What is in the suitcase of a Digital Forensic Expert?
A policeman has his gun and handcuffs with him while attending a crime scene. Likewise, a digital forensics expert has a suitcase packed with the tools and devices needed for evidence collection.
Digital Forensic experts are an essential part of every information security setup in this digital era, whether a private security firm, LEA, department of justice, or the national cyber security department.
Security forensics experts have also become an essential part of a crime scene: in this modern age of IoT, and given the omnipresence of digital evidence, it is a rare crime that does not involve digital devices or systems as accomplices.
These days every LEA or organization requires computer forensic experts onboard for collection, examination, handling, and reporting of digital evidence.
Read on to learn what is in the suitcase of a seasoned digital forensics expert and how he collects evidence at a crime scene. Beyond that, how is the evidence examined and handled?
You will receive answers to these and other questions in this article!
Disclaimer: This piece is written while assuming that the reader has prior knowledge about digital forensics. We are against the use of information technology for criminal purposes.
Table of Contents
- Tools for volatile data collection
- Tools for Live System Imaging
- Tools for Dead System Imaging (Forensic Imaging)
Every digital forensic analysis requires a set of standard industry tools for collecting and handling digital evidence. The analyst is bound to follow the organization's standard operating procedures for incident response and investigation.
Also, the toolkit is customized/developed according to the relevant policy.
Digital Forensics Incident Response (DFIR) policies, procedures, and standards vary depending upon the organization or LEA. Most police forces around the world have developed their own national policies and procedures. Sadly, there are no globally accepted standards for collecting digital evidence.
But, but, but.
Incident response/forensic data collection is the most crucial step in the entire process of a digital investigation.
Nevertheless, I will present some tools, software, and devices commonly used at a crime scene by seasoned experts, and alongside them highlight some best practices of evidence handling.
Tools for volatile data collection
The term volatile refers to data that changes at runtime and is lost when the system or device is powered off. It is essential to collect volatile data first during an investigation because it may contain critical evidence and is time-sensitive.
Moreover, even a slight delay might result in the loss of critical data.
RAM is the prime example of volatile storage, and collecting it involves making a forensic image of the RAM contents.
Volatile data can be collected using command-line tools, custom scripts, or GUI-based tools. Some commonly used tools are:
Besides these CLI and GUI-based tools, custom scripts coded in Bash, PowerShell, Python, and PHP also prove handy.
Again, the choice of tool depends on the organizational policy.
The analyst does volatile data collection in case:
- The system cannot be powered off due to the chances of evidential data being lost
- The system was hit with a Trojan or other malware
- Communication or data transfer is in process
- The device is being hacked
Tools for Live System Imaging
Live system imaging refers to capturing a snapshot of the system while it is running, i.e., imaging the data at runtime. However, seasoned experts do not prefer this method because capturing a live system requires many resources, a lot of storage capacity, and time.
Live system imaging is often the last resort, used when the target system cannot be shut down because doing so would disrupt critical operations, for example on a business-critical server.
Furthermore, professionals recommend that evidence from hard drives and SSDs in systems running full-disk encryption be acquired via live system imaging, while the encrypted volume is still unlocked.
The tools used by the digital forensic analyst in this case are:
Experts often prefer dead system imaging over live imaging because of time constraints at a crime scene, as the live imaging process is prolonged. But there are cases in which live imaging is unavoidable.
Tools for Dead System Imaging (Forensic Imaging)
Dead system imaging is the traditional method preferred by seasoned incident responders and digital forensic experts. Dead acquisition is the best practice for creating a forensic image because it involves the use of write blockers, which preserve the integrity of the evidence.
The traditional approach in dead imaging is to power down the system and remove the disk(s). The disk is then connected through a hardware or software write blocker to create the image.
However, dead imaging is only possible if the system can be powered off and the disk is not encrypted.
Write blockers come in two types: hardware and software.
Software write blockers include:
- RCMP HDL
- SAFE BLOCK
Whereas hardware write blockers used in industry are:
Professionals in the field mostly prefer hardware write blockers because they are less prone to human errors.
Like write blockers, dead imaging tools are also available in hardware and software form. The software imaging tools are the same industry-standard imaging tools already mentioned.
Hardware imaging tools include:
- Solo III
In terms of adaptability and ease of use, analysts prefer hardware imaging tools.
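As an added example (not code from the article or from any of the tools it names), a Python sketch of the dead-acquisition step described above: the source is opened read-only, copied chunk by chunk into a raw image while being hashed, the written image is re-hashed independently, and the result goes into an acquisition record for the case file. A constructed file stands in for the disk, and the examiner and case identifiers are placeholders.

```python
"""Added example: dead-acquisition imaging with integrity verification. A regular
file stands in for the block device; on a real case the source is the disk sitting
behind a write blocker."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size

def hash_file(path: str) -> dict:
    """MD5 and SHA-256 hex digests of a file, computed in one streaming pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def acquire(source: str, image: str, examiner: str, case_id: str) -> dict:
    """Copy `source` to a raw (dd-style) `image`, hashing the source as it is
    read, then re-hash the written image and return an acquisition record."""
    started = datetime.now(timezone.utc).isoformat()
    md5, sha = hashlib.md5(), hashlib.sha256()
    # O_RDONLY: the evidence is never opened for writing. This is only a
    # software-side guard; the hardware write blocker is the real protection.
    with os.fdopen(os.open(source, os.O_RDONLY), "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
            dst.write(chunk)
    source_hashes = {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}
    image_hashes = hash_file(image)  # independent re-read of what reached the disk
    return {
        "case_id": case_id, "examiner": examiner,
        "source": source, "image": image, "bytes": os.path.getsize(image),
        "started_utc": started, "finished_utc": datetime.now(timezone.utc).isoformat(),
        "source_hashes": source_hashes, "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,  # must be True before the image is sealed
    }

def demo() -> dict:
    """Constructed sample: a 3 MiB pseudo-disk starting with an NTFS-style OEM tag."""
    d = tempfile.mkdtemp()
    src, img = os.path.join(d, "evidence.bin"), os.path.join(d, "evidence.dd")
    with open(src, "wb") as f:
        f.write(b"NTFS    " + bytes(range(256)) * (3 * 4096))
    return acquire(src, img, examiner="EXAMINER-PLACEHOLDER", case_id="CASE-PLACEHOLDER")
```

The returned record is what goes into the chain-of-custody log; a mismatch between the two hash sets means the image must be discarded and re-acquired.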
Image source – oas.org
The first responders at a crime scene should have the following items in their toolkit, along with relevant imaging tools and devices:
- Evidence Inventory bags
- Cardboard boxes
- Evidence tape
- Paper evidence bags
- Crime scene tape
- Nonmagnetic tools
- Antistatic bags
- Permanent markers
- Evidence labels or tags
Besides these, best practice involves using radio-frequency shielding material, such as a Faraday bag or aluminum foil, for storing mobile devices and similar items. Thus, Faraday isolation bags are also an essential part of the toolkit.
These items are essential for investigation proceedings at a crime scene. Therefore, all LEA first responders have them in their digital evidence collection toolkit.
Image source – arrowheadforensics.com
In the sections above, I have discussed only the evidence collection and imaging tools.
But, do you know what comes after the evidence is collected and preserved?
Collected evidence and images need to be examined and analyzed, then documented and reported. The investigation process starts at identification and collection and concludes at reporting.
Afterward, the report is presented in court. Then, in a criminal case, the jury decides the fate of the accused.
As with the collection toolkit, analysts use industry-standard tools and procedures for analysis and reporting.
The digital forensics tools used by experts are:
- EnCase Forensic
Generally, professionals prefer Autopsy because it is fast, reliable, easy to use, and has a user-friendly GUI. It is an open-source tool and contains very efficient modules. It is built on The Sleuth Kit, a library for forensic analysis that runs on Windows and UNIX.
The significant advantage of Autopsy is that it offers collaboration features and centralized shared case databases, which help when multiple examiners work on a single case. Moreover, one can easily customize the modules because it is purely an open-source tool.
The procedures and standards for documentation and reporting vary according to the organization's policy. However, it must include all the essential details of each investigation step.
Also, the tools, protocols, procedures, and methods used for investigation must be mentioned.
The major portion of the final report consists of the analysis leading to each conclusion, with the relevant supporting evidence attached and explained.
Image source – ijeat.org
Digital crimes will continue to increase in the future, as will the need for digital forensics experts. The concern here is that there is no globally accepted standard for DFIR and digital forensics investigation.
The policymakers and relevant stakeholders must come together to formulate global standards for this critical yet ignored field of forensics.
Until we have standard procedures for DFIR and examination, the tools, software, devices, techniques, etc., cannot be fixed. Thus, it would be unreasonable to say that all the tools mentioned above are part of every digital forensic expert's suitcase.
But most of these tools are considered standard due to their reliability, features, and popularity in the industry. Therefore, you can expect at least one of each category of tool discussed in the suitcase.
If you feel like I have missed something, please feel free to discuss it in the comments!