Chapter 2

The key to forensic success: examination planning is a key determinant of efficient and effective digital forensics

Mark Pollitt    Digital Evidence Professional Services, Inc., MD, USA

Abstract

The examination of digital evidence, also known as digital forensics, is a technically challenging endeavor. The examination of computers, storage devices, mobile devices, and network traffic requires a great deal of knowledge, skill, and experience coupled with a constantly evolving set of hardware and software tools. Digital forensic examiners are faced with ever-increasing volumes of data, with more complex requests. At the same time, those who need information from these examinations, whether for criminal, civil, regulatory, or human resources purposes, want clear, succinct, and understandable results delivered quickly. To efficiently and effectively complete examinations that meet the needs of their clients, digital forensic examiners need a formal planning process. This chapter suggests a model that involves the creation of a series of questions and hypotheses that will focus the examination on the needed information, while improving the relationship with the client.

Keywords

Digital forensics
forensic examination
forensic analysis
investigative analysis
investigative questions
forensic questions
investigative hypotheses
forensic hypotheses
examination planning

Introduction

You have finished imaging several terabytes of data from several hard drives, verified the hashes, and uploaded copies of the images to your forensic server. So, it is time to start the examination, right? Perhaps, not.
In my early days as an examiner, I did a forensic examination of a personal desktop computer belonging to an alleged participant in a political corruption case. The investigator was a friend of mine and he did not have a clear idea exactly what was going on, but he “knew” that somehow the owner of the computer was involved with whatever was going on. And so, the computer was duly entered into evidence, an examination request made, and the case was assigned to me. After discussing the case with the investigator, I had very little idea what I was looking for, but did have a list of names and “keywords” to search for. I conducted a search for these items, as well as doing a more general “survey” of the drive. While I got some “hits” on a couple of the keywords and names, nothing seemed very pertinent to either me or the investigator. Before I could write up the examination report, the investigator asked me to look for more names and “keywords.” To make a very long story short, this process was repeated, over a period of many months, about seven or eight times. Eventually, my supervisor, during a case review, asked me the most pertinent question: how will you know when you are done with this examination? Eventually, I asked myself the follow-on question: should I not know that before I start the examination?
We learn from our experiences. Several years later, I was assigned to conduct a forensic examination in a large government fraud investigation. The evidence in the case was several magnetic tape backups of a moderately sized UNIX server hosting a proprietary database application. By this point in my career, I understood that restoring a UNIX server could be tricky and that dealing with proprietary databases can be a nightmare. I was determined to find a way to work this case in a more efficient and effective way. First, I determined that the investigators clearly understood the mechanism of the fraud. They needed the examination largely to help them organize their identification of records, find additional victims, and determine the financial value of the fraud scheme. I then determined that the company that wrote the database program and installed the UNIX system in the suspect company’s facility was still in business. I made a proposition to the investigators: collect a half dozen sets of documentation that you know are fraudulent, and we will take them and the backup tapes to the software company; they will restore the tapes and work with us to develop queries that deliver the information you want, in a report format of your design. I would ensure that the process was forensically sound and appropriately documented. And while it cost money for us to fly to the software firm and they charged us a reasonable rate, the investigators got exactly what they were looking for, they got it quickly, and I had a very short report to write.
The difference between these two cases can be summarized in one word: planning. Your super-duper forensic software is capable of doing amazing things. It will scan, index, search, organize, view, and a myriad of other things. All of these things cost time and money. Sometimes, examiners waste huge amounts of both these resources, and still do not conduct an appropriate forensic examination. The term appropriate is used intentionally. While examiners often utilize the word “thorough” to describe the desired examination, in an age where data storage is measured in terabytes, a “thorough” examination is generally unrealistic and probably a tremendous waste of computer resources and time. This chapter will explore why such an exhaustive examination is not the optimal approach in the vast majority of digital forensic examinations, and what should replace it. The beginning of the examination is not the examination, but the planning for the examination. As the old saw goes: prior planning prevents poor performance.

The four phases of digital forensics

There are dozens of models that describe the digital forensic process. In this chapter, I will use a relatively simple one that was described in 2006 by the National Institute of Standards and Technology (NIST) in SP 800-86, which describes the process in four phases, defined as follows.
Collection. Data are identified, labeled, recorded, and acquired from all of the possible sources of relevant data, using procedures that preserve the integrity of the data. Data should be collected in a timely manner to avoid the loss of dynamic data, such as a list of current network connections, and the data collected in cell phones, PDAs, and other battery-powered devices.
Examination. The data that are collected should be examined using a combination of automated and manual methods to assess and extract data of particular interest for the specific situation, while preserving the integrity of the data.
Analysis. The results of the examination should be analyzed, using well-documented methods and techniques, to derive useful information that addresses the questions that were the impetus for the collection and examination.
Reporting. The results of the analysis should be reported. Items to be reported may include the following: a description of the actions employed; an explanation of how tools and procedures were selected; a determination of any other actions that should be performed, such as forensic examination of additional data sources, securing identified vulnerabilities, and improving existing security controls; and recommendations for improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process (Fig. 2.1).
Figure 2.1
For the purposes of this chapter, we will focus on the second and third phases – examination and analysis. As the definitions make clear, the examination phase is the critical bridge between the collection of the evidence and the analysis that makes use of the evidence in the legal context.
Using these definitions, we have two goals. The first is to preserve the integrity of the evidence. While this may seem obvious, it puts significant constraints on our examination. We must only use tools and techniques that do not alter the original evidence; in practice this means working on verified forensic images, as in the opening scenario, rather than on the original media. It also forces us to preserve the context of the data, such as its location within a file system and its metadata. The second goal is really the point of a digital forensic examination, that is, to find and make available information of value to the submitter of the evidence. This raises the question: what is “of particular interest”? This is the first of many questions we should answer before we begin “flipping bits.”

It is a matter of questions

Digital forensics is complex for a number of reasons. Perhaps one of the most significant is that the evidence has to answer a wide variety of questions for a number of different parties. Investigators ask investigative questions, lawyers ask legal questions, and forensic examiners ask technical and forensic questions. Each of these perspectives is legitimate and necessary. All need to be answered in due course. The forensic examiner is in the difficult position of trying to answer, directly or indirectly, all of these questions. Knowing what questions we can answer, and how, is critical. It is useful to look at these questions in some depth (Fig. 2.2).
Figure 2.2

Investigative questions

Investigators, and by this we refer to anyone who seeks information that results in a forensic examination, are taught to answer what can be referred to as the investigative questions. We are all taught them in school: who, what, when, where, why, and how? When these questions are answered, then the investigation is complete. When an investigator presents digital evidence for examination, it should be to answer one or more of these questions. The more clearly these questions can be stated, the more efficiently and effectively an examiner can construct an examination of the evidence. While this may seem intuitively obvious, it often does not play out that way in real life. Often, investigators will provide only the most general description of the alleged activities and suspects. Very often, there is no indication of how the particular digital evidence relates to the case. Sometimes, this is merely because the investigator does not realize that these are critical to the forensic examiner. Other times, the examination is a pretext for a “fishing expedition.” The latter case raises legal and ethical issues and, from a forensic perspective, it is fraught with danger. But in the former case, it is important that the examiner seek enough information to clearly understand the needs of the investigator.
There has recently been some discussion in the forensic and legal communities about limiting the amount of information that forensic examiners are provided, in order to limit potential bias. Balancing the need for an unbiased examination against the need for an efficient and effective one is delicate. Given the uniqueness of each digital forensic examination, this balance needs to be considered for each examination. Communication between the examiner, the investigator, and the lawyers is critical. All of the parties need to clearly articulate what information is needed, why it is needed, and how it will be used.
One way to begin this process is to review the documentation accompanying the request, sometimes called a “tasking.” It goes without saying that no forensic examination should be done without a written request, accompanied by any needed legal authority, such as a search warrant. This request should answer the investigative questions as related to the requested examination. If it does not, then the examiner should take steps to elicit the needed information. One useful approach is for the examiner to write their own tasking document with the examiner’s understanding of the investigative questions. This document, sometimes only a paragraph or so, should be shared with the investigator. This document offers two major benefits. One is that the examiner clarifies the goals and objectives for the forensic examination. The second benefit is that it serves the purpose of managing the expectations of the investigator. By stating specific goals, the examiner knows when they have completed the examination. This helps limit the “scope creep,” like that shown in the example earlier in the chapter.
An example of a tasking, which sets out the investigative questions in the case, might look like the following:

John Doe is an employee of XYZ Corporation. As an employee, he travels for business and is reimbursed by XYZ for his expenses. He is required, by company policy, to submit a travel voucher, along with original receipts, to the company. Doe is suspected of submitting fraudulent travel claims between January 1, 2015 and the present, by utilizing altered receipts. There are indications that Doe takes his original receipts, scans them, and modifies them utilizing Photoshop, increasing the amount paid. The evidence submitted for examination is Doe’s company-owned, desktop computer. An examination is requested to locate any files or data associated with travel claims, vouchers, receipts, and travel documents on this computer.

As can be seen, this tasking statement answers the investigative questions of who, what, when, where, and why. Once we do this, we can then formulate falsifiable investigative hypotheses for these questions. For example:

1. John Doe utilized his computer to submit travel vouchers. (Who, Where, and What)
2. He did so between January 1, 2015 and the present. (When)
3. He utilized Photoshop to alter original receipts. (How)
4. He did so to obtain additional money. (Why)
These represent what the investigator needs to prove. And while each of these elements is important to the case, they may, or may not, be answerable from the evidence presented to the examiner and/or the examiner may not be able to provide scientifically supportable evidence to support these hypotheses.

Legal questions

Forensic examinations are, by definition, done with the legal system as the ultimate potential client. As such, lawyers and questions of law are central to the process. And while forensic examiners know that they do not answer questions of law, the results of their examinations are used, in some cases, to answer legal questions. Examiners also understand that their usual clients, investigators, are concerned with legal questions. But it is crucial to separate the legal questions from the factual questions that can be answered by forensic examiners. Elements of a crime, or liability of parties, are legal issues that are litigated using investigative and forensic results. The investigation and forensic examinations do not, and should not, directly address legal questions. But, forensic examination can provide information of value in connection with the legal questions.
In our hypothetical case, the theory of the case (legal hypotheses) might look something like:
1. John Doe is an employee of XYZ Corporation.
2. John Doe performed authorized travel for the corporation.
3. John Doe was authorized reimbursement for this travel.
4. John Doe was aware of the company’s travel policies, including the need to provide original receipts for expenses.
5. John Doe knowingly and willfully altered original receipts, increased their value, submitted them to the company, and received compensation to which he was not entitled.
Note that most of the elements of the legal case are not questions that would likely be answered by a forensic examination. And while some of these questions might be supported by the findings of the forensic examination, often there are likely better ways of proving them. For example, examining Mr. Doe’s computer may help to establish that he is a company employee; it would be much easier to have the human resources manager testify to that fact.

Forensic questions

Forensic examiners do not answer investigative or legal questions, but rather scientific or technical ones. But designing an examination directly from the investigative and legal questions is difficult. There is a gap between these questions and the actual examination process. That gap is the need to translate, or frame, the preceding questions into actionable examination methods and processes. One way to do that is to utilize a forensic paradigm developed by Inman and Rudin. These authors posited that all forensic disciplines answer a core set of questions about the evidence that they examine. They identified four or five, depending on how you count them, “forensic questions”: identification, classification/individualization, association, and reconstruction. What follows is my interpretation of them in a digital forensic context.

Identification

Identification is simply the scientific ability to define the nature of an object. One example might be to identify specific drugs in a postmortem sample of blood. The digital analog of this would be to locate photographs on removable media. Here, we are documenting the existence of items. While this is the simplest of the definitions, it represents a great deal of the work we do as forensic practitioners. One of the most used features of digital forensic software suites is their ability to identify the data types of most, if not all, of the objects on the examined evidence. For example, many forensic suites will identify all of the text, graphics, and word processing files in the forensic image. That identification should rest on the content of the object, its file signature and internal structure, rather than on its name or extension; a mismatch between the two is itself a finding worth recording.

Classification/individualization

Inman and Rudin define classification as the ability to define objects as coming from a common origin. A bullet recovered from a homicide victim, because of its dimensions, weight, shape, and markings, may be identified as coming from a Smith & Wesson 9mm pistol. Because there are millions of such pistols, this is considered “class evidence,” and the forensic question answered is one of classification. The gun which fired the bullet belongs to the “class” of Smith & Wesson 9mm pistols. If we locate the actual gun used to fire this bullet, we can determine, through the microscopic striations that the barrel imparts on bullets fired through it, that the recovered gun is the source of the bullet recovered from the victim, to the exclusion of all other pistols, and we have “individualized” the evidence. Because of the relationship between these two processes, we refer to them as a single forensic question.
In the digital forensic context, it is useful to extend, slightly, Inman and Rudin’s definition of classification. Digital evidence can be classified by the software or process that created it. TCP segments, UDP datagrams, and the IP packets that carry them are all produced by the network stack, but can be separated into these data types by their structure, and these, in turn, can be further organized by their header fields and content. Similarly, document files can be classified by their structure, .DOC or .DOCX. If two files are hashed and yield an identical value, a common source of the files can be reasonably presumed, absent some other, alternative explanation. Two caveats apply: the match establishes identical content, not which copy came first; and a single changed byte produces an unrelated hash, so an altered receipt will never match its original by exact hash alone. Many digital forensic tools make the classification and individualization of digital objects relatively simple and straightforward. Forensic software often takes the identified file types (as described above), such as word processing, further classifies them as to origin (Microsoft Word), and may finally be able, using a hash algorithm, to individualize a particular document by its hash value as the exact same document found externally. An example of this might be demonstrating that the contract sent to the plaintiff is the same document found on the defendant’s computer.
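The three questions discussed so far can be illustrated in code. The following Python is an added example, not part of the chapter and not code from any forensic suite; the file names, the stub documents, and the handful of file signatures are constructed for the illustration. Identification rests on content (the leading bytes), classification on the internal structure of the container, and individualization on an exact SHA-256 match.

```python
"""Identification, classification and individualization over a small
constructed evidence set. Added example; not from the chapter or any tool,
and every file below is fabricated."""
import hashlib
import io
import zipfile

# A few file signatures ("magic numbers"). Real tools carry thousands.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),  # container used by DOCX/XLSX/ODT/JAR
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls
]


def identify(data: bytes) -> str:
    """Identification: what the object is, judged from content, not its name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify(data: bytes) -> str:
    """Classification: for zip containers, which application family wrote it."""
    kind = identify(data)
    if kind != "zip":
        return kind
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return "zip-other"
    if any(n.startswith("word/") for n in names):
        return "ooxml-word"
    if any(n.startswith("xl/") for n in names):
        return "ooxml-excel"
    return "ooxml-other"


def individualize(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Individualization: group objects whose SHA-256 digests match exactly."""
    groups: dict[str, list[str]] = {}
    for name, data in files.items():
        groups.setdefault(hashlib.sha256(data).hexdigest(), []).append(name)
    return groups


def inventory(files: dict[str, bytes]) -> dict[str, tuple[str, str]]:
    """(identification, classification) for every object, ignoring extensions."""
    return {name: (identify(d), classify(d)) for name, d in files.items()}


def duplicates(files: dict[str, bytes]) -> list[list[str]]:
    """Names of objects that individualize to the same digest (sorted for stability)."""
    return sorted(sorted(g) for g in individualize(files).values() if len(g) > 1)


def make_docx(body: str) -> bytes:
    """Constructed minimal OOXML container; fixed timestamps keep the bytes stable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for path, content in (
            ("[Content_Types].xml", "<Types/>"),
            ("word/document.xml", f"<w:document>{body}</w:document>"),
        ):
            zf.writestr(zipfile.ZipInfo(path, date_time=(2015, 3, 1, 0, 0, 0)), content)
    return buf.getvalue()


# Constructed evidence: two byte-identical voucher copies, a PDF receipt and a
# PNG that was renamed to .jpg (the name lies; the signature does not).
EVIDENCE = {
    "Documents/Travel/Q1_voucher.docx": make_docx("Travel voucher Q1 total 842.00"),
    "Documents/Travel/Q1_voucher (copy).docx": make_docx("Travel voucher Q1 total 842.00"),
    "Documents/Travel/hotel_0312.pdf": b"%PDF-1.4\n% constructed stub, not a real receipt\n",
    "Documents/Travel/hotel_0312_scan.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, (kind, family) in inventory(EVIDENCE).items():
        print(f"{name:45} identified={kind:8} classified={family}")
    print("identical objects:", duplicates(EVIDENCE))
```

Run as a script it prints an inventory: the renamed PNG is identified by its signature regardless of the .jpg extension, the voucher containers classify as Word documents from their internal paths, and the two voucher copies individualize to one digest. Note what the hash match does not tell us: which copy came first, or anything about a copy whose content differs by a single byte.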

Association

Inman and Rudin define association as the ability to “infer contact” between two pieces of evidence. A fingerprint may identify the perpetrator, but having been found at the scene of the crime, it associates the perpetrator with the crime scene. In the digital context, the presence of emails and texts to and from a particular individual associates that person with the device. The degree of that association can range from the mere presence of files (weak association) to biometric logins to the system (strong association). It is important to note that in digital forensics, association can be established between a wide variety of objects, including people, computers, and networks. It is interesting to note that this is one area where forensic software is of less use. The selection of objects and their interpretation usually requires the knowledge and judgement of a trained examiner.

Reconstruction

Reconstruction, according to Inman and Rudin, is the ability to order “events in the relative space and time based on the physical evidence.” The entry and exit wounds on the victim’s body, compared with the location of the spent bullets, may allow forensic scientists to reconstruct both the order of the shots and the position of the body at each impact. Timelines, packet reconstruction, and browser histories are just some of the many ways in which digital forensics answers reconstruction questions.
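A minimal timeline reconstruction, added here as an example and not taken from the chapter or from any tool. All five records are constructed, the desktop’s time zone of UTC-5 is an assumption the examiner would record in the plan, and the expense-portal URL is a placeholder. The point it demonstrates is that events from different sources arrive in different time representations (an ISO timestamp with an offset, a local wall-clock log line without one, a WebKit microsecond count) and must be normalised to one reference before any ordering is meaningful.

```python
"""Reconstruction: merge events from several sources into one ordered
timeline after normalising every timestamp to UTC. Added example, not from
the chapter; all records are constructed and the zone is assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=-5))  # assumed zone of the examined desktop
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome stores µs since 1601


@dataclass(frozen=True, order=True)
class Event:
    when: datetime  # always timezone-aware UTC
    source: str
    detail: str


def from_webkit(microseconds: int) -> datetime:
    """Chrome/WebKit timestamp (µs since 1601-01-01 UTC) to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def from_iso(stamp: str) -> datetime:
    """ISO 8601 with an explicit offset (as file-system tools export it) to UTC."""
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        raise ValueError(f"offset missing in {stamp!r}; use from_local_log instead")
    return dt.astimezone(timezone.utc)


def from_local_log(stamp: str, tz: timezone = LOCAL_TZ) -> datetime:
    """Application logs usually carry local wall-clock time and no offset; the
    examiner must supply the machine's zone or the ordering will be wrong."""
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def build_timeline() -> list[Event]:
    """Constructed records from three sources, merged into one UTC-ordered timeline."""
    events = [
        Event(from_iso("2015-03-12T18:05:10-05:00"), "filesystem", "created Scans/hotel_0312.png"),
        Event(from_local_log("2015-03-12 18:07:42"), "app-log", "Photoshop opened hotel_0312.png"),
        Event(from_local_log("2015-03-12 18:19:03"), "app-log", "Photoshop saved hotel_0312_edit.png"),
        Event(from_iso("2015-03-12T18:19:04-05:00"), "filesystem", "modified Scans/hotel_0312_edit.png"),
        # 2015-03-12 23:31:00 UTC expressed as a WebKit microsecond count
        Event(from_webkit(13070676660000000), "browser", "visited https://expenses.xyz.example/submit"),
    ]
    return sorted(events)


def precedes(timeline: list[Event], earlier: str, later: str) -> bool:
    """True when the first event matching `earlier` happens before the first matching `later`."""
    def first(key: str) -> datetime:
        return next(e.when for e in timeline if key in e.detail)
    return first(earlier) < first(later)


if __name__ == "__main__":
    for e in build_timeline():
        print(e.when.isoformat(), f"{e.source:10}", e.detail)
```

A real reconstruction would also account for clock skew between sources and for file-system timestamps that applications rewrite; the helper deliberately rejects ISO strings without an offset rather than silently guessing a zone, because a wrong guess reorders events without any visible error.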

Forensic questions as a bridge

Inman and Rudin’s paradigm suggests that every question that might be answered by a forensic examiner is covered by one of these four (or five) questions. Experience seems to bear this out. If we accept this notion, then we can use these questions to classify all of the questions that we might be asked to answer with our examination. Conversely, if we cannot classify a given question into one of these categories, then it likely is not a question that can or should be answered by a forensic examiner.
Knowing what forensic question you are answering about a specific piece of evidence, helps to determine what tools and techniques to use for a given examination. We will delve into that aspect later in the chapter. But at this point of the planning process we need to look at the investigative and legal questions to develop forensic questions that will form our forensic hypotheses. It is the forensic questions that provide a “bridge” between the physical world of the investigation and the digital world contained in our evidence.

Developing forensic hypotheses

Returning to our example case, we can look at the investigative questions and translate them into a more technical context. We can develop a list of falsifiable hypotheses which answer the forensic questions:
1. XYZ Corporation travel vouchers will be found on the suspect’s computer.
2. Receipts supporting these vouchers will be found on the suspect’s computer.
3. Original, un-altered receipts will be found on the suspect’s computer.
4. Receipts showing alteration will be found on the suspect’s computer.
5. Software capable of altering original receipts will be located on the suspect’s computer.
6. Indications that such software was used to alter the original receipts will be located on the suspect’s computer.
The first four hypotheses address identification and classification questions. The examiner needs to create a process that will look at all the data on the suspect’s computer, classify them by type (Microsoft Word documents, PDF files, etc.), and from those, identify documents that are travel vouchers or receipts. In addition, hypotheses 3 and 4 address individualization questions, because we are attempting to identify the specific original and altered documents that were obtained by the suspect or submitted to the company. Hypothesis 5 addresses an association question, as it seeks to link the means of this crime to the suspect, while hypothesis 6 attempts to reconstruct the fraudulent activity.
Once all of the forensic questions for the specific examination are identified, it becomes much simpler to design an efficient and effective examination, because these are the only questions that the examiner should be answering.

Knowing how far to go

In the early days of digital forensics there developed a culture that believed that since any data could be hidden anywhere on a computer, then all of the data must be examined. This is the origin of the notion of a “thorough” examination. And the courts were generally supportive of this notion. But as the computer became more and more integral to modern life, privacy concerns grew. This was further exacerbated by the increasing size of digital storage and the inevitable backlog of examinations caused by the need to thoroughly examine every byte of massive devices. Courts, including most recently the United States Supreme Court, are beginning to limit the complete review of stored electronic data in favor of more targeted searches.
From the digital forensic examiner’s perspective, this has a number of implications. First, the goals and objectives of a digital search must be articulated. Failure to document what was searched, why, and under what legal authority may have negative consequences. The justification for conducting a search must be objectively reasonable and the conduct of the search limited to that which is reasonable. And while some will mourn the ability to peruse the evidence unfettered, these emerging restraints may actually have a beneficial impact on the practice of digital forensics.
There is an old computer saw: garbage in, garbage out. Incompletely formed, incomplete, or unjustified examination requests have wasted untold hours and computer clock cycles. The failure to clearly define what is needed, in terms that are within the capabilities of the digital forensic process usually results in several simultaneous outcomes. First, the investigator is disappointed that the forensic examiner did not solve her case on a silver platter. Unfulfilled expectations of forensic examinations are a major issue in digital investigations. Second, the examiner will conduct numerous, un-focused and needless operations on the data, hoping to find what he thinks the investigator wants. The examination will take far longer than is necessary, slowing the ever-increasing volume of examinations.
The notion that forensic examinations “solve” cases is inappropriate and unreasonable. Forensic evidence does not solve cases; it merely supports good investigative work. The notion that because a computer is involved, a case will be solved by a forensic examination, is irrational. The examiner, who proceeds with an examination for which he does not have enough information, is wasting valuable resources and potentially inviting even more restrictive judicial constraints. In any case, the report will likely not be of the highest quality.
Conversely, if the investigator clearly articulates the facts of the case, how she believes that the computer is being used in this matter, and what specific evidence she might reasonably expect to find, the examiner has something to work with. The examiner can then develop forensic questions, which can be shared with the investigator. If the examiner and investigator agree on both the investigator’s tasking statement and the examiner’s forensic questions, then both will have clear expectations.
Beyond the expectation management, the examiner not only has the information that she needs for designing an efficient and effective examination; she knows that when all of the operations that will likely answer the forensic questions have been conducted, the examination phase is complete. In short, she will know when the examination phase is done.

Starting the plan

The plan itself requires more questions and answers. What forensic questions am I answering? From what media or data am I going to answer these questions? Where among the data are my answers likely to be found? And, of course, how will I know I have the data? Each of these is a critical element in the planning process, and we will examine each of them in some detail.
As we saw previously, the forensic questions are the key to constructing the examination in a way that answers both the investigative and the technical/scientific questions. If the forensic questions include identification, then the examiner needs to determine the exact characteristics that must be present in order to identify the type of data sought. If the question is one of classification, will the classification be done by data type (word processing file), application (Microsoft Word), metadata (dates/times), and/or content (includes the address “123 Main St.”)? If the question is individualization, then what is the known hash value of the reference item, and should “fuzzy hashing” (similarity hashing) be used as well, in order to identify altered copies or fragments of otherwise identical data that an exact hash would miss? In the cases where the examiner is attempting to associate the data, computer, or user with some other data, computer, user, or location, then the tasking must include enough information that the examiner can identify the most likely location for data which supports a hypothesis of association. Reconstruction examinations can be the most complex. The examiner needs to identify, from the onset, what sorts of actions or activities need to be reconstructed. But in addition to the questioned activities, there should be some additional examination to ensure that the data identified in the reconstruction are consistent with the other data found on the device or collected data. This will help demonstrate whether the reconstructed events were created in the normal operation of the computer, device, and/or network.
To a trained and experienced examiner, these questions should suggest some number of places where that kind of information might be present. If the forensic questions suggest that we are looking for documents such as word processing files, they will most often be located in the user’s document folders/directories. But that same experienced examiner also recognizes that those same documents might be found in other local user space, such as a dedicated project folder, or in cloud storage. Selecting the locations to be searched is a balance between the need for conducting a sufficiently thorough examination with an efficient one. Examiners must recognize that it is virtually impossible to examine every piece of evidence, from every aspect, in every way possible. Choices must be made and the examiner must determine, from the information provided, how to balance these elements.
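Fuzzy hashing, as mentioned above, in simplified form. This is an added example, not from the chapter and not the ssdeep algorithm itself; the hotel receipt and its altered copy are constructed. It shows why an exact digest cannot individualize an altered receipt, why fixed-size block hashing fails as soon as a line is inserted (every later block shifts), and how context-triggered chunk boundaries resynchronise so that most chunks still match.

```python
"""Context-triggered piecewise hashing (the idea behind ssdeep-style fuzzy
hashes) against fixed-block hashing and an exact digest. Added example, not
code from the chapter or any tool; both receipts below are constructed."""
import hashlib
import zlib

WINDOW = 7   # bytes of context that decide where a chunk ends
BLOCK = 8    # target average chunk length


def exact_match(a: bytes, b: bytes) -> bool:
    """Individualization by exact digest: one changed byte and it fails."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def ctph_chunks(data: bytes) -> set[str]:
    """Cut where the CRC of the trailing WINDOW bytes hits a trigger value.
    A boundary depends only on local content, so after an insertion or
    deletion the split resynchronises within WINDOW bytes."""
    chunks, start = set(), 0
    for i in range(WINDOW, len(data) + 1):
        if zlib.crc32(data[i - WINDOW:i]) % BLOCK == BLOCK - 1:
            chunks.add(hashlib.sha256(data[start:i]).hexdigest()[:16])
            start = i
    if start < len(data):
        chunks.add(hashlib.sha256(data[start:]).hexdigest()[:16])
    return chunks


def fixed_chunks(data: bytes) -> set[str]:
    """Naive alternative: fixed-size blocks. An insertion shifts every later block."""
    return {hashlib.sha256(data[i:i + BLOCK]).hexdigest()[:16]
            for i in range(0, len(data), BLOCK)}


def jaccard(x: set[str], y: set[str]) -> float:
    return len(x & y) / len(x | y) if (x | y) else 1.0


def ctph_similarity(a: bytes, b: bytes) -> float:
    return jaccard(ctph_chunks(a), ctph_chunks(b))


def fixed_similarity(a: bytes, b: bytes) -> float:
    return jaccard(fixed_chunks(a), fixed_chunks(b))


# Constructed "original" hotel receipt as OCR might render the scan.
ORIGINAL_LINES = [
    b"GRAND HOTEL MIDTOWN",
    b"123 Main St, Springfield",
    b"Guest: J. DOE                 Folio 88231",
    b"Arrival 2015-03-10   Departure 2015-03-12",
    b"Room, 2 nights @ 142.00          284.00",
    b"Parking, 2 nights @ 21.00         42.00",
    b"Restaurant 03/11                  57.80",
    b"Occupancy tax 9.5%                36.46",
    b"TOTAL CHARGED                    420.26",
    b"Visa ending 4417 - approved",
    b"Thank you for staying with us",
]
ORIGINAL = b"\n".join(ORIGINAL_LINES) + b"\n"


def altered_receipt() -> bytes:
    """Constructed alteration: one inserted line (39 bytes with newline, so
    later content shifts by a non-multiple of BLOCK) and two same-length
    substitutions that inflate the parking charge and the total."""
    lines = list(ORIGINAL_LINES)
    lines.insert(4, b"Minibar and laundry service      28.50")
    lines = [ln.replace(b"  42.00", b" 142.00").replace(b"420.26", b"548.76") for ln in lines]
    return b"\n".join(lines) + b"\n"


ALTERED = altered_receipt()
UNRELATED = (b"Minutes of the Q1 planning meeting held on 2015-03-05. Attendees agreed "
             b"to move the product launch to May and to hire two engineers for the "
             b"platform team before the end of the quarter.\n")

if __name__ == "__main__":
    print("exact match        :", exact_match(ORIGINAL, ALTERED))
    print("fixed-block sim    :", round(fixed_similarity(ORIGINAL, ALTERED), 2))
    print("ctph sim, altered  :", round(ctph_similarity(ORIGINAL, ALTERED), 2))
    print("ctph sim, unrelated:", round(ctph_similarity(ORIGINAL, UNRELATED), 2))
```

The similarity score is a lead for the examiner, not a conclusion: it says the two objects share most of their content, which narrows the search for the original and altered pair, and the pair is then confirmed by direct comparison and by the metadata and application traces that the other hypotheses call for.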

How do you know when you are done?

Being able to answer the question of when the examination is complete, before beginning the examination, is what Stephen Covey called beginning “with the end in mind.” If the examiner and the investigator have worked together to develop a detailed tasking and a set of forensic questions/hypotheses, then the problem becomes very manageable. It is again a series of questions:
1. What forensic questions am I answering?
2. On what data?
3. Where is that data?
a. Logical location
b. Physical location
c. Application
d. Data Type
e. Time period
f. Data Owner
4. How will I find the required data?
5. How will I know I have the right data?
The examination is done when the forensic questions are answered. By this, we mean the forensic hypotheses are confirmed, refuted, or found to be indeterminate. If confirmed, the evidence is then analyzed, first in a technical/forensic context, and then in an investigative/legal context. Depending on the organization of the work, the latter task may fall to an analyst or investigator instead of the forensic examiner. But in order to do that, we need to construct a process that will answer those questions. That process will need some constraints to make the process objective and sufficient.

Examination phase – data extraction

The first choice is to define what data will be examined. Often digital forensic examiners are provided with numerous evidence items such as hard drives, removable media, and even physical documents. Examining every byte, of every item, for every possible connection to the case is neither practical nor necessary. Knowing the source and use of each of the items can help narrow the examination. If the evidence submission contains the computers of several individuals, then examinations should be tailored to only search the specific computers likely to have pertinent information. If a submitted item is from someone whose role is not central to the investigation, then that computer should normally only be examined to the extent necessary to either locate information relevant to the role the person played, or to eliminate that piece of evidence from further examination.
Closely coupled with the determination of what data will be examined is the determination of where to look for that data. The “where” in this context means both the location of the data and its characteristics. The list above gives an abbreviated set of ways to view the location question. As an example, it does not make sense to look for a user’s slack in the unallocated space of a multiuser file server. And while the particular skills and abilities of the user may dictate a more, or less, rigorous selection of locations, the examiner needs to make explicit choices. By making explicit, documented choices of the data to be examined, the examiner sets enforceable limits on the scope of the examination and provides justification for what was, and was not, examined. On cross-examination the examiner can articulate what they examined and why.
Let us look at some specific criteria. Perhaps one of the decisions that will have the largest impact on the time and efficiency of the examination is whether to look at every byte on the storage media, or to only look at information available to the applications and operating system (physical versus logical examination). In some cases, for example file servers, the examiner may not have authority to search the entire physical drive, and even if she did, shared systems usually do not capture the target user’s unallocated data (slack) when storing files, so it is often not possible to link any slack present to a specific user. The result is that it is usually not productive to perform physical searches of multiuser data storage devices. While slack data (RAM and/or file) can occasionally provide a “smoking gun,” those cases are rare, and the level of effort required to extract and review large amounts of unallocated space should be balanced against the tasking, the forensic questions, and the likelihood of success. Particularly on multiuser storage devices, it is often efficient to focus on the data’s owner. In some cases, the examiner’s legal authority may be limited to a specific person’s data. If the examiner can articulate why the search should be expanded to additional users, such as a system administrative account, he should first determine his authority to do so and document the reasons for expanding the scope of the search.
Another useful classification method is to only examine data from particular applications or application types. If the case involves a financial fraud, certainly accounting, spreadsheet, and database programs and their associated data types should be a high priority. This is not to say that other data types and applications should not be examined. Rather, they should be explicit choices that are prioritized according to an explicit strategy.
A third area that may help define the scope of the search is that of time. Simply limiting the examination to the relevant time period would seem to be a very logical and effective strategy. The use of timelining has become very common and many forensic software tools include it as a feature. Sometimes, it really is this simple. But as all trained digital forensic examiners know, file system and application metadata must be used very carefully, as systems utilize times in many different ways. Data that have been moved from one file/operating system to another are especially tricky. But used carefully, time can not only limit the amount of data to be examined; timelines can also be critical to answering the forensic questions of association and reconstruction.
Once you have selected the data to be examined, the next step is to determine how you are going to extract it. It is often possible to merely check a few boxes in your forensic software suite and wait for the results. But that may not be the most efficient approach, nor may it be as selective as it could be. In the early days of digital forensics there were only command line tools. Two of the benefits of using these tools were that they utilized a plethora of switches and they could be “piped.” Coupled with regular expressions, this allowed examiners to be selective in the data processed, selective in the operations performed on the data, and to pipe the results of one examination to the input of the next, in an increasingly fine sieve. Examiners quickly learned that in order to get relevant results, one had to think through the process and be able to explain why each step was needed and how its output provided reliable and pertinent results.
This same approach can, and probably should, be utilized in the age of forensic software suites. Left to their own devices, many of these tools will perform far too many needless operations on forensic data. Fortunately, most forensic suites offer a scripting function. Learning how to utilize scripts, as well as what the scripts are doing, is a critical skill for examiners wishing to be effective in utilizing these tools. It will also allow the examiner to testify as to why and how the examination was conducted, as opposed to merely: “I ran the software and this is what came out.” It is also very easy to utilize high-level programming languages, such as Python or Perl, to perform operations (scripts) on forensic data. Many scripts are available as open source and some suites allow for the integration of these scripts. Knowledge of these tools will make the examiner much more efficient.
Let us see how this would be applied to our example case. The examiner determines that the company in question utilizes a travel voucher template for the spreadsheet application of their office suite. Travel vouchers are submitted via email with the original receipts attached as .pdf files. She also determines that all desktop computers are connected, via local area network, to laser printer/scanners. These two facts suggest to the examiner that the most likely data files will be associated with the spreadsheet program and that the receipts will likely be in a format generated by the printer/scanners. Further inquiries reveal that these printers email a .pdf file to the user.
This information suggests to the examiner that she should verify the existence of the office suite on the suspect’s computer and extract all of the spreadsheet data files on the computer. Since original receipts are scanned and emailed, all of the emails (and their attachments) originating from the assigned printer/scanner should be extracted, as well as the emails that submitted the travel voucher. The examiner needs to determine if there is software installed on the user’s computer, such as PhotoShop®, which can be used to alter the original receipts. This might be accomplished by examination of the Windows registry files or even by booting a forensic copy of the suspect’s computer. If such software is located, the data types associated with it, for example .tiff, .jpg, or .pdf, should be determined.
In order to minimize the number of files to be visually reviewed, the examiner might begin a timeline. Using the dates of travel and the dates the vouchers were submitted will allow for the elimination of many irrelevant files. This timeline will be critical in the analytic phase, as it serves as a framework for the reconstruction of the suspect’s activities. It may be possible, with a brief review of the initial round of data extraction, to eliminate, or at least to reduce the priority of, data located in areas less likely to hold relevant information. The goal is to eliminate as much nonpertinent information as possible while identifying pertinent information. The more that this process can be done using efficient data queries, the less information the examiner has to visually inspect and evaluate. Visual confirmation that the recovered data are responsive to the forensic questions, and are as complete as can be determined, is a necessary step before moving forward to the next phase.
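As an added example (not part of the chapter, and not any forensic suite’s own scripting API), the following Python script applies a documented scope of the kind built up in the example case, spreadsheet and image data types, the printer/scanner mailbox, the data owner and the travel period, to a constructed inventory of extracted artifacts, and returns both the in-scope items and a record of the criteria for the examination report. The file paths, mail addresses and dates are all constructed.

```python
"""Apply an explicit, documented examination scope to an inventory of
extracted artifacts. Added example, not the chapter's own code: the
inventory, the scope criteria and the dates are all constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Artifact:
    path: str
    ext: str          # data type, e.g. ".xlsx"
    owner: str        # account that owns the file (data owner)
    modified: date    # file system modified date (use with care)
    sender: str = ""  # email sender for mail items, else empty


# Constructed inventory standing in for the output of a forensic suite.
INVENTORY = [
    Artifact("Users/jdoe/Documents/voucher_mar.xlsx", ".xlsx", "jdoe", date(2015, 3, 14)),
    Artifact("Users/jdoe/Documents/budget.xlsx", ".xlsx", "jdoe", date(2014, 11, 2)),
    Artifact("Users/jdoe/Pictures/receipt1.tiff", ".tiff", "jdoe", date(2015, 3, 12)),
    Artifact("Users/jdoe/Mail/scan_0042.eml", ".eml", "jdoe", date(2015, 3, 12), "scanner@corp.example"),
    Artifact("Users/jdoe/Mail/newsletter.eml", ".eml", "jdoe", date(2015, 3, 13), "news@corp.example"),
    Artifact("Users/admin/Documents/voucher_mar.xlsx", ".xlsx", "admin", date(2015, 3, 14)),
]

# Explicit scope choices recorded before extraction: data types of the
# spreadsheet and image applications, the scanner mailbox, owner, period.
SCOPE = {
    "exts": {".xlsx", ".tiff", ".jpg", ".pdf"},
    "mail_senders": {"scanner@corp.example"},
    "owner": "jdoe",
    "period": (date(2015, 3, 1), date(2015, 3, 31)),
}


def in_scope(a: Artifact, scope: dict) -> bool:
    """True if the artifact matches every documented scope criterion."""
    start, end = scope["period"]
    if a.owner != scope["owner"] or not (start <= a.modified <= end):
        return False
    if a.ext == ".eml":                      # mail: keep only scanner traffic
        return a.sender in scope["mail_senders"]
    return a.ext in scope["exts"]


def select_artifacts(inventory, scope):
    """Return the in-scope artifacts plus a scope record for the report."""
    selected = [a for a in inventory if in_scope(a, scope)]
    record = {"examined": len(selected), "excluded": len(inventory) - len(selected),
              "criteria": {k: sorted(v) if isinstance(v, set) else v for k, v in scope.items()}}
    return selected, record
```

The scope record is what lets the examiner later state exactly what was, and was not, examined and why.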
What we are doing is extracting and organizing data into information. The difference between data and information is that information is structured and contextualized. Once the data are extracted and organized, the examiner needs to evaluate the result to determine if the examination obtained the desired data. We are, of course, not talking at this stage about whether the data support or refute any hypothesis, but rather: “is this all of the data that I intended to extract?” When the examiner has extracted and organized all of the data identified in these steps, the data collection phase is complete. Only then can the examiner evaluate the information to determine if it supports or refutes the forensic hypotheses developed from the forensic questions. This is the beginning of the forensic analysis.

The forensic analysis

It is important to differentiate the forensic analysis from the investigative analysis. The former seeks to answer the forensic questions by supporting, refuting, or finding indeterminate the associated forensic hypotheses. It is in this phase that the forensic examiner contributes the most value. While knowing how to efficiently and effectively extract data is a skill, the ability to organize that data in a way to provide clear answers to the forensic questions and to support those conclusions in a report or testimony is far more challenging. It requires logical thinking, an open mind, and a thorough understanding of how hardware, software, and networks operate.
The analysis phase tests the forensic hypotheses. In our example case, we had six forensic hypotheses. As previously noted, the first four were identification questions. The data need to be reviewed to determine if any of the extracted data files can support or refute any of these hypotheses. If the examiner were able to identify software that could be used to alter the original receipts, then the fourth hypothesis is supported; if not, it is rejected. The last hypothesis, relating to the use of software to alter the original receipts, requires knowledge, logical thinking, and a degree of judgement from the examiner.
Even if we affirm all of the hypotheses, the examiner’s job is not complete. The overlying forensic questions seek to answer questions of association and reconstruction. The examiner must answer whether the actions that produced the data identified in the examination were likely performed by the suspect, and in what sequence the suspect’s actions occurred. It is here that the timeline can be an invaluable tool to support or refute the allegations. It is also one of the ways that the examiner can accomplish two critical functions: determining (if possible) a confidence level and identifying alternative explanations for the identified data.
Finding data is rarely sufficient. It is its context that allows the examiner, investigator, judge, and jury to evaluate the reliability and weight of the evidence. Forensic examiners have a legal and professional responsibility to not overstate the confidence in their results. A review of the evidence in the timeline may help to expose strengths and weaknesses in the examiner’s analysis. Similarly, in constructing and evaluating alternative explanations, the timeline is useful to point out data that support or refute each alternative explanation.

The examination planning process

We have worked our way through building a step-by-step method of building a digital forensic examination based on identified requirements and a scientific approach. The model described in this chapter can visually be represented by the Examination Planning Process Model shown in Fig. 2.3.
Figure 2.3 The Examination Planning Process Model.
The investigator provides the investigative questions in the examination request. A set of investigative hypotheses are developed which would potentially answer those questions. Combined, these form the tasking for the examination.
The examiner then develops a set of forensic questions, which in turn, yield a set of forensic hypotheses. The examination steps are then designed, focusing on the data and artifacts that will answer those specific questions and hypotheses, to most efficiently and effectively complete the examination phase.
Once the data have been extracted, the examiner then enters the analysis phase, where the data are organized to show where the data support, refute, or demonstrate the indeterminate nature of each of the forensic hypotheses. In turn, these results will dictate the answers to the forensic questions posed by the tasking.

Conclusion

In this chapter, we have described the examination planning process as a series of questions whose answers provide a logical approach to the work and, once answered, ensure an efficient and effective digital forensic examination. In addition to this increased efficiency, this process provides the examiner with the ability to clearly articulate why the steps of a particular examination were taken, fosters communication with the submitter of the evidence, and manages expectations. The time spent on this planning process will pay rich rewards in allowing the examiner to spend their time on those tasks that require their knowledge and experience.

Examination planning references

Carrier B. File system forensic analysis. 1st ed. Boston, MA; London: Addison-Wesley; 2005.

Covey SR. The 7 habits of highly effective people: powerful lessons in personal change. Anniversary ed. New York: Simon & Schuster; 2013.

Goldfoot J. The physical computer and the fourth amendment. Berkeley Journal of Criminal Law. 2011;16:112.

Hosmer C. Python forensics: a workbench for inventing and sharing digital forensic technology. 1st ed. Waltham, MA: Syngress; 2014.

Hosmer C. Time-lining computer evidence [Internet]. n.d. Available from: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.69.3520&rep=rep1&type=pdf. Accessed 09.08.15.

Inman K, Rudin N. Principles and practice of criminalistics: the profession of forensic science. 1st ed. Boca Raton, FL: CRC Press; 2001.

Kent K, Chevalier S, Grance T, Dang H. Guide to integrating forensic techniques into incident response. NIST Special Publication 800-86; 2006.

Larson SP. Concerning file slack. In: ADFSL Conference on Digital Forensics, Security and Law; 2009.

National Commission on Forensic Science. Ensuring that forensic analysis is based upon task-relevant information; 2015.

Riley v. California, No. 13-132 (U.S. June 25, 2014) [Internet]. Available from: http://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf. Accessed 08.29.15.

Russo T. Unlimited data?: placing limits on searching cell phone data incident to a lawful arrest. Fordham Law Review. 2014;82.

United States v. Wurie, No. 13-212. LII Supreme Court Bulletin, Legal Information Institute [Internet]. n.d. Available from: https://www.law.cornell.edu/supct/cert/13-212. Accessed 08.29.15.
