>> The forensic process can be broken down into three steps.

In the first step, evidence is acquired and imaged.

The evidence is analyzed in the second step.

Finally, in the third step, a report is made, which should be understandable
to even non-technical individuals.

Let’s explore each of these three steps.

A forensic investigator needs to choose the way to acquire evidence that minimizes data loss,
gather all the pertinent evidence, maintain the integrity of originals,
create copies, and always work on the copies.

Avoid destroying volatile data, missing critical data, altering timestamps,
using untrusted commands or tools, or adjusting the system prior
to evidence seizure through patching or updating.

Digital evidence must be preserved in its original state.

The law requires that evidence be authentic and unaltered to be admissible in a court of law.

Hash functions are used by forensic investigators in two ways.

First, to positively verify that a file or entire hard drive hasn’t been altered
by comparing a copy’s message digest with the original’s message digest.

Secondly, to verify that files, hard drives, and their copies are intact,
and have not changed during the investigation.

Making a bitstream copy means to image a hard drive bit-for-bit from all sectors.

It is performed on the hard drive level, not the file system level.

It copies metadata and data blocks in their entirety,
regardless of whether they’re allocated to an active file or not.

It also copies slack space.

Hard drives store files in clusters of a certain size.

Slack space is the region from the end of a file on a hard drive to the end
of the cluster in which that file is stored.

In this slack space, a forensic investigator can find deleted files, or at least fragments
of deleted files and hidden data.

Since log files are often deleted by cybercriminals,
these may show up in slack space.

Evidence can also be found in unallocated space.

When you delete a file, the operating system marks that location as available,
but the file that was deleted from the file system is still there in the unallocated space
until the operating system chooses to use that location for a new file.
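As an added example that is not part of the original transcript, the constructed toy disk below shows why a bitstream copy matters: a file-level copy returns only the live file, while the sector-level image still holds a deleted log's bytes in the new file's slack space and in unallocated clusters, and a message-digest comparison confirms the working copy matches the image. Cluster size, file names and contents are all constructed.

```python
import hashlib

CLUSTER = 16  # bytes per cluster; constructed toy geometry (real drives use 4 KiB or more)

class ToyDisk:
    """Constructed model of a drive: raw clusters plus a file table."""
    def __init__(self, clusters: int):
        self.raw = bytearray(CLUSTER * clusters)
        self.table = {}  # name -> (first cluster, length in bytes)

    def write(self, name: str, first: int, data: bytes) -> None:
        # The OS writes only len(data) bytes; the rest of the last cluster is untouched.
        start = first * CLUSTER
        self.raw[start:start + len(data)] = data
        self.table[name] = (first, len(data))

    def delete(self, name: str) -> None:
        del self.table[name]  # clusters are marked free; the bytes stay on the platter

    def file_copy(self, name: str) -> bytes:
        first, length = self.table[name]  # file-system level: only the live bytes
        return bytes(self.raw[first * CLUSTER:first * CLUSTER + length])

    def bitstream_copy(self) -> bytes:
        return bytes(self.raw)  # drive level: every sector, allocated or not

def clusters_used(length: int) -> int:
    return max(1, -(-length // CLUSTER))  # ceiling division

def slack_space(image: bytes, first: int, length: int) -> bytes:
    """Bytes from the end of a file to the end of its last cluster."""
    end = first * CLUSTER + length
    return image[end:(first + clusters_used(length)) * CLUSTER]

def unallocated_clusters(image: bytes, table: dict) -> list:
    """Clusters no live file claims; deleted content survives here until reused."""
    used = set()
    for first, length in table.values():
        used.update(range(first, first + clusters_used(length)))
    return [c for c in range(len(image) // CLUSTER) if c not in used]

def verify_copy(original: bytes, copy: bytes) -> bool:
    """Compare message digests of the original image and the working copy."""
    return hashlib.sha256(original).hexdigest() == hashlib.sha256(copy).hexdigest()

def build_scenario():
    disk = ToyDisk(4)
    disk.write("auth.log", 0, b"login root FAILED 03:14; login root OK")  # clusters 0-2
    disk.delete("auth.log")               # the log is removed from the file table
    disk.write("notes.txt", 0, b"hello")  # a shorter file reuses cluster 0
    return disk, disk.bitstream_copy()
```

Running `build_scenario()` and then `slack_space(image, 0, 5)` returns the tail of the old log that `file_copy("notes.txt")` never sees.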

In a cybersecurity-related forensic investigation, the analysis phase can confirm
or dispel the existence of an incident.

What is known at this point?
What kind of incident is it?
Which systems were directly or indirectly affected?
What are they used for?
Are there critical or sensitive related systems or data?
What’s the damage?
What’s the potential business impact?

After the investigation, a report will be written.

The step-by-step procedures of the imaging, details of each test, the tools used,
and the facts uncovered should be written in a non-technical form so attorneys, the judge,
and jury can all understand what the investigator is testifying to.

If the investigator, who now becomes the expert witness, doesn’t include a specific item
in the report, he might not be able to give his opinion on it in a court of law.

Any error, even in terms of grammar or spelling, could cast doubt on the entire report and,
in essence, ruin all the work done in the analysis phase.

Items that need to be documented include the manufacturer, model,
and serial number of hard drives and system components, peripherals attached to the system,
a description of the evidence, the case number, the item tag number of evidence,
as well as hash algorithms and message digests of the digital evidence.

Among items that must be clearly documented and proven are the date and time
when the evidence was collected, the full name and signature
of all people possessing the evidence, the location of the evidence,
and all receipts and transfers of the evidence.

This preservation process, known as the chain of custody,
occurs throughout an entire investigation, from acquisition of evidence
through the time the investigator testifies as an expert witness in a court of law.

The chain of custody is used to maintain a record of how evidence has been handled
from the moment it was collected to the moment it was presented in court.

Who was in possession of it, and when?
Who had keys to rooms where it was stored?
Was it stored in a tamper-proof manner?

Any gaps in this chain of custody could cause evidence to be inadmissible.

Anti-forensics is designed to thwart discovery
of information related to illegal activities of a user.

A suspect might manipulate, erase, or obfuscate digital data to make its examination difficult,
time consuming, or virtually impossible.

Data-hiding techniques include obfuscating data by encryption or compression.

Data could also be hidden through codes, giving innocent-looking data an alternate meaning.

One way this is done is through a process known as steganography,
which hides files and data inside of other files.

Files could also be hidden with misleading file names or extensions,
but this won’t fool forensic tools.

The tools look at the first few bytes of a file and, based on these well-known signatures,
identify what type of file it is, regardless of its extension.

Changing the file signature though, well, that’s a different story.
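As an added example, not from the original transcript, this constructed triage routine does what the narration describes: it reads the first bytes of each file, matches them against well-known signatures, and flags a file whose extension disagrees with its signature. A file whose leading bytes match no known signature is reported as unknown, which is the case the last sentence above refers to. The signature table is a small selection, and the sample headers are constructed, not real files.

```python
from typing import Optional

# Well-known file signatures (magic bytes) found at offset 0; a small selection.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x7fELF": "elf",
}

# Extensions that legitimately share a signature (Office documents are ZIP containers).
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip"}

def identify(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if no signature matches."""
    for magic, kind in SIGNATURES.items():
        if data[:len(magic)] == magic:
            return kind
    return None

def check_file(name: str, data: bytes) -> str:
    """Classify a file as 'match', 'mismatch' (extension disagrees) or 'unknown'."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = ALIASES.get(ext, ext)
    kind = identify(data)
    if kind is None:
        return "unknown"          # no known signature: candidate for manual review
    return "match" if kind == ext else "mismatch"

# Constructed leading bytes standing in for evidence files (not real captures).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "report.txt": b"PK\x03\x04\x14\x00\x08\x00",   # archive carrying a text extension
    "invoice.docx": b"PK\x03\x04\x14\x00\x06\x00",  # ZIP signature is expected here
    "logo.png": b"\x00\x00\x00\x00\r\n\x1a\n",      # PNG header with its signature altered
}

def triage(samples: dict) -> dict:
    """Run the signature check over every sample and collect the verdicts."""
    return {name: check_file(name, data) for name, data in samples.items()}
```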

Copyright notice: this article is an original work by sec875 and is licensed under CC 4.0 BY-SA. If you repost it, please include a link to the original source and this notice.
Original link: https://www.cnblogs.com/sec875/articles/10452771.html