Common Digital Investigation (DI) Process Model

1. Preparation

To perform an effective digital investigation, Brandon must first devise a plan of action. The plan includes a methodical approach to the location of the investigation and the evidential items expected there, a strategic protocol for processing and examining the available evidence, and the steps for preserving it.

Information resources are needed first to create this plan. Brandon should start by assessing the scope of the case, taking into account the computers' operating systems and hardware devices, to determine what resources and tools are needed to process and collect evidence. This information can be obtained by reviewing ACE company's inventory databases of computer hardware and software and its configuration management database, which keeps a record of all updates made to the office workstations. Next, a detailed description of the location and the network topology should be understood before heading down to the scene.

This can be done by enquiring with Mr Kenneth Koh and studying the company floor plan. With intelligence about the operating systems and devices present at the location, Brandon needs to predict the size of the storage device on the suspect computer and roughly determine the number of digital devices to be processed at the scene. He also needs to predict what hardware equipment might be involved so that compatible tools can be prepared. Predetermining where potentially relevant evidence may be hidden will make the search more efficient. To better prepare for unusual situations during the investigation, Brandon should consider what will or will not be encountered at the search site. For example, seizing computers and digital devices and taking them back to the forensic lab for further processing will not be feasible, as there is a concern about alerting the subjects of the covert investigation. Brandon may also encounter the complicated situation where evidential files are stored offsite and accessed remotely, such as in cloud storage, which cannot be located physically. Remediation for these situations needs to be pre-planned.

For a covert operation, Brandon would need to prepare for some on-scene processing of digital evidence. He would need to determine the necessary resources, expertise and tools that provide fast data acquisition of digital evidence. Essential equipment to prepare includes: evidence bags and tags for labelling and preserving evidence; Chain of Custody forms to support the integrity of evidence; a digital camera to document what is present at the search site; forensically prepared computers, hard drives and write blockers for acquiring disk images; and lastly a toolkit containing hand tools such as screwdrivers, pliers and a flashlight for dismantling and restoration. Brandon will also have to review all available facts, plans and objectives with the assembled investigation team to better prepare them.

Additional technical expertise may be brought in to cover the team's weaknesses.

2. Survey

From the preparation process, Brandon can use the plan of action devised earlier to survey the search site for sources of digital evidence related to the case. While surveying the scene, the team must ‘Recognise’ all potential sources of digital evidence, finding both expected and unanticipated items. Among this digital evidence, Brandon needs to ‘Distinguish’ by prioritising which digital evidence to preserve based on its relevance, volatility, magnitude of effect and strength. Rational speculation on each discovery and on each absent item will need to be developed too. Beyond the obvious sources of digital evidence, other less significant hardware devices and personal documentation such as a ‘Diary’ and ‘Handwritten notes’ may sometimes provide crucial information that allows Brandon to find patterns and make correlations in the investigation and solve the case. Therefore, a survey of hardware will be done along with the survey of digital evidence at the search site.
3. Preservation

Different situations call for different preservation procedures for digital evidence. Since the case is a covert operation, Brandon's team will need to perform on-site data acquisition. Depending on the state of the suspect's computer and work devices, the team will have to use professional judgement to acquire and preserve the evidence in its current state while maintaining data integrity. If the computer is off, leave it off and proceed with static acquisition. If it is on, Brandon will have to determine the best investigative method and perform live acquisition. To preserve the disk data, Brandon will make the suspect drive read-only with a write-blocker device before acquiring data directly from it, then create a bitstream image of the suspect drive with disk-imaging software and store it on a large hard drive.

Two different hashing algorithms will be used to calculate hash values of the original evidence. On finishing the imaging process, Brandon will produce a digital hash of the image file with the same hashing algorithms used previously and verify the hash values against the originals. If the hash values are identical, the integrity of the digital evidence is shown to be unchanged. The investigation team should never work with the golden copy, so duplicate copies of the image evidence will be made for examination and analysis. Lastly, the golden copy will be stored in an evidence locker with an evidence custody form for preservation.

4. Examination and Analysis

To facilitate the analysis stage, Brandon's team will first employ the three levels of forensic examination (Triage Forensic Inspection, Preliminary Forensic Examination and In-Depth Forensic Examination) to prepare the digital evidence. They will need to determine which items contain the most useful evidence and require additional processing.
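The imaging and two-algorithm hash verification described under Preservation above, as an added Python example that is not part of the original assignment; the drive is constructed bytes held in memory, and the choice of SHA-256 and SHA-1 as the two algorithms is an assumption.

```python
# Added example, not part of the original assignment: the imaging and
# dual-hash verification of the Preservation stage, run on constructed bytes
# in memory instead of a write-blocked physical drive.
import hashlib
import io

ALGORITHMS = ("sha256", "sha1")  # assumption: the two algorithms the team chooses

def hash_stream(stream, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a binary stream with every algorithm in one chunked pass,
    so a large image never has to be held in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def acquire_image(source, image, chunk_size=1 << 20):
    """Bit-stream copy of the source into the image file (stand-in for the
    disk-imaging software); the source is only read, never written."""
    source.seek(0)
    for chunk in iter(lambda: source.read(chunk_size), b""):
        image.write(chunk)

def verify_image(source, image, algorithms=ALGORITHMS):
    """Hash original and image with the same algorithms; return (ok, report).
    ok is True only when every algorithm agrees, i.e. the evidence is unchanged."""
    original = hash_stream(source, algorithms)
    copy = hash_stream(image, algorithms)
    report = {n: (original[n], copy[n], original[n] == copy[n]) for n in algorithms}
    return all(match for _, _, match in report.values()), report

# Constructed sample evidence: a 3 MiB pseudo-drive.
SAMPLE_DRIVE = bytes(range(256)) * (3 * 4096)

def demo(tamper=False):
    """Image the sample drive and verify it; with tamper=True one byte of the
    image is flipped to show that both hashes expose the change."""
    source = io.BytesIO(SAMPLE_DRIVE)
    image = io.BytesIO()
    acquire_image(source, image)
    if tamper:
        data = bytearray(image.getvalue())
        data[1234] ^= 0x01
        image = io.BytesIO(bytes(data))
    return verify_image(source, image)
```

The report keeps both digests for the custody record; a single disagreeing algorithm is enough to reject the image.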
From there, the identified items will be examined to provide the investigators with information for analysis. For an efficient and thorough examination, careful filtering and data reduction will be done, such as eliminating irrelevant valid system files and focusing on files containing user-created data within a restricted time frame. In this case, since the suspects are suspected of downloading questionable pictures from the internet, Brandon may selectively extract certain file types such as JPEG, PNG and GIF.
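The selective extraction of JPEG, PNG and GIF files within a restricted time frame, as an added Python example that is not part of the original assignment; the sample files are constructed in a temporary directory, and pictures are identified by their signature bytes so that a renamed extension is not trusted.

```python
# Added example (not from the original assignment): examination-stage data reduction
# keeping only JPEG/PNG/GIF files by signature, not extension, inside the time window.
import os
import tempfile

SIGNATURES = {"jpeg": (b"\xff\xd8\xff",), "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a")}

def sniff_image_type(path):
    """Return 'jpeg', 'png' or 'gif' from the header bytes, or None otherwise."""
    with open(path, "rb") as f:
        head = f.read(8)
    for kind, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return kind
    return None

def select_images(root, start, end):
    """Sorted (path, kind, mtime) of pictures modified within [start, end] (epoch s)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            if start <= mtime <= end:
                kind = sniff_image_type(path)
                if kind:
                    hits.append((path, kind, mtime))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample files; returns the epoch base used for their mtimes."""
    base = 1_700_000_000
    files = {
        "photo1.jpg": (b"\xff\xd8\xff\xe0" + b"\0" * 16, base + 10),
        "notes.txt": (b"\x89PNG\r\n\x1a\n" + b"\0" * 16, base + 20),  # PNG renamed
        "fake.png": (b"just text, not a picture", base + 30),         # lying extension
        "old.gif": (b"GIF89a" + b"\0" * 16, base - 30 * 86400),       # outside window
    }
    for name, (data, mtime) in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))
    return base

def demo():
    """Build the sample tree; return [(filename, kind)] hit in a one-hour window."""
    with tempfile.TemporaryDirectory() as root:
        base = build_sample_tree(root)
        hits = select_images(root, base, base + 3600)
        return [(os.path.basename(p), k) for p, k, _ in hits]
```

Only the real JPEG and the PNG hiding behind a .txt name survive the filter; the mislabelled .png and the GIF outside the window are dropped.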
When examining a piece of digital evidence, Brandon will have to address questions of identification, classification/individualisation characteristics and evaluation of source, as this helps document the evidence-handling process that may have to be produced in court. The team may also need to perform evidence recovery by traversing the hex dump of the data to reconstitute fragments of a deleted file into a state close to the original. Encrypted data will require them to obtain the passphrase through trial-and-error methods such as brute force; the passphrase may also be obtained by searching the surroundings for slips of paper or through covert monitoring.

Information obtained from the examination will aid the investigation team in conducting interviews and developing leads during forensic analysis. Brandon will have to perform functional analysis to review and study the identified digital evidence and understand the meaning of the readable data, gaining insight into the suspect's intent and motives. Following that, relational analysis will be done to establish links between the suspect and the crime scene, along with verifying the source of items to reaffirm the offender. Lastly, to establish the time and sequence of events, temporal analysis will help Brandon identify patterns and gaps as he reconstructs the events relating to the incident by creating a timeline.

As a result, Brandon will be able to ascertain the claims.

5. Presentation

Brandon will need to present his findings in a report. The report shall provide a transparent view of the investigative process, containing the important details from each step above in the structure: Introduction, Evidence Summary, Examination Summary, File System Examination, Analysis, Conclusions, Glossary of Terms and Appendix of Supporting Exhibits. In the report, Brandon will have to explain each conclusion through a thorough description of the supporting evidence and analysis. He will need to convey his objectivity regarding the theories used and those eliminated, to give a rationalised explanation of how he derived his conclusions.
Lastly, the technical terms used in the report will be explained in an understandable narrative for ease of discussion with ACE's director about further steps to be taken.

Forensic Tools for Analysis

For accuracy in terms of data integrity and the credibility of evidence, Brandon will use more than one tool to analyse the forensic image. As each forensic tool has its own weaknesses, using two different tools acts as a countercheck that covers the weaknesses of each tool.

This countercheck ensures that the evidence acquired gives the same result with either tool and verifies that the integrity of the evidence matches between them. By doing so, the credibility and weight of the evidence are enhanced. Autopsy and Forensic Toolkit (FTK) will be used for examination and analysis of the forensic image. Autopsy is an easy-to-use, fast GUI-based program that allows one to efficiently analyse disk images in raw or E01 format, local drives, or a folder of local files. Autopsy offers robust file system analysis for various common file systems, including NTFS, FAT12/16/32, Ext2/3/4 and ISO9660 (CD-ROM). FTK is an investigation solution known for its intuitive interface, email analysis, customisable data views, processing speed and stability.

It can quickly locate evidence and forensically collect and analyse any digital device that transmits or stores data. Like Autopsy, it is capable of showing details about deleted data and file system structures. (Refer to Table 1)

Singapore Law regarding misuse of Wireless Connections

The Computer Misuse and Cybersecurity Act, Section 6, addresses the use or misuse of wireless connections.
Section 6 (1a) and (1c) state that any person who secures access without authority to any computer, or uses or causes a computer to be used for obtaining, directly or indirectly, any computer service, shall be guilty of an offence. In this case, the suspect is seen to be involved in piggybacking. Piggybacking occurs when someone uses an existing computer service to his or her own advantage. The suspect was suspected of abusing the company's computer and wireless connection for personal gain, therefore violating this law.

If the suspect is found guilty, he or she is liable to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both and, in the case of a second or subsequent conviction, a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both. An example of piggybacking in Singapore is the case of Mr Lin Zhenghuang. On 4 January 2007, Mr Lin Zhenghuang was charged with using his neighbour's unsecured wireless network to post a bomb hoax online. Lin pleaded guilty and was sentenced to three months' jail and a $4,000 fine.

Tools for tracking or discovering Internet Access

One of the tools for tracking or discovering Internet access through Internet Explorer is Magnet Forensics Internet Evidence Finder (MAGNET IEF). IEF can search for over a hundred types of digital forensic artefacts found in allocated and unallocated space on computers, extracting data from fragmented files that are not sequential or are partly missing. Using this, Brandon can recover Internet, Business Applications and OS artefacts from Windows and Mac computers. Internet artefacts include ‘Browser Activity’, ‘Web Search and Search Toolbars’, ‘Media Files’, ‘Webmail’ and ‘Cloud Drives’.
Business Applications and OS artefacts include ‘Corporate Email’, ‘Documents’ and ‘Windows OS’. From here, Brandon can use the IEF Report Viewer for initial review and analysis of all the recovered digital evidence related to the case. (Refer to Table 2 for examples)

Digital evidence such as browser activity from Internet Explorer, search engine activity from applications like Google and Cloud Drive activity from applications like Dropbox will aid Brandon in discovering the suspect's Internet access usage on his or her computer. Another tool that can be used is Forensic Toolkit. With its built-in Internet keyword search option, Brandon can extract all web page URLs and other information associated with the allegation from the disk drive examination. With this information recovered from the forensic analysis, Brandon can match the URL data against the company network server log to determine whether there was a breach of company policy in which inappropriate data was downloaded to the computer, and whether it was through the company's intranet connection to the Internet.
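Matching recovered URL artefacts against the company server log as described above, as an added Python example that is not part of the original assignment; the workstation address, the recovered URLs and the proxy log format are all constructed assumptions, not values from the case.

```python
# Added example (not from the original assignment): corroborating URLs recovered from
# the workstation image against the company proxy log, to show which picture downloads
# went through the corporate connection. IP, URLs and log lines are all constructed.
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WORKSTATION_IP = "10.0.5.23"  # assumption: the suspect workstation's address
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")

# Constructed artefacts recovered from the disk image: (visit time UTC, URL)
RECOVERED = [
    ("2024-03-05T09:14:20Z", "http://pics.example.invalid/gallery/img01.jpg"),
    ("2024-03-05T09:15:02Z", "http://PICS.example.invalid/gallery/img02.png"),
    ("2024-03-05T12:40:11Z", "http://news.example.invalid/today.html"),
    ("2024-03-05T21:03:45Z", "http://pics.example.invalid/gallery/img09.gif"),
]

# Constructed proxy log lines: time client method url status bytes
PROXY_LOG = """\
2024-03-05T09:14:22Z 10.0.5.23 GET http://pics.example.invalid/gallery/img01.jpg 200 48213
2024-03-05T09:15:03Z 10.0.5.23 GET http://pics.example.invalid/gallery/img02.png 200 90112
2024-03-05T09:15:05Z 10.0.5.77 GET http://pics.example.invalid/gallery/img02.png 200 90112
2024-03-05T12:40:12Z 10.0.5.23 GET http://news.example.invalid/today.html 200 12000
"""

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def normalise(url):
    """Compare URLs by lower-cased host and path only (query strings vary)."""
    parts = urlsplit(url)
    return parts.netloc.lower(), parts.path

def parse_log(text):
    """Parse 'time client method url status bytes' lines into tuples."""
    return [(parse_ts(t), c, u, int(s)) for t, c, _m, u, s, _b in map(str.split, text.splitlines())]

def correlate(artefacts, log_text, client_ip, window=timedelta(seconds=10)):
    """For each recovered picture URL, report whether the proxy log shows the
    suspect workstation fetching it successfully within `window` of the visit."""
    entries = parse_log(log_text)
    verdict = {}
    for ts_text, url in artefacts:
        if not normalise(url)[1].lower().endswith(IMAGE_EXT):
            continue  # only the picture downloads are relevant to the allegation
        visit = parse_ts(ts_text)
        seen = any(client == client_ip and status == 200 and normalise(u) == normalise(url)
                   and abs(when - visit) <= window for when, client, u, status in entries)
        verdict[url] = "via company proxy" if seen else "no proxy record"
    return verdict
```

A picture with no proxy record was either fetched outside the company connection or the log is incomplete; either way it needs a separate explanation in the report.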