Digital Forensics Phases (2) Flashcards
There are five phases in the digital forensics process. List them, and explain what their key activities are.
Identification:
The task of detecting, recognizing, and determining the incident or crime to investigate: verification of the event, incident or crime, and identification of data objects of relevance. It is the first step in the forensic process. The identification process mainly covers what evidence is present, where it is stored, and lastly, how it is stored (in which format).
Electronic storage media can be personal computers, mobile phones, PDAs, etc.
Collection:
Collection of data from digital devices to make a digital copy using forensically sound methods and techniques.
Examination:
Preparation and extraction of potential digital evidence from collected data sources.
Analysis:
The processing of information that addresses the objective of the investigation with the purpose of determining the facts about an event, the significance of the evidence, and the person(s) responsible. Use of scientific methods to determine the facts about an incident or crime (if any), by developing a hypothesis that accounts for the available evidence. It might take numerous iterations of examination to support a specific crime theory.
Presentation:
The process by which the examiner shares results from the analysis phase in the form of reports to the interested party or parties. Legally required documentation and formal presentation of the hypothesis together with the evidence supporting it.
What is a first responder?
The first responder is the first investigator to get to the scene of the event. The main tasks of the first responder are to control the environment and start applying standard operating procedures (SOPs) for structured evidence identification activities. One example of such an activity is documentation that maintains the chain of custody and evidence integrity. Ensuring that the first responder understands how to conduct themselves is critical for the remainder of the investigation, since unwarranted tampering with devices may ruin critical evidence. Forensic readiness is essential for ensuring proper first responder conduct.
What are the 5WH questions and why are they helpful for investigators looking to construct a hypothesis?
The 5WH are:
- Who committed the crime?
- Why was the crime committed? (git commit -m “”)
- How was the crime committed?
- Where may potential collaborators be?
- When was the crime committed?
These simple questions let investigators examine important aspects such as motives, likely suspects, and potential sources of evidence, which aid in the formulation of an early-stage hypothesis.
What are the key objectives for the identification phase?
The essentials of the identification phase are to understand the incident, build a hypothesis, and identify potential evidence. In short, the purpose of the identification phase is to lay the foundation for the remainder of the investigation.
What are the key objectives and challenges for the collection phase?
The collection phase is concerned with gathering data from devices that may be valuable as evidence. Making copies of main memory and disks (images) is usually how data is collected. When retrieving data from the devices, it is essential that the collection is carried out in a manner which does not alter the original data itself (evidence integrity). Some essential steps may require the investigators to affect the system in small ways (especially applicable for main memory). If so, all actions performed on the data must be thoroughly documented (chain of custody).
What are the key objectives and challenges for the examination phase?
In its essence, the examination phase consists of making sense of the raw data extracted in the collection phase. Key techniques are parsing, reconstructing deleted files, and preprocessing of the raw data. To facilitate this phase, analysts usually employ several tools to extract the relevant information. The most important challenge in the examination phase is the amount of data collected and in need of examination. Investigators typically work on a packed schedule and cannot closely inspect all data collected. Consequently, they must prioritize.
What is typically the first step in filtering out files irrelevant to the investigation?
The filtering of irrelevant files from raw data (when inspecting a disk image) can be accomplished with the aid of databases containing cryptographic hash values for known files. This allows investigators to ignore OS and application files of little importance and put more effort into files more likely to contain valuable information.
What are the key objectives and challenges for the analysis phase?
During the analysis, investigators inspect the extracted material to determine what to use as digital evidence for proving or refuting the hypothesis. As the hypothesis tends to be quite crude after the identification phase, it is often altered as more information is obtained. The newly formed hypothesis may require more or different evidence. Thus, the collection, examination, and analysis phases may repeat several times over during an investigation.
What are some of the techniques used for identifying information that may be used as evidence?
The process of establishing what information is to be considered as evidence uses several techniques. Statistical analysis of the data, manual analysis, understanding the protocols and formats used, data mining for linking objects together, and timelining are some of the more important techniques used during the analysis phase.
What are the key objectives and challenges for the presentation phase?
The final phase in the digital forensics process is the presentation of the findings and conclusions from the conducted investigation. All findings must be summarized, and all steps in the investigation must be accounted for and explained in a manner understandable to the target audience. The presentation of the results must be carried out properly, since this is what informs the audience about your findings. With improper documentation the message may not be carried across, rendering the entire investigation worthless.