
How to handle data acquisition in digital forensics

Digital forensic evidence is volatile and delicate, and mishandling it can undermine an entire investigation. Because of that fragility, defined procedures must be followed to ensure the data is not altered during acquisition, packaging, transfer, and storage (collectively, data handling). These procedures set out the phases of data handling and the protocols to be observed during data acquisition, in particular the requirement that every copy is hashed and verified against its source so that any later alteration can be detected.

The continuously developing field of digital forensics has become a scientific discipline in its own right, with dedicated training and certification programs such as Computer Hacking Forensic Investigator (CHFI). Join our community of digital forensics professionals by enrolling in our certification programs today!

What is acquisition in digital forensics?

Data acquisition in digital forensics encompasses all the procedures involved in gathering digital evidence, including cloning and copying evidence from any electronic source. It involves producing a forensic image from digital devices such as CD-ROMs, internal and removable hard drives, smartphones, thumb drives, gaming consoles, servers, and any other technology that can store electronic data.

Data acquisition is perhaps the most critical stage of a digital forensic investigation, and it demands a thorough, well-crafted acquisition plan. Detailed records must be kept and preserved: the software and hardware used (including tool versions and write blockers), the media written during the process, the hash values of every image, and the evidence items themselves.

Data acquisition methods

The main data acquisition methods are the disk-to-image file (the most common and most flexible, since the image can be examined with many tools), the disk-to-disk copy, the logical disk-to-disk or disk-to-data copy, and the sparse data copy of a file or folder. The approach also depends on the type of device being acquired: the technique for retrieving evidence from a smartphone differs from the one used to acquire a computer hard drive.

Unless you are performing a live acquisition, forensic evidence is typically obtained from digital media that has been seized and stored at the forensics lab (static acquisition). The seized media is regarded as the primary source of evidence during an investigation and is called an ‘exhibit’ in legal vocabulary. The forensic examiner does not work directly on the exhibit, so as not to alter or compromise it: the exhibit is imaged through a write blocker, the image is hashed and verified against the source, and analysis is done on a copy of that verified image.
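The following shell script is an added example, not code from the original article: a disk-to-image acquisition with dd, followed by hash verification of the image against the source and a re-verification step for later use. The source "device" is a constructed file of random bytes so the script runs without hardware; in a real case the source would be a write-blocked device such as /dev/sdb, and the paths, log format and function names here are the example's own assumptions. It assumes GNU coreutils (dd, sha256sum) on Linux.

```shell
#!/bin/sh
# Added example (not from the original article): disk-to-image acquisition
# with dd plus hash verification.  Assumes GNU coreutils on Linux; the source
# below is a constructed file standing in for a write-blocked block device.
set -u

# Print the SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Image SRC into IMG sector by sector, hash both, and write a verification
# log.  Returns 0 only if the image hash matches the source hash.
acquire_image() {
    src=$1; img=$2; log=$3

    src_hash=$(sha256_of "$src")      # hash the source before imaging

    # bs=512 matches the sector size.  conv=noerror,sync keeps going on read
    # errors and zero-fills the failed sector instead of aborting.  Padding
    # changes the image hash, so a mismatch with these options means
    # unreadable sectors and must be recorded in the notes, not ignored.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null

    img_hash=$(sha256_of "$img")
    {
        printf 'source:         %s\n' "$src"
        printf 'image:          %s\n' "$img"
        printf 'acquired_utc:   %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'sha256_source:  %s\n' "$src_hash"
        printf 'sha256_image:   %s\n' "$img_hash"
    } > "$log"
    [ "$src_hash" = "$img_hash" ]
}

# Re-verify an image against the hash recorded at acquisition time.  Run it
# whenever the image changes hands and before analysis starts.
verify_image() {
    img=$1; log=$2
    recorded=$(sed -n 's/^sha256_image: *//p' "$log")
    [ -n "$recorded" ] && [ "$(sha256_of "$img")" = "$recorded" ]
}

# Demo with a constructed 64 KiB "device" (128 sectors of random bytes).
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/exhibit.raw" bs=512 count=128 2>/dev/null
if acquire_image "$demo_dir/exhibit.raw" "$demo_dir/exhibit.dd" "$demo_dir/exhibit.log"; then
    echo "image verified: $(sha256_of "$demo_dir/exhibit.dd")"
else
    echo "HASH MISMATCH, see $demo_dir/exhibit.log" >&2
fi
```

The log written by acquire_image is the record that travels with the exhibit; verify_image compares a fresh hash against it, so any modification of the image after acquisition, even a single byte, is detected before analysis proceeds.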

What is cybercrime investigation?

A cybercrime, or digital crime, is the use of computers, networks, and other digital devices to commit a crime. A digital device involved in a cybercrime plays one of two roles: it is either the instrument used to launch the attack or the target that receives it.

Following the above logic, a cybercrime investigation comprises all the techniques for examining, evaluating, and retrieving relevant digital evidence from hosts, local networks, and the internet in order to identify the perpetrators of the digital crime and establish their motives.

The people who conduct cybercrime investigations must be professionals with an understanding of incident response processes, attacker techniques, software and hardware, operating systems, and file systems. The computer forensics examiner must also understand how these components interact in order to build a full picture of the who, what, when, how, and why of the attack.

To learn more about cybercrime investigations, sign up today for our CHFI certification program and course.

What is the first step in forensic analysis at a cybercrime scene?

The first step in any forensic analysis is validating the forensic hardware and software (write blockers, imaging tools, hashing utilities) so that the analyst can be sure they function correctly and produce repeatable results. Nevertheless, the investigation begins long before the digital forensics examiner arrives at a cybercrime scene.

On arriving at the cybercrime scene, the examiner's first obligation is to observe carefully and document the state of the scene before touching anything. Investigating any crime scene is no simple task. A certified computer examiner has a better chance of detecting anomalies, having been through rigorous computer forensics training. With any luck, the first responders have not mishandled the digital evidence or caused irreparable damage to it.

Your data acquisition must follow the order of volatility of the evidence: collect the most fragile evidence first and the least fragile last, so that data which would be lost on power-off or overwritten by normal system activity is captured before it disappears, and so that the collection itself causes as little modification as possible.

For example, ordered from most to least volatile (the order given in RFC 3227), you should collect registers and cache; routing tables, ARP cache, process table, kernel statistics, and memory; temporary file systems; disk; remote logging and monitoring data relevant to the system in question; physical configuration and network topology; and finally archival media.
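The following shell script is an added example, not code from the original article: a live collection of volatile data from a Linux host in the order of volatility above, with a SHA-256 manifest written beside the output and a verification function for later use. The artifact list, file names and function names are the example's own choices; it reads only /proc and uses coreutils so it runs unprivileged for demonstration. A real responder runs it as root from a trusted toolkit and writes the output to external media, never to the disk under investigation. It assumes GNU coreutils (sha256sum) on Linux.

```shell
#!/bin/sh
# Added example (not from the original article): ordered live collection of
# volatile data with a hashed manifest.  Assumes GNU coreutils on Linux.
set -u

# Artifacts, most volatile first: <file name>|<command>.  Register, cache and
# full memory contents need a dedicated memory acquisition tool and are not
# collected here; everything below comes from /proc.
ARTIFACTS='
01_clock_and_uptime|date -u; cat /proc/uptime
02_process_table|for p in /proc/[0-9]*; do printf "%s " "${p#/proc/}"; tr "\0" " " < "$p/cmdline"; echo; done
03_network_sockets|cat /proc/net/tcp /proc/net/udp
04_routing_table|cat /proc/net/route
05_arp_cache|cat /proc/net/arp
06_kernel_stats|cat /proc/loadavg /proc/meminfo /proc/stat
07_mounted_filesystems|cat /proc/mounts
'

# Run every artifact command in order, saving output to OUTDIR/<name>.txt and
# appending "<sha256>  <name>.txt" to OUTDIR/MANIFEST.sha256 immediately, so
# each artifact is hashed as soon as it exists.  Prints the artifact count.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    : > "$outdir/MANIFEST.sha256"
    printf '%s\n' "$ARTIFACTS" | grep -v '^$' | while IFS='|' read -r name cmd; do
        # stderr is captured too: a permission error is itself a finding
        sh -c "$cmd" < /dev/null > "$outdir/$name.txt" 2>&1
        ( cd "$outdir" && sha256sum "$name.txt" >> MANIFEST.sha256 )
    done
    grep -c . "$outdir/MANIFEST.sha256"
}

# Verify a collected set against its manifest: exit 0 only if every file
# still hashes to the value recorded at collection time.
verify_volatile() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 > /dev/null 2>&1 )
}

# Demo: collect into a fresh directory (pass a path on external media in use).
outdir=${1:-"$(mktemp -d)/volatile-$(date -u +%Y%m%dT%H%M%SZ)"}
echo "collected $(collect_volatile "$outdir") artifacts into $outdir"
```

The manifest lists artifacts in collection order, which doubles as a record of what was gathered when; verify_volatile should be run when the evidence is handed over and again before analysis, since any edit to a collected file breaks its recorded hash.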

Data acquisition in the private sector

Incident response in the private sector also comprises specific practices that must be observed for sound data acquisition and to contain, examine, and/or mitigate the incident. There are two basic approaches to data acquisition during a cybercrime, and which one an organization favours varies from one organization to another. These approaches are not restricted to the private sector.

The first approach is rapid recovery. Here the priority is not the collection or preservation of data but containing the incident quickly to limit damage and cost; immediate incident response and recovery come first. The trade-off is that critical digital evidence can be overlooked or destroyed, for example by rebooting or reimaging a compromised host before its volatile state is captured.

The second approach is to gather digital forensic evidence and information about the incident first. Here the forensic professional observes the incident closely and concentrates on using the available forensic tools to collect evidence and clues. Since the primary objective is to preserve evidence, containment and recovery of the affected systems are often delayed.

What is the correct order of processing evidence and analysis of a crime scene?

With the increase in mobile users and internet dependency, computers and networks are typically the targets of cyberattacks. While there have been efforts to develop a process model for processing and analyzing evidence at a cybercrime scene, there is yet to be a universally accepted methodology.

This may be due to the varying environments in which these incidents are handled, including law enforcement, national agencies, and corporate incident response. In every case, however, the investigator must first assess and secure the crime scene, seize and document the critical evidence, and then prepare to begin a detailed investigation.

How is a digital forensic investigation conducted?

The aim of a digital forensic investigation is to recover information from the evidence seized during a cybercrime investigation. Forensic IT investigators use a systematic process to analyze evidence that could be used to identify and prosecute an intruder in a court of law. A forensic investigation can include all or some of the following steps:

  • Preparation: The digital forensics analyst must develop and follow documented procedures and guidelines for all activities connected with computer forensic investigations.
  • Identification: Primary information about the security incident is identified before any digital evidence is collected. The analyst attempts to answer the what, where, when, who, why, and how of the incident.
  • Collection and preservation: A search is conducted to acquire the relevant digital evidence, and each item is marked as an exhibit. The crime scene encompasses all the digital evidence, servers, systems, and devices involved, not just the physical location of the crime. The output of this step is the type of crime, the sources of evidence, the devices and media seized, and the timeline of events.
  • Examination and analysis: This covers the examination, analysis, and interpretation of the evidence. The investigator determines how the data was produced, extracts hidden data, matches patterns, and transforms the data into a more manageable form and size for investigation.
  • Presentation and reporting: All information gathered during analysis is presented in a written case report. The investigator interprets the statistical data from the analysis, demonstrates the validity of the hypothesis, defends it against criticism and challenges, and communicates the relevance of the findings to the audience.
  • Disseminating the case: This is the final stage of the investigation. The investigator ensures that digital and physical property is returned to its rightful owners, reviews the investigation to identify areas for improvement, shares the information gained, preserves the knowledge acquired, and closes the investigation.
