Digital forensics is the application of scientifically derived and proven methods to the collection, validation, and analysis of digital evidence derived from digital sources (Song & Carroll, 2017). Its purpose is to facilitate or further the reconstruction of events found to be criminal. In forensic analysis, specific scientifically proven methods are followed. The methodology is five steps which include preparation, extraction, identification, and analysis (Song & Carroll, 2017).
Preparation and Extraction
The people who lead forensic examinations are called examiners, and their first role in the examination is preparation (Song & Carroll, 2017). Preparation involves ensuring there is sufficient data to proceed with the investigation. Examiners always clarify the lead question and ensure there is enough data to answer it. The first stage of the preparation phase therefore involves validating all hardware and software needed to support the search. They also ensure that these elements work as expected so that they do not hinder extraction in the later stages. It is highly recommended that organizations validate hardware and software after purchase, and after any change such as an update, patch or reconfiguration.
Once the forensic apparatus is ready, the investigator duplicates the data and validates its authenticity. That happens after the examiners have satisfied the necessary legal requirements. After verification and confirmation of data integrity, plans are made to extract the data. The first step in extraction is refining the request into questions that can be readily answered and for which the probability of obtaining answers is realistic. These questions are added to the lead search list, which helps the examiners focus on the specifics. For example, if the examiners are investigating financial fraud, the lead search question can be ‘search for irregular financial transactions.’ The lead search list can contain multiple questions, and as the examiners extract data and encounter new possible evidence, they can reframe the questions and add them to the list.
Identification
This is the process of going through the extracted data. The first step is to determine what kind of data item has been extracted. If the examiners find an item that is not relevant to their search, they mark it as processed and proceed. In some cases, however, they may come across incriminating data that falls outside their original search list. In that case, they are advised to stop the process immediately and notify the requester of the findings, after which the examiner waits for further instructions. For example, if the examiners are investigating a case of financial fraud and come across terror-related information, they must stop immediately and inform the requester. Where the search was conducted under a warrant, the examiner will need to seek another warrant to investigate the new leads. That happens every time the examiner learns of anything criminal that is outside the scope of the original issue. Where the identified data is consistent with the investigation, the examiners record it in the relevant data list. They continue this for every relevant search lead. However, they may encounter new, related incriminating leads, which they record in a separate list called the new search lead list, to ensure these are investigated exhaustively. It is advisable that investigators return to the extraction phase whenever a new search lead list is produced, to extract the relevant data and repeat the identification process. At this point, the requester is also informed of the findings before the team embarks on their analysis. In some cases, this phase may be sufficient. For instance, if the investigator retrieves a large volume of terror-related information and financial transactions, it may be enough to secure a conviction. Where the findings are insufficient, the examiners move to the next phase, analysis.
Analysis
This is the phase where investigators connect all the logic to the information they found. They try to answer how, where, who, what and other questions concerning the findings in the relevant data list. They try to explain everything with a solid logical connection regarding the involved parties, channels of communication, existence of data and other matters. For example, they can produce a timeline of activities that forms a consistent and coherent story. The investigators then document all the analysis and add it to another list named the analysis results list. From this step, examiners proceed to report their findings, which the requester can use to build a case for prosecution.
Importance of Using Forensic Tools to Collect and Analyze Evidence
One important factor in using forensic tools to collect and analyze evidence is their ability to go through large volumes of data within a short period, analyze them and provide findings (Brecht, 2015). This is done quickly and efficiently. A comparison with conventional collection and analysis of evidence shows that today’s technology-supported tools are efficient, and are the only ones that can meet corporate needs, where there are vast amounts of data needing collection and analysis.
Similarly, tools such as EnCase or FTK Imager are not hampered by language barriers; they can search large volumes of data written in different languages and return exactly what is requested. Today, internet fraud is international, and some of the perpetrators are people in distant countries, communicating or writing code in languages investigators have no knowledge of. Forensic tools therefore bridge a gap that conventional methods of data collection and analysis cannot. Other forensic tools offer full scripting abilities, decryption and other capabilities critical to the collection and analysis of data.
Hashing in the Context of Digital Forensics
Hashing is the science of turning a variable-sized amount of text into a fixed-size output called a hash value (Kumar, Sofat, Aggarwal & Jain, 2017). It has several uses, particularly in verifying data integrity. In digital forensics, hashing is used to check the integrity of evidence disk data. Imaging, the bit-by-bit copying of digital data, is a standard step in digital forensics. The copied image must match the original during extraction. Hashing, owing to its non-invertible property, is used in the copying process to ensure the image is a replica of the original during the analysis phase. In digital forensics, a hash value is created for the full image, which ensures that during extraction the exact same copy is obtained (Kumar, Sofat, Aggarwal & Jain, 2017). It is therefore a necessary component of digital forensics, given that the extracted data must meet specific integrity standards for the results of the investigation to be credible.
Ensuring Evidence Is Not Tampered With
Hashing is one method of encryption which helps in ensuring the evidence is never tampered with, and if it is tampered with, the change will be so conspicuous that it cannot be overlooked (Kumar, Sofat, Aggarwal & Jain, 2017). The encryption employs an algorithmic concept of converting large texts into a fixed-size text, which cannot be converted back to its original form. For instance, if a single letter in a sentence is deleted, the whole fixed text changes and no longer matches the original; the same happens when a single pixel is deleted from an image, and the image becomes something else. In imaging, the hash value is used to produce a fixed text for the image, which cannot be manipulated undetected. The image is later extracted looking exactly like the original and used for analysis.
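The following added example (not from the cited sources) illustrates the image-hashing workflow described in the two paragraphs above: the acquisition hashes are computed from the very bytes written to the image, the copy is then re-hashed and compared, and flipping a single bit anywhere in the image makes every digest mismatch. The 3 MiB "drive" is a constructed in-memory buffer standing in for a physical device.

```python
import hashlib
import io
CHUNK = 1 << 20  # 1 MiB reads, so a multi-GB image never has to fit in RAM
ALGORITHMS = ("md5", "sha256")  # forensic tools commonly record more than one digest

def hash_stream(stream, algorithms=ALGORITHMS):
    """Hash a whole device or image stream in chunks; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def acquire_image(source, destination, algorithms=ALGORITHMS):
    """Copy source bit-for-bit into destination, hashing the very bytes written.
    The returned acquisition hashes are what the examiner records for later checks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    source.seek(0)
    destination.seek(0)
    for block in iter(lambda: source.read(CHUNK), b""):
        destination.write(block)
        for h in hashers.values():
            h.update(block)
    destination.truncate()
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(image, expected):
    """Re-hash the image and compare with the recorded acquisition hashes.
    Returns (ok, mismatching algorithms); ok is True only if every digest agrees."""
    actual = hash_stream(image, tuple(expected))
    mismatches = [name for name in expected if actual[name] != expected[name]]
    return not mismatches, mismatches

def flip_one_bit(image, offset):
    """Simulate tampering: flip a single bit at the given byte offset."""
    image.seek(offset)
    value = image.read(1)[0]
    image.seek(offset)
    image.write(bytes([value ^ 0x01]))

def demo():
    """Image a constructed 3 MiB 'drive', verify the copy, tamper one bit, re-verify."""
    source = io.BytesIO(bytes(range(256)) * 12288)  # constructed sample data, not evidence
    image = io.BytesIO()
    acquisition = acquire_image(source, image)
    intact_ok, _ = verify_image(image, acquisition)
    flip_one_bit(image, 2_000_000)  # one bit deep inside the image
    tampered_ok, failed = verify_image(image, acquisition)
    return intact_ok, tampered_ok, failed
```

`demo()` returns `(True, False, ['md5', 'sha256'])`: the untouched copy verifies, and after the single-bit flip both digests fail, which is the conspicuous change the paragraph above describes.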
Other than hashing, which is the most trusted encryption option, write blockers have also proved effective in protecting digital evidence. A write blocker is a one-way digital valve that allows investigators to access data on a device without the risk of accidentally or intentionally altering it (Stone, 2015). It allows read commands but blocks write commands, which is the source of its name ("Write Blockers," 2017).
These two are the most common methods used to secure digital evidence from tampering; other methods include physically locking the data devices, passcode encryption and denying access to suspicious parties.
Conclusion
The search for digital information follows a systematic approach, which ensures that nothing is left behind. That, however, is the conventional way of doing it. Forensic tools such as FTK Imager and EnCase are developed to collect and analyze data. Unlike human beings, they are far more powerful: they collect large amounts of data in seconds, interpret data in several languages, and even analyze and interpret in real time.
With criminals employing every tactic to hide their activities, efforts by examiners and law enforcement to develop methodologies that ensure collected data is never tampered with have also improved. Some of the common methodologies for securing data against tampering include write blockers and hashing.