Chapter 24: Digital Evidence Examination Guidelines


Overview

Eoghan Casey and Troy Larson

The forensic sciences require adherence to standards of operation and of performance. These standards must be clearly enunciated and must be, at least in their basic form, the consensus of opinion of workers in that particular subject area. Stated differently, forensic scientists are not entitled to indulge whims in the conduct of their work. They must adhere to performance norms which have been previously laid down. A forensic scientist who adopts an extreme position that runs counter to the flow of prevailing opinion on a subject, or who enters an area in which operational norms have not been established, has a burden even greater than usual to justify that position in the light of good scientific practice. (Thornton J.I. (1997) "The General Assumptions and Rationale of Forensic Identification," in David L. Faigman, David H. Kaye, Michael J. Saks, & Joseph Sanders, Editors, Modern Scientific Evidence: The Law and Science of Expert Testimony, Volume 2, St. Paul, MN: West Publishing Company)

With the decreasing cost of data storage and the increasing volume of commercial files shipped with operating system and application software, forensic computer examiners can easily be overwhelmed by the sheer number of files on even one hard drive or backup tape. Accordingly, examiners need procedures, such as the one outlined below, to focus on potentially useful data. Less methodical analysis techniques, such as searching for specific keywords or extracting only certain file types, may not only miss important clues but can also leave the examiners floundering in a sea of superfluous data.

A procedure such as the one detailed in the Handbook of Computer Crime Investigation, Chapter 2 (Larson 2001) provides a means for the investigator to intelligently reduce data and obtain consistent, reliable results. Important aspects of this procedure are demonstrated in this chapter. While the data processing steps outlined here focus on preparing electronic records for civil litigation, the process of filtering out irrelevant, confidential, or privileged data is applicable to many forensic computer analysis situations, including:

  • Eliminating valid system files and other known entities that have no relevance to the investigation.

  • Focusing an investigation on the most probable user-created data.

  • Managing redundant files, which is particularly useful when dealing with backup tapes.

  • Identifying discrepancies between forensic computer analysis tools, such as missed files and MD5 hash errors.

Additionally, the output of this process provides a solid foundation for subsequent analysis, including classification, individuation, evaluation of source, and temporal reconstruction.
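As an added illustration, not code from the chapter or from Maresware, EnCase, or FTK, the following Python model walks through three of the data-reduction steps listed above: eliminating known system and application files by hash, grouping redundant copies so they can be managed together, and comparing two tools' file inventories to surface missed files and hash discrepancies. The file contents, paths and hash set are constructed for the example.

```python
import hashlib

# Constructed sample "evidence" set: path -> file content. It stands in for files
# recovered from a drive image or backup tape and is not data from the book.
SAMPLE_FILES = {
    "WINDOWS/system32/kernel32.dll": b"known operating-system binary",
    "Program Files/App/app.exe": b"known application binary",
    "Documents/memo.doc": b"Q3 memo: contract terms",
    "Documents/memo (copy).doc": b"Q3 memo: contract terms",   # redundant copy
    "Backup/tape1/memo.doc": b"Q3 memo: contract terms",       # redundant copy
    "Documents/notes.txt": b"meeting notes with client",
}

def md5_hex(data: bytes) -> str:
    """MD5 is the hash the chapter's tools report. It is used here only to match
    hash sets and detect redundancy, not as a security control."""
    return hashlib.md5(data).hexdigest()

def reduce_evidence(files: dict, known_hashes: set) -> dict:
    """Apply the reduction steps to an in-memory file set.

    Returns the files still worth examining, keyed by content hash so that
    redundant copies (common across backup tapes) are grouped together."""
    candidates = {}
    for path, data in files.items():
        digest = md5_hex(data)
        if digest in known_hashes:        # eliminate known system/application files
            continue
        candidates.setdefault(digest, []).append(path)   # group redundant files
    return candidates

def find_discrepancies(tool_a: dict, tool_b: dict) -> dict:
    """Compare two tools' inventories (path -> MD5) and report files that one
    tool missed and files whose hashes disagree between the tools."""
    missing_in_b = sorted(set(tool_a) - set(tool_b))
    missing_in_a = sorted(set(tool_b) - set(tool_a))
    mismatched = sorted(p for p in set(tool_a) & set(tool_b) if tool_a[p] != tool_b[p])
    return {"missing_in_b": missing_in_b, "missing_in_a": missing_in_a, "mismatched": mismatched}

# Known-file hash set, built here from the constructed system/application files.
# In practice it would come from a reference hash library such as NIST's NSRL.
KNOWN_HASHES = {md5_hex(SAMPLE_FILES[p])
                for p in ("WINDOWS/system32/kernel32.dll", "Program Files/App/app.exe")}

if __name__ == "__main__":
    for digest, paths in reduce_evidence(SAMPLE_FILES, KNOWN_HASHES).items():
        print(digest, paths)
```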

This chapter demonstrates three approaches to implementing the evidence processing methodology. The first approach uses command line utilities, primarily from Maresware.[1] Sample batch and configuration files described in this chapter are available on the Web site associated with this book. The other two approaches use the GUI tools EnCase and FTK. The same methodology can be translated to UNIX-based tools.

[1] http://www.maresware.com


Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279