Importance of Previewing: Why every investigator should consider this approach

Time is always a constraint when it comes to investigations. Whether in a corporate environment with Senior Leadership wanting answers fast, or Law Enforcement working in a hostile environment, the ability to perform an effective triage could be the difference between a successful and unsuccessful investigation.

One technique that is frequently overlooked by computer forensic examiners is previewing, also known as active file review.

In essence, this is when an examiner browses the filesystem prior to imaging in order to understand what activity has occurred on the system and whether it is likely to hold information pertinent to the investigation. If a system is considered unlikely to hold evidential data, imaging the device may be unnecessary.

A concern often raised by investigators about performing a preview on a live system is the risk that evidential data (in particular filesystem metadata such as access timestamps) will be altered, contravening the well-documented best practice of ‘do not alter the evidence’. With this in mind, the aim of this post is to highlight the benefits of a preview and triage collection technique that allows more effective data gathering in a time-sensitive situation. Appropriately recording the actions performed during the preview (which files were opened, when, and with what tool) addresses much of the concern attached to the technique: an examiner who can account for every change they introduced can explain it later. Handled this way, previewing is a game-changing process that deserves a place in every investigator’s digital examination workflow.

We will not be delving into the world of covert technical surveillance, as the use of those techniques is illegal in most jurisdictions outside of Law Enforcement or Government frameworks.

Device capacity is constantly increasing, and so is the mountain of information found on an electronic device, so it is imperative that an effective triage strategy is used to identify the ‘low-hanging fruit’ and maximise the chance of a successful investigation. A successful digital forensics triage collection involves several phases (planning is numbered 0 below because it happens before arrival on scene):

  0. Planning
  1. Preview
  2. Collect
  3. Process
  4. Analyse
  5. Report

0. Planning

Although not strictly part of the triage collection process, pre-arrival planning is often overlooked, yet it should form the basis of any investigation.

Without a clear idea of what you are looking for (objectives), you will not be able to identify the significance of any findings even if they are stumbled upon.

An effective investigation plan will help an investigator stay on track and focus on the information that matters.

Examples of items that should be considered when planning a successful collection include (but are not limited to):

  • The scene
  • Any PIRs (Priority Intelligence Requirements)
    • Suspects (including allegation and history)
    • Financial links
    • Personal links
    • Known devices
    • The subject’s technical abilities/training
  • The evidence
    • Likely sources (emails, internet history, media, documents)
    • Volume of data anticipated
    • Requirement for specialist equipment (hardware adaptors, write blockers, faraday bags)

1. Previewing the device

On arrival at the scene, and only after the immediate area has been secured, can the process begin. The safety of all personnel must precede any other activity – after all, you won’t want to be waiting around if the building around you is collapsing!

Previewing allows an investigator to locate and verify the existence of any pertinent data detailed during step 0 (the planning stage). This is critical when faced with multiple devices, large volumes of data, and limited time.

An example of an effective use of previewing would be where law enforcement is required to obtain electronic evidence in relation to a criminal activity and the investigator is met with hundreds of devices at the scene. A preview helps the investigator identify the devices containing the relevant evidence and prioritise their collection over those least likely to hold any valuable information.

If you were met with this on scene, would you know which needs to be prioritised?

An opportunity should also be taken during this stage to identify any other sources of digital evidence that could be relevant, such as flash drives, mobile devices and network storage devices (local law permitting).

Operational environment and time permitting, digital forensic best practices should be followed throughout, including the documentation of all evidence (photographs, chain of custody documents, examination notes recording each action taken, the time and the tool used) and the use of specialised digital forensic software that avoids inadvertent alterations to the device data, so that all evidence remains admissible.

Although it is important to follow your plan in order to reduce errors and process failures, an examiner must remain flexible so that they can interpret and react to their surroundings and findings as incidents and issues arise. This need for flexibility is discussed in more depth under stage 3.

2. (Targeted) collection

Once the pertinent data has been identified and prioritised (from the most relevant to the least), the next step is to collect the best forensic evidence possible, in situ, using the quickest practical method available.

There are times when it is not possible, or not useful, to remove a physical storage device in order to image it through a hardware write blocker. The classic case is an encrypted volume where the password is neither known nor provided: a physical image of the device yields only ciphertext, whereas the running, unlocked system still exposes the plaintext. In these cases, performing a logical acquisition from the live system may be the only viable solution.

If time is a critical factor, an investigator may decide not to perform a full logical acquisition and instead opt for a more surgical, targeted collection to further reduce the time required to obtain actionable items of interest.
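The preview (stage 1) and targeted collection (stage 2) described above, as an added worked example that is not part of the original post and does not represent any particular forensic product. It snapshots file metadata before anything reads the files, keeps a timestamped log of every action taken, selects files by extension or by a keyword hit, and copies them out with a SHA-256 recorded for source and copy so the copy is verifiable. The sample directory tree, file names, keywords and the function names (open_readonly, preview, select_targets, collect, run_triage) are all constructed for the example. Note the caveat in open_readonly: reading a file can update its access time on the source, and Linux's O_NOATIME only suppresses that for files you own or with CAP_FOWNER, which is exactly why the pre-read metadata snapshot and the action log exist.

```python
"""Preview-then-collect triage of a directory tree, recording every action taken.
Added example (hypothetical helper names); not from the original post."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def open_readonly(path: Path):
    """Open for reading without updating the source atime where the kernel allows it.

    O_NOATIME (Linux only) needs file ownership or CAP_FOWNER; on EPERM we fall back
    to a plain read and rely on the action log to show that the file was read.
    """
    flags = os.O_RDONLY | getattr(os, "O_NOATIME", 0)
    try:
        fd = os.open(path, flags)
    except PermissionError:
        fd = os.open(path, os.O_RDONLY)
    return os.fdopen(fd, "rb")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open_readonly(path) as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preview(root: Path, log: list) -> list:
    """Stage 1: inventory every file and snapshot its metadata before anything reads it."""
    entries = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()  # stat() does not touch atime
            entries.append({"path": p.relative_to(root).as_posix(), "size": st.st_size,
                            "mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime})
    log.append({"ts": time.time(), "action": "preview", "root": str(root), "files": len(entries)})
    return entries


def select_targets(root: Path, entries: list, keywords, extensions, log: list) -> list:
    """Targeted selection: files with an extension of interest, or a keyword in their content."""
    exts = {e.lower() for e in extensions}
    kws = [k.lower().encode() for k in keywords]
    targets = []
    for e in entries:
        rel, reason = e["path"], None
        if Path(rel).suffix.lower() in exts:
            reason = "extension"
        else:
            with open_readonly(root / rel) as f:
                data = f.read(1 << 20).lower()  # first 1 MiB is enough for a triage sweep
            hits = [k.decode() for k in kws if k in data]
            if hits:
                reason = "keyword:" + ",".join(hits)
        log.append({"ts": time.time(), "action": "inspect", "path": rel, "selected": reason is not None})
        if reason:
            targets.append({"path": rel, "reason": reason})
    return targets


def collect(root: Path, targets: list, dest: Path, log: list) -> list:
    """Stage 2: copy each selected file out, hashing source and copy so the copy is verifiable."""
    manifest = []
    for t in targets:
        src, dst = root / t["path"], dest / t["path"]
        dst.parent.mkdir(parents=True, exist_ok=True)
        src_hash = sha256_file(src)
        shutil.copy2(src, dst)  # copy2 carries mtime/atime over to the copy
        item = {"path": t["path"], "reason": t["reason"], "sha256": src_hash,
                "verified": src_hash == sha256_file(dst)}
        manifest.append(item)
        log.append({"ts": time.time(), "action": "copy", **item})
    return manifest


def run_triage(root: Path, dest: Path, keywords, extensions):
    """Preview, select, collect; write inventory, manifest and action log beside the copies."""
    dest.mkdir(parents=True, exist_ok=True)
    log = []
    entries = preview(root, log)
    targets = select_targets(root, entries, keywords, extensions, log)
    manifest = collect(root, targets, dest, log)
    (dest / "manifest.json").write_text(
        json.dumps({"inventory": entries, "manifest": manifest, "log": log}, indent=2))
    return entries, manifest, log


def build_sample_tree(root: Path) -> None:
    """Constructed sample 'suspect' tree so the example runs offline; contents are made up."""
    (root / "Documents").mkdir(parents=True)
    (root / "Pictures").mkdir()
    (root / "Documents" / "invoices.xlsx").write_bytes(b"PK\x03\x04 stand-in for a spreadsheet")
    (root / "Documents" / "notes.txt").write_text("Meeting at the warehouse, bring CASH\n")
    (root / "Pictures" / "holiday.jpg").write_bytes(b"\xff\xd8\xff stand-in for a photo")


def demo():
    """Run the whole flow in a temporary directory; returns (inventory, manifest, log)."""
    with tempfile.TemporaryDirectory() as d:
        root, dest = Path(d) / "suspect", Path(d) / "evidence"
        build_sample_tree(root)
        return run_triage(root, dest, keywords=["cash", "warehouse"], extensions=[".xlsx"])


if __name__ == "__main__":
    inventory, manifest, log = demo()
    print(f"previewed {len(inventory)} files, collected {len(manifest)}")
    for item in manifest:
        print(item["path"], item["reason"], item["sha256"][:16], item["verified"])
```

On a real scene the same structure applies, but the tool would be run from trusted media with the suspect volume mounted read-only (or noatime) wherever the operating system allows it, and the manifest and log would be exported alongside the copies as part of the chain of custody.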

3. Processing

There may be times when it is considered acceptable to forgo the recognised forensic best practice of processing and analysing evidence in a controlled environment, such as a laboratory. Due to circumstances, the investigator may have to perform part of the evidence processing and analysis in situ, directly on the suspect device. The nature of performing forensics on scene also means that the work is unlikely to be in-depth.

An extreme example of this would be an intelligence-led search of an area that reveals plans for further illicit activity with an imminent threat to life. It could be argued, and justified, that the benefit of opening such a file in a non-forensic manner for the purpose of preventing loss of life outweighs any alteration made to its metadata, provided the action and its timing are recorded. The urgency in this example shows why an investigator must remain flexible and open-minded enough to adapt to the situation, even if it means straying from their pre-conceived plan.

The key here is to locate the low-hanging fruit quickly, which increases the likelihood of finding pertinent evidence and securing that quick win.

4. Analysis and Reporting*

For the purpose of brevity, stages 4 and 5 have been combined. Once any imminent danger has been addressed, an in-depth analysis can be conducted. This would typically occur after the data has been securely transported to the forensic laboratory, where analysis and reporting continue as per the appropriate standard operating procedures.