Computer Forensics: Digital Forensic Analysis Methodology


JANUARY 2008 UNITED STATES ATTORNEYS' BULLETIN

Ovie L. Carroll
Director, Cybercrime Lab
Computer Crime and Intellectual Property Section
Criminal Division

Stephen K. Brannon
Cybercrime Analyst, Cybercrime Lab
Computer Crime and Intellectual Property Section
Criminal Division

Thomas Song
Senior Cybercrime Analyst, Cybercrime Lab
Computer Crime and Intellectual Property Section
Criminal Division

I. Introduction

In comparison to other forensic sciences, the field of computer forensics is relatively new, and many people do not understand what the term "computer forensics" means and what techniques are involved. In particular, there is a lack of clarity regarding the distinction between data extraction and data analysis. There is also confusion about how these two operations fit into the forensic process. The Cybercrime Lab in the Computer Crime and Intellectual Property Section (CCIPS) has developed a flowchart describing the digital forensic analysis methodology.

Throughout this article, the flowchart is used as an aid in the explanation of the methodology and its steps. The Cybercrime Lab developed this flowchart after consulting with numerous computer forensic examiners from several federal agencies. It is available on the section's public Web site. The flowchart is helpful as a guide to instruction and discussion. It also helps clarify the elements of the process. Many other resources are available on the section's public Web site. In addition, anyone in the Criminal Division or United States Attorneys' offices can find additional resources on the new intranet site, CCIPS Online. Go to DOJ Net and click on the "CCIPS Online" link. You can also reach us at (202) 514-1026.

II. Overview of the digital forensics analysis methodology

The complete definition of computer forensics is as follows: "The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal." A Road Map for Digital Forensic Research, Report from the First Digital Forensic Research Workshop (DFRWS). Defining computer forensics requires one more clarification.

Many argue about whether computer forensics is a science or an art. See United States v. Brooks, 427 F.3d 1246, 1252 (10th Cir. 2005) ("Given the numerous ways information is stored on a computer, openly and surreptitiously, a search can be as much an art as a science."). The argument is unnecessary. The tools and methods are scientific and are verified scientifically, but their use necessarily involves elements of ability, judgment, and interpretation. Hence, the word "technique" is often used to sidestep the unproductive debate.

The key elements of computer forensics are listed below:

- The use of scientific methods
- Collection and preservation
- Validation
- Identification
- Analysis and interpretation
- Documentation and presentation

The Cybercrime Lab illustrates an overview of the process with Figure 1. The three steps, Preparation/Extraction, Identification, and Analysis, are highlighted because they are the focus of this article.

See Figure 1. In practice, organizations may divide these functions between different groups. While this is acceptable and sometimes necessary, it can create a source of misunderstanding and frustration. In order for different law enforcement agencies to work together effectively, they must communicate clearly. The investigative team must keep the entire picture in mind and be explicit when referring to specific sections.

The prosecutor and forensic examiner must decide, and communicate to each other, how much of the process is to be completed at each stage of an investigation or prosecution. The process is potentially iterative, so they also must decide how many times to repeat the process. It is fundamentally important that everyone understand whether a case only needs preparation, extraction, and identification, or whether it also requires analysis.

The three steps in the forensics process discussed in this article come after examiners obtain forensic data and a request, but before reporting and case-level analysis. We try to be explicit about every process that occurs in the methodology.

In certain situations, however, examiners may combine steps or condense parts of the process. When examiners speak of lists such as the "Relevant Data List," they do not mean to imply that the lists are physical documents. The lists may be written, or the items may be committed to memory. Finally, keep in mind that examiners often repeat this entire process, since a finding or conclusion may indicate a new lead to be studied.

III. Preparation/Extraction

See Figure 2, page 5. Examiners begin by asking whether there is enough information to proceed. They make sure a clear request is in hand and that there is sufficient data to attempt to answer it. If anything is missing, they coordinate with the requester. Otherwise, they continue to set up the process.

The first step in any forensic process is the validation of all hardware and software, to ensure that they work properly. There is still a debate in the forensics community about how frequently the software and equipment should be tested.

Most people agree that, at a minimum, organizations should validate every piece of software and hardware after they purchase it and before they use it. They should also retest after any update, patch, or reconfiguration.

When the examiner's forensic platform is ready, he or she duplicates the forensic data provided in the request and verifies its integrity. This process assumes law enforcement has already obtained the data through appropriate legal process and created a forensic image. A forensic image is a bit-for-bit copy of the data that exists on the original media, without any additions or deletions. It also assumes the forensic examiner has received a working copy of the seized data. If examiners get original evidence, they need to make a working copy and guard the original's chain of custody. The examiners make sure the copy in their possession is intact. They typically do this by verifying a hash, or digital fingerprint, of the evidence. If there are any problems, the examiners consult with the requester about how to proceed.
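The integrity check described above, as an added example that is not part of the original article and not CCIPS code: the working copy of an image is hashed in a single streaming pass with two algorithms (MD5 and SHA-256 are assumed here; the acquisition record dictates which ones actually apply) and compared against the values recorded at acquisition. The "image" in demo() is a constructed 16 KiB byte pattern written to a temporary file, and the second copy has a single bit flipped to show that even a one-bit difference is caught, which is exactly why a hash, not a size or timestamp, is the check.

```python
"""Verify a working copy of a forensic image against its acquisition hashes.

Added example; the file names and the sample image are constructed for
illustration and are not from the article.
"""
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 1 << 20  # 1 MiB reads so a multi-gigabyte image never has to fit in RAM


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Digest a file-like object once, feeding every block to each algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK_SIZE)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper for in-memory data (used for spot checks)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha256")):
    """Digest a file on disk without loading it whole."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def verify_working_copy(path, recorded):
    """Compare the copy at `path` with the hashes recorded at acquisition.

    `recorded` maps algorithm name -> hex digest. Returns (ok, mismatches)
    where mismatches maps algorithm -> (recorded, computed) for each failure.
    """
    computed = hash_file(path, tuple(recorded))
    mismatches = {
        name: (recorded[name], computed[name])
        for name in recorded
        if recorded[name].lower() != computed[name].lower()
    }
    return (not mismatches), mismatches


def demo():
    """Constructed scenario: an intact copy passes, a one-bit-damaged copy fails."""
    image = bytes(range(256)) * 64  # constructed stand-in for the seized media
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence.dd")
        with open(original, "wb") as fh:
            fh.write(image)
        recorded = hash_file(original)  # what the acquiring agent would log
        ok_original, _ = verify_working_copy(original, recorded)

        damaged = bytearray(image)
        damaged[4096] ^= 0x01  # flip a single bit in the working copy
        copy = os.path.join(workdir, "working_copy.dd")
        with open(copy, "wb") as fh:
            fh.write(damaged)
        ok_copy, mismatches = verify_working_copy(copy, recorded)
    return ok_original, ok_copy, sorted(mismatches)


if __name__ == "__main__":
    print(demo())
```

Both digests are computed in the same pass so the image is read once; if only one algorithm is recorded, pass just that one. A mismatch is a stop-and-consult event, as the paragraph says, not something to work around.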

After examiners verify the integrity of the data to be analyzed, a plan is developed to extract data. They organize and refine the forensic request into questions they understand and can answer. Forensic tools that enable them to answer these questions are selected. Examiners generally have preliminary ideas of what to look for, based on the request. They add these to a "Search Lead List," which is a running list of requested items. For example, the request might provide the lead "search for child pornography." Examiners list leads explicitly to help focus the examination. As they develop new leads, they add them to the list, and as they exhaust leads, they mark them "processed" or "done."

For each search lead, examiners extract relevant data and mark that search lead as processed. They add anything extracted to a second list called an "Extracted Data List." Examiners pursue all the search leads, adding results to this second list.

Then they move to the next phase of the methodology, identification.

IV. Identification

See Figure 3, page 6. Examiners repeat the process of identification for each item on the Extracted Data List. First, they determine what type of item it is. If it is not relevant to the forensic request, they simply mark it as processed and move on. Just as in a physical search, if an examiner comes across an item that is incriminating but outside the scope of the original search warrant, it is recommended that the examiner immediately stop all activity, notify the appropriate individuals, including the requester, and wait for further instructions. For example, law enforcement might seize a computer for evidence of tax fraud, but the examiner may find an image of child pornography. The most prudent approach, after finding evidence outside the scope of a warrant, is to stop the search and seek to expand the warrant's authority or to obtain a second warrant. If an item is relevant to the forensic request, examiners document it on a third list, the Relevant Data List.

This list is a collection of data relevant to answering the original forensic request. For example, in an identity theft case, relevant data might include social security numbers, images of false identification, or e-mails discussing identity theft, among other things. It is also possible for an item to generate yet another search lead. An e-mail may reveal that a target was using another nickname. That would lead to a new keyword search for the new nickname. The examiners would go back and add that lead to the Search Lead List so that they would remember to investigate it completely.

An item can also point to a completely new potential source of data. For example, examiners might find a new e-mail account the target was using. After this discovery, law enforcement may want to subpoena the contents of the new e-mail account. Examiners might also find evidence indicating the target stored files on a removable universal serial bus (USB) drive, one that law enforcement did not find in the original search. In these circumstances, law enforcement may consider getting a new search warrant to look for the USB drive.

A forensic examination can point to many different types of new evidence. Some other examples include firewall logs, building access logs, and building security video recordings. Examiners document these on a fourth list, the New Source of Data List.

After processing the Extracted Data List, examiners go back to any new leads. For any new data search leads, examiners consider going back to the Extraction step to process them. Similarly, for any new source of data that might lead to new evidence, examiners consider going all the way back to the process of obtaining and imaging that new forensic data.

At this point in the process, it is advisable for examiners to inform the requester of their initial findings. It is also a good time for examiners and the requester to discuss what they believe the return on investment will be for pursuing new leads. Depending on the stage of a case, extracted and identified relevant data may give the requester enough information to move the case forward, and examiners may not need to do further work.
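The bookkeeping behind sections III and IV (Search Lead List, Extracted Data List, Relevant Data List, New Source of Data List, and the loop from Identification back to Extraction), as an added example written for this page and not code from the article or from CCIPS. The evidence is a constructed set of four text "files" standing in for data carved from an image; the relevance terms and the patterns that recognize a new nickname, a new e-mail account, and a mention of a USB drive are hypothetical stand-ins for an examiner's judgment in an identity theft request. The point the code shows that the prose does not is the control flow: a lead discovered during identification reopens extraction, items already extracted are not re-extracted under a second lead, and the loop ends only when every lead is marked processed.

```python
"""Iterative lead tracking for the extraction/identification loop.

Added example; EVIDENCE, RELEVANT_TERMS and the regexes are constructed
stand-ins and not from the article.
"""
import re
from dataclasses import dataclass, field

# Constructed sample evidence: path -> text content.
EVIDENCE = {
    "mail/inbox.txt": "From: shadow99@example.net\nI'm going by 'ghostrider' now. "
                      "Reach me at darkmail@example.org.",
    "docs/list.txt": "ghostrider - SSN list for the new cards",
    "docs/recipes.txt": "shadow99's pancakes: flour, eggs, milk",
    "mail/sent.txt": "ghostrider: the rest of the files are on the thumb drive",
}

# Hypothetical markers for a request of the form "find evidence of identity theft".
RELEVANT_TERMS = ("ssn", "going by", "thumb drive")


@dataclass
class CaseLists:
    """The four running lists the methodology describes."""
    search_leads: dict = field(default_factory=dict)  # lead -> "open" | "processed"
    extracted: list = field(default_factory=list)     # (lead, path, text)
    relevant: list = field(default_factory=list)      # paths on the Relevant Data List
    new_sources: list = field(default_factory=list)   # New Source of Data List entries


def extract(evidence, lead):
    """Extraction step for one lead: case-insensitive keyword search."""
    return [(path, text) for path, text in evidence.items() if lead.lower() in text.lower()]


def identify(path, text, known_leads):
    """Identification step for one extracted item.

    Returns (is_relevant, new_leads, new_sources).
    """
    low = text.lower()
    is_relevant = any(term in low for term in RELEVANT_TERMS)
    # A declared nickname becomes a new keyword search lead.
    new_leads = re.findall(r"going by '([^']+)'", text, flags=re.I)
    new_sources = []
    # An e-mail account not already being searched for is a new source of data.
    for addr in re.findall(r"[\w.+-]+@[\w-]+\.\w+", text):
        if addr.split("@")[0] not in known_leads:
            new_sources.append(f"e-mail account {addr}")
    # A reference to media not in hand is a new source as well.
    if "thumb drive" in low:
        new_sources.append(f"USB drive referenced in {path}")
    return is_relevant, new_leads, new_sources


def run_examination(evidence, initial_leads):
    """Run extraction and identification until no open lead remains.

    Returns (CaseLists, number_of_passes).
    """
    lists = CaseLists(search_leads={lead: "open" for lead in initial_leads})
    seen_paths, identified, passes = set(), 0, 0
    while any(state == "open" for state in lists.search_leads.values()):
        passes += 1
        # Extraction: work every open lead, then mark it processed.
        for lead in [l for l, s in lists.search_leads.items() if s == "open"]:
            for path, text in extract(evidence, lead):
                if path not in seen_paths:  # do not re-extract under a second lead
                    seen_paths.add(path)
                    lists.extracted.append((lead, path, text))
            lists.search_leads[lead] = "processed"
        # Identification: classify every item extracted since the last pass.
        while identified < len(lists.extracted):
            _, path, text = lists.extracted[identified]
            identified += 1
            is_relevant, new_leads, new_sources = identify(path, text, set(lists.search_leads))
            if is_relevant:
                lists.relevant.append(path)
            for lead in new_leads:  # sends the loop back to Extraction
                lists.search_leads.setdefault(lead, "open")
            for src in new_sources:
                if src not in lists.new_sources:
                    lists.new_sources.append(src)
    return lists, passes


if __name__ == "__main__":
    result, n = run_examination(EVIDENCE, ["shadow99"])
    print(n, result)
```

Starting from the single requested lead "shadow99", the first pass finds the inbox message, which yields the nickname "ghostrider" as a new lead and an unknown e-mail account as a new source; the second pass, driven by the new lead, turns up the SSN list and the reference to a USB drive, and the examination stops after two passes with nothing left open. The New Source of Data List is deliberately not acted on by the code: following those entries means new legal process and new imaging, which is the requester's decision.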
