We’ve divided the computer forensic examination process into six stages, presented in their usual chronological order.
Forensic readiness is an important and occasionally overlooked stage in the examination process. In commercial computer forensics it can include educating clients about system preparedness; for example, forensic examinations will provide stronger evidence if a device’s auditing features have been activated prior to any incident occurring.
For the forensic examiner themself, readiness will include appropriate training, regular testing and verification of their software and equipment, familiarity with legislation, dealing with unexpected issues (e.g., what to do if indecent images of children are found during a commercial job) and ensuring that the on-site acquisition (data extraction) kit is complete and in working order.
The evaluation stage includes the receiving of instructions, the clarification of those instructions if unclear or ambiguous, risk analysis and the allocation of roles and resources. Risk analysis for law enforcement may include an assessment of the likelihood of physical threat on entering a suspect’s property and how best to counter it.
Commercial organisations also need to be aware of health and safety issues, conflict of interest issues and of possible risks – financial and to their reputation – on accepting a particular project.
The main part of the collection stage, acquisition, has been introduced above.
If acquisition is to be carried out on-site rather than in a computer forensic laboratory, then this stage would include identifying and securing devices which may store evidence and documenting the scene. Interviews or meetings with personnel who may hold information relevant to the examination (which could include the end users of the computer, and the manager and person responsible for providing computer services, such as an IT administrator) would usually be carried out at this stage.
The collection stage also involves the labelling and bagging of evidential items from the site, to be sealed in numbered tamper-evident bags. Consideration should be given to securely and safely transporting the material to the examiner’s laboratory.
Analysis depends on the specifics of each job. The examiner usually provides feedback to the client during analysis and from this dialogue the analysis may take a different path or be narrowed to specific areas. Analysis must be accurate, thorough, impartial, recorded, repeatable and completed within the time-scales available and resources allocated.
There are myriad tools available for computer forensics analysis. It is our opinion that the examiner should use any tool they feel comfortable with as long as they can justify their choice. The main requirement of a computer forensic tool is that it does what it is meant to do, and the only way for examiners to be sure of this is to regularly test and calibrate the tools they rely on before analysis takes place.
Dual-tool verification can confirm result integrity during analysis (if with tool ‘A’ the examiner finds artefact ‘X’ at location ‘Y’, then tool ‘B’ should replicate these results).
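The dual-tool check described above can be automated once both tools have exported their findings. The following is an added example, not part of the original text: the two export formats, their column names and the 512-byte sector size are assumptions, and the sample rows are constructed.

```python
import csv
import hashlib
import io

SECTOR_SIZE = 512  # assumption: tool A reports locations in 512-byte sectors

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample exports (not real tool output). The hypothetical tools
# differ in delimiter, column names, offset units and hash letter case.
TOOL_A_EXPORT = (
    "sector,sha256,name\n"
    f"2048,{sha256_hex(b'invoice')},invoice.docx\n"
    f"4096,{sha256_hex(b'chat-v1')},chat.db\n"
    f"8192,{sha256_hex(b'photo')},photo.jpg\n"
)
TOOL_B_EXPORT = (
    "byte_offset;hash;file\n"
    f"1048576;{sha256_hex(b'invoice').upper()};invoice.docx\n"
    f"2097152;{sha256_hex(b'chat-v2')};chat.db\n"
    f"16777216;{sha256_hex(b'notes')};notes.txt\n"
)

def load(export, delimiter, offset_col, hash_col, unit):
    """Return {byte_offset: lowercase_sha256} for one tool's export."""
    rows = csv.DictReader(io.StringIO(export), delimiter=delimiter)
    return {int(r[offset_col]) * unit: r[hash_col].strip().lower() for r in rows}

def cross_verify(a, b):
    """Classify every location (Y) by whether both tools agree on the artefact (X)."""
    report = {"confirmed": [], "conflict": [], "only_a": [], "only_b": []}
    for offset in sorted(a.keys() | b.keys()):
        if offset not in b:
            report["only_a"].append(offset)      # tool B did not replicate
        elif offset not in a:
            report["only_b"].append(offset)      # tool A did not replicate
        elif a[offset] == b[offset]:
            report["confirmed"].append(offset)   # same artefact, same location
        else:
            report["conflict"].append(offset)    # same location, different content
    return report

def run_example():
    a = load(TOOL_A_EXPORT, ",", "sector", "sha256", SECTOR_SIZE)
    b = load(TOOL_B_EXPORT, ";", "byte_offset", "hash", 1)
    return cross_verify(a, b)

if __name__ == "__main__":
    print(run_example())
```

Only the `confirmed` entries have been replicated by both tools; anything listed under `conflict`, `only_a` or `only_b` needs to be explained and recorded before it is relied on in the report.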
This stage usually involves the examiner producing a structured report on their findings, addressing the points in the initial instructions along with any subsequent instructions. It would also cover any other information which the examiner deems relevant to the investigation.
The report must be written with the end reader in mind; in many cases the reader will be non-technical, and so reader-appropriate terminology should be used. The examiner should also be prepared to participate in meetings or telephone conferences to discuss and elaborate on the report.
As with the readiness stage, the review stage is often overlooked or disregarded. This may be due to the perceived costs of doing work that is not billable, or the need ‘to get on with the next job’.
However, a review stage incorporated into each examination can help save money and raise the level of quality by making future examinations more efficient and time effective.
A review of an examination can be simple and quick, and can begin during any of the above stages. It may include a basic analysis of what went wrong, what went well, and how the learning from this can be incorporated into future examinations. Feedback from the instructing party should also be sought.
Any lessons learnt from this stage should be applied to the next examination and fed into the readiness stage.