Digital Forensics Analysis – a workflow analysis. Work smarter, not harder.

I was recently asked if I could speak to a student who has an interest in digital forensics. They had been researching the area and asked many good questions, but one in particular has stuck in my mind:

What is the preferred strategy when it comes to performing digital forensic investigations?

Let me explain. The acquisition phase of an investigation, for example, is an area that is well researched and documented. There is a generally accepted ‘correct’ method for performing the tasks, which individuals are expected to follow; if they do not, they must be able to explain and justify their reasoning for departing from best practice.

However, there does not seem to be anything similar for the actual examination of the artifacts themselves, post acquisition. I have seen investigators ranging from those who will spend weeks examining everything to those who will only look for the items they are interested in, but seldom have I spoken to someone who strikes the middle ground.

In my view, there is no ‘standard’ flow to an investigation. To conduct a successful examination, the investigator must be flexible enough to ‘think on their feet’, adapting to each task or obstacle as it arises. A successful investigation cannot be accomplished purely by working through a ‘check-list’, as time may be wasted and pertinent items missed. Investigators are seldom presented with the luxury of unlimited resources. We are constrained by time, and we must balance gathering the most evidence we can within the allocated timeframe against drawing a forensically sound and accurate conclusion.

All investigations are unique and therefore should be treated as such.

With that said, if checkboxes are used, they should be generic enough to provide a wider view of the overall picture. Considerations could include:

Context – An examiner must have sufficient background information on the case. I have often been asked to ‘examine a computer for nefarious activities’ without being told what the subject was accused of, or the details of how it became an investigation. An examiner can easily spend hours and days looking for an item which has little impact on the overall case.

Once examiners know what the case is trying to establish, they can plan their investigation activities around the items that can truly establish the facts (the smoking gun, if you will).

Perceived technical ability of the subject – Investigation strategy must account for the perceived technical abilities of the subject. An individual known to be very technical, with intimate knowledge of the file systems, processes and security controls in place, will warrant extra considerations, including anti-forensic techniques.

Balance of probability / existing controls – This is aimed more at corporate than at criminal investigations. If HR has reported that an employee has exfiltrated data via USB, how much time should an examiner spend looking for evidence of that allegation?

Would you spend as much time on USB artifacts if the organisation has adequate USB security controls and logging in place (in which case, if a data loss event had occurred, it is more likely that another vector was used)? Or should the investigator consider examining other vectors for potential exfiltration attempts?

Unconscious bias – This is unavoidable, as it is a trait of being human, and it is a topic which needs to be discussed.

Investigators must be aware of this phenomenon, which affects everyone. I have worked with experienced investigators who, upon learning about the allegation, will look for the evidence that supports it, ignoring the items that disprove the theory in the process (tunnel vision).

Finally, experience matters – the most effective strategy will be the one that works! It is something every investigator learns over time through trial and error.

To me, there is no ‘right’ or ‘wrong’ approach to analysing the evidence. As the expression goes, “there’s more than one way to skin a cat”.

The only thing that should matter is that we, as investigators, stay true to our moral and ethical compass. Our decisions and the subsequent reports matter because they can have a profound effect on real individuals.

In the corporate world, it could be the difference between an innocent employee getting fired or a guilty person continuing their activities, damaging the company financially.

In the criminal world, our examination could be the difference between an innocent person going to prison, or a guilty person walking free.

As a final thought, did I mention… All investigations are unique!