Forensic Frameworks


Guidance on preparing an investigative plan of action appears in many sources, both academic and professional. Best-practice frameworks and digital forensic process models apply standard systems-analysis steps to the problem; each names similar phases and shares the same focus on repeatable, documented handling of evidence.

Digital Forensics Research Workshop (DFRWS)

The Digital Forensics Research Workshop (DFRWS) developed a forensic framework to standardize analytical procedures, on the premise that forensic examinations share common steps that do not depend on any specific technology or tool (Reith et al., 2002).

The key components of this framework include identification, preservation, collection, examination, analysis, and presentation.

  • Identification involves recognizing indicators that signal an incident, determining the type of incident, preparing the necessary tools and processes to be followed (inclusive of search warrants and authorizations as needed), and formulating an approach strategy that maximizes unspoiled evidence collection while minimizing impact to the business.
  • Preservation requires isolating and securing both physical and digital evidence. Digital evidence must not be altered; it must remain exactly as it was found (Ahearne, 2017). In practice this means write-protected access to the original and a hash value recorded at the time of acquisition so that any later change can be detected.
  • Collection comprises employing forensically sound procedures to record the physical scene and duplicate digital evidence.
  • Examination is the in-depth exploration of both physical and duplicated digital evidence to identify potential evidence related to the alleged crime or violation.
  • Analysis is an iterative process involving data reconstruction and determining the significance in order to draw conclusions based on the evidence.
  • Presentation summarizes how the investigative plan of action was carried out and explains the conclusions reached. The report is written for its expected audience, avoiding or defining technical forensic terms as that audience requires. Careful documentation is at the heart of every framework component.

Forensic Plan Guide and Cookbook

Likewise, the Forensic Plan Guide and Cookbook (King, 2006) identifies common plan phases and provides a detailed discussion and some relevant examples of each phase.

  • Common phases include:
    • identification
    • preservation
    • data collection
    • examination
    • reporting

Scientific Working Group on Digital Evidence (SWGDE)

The Scientific Working Group on Digital Evidence (SWGDE) developed a framework of best practices for computer forensics, including seizing and handling evidence, equipment preparation, forensic imaging, forensic analysis and examination, and documentation (SWGDE, 2006).

  • Seizing evidence requires reviewing the legal or corporate authority to do so, determining any restrictions, and understanding the process that may be necessary to obtain additional authority to seize evidence outside the existing scope of the initial search or plan of action. Be prepared to methodically search the scene for evidence. Further, any bystanders and the potential suspect should be removed from the scene during evidence seizure to avoid contamination. Solid evidence handling procedures are dependent on the type and condition of the computer or other items to be seized.
  • Preparing forensic investigator equipment involves determining and validating the appropriate forensic hardware and software tools to be used for the investigation at hand.
  • Forensic imaging encompasses the process of capturing a bitstream image of the seized evidence using forensically sound actions. The procedure can vary with the tools being used.
  • Forensic analysis and examination methods avoid the use of the original evidence and follow the strategy outlined in the investigative plan of action.
  • Documentation should include an evidence chain of custody, legal authority, information about the evidence seized, and possible conclusions.

Other

Nelson et al. (2019) describe taking a systematic approach, much like the steps in systems analysis. Forensic investigators should first assess the type of case by asking questions about the incident, including where evidence may be located. This is followed by strategizing and outlining the steps needed to investigate the case successfully. Those steps can include refining the outline into a detailed checklist, determining the resources needed and how evidence will be obtained, identifying and minimizing risks, and testing the proposed process before applying it to the evidence.

What is meant by forensically sound evidence collection? To be forensically sound, you must be able to defend your collection process and results in court. The process and results must also be repeatable and clearly documented. The most common method is to use a tested and approved forensic software tool to obtain an image of the suspect's storage device (Zapproved, 2018). The check that makes the result defensible is the hash: a digest computed over the source at acquisition, recomputed over the finished image, and recorded in the acquisition log, so that anyone who re-hashes the image later can confirm it is unchanged.
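The SWGDE forensic imaging and documentation steps above, and the hash-verify-document loop that makes a collection forensically sound, are demonstrated in the following added example. It is not code from the page or from any of the cited frameworks or tools. It constructs its own small sample "device" file as evidence, uses a hypothetical examiner name and case ID, and stands in for a validated imaging tool only to show the sequence: read the source once, hash while copying, independently re-hash the written image, refuse the image if the digests differ, and write the acquisition record. A real acquisition reads the original through a hardware write blocker; the read-only open here is a software precaution, not a substitute.

```python
"""Bitstream copy with acquisition and verification hashes plus an acquisition log.

Added example (not from the page or any cited framework). Examiner name and case ID
are hypothetical; the 'evidence' file is constructed by demo() so this runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so a real device never has to fit in memory


def _hash_file(path):
    """Re-read a file from disk and return its (md5, sha256) hex digests."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def acquire_image(source, image, examiner, case_id):
    """Copy `source` bit-for-bit to `image`, hashing the stream as it is read,
    then verify by hashing the written image. Returns the acquisition record;
    raises if the two digests disagree so a bad image is never used."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    started = datetime.now(timezone.utc).isoformat()
    # Read-only open is a software-level precaution only; a hardware write
    # blocker is what actually guarantees the original cannot be altered.
    fd = os.open(source, os.O_RDONLY)
    with os.fdopen(fd, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes we hash below are really on disk
    # Verification digests come from the written file, not the in-flight stream,
    # so a write error or truncated image shows up as a mismatch here.
    v_md5, v_sha = _hash_file(image)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "source": source,
        "image": image,
        "bytes": size,
        "started_utc": started,
        "completed_utc": datetime.now(timezone.utc).isoformat(),
        "acquisition_md5": md5.hexdigest(),
        "acquisition_sha256": sha.hexdigest(),
        "verification_md5": v_md5,
        "verification_sha256": v_sha,
    }
    record["verified"] = (record["acquisition_md5"], record["acquisition_sha256"]) == (v_md5, v_sha)
    if not record["verified"]:
        raise RuntimeError("image digest differs from acquisition digest; discard this image")
    return record


def write_log(record, log_path):
    """Persist the acquisition record; this is the hash evidence the chain of custody cites."""
    with open(log_path, "w") as fh:
        json.dump(record, fh, indent=2, sort_keys=True)


def verify_image(image, expected_sha256):
    """Repeat the check later, by another examiner or tool: same bytes, same digest."""
    return _hash_file(image)[1] == expected_sha256


def demo():
    """Constructed sample: a small 'device' with a header, a zero run and repeated user data."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "evidence.bin")      # stands in for /dev/sdX behind a blocker
    image = os.path.join(work, "evidence.dd")
    log = os.path.join(work, "acquisition.json")
    with open(source, "wb") as fh:
        fh.write(b"MBR" + b"\x00" * 4093 + b"user data: secret.txt" * 100)
    record = acquire_image(source, image, examiner="J. Doe (hypothetical)", case_id="CASE-0001")
    write_log(record, log)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things the example deliberately leaves to a validated tool: handling of unreadable sectors (a production imager records which sectors it had to skip or zero-fill, and the log must say so) and container formats that carry the hashes inside the image. What it does show is the property the frameworks are asking for: the conclusion "this image is the evidence" rests on a digest that anyone can recompute, not on the examiner's word.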


References

Ahearne, J. (2017, June 8). Digital forensic process—Preservation/collection. DriveSavers. https://drivesaversdatarecovery.com/blog/digital-forensic-process-preservation-collections/

King, G. (2006). Forensics plan guide and cookbook. SANS Institute. https://www.giac.org/paper/gcfa/283/forensic-investigation-plan-cookbook/108356

Nelson, B., Phillips, A., & Steuart, C. (2019). Guide to computer forensics and investigations: Processing digital evidence (6th ed.). Cengage.

Reith, M., Carr, C., & Gunsch, G. (2002). An examination of digital forensic models. International Journal of Digital Evidence, 1(3), 1–12.

SWGDE. (2006). Best practices for computer forensics. https://www.oas.org/juridico/spanish/cyb_best_pract.pdf

Zapproved. (2018, September 5). What is forensically sound data collection? https://zapproved.com/blog/what-is-forensically-sound-data-collection/