ATHABASCA UNIVERSITY


SYSTEMATIC APPROACH TO PROCESS, ANALYZE, AND CLASSIFY DIGITAL EVIDENCE

BY
EMILE WONG

A project submitted in partial fulfillment of the requirements for the degree of
MASTER OF SCIENCE in INFORMATION SYSTEMS

Athabasca, Alberta
February, 2009

Emile Wong, 2009

DEDICATION

This thesis is dedicated to my mother, who raised me up to more than I can be.

ABSTRACT

This paper introduces a systematic approach to digital forensic investigation, intended to help digital forensic students understand the recognition, collection, preservation, documentation, classification, comparison, individualization, and reconstruction of digital evidence. The three-layered systematic approach can be applied to the examination of a single piece of evidence as well as to large digital criminal cases. Literature is examined relating to emerging problems in digital forensic investigation and to emergent technologies in the forensic field, including forensic tools, methodologies, and investigation best practice. The three-layered structure is explained, and the theoretical and practical processes are expounded with the aim of understanding the macro-cycle and micro-cycle of digital evidence. The roles and ethics of the digital forensic investigator are then discussed. Finally, the digital forensic technology and tools that support digital forensic investigation are described. The three-layered structure simplifies the complexity of the digital forensic investigation process in an organized and systematic manner; it can be used as a framework to further develop standard digital forensic operational procedures, or as a model for digital forensic software development.

ACKNOWLEDGMENTS

I would like to acknowledge with particular gratitude the assistance of my supervisor, Dr. Harris Wang. I am also indebted to a number of other people presently and formerly at Athabasca University, including Dr. Oscar Lin, Dr. Kinshuk, Dr. Xiaokun Zhang, Richard Hundrods, Mahmond Abaza, Kewal Dhariwal, Lil Saghafi, and Steve Leung, for their supervision in my study for the degree of Master of Science in Information Systems. Finally, I would like to thank my sons, Elvin and Ryan, for their forbearance during the long period it has taken me to conduct and write up this thesis.

TABLE OF CONTENTS

CHAPTER I - INTRODUCTION ... 1
  Statement of the Purpose ... 1
  Research Problems and Questions ... 2
  Outline of this Document
CHAPTER II - REVIEW OF RELATED LITERATURE ... 6
  Context ... 6
  Computer Forensics ... 7
  Digital Evidence ... 10
  Summary ... 11
CHAPTER III - THREE LAYERED SYSTEMATIC APPROACH ... 13
  Background ... 17
  Basic Concepts ... 18
  Digital Incidents and Threats ... 20
  Top Layer ... 23
  Assessment and Preservation ... 24
  Acquisition ... 28
  Examination ... 31
  Analysis ... 32
  Documentation ... 36
  Reporting ... 38
  Presentation ... 39
  Middle Layer ... 40
  Document ... 40
  Preparation ... 41
  Physical ... 42
  Logical ... 43
  Recover ... 44
  Analyze ... 44
  Findings ... 45
  Archive ... 45
  Roles and Ethic ... 46
CHAPTER IV - FORENSIC TECHNOLOGY AND TOOLS ... 48
  Previewing Tools ... 49
  Acquisition Tools ... 49
  Examination Tools ... 51
CHAPTER V - CONCLUSIONS AND RECOMMENDATIONS ... 54
  Conclusions ... 54
  Suggestions for Further Research ... 56
REFERENCES ... 58

LIST OF FIGURES

                                                                        Page
1. Three Layered Systematic Approach of Digital Forensic Investigation ... 15
2. Digital Forensic Investigation Macro-cycle ... 16
3. Digital Forensic Investigation Micro-cycle ... 17

CHAPTER I - INTRODUCTION

Statement of the Purpose

Digital forensic science provides tools, techniques, and a systematic approach that can be used to process and analyze digital evidence. Computer forensic examiners are expected to interact with digital evidence, digital forensic tools, and digital forensic laboratories. Digital evidence can be used to reconstruct what occurred during the perpetration of an offense. The purpose of reconstruction is to restore the links between offender, victim, and crime scene or incident. The final goal is to present legal evidence that the court can accept to prove or disprove a theory.

The research described in this document focuses on a systematic approach to process, analyze, and classify digital evidence. This document also demonstrates the tools and techniques that can be used to analyze and recover evidence. While the literature review in Chapter 2 shows that a significant amount of digital forensic training material, manuals, and books exists from different sources [2] [4] [5] [6] [7] [8] [13] [14] [15], that writing is mostly aimed at the professional view of digital forensic examiners or law enforcement

agents, or is otherwise a technical demonstration of the discovery and analysis of digital evidence by professionals. The research questions for this thesis are formulated with the aim of sketching out a systematic approach and guideline for digital forensic students to understand the recognition, collection, preservation, documentation, classification, comparison, individualization, and reconstruction of digital evidence in this under-researched area.

Research Problems and Questions

The research questions as defined in the project proposal were as follows:
  What is digital crime, and what is the difference between digital crime and traditional crime?
  How does a professional digital investigator differ from a computer technical person?
  What are the difficulties in presenting technical evidence in an easily understood format?
  What is the proper procedure for handling evidence?
  How can one prove that a working copy of digital evidence is the same as the original seized evidence?
  How does one begin an investigation, and where does one start?
  Understand your limits, and know when and where to stop.

  How to prepare, collect, and use forensic toolkits.

Outline of this Document

Following this introduction, Chapter 2 of this thesis consists of a review of literature in a number of areas relevant to computer or digital forensics. The review considers: literature on computer forensics; on cyber forensics; on computer forensics response; on the examination of digital evidence; on emerging problems in forensic computing; on privacy protection; on the risks of live digital forensic analysis; on digital forensic tools; literature specifically relating to digital and multimedia evidence; literature specifically relating to the roles of the computer forensic investigator; and literature concerning forensic techniques in general and particular proposed measures. Literature is explored on a variety of theoretical concepts, history, principles,

methodologies, disciplines, and practical procedures for the seizure, handling, analysis, and recovery of digital evidence; but the emphasis is largely placed on personal experience or case studies.

Following the literature review, Chapter 3 examines and extends some of the theoretical issues raised in the literature. This chapter seeks to define the systematic approach of recognition, collection, preservation, documentation, classification, comparison, individualization, and reconstruction. In particular, it explains the basis of the initial assessment of, and response to, a digital incident. The chapter also discusses the relationship between the discovery, preservation, documentation, and presentation of digital evidence. The roles and ethics of the digital forensic investigator are also addressed in this chapter.

Chapter 4 describes the forensic technology and tools that can be used to preserve, analyze, and recover digital evidence. This chapter also includes an evaluation of digital forensic tools, their functionality, and related file systems and operating systems.

Chapter 5 concludes the thesis by revisiting the main findings on the systematic approach to digital forensics in the theoretical, practical, and experimental stages of the research; it identifies the impact of digital crimes and raises issues that are likely to be

useful areas for future study.

CHAPTER II - REVIEW OF RELATED LITERATURE

Context

Computer forensics can be considered a branch of forensic science with a different investigation approach. The science of computer forensics encompasses a wide range of disciplines including, but not limited to, computer hardware and software, telecommunications, security, networks, electronic devices, law enforcement, and the criminal justice system. The introduction of digital forensics into forensic science reflects the urgent need for digital forensic professionals, methodologies, and tools to handle rapidly growing computer crime. Computer forensics is generally deployed against hacking, obscene publication, perjury, murder, espionage, forgery, defamation, narcotics trafficking, credit card cloning, software piracy, and paedophile rings [9][11][12].

Today, computer forensic practitioners face a multiplicity of investigative challenges in two main categories. The first is technology. Criminals continuously employ up-and-coming advanced information technology and methods [20] to commit fraudulent activities that investigators need time to become fully aware of. In addition, rapidly growing storage media capacities and high-speed network transmission have increased the

complexity of analysis [7]. The other is the techniques and protocols of investigation, examination, and analysis of digital evidence. In a dynamic technological environment, the subject matter of evidence examination changes at such an exponential rate that forensic tools must be modified regularly in order to keep up [20]. Digital forensics is a continuously developing topic. It is only in the last twenty years or so that the literature on computer forensic examination protocols and methodology has been commonly discussed and studied.

Computer Forensics

The development of the discipline of computer forensics began with the awakening to white-collar crime [11]. In 1981, after the first IBM Personal Computer (PC) was made available to ordinary businesses, U.S. federal law enforcement noticed the surfacing of white-collar crimes committed with the aid of the new PCs. In the 1980s, the emerging science of computer forensics found its starting place as training developed by U.S. federal law enforcement agents. The U.S. Federal Law Enforcement Training Center (FLETC) started training agents to conduct investigations in the computerized environment, and FLETC's Financial Fraud Institute (FFI) began to develop software and protocols to deal with the emerging discipline of

computer forensics.

Peter Stephenson's book [4] introduced the potential impact of cyber crimes; it also introduced a framework for conducting an investigation of a computer security incident, how to prepare for cyber crime, and the use of forensic utilities. A generalized investigative framework for the corporate investigator is structured as follows:
1. Eliminate the obvious
2. Hypothesize the attack
3. Reconstruct the crime
4. Perform a trace back to the suspected source computer
5. Analyze the source, target, and intermediate computers
6. Collect evidence, including, possibly, the computers themselves
7. Turn your findings and evidentiary material over to corporate investigators or law enforcement for follow-up

A report [11] published by the National Institute of Justice in 2001 identified the needs that require attention to keep pace with the rapid growth of computer crime; a succinct synopsis of the Critical Ten needs was identified:
1. Public awareness

2. Data and reporting
3. Uniform training and certification courses
4. Onsite management assistance for electronic crime units and task forces
5. Updated laws
6. Cooperation with the high-tech industry
7. Special research and publications
8. Management awareness and support
9. Investigative and forensic tools
10. Structuring a computer crime unit

Another report [12] was published by the National Institute of Justice as a guide for state and local law enforcement to examine computer evidence. The entire examination process for handling digital evidence was outlined:
  Policy and Procedure Development
  Evidence Assessment
  Evidence Acquisition
  Evidence Examination
  Documenting and Reporting

The other report [9] published by the National Institute of Justice provides structure for the continuing education of practicing forensic scientists and training to enhance a current digital forensic examiner's knowledge, skills, and abilities (KSA).

Digital Evidence

The conference paper [20] refers to Mark Pollitt's generalization of digital evidence as information of probative value that is either stored or transmitted in binary form. Digital evidence is a type of physical evidence that is made up of magnetic fields and electronic pulses that can be collected and analysed using special tools and techniques. Brian D. Carrier stated that the difference between live and dead digital forensic analysis is the reliability of the results. The paper [1] concluded that live digital forensic analysis may not produce reliable results. Michael G. Solomon, Diane Barrett, and Neil Broom's book [2] described the need for computer forensics, including preparation, common tasks, capturing the data image, extracting information from data, passwords and encryption, and testifying in court. Albert J. Marcella and Robert S. Greenfield's book [6] introduced a mature methodology for digital forensic investigation; the book described the procedure of searching and seizing computers and obtaining electronic evidence, computer crime policy

and programs, international aspects of computer crime, privacy issues in the high-tech context, critical infrastructure protection, and legal issues and considerations. The book also defined computer forensics as dealing with the preservation, identification, extraction, and documentation of digital evidence [6]. Debra L. Shinda, a former police officer, provided not only forensic techniques but also the investigation process and jurisdictional issues in her book [5]; the book stated that many information technology professionals were unconcerned about cyber crime, while at the same time law enforcement officers were not equipped with appropriate tools to deal with the cyber crime problem. The book Incident Response by Kevin Mandia, Chris Prosise, and Matt Pepe [15] showed the detailed process of live data collection from both Windows and UNIX systems, and the toolkit required for both operating systems.

Summary

M.G. Solomon, D. Barrett, and N. Broom [2], P. Stephenson [4], D.L. Shinda [5], A.J. Marcella and R.S. Greenfield [6], G. Mohay, A. Anderson, B. Collie, O. de Vel, and R. McKemmish [7], R. Leigh and A.W. Krings [8], B. Middleton [13], D. Schweitzer [14], and C. Prosise, K. Mandia, and M. Pepe [15] have discussed digital forensics in great depth or expanded their own model of the discipline into a more general framework. In addition to

the frameworks mentioned previously, the use of digital forensics in investigations with a view to incident response has also been looked at from different aspects. The present study was designed to create a guideline for digital forensic students to understand the life cycle of the digital forensic process. The study sought to define a systematic approach to digital forensics in recognition, collection, preservation, documentation, classification, comparison, individualization, and reconstruction.

CHAPTER III - THREE LAYERED SYSTEMATIC APPROACH

The paper [20] states that digital forensics has mostly developed in an ad hoc manner. Many research resources [2] [4] [6] [7] [19], though not limited to the resources of this paper, are based on cases or current practices. Digital forensic methodologies and protocols are introduced depending on certain circumstances, methods, and procedures; most of them are developed from personal experience and expertise [8]. The emerging topic is still under development and being discussed. The entire examination process [12] of the National Institute of Justice provides a top-level structure of digital investigation. The forensic formalization model [20] creates a low-level implementation of investigative steps.

This section generalizes the entire digital forensic investigation process into a three-layered systematic approach. The entire digital forensic investigation process can be conceptualized as occurring simultaneously in three different scales or time frames. The top layer occurs over the course of an investigation and guides the overall investigation from initial response to final presentation. The top layer has seven protocols, as shown in

Figure 1. Each protocol actually contains one or multiple interfaces described in the middle layer. The top layer of processes evolves over time and can be considered the macro-cycle. The first two protocols tend to focus on the collection and acquisition of digital evidence. The next two protocols focus on the examination and analysis of seized evidence. The last three protocols focus on documentation, reporting, and presentation; the documentation protocol overlaps the first four phases of the digital evidence investigation lifecycle, as shown in Figure 2.

The middle layer defines a systematic framework of interfaces for investigation, as shown in Figure 3. The middle layer has a more limited scope than the top layer and can be considered the micro-cycle of investigation. The middle layer is focused on providing an interface for the actual implementation of investigative processes or examination steps. Investigators or examiners can apply their best practice to the interface to create standard procedures for a specific type of evidence.

The bottom layer is the actual implementation of the examination procedures and steps for an individual piece of evidence or file, and it is out of the scope of this paper.

Figure 1: Three Layered Systematic Approach of Digital Forensic Investigation

Figure 2: Digital Forensic Investigation Macro-cycle

Figure 3: Digital Forensic Micro-cycle

Background

In 1988, Robert Morris accidentally unleashed an Internet worm at MIT which infected and subsequently crashed thousands of computers [11]. Morris chose MIT to mask the fact that the worm came from a computer at Cornell University. Morris soon discovered that the worm was replicating and re-infecting machines at a much faster rate than he had anticipated. Following a jury trial, Morris was found guilty and sentenced to three years of probation. The Internet worm was considered the first case prosecuted under the Computer Fraud and Abuse Act of 1986 in the United States of America. This case established a precedent that would help to convict other hackers and

virus programmers, and the word hacker was introduced into the vernacular of the computer and digital forensic community.

Basic Concepts

Digital evidence is a kind of physical evidence. Although digital evidence is less tangible than other forms of physical evidence such as fingerprints, blood, or weapons, digital evidence is made up of magnetic fields and electronic pulses that can be collected and analyzed using special tools and techniques. The content of digital evidence can only be viewed with particular tools or software. Digital forensics is about creating a story of how this evidence is linked with the crime, offenders, and victims. In cases of digital crime, there may be a transport mechanism for evidence from one storage medium to another; there may also be a transfer mechanism for evidence across the network. Consider a person visiting a website: auditing and logging are going on at the server, creating a trace of the IP address, operating system used, pages viewed, and date and time of the person who visited the website. All this information is stored in the log files of the web server. On the client side, the information showing that the person visited the website is stored on the system by cookies and temporary Internet files in a temp folder. These establish a tie between the person and the site. An incident scene is

somehow a linkage between victims and suspects through some physical evidence. To summarize, digital forensics is the way to discover this less tangible electronic evidence, collect it, and analyse it; and the storage of evidence may also transfer across the network. Digital evidence needs to be gathered, explored, collected, and explained as to what it represents. Digital evidence can be used to reconstruct what occurred during the perpetration of an offense, and eventually creates a link between an offender, victim, and the crime scene under a theory. Eventually the evidence might prove or contradict the theory.

Digital evidence exists in many forms and locations within digital systems or devices. As a digital forensic practitioner, it is crucial to understand the kinds of information that may exist within the system in order to find that information effectively. Classification of digital evidence lets us understand the type of information, its purpose, and what is important and relevant to the case. Also, finding pieces of information to build the case and understand the timeline of what occurred is important in digital forensic investigation.

The digital forensic practitioner is responsible for conducting a digital forensic analysis to gather digital evidence based upon the level of proof. There are basically two levels of proof in a court of law.
  Criminal - we need to prove to people that the case is 100% sure, without any doubt

or any reasonable doubt that we might be wrong.
  Civil - we attempt to demonstrate by the preponderance of the evidence, and only need to convince 51% of people in most cases.

Digital forensic analysis takes the acquired data and examines it to develop and identify digital evidence. Different levels of weight or proof are obligatory for civil and criminal cases. There are three major categories of digital evidence that are looked for in an investigation.
  Inculpatory evidence - evidence that supports a given theory.
  Exculpatory evidence - evidence that contradicts a given theory.
  Evidence of tampering - evidence that cannot be associated with any theory, but shows that the system was tampered with to avoid identification.

Digital Incidents and Threats

Computer forensic examiners may come across various types of computer forensic incidents. Before digital forensic students get into the investigation process, they need to understand several basic concepts of digital forensics, and what a forensic investigator will encounter in a digital forensic investigation.
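The web-server trace described under Basic Concepts (IP address, operating system, pages viewed, date and time) and the "evidence of tampering" category above, as an added example that is not part of the thesis and not the code of any forensic tool: it parses access-log lines in the Apache combined format, rebuilds each visitor's timeline, and reports any line whose timestamp runs backwards relative to the line before it, which an append-only log would not produce on its own. The log lines, IP addresses (RFC 5737 documentation ranges) and hostname are constructed; the operating-system guess from the User-Agent string is a deliberately coarse assumption.

```python
"""Reconstructing a visitor trace from web server logs and flagging ordering anomalies.

Added example, not part of the original thesis. The log lines below are
constructed in Apache "combined" format; the IP addresses are documentation
ranges (RFC 5737) and the hostname is invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three requests from one visitor and one from another.
# The last line carries a timestamp EARLIER than the line before it, which an
# append-only access log would never produce; it stands in for a log that was
# edited after the fact.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2009:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 5.1; rv:1.9)"
203.0.113.7 - - [10/Feb/2009:14:02:19 +0000] "GET /downloads/report.pdf HTTP/1.1" 200 88210 "http://www.example.org/index.html" "Mozilla/5.0 (Windows NT 5.1; rv:1.9)"
198.51.100.23 - - [10/Feb/2009:14:05:40 +0000] "GET /admin/ HTTP/1.1" 403 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Feb/2009:13:59:02 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 5.1; rv:1.9)"
"""

COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Coarse operating-system guess from the User-Agent string (assumption; extend as needed).
OS_MARKERS = (("Windows", "Windows"), ("Macintosh", "Mac OS"), ("Linux", "Linux"))


def guess_os(user_agent):
    for marker, name in OS_MARKERS:
        if marker in user_agent:
            return name
    return "unknown"


def parse_line(line):
    """Return the evidentiary fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "referer": m.group("referer"),
        "os": guess_os(m.group("agent")),
    }


def build_timeline(log_text):
    """Group parsed requests by client IP, each group sorted by time."""
    timeline = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            timeline[entry["ip"]].append(entry)
    for entries in timeline.values():
        entries.sort(key=lambda e: e["timestamp"])
    return dict(timeline)


def find_ordering_anomalies(log_text):
    """Return 1-based line numbers whose timestamp precedes the previous parsable line's.

    A server appends access-log entries in arrival order, so a backwards jump is
    worth documenting as possible evidence of tampering (or of a clock change)
    rather than something to silently sort away.
    """
    anomalies = []
    previous = None
    for number, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        if previous is not None and entry["timestamp"] < previous:
            anomalies.append(number)
        previous = entry["timestamp"]
    return anomalies


if __name__ == "__main__":
    for ip, entries in build_timeline(SAMPLE_LOG).items():
        print(ip, entries[0]["os"])
        for e in entries:
            print("  ", e["timestamp"].isoformat(), e["method"], e["path"], e["status"])
    print("out-of-order lines:", find_ordering_anomalies(SAMPLE_LOG))
```

The sorted per-visitor timeline is what the examiner reports; the unsorted line order is kept separately because the anomaly check depends on it, which is why the two functions read the raw text independently rather than sharing a pre-sorted structure.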

Laws of computer fraud clarify the definitions of criminal fraud and abuse for computer crimes, and remove the legal ambiguities and obstacles to prosecuting these crimes. The following are considered criminal cases, including but not limited to:
  Online auction or electronic trading fraud
  Trafficking in contraband such as child pornography
  Network intrusions or hacking
  Cyber threats such as cyber stalking
  Theft of identity or personal information
  Espionage
  Murder
  Perjury and forgery
  Telecommunications fraud
  Pirating of intellectual property such as copyright

Computer forensic practitioners are faced with numerous investigations which may be considered civil in nature; the following are considered civil incidents, including but not limited to:
  Misuse or damage of corporate information technology assets

  Employee wrongful termination claims
  Failure to comply with Acts for financial institutions
  Failure to comply with Acts for business accounting
  Sexual harassment
  Defamation
  Divorce
  Theft of proprietary data such as trade secrets

Internal threats involve end-users who commit fraud or other illegal acts from inside their organization. These persons may be in positions of trust, and internal threats may not be purposefully directed against the company itself; they can be committed in a variety of crimes. Internal threats to an organization's computer infrastructure may include, but are not limited to:
  Theft of proprietary data
  Using information technology assets to run a personal business
  Using company servers to deliver contraband
  Alteration of official records, such as marks on a report card
  Sabotage via execution of malicious code

A threat is considered an external threat if it involves end-users from outside the organization; the person may commit intrusions or other similar illegal acts. The computer forensic practitioner may be called upon to investigate external threats such as, but not limited to:
  Viruses, malware, and spyware
  Intrusions, Trojan horses, or hacking
  Denial of service (DoS) attacks
  Spoofing
  Password cracking
  Spamming attacks
  Website defacing

Top Layer

The seven primary protocols in the top layer extend through the entire lifecycle of an investigation, and the top layer is considered the macro-cycle of the digital forensic investigation process. Each protocol occurs in a different scale and time frame, as shown in Figure 2.

Assessment and Preservation

Digital incident response is different from the discovery of digital artifacts. Digital incident response is about how to assess a digital incident situation, identify the procedures that are essential to protect the digital evidence, and shelter the digital evidence in a safe place to avoid contamination. Digital incidents may happen as the consequence of acts committed by persons involving a device which retains binary data, in the form of a desktop, workstation, server, laptop, or similar digital computing device. When called upon to respond to a digital incident, a computer forensic practitioner should make an initial assessment of the situation and be prepared to apply the appropriate response, seeking to gather digital artifacts. The collected digital artifacts will eventually prove or disprove a theory concerning the commission of a civil offense, criminal offense, or security violation. The initial assessment of the situation includes consideration of the type of incident, the parties involved, the incident or equipment location, and the available response resources.

In digital incident response, the computer forensic practitioner may encounter a wide variety of digital media and devices which may retain potential digital evidence. The

practitioner shall explore the digital devices which may serve as repositories of digital data and be subjected to examination. Almost anything can retain binary data; digital forensic practitioners have to decide what to look for and make the correct assessment. To determine the type of incident, a digital forensic practitioner needs to identify the relationship between the activities and the digital devices. The first type of incident involves stolen hardware and software. The second type involves a digital device which contains evidence of the incident or offense. The third type involves a digital device as the tool of the offense. The last type involves a digital device that was actively used to commit the offense. An incident can be any one of the above types or a combination of them.

During an incident response, a digital forensic practitioner also needs to recognize the parties involved, identifying the persons involved in the investigation such as complainants, victims, witnesses, informants, suspects, or system administrators and technical support. Other information is also crucial to the investigation, such as the name of the Internet Service Provider, any online services, websites, newsgroups, web applications, and the network and firewall configuration. The digital forensic practitioner must be

aware of any skillful technical person who could cause a serious loss of evidentiary data. Further, in an incident response, an investigator needs to find out the location of the incident or equipment involved to determine the proper action to take next. The incident might occur on private or residential property, in a business office, in a public area, or in various locations worldwide. Finally, the frequency of occurrence of the incident should be addressed, and how long the activities have been occurring. So during a digital incident assessment, we have to figure out how the equipment is used and how important its functioning is to the company.

The digital forensic practitioner should prepare a checklist for a digital incident response; the items in the checklist should include the following: a digital camera to take photos of the scene; a portable imaging device and blank media to be able to make forensic copies; Chain of Custody and other official documents to record actions and procedures; items such as paper, permanent markers, labels, and disassembly tools; packaging items such as sealing tape, cardboard boxes, and envelopes; and transport vehicles.

Digital forensic practitioners need to use their time, tools, and talent in a professional manner throughout the entire case to be able to gather the evidence they

need and to build a forensically sound case. The goal of a digital forensic practitioner when responding to an incident is to secure all potential digital evidence and preserve it for examination and analysis. Due to the fragile nature of digital evidence, it must be handled properly and carefully to avoid damage or immediate destruction. The best practice is to keep all people, including suspects, away from the evidence except persons who have been trained to handle it, because evidence can be destroyed accidentally or maliciously by triggers on a few keystrokes. People should always wear gloves and try not to disturb potential latent or digital evidence, because there may be other physical evidence at the crime scene such as fingerprints on the digital devices. Running machines should be handled carefully to preserve data in the cache, and the state and configuration of the machine need to be documented or captured. Digital evidence needs to be secured to make sure that there is no way for anyone to access the devices. A common practice to seal digital evidence is to place evidence tape along the edges of the computer's housing, then place your initials, date, and time over the seal in permanent ink. Finally, move all digital evidence to a secured facility for storage if possible. Bear in mind that improper handling of evidence can tamper with or damage the

evidence. Failure to handle it properly may leave it unusable in court or lead to an imprecise conclusion, or even worse, permanently destroy what you are seeking.

Acquisition

Acquisition is the process of obtaining or extracting digital information from a digital device or media with specialized forensic tools. There is a difference between a copy and a duplicate of digital evidence. A copy of original evidence is an accurate reproduction of the content stored on an original physical item, and it is independent of the electronic storage device. The process copies the contents contained in the storage device of the original evidence, but attributes may change during the reproduction and other hidden information is not transferred. For example, the last access date and time will be replaced by the current date and time at the moment you copy the content. A copy is not considered an exact duplication of the original evidence. A duplicate is an exact duplication of all data contained on an electronic storage device. The process of duplication maintains all contents; all information on the storage device is transferred, including all viewable and hidden contents, metadata, attributes, and all slack space. Duplication may take place either at the incident scene or in the digital forensic laboratory

37 by a trained and certified digital forensic practitioner. Copy of digital evidence is as admissible as original evidence as long as they can be authenticated by professionals or experts. Any examination on the original piece of evidence may alter or contaminate it. The goal of the digital evidence acquisition process is to duplicate the original digital evidence in a manner that protects and preserves the original evidence, in order to prevent destruction, damage, and alteration prior to analysis. So in examination of digital evidence, original digital evidence must be kept intact; and digital forensic examiner must have a duplicate exact copy of the original evidence, and work with the copy of the original evidence alone. Acquisition can be conducted in the forensic laboratory or on-site. The main consideration of where to conduct the acquisition depends on the control of circumstances and time. If the situation is beyond your control, an on-site acquisition of the potential digital evidence may be necessary. For example, a running web-based application server in a large corporation is vital to maintain their daily operation of business, and people cannot simply take the server back to laboratory, the digital forensic practitioner should consider conducting an on-site imaging or live acquisition of the activities on the server. Authentication of the acquired digital evidence is essential to make the copy of 29

38 original evidence as admissible evidence in court. Cryptographic checksums can prove the integrity of the contents of copy is as exactly the same as the original. Hashing function is well-known authentication methods with cryptographic checksums; it inputs some items and passes through mathematical processes or algorithms, and outputs with certain answers in one way only. People cannot reverse the process by using the answer to generate the same original source. A single bit different in the original objects will output a significant different answers. Two different items will never generate the same hashed result. The three main authentication methods are CRC-32, MD5, and SHA-1. Digital evidence acquisition is one of the critical stages in the digital forensic examination process. Any errors during the execution of this procedure could cause undesirable results. Examiner must ensure documentation of all physical aspects of hardware device such as serial number, makes, model, configuration details, and procedures of the acquisition. Prior to the acquisition procedure, ensure that a sufficiently-sized, forensically sterile target media. Digital forensic examiner can initiate the acquisition procedure with the use of forensically sound acquisition tool. Forensically sound tools can be proved by other professionals that the tool does not produce error or mistake, and the same result will be generated by other forensically sound tools with same 30

39 procedure and on the same digital evidence. Forensically sound tools help to create an accurate, authenticated duplicate of the original evidence. Examination After acquired a working copy of the original evidence, digital forensic examiner can begin the examination phase of investigation on the duplicated image of evidence by mounting the image with your digital forensic program. The examination can help the examiner to focus on what the case is. During a digital forensic examination process, some of the known files such as the operating system files can be ignored. Examiners have to following certain rules and steps, and apply forensic examination protocols in the analysis; those rules and steps ensure the evidence can be used as admissible evidence. Digital forensic practitioner needs to understand the way to gather information with methodology and accepted practices; and the findings can ultimately be presented in court or similar venues. A key section of digital forensic is the examination of digital storage media. Due to the rapidly changing and increasing in size of data storage media, standard digital forensic methods and procedures do not have the time to be established. Digital forensic 31

40 practitioners usually conduct examination in ad hoc manner. Examiners examine available evidence, generate hypotheses about what occurred to create the evidence, carry out tests to prove or contradict the hypotheses; work through the examination process with forensically sound tools. The findings of the examination helps digital forensic practitioners to fabricate strong possible about what occurred. A forensically sound examination is one conducted under controlled conditions that it is completely documented, the examination is repeatable and the result is verifiable. A forensically sound methodology does not alter any data on the original evidence, it preserves in original condition, and regardless of who completes the examination of the media and the specific tools and methods employed. If anyone uses forensically sound tools and methodologies, they should get the same results. So an investigator or analyst has the flexibility to choose among many acceptable tools and techniques as long as they are forensically sound. Anyone use forensically sound tools and methodologies can reproduce the same examination result. Analysis The goal of analysis of digital evidence is to reconstruct the digital incident scene. 32

The analysis process has three main aspects. The first is the recovery of data and information; important information can be found in hidden, corrupted or protected data. The second is the classification of digital artifacts; reconstruction of the digital incident scene relies on it. Classification is the process of finding characteristics of the digital evidence in order to distinguish it from similar specimens, and it can be carried out by comparison and individualization. The third aspect is reconstruction, which determines the events surrounding an incident. The concept of reconstructing an incident is to puzzle out the who, what, when, where, why and how of the incident using all available digital evidence, and to construct a timeline and sequence of the events that occurred.

The recovery of active, backup, hidden, encrypted, deleted or damaged digital artifacts is usually the first step in recreating the digital incident scene. A computer forensics practitioner must have access to the appropriate tools and the time necessary to fully develop any recoverable digital artifacts, and ultimately to construct the story behind the scene. The recovery process takes time, not only for the examination, which depends on the tools and on how much information you are going to look at, but also for documenting and recovering the artifacts with which you try to make the case. Recovery is a time-consuming process; it could take months or years to produce a result. The analysis result lets an investigator put together the digital evidence and precisely establish what occurred during the perpetration of the incident.

Comparison is crucial when analyzing digital evidence. Comparing a piece of digital evidence with a control specimen can highlight unique aspects of the artifact. Individualization identifies individualizing characteristics, created by mistake, arbitrarily or intentionally, that can be recognized later. Digital evidence can therefore be classified, compared and individualized by content, function and characteristics. Content is usually plain text or graphical images; investigators can use the content to determine information such as the origin, the message, the receiver and the motivation. Functions are usually programs or applications for a specific purpose; investigators can examine how a program functions to classify and individualize it, as in the case of a Trojan horse program. Characteristics such as file names, file extensions, file sizes and time stamps can be helpful in classifying and individualizing digital evidence.

The process of classifying, comparing and individualizing digital evidence can be lengthy. An investigator must examine each digital artifact carefully to reveal its unusual or unique details. The smallest detail may provide clues that could prove or contradict your overall hypothesis as to what occurred. A digital forensic practitioner may find a variety of data files during an examination; these files are usually stored on the hard drive of a computer or on another storage device elsewhere. Those files can be classified as ordinary, hidden or deleted, system, and metadata. Ordinary data includes active data that is available and easily accessed, and backup or archival data that is no longer in use but is stored separately for later retrieval. Hidden or deleted data is information that appears not to exist or is not noticeable, but is recoverable from the digital media. System data includes background data and information created by operating systems, such as log files, which can be used to expand the details of a case. Metadata is data about data; important information such as the time, date and creator of a document may be embedded in the document.

During reconstruction, digital evidence can be used to sequence events, determine locations, and establish the time and duration of the incident. The clues used to recreate an incident are relational, functional and temporal data. Relational data shows the relationship between objects or pieces of evidence; multiple files can be parts of the overall crime under investigation. Functional data shows the purpose of an object or how it was used during the incident; for example, an e-mail message shows the recipient and the server that received it. Temporal data shows when the data was created and can be used to reconstruct an incident. Time is used to connect events, access, victims and offenders; examining and verifying the time stamps attached to digital evidence can help to reconstruct the order of events.

Documentation

An experienced investigator relies on the practice of following good methodology during the course of evidence collection and handling, so that the evidence can be presented in court. Documenting everything is the key to a successful case. A digital forensic investigation requires the investigator to perform the processes of preparation, collection, assembly, examination and analysis of digital evidence. Throughout the forensic process, the investigator examines and extracts a huge amount of information. Ultimately, that information has to be processed into a succinct and concise report that people can easily understand. Properly documenting the steps, along with sound forensic procedures, is essential for success in computer crime cases. Documentation is tedious. A simple mistake in documentation can completely ruin the evidence found in the case. Good documentation reflects the professionalism of investigators and examiners; mistakes or errors in documentation can become a point of challenge in a presentation. Good documentation practice includes documenting all investigation steps, examination procedures and analysis results as soon as possible. Information has to be written in a clear and concise manner, and the date and time must be included in all documents. Other information also needs to be stated precisely in the document. The documents must carry the names and signatures of the persons who participated in the investigation or prepared the document.

The chain of custody is one of the indispensable documents for all forensic investigations. Establishing a chain of custody is required upon securing any piece of digital evidence. Any delay in the timely submission of digital evidence could break the chain of custody. The chain of custody starts at the point where the device is properly marked with initials and the current date and time; the investigator then records and makes notes on the chain of custody form for all items of digital evidence to be turned in to the evidence custody facility or locker. Simply leaving the evidence unattended violates the chain of custody.
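The classification by characteristics and the temporal reconstruction described in the Analysis section above can be shown on a few records. The Python block below is an added example written for this edition, not code from the thesis. It takes constructed file-system records of the kind a duplicated image would yield, classifies each artifact by its name, size, extension and leading bytes (a file header that disagrees with the extension is an individualizing characteristic worth noting), and then lays the modification, access and change times out as one sorted MAC timeline in the style of a mactime body listing, so the order of events can be read top to bottom. The sample records, paths and the magic-number table are constructed for illustration.

```python
"""Classify file artifacts by their characteristics and build a MAC timeline.

Added example, not code from the thesis. The artifact records, paths and
magic-number table are constructed for illustration; in practice the
records would come from the file system metadata of the duplicated image.
"""
from collections import namedtuple
from datetime import datetime, timezone

# One record per file: path, size in bytes, the three MAC timestamps
# (ISO 8601, UTC) and the first bytes of the file content.
Artifact = namedtuple("Artifact", "path size mtime atime ctime head")

# Leading bytes (magic numbers) of a few common file types.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip",      # also the container format of .docx files
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
}
# Extensions that normally accompany each content type.
EXPECTED_EXT = {
    "jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "zip": {".zip", ".docx"},
    "pe-executable": {".exe", ".dll"}, "pdf": {".pdf"},
}


def sniff_type(head):
    """Classify by content rather than by name: match the leading bytes."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def classify(art):
    """Return (content type, list of noteworthy characteristics) for one artifact."""
    name = art.path.rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff_type(art.head)
    flags = []
    if name.startswith("."):
        flags.append("hidden-name")
    if art.size == 0:
        flags.append("empty")
    # A header that disagrees with the extension is an individualizing
    # characteristic: something or someone renamed the file.
    if kind != "unknown" and ext not in EXPECTED_EXT[kind]:
        flags.append("extension-mismatch")
    return kind, flags


def _parse_ts(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def mac_timeline(artifacts):
    """One row per (timestamp, file), flagged m/a/c in the style of a mactime
    listing and sorted so the sequence of events reads from top to bottom."""
    rows = {}
    for art in artifacts:
        for flag, ts in (("m", art.mtime), ("a", art.atime), ("c", art.ctime)):
            rows.setdefault((_parse_ts(ts), art.path), set()).add(flag)
    return [
        (ts.isoformat(), "".join(f if f in flags else "." for f in "mac"), path)
        for (ts, path), flags in sorted(rows.items())
    ]


# Constructed records from a hypothetical Windows user profile.
SAMPLE = [
    Artifact("C:/Users/alice/Documents/report.docx", 48213,
             "2009-01-12T09:14:02", "2009-01-15T17:40:11", "2009-01-12T09:14:02", b"PK\x03\x04"),
    Artifact("C:/Users/alice/Pictures/holiday.jpg", 2811,
             "2009-01-15T17:38:55", "2009-01-15T17:38:55", "2009-01-15T17:38:55", b"MZ\x90\x00"),
    Artifact("C:/Windows/Temp/.cache", 0,
             "2009-01-15T17:39:30", "2009-01-15T17:39:30", "2009-01-15T17:39:30", b""),
]

if __name__ == "__main__":
    for art in SAMPLE:
        print(art.path, *classify(art))
    for row in mac_timeline(SAMPLE):
        print(*row)
```

Read together, the two outputs tell the reconstruction story the section describes: an executable disguised as a picture appears at 17:38:55, an empty hidden file follows it, and the document is accessed about a minute later. In a real case the sample list would be replaced by the records of the whole image and the time stamps would be checked against the validated system clock before any conclusion is drawn from their order.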

Reporting

Reporting is a stage of collaboration and explanation that comes after the completion of the investigation. The documentation stage provides the essential information for reporting. Reporting requires discipline and organization to prepare information for presentation, and it can be the most difficult phase of a digital forensic investigation. The challenge is to create reports that accurately describe the whole situation of the case, including the digital response, the evidence collected, preservation, examination and the findings of the analysis. These reports have to show the events and information in a timely manner. Many standard documents must be included in the report so that it can withstand the barrage of legal scrutiny. Investigators should develop a standard format for reporting; forms and templates should be created for easy recording of the process, pertinent information and data. Various software packages help to generate reports from the data; they provide view, search, sort, bookmark and report-creation features. The basic guidelines for reporting are to document your steps clearly, organize the report using a template, be consistent, and include supporting material and the methods used in data collection. Documenting in a clear and concise manner helps ensure that the details can be recalled when needed. The final report may include sections for a summary, objectives, analysis, findings, supporting documentation and a glossary [2].

Presentation

Anyone who wants to join the field of digital forensics cannot avoid presenting findings in a court of law or similar venues. Presentation of digital evidence is outside the scope of this research paper, but a few points are worth mentioning. First, all evidence must be admissible in court; always discuss any legal issues with your corporate attorney or lawyers prior to conducting seizures or presenting digital evidence. Second, make sure to follow the guidelines of the jurisdiction where the presentation takes place. Evidence is a type of proof legally presented at a trial and allowed by the judge; it is intended to convince the judge or jury of alleged facts material to the case. Proper control over the maintenance of evidence and documentation can be crucial in overcoming the inevitable objections that will be raised in the courtroom or by legal authorities. Third, defendants often attempt to challenge the authenticity of computer-generated records by challenging the reliability of the program and the verification of the findings. Investigators must be prepared to prove that the forensic tools are forensically sound and licensed. Fourth, explain procedures, findings and technical information in layman's terms. Complex forensic data and procedures can be converted into something easy to understand with a simple, devised frame of reference. Finally, the presenter's appearance, attitude, tone and professionalism are important factors in convincing the audience.

Middle Layer

The middle layer is considered the micro-cycle of digital forensic investigation. It contains one or more systematic interfaces, as shown in Figure 3, that can be applied iteratively or nested in a digital forensic investigation as a framework for developing examination procedures. The digital forensic practitioner can apply best practice to the interface to develop a particular implementation of steps or procedures for a specific type of evidence. The interface contains eight functional units in different time frames. Each unit specifies the particular nature of the procedures or steps throughout the micro-cycle of investigation; the steps or procedures may vary depending on the type of evidence.

Document

The Document unit is a fraction of the whole documentation process stated in the top layer. The Document unit contains the standard documents needed in the investigation, and it is the starting point of every procedure. Upon any request for digital forensic investigation service, the investigator should start to make notes on all information related to the service. Some software designed for digital forensic investigation helps the investigator to create the related documents for cases; such software usually assigns a unique number to each case for later reference. Prepare log files and checklists that make it convenient for investigators to fill in the time, date and events. Reports can be easily created from proper records or log files. The chain of custody is one important document.

Preparation

The Preparation unit includes all preparation that is ready to use for investigative service requests. Digital incident response usually leaves the investigator no time to get prepared, so the investigator should always have tools and a laboratory environment prepared for any forensic investigation service. Establishing sterile examination storage media is good practice. Sterile examination media need to be prepared by the practitioner: all data areas of the media should be wiped and the wiping documented. Sterilizing hard drives takes time, so they should be prepared ahead of when they are needed. All forensic systems and media have to be scanned for viruses and verified virus-free before use. The laboratory should have ready-to-use systems running licensed software; make sure all forensic software is up to date and licensed to the practitioner or the organization. Make sure the systems are time-validated, because time is an important part of the analysis, especially when we need to create a timeline of the suspects' activities. Procedures or policies must be set to secure the laboratory environment from unauthorized persons to avoid violating the chain of custody; it must be provable that the evidence is under the control of authorized personnel at all times.

Physical

The Physical unit refers to the physical inspection and examination of the evidence. Physically examine the hardware of computers and digital devices and document a specific description of the hardware; record all serial numbers, USB ports and network cable sockets. Take notes on anything unusual, take digital photographs and record them in the log file. Initialize the BIOS and capture the CMOS information. Boot the system without the media installed and record all important data, such as the system date, time, boot sequence and storage media settings. Examine the boot record data, check and record all partition data, and look for any unusual configurations. Understand the baseline of the particular type of machine and be aware of
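The authentication step of the Acquisition section, the chain-of-custody record of the Documentation section, and the sterile-media and custody requirements of the Preparation unit fit naturally into one worked example. The Python block below is added for this edition and is not code from the thesis. It hashes an acquired image in a single pass with the three checksums named in the Acquisition section (CRC-32, MD5, SHA-1) plus SHA-256, checks that a prepared target medium is entirely zero-filled, and keeps a chain-of-custody log in which every entry carries the hash of the entry before it and the log remembers the hash of its last entry, so that both a changed image and a rewritten log entry are detected. The hash-chained log design is my own choice for the example, not a method the thesis prescribes; the case and item identifiers, custodian name, timestamps and image contents are constructed placeholders. One caveat a practitioner would add to the text above: practical collision attacks on MD5 and SHA-1 have been published, which is why SHA-256 is recorded alongside them here.

```python
"""Authenticate an acquired image and keep a tamper-evident chain of custody.

Added example, not code from the thesis. Case and item identifiers, the
custodian name, the timestamps and the image bytes are constructed.
"""
import hashlib
import json
import os
import tempfile
import zlib

CHUNK = 1 << 20  # read in 1 MiB pieces so a large image never sits in memory whole


def image_digests(path):
    """CRC-32, MD5, SHA-1 and SHA-256 of the image, computed in one pass."""
    crc, md5, sha1, sha256 = 0, hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            crc = zlib.crc32(block, crc)
            for h in (md5, sha1, sha256):
                h.update(block)
    return {"crc32": f"{crc & 0xFFFFFFFF:08x}", "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def digests_of_bytes(data):
    """Hash a small constructed input as if it were an image file."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
    try:
        return image_digests(f.name)
    finally:
        os.unlink(f.name)


def is_sterile(path):
    """True when every byte of the target medium is zero, i.e. it was wiped."""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.strip(b"\x00"):
                return False
    return True


class CustodyLog:
    """Chain-of-custody entries: who held the item, when, why, and the image hash.
    Each entry stores the SHA-256 of the previous entry, and the log keeps the
    hash of its last entry (the head), so rewriting any entry is detectable."""

    def __init__(self, case_id, item_id):
        self.case_id, self.item_id, self.entries = case_id, item_id, []
        self.head = "0" * 64

    @staticmethod
    def _entry_hash(entry):
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def add(self, custodian, action, timestamp, sha256):
        entry = {"case": self.case_id, "item": self.item_id, "custodian": custodian,
                 "action": action, "time": timestamp, "sha256": sha256, "prev": self.head}
        self.entries.append(entry)
        self.head = self._entry_hash(entry)
        return entry

    def verify(self, current_sha256):
        """Return a list of problems; an empty list means log and image are intact."""
        problems, prev = [], "0" * 64
        for i, e in enumerate(self.entries):
            if e["prev"] != prev:
                problems.append(f"entry {i}: chain link broken")
            if e["sha256"] != self.entries[0]["sha256"]:
                problems.append(f"entry {i}: recorded hash differs from acquisition hash")
            prev = self._entry_hash(e)
        if prev != self.head:
            problems.append("log head mismatch: an entry was altered")
        if self.entries and current_sha256 != self.entries[0]["sha256"]:
            problems.append("image hash no longer matches acquisition hash")
        return problems


def demo():
    """Sterility check, acquisition hashes, custody log, then a one-bit change."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.dd")          # constructed wiped target medium
        with open(target, "wb") as f:
            f.write(b"\x00" * 4096)
        image = os.path.join(d, "item001.dd")           # constructed acquired image
        with open(image, "wb") as f:
            f.write(b"constructed disk image contents\n" * 100)
        d0 = image_digests(image)
        log = CustodyLog("CASE-0001", "ITEM-001")     # placeholder identifiers
        log.add("Examiner A", "acquired image on site", "2009-02-01T10:15:00Z", d0["sha256"])
        log.add("Examiner A", "placed in evidence locker", "2009-02-01T14:02:00Z", d0["sha256"])
        intact = log.verify(image_digests(image)["sha256"])
        with open(image, "r+b") as f:                   # flip one bit of the first byte
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0x01]))
        d1 = image_digests(image)
        after_flip = log.verify(d1["sha256"])
        log.entries[-1]["action"] = "returned to owner"  # someone edits the last entry
        tampered = log.verify(d1["sha256"])
        return {"sterile": is_sterile(target), "intact": intact, "after_flip": after_flip,
                "tampered": tampered, "changed": [k for k in d0 if d0[k] != d1[k]]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The head hash is only useful if it is stored somewhere the log's custodians cannot silently rewrite, for example printed on the signed paper form or kept on a separate system; otherwise the chain shows that entries are consistent with each other but not with what was originally recorded. The one-bit flip at the end reproduces the property the Acquisition section states: every one of the four checksums changes, which is what makes the recorded acquisition hash evidence that the working copy is still the duplicate that was made.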


Financial CISM. Certified Information Security Manager (CISM) Download Full Version :

Financial CISM. Certified Information Security Manager (CISM) Download Full Version : Financial CISM Certified Information Security Manager (CISM) Download Full Version : http://killexams.com/pass4sure/exam-detail/cism required based on preliminary forensic investigation, but doing so as

More information

Digital Forensics for Attorneys

Digital Forensics for Attorneys Lars E. Daniel, EnCE, ACE, AME, CTNS Digital Forensics Examiner Digital Forensics for Attorneys Overview of Digital Forensics Digital Forensics For Attorneys Overview of Digital Forensics Types of Digital

More information

Windows Forensics Advanced

Windows Forensics Advanced Windows Forensics Advanced Index: CF102 Description Windows Forensics - Advanced is the next step for forensics specialists, diving deeper into diverse processes on Windows OS serving computer investigators.

More information

Computer Information Systems (CIS) CIS 105 Current Operating Systems/Security CIS 101 Introduction to Computers

Computer Information Systems (CIS) CIS 105 Current Operating Systems/Security CIS 101 Introduction to Computers Computer Information Systems (CIS) CIS 101 Introduction to Computers This course provides an overview of the computing field and its typical applications. Key terminology and components of computer hardware,

More information

Donor Credit Card Security Policy

Donor Credit Card Security Policy Donor Credit Card Security Policy INTRODUCTION This document explains the Community Foundation of Northeast Alabama s credit card security requirements for donors as required by the Payment Card Industry

More information

Security Policies and Procedures Principles and Practices

Security Policies and Procedures Principles and Practices Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability

More information

COMPUTER HACKING FORENSIC INVESTIGATOR (CHFI) V9

COMPUTER HACKING FORENSIC INVESTIGATOR (CHFI) V9 COMPUTER HACKING FORENSIC INVESTIGATOR (CHFI) V9 Course Code: 3401 Prepare for the CHFI certification while learning advanced forensics investigation techniques. EC-Council released the most advanced computer

More information

Applications for Preservation and Production in our Digital World

Applications for Preservation and Production in our Digital World Applications for Preservation and Production in our Digital World Gavin W. Manes, Ph.D. President, Digital Forensics Professionals, Inc. Research Assistant Professor, The University of Tulsa Background

More information

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018 DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL June 14, 2018 A. Overriding Objective 1.1 This Directive establishes the rules and instructions for Bank Personnel with respect to Information

More information

Global Alliance Against Child Sexual Abuse Online 2014 Reporting Form

Global Alliance Against Child Sexual Abuse Online 2014 Reporting Form Global Alliance Against Child Sexual Abuse Online 2014 Reporting Form MONTENEGRO Policy Target No. 1 Enhancing efforts to identify victims and ensuring that they receive the necessary assistance, support

More information

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS

More information

A Road Map for Digital Forensic Research

A Road Map for Digital Forensic Research 1 Outline of Today s Lecture! A Road Map for Digital Forensic Research o Report from the 1 st Digital Forensic Research Workshop (DFRWS) 2001! Defining Digital Forensic Examination and Analysis Tools o

More information

God is in the Small Stuff and it all matters. .In the Small Stuff. Security and Ethical Challenges. Introduction to Information Systems Chapter 11

God is in the Small Stuff and it all matters. .In the Small Stuff. Security and Ethical Challenges. Introduction to Information Systems Chapter 11 Introduction to Information Systems Essentials for the Internetworked E-Business Enterprise 1 Eleventh Edition 2 Chapter Objectives C h a p t e r 11 Eleventh Edition James A. O Brien Identify several ethical

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy Why is Cleveland Broadband providing this Policy to me? Cleveland Broadband s goal is to provide its customers with the best Internet service possible. In order to help accomplish

More information

Digital Forensics UiO

Digital Forensics UiO Digital Forensics UiO About Me I am: Eivind Utnes, M.Sc. I work for: Watchcom Security Group AS I work as: Information Security Consultant Security Audits Digital Forensics / Incident Response Education

More information

Employee Privacy, Digital Evidence, and the CFE. Kenneth C. Citarella, M.B.A., J.D., CFE Managing Director, Investigations Guidepost Solutions LLC

Employee Privacy, Digital Evidence, and the CFE. Kenneth C. Citarella, M.B.A., J.D., CFE Managing Director, Investigations Guidepost Solutions LLC Employee Privacy, Digital Evidence, and the CFE Kenneth C. Citarella, M.B.A., J.D., CFE Managing Director, Investigations Guidepost Solutions LLC The Good Old Days CFE s Aerial View 1. What Information

More information

Digital Forensics UiO. Digital Forensics in Incident Management. About Me. Outline. Incident Management. Finding Evidence.

Digital Forensics UiO. Digital Forensics in Incident Management. About Me. Outline. Incident Management. Finding Evidence. Digital Forensics UiO Outline Incident Management Digital Forensics Finding Evidence 3 About Me I am: Eivind Utnes, M.Sc. I work for: Watchcom Security Group AS I work as: Information Security Consultant

More information

Incident Handling. Week 4: Incidents, Evidence and the Law

Incident Handling. Week 4: Incidents, Evidence and the Law Incident Handling Week 4: Incidents, Evidence and the Law George Berg & Jagdish S. Gangolly University at Albany 4/27/04 Incident Handling (G. Berg & J. Gangolly) 1 Road Map What is digital evidence? What

More information

300 Lena Drive Aurora, Ohio P: F: Page 1 of 5

300 Lena Drive Aurora, Ohio P: F: Page 1 of 5 Privacy MindStreams LLC respects the privacy of users who visit each of the sites within the MindStreams network. No effort is made to identify individuals without their knowledge. The following policies

More information

Introduction to Information Technology Turban, Rainer and Potter John Wiley & Sons, Inc. Copyright Chapter 12 1

Introduction to Information Technology Turban, Rainer and Potter John Wiley & Sons, Inc. Copyright Chapter 12 1 Introduction to Information Technology Turban, Rainer and Potter John Wiley & Sons, Inc. Copyright 2005 Chapter 12 1 IT Ethics, Impacts, and Security Chapter 12 2 Chapter Outline Ethical Issues Impact

More information

Information Security Incident Response Plan

Information Security Incident Response Plan Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,

More information

CITADEL INFORMATION GROUP, INC.

CITADEL INFORMATION GROUP, INC. CITADEL INFORMATION GROUP, INC. The Role of the Information Security Assessment in a SAS 99 Audit Stan Stahl, Ph.D. President Citadel Information Group, Inc. The auditor has a responsibility to plan and

More information

COMPUTER FORENSICS THIS IS NOT CSI COLORADO SPRINGS. Frank Gearhart, ISSA Colorado Springs

COMPUTER FORENSICS THIS IS NOT CSI COLORADO SPRINGS. Frank Gearhart, ISSA Colorado Springs COMPUTER FORENSICS THIS IS NOT CSI COLORADO SPRINGS Frank Gearhart, ISSA Colorado Springs TECHNOLOGY + INVESTIGATION + STORYTELLING Know the case Find the evidence Follow the facts Create the timeline

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

e-discovery Forensics Incident Response

e-discovery Forensics Incident Response e-discovery Forensics Incident Response NetSecurity Corporation Inno Eroraha, Chief Strategist 22375 Broderick Drive Suite 235 Dulles, VA 20166 SBA 8(a) Certified SDB GSA Contract # GS-35F-0288Y VA DCJS

More information

Management: A Guide For Harvard Administrators

Management: A Guide For Harvard Administrators E-mail Management: A Guide For Harvard Administrators E-mail is information transmitted or exchanged between a sender and a recipient by way of a system of connected computers. Although e-mail is considered

More information

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected.

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected. I Use of computers This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security policy. To

More information

From the Lab to the Boardroom; Forensics goes mainstream

From the Lab to the Boardroom; Forensics goes mainstream From the Lab to the Boardroom; Forensics goes mainstream Jim Butterworth, EWC USN (Ret.), EnCE & GCIA, Director of Incident Response, Guidance Software Definition: P A G E 1 Computer Forensics The Scientific

More information

Identity Theft Prevention Policy

Identity Theft Prevention Policy Identity Theft Prevention Policy Purpose of the Policy To establish an Identity Theft Prevention Program (Program) designed to detect, prevent and mitigate identity theft in connection with the opening

More information

Scientific Working Groups on Digital Evidence and Imaging Technology

Scientific Working Groups on Digital Evidence and Imaging Technology SWGDE/SWGIT Guidelines & Recommendations for Training in Digital & Multimedia Evidence Disclaimer: As a condition to the use of this document and the information contained therein, the SWGDE/SWGIT request

More information

Computer Information Systems (CIS) CIS 105 Current Operating Systems/Security CIS 101 Introduction to Computers

Computer Information Systems (CIS) CIS 105 Current Operating Systems/Security CIS 101 Introduction to Computers Computer Information Systems (CIS) CIS 101 Introduction to Computers This course provides an overview of the computing field and its typical applications. Key terminology and components of computer hardware,

More information

Checklist for Rule 16(c) Pretrial Conference for Computer-Based Discovery

Checklist for Rule 16(c) Pretrial Conference for Computer-Based Discovery Checklist for Rule 16(c) Pretrial Conference for Computer-Based Discovery To aid and advance the ability for a litigation to successfully employ computer-based discovery, Rule 16(c) of the Federal Rules

More information

Acceptable Use Policy (AUP)

Acceptable Use Policy (AUP) Acceptable Use Policy (AUP) Questions regarding this policy and complaints of violations of this policy by PLAINS INTERNET users can be directed to support@plainsinternet.com. Introduction Plains Internet

More information

Unit code: D/601/1939 QCF Level 5: BTEC Higher National Credit value: 15

Unit code: D/601/1939 QCF Level 5: BTEC Higher National Credit value: 15 Unit 49: Digital Forensics Unit code: D/601/1939 QCF Level 5: BTEC Higher National Credit value: 15 Aim To provide learners with an understanding of the principles of digital forensics and the impact on

More information

TERMS OF USE Terms You Your CMT Underlying Agreement CMT Network Subscribers Services Workforce User Authorization to Access and Use Services.

TERMS OF USE Terms You Your CMT Underlying Agreement CMT Network Subscribers Services Workforce User Authorization to Access and Use Services. TERMS OF USE A. PLEASE READ THESE TERMS CAREFULLY. YOUR ACCESS TO AND USE OF THE SERVICES ARE SUBJECT TO THESE TERMS. IF YOU DISAGREE OR CANNOT FULLY COMPLY WITH THESE TERMS, DO NOT ATTEMPT TO ACCESS AND/OR

More information

Information Technology Cyber Security Policy. Convergint Technologies, LLC

Information Technology Cyber Security Policy. Convergint Technologies, LLC Information Technology Cyber Security Policy Convergint Technologies, LLC September 2015 Convergint Technologies, LLC POLICY MANUAL Subject: CYBER SECURITY POLICY Approved: Tom Schmitt Effective Date:

More information

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY Published By: Fusion Factor Corporation 2647 Gateway Road Ste 105-303 Carlsbad, CA 92009 USA 1.0 Overview Fusion Factor s intentions for publishing an

More information

Digital Forensics at a University. Calvin Weeks Director, Oklahoma Digital Forensics Lab University of Oklahoma

Digital Forensics at a University. Calvin Weeks Director, Oklahoma Digital Forensics Lab University of Oklahoma Digital Forensics at a University Calvin Weeks Director, University of Oklahoma Calvin Weeks Director, Former Director of IT Security Certified EnCASE Examiner (EnCE) VP of the local chapter of HTCIA Co-Chair

More information

Education Network Security

Education Network Security Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Credit Card Data Compromise: Incident Response Plan

Credit Card Data Compromise: Incident Response Plan Credit Card Data Compromise: Incident Response Plan Purpose It is the objective of the university to maintain secure financial transactions. In order to comply with state law and contractual obligations,

More information

Understanding Computer Forensics

Understanding Computer Forensics Understanding Computer Forensics also known as: How to do a computer forensic investigation... and not get burned Nick Klein SANS Canberra Community Night 11 February 2013 The scenario... Your boss tells

More information

Chapter 12. Information Security Management

Chapter 12. Information Security Management Chapter 12 Information Security Management We Have to Design It for Privacy... and Security. Tension between Maggie and Ajit regarding terminology to use with Dr. Flores. Overly technical communication

More information

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS 10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND

More information

DIGITAL FORENSICS FORENSICS FRAMEWORK FOR CLOUD COMPUTING

DIGITAL FORENSICS FORENSICS FRAMEWORK FOR CLOUD COMPUTING 17.09.24 DIGITAL FORENSICS FORENSICS FRAMEWORK FOR CLOUD COMPUTING FORENSICS FRAMEWORK FOR CLOUD COMPUTING OUTLINE Abstract Introduction Challenges in cloud forensics Proposed solution Conclusion Opinion

More information

Bachelor of Information Technology (Network Security)

Bachelor of Information Technology (Network Security) Course information for Bachelor of Information Technology (Network Security) Course Number HE20524 Location Meadowbank Course Design The Bachelor of Information Technology (Network Security) is a three-year

More information

and the Forensic Science CC Spring 2007 Prof. Nehru

and the Forensic Science CC Spring 2007 Prof. Nehru and the Introduction The Internet, (Information superhighway), has opened a medium for people to communicate and to access millions of pieces of information from computers located anywhere on the globe.

More information

This Policy applies to all staff and other authorised users in St Therese School.

This Policy applies to all staff and other authorised users in St Therese School. St. Therese School Computer and Internet Policy STAFF Policy Statement All staff and other authorised users of St Therese information and communications technology are to use the technology only in a way

More information

Management Information Systems. B15. Managing Information Resources and IT Security

Management Information Systems. B15. Managing Information Resources and IT Security Management Information Systems Management Information Systems B15. Managing Information Resources and IT Security Code: 166137-01+02 Course: Management Information Systems Period: Spring 2013 Professor:

More information

Lesson-1 Computer Security

Lesson-1 Computer Security Threats to computer Security: What do they mean by a threat? Lesson-1 Computer Security A threat, in the context of computer security, refers to anything that has the potential to cause serious harm to

More information

Digital Forensics UiO

Digital Forensics UiO Digital Forensics UiO About Me I am: Eivind Utnes, M.Sc. I work for: Watchcom Security Group AS I work as: Head of Security Senior Information Security Consultant Security Audits Digital Forensics / Incident

More information

MOBILE DEVICE FORENSICS

MOBILE DEVICE FORENSICS MOBILE DEVICE FORENSICS Smart phones and other handheld electronics have become an important part of our everyday lives and the ever changing technology is making these devices a major source of digital

More information

Trends in Mobile Forensics from Cellebrite

Trends in Mobile Forensics from Cellebrite Trends in Mobile Forensics from Cellebrite EBOOK 1 Cellebrite Survey Cellebrite is a well-known name in the field of computer forensics, and they recently conducted a survey as well as interviews with

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO/IEC 20000 Lead Auditor www.pecb.com The objective of the Certified ISO/IEC 20000 Lead Auditor examination is to ensure that the candidate

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy. August 2016 1. Overview Kalamazoo College provides and maintains information technology resources to support its academic programs and administrative operations. This Acceptable

More information

OVERVIEW OF SUBJECT REQUIREMENTS

OVERVIEW OF SUBJECT REQUIREMENTS Course Bachelor of Information Technology (Network Security) Course Number HE20524 Location Meadowbank OVERVIEW OF SUBJECT REQUIREMENTS Note: This document is intended as a guide only. Enrolling students

More information