This special type of digital investigation uses procedures and techniques that can produce results admissible in a court of law. It is basically formulated and tests hypotheses of the state of a computer system. However, in order to extract information from the computerized devices and systems, there are a number of steps forensic experts follow when gathering evidence to ensure it meets the court’s threshold.
Guidelines for Digital Forensic Investigation:
The lead detective seizes the digital media involved in the crime. It is then stored in order to preserve evidence especially if it’s a criminal case. In civil cases, the company officer does not need a warrant to seize the digital media as so long he does not breach the privacy and rights of the employee.
This is done to ensure that the device is a vital part of the evidence. System description helps in giving the forensic expect some rough idea of what part of the system was involved in the crime. Here, the operating system and general configurations of the computer are listed; disk format, RAM and location of the device in the crime scene.
The device is acquired in order to prioritize the evidence collection process. A forensic duplicate is created using a hard drive duplicator or imaging tools like Guymager, FTK Imager or TrueBack. To prevent evidence tampering, the original piece of evidence is returned for secure storage. Before storage in the evidence room, hashing is done to ensure that evidence is not tampered with and is in its original state.
An analysis is done on the hard drive of the device in order to gather the necessary evidence vital in supporting or contradicting a hypothesis that was carried by the lead detective. An analysis is basically an in-depth research of digital evidence related to a given crime or event. Analysis entails the following:
- Time Analysis- This touches on when information was created, modified, accessed or changed. Information is translated from the computer language to a human-readable format. After this, a reconstruction of the events prior to the crime done bringing out the relevant interpretation of the motive of the criminal. An open tool such as SIFT Workstation is used.
- Media Analysis- This is basically the separation of good files from the bad ones. Here, forensic experts have to create a super timeline, vital in incorporating multiple time sources into one file. Experts only have to deal with information relevant to the investigation process.
Data Recovery- This step is vital in tracing or recovering other hidden information deemed necessary in the investigation process. An analysis of the file system, data and metadata layer is done in order to find files of interest. This gathers further evidence vital to the case.
This final and key stage of investigation involves the following;
- Describing the events of the crime.
- Describing the procedures, tools, and policies adopted when gathering evidence.
- Offering further recommendations on the case based on evidence gathered.
From here, the prosecution will decide whether or not to use the evidence in a court of law.