Joseph Naghdi
4 min read · May 12, 2018


Digital Evidence Assessment: How is it done?

A key component of the investigative process is the assessment of potential evidence in a cyber crime. Central to processing evidence effectively is a clear understanding of the details of the case at hand. For instance, if an agency seeks to prove that an individual has committed identity theft, computer forensics investigators sift through hard drives, email accounts, social networking sites and other digital archives to retrieve and assess any information that can serve as viable evidence of the crime. The same applies to other online offences, such as posting fake products on eBay, Craigslist and social media to lure victims into sharing credit card details. Before conducting an investigation, the investigator must define the types of evidence sought (including the specific platforms and data formats) and have a clear plan for preserving the pertinent data. The investigator must then establish the source and integrity of that data before entering it into evidence.

Evidence Acquisition

The most important feature of a successful computer forensic investigation is a rigorous, detailed plan for acquiring evidence. Extensive documentation is needed before, during and after the acquisition process; detailed information must be recorded and preserved, including all hardware and software specifications, any systems used in the investigation and the systems being investigated. This is the step at which policies for preserving the integrity of potential digital evidence must be in place. General guidelines for preserving evidence include:

1. Physically removing storage devices from the suspect system and connecting them through a write blocker, so that the acquisition itself cannot alter them

2. Using controlled boot discs to retrieve data without altering what is already stored (booting the suspect's own operating system would update timestamps, logs and caches)

3. Verifying beforehand that the acquisition hardware and software function as expected, and recording the versions used

4. Copying (imaging) the evidence and transferring the image to the investigator's evidence repository, hashing both the source and the copy so the copy can be shown to be identical

Being able to document and authenticate the chain of custody is crucial when pursuing a court case, and this is especially true for computer forensics given the complexity of most cybersecurity cases.
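As an added example (my own illustration, not the author's or the lab's tooling), here is the imaging step of the guidelines above carried out in Python, the way `dd` followed by `sha256sum` on both sides would do it: a byte-for-byte copy of a source device, SHA-256 over the bytes as they are read and again over the finished image, a verification that refuses to produce a record if the two differ, and the acquisition record that the chain of custody needs (what was imaged, by whom, on which workstation, when, and the hash). The "device" is a constructed temporary file standing in for something like `/dev/sdb`; a real source would sit behind a hardware write blocker, which the script assumes and cannot replace. The examiner, case ID and tool name are illustrative placeholders.

```python
"""Acquisition: bit-for-bit image, hash verification and acquisition record.

Added example, not the author's or the lab's tooling.  The "device" is a
constructed temporary file standing in for a block device (e.g. /dev/sdb)
attached through a hardware write blocker; the script itself cannot stop
writes to a real device, it can only prove the copy matches the source.
"""
import hashlib
import json
import os
import platform
import tempfile
from datetime import datetime, timezone

BLOCK = 1024 * 1024  # copy in 1 MiB blocks, as with dd bs=1M


def sha256_file(path):
    """Stream a file through SHA-256 so images larger than RAM still hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, examiner, case_id):
    """Copy `source` to `image_path` byte for byte, hash both sides and
    return the acquisition record.  Raises if the image does not verify,
    so a bad copy is never silently entered into evidence."""
    started = datetime.now(timezone.utc).isoformat()
    src_hash = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK), b""):
            src_hash.update(block)  # hash the bytes exactly as read ...
            dst.write(block)        # ... and write those same bytes out
            size += len(block)
    image_hash = sha256_file(image_path)  # independent re-read of the image
    if image_hash != src_hash.hexdigest():
        raise RuntimeError("image does not match source; do not use it")
    return {
        "case_id": case_id,                       # placeholder values below
        "examiner": examiner,
        "source": source,
        "image": image_path,
        "bytes": size,
        "sha256": image_hash,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "workstation": platform.node(),
        "workstation_os": platform.platform(),
        "tool": "acquire_image.py (example script)",
    }


def verify_image(image_path, record):
    """Re-hash a stored image and compare with the recorded value; any
    later change to the image, accidental or not, makes this False."""
    return sha256_file(image_path) == record["sha256"]


def demo():
    """Acquire a constructed 3 MiB + 123 byte 'device' (not real evidence)
    and return (record, image_path)."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "sdb.raw")           # stands in for /dev/sdb
    with open(device, "wb") as f:
        f.write(os.urandom(3 * BLOCK + 123))         # odd size: last block is partial
    image = os.path.join(work, "sdb.dd")
    record = acquire_image(device, image, examiner="J. Doe", case_id="CASE-0001")
    with open(os.path.join(work, "acquisition.json"), "w") as f:
        json.dump(record, f, indent=2)               # the record travels with the image
    return record, image


if __name__ == "__main__":
    rec, img = demo()
    print(json.dumps(rec, indent=2))
    print("image verifies:", verify_image(img, rec))
```

The hash is computed from the same buffer that is written, then recomputed from the image file on disk; only the second pass proves what actually landed in the repository, which is why `verify_image` re-reads rather than trusting the in-memory value.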

Evidence Examination

In order to effectively investigate potential digital evidence, procedures must be in place for retrieving, copying, and storing evidence within appropriate databases. Digital forensics investigators typically examine data from designated archives, using a variety of methods and approaches to analyse information; these could include utilising analysis software to search massive archives of data for specific keywords or file types, as well as procedures for retrieving files that have been recently deleted. Data tagged with times and dates is particularly useful to investigators, as are suspicious files or programs that have been encrypted or intentionally hidden.

Analysing file names and paths is also useful, as it can help determine when and where specific data was created, downloaded or uploaded, and can help investigators connect files on storage devices to online data transfers. This also works in reverse, since a file's full path records the directory that houses it. Files located online or on other systems can point back to the specific server and computer from which they were uploaded, giving investigators clues as to where that system is located; matching an online filename to a directory on a suspect's hard drive is one way of corroborating digital evidence. At this stage, computer forensic investigators work in close collaboration with criminal investigators, lawyers and other qualified personnel to ensure a thorough understanding of the nuances of the case and of what types of information can serve as important evidence in court.
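The two examination techniques mentioned above, keyword search and recovery of deleted files, can be shown on a raw image. The following is an added example of mine, not a lab tool or the author's procedure, and it goes a step beyond the text: it recovers deleted files by signature carving (scanning unallocated space for file headers and trailers, which works even when the directory entry and file name are gone) and runs a case-insensitive keyword search in both ASCII and UTF-16LE, the encoding Windows uses for many strings. The image is constructed in memory and is not real evidence; the PNG, text fragment and truncated PDF are placed in it at known positions so the results can be checked.

```python
"""Examination: signature-based carving and keyword search over a raw image.

Added example, not the author's procedure or a lab tool.  The image is
constructed in memory (not real evidence): deterministic filler with a small
PNG, a text fragment and the head of a PDF inside it, standing in for
unallocated space where deleted files still sit without directory entries.
"""
import re
import struct
import zlib

# File signatures: type -> (header, trailer).  Carving ignores file names and
# extensions entirely; it only looks at the bytes.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image, signatures=SIGNATURES, max_len=10 * 1024 * 1024):
    """Return carved objects sorted by offset.  Each is cut at the first
    trailer after its header; with no trailer within max_len the object is
    reported as incomplete (a deleted file that was partly overwritten)."""
    found = []
    for kind, (header, trailer) in signatures.items():
        start = 0
        while (off := image.find(header, start)) >= 0:
            end = image.find(trailer, off + len(header), off + max_len)
            if end < 0:
                data, complete = image[off:off + max_len], False
            else:
                data, complete = image[off:end + len(trailer)], True
            found.append({"offset": off, "type": kind, "size": len(data),
                          "complete": complete, "data": data})
            start = off + len(header)
    return sorted(found, key=lambda r: r["offset"])


def keyword_search(image, keywords, context=24):
    """Case-insensitive search for each ASCII keyword, both as ASCII and as
    UTF-16LE; returns hits with their offset and surrounding bytes."""
    hits = []
    for kw in keywords:
        for enc, label in (("ascii", "ascii"), ("utf-16-le", "utf16le")):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                lo, hi = max(0, m.start() - context), min(len(image), m.end() + context)
                hits.append({"keyword": kw, "encoding": label,
                             "offset": m.start(), "context": image[lo:hi]})
    return sorted(hits, key=lambda h: h["offset"])


def make_png():
    """A valid 1x1 red PNG built from scratch (zlib/struct only)."""
    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")               # filter 0 + one red pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


FILLER = bytes(range(256)) * 16   # 4096 bytes; contains none of the signatures
# Constructed text fragment, not real data:
SAMPLE_TEXT = b"Buyer sent card 4111 1111 1111 1111 for the ebay listing #fake\r\n"


def build_sample_image():
    """Constructed raw image: [filler][PNG][filler][text][filler][PDF head][filler]."""
    pdf_head = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"   # no %%EOF: truncated
    return FILLER + make_png() + FILLER + SAMPLE_TEXT + FILLER + pdf_head + FILLER


if __name__ == "__main__":
    img = build_sample_image()
    for c in carve(img):
        print(f"{c['type']:5} @ {c['offset']:6}  {c['size']:6} bytes  complete={c['complete']}")
    for h in keyword_search(img, ["ebay", "4111"]):
        print(f"{h['keyword']!r} ({h['encoding']}) @ {h['offset']}: {h['context']!r}")
```

Note that the truncated PDF is still reported, flagged `complete=False`, rather than dropped: a partially overwritten file can still carry a timestamp or a name worth matching against online records, and a keyword hit gives an offset the examiner can map back to a file or to unallocated space.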

Documenting and Reporting Digital Evidence

In addition to fully documenting information related to hardware and software specs, computer forensic investigators must keep an accurate record of all activity related to the investigation, including all methods used for testing system functionality and retrieving, copying, and storing data, as well as all actions taken to acquire, examine and assess evidence. Not only does this demonstrate how the integrity of user data has been preserved, but it also ensures proper policies and procedures have been adhered to by all parties involved. As the purpose of the entire process is to acquire data that can be presented as evidence in a court of law, an investigator’s failure to accurately document his or her process could seriously compromise the validity of that evidence and ultimately, the case itself.

All actions related to a particular case should be accounted for in a digital format and saved in properly designated archives. This helps ensure the authenticity of any findings by allowing the examiners to show exactly when, where and how evidence was recovered. It also allows reviewers to confirm the validity of evidence by matching the investigator's digitally recorded documentation against the dates and times at which the data was accessed by potential suspects via external sources, so that access timestamps created by the examination itself are not confused with the suspect's activity.
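The activity record described here can itself be made tamper-evident. The following added example (my own, not the lab's procedure) is a hash-chained examiner log: every entry carries the SHA-256 of the previous entry and its own hash over its contents, so an entry that is later edited, removed or reordered breaks the chain, and verification reports the index of the first entry that no longer fits. The case ID, examiner, actions, device labels and hashes in `demo()` are constructed placeholders.

```python
"""Tamper-evident examiner activity log (hash chain).

Added example, not the author's or the lab's procedure.  Each entry commits
to the previous entry's hash, so any later edit, deletion or reordering of
the record breaks the chain and is detected on review.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the very first entry


def _digest(entry):
    """Canonical JSON (sorted keys, fixed separators) -> SHA-256 hex."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class ActivityLog:
    def __init__(self, case_id, examiner):
        self.case_id = case_id
        self.examiner = examiner
        self.entries = []

    def record(self, action, **details):
        """Append one action; returns the entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "case_id": self.case_id,
            "examiner": self.examiner,
            "action": action,
            "details": details,
            "prev_hash": prev,
        }
        entry["hash"] = _digest(entry)   # hash covers every field except itself
        self.entries.append(entry)
        return entry["hash"]


def verify_chain(entries):
    """Return (True, None) if the chain is intact, else (False, first bad index)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if (e.get("prev_hash") != prev          # link to predecessor broken
                or _digest(body) != e.get("hash")  # contents changed
                or body.get("seq") != i):          # entry removed or reordered
            return False, i
        prev = e["hash"]
    return True, None


def to_jsonl(entries):
    """Serialise for the case archive, one entry per line."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in entries)


def from_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def demo():
    """Three constructed log entries (placeholders, not a real case)."""
    log = ActivityLog("CASE-0001", "J. Doe")
    log.record("write_blocker_attached", device="hardware write blocker", serial="WB-0001")
    log.record("image_acquired", source="/dev/sdb", image="sdb.dd",
               sha256="<sha256 of image>", tool="dd")
    log.record("keyword_search", image="sdb.dd", keywords=["ebay", "4111"], hits=2)
    return log


if __name__ == "__main__":
    log = demo()
    print(to_jsonl(log.entries))
    print("chain intact:", verify_chain(log.entries))
```

The canonical JSON form matters: hashing the Python dict's default repr would make the chain depend on key order and whitespace, and a record that fails to verify after a harmless re-save is worthless as a control. On a real case the archived log would additionally be signed or written to storage the examiner cannot silently rewrite; the chain only proves that the record is internally consistent.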

For more information about digital forensics investigations, visit Computer Forensics Lab website.


Joseph Naghdi

Forensic computer scientist and senior computer forensics analyst working with Computer Forensics Lab in London, United Kingdom.