com/forensictoolkit.html [Accessed: Feb. 1, 2009].

[26] X-Ways Software Technology AG, "WinHex: Computer Forensics & Data Recovery Software, Hex Editor & Disk Editor". [Online]. Available: http://www.x-ways.net/winhex/index-m.html [Accessed: Feb. 1, 2009].

[27] Intelligent Computer Solutions Inc., "Home page: ImageMASSter Product Lines". [Online]. Available: http://www.ics-iq.com [Accessed: Feb. 1, 2009].

[28] Digital Intelligence, "About the FireChief". [Online]. Available: http://www.digitalintelligence.com/products/firechief/ [Accessed: Feb. 1, 2009].

[29] DIBS USA Inc., "Home page: Computer Forensics Equipment, Training, Case Support and Analysis". [Online]. Available: http://www.dibsusa.com/ [Accessed: Feb. 1, 2009].

[30] National Software Reference Library, "Home page: Welcome to the National Software Reference Library (NSRL) Project Web Site". [Online]. Available: http://www.nsrl.nist.gov [Accessed: Feb. 1, 2009].

[31] Porcupine.org, "Home page: The Coroner's Toolkit (TCT)". [Online]. Available: http://www.porcupine.org/forensics/tct.html [Accessed: Feb. 1, 2009].

[32] Sleuthkit.org, "Home page: Feathers". [Online]. Available: http://www.sleuthkit.org/sleuthkit/desc.php [Accessed: Feb. 1, 2009].