What types of evidence may exist on acquisition targets?

Evidence could be located in many places, on many different types of media and systems. It is critical to identify the best sources of responsive data and define the most appropriate acquisition protocol. The following represent some of the types of evidence that may exist within an acquired data set:

• Active files
• Deleted files
• Fragments of files that have been partially overwritten from within slack or unallocated space
• Information related to the operating system and applications loaded on a device
• Configurations and user activity information from the Microsoft Windows Registry or other operating system files
• Logon information
• Internet history for multiple web browsers and cloud-based products
• Lists of most recently used files
• Network drive mappings
• USB device use (external storage media, peripherals, and the like)
• Evidence of any mass data copies
• Information related to drive-wiping activities
• Temporary files created by various applications
• Information indicating when applications were used
• Microsoft Windows Recycle Bin activities
• Print spooler information
• LNK files pointing to things like actively used files, applications or external storage locations
• Local archived or active email files
• Chat history for a number of products
• Apple Mac OS or Linux specific forensic artifacts
• Evidence specific to mobile devices, such as call logs, SMS messages, MMS messages, mobile internet history, location-related information, or chat data within third-party applications

Tools and techniques

Forensic collection of electronic evidence requires care and appropriate skill. Qualified professionals should be consulted since corrupted evidence may be lost or rendered permanently unusable. Any suggestion that the data on the original drive may have been altered, deleted or appended may result in a spoliation claim by counsel or the court, which may result in the ESI being inadmissible in court.

Specialized hardware and software are used to create duplicate images of computer or network files, system logs, and other ESI. These images must be exact bit-by-bit duplicates of the original information. Typically, the specialist will document the chain of custody so that the underlying evidence can be properly authenticated.

The accuracy of an image is tested by running a program against the original data and producing a unique 32-character alphanumeric code called a hash number, which is the “fingerprint” of the data to be imaged. The imaged data is also analyzed, and a hash number is produced and must match the hash number of the original data that was imaged.

The scale of ESI collections may vary from case to case, ranging from the imaging of a single computer drive to the collection of thousands of data sources. Depending on the scale and complexity of the project and the systems and sources involved, different approaches, the number of professionals, and the skills of the team may differ substantially.

Forensic capture

In the simplest configuration, the hardware used in forensic collection of electronic evidence consists of a laptop configured with specialized software. The software tools used to create duplicate images include EnCase, Cellebrite, FTK Imager, SANS Investigative Forensic Toolkit, X-Ways Forensics, and Open Computer Forensics Architecture (OCFA). During the capture process, a “write blocker” blocks two-way communication between the drive being imaged and the duplicate image being analyzed to prevent unintentional alteration or deletion during the imaging process.
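The hash verification and chain-of-custody documentation described under "Tools and techniques" can be shown concretely. The following is an added example written for this page, not code from the original document or from any of the imaging products it names. It hashes an original and its image in streaming chunks, records both digests for each algorithm in a verification record, and only reports the image as verified when sizes and every digest agree. The sample "drive" contents, file names and the `demo` helper are constructed for illustration; the 32-character digest the text refers to is the length of an MD5 hex digest, and a SHA-256 digest (64 characters) is recorded alongside it.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Read in fixed-size chunks so a multi-gigabyte image never has to fit in memory.
CHUNK_SIZE = 1024 * 1024


def hash_file(path: str, algorithm: str = "md5") -> str:
    """Return the hex digest of the file at `path` using `algorithm` (e.g. md5, sha256)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(original_path: str, image_path: str,
                 algorithms=("md5", "sha256")) -> dict:
    """Hash the original and the image with every algorithm in `algorithms`.

    Returns a verification record suitable for a chain-of-custody log: the UTC
    time of the check, both paths and sizes, one entry per algorithm holding
    both digests and whether they match, and an overall verdict. The verdict is
    True only if the sizes agree and every algorithm's digests match.
    """
    record = {
        "verified_at_utc": datetime.now(timezone.utc).isoformat(),
        "original": original_path,
        "image": image_path,
        "original_size": os.path.getsize(original_path),
        "image_size": os.path.getsize(image_path),
        "digests": {},
    }
    for alg in algorithms:
        src = hash_file(original_path, alg)
        img = hash_file(image_path, alg)
        record["digests"][alg] = {"original": src, "image": img, "match": src == img}
    record["verified"] = (
        record["original_size"] == record["image_size"]
        and all(d["match"] for d in record["digests"].values())
    )
    return record


def demo() -> tuple:
    """Constructed demonstration (hypothetical data, not real evidence):
    a bit-for-bit copy verifies, a copy with a single changed byte does not."""
    source_bytes = b"MBR\x00" * 256 + b"user document text" + b"\x00" * 1000
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "original.dd")
        good_image = os.path.join(tmp, "image.dd")
        bad_image = os.path.join(tmp, "altered.dd")
        with open(original, "wb") as f:
            f.write(source_bytes)
        with open(good_image, "wb") as f:
            f.write(source_bytes)                 # exact duplicate
        with open(bad_image, "wb") as f:
            f.write(source_bytes[:-1] + b"\x01")  # same size, last byte altered
        good = verify_image(original, good_image)
        bad = verify_image(original, bad_image)
    return good, bad


if __name__ == "__main__":
    good_record, bad_record = demo()
    print("exact copy verified:", good_record["verified"])
    print("altered copy verified:", bad_record["verified"])
    for alg, entry in bad_record["digests"].items():
        print(f"{alg}: original={entry['original']} image={entry['image']} match={entry['match']}")
```

Recording more than one digest is deliberate: a size check alone would pass the altered copy above, and keeping a second, stronger algorithm next to the traditional MD5 value means the record still authenticates the image if one algorithm is later questioned. In practice the record would be stored with the examiner's name, the tool and version used, and the device serial number, none of which this example invents.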
Understanding the forensic technology landscape | 13