History of Digital Forensics
Digital forensics is the science of collecting, maintaining, and recording evidence from digital devices. These devices may include, but are not limited to, computers, mobile phones, cameras, and storage devices (ISFS, 2004). The science of digital forensics is built around the idea that any information obtained from a digital device must be preserved in a manner that protects the integrity and accuracy of the digital evidence collected, so that it may be used in legal proceedings. The process needs to follow recognized procedures, which have been upheld in court proceedings, to ensure admissibility in a court of law. However, it is important to remember that there are many different digital forensics organizations, each with its own set of standards and procedures (Leong, 2006); nevertheless, each organization's procedures should share some common elements to ensure that the evidence is admissible in court proceedings. In this paper I will be using the Scientific Working Group on Digital Evidence standards as a model for standards and procedures for collecting digital evidence, as this is a widely accepted model that has been used in court proceedings across the United States.
In 2004, the Scientific Working Group on Digital Evidence (SWGDE, 2004), consisting of experts from the field of digital forensics, published a procedural manual for the collection and maintenance of digital evidence from digital devices. The manual covers everything from first-on-scene triage to report writing and is quite long. For this reason, I will discuss only some of the more important steps the committee laid out in its report.
Powered On Systems
1. The examiner should first check the system for any running processes. Do not turn the computer off as it could damage the system or data.
2. Try to capture any data that is easily and readily available.
3. Make sure to document any other machines that may be connected to the network.
4. The examiner should isolate the device from any network it may be connected to.
5. Power off the machine if necessary for transport.
Powered Off Systems
1. Do not turn the computer on.
2. Disconnect the device from any network activity.
3. Power on the computer and capture evidence to trusted media.
1. Every piece of equipment should be labeled and secured for proper chain of custody.
2. All equipment should be handled with care as damage may occur during transport.
1. All examiner equipment should be examined for proper working condition and documented.
2. Hardware and software need to be configured properly to maintain integrity.
3. Digital forensic tools must be validated prior to use.
1. All digital forensics examiners should be properly trained in the field of digital forensics.
2. All physical evidence should be inspected for proper working condition and documented.
3. Methods should be forensically sound and need to be verifiable.
4. All evidence should be maintained so as to assure integrity.
5. All errors should be documented.
6. Hardware or software write blockers should be employed to prevent the examiner from writing to the original source.
1. Examiners should be trained in digital forensics.
2. The examiner needs to review requestor information to determine examination
3. The examiner should review legal documents/warrants.
4. Examinations should be conducted on digital copies, not the originals, if possible.
5. Examination should always follow appropriate standards and departmental
Documentation and Chain of Custody
1. All processes and steps should be documented properly.
2. Chain of evidence should always be ensured.
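As an added illustration of the integrity and documentation steps above (not code from the original paper or from the SWGDE manual): the original is hashed at acquisition, the examination proceeds only on a working copy whose hash is re-checked first, and every action, including a failed check, is appended to a chain-of-custody record that can go into the report. The sample image bytes, item label and examiner names are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "disk image": stands in for the bit-for-bit copy an
# examiner would acquire to trusted media through a write blocker.
SAMPLE_IMAGE = b"MBR\x00" + bytes(range(256)) * 4 + b"END"


def sha256_hex(data: bytes) -> str:
    """Fingerprint used to make the evidence item verifiable later."""
    return hashlib.sha256(data).hexdigest()


def _entry(action: str, examiner: str, digest: str, note: str = "") -> dict:
    """One chain-of-custody line: who did what, when, and what hash they saw."""
    return {"action": action, "examiner": examiner, "sha256": digest,
            "time": datetime.now(timezone.utc).isoformat(), "note": note}


def acquire(original: bytes, examiner: str, item_label: str) -> tuple:
    """Hash the original at seizure and hand back a working copy plus record.

    The original is never examined directly; the record starts the
    chain-of-custody log for this item.
    """
    digest = sha256_hex(original)
    record = {"item": item_label, "sha256": digest,
              "custody": [_entry("acquired", examiner, digest)]}
    return bytes(original), record


def verify_copy(working_copy: bytes, record: dict, examiner: str) -> bool:
    """Re-hash the working copy before examination and log the outcome.

    A mismatch is recorded rather than hidden (all errors are documented),
    and the examination must not proceed on that copy.
    """
    digest = sha256_hex(working_copy)
    ok = digest == record["sha256"]
    action = "verified" if ok else "integrity_failure"
    note = "" if ok else "expected " + record["sha256"]
    record["custody"].append(_entry(action, examiner, digest, note))
    return ok


def custody_log(record: dict) -> str:
    """Serialize the record for inclusion in the report of findings."""
    return json.dumps(record, indent=2)
```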
Report of Findings
1. Report should be written in a non-technical form that is easily understandable by non-technical persons.
2. Examiner should be able to explain his processes and findings.
3. Report should include all relevant information and address the requestor’s needs.
4. Report should be fact based and non-biased.
The processes outlined above are neither complete nor exhaustive and have been paraphrased. The goal here was to provide a representation of some of the standards and processes that digital forensic examiners follow to ensure that court cases are not dismissed due to examiner error during a digital forensic examination.