Digital Forensics and Analyzing Data

This chapter focuses on digital forensics and the best practices that provide a foundation for digital forensic work. It also addresses some of the technical and procedural challenges a digital forensic examiner faces today. Digital forensics is probably the most intricate step of the cybercrime investigation process, and it often yields the strongest evidence in terms of prosecutable cases. Digital forensics is the scientific acquisition, analysis, and preservation of data contained in electronic media, where that data can be used as evidence in a court of law. The four main phases of the digital forensic process are collection, examination, analysis, and reporting.

Collection: it is a digital forensics best practice to make a full bitstream copy of the physical volume. This usually entails physically removing the hard drives from the suspect system and attaching them to another system for forensic duplication. The data must be unaltered and the chain of custody must be maintained. Documenting the hardware configuration is a tedious but essential part of the forensic process; the amount of documentation required grows in direct proportion to the number and types of devices being acquired.

Examination consists of the methodical sifting and combing of data. It may involve examining dates, metadata, images, document content, or anything else.

Analysis: every cybercrime incident will involve at least some analysis of data retrieved from systems, whether it is only a few small files from a system or two, or terabytes from many machines. Some of the data analysis tools are grep, Perl scripts, spreadsheets, Structured Query Language (SQL), and commercial network forensic tools.

Reporting: the report is a compilation of all the documentation, evidence from examinations, and analysis obtained during a digital forensic investigation.
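The collection requirement above (a bitstream copy whose data is demonstrably unaltered) is usually proven with cryptographic hashes taken before and after duplication. The following is an added example, not code from the chapter: it hashes a constructed stand-in "device" file, makes a bit-for-bit copy, re-hashes both, and emits a timestamped record suitable for a chain-of-custody log. File names and the flipped-byte tamper check are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file or device in 1 MiB chunks so terabyte images need no RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_bitstream(source, image, chunk_size=1 << 20):
    """Copy every byte of source into image; return the source hash taken BEFORE copying."""
    pre_hash = sha256_of(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            dst.write(chunk)
    return pre_hash


def verify_image(source, image, pre_hash):
    """Re-hash source and image after acquisition; all three values must agree."""
    post_source, image_hash = sha256_of(source), sha256_of(image)
    return {
        "verified": pre_hash == post_source == image_hash,
        "source_hash_before": pre_hash,   # proves the source was read intact
        "source_hash_after": post_source, # proves acquisition did not alter the source
        "image_hash": image_hash,         # proves the image equals the source
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }


def demo(workdir=None):
    """Run the workflow on a constructed device file; return (clean_record, tampered_record)."""
    workdir = workdir or tempfile.mkdtemp()
    source = os.path.join(workdir, "sda.bin")  # constructed stand-in for a physical volume
    image = os.path.join(workdir, "sda.dd")
    with open(source, "wb") as f:
        f.write(b"MBR\x00" * 4096 + os.urandom(8192))  # constructed sample content
    pre_hash = acquire_bitstream(source, image)
    clean = verify_image(source, image, pre_hash)
    with open(image, "r+b") as f:  # flip one byte in the image to show the check fails
        f.seek(10); b = f.read(1); f.seek(10); f.write(bytes([b[0] ^ 0xFF]))
    return clean, verify_image(source, image, pre_hash)
```

A real acquisition would read the source from a write-blocked device and store the record alongside the image; a mismatch in any of the three hashes means the image cannot be relied on as evidence.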