Digital forensic investigations are, for the most part, predominantly conducted in direct response to an incident. By taking a reactive approach like this, investigators are under great pressure to gather and process digital evidence before it has been modified or is no longer available.
There are practical and realistic scenarios where a more proactive approach to gathering digital evidence can ease tension during forensic/incident response activities. (See How ‘Digital Forensic Readiness’ Reduces Business Risk.) But what is often overlooked in these situations is the need to supplement the data content with relevant context.
Here are seven examples of criteria that can be used to enhance the relevance of digital evidence during a forensic investigation.
When it comes to analyzing digital evidence collected from different systems and/or devices, time synchronization is a major factor in establishing a chronology. Using Network Time Protocol (NTP) set to Greenwich Mean Time (GMT), with the time zones of each system configured locally, is the best practice for establishing consistent and verifiable timestamps to ensure digital evidence can be correlated, corroborated, and chronologically ordered during a forensic investigation.
On its own, digital evidence content presents a number of challenges because it lacks situational awareness. However, when combined with a supplemental layer of information, or “data about data,” investigators can bring about a better understanding of digital evidence structural metadata (e.g. used to describe arrangement of information) or guide metadata (e.g. used to assist with locating information) Because that metadata is also electronically stored information (ESI), the same digital evidence management requirements must be taken to ensure its authenticity and integrity are maintained.
Cause and Effect
A common challenge with any digital forensic investigation is to determine the cause of an event because the effect can vary depending on the context of the event. The "Pareto Principle," also referred to as the "80/20 Rule," states that approximately 80 percent of all effects come from roughly 20 percent of the causes. Instead of trying to understand every cause-and-effect combination, referring back to the six business risk scenarios can reduce the scope of which cause-and-effect combinations need to be considered. By narrowing the scope down to the applicable risk scenarios, supplementary information can be identified and considered for collection.
Correlation and Association
The scope of a digital forensic investigation can be made up of several interconnected and distributed technologies where an event on one system can have a relationship to an event on other systems. Creating a linkage amongst the various technologies is critical when it comes to establishing a complete trail of evidence, so a more comprehensive picture of the incident can be compiled. Achieving a holistic view requires thinking in terms of gathering digital evidence in support of the entire trail of evidence, instead of as individual data sources that may or may not be useful during the investigation.
Corroboration and Redundancy
Generally, the goal of every forensic investigation is to use digital evidence as a means of providing credible answers to substantiate an event and/or incident. However an investigation is initiated, establishing credible facts can be challenging, because individual pieces of evidence on their own may not provide the necessary context. By aggregating different data sources, the strength of digital evidence collected will improve because it can be vetted across multiple data sources. Over time, continuing to gather data from multiple sources will provide a sufficient amount of digital evidence that can minimize the need for forensic analysis of systems.
Retention of ESI, regardless of whether it is preserved as digital evidence, has unique requirements for the length of time for which it has to be preserved; such as those defined by regulators or legal entities. Not only does preserving ESI support regulator or legal requirements, but it also has evidentiary value and might need to be recalled to support one of the six business risk scenarios. Careful planning must be done to determine which type of electronic storage medium will be used to ensure that the type of backup media used will not impact the authenticity and integrity of ESI.
Although advancements have been made in the processing and analysis of digital evidence, there remains an underlying issue of how to effectively manage the ever increasing volumes of data that are gathered. Solutions such as an Enterprise Data Warehouse (EDW) can be easily adapted and scaled to support the growing volumes of ESI that need to be accessed in both real-time and near-real time. When implementing any type of digital evidence storage solution, it is important that the solution adheres to the best practices for maintaining the integrity and authenticity of digital evidence and not risk making the ESI inadmissible in a court of law.
Determining the meaningfulness, usefulness, and relevance of digital evidence requires additional layers of supplemental information to enhance its contextual awareness. By ensuring the factors discussed in this article are included when proactively gathering digital evidence, the significance of digital evidence can be better realized during a digital forensic investigation.
This article was sourced from the forthcoming book by Jason Sachowski, titled Implementing Digital Forensic Readiness: From Reactive To Proactive Process, available for pre-order at the Elsevier Store and other online retailers.Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, ... View Full Bio