It is useful to draw the evidentiary requirements, legal considerations, and principles together into a framework or model that provides coherency and consistency for all aspects of conducting computer forensics.
In developing such a framework, it is important to focus on the challenges that may be presented to the examiner in applying the model to carry out examinations and in the presentation of the resulting evidence in such a way that it is subsequently accepted in court.
1. Expertise test: Obviously a key test will be to challenge the expertise and credibility of the computer forensic examiner who conducts the forensic analysis and presents the resulting evidence. This test essentially seeks to establish the strength and reliability of the expert’s knowledge as applied to the IT environment in which the electronic evidence is extracted.
2. Methodology test: The methodology test probes the processes and procedures adopted by the computer forensic examiner during the computer forensic examination. The adoption of poorly constructed methodologies can lead to erroneous analysis results, and may even lead to the destruction of, or alterations to, potential evidentiary data.
3. Technology test: The technology test examines the technology used during the forensic examination process, and aims to test the accuracy, reliability, and relevance of the technology as applied in the computer forensic analysis.
3.4.1 Computer forensic—secure, analyze, present (CFSAP) model
The CFSAP (computer forensic—secure, analyze, present) model essentially combines the four key elements of computer forensics (identification, preservation, analysis and presentation) into three distinct steps. Each step combines a number of processes to achieve three key objectives:
1. The securing of potential evidence;
2. The analysis of secured data;
3. The presentation of the analysis results.
The CFSAP model (Figure 3.1) provides a framework within which detailed individual forensic processes and procedures may be developed. It is of a sufficiently high level that it can be used to develop procedures for any of the different types of computer forensics as detailed throughout this book [19].
3.4.1.1 Secure—securing potential evidence
The securing of evidence encompasses both the identification of potential sources of evidence as well as the preservation of data residing within each source. The development of a suitable methodology to secure electronic evidence will be dependent upon the rules of evidence and the technology available at the time. The primary focus of this stage is to ensure that all available evidence is identified and captured in such a way that its integrity and value is not diminished.
Figure 3.1 The CFSAP model.
Identification The identification of data requires a comprehensive understanding of both the nature of the IT environment as well as the underlying technology. Failure to understand both of these can result in the key evidence being missed. Once potential evidence is located, and before it is preserved, the forensic examiner must ensure that it is relevant to the facts under investigation. Depending on the circumstances and grounds on which the evidence is being acquired, failure to determine relevance could see it ruled inadmissible in any future legal examination.
Preservation Once potential evidence has been identified it will be necessary to either preserve the original data in the state in which it is found or to make an exact duplicate of the data. Essentially computer forensic rule 1 (minimal handling of the original) and rule 3 (comply with the rules of evidence) are critical in the securing stage. The preservation of data under these circumstances involves two distinct steps:
1. Duplication;
2. Authentication.
While it is preferred that the original source of evidence be preserved, in reality this may not be possible. Electronic evidence may reside on a computer system that is critical to the ongoing operations of a business, or alternatively it may reside on a computer geographically removed, yet remotely accessible. In either case, securing of the original is not realistic. In such instances, it is desirable to duplicate the data by making an exact copy through the use of forensically sound duplication techniques. Similarly, where data of evidentiary value is being collected in real time, as in the case of live monitoring of system logs during unauthorized network activity, it would be unrealistic to take the receiving system off-line for the purposes of preserving data captured. Interestingly in some instances, such as some criminal investigations, retention of the original data by the systems owner may constitute a continuation of an offence, thereby necessitating the seizure of the original computer system(s).
After duplicating the data it is necessary to authenticate the copy by applying some means of comparison with the original. This is particularly a problem if the original data is resident on a live system that is constantly subjected to change. This raises the question, why would you need to authenticate a copy sometime after the duplication process has occurred? The simple answer is that in some instances, it could be alleged that the copy has been altered, either deliberately or inadvertently, and as such is not reliable. The best way to authenticate data is to fingerprint the files by generating an OWHF (one-way hash function, discussed in Chapter 2) of both the original and copy data at the time of duplication. If the duplication process is accurate, the fingerprints should match up. Additionally, if it is alleged that the data has been tampered with, the retaking of a mathematical fingerprint from the copy data should yield the same result as that derived at the time of duplication.
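The following Python script is an added illustration of the duplication and authentication steps just described; it is not part of the original text. It assumes SHA-256 as the one-way hash function, operates on a constructed sample image rather than real evidence, and shows both outcomes: a copy that authenticates at the time of duplication, and the same copy failing re-verification after a single byte has been changed.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so large images need not fit in memory


def fingerprint_file(path):
    """Return the SHA-256 hex digest of a file (SHA-256 stands in for the OWHF)."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fingerprint_bytes(data):
    """Same fingerprint for an in-memory buffer (e.g., an extracted item)."""
    return hashlib.sha256(data).hexdigest()


def duplicate_and_authenticate(original_path, copy_path):
    """Duplicate the original and prove the copy matches it at the time of duplication.

    Returns the recorded fingerprint. Raises if original and copy differ, because an
    unauthenticated copy has no evidentiary value.
    """
    shutil.copyfile(original_path, copy_path)
    original_hash = fingerprint_file(original_path)
    copy_hash = fingerprint_file(copy_path)
    if original_hash != copy_hash:
        raise RuntimeError("duplication failed: fingerprints differ")
    return original_hash


def reverify(copy_path, recorded_hash):
    """Later check: retake the fingerprint of the copy and compare with the recorded one."""
    return fingerprint_file(copy_path) == recorded_hash


def demo():
    """Walk through duplication, authentication, and a later tamper check on constructed data."""
    workdir = tempfile.mkdtemp()
    try:
        original = os.path.join(workdir, "original.img")
        master = os.path.join(workdir, "master.img")
        # Constructed sample "image"; any real acquisition would be a block-level copy.
        with open(original, "wb") as handle:
            handle.write(b"constructed sample disk image block\n" * 2048)

        recorded = duplicate_and_authenticate(original, master)
        intact = reverify(master, recorded)  # nothing has changed, so this is True

        # Simulate an allegation of tampering: change one byte of the copy.
        with open(master, "r+b") as handle:
            handle.seek(100)
            handle.write(b"X")
        still_intact = reverify(master, recorded)  # fingerprint no longer matches: False
        return intact, still_intact
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The recorded fingerprint is what the examiner keeps with the case notes; re-running `reverify` against it at any later time answers an allegation of alteration without needing access to the original system.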
3.4.1.2 Analyzing data
The analysis of potential digital evidence essentially encompasses three steps:
1. The preparation of data;
2. The processing of extracted data;
3. The interpretation of data.
Preparation This is the preparatory process in which captured data is made ready for processing. Whether the original data is seized, or an authenticated copy of the original is obtained, it is essential that the forensic examiner possess a master copy of the data to be examined. The master copy is simply an authenticated copy of the original that is preserved for future reference. To guard against possible changes, it is not uncommon for the master copy to be stored on some form of permanent storage media (e.g., CD-ROM or DVD). The master copy forms the benchmark upon which the forensic process may proceed. To this end, it is regarded as standard practice to work from a secondary copy of the master copy. If during the examination process changes to the data occur, or some form of research and development on the data is required to overcome a problem, the computer forensic examiner still has, by way of the master copy, an authenticated duplicate from which to recommence the examination.
Processing The processing of data essentially encapsulates the application of computer technology, in the form of data recovery and analysis tools, to the retrieval of relevant electronic evidence. Simply put, it is the finding of the proverbial needle in the haystack. The processing of data entails two key steps:
1. The search for relevant data;
2. The extraction of relevant data.
The search for relevant data involves scanning through all preserved data, searching for information that matches a predetermined criterion. The predetermined criteria can encompass things such as key words, recorded events or activities, system changes or anomalies, or disguised or encrypted data. In searching for relevant data, the forensic examiner will not only examine current files, but also consider searching for deleted material or residual data. Additionally, the computer forensic examiner may apply various pattern matching or data analysis techniques in an effort to identify relationships between data that may afford valuable evidence of an event or course of conduct.
The extraction of data can only take place when relevant data has been located. The extraction process simply involves the isolation and duplication of the relevant items of data from the copy undergoing examination. These extracted copies form the basis of the electronic evidence for the particular matter under investigation.
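As an added illustration of the search and extraction steps (not part of the original text), the following Python script scans a constructed miniature disk image for predetermined criteria (a key word and an e-mail address pattern), records whether each hit lies in an allocated file or in unallocated space where deleted material may survive, and then extracts each hit with its surrounding bytes as a separately fingerprinted item. The block size, allocation map and image contents are all constructed for the example; a real examination would take them from the file system being analyzed.

```python
import hashlib
import re

BLOCK = 512  # constructed block size for the sample image


def build_sample_image():
    """Constructed sample: a four-block 'disk image' and the set of allocated blocks."""
    live = b"Invoice 2024-17 approved by j.doe@example.test\n"
    deleted = b"DELETED draft: invoice total altered, send to j.doe@example.test\n"
    blocks = [
        live.ljust(BLOCK, b"\x00"),     # block 0: current (allocated) file
        b"\x00" * BLOCK,                # block 1: unused
        deleted.ljust(BLOCK, b"\x00"),  # block 2: unallocated, holds residue of a deleted file
        b"\xff" * BLOCK,                # block 3: unused
    ]
    allocated = {0}  # a real allocation map would come from the file system metadata
    return b"".join(blocks), allocated


def search_image(image, allocated, patterns):
    """Scan the whole preserved image, current files and residual space alike.

    patterns maps a criterion name to a bytes regular expression. Each hit records the
    absolute offset and whether it sits in an allocated block or in unallocated space.
    """
    hits = []
    for name, pattern in patterns.items():
        for match in re.finditer(pattern, image):
            block = match.start() // BLOCK
            hits.append({
                "criterion": name,
                "offset": match.start(),
                "match": match.group(0),
                "region": "allocated" if block in allocated else "unallocated",
            })
    hits.sort(key=lambda hit: hit["offset"])
    return hits


def extract_items(image, hits, context=32):
    """Isolate and duplicate each relevant item from the working copy.

    Each extracted item carries its byte range and its own fingerprint so that it can be
    authenticated independently of the full image later on.
    """
    items = []
    for hit in hits:
        start = max(0, hit["offset"] - context)
        end = min(len(image), hit["offset"] + len(hit["match"]) + context)
        data = image[start:end]
        items.append({**hit, "start": start, "end": end, "data": data,
                      "sha256": hashlib.sha256(data).hexdigest()})
    return items


def demo():
    """Run the search and extraction over the constructed image and return the items."""
    image, allocated = build_sample_image()
    patterns = {
        "keyword:invoice": rb"(?i)invoice",                      # case-insensitive key word
        "email": rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+",              # simple e-mail address pattern
    }
    hits = search_image(image, allocated, patterns)
    return extract_items(image, hits)


if __name__ == "__main__":
    for item in demo():
        print(f"{item['offset']:6d} {item['region']:<12} {item['criterion']:<16} {item['match']!r}")
```

Two of the four hits fall in unallocated space, which is precisely the residual data a search confined to current files would miss. The per-item fingerprint supports the authentication requirement described under preservation: an extracted item can be shown to match what was taken from the working copy.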
Interpretation The interpretation stage relies heavily on the knowledge and skill of the computer forensic examiner, rather than the capabilities of the forensic technology as relied upon in the processing step. Once the computer forensic examiner has isolated electronic evidence, he/she must be able to interpret it to establish its meaning and, therefore, its bearing within any investigation or inquiry. The interpretation of data is undertaken to establish key issues, such as relevance, context, ownership, and identity (these are discussed in more detail later on in the book). It is in the interpretation stage that the computer forensic examiner may express an opinion or belief regarding things such as the following:
• How the data came to be on the computer system;
• The accuracy and reliability of the data;
• The possible identity of the owner;
• The purpose of the data.
In expressing an opinion that may be used in subsequent legal proceedings, the computer forensic examiner must possess sufficient knowledge regarding the IT environment from which the data is derived to satisfy the expertise test.
3.4.1.3 Presentation of results
The presentation of the results of a computer forensic examination is the final step in the computer forensic process. It is at this point that all relevant data should have been identified, preserved, and extracted. In presenting the results of an examination, it is critical for the computer forensic examiner to be able to clearly and concisely convey both the results obtained and the meaning of those results. To this end, it is essential that the computer forensic examiner be able to explain complex technological concepts and techniques in easy-to-understand terms.
This is important given that in some instances the results of the computer forensic examination may end up being tendered in evidence before a court of law. Consequently, the computer forensic examiner must be able to convey the significance of any results to persons who may have little or no understanding of the technology employed.
To assist the computer forensic examiner in the presentation stage, it may be necessary to employ various visualization tools, such as flow charts and link analysis charts, in an effort to explain underlying concepts and relationships. While such visualization techniques may assist, it should be remembered that they are merely an aid to, and not a substitute for the actual evidence.
In presenting the results, the computer forensic examiner is faced with the possibility of being challenged on his/her findings based on the following:
• The tools used;
• The methodology employed;
• The examiner’s expertise.
A failure to satisfy any challenge can result in the electronic evidence being regarded with suspicion, and may ultimately result in the computer forensic examiner’s credibility being challenged.