What Is Digital Forensics?
One of the most common remarks I hear from Clients and their attorneys is, "I'm not very computer savvy." At the beginning of almost every court testimony I am asked to describe what a Digital Forensics Analyst does. This post is intended to answer the question, 'What is Digital Forensics,' and provide an explanation of what an Analyst does.
A common definition for Digital Forensics is the branch of forensic science focused on the identification, acquisition, processing, analysis and reporting on data stored in any electronic device in a manner which makes introduction of the data and analysis admissible in a court of law. Originally, the term Computer Forensics was commonly used, but the current term Digital Forensics is more expansive to encompass mobile phones, tablets, USB drives, media cards, and online cloud storage. The remainder of this post will expound on each of the phases in Digital Forensics.
The identification phase of Digital Forensics is simply the documentation of the make, model, serial number, and condition of each device analyzed. This phase would include the identification of any attached components of the device and whether the device was visually damaged. Where possible, photographs of the device would also be included. The primary purpose of the identification phase is to confirm whether the device analyzed was the correct device involved in the investigation.
The acquisition phase includes the creation of an exact copy of the data from the device. Unless special circumstances arise, analysis is never performed on the original device. Using the exact copy in the processing and analysis phases of Digital Forensics reduces the possibility of unintentional alteration of the original data. Many analysts will obtain two exact copies of the device data, with one copy designated as the Master Copy and the second copy designated as the Working Copy. The Master Copy is maintained in an evidence storage vault or locker while the Working Copy is used to perform the processing and analysis. The use of the Working Copy further protects the Master Copy in the event any unintentional alteration or failure occurs with the Working Copy. The acquisition phase, where possible, will employ the use of write-blockers on the original evidence. Write-blockers can be either hardware-based or software-based. These write-blockers ensure that data can be read from the original device, but that no data can be written to the device. Write-blockers are used to ensure the original data remains unaltered. Successful acquisition also includes verification that the data acquired is an exact duplicate of the original data. This verification is performed using mathematical algorithms (cryptographic hash functions) to ensure the copy is an exact match. Some common algorithms used in Digital Forensics include MD5, SHA1, and SHA256.
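The acquisition and verification workflow described above, as an added Python example (not code from the original post): one pass over a constructed stand-in for the device writes both the Master Copy and the Working Copy while computing the MD5, SHA1 and SHA256 digests of the original, and each copy is then re-hashed and compared. The file names, the in-memory sample device and the deliberate one-byte alteration of the Working Copy are all constructed for the example; a real acquisition would read the device through a write-blocker.

```python
import hashlib
import os
import shutil
import tempfile

# The three algorithms named in the post. Reading in chunks keeps memory flat for large images.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1024 * 1024


def hash_bytes(data):
    """Digests of an in-memory byte string (small artifacts, self-checks)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path):
    """Return {algorithm: hexdigest} for a file, reading it in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(device_path, master_path, working_path):
    """Read the evidence once, write Master and Working copies, return the original's digests.

    A single read of the original keeps handling of the evidence to a minimum; the
    returned digests are the reference every later verification is checked against.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(device_path, "rb") as src, \
            open(master_path, "wb") as master, \
            open(working_path, "wb") as working:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
            master.write(chunk)
            working.write(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(expected, path):
    """True only if every algorithm's digest of `path` matches the recorded digests."""
    actual = hash_file(path)
    return all(actual[name] == expected[name] for name in ALGORITHMS)


def demo():
    """Run the workflow on a constructed 'device' file and report each verification result."""
    workdir = tempfile.mkdtemp(prefix="dfir_demo_")
    device = os.path.join(workdir, "device.bin")       # constructed stand-in for the evidence
    master = os.path.join(workdir, "master.dd")        # hypothetical file names
    working = os.path.join(workdir, "working.dd")
    # Constructed device contents: 1 MiB of a repeating pattern standing in for a disk image
    with open(device, "wb") as fh:
        fh.write(b"SAMPLE-EVIDENCE-" * 65536)
    original = acquire(device, master, working)
    master_ok = verify(original, master)
    working_ok = verify(original, working)
    # Simulate the unintentional alteration the post warns about: one byte changed in the Working Copy
    with open(working, "r+b") as fh:
        fh.seek(100)
        fh.write(b"X")
    working_ok_after = verify(original, working)
    shutil.rmtree(workdir)
    return {
        "master_ok": master_ok,
        "working_ok": working_ok,
        "working_ok_after_alteration": working_ok_after,
        "sha256": original["sha256"],
    }


if __name__ == "__main__":
    print(demo())
```

Checking all three digests rather than one is a cheap way to make a verification report robust: MD5 and SHA1 are no longer collision resistant, but a copy that matches the original on SHA256 as well leaves no practical doubt that the bytes are identical. The same routine is what detects that the Working Copy in the demo no longer matches after its single-byte change.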
The processing phase includes the analyst's use of digital forensic software application(s) to categorize the data acquired from the device. Analysts will use industry-recognized software applications which have been tested and confirmed to perform as expected. An analyst may often use two or more software applications to process the data acquired from a device. The use of multiple software applications allows the analyst to compare and confirm that the processing of the data is accurate. Files on the device may be categorized as pictures, videos, text messages, emails, documents, etc. In addition to categorizing the files acquired from the device, processing also will identify and extract metadata about each file. Metadata is simply data about data and would include things like the creation date and time of the file, the last modification date and time of the file, the owner of the file, etc. Some files contain a special set of metadata embedded in the file itself; Microsoft Office files and picture files are examples. Special metadata in picture files can include the model of the camera used to take the picture, and geolocation (latitude and longitude) data for where the picture was taken. Data processing allows an analyst to focus on specific data types which may be relevant to the investigation, and to exclude categories which may not be relevant. For example, an investigation focused on text messages would allow the analyst to largely ignore Internet history data. Processing also may include the building of an index of all the words contained within the acquired data. The index could then be used to search for keywords which may be relevant to the investigation. Data processing allows the analyst to focus on and prioritize relevant data categories while reducing the review of less relevant data on the device.
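A small illustration of the processing steps just described, added here as an example and not taken from the post or from any forensic suite: it categorizes files, pulls filesystem metadata for each, builds a word index over the text-bearing files and answers keyword searches from that index. The extension-to-category table, the sample files and their contents are constructed for the example; production tools identify file types by signature rather than by name and parse many more formats.

```python
import os
import re
import shutil
import tempfile
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed mapping for the example; real suites classify by file signature, not extension.
CATEGORIES = {
    ".jpg": "pictures", ".jpeg": "pictures", ".png": "pictures",
    ".mp4": "videos", ".mov": "videos",
    ".eml": "emails", ".msg": "emails",
    ".docx": "documents", ".pdf": "documents", ".txt": "documents",
}
# Only these are plain text, so only they feed the word index here.
TEXT_EXTENSIONS = {".txt", ".eml"}
WORD = re.compile(r"[A-Za-z0-9']+")


def categorize(path):
    return CATEGORIES.get(os.path.splitext(path)[1].lower(), "other")


def file_metadata(path):
    """Filesystem metadata: the 'data about data' the post refers to."""
    st = os.stat(path)
    return {
        "name": os.path.basename(path),
        "category": categorize(path),
        "size": st.st_size,
        "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "owner_uid": st.st_uid,
    }


def build_index(paths):
    """Inverted index: lowercase word -> set of file names containing that word."""
    index = defaultdict(set)
    for path in paths:
        if os.path.splitext(path)[1].lower() not in TEXT_EXTENSIONS:
            continue
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for word in WORD.findall(fh.read()):
                index[word.lower()].add(os.path.basename(path))
    return index


def search(index, keyword):
    """Case-insensitive keyword lookup; returns the sorted list of matching file names."""
    return sorted(index.get(keyword.lower(), set()))


def demo():
    """Process a constructed set of files and return what an analyst would look at first."""
    workdir = tempfile.mkdtemp(prefix="dfir_proc_")
    samples = {  # constructed sample files
        "memo.txt": b"Please transfer the customer list to the new server before Friday.",
        "reply.eml": b"Subject: Re: transfer\n\nDone, the list is on the USB drive.",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 100,
        "clip.mp4": b"\x00" * 50,
    }
    paths = []
    for name, content in samples.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    by_category = Counter(categorize(p) for p in paths)
    index = build_index(paths)
    photo_meta = file_metadata(os.path.join(workdir, "photo.jpg"))
    result = {
        "by_category": dict(by_category),
        "transfer_hits": search(index, "transfer"),
        "usb_hits": search(index, "USB"),
        "photo_size": photo_meta["size"],
        "photo_category": photo_meta["category"],
    }
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    print(demo())
```

The index is what turns a keyword list from counsel into a prioritized review: every hit names a file, and the metadata for that file (size, modified time, owner) is already captured, so the analyst can go straight to the relevant items instead of reading the whole device.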
The analysis phase of Digital Forensics involves taking the processed data and identifying the data relevant to answering the who, what, when, where, and why questions at the center of every investigation. The analyst's skill and experience become evident during this phase. This phase differentiates a true analyst from a computer technician who merely exports files and/or data for the Client's review without any interpretation of the data. The analysis phase is closely related to and leads into the reporting phase. Here are a couple of examples of analysis I have performed in previous cases:
I have used USB connection history data and data identifying recently opened files to determine whether a former employee, without authorization, copied files from a company computer or server onto a USB device. Since the USB device containing the copied files was not turned over by the former employee on his/her exit from the company, I determined the former employee may have stolen the Client's company data upon their departure.
In another investigation, I was engaged by a doctor who was charged with prescribing unnecessary prescriptions. As evidence against the doctor, the government asserted the doctor did not have any patient examination files for specific patients he/she was charged with issuing prescriptions; and therefore, the government asserted the doctor issued the prescriptions without examining the patients. My analysis of the doctor's computer confirmed the doctor's assertion that his/her computer was the victim of a ransomware attack, and before the attack the specific patient files were present on the computer. As a result of the ransomware attack, most of the doctor's patient files stored on the computer were encrypted. The doctor refused to pay the ransom and his patient files were never recovered. Using data which identified previously opened files on the computer, I was able to identify filenames of opened files matching the names for the specific patients included in the government's charges. Partially as the result of my analysis and report, the government dismissed the charges against the doctor.
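The first case above rests on correlating two artifact sets by time: which removable device held a drive letter during a given window, and which files were opened from that drive letter inside that window. The following is an added example of that correlation (not the author's code or report); the record layouts and every serial number, path and timestamp are constructed for illustration, and a real engagement would populate them from the parsed USB history and recent-file artifacts of the specific operating system.

```python
from datetime import datetime

# Constructed USB connection history: which device held which drive letter, and when.
USB_EVENTS = [
    {"serial": "SERIAL-A", "drive": "E:",
     "first_seen": "2023-03-10T17:02:00", "last_seen": "2023-03-10T17:40:00"},
    {"serial": "SERIAL-B", "drive": "F:",
     "first_seen": "2023-02-01T09:00:00", "last_seen": "2023-02-01T09:15:00"},
]

# Constructed recently-opened-file records (path as recorded, time the file was opened).
RECENT_FILES = [
    {"path": "E:\\customer_list.xlsx", "opened": "2023-03-10T17:21:00"},
    {"path": "C:\\Users\\jdoe\\Documents\\budget.docx", "opened": "2023-03-10T17:25:00"},
    {"path": "E:\\pricing.pdf", "opened": "2023-03-10T17:33:00"},
    # Same letter F:, but opened weeks after SERIAL-B was last seen: not attributable to it.
    {"path": "F:\\old_notes.txt", "opened": "2023-03-15T10:00:00"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def files_on_removable(usb_events, recent_files):
    """Attribute each opened file to the device that held its drive letter at that moment.

    Drive letters are reused, so a path alone proves nothing; the time window of the
    connection is what ties a file to a specific device serial number.
    """
    hits = []
    for rec in recent_files:
        drive = rec["path"][:2].upper()
        when = parse(rec["opened"])
        for ev in usb_events:
            if ev["drive"].upper() == drive and parse(ev["first_seen"]) <= when <= parse(ev["last_seen"]):
                hits.append({"serial": ev["serial"], "path": rec["path"], "opened": rec["opened"]})
    return hits


def unreturned_devices(hits, returned_serials):
    """Serials that had files opened from them but were not handed back (the post's key finding)."""
    return sorted({h["serial"] for h in hits} - set(returned_serials))


def timeline(usb_events, recent_files):
    """Merged, time-ordered event list of the kind that goes into a report."""
    events = []
    for ev in usb_events:
        events.append((parse(ev["first_seen"]), f"USB {ev['serial']} connected as {ev['drive']}"))
        events.append((parse(ev["last_seen"]), f"USB {ev['serial']} last seen as {ev['drive']}"))
    for rec in recent_files:
        events.append((parse(rec["opened"]), f"opened {rec['path']}"))
    return [(t.isoformat(), desc) for t, desc in sorted(events)]


if __name__ == "__main__":
    found = files_on_removable(USB_EVENTS, RECENT_FILES)
    for line in timeline(USB_EVENTS, RECENT_FILES):
        print(*line)
    print("files opened from removable media:", found)
    print("devices not returned:", unreturned_devices(found, returned_serials=["SERIAL-B"]))
```

The `F:\old_notes.txt` record is the caveat worth showing: it carries a removable drive letter, yet falls outside any recorded connection window for that letter, so the correlation correctly leaves it unattributed rather than counting it against a device that was not present.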
The reporting phase is one of the most challenging aspects of Digital Forensics. The analyst must report their findings, which often involve complex issues about how electronic devices store data, in a manner which is understandable to individuals who may not be computer 'savvy.' Reporting may include the explanation of findings in both written (Export Analysis Report) and verbal (Deposition or Court Testimony) formats. An analyst who has exceptional technical skills but lacks the ability to explain their findings to a non-technical audience may prove to be an ineffective asset for their client. When I worked for the Bureau, I used one of my former supervisors, who did not have a technical background, as my test subject to determine if I could adequately explain technical topics in an understandable way. If he maintained eye contact and engaged in my explanation, I knew the explanation was successful. If his eyes started glazing over and rolling back in his head, I knew I had to come up with a different approach. My former supervisor eventually caught on, and he began referring to himself as the 70-year-old outdated man on the jury. While it became comical, we both realized that his characterization represented the member of the jury my explanations had to effectively reach.
Hopefully, after reading this post, you will have a better understanding of Digital Forensics and the tasks an analyst performs. If you enjoyed this post, be on the lookout for future posts related to Digital Forensics.