Digital Forensics Fundamentals: Successful Preservation of Evidence
Digital forensics uncovers, analyses and can be used to reconstruct criminal activity. An essential part of this, is the digital preservation of evidence. Data from relevant areas must be collected, documented and processed in an effective and defensible way. This article explores the evolution of digital forensics in an era when the volumes and variety of data have grown beyond expectation and how organizations can prepare for a potential investigation.
Digital evidence gathering
In digital forensics, the SAP model is considered the standard procedure for dealing with data-related wrongdoing. In the first step, "Secure," the preservation of evidence takes place. In step two, the analysis (Analyse) of the secured and processed data follows. In the final step, "Present," the results are presented, correlations are identified and conclusions are drawn.
The digital preservation of evidence can be divided into numerous categories:
- Data storage forensics
- Operating system forensics
- Hardware forensics
- Mobile device forensics
- Application forensics
- Network forensics
- Cloud forensics
- Web forensics
- Multimedia forensics
- Software forensics (code)
- Wearable forensics
- Car / EV forensics
Data storage forensics
For the digital preservation of evidence, this involves making copies of all relevant data storage devices. In addition, the digital forensic expert should identify hidden data areas and restore deleted data. Data downloaded from the data storage (data leakage) should be documented.
Operating system forensics
Secure evidence from the operating systems of the devices involved, by collecting data on the system, the users and the applications:
- System: Version, hardware, installation date, configuration, log files, etc.
- Users: Who was created and when, logins, rights, etc.
- Applications: Which were installed when, uninstalled applications, etc.
Hardware forensics includes data generated by the devices and is of interest to digital forensics:
- Through the Internet of Things (IoT) and smart homes, devices play an increasingly important role in digital evidence gathering.
- On the other hand, data from simple devices such as a printer, fax or network attached storage (NAS) can also be necessary.
Mobile device forensics
Mobile devices such as smartphones, tablets, navigation systems or e-book readers can also provide digital forensics with information about the issue being investigation. The data on these contain, among other things:
- Location data: Position systems (geo-tracking), radio cells, etc.
- Communication data: Email, SMS, MMS, chat, calls, etc.
- Other usage data: Apps, internet history with cookies and search terms, networks used, address and phone book, calendar, digital notes, etc.
Digital forensics will undertake a more detailed investigation of the associated data if applications relevant to the study can be identified. In the case of proprietary formats, it may not be possible to interpret all data correctly. In any case, however:
- Secure the data generated by the application.
- Collect evidence of how the application was used.
- Document information on the time of installation, version, patches, and updates applied.
Communication between people, applications and systems takes place over networks. The communication data is secured as evidence in the network section of digital forensics. Important aspects include:
- Source and destination network.
- Network services.
- Traces of protocols used, such as HTTP and DNS.
- Time sequences from log files.
For cloud forensics, digital forensics must determine which systems the cloud is built on and who has access. Interfaces must be documented and application, user and system data collected.
Another particular field of digital forensics is web forensics. Here the focus is on web applications, i.e., applications that can be accessed via the browser. The following data is essential for the digital preservation of evidence:
- Traces and settings of the web browser.
- Data generated by the application on the web server and in the database.
- Data exported to the end device.
Finally, an important area of digital forensics is multimedia forensics:
- Image, audio and video files are secured and checked for authenticity.
- Determined whether multimedia was used for disguised communication or contained confidential information.
- Checking which metadata such as device information, place and time of creation is contained in the media.
What can serve as evidence in digital forensics?
On the one hand, digital forensics can help to solve serious crimes. For example, forensic scientists use a smartphone’s GPS data to check where a person was at the time of the crime. On the other hand, digital forensics can also be used to investigate data-related crimes. In both areas, additional evidence can be obtained.
The Federal Office for Information Security (BSI) distinguishes between eight types of data that can be used as evidence:
- Hardware data: Data that cannot be changed or can only be changed to a limited extent by components of the operating system and applications, e.g., serial number, OP code, RTC time and virtualisation data.
- Raw data content: Data streams that are not yet classified, e.g., network packets or the image of a data carrier. Raw data can contain data types three to eight.
- Details about data: Metadata such as the signature of an image or the sequence number of a network packet.
- Configuration data: This data affects system behaviour and can be modified by applications or the operating system.
- Communication protocol data: Data that affects communication between systems. This includes network configuration files and inter-process communication.
- Process data: All data about a process, e.g., status, owner, priority, allocation of memory, start time and the associated application.
- Session data: Data is stored about a session that a person started, an application or the operating system, e.g., web pages and documents accessed.
- User data: Data that the user has consumed and or modified, mainly multimedia data such as images, videos, texts and audio files.
Digital forensic experts can do preparatory work to ensure that the securing of this evidence data works quickly and successfully in the event of an emergency.
The groundwork for fast evidence recovery in digital forensics
In preparing for an investigation, teams must develop a response and action plan that specifies how the organisation should act in the event of a significant matter. If everyone knows their role and task, the process will be faster, fewer mistakes will be made and steps are less likely to be forgotten.
As part of this, teams should also review the company's IT structures. How easy is it to collect, secure and process data? It is often easier to manage a homogeneous system landscape. Five servers with the same settings and operating systems can be approached identically in digital forensics. However, more time is needed if there are five different and partly outdated servers.
Next, various programmes can help back up and prepare data daily. A firewall protects and documents network traffic at the same time. An intrusion detection system (IDS) detects anomalies in the network, and an intrusion prevention system (IPS) tries to prevent them. A web application firewall (WAF) is suitable for evidence collection if you want to facilitate web forensics. For each of the areas of digital forensics presented above, a product exists to enable digital evidence collection. The SANS Institute has a workstation with open-source tools for digital forensics.
Data becomes evidence in criminal cases
Preservation of evidence is the first step in digital forensics. A distinction is made between different areas that need to be investigated depending on the case.
To simplify the process of securing data, you should prepare your corporate IT structures, use reputable, robust and defensible digital forensics tools and develop a response plan. The preparatory work also helps to detect data-related crime more quickly and prevent it over the long term.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.