In the present digital world, digital evidence is becoming increasingly important for investigating criminal activity. Evidence is likely to be found on a wide range of digital media, such as mobile phones, personal computers and web servers. Evidence in digital form can be copied easily, and it is very difficult to distinguish the original from a duplicate copy. The data containing the evidence of a crime can also be modified or removed from the original file. Hence there is a need for more sophisticated forensic investigation techniques and tools to extract correct evidence from the information stored on a suspect computer. Forensic investigators usually perform a thorough scan of the hard drives and memory devices of suspect computers to obtain the required evidence. If a suspect computer contains a large number of image files, analysing them and detecting the relevant evidence is difficult and time-consuming (Kim, Hong, & Won, 2008).
The process followed in a forensic investigation is very important, as it determines the quality of the investigation's output. Any inclusion, exclusion or modification of steps in the investigation process may lead to wrong or incomplete results. If the investigation is not conducted properly, a criminal may walk free or an innocent person may be punished (Baryamureeba & Tushabe, 2004). Digital forensics can be defined as the use of scientifically proven methods for identifying, collecting, validating, preserving and analysing evidence from digital sources in order to reconstruct the events in criminal cases. The most important factor to be considered in digital forensics is credibility. Evidence from digital sources covers computer devices, audio, video, images, mobile phones, faxes and so on. The evidence should have properties such as authenticity, integrity, non-interference (the investigation itself must not have altered it), recoverability and so on.
The primary objective of this process is to obtain the digital evidence and analyse it in the same way as a physical crime scene investigation. The preservation phase protects the digital evidence for the further investigation relating to the crime scene. The survey phase involves transferring the digital evidence from the crime location to a secure location. The documentation phase involves documenting the information about the digital evidence. The search and analysis phase involves analysing the digital evidence to find details of the data such as its creation, modification and last access times. Timeline information is also collected to create the chain of events at the crime scene. The reconstruction phase involves putting together all the small pieces of information to form evidence that supports the account of the crime scene. The presentation phase involves creating the evidence report and submitting it to the case investigator for further investigation (Baryamureeba & Tushabe, 2004).
The following diagram shows the systematic digital forensic investigation model and the set of processes involved in it (Agarwal, Gupta, Gupta, & Gupta, 2011).
The digital forensic investigation methodology can be performed in the following eight steps:
- Verification of the incident
The first step is the verification of the incident and an assessment of the case in all its dimensions. Verification involves analysing the situation, the nature of the incident and its other specifics. This step is very important, as it establishes the characteristics of the case and helps in selecting a suitable approach for identifying, preserving and collecting the digital evidence.
- Description of the system
This step involves collecting information about the system on which the incident occurred: its role and importance within the organisation, and technical details such as the system configuration, the operating system, the hard disk layout and format, the RAM, and the other storage locations where evidence may reside.
- Gathering of evidence
This step involves identifying all the potential sources of data, whether in permanent (non-volatile) or temporary (volatile) storage, establishing the originality of the data and maintaining the chain of custody. It is better to collect all of the data than too little, because at this stage the investigator does not yet know where the evidence is located. It is also important to collect the data in order of priority, with volatile sources such as memory acquired before the disks.
- Timeline Analysis
Once the evidence has been collected from the sources on the system, it can be examined using forensic tools. Timeline analysis is a critical step in the methodology, as it shows when a file was created, modified and accessed (and, where the file system records it, when its metadata last changed). This timeline information is used to reconstruct the chain of events that occurred during the incident.
- Analysis of media and artifacts
This step deals with a large volume of information. At the end of the investigation, the report should state which data were accessed, which were copied, which were deleted, which folders were opened and which links were clicked. Memory analysis can also be performed in this step; it involves analysing running processes, network connections, loaded libraries, handles, mutexes and so on.
- Search of strings and bytes
In this step, a byte or string search is performed over the image using standard tools. If the investigator knows what information is needed, this step searches the image for it. Regular expressions can also be used for string searches. The bytes or strings searched for are tied to the digital evidence relevant to the case the investigator is dealing with.
- Data Recovery
This step is performed when evidence has to be recovered from the system. Various tools can be used to examine the file system for hidden or deleted files related to the case. Evidence can also be recovered directly from the raw image by searching for known file headers (carving), which works even when the file's directory entry no longer exists.
- Creating the report with the findings
This is the last step in the forensic investigation, in which the results or findings are compiled into a report. The report consists of the set of actions performed on the system to derive the evidence and the scientific methods and tools used to perform the investigation. The report should be written in plain English so that its audience can understand it when it is submitted as evidence in legal proceedings or for administrative purposes (Rocha, 2014).
The Autopsy tool is used to analyse the evidence file in this forensic investigation study. Autopsy is an HTML-based graphical interface to The Sleuth Kit which can analyse disk images and file systems such as NTFS, FAT, UFS and Ext. Analysis can be done in two modes: dead analysis and live analysis. In a dead analysis, the data from the suspect system is examined on a dedicated analysis system in a trusted environment that contains Autopsy and The Sleuth Kit. In a live analysis, the suspect system is examined while it is running, with Autopsy and The Sleuth Kit run (for example from a CD) inside that untrusted environment, so the results are only as trustworthy as the running system. The analysis techniques provided by Autopsy are listed below:
- List files:
This is used to list all files and directories, including the names of deleted files and files with Unicode names.
- View Content of file:
This is used to view the contents of a file in various formats, such as raw, hexadecimal and ASCII strings.
- Lookup unknown files:
Unknown files are looked up in a hash database to quickly identify them as known-good or known-bad.
- Sorting based on file type:
All the files on the suspect system are sorted by type based on their internal signatures. This also identifies files whose extension has been changed in an attempt to hide them.
- Time line of files:
A timeline of file activity can be used to identify the evidence data. The timeline includes the creation time of each file and the times at which files were accessed, modified and deleted.
- Search of keywords and strings:
Strings and keywords can be searched for in the file system to find evidence. The search can be performed using ASCII strings and regular expressions.
- Analysis of meta data:
This retrieves the metadata details of files and directories. It is helpful when the investigator wants to recover deleted files.
- Analysis of data in various formats:
The data in a file can be analysed by presenting it in various formats, such as hexadecimal, strings and ASCII.
- Details of disk image:
The details of the disk image can be viewed, including the file system details, the on-disk layout and the times of file activity on the disk. This is useful when data needs to be recovered (The Sleuth Kit, 2020).
To check the integrity of the evidence file when it is imported, choose the radio button that calculates the hash value for the given image, and tick the checkbox adjacent to "Verify hash after importing". If the computed hash does not match the hash recorded at acquisition, the image has been altered or damaged in transit and its contents cannot be relied on as evidence.
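The hash verification that Autopsy performs at import time is shown below as an added example, not code from Autopsy or The Sleuth Kit. It hashes an image in chunks (so images larger than memory can be handled), compares the digests with the values recorded at acquisition, and demonstrates on a constructed sample image that a single flipped byte is detected. The sample image and the tamper step are constructed for the example.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read the image 1 MiB at a time; real images do not fit in memory


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare the digests of `path` with `expected` ({algorithm: hex digest} from the
    acquisition record). Returns (all_match, details) where details lists each
    algorithm with the expected and computed value and whether they agree."""
    computed = hash_image(path, algorithms=tuple(expected))
    details = {}
    for name, want in expected.items():
        got = computed[name]
        details[name] = {"expected": want.lower(), "computed": got, "match": got == want.lower()}
    return all(d["match"] for d in details.values()), details


def demo():
    """Constructed sample: write a small 'disk image', record its hashes as an
    acquisition would, then flip one byte and verify again."""
    data = b"MBR" + bytes(range(256)) * 64 + b"EVIDENCE"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        reference = hash_image(path)          # digests recorded at acquisition time
        ok_before, _ = verify_image(path, reference)
        with open(path, "r+b") as fh:         # simulate tampering / a damaged copy
            fh.seek(300)
            original = fh.read(1)
            fh.seek(300)
            fh.write(bytes([original[0] ^ 0xFF]))
        ok_after, details = verify_image(path, reference)
    finally:
        os.unlink(path)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

Recording two digests (MD5 and SHA-256) is common practice: MD5 is still what many older acquisition logs and hash sets contain, while SHA-256 guards against a deliberate collision.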
Timeline analysis
The timeline of file activity (creation, access, modification and deletion) is now built with the forensic tool from the collected evidence in order to reconstruct the chain of events of the incident.
To create a timeline with an EnScript, the evidence file must first be added to a case in EnCase. Once it has been added, it is recommended to always run the File Mounter EnScript first, so that the contents of compound files are also represented in the timeline of events. Once the files are selected, choose the Timeline Report EnScript from the EnScript pane of EnCase; an options window is then displayed, in which a set of options for creating the timeline can be chosen.
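The timeline construction described in the methodology (timeline analysis step) and performed here with EnCase is illustrated below with an added example that is not part of the original report and is not EnCase or Sleuth Kit code. It collects the timestamps of a directory tree, emits them in the body-file layout that The Sleuth Kit's fls/mactime tools use, and collapses the four timestamps of each file into one sorted list of events with mactime-style MACB flags. The sample tree and its back-dated timestamps are constructed for the example.

```python
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone


def collect_metadata(root):
    """Walk `root` and return one record per file/directory with its timestamps
    as integer seconds since the epoch (None where the file system has none)."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            crtime = getattr(st, "st_birthtime", None)  # only some platforms expose birth time
            records.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mode": stat.filemode(st.st_mode),
                "atime": int(st.st_atime),
                "mtime": int(st.st_mtime),
                "ctime": int(st.st_ctime),
                "crtime": int(crtime) if crtime is not None else None,
            })
    return records


def to_bodyfile(records):
    """Render records in the TSK 3.x body-file layout consumed by mactime:
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (0 where unknown)."""
    lines = []
    for r in records:
        lines.append("|".join(["0", r["path"], "0", r["mode"], "0", "0", str(r["size"]),
                               str(r["atime"]), str(r["mtime"]), str(r["ctime"]),
                               str(r["crtime"] or 0)]))
    return lines


def build_timeline(records):
    """Turn per-file timestamps into a single chronological list of events.
    Each event is (timestamp, flags, path); flags use mactime's letters
    m = modified, a = accessed, c = metadata changed, b = born, '.' = not this one."""
    events = {}
    for r in records:
        for letter, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            ts = r[key]
            if ts is None:
                continue
            events.setdefault((ts, r["path"]), set()).add(letter)
    timeline = []
    for (ts, path), letters in sorted(events.items()):
        flags = "".join(l if l in letters else "." for l in "macb")
        timeline.append((ts, flags, path))
    return timeline


def format_event(ts, flags, path):
    """One timeline row, timestamps rendered in UTC as a forensic report should."""
    return f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} UTC  {flags}  {path}"


def demo():
    """Constructed sample tree: three files whose access/modification times are
    back-dated with os.utime; ctime (metadata change) stays at 'now'."""
    root = tempfile.mkdtemp()
    base = 1_600_000_000  # 2020-09-13 12:26:40 UTC
    try:
        os.mkdir(os.path.join(root, "docs"))
        files = {"docs/plan.txt": base + 60, "notes.txt": base + 3600, "docs/old.txt": base - 86400}
        for rel, ts in files.items():
            p = os.path.join(root, rel)
            with open(p, "w") as fh:
                fh.write(rel)
            os.utime(p, (ts, ts))
        return build_timeline(collect_metadata(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for ts, flags, path in demo():
        print(format_event(ts, flags, path))
```

The ctime events in the output all sit at the time the example ran, well after the back-dated access and modification times. That gap is exactly what an analyst looks for: a file whose m and a times predate its c time was timestamped (touched, copied or "timestomped") after its content was last written.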
Keyword Search Hits
The byte and string search described in the methodology is performed here on the image with standard tools, using the keywords and regular expressions tied to the digital evidence relevant to the case.
A keyword search can be performed easily in EnCase Forensic by clicking the links in the Hits column shown under the Keyword Hits tab. This makes EnCase display the matching data, which can then be examined in detail in the Text tab of the View pane.
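The keyword and regular-expression search of the methodology's string search step, and of the EnCase Keyword Hits view above, is illustrated by the following added example; it is not EnCase code and not part of the original report. It searches raw image bytes for each keyword in both ASCII and UTF-16LE (the encoding Windows uses for file names, registry values and much document text, which an ASCII-only search misses), runs a GREP-style pattern for e-mail addresses, and renders a hex/ASCII view around a hit. The sample image bytes are constructed for the example.

```python
import re


def encode_keyword(keyword):
    """Byte patterns for one keyword: 8-bit (ASCII/Latin-1) and UTF-16LE."""
    return {
        "ascii": keyword.encode("latin-1"),
        "utf16le": keyword.encode("utf-16-le"),
    }


def search_keywords(image, keywords, case_insensitive=True):
    """Search raw image bytes for each keyword in both encodings.
    Returns (offset, keyword, encoding) hits sorted by offset."""
    hits = []
    flags = re.IGNORECASE if case_insensitive else 0
    for kw in keywords:
        for enc, pattern in encode_keyword(kw).items():
            for m in re.finditer(re.escape(pattern), image, flags):
                hits.append((m.start(), kw, enc))
    return sorted(hits)


def search_regex(image, pattern):
    """GREP-style search over the raw bytes; returns (offset, matched bytes)."""
    return [(m.start(), m.group()) for m in re.finditer(pattern, image)]


def context(image, offset, width=16):
    """Hex/ASCII dump of the bytes around a hit, like a forensic tool's hex view."""
    start = max(0, offset - width)
    chunk = image[start:offset + width]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{start:08x}  {hexpart}  {asciipart}"


# Constructed sample "image": a zeroed sector, an ASCII note, a UTF-16LE file name
# as Windows would store it, an e-mail address, and filler.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + b"Meeting with Secret contact at dock 7.\n"
    + b"\x00" * 64
    + "secret_plan.docx".encode("utf-16-le")
    + b"\x00" * 32
    + b"contact: j.doe@example.org\n"
    + b"\xff" * 128
)

EMAIL_RE = rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"


def demo():
    """Keyword 'secret' in both encodings, plus every e-mail address in the image."""
    return search_keywords(SAMPLE_IMAGE, ["secret"]), search_regex(SAMPLE_IMAGE, EMAIL_RE)


if __name__ == "__main__":
    kw_hits, email_hits = demo()
    for off, kw, enc in kw_hits:
        print(f"{kw} ({enc}) at offset {off}")
        print(context(SAMPLE_IMAGE, off))
    for off, addr in email_hits:
        print(f"e-mail {addr!r} at offset {off}")
```

Only the UTF-16LE pattern finds the document name, which is why the Unicode option in a keyword search should be enabled when the evidence comes from a Windows system.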
Allocated and unallocated data blocks
Allocated blocks are those in use by files the file system currently lists; unallocated blocks are not referenced by any file and may still hold the content of deleted files, so they are the main target of the data recovery step. The following figure shows the allocated and unallocated space of the disk image.
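Recovering file content from unallocated space by file header, as the methodology's data recovery step describes and as the allocated/unallocated view above motivates, is shown below with an added example that is not part of the original report. It carves JPEG and PNG files from raw bytes by header and footer signature without consulting any file system, and validates a carved PNG by walking its chunks and checking every CRC, so a truncated or damaged carve is not mistaken for an intact file. The "unallocated space" and the embedded sample files are constructed for the example.

```python
import struct
import zlib

# Header and footer signatures of the two formats carved here.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9"},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xae\x42\x60\x82"},
}


def carve(blob, max_size=10 * 1024 * 1024):
    """Header/footer carving over raw bytes (unallocated space, slack, a whole image).
    Returns sorted (offset, type, data). A header with no footer within max_size
    (for example a partially overwritten file) is skipped rather than guessed."""
    found = []
    for ftype, sig in SIGNATURES.items():
        start = 0
        while True:
            h = blob.find(sig["header"], start)
            if h == -1:
                break
            f = blob.find(sig["footer"], h + len(sig["header"]), h + max_size)
            if f == -1:
                start = h + 1
                continue
            end = f + len(sig["footer"])
            found.append((h, ftype, blob[h:end]))
            start = end
    return sorted(found)


def png_chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def make_png():
    """Constructed 1x1 red RGB PNG used as sample evidence."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, colour type 2
    idat = zlib.compress(b"\x00\xff\x00\x00")               # filter byte + one RGB pixel
    return SIGNATURES["png"]["header"] + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def png_is_valid(data):
    """Walk the chunk list and verify each CRC; True only if the file ends exactly at IEND."""
    if not data.startswith(SIGNATURES["png"]["header"]):
        return False
    pos = 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length or pos + 12 + length > len(data):
            return False
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)
    return False


def build_sample_unallocated():
    """Constructed unallocated space: zeros, a minimal JPEG, slack, a real PNG,
    then a JPEG header whose remainder has been overwritten (no footer)."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    return (b"\x00" * 1024 + jpeg + b"\x00" * 100 + make_png()
            + b"\x00" * 50 + b"\xff\xd8\xff\xdb" + b"\x22" * 20)


def demo():
    """Carve the sample and report (offset, type, size, png_valid_or_None)."""
    return [(off, ftype, len(data), png_is_valid(data) if ftype == "png" else None)
            for off, ftype, data in carve(build_sample_unallocated())]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Signature carving recovers the content but not the original name or timestamps, which is why it complements rather than replaces the metadata-based recovery that Autopsy's metadata analysis offers.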
The Sleuth Kit. 2020. Autopsy. https://www.sleuthkit.org/autopsy/desc.php
Agarwal, A., Gupta, M., Gupta, S., & Gupta, S. C. 2011. Systematic Digital Forensic Investigation Model. International Journal of Computer Science and Security (IJCSS), 5(1), 118-131.
Baryamureeba, V., & Tushabe, F. 2004. The Enhanced Digital Investigation Process Model. The Digital Forensic Research Conference, Baltimore, pp. 1-10.
Kim, Y., Hong, D., & Won, D. 2008. A Forensic Investigation for Suspects' Digital Evidences Using Image Categorization. Advanced Software Engineering and Its Applications, pp. 241-244. Hainan Island, China: IEEE.
Rocha, L. 2014. Computer Forensics and Investigation Methodology – 8 Steps. Digital Forensics and Incident Response.