Saturday, October 22, 2016

Preparations A through G were a complete failure

I agree that preparation for a digital search is the most critical step in a digital investigation. In 'Electronic crime scene investigation' the very first point called out for review is "First responders without the proper training and skills should not attempt to explore the contents of or to recover information from a computer or other electronic device other than to record what is visible on the display screen." (Ballou, 2010, p. x) This point is singled out because without the proper training, skill, and tools the collection of digital evidence is impossible: the lack of any of the three will result in destruction of the very evidence to be investigated. Acquiring and properly deploying those three things makes up the preparation phase.
If only a partial preparation has occurred, say the correct tools are collected but a properly trained responder cannot be found, then those tools can be used incorrectly, which throws off the whole investigation. Leach (2010) gives an example where the proper tool, EnCase, is used to examine disk and file system evidence but with the wrong timezone set for the evidence file. By botching the preparation phase and proceeding to Collection with an insufficiently skilled responder, the evidence file was collected in a way that causes the data to be examined incorrectly during the Examination phase (Cisar, Maravic Cisar, & Bosnjak, 2014).
From a personal standpoint, I have written tools for performing network intrusion response. What is possible in the digital realm is virtually unlimited, given proper preparation. Without the proper tools, or without the skill to use them, some actions are simply impossible. For instance, reconstructing recently deleted files (actually deleted, not just moved to the Recycle Bin) is quite possible with a tool that can read the raw disk data and is aware of the file system in use. Without a tool to access raw disk data, though, an investigator will not be able to do it. That is a fun tool to write; I helped with one.
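The two points above, that a deleted file can be recovered by a tool that reads the raw disk and understands the file system, and that the examiner's timezone setting decides where a timestamp lands on the timeline, can both be shown on one small image. The following is an added example, not code from the post or from any of the tools it mentions. It builds a constructed, simplified FAT-style image in memory (boot sector left blank, a one-sector root directory, one sector per cluster), writes one live file and one file marked deleted the way FAT does it (first name byte overwritten with 0xE5, cluster and size left intact), then recovers the deleted content from the raw data area and converts the entry's zone-less timestamp to UTC under two different assumed zones. The directory field offsets match real FAT short entries; the sector layout and file contents are constructed for the example.

```python
# Added example (not from the post): recover a deleted file from a raw,
# simplified FAT-style image and show how the examiner's timezone assumption
# shifts the reconstructed timeline. Layout and contents are constructed.
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
DIR_SECTOR = 1           # sector holding the root directory (constructed layout)
DATA_SECTOR = 2          # first data sector; FAT numbers the first data cluster 2
CLUSTER_BYTES = SECTOR   # one sector per cluster keeps the arithmetic simple
DELETED_MARK = 0xE5      # FAT marks a deleted entry by overwriting name[0]
ENTRY_FMT = "<8s3sB10sHHHI"   # name, ext, attr, reserved, mtime, mdate, cluster, size

LIVE_MTIME = datetime(2016, 10, 21, 9, 30, 0)    # constructed stamps, local time
MEMO_MTIME = datetime(2016, 10, 21, 17, 45, 0)


def fat_stamp(dt):
    """Pack a naive local datetime into FAT's 16-bit date and time words."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date, time


def dir_entry(name, ext, first_cluster, size, mtime, deleted=False):
    """Build a 32-byte short directory entry using real FAT field offsets
    (mtime at 22, mdate at 24, low cluster word at 26, size at 28)."""
    raw_name = name.ljust(8)[:8].encode("ascii")
    if deleted:
        raw_name = bytes([DELETED_MARK]) + raw_name[1:]
    date, time = fat_stamp(mtime)
    return struct.pack(ENTRY_FMT, raw_name, ext.ljust(3)[:3].encode("ascii"),
                       0x20, b"\0" * 10, time, date, first_cluster, size)


def build_image():
    """Constructed 8-sector image: one live file and one deleted file whose
    data cluster has not yet been reused."""
    img = bytearray(8 * SECTOR)
    live = b"quarterly figures, nothing unusual\n"
    gone = b"draft memo the suspect deleted on 2016-10-21\n"
    entries = (dir_entry("REPORT", "TXT", 2, len(live), LIVE_MTIME)
               + dir_entry("MEMO", "TXT", 3, len(gone), MEMO_MTIME, deleted=True))
    img[DIR_SECTOR * SECTOR:DIR_SECTOR * SECTOR + len(entries)] = entries
    img[DATA_SECTOR * SECTOR:DATA_SECTOR * SECTOR + len(live)] = live
    img[(DATA_SECTOR + 1) * SECTOR:(DATA_SECTOR + 1) * SECTOR + len(gone)] = gone
    return bytes(img)


def parse_directory(img):
    """Yield (name, first_cluster, size, naive_mtime, deleted) per entry."""
    base = DIR_SECTOR * SECTOR
    for off in range(base, base + SECTOR, 32):
        raw = img[off:off + 32]
        if raw[0] == 0x00:
            break                         # end-of-directory marker
        name, ext, _attr, _rsv, time, date, cluster, size = struct.unpack(ENTRY_FMT, raw)
        deleted = name[0] == DELETED_MARK
        shown = (b"?" + name[1:] if deleted else name).decode("ascii").rstrip()
        mtime = datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                         time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
        yield shown + "." + ext.decode("ascii").rstrip(), cluster, size, mtime, deleted


def recover_deleted(img):
    """Return {name: content} for deleted entries by reading the raw data area.
    Only the first cluster is trustworthy this way: deleting a file zeroes its
    FAT chain, so multi-cluster files need carving or chain heuristics, and the
    data survives only until the cluster is reused."""
    out = {}
    for name, cluster, size, _mtime, deleted in parse_directory(img):
        if deleted:
            start = (DATA_SECTOR + (cluster - 2)) * SECTOR
            out[name] = bytes(img[start:start + min(size, CLUSTER_BYTES)])
    return out


def to_utc(naive_local, assumed_utc_offset_hours):
    """FAT stores local time with no zone; the examiner's zone setting decides
    where the event lands on a UTC timeline (the timezone pitfall above)."""
    tz = timezone(timedelta(hours=assumed_utc_offset_hours))
    return naive_local.replace(tzinfo=tz).astimezone(timezone.utc)


if __name__ == "__main__":
    image = build_image()
    for entry in parse_directory(image):
        print(entry)
    print(recover_deleted(image))
    # Same stored stamp, six hours apart depending on the assumed zone.
    print(to_utc(MEMO_MTIME, -5).isoformat(), to_utc(MEMO_MTIME, 1).isoformat())
```

Running the block prints both directory entries, the recovered memo text, and the memo's modification stamp placed at 22:45 UTC under an assumed UTC-5 zone and at 16:45 UTC under UTC+1. The recovery works only because the raw data area is read directly; a listing through the file system API would show neither the deleted entry nor its cluster.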

Ballou, S. (2010). Electronic crime scene investigation: A guide for first responders. Diane Publishing.
Cisar, P., Maravic Cisar, S., & Bosnjak, S. (2014). Cybercrime and digital forensics: Technologies and approaches. DAAAM International Scientific Book.
Leach, S. (2010). What every lawyer needs to know about computer forensic evidence.
