Page286
Identification
During the identification phase, the analyst attempts to determine which systems, media, and data are relevant to the investigation. Identified resources are then targeted for acquisition. Though the process is generally linear, with identification progressing to acquisition, subsequent analysis or simply a better understanding of scope can warrant revisiting the identification phase during later stages of the investigation.
Acquisition
Acquisition represents the fundamental first step of a forensic investigation. During acquisition, media and data pertinent to the investigation are collected in a manner that will facilitate the later steps of the investigation. Acquisition leverages binary backups (bit-for-bit images) together with hashing algorithms to verify the integrity of those images, which we will discuss shortly. When possible, the original media should not be used for analysis: a forensically sound binary backup should be used instead.
Analysis
The investigative work begins in earnest with the analysis phase. During this phase, artifacts are identified to help develop an understanding of what occurred, from the vantage point of the media being analyzed. A preliminary step that might be necessary prior to analysis is extraction, in which the analyst takes the raw forensic data from acquisition and processes it into a form that facilitates further analysis. A key component of the analysis phase is often the creation of a timeline. The timeline allows artifacts to be plotted chronologically and becomes vital documentation that undergirds the final report.
Reporting/Presentation
In the final phase of a digital forensics investigation, the analyst presents their findings in a structured report. Details regarding relevant artifacts and their placement on a timeline are commonly included, along with documentation of the tools and methods employed and an accounting of the forensic evidence acquired. A common thread throughout forensic investigations is the need to demonstrate the integrity of the process and of the data upon which the investigation and subsequent report were based.
Preservation
Though not truly a distinct phase of the digital forensics investigation process, the importance of evidence and data preservation warrants explicit callout. Given the potential impact of forensic investigations, caution should be exercised to ensure preservation of evidence, media, and data to the extent possible. Preservation begins during acquisition but must be maintained through every phase of the investigation.
The overarching goal of preservation is to be able to speak to the trustworthiness of the data, and thereby to the fidelity of any analysis derived from it. A key technique associated with preservation is the use of hashing algorithms. Hashes computed with algorithms such as MD5, SHA-1, SHA-256, or SHA3-256 are routinely recorded during acquisition and can later be recomputed and compared to demonstrate that the underlying data has not changed during the course of the investigation.
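The following is an added example, not part of the original text: it hashes an acquired image with the four algorithms named above in a single pass, records the digests in a manifest beside the image, and later recomputes them to verify that the image is unchanged. The `.hashes` manifest format, the function names, and the sample image are constructed for this example.

```python
import hashlib

# Hash algorithms named in the text, all computed in a single pass over the image
# so that a multi-gigabyte image is read from disk only once.
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_256")

def hash_image(path, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a binary image, read in chunks so the
    whole image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def write_manifest(path, digests):
    """Record the acquisition-time digests beside the image as <path>.hashes."""
    manifest = path + ".hashes"
    with open(manifest, "w") as f:
        for name, digest in digests.items():
            f.write(f"{name}  {digest}\n")
    return manifest

def read_manifest(manifest):
    """Load a manifest written by write_manifest back into a dict."""
    with open(manifest) as f:
        return dict(line.split() for line in f if line.strip())

def verify_image(path, manifest):
    """Recompute every recorded digest; return (ok, [algorithms that mismatch])."""
    expected = read_manifest(manifest)
    actual = hash_image(path)
    mismatched = [n for n in expected if actual.get(n) != expected[n]]
    return (not mismatched, mismatched)

if __name__ == "__main__":
    # Constructed sample standing in for an acquired image (not real evidence).
    image = "sample.dd"
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed sample image data")
    manifest = write_manifest(image, hash_image(image))
    print(verify_image(image, manifest))   # (True, [])
    with open(image, "r+b") as f:          # simulate a one-byte change after acquisition
        f.seek(100)
        f.write(b"\x01")
    print(verify_image(image, manifest))   # (False, ['md5', 'sha1', 'sha256', 'sha3_256'])
```

Any single-byte change to the image causes every recorded digest to mismatch, which is exactly the property that lets the analyst demonstrate the image is the one acquired.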