First steps in analysis
Analysis of digital media requires an instinct for rooting out evidence and the use of intuition to connect the dots. In the field of digital forensics, analysis can take two forms:
- Evidence recovery
  - The analyst identifies information relevant to the investigation and presents it in a neutral form.
- Expert analysis
  - Following on from evidence recovery, the analyst draws expert conclusions from the information (perhaps constructing a timeline of events) or connects various pieces of evidence together.
Expert analysis can vary widely, from simple factual conclusions to a more speculative assessment of what the recovered evidence represents. In criminal cases the latter is generally avoided at the analyst level. By comparison, in civil and corporate investigations speculative assessment is more common, because managers often lack the technical understanding that law enforcement personnel might have to draw such conclusions themselves.
When conducting an investigation it is important to remember who will receive the evidence you collect, and to perform an analysis that meets their requirements and needs. This section covers some basic ideas about organising the analysis of digital media, together with the basic terminology; to follow it you need a working understanding of how computers store data on hard drives.
Scope of analysis
The aim of any digital investigation is usually to prove or disprove a hypothesis (alternatively you might be asked to go on a "fishing exercise" to find useful intelligence, perhaps to identify the associates of a known criminal). Before you begin work it is a good idea to write down and confirm these aims and to define the scope of the analysis. Defining a scope is important for a number of reasons:
- Cost
  - Digital forensics can be an expensive process (in terms of resources and staff time), and time spent on unrelated searches is money wasted
- Time
  - Closely related to cost: many investigations have a time limit imposed by management or (in the case of criminal work) by the courts
- Succinct evidence
  - Without focus an analysis may produce a large amount of tangentially relevant information, leaving conclusions hard to draw
One way to ensure a focused analysis is to carefully list the aims of the investigation (i.e. what you wish to prove), then to list the sort of evidence that may contain relevant information. For example, in an investigation into computer hacking, an in-depth graphic image analysis is likely to be of less use than searches for chat logs.[notes 1]
Whilst it is important to define a scope, the nature of forensic investigation means that it is not always followed stringently. For example, it might be decided that chat logs are unlikely to be relevant, and then other evidence subsequently indicates that they may contain useful data. The benefit of defining a scope is that it gives examiners a place to start.
Once an examiner knows the type of evidence required, the next, rather obvious, step is to extract it from the acquired media.
Restoring deleted data is one of the fundamental activities performed by a forensic analyst. To understand why deleted data is recoverable we need some background on how information is stored by a computer.
The hard drive is the storage medium; on it, data is reduced to a stream of 1s and 0s, or bits. Eight bits make up one byte and, on a typical hard drive, a block of either 512 or 4096 bytes is stored as one sector. The sector is the fundamental unit of storage on the drive, but file systems allocate space in groups of sectors, termed clusters. A file is always given whole clusters, so the unused tail of its last cluster (slack space) may still hold older data, and when a file is deleted the file system normally only marks its clusters as free: their contents stay on the disk until something else overwrites them, which is why deleted data can be recovered.
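To make the sector and cluster arithmetic and the "deleted data survives" point concrete, here is an added example; it is not part of the original page. It models a toy volume in Python with 512-byte sectors and 8-sector (4096-byte) clusters, which are assumed values for a common layout. Deleting a file only flags its directory entry and releases its clusters; a carve over the raw clusters still finds the whole file, and after a new file reuses the first cluster the remainder still survives in the second. The ToyVolume class, its first-fit allocation, the "LOG1" header and the sample chat log are all constructed for illustration and do not correspond to any real file system.

```python
"""Added example: toy volume showing sectors, clusters, slack space and
why deleted data is recoverable. Not a real file system; geometry is assumed."""
from dataclasses import dataclass

BYTES_PER_SECTOR = 512
SECTORS_PER_CLUSTER = 8                     # assumed: 8 x 512 = 4096-byte clusters
CLUSTER_SIZE = BYTES_PER_SECTOR * SECTORS_PER_CLUSTER

# Constructed sample data: a 4604-byte "chat log" with a made-up LOG1 header.
SAMPLE_LOG = b"LOG1" + b"hacker joined #channel\n" * 200


def offset_to_geometry(byte_offset):
    """Map a byte offset on the volume to (sector, cluster, offset within cluster)."""
    return (byte_offset // BYTES_PER_SECTOR,
            byte_offset // CLUSTER_SIZE,
            byte_offset % CLUSTER_SIZE)


def clusters_needed(size):
    """Files are allocated whole clusters; the unused tail of the last one is slack."""
    return -(-size // CLUSTER_SIZE)         # ceiling division


@dataclass
class DirEntry:
    name: str
    start_cluster: int
    size: int
    deleted: bool = False


class ToyVolume:
    """Flat image plus a free-cluster map and a directory, like a very simple FAT."""

    def __init__(self, n_clusters):
        self.n_clusters = n_clusters
        self.image = bytearray(n_clusters * CLUSTER_SIZE)
        self.free = [True] * n_clusters
        self.directory = []

    def write_file(self, name, data):
        needed = clusters_needed(len(data))
        for start in range(self.n_clusters - needed + 1):   # first-fit, contiguous
            if all(self.free[start:start + needed]):
                break
        else:
            raise OSError("volume full")
        for c in range(start, start + needed):
            self.free[c] = False
        base = start * CLUSTER_SIZE
        self.image[base:base + len(data)] = data            # bytes after EOF (slack) are left as they were
        self.directory.append(DirEntry(name, start, len(data)))
        return start

    def lookup(self, name):
        for entry in self.directory:
            if entry.name == name and not entry.deleted:
                return entry
        raise FileNotFoundError(name)

    def read_file(self, name):
        entry = self.lookup(name)                            # live entries only, as an OS would
        base = entry.start_cluster * CLUSTER_SIZE
        return bytes(self.image[base:base + entry.size])

    def delete_file(self, name):
        """Deletion only flags the entry and releases the clusters; nothing is wiped."""
        entry = self.lookup(name)
        entry.deleted = True
        for c in range(entry.start_cluster, entry.start_cluster + clusters_needed(entry.size)):
            self.free[c] = True

    def raw_cluster(self, c):
        return bytes(self.image[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])

    def carve(self, signature, length):
        """Ignore the directory and look for a file header at each cluster boundary."""
        hits = []
        for c in range(self.n_clusters):
            if self.raw_cluster(c).startswith(signature):
                base = c * CLUSTER_SIZE
                hits.append((c, bytes(self.image[base:base + length])))
        return hits


def demo():
    vol = ToyVolume(n_clusters=16)
    vol.write_file("chat.log", SAMPLE_LOG)                 # occupies clusters 0 and 1
    vol.delete_file("chat.log")
    try:
        vol.read_file("chat.log")
        visible = True
    except FileNotFoundError:
        visible = False
    carved = vol.carve(b"LOG1", len(SAMPLE_LOG))          # whole file still recoverable
    vol.write_file("notes.txt", b"x" * 100)               # reuses cluster 0, clobbering the header
    carved_after = vol.carve(b"LOG1", len(SAMPLE_LOG))    # header gone, carving by signature fails
    return visible, carved, carved_after, vol


if __name__ == "__main__":
    visible, carved, carved_after, vol = demo()
    print("visible to the OS after delete:", visible)
    print("carved before reuse:", [(c, len(d)) for c, d in carved])
    print("carved after reuse:", carved_after)
    print("tail still in cluster 1:", b"hacker joined" in vol.raw_cluster(1))
```

The second carve returning nothing while cluster 1 still holds most of the log is the realistic outcome: once the cluster holding the header is reused, a signature-based carve misses the file and the analyst has to fall back on keyword searches of unallocated clusters to find the fragment.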
Operating systems & file format
- [notes 1] Hackers like to brag, collaborate or simply chill out on IRC or other chat networks, so these can be a rich source of intelligence