Investigations are inquiries into past events. The purpose of an investigation is to find evidence from which an understanding of those events can be established. During an investigation, evidence is examined in order to produce information about what happened. Possible sources of evidence include witness statements, documents, physical evidence (e.g. fingerprints or biological traces) and data stored on digital media. From examination of the evidence, the past events can be reconstructed. Event reconstruction is the final outcome of an investigation and forms the basis for a decision. The final event reconstruction relies on interpretation of the evidence and is usually performed by a person or group separate from those who performed the investigation. This person or group is called the finder of fact, and may be a judge, magistrate, jury or other body depending on the case and jurisdiction. During the investigation, the investigator formulates theories about possible events in order to find further sources of evidence, prepare the case for the correct jurisdiction and present the evidence to the fact finder in an appropriate manner.
Investigation of digital media with the purpose of finding evidence is commonly referred to as digital investigation. The purpose of digital investigation is to find evidence related to the events under investigation and present it to the fact finder. Previous works have divided the process of investigating digital media into different phases. The Electronic Crime Scene Investigation guide divides the digital investigation process into Preparation, Collection, Examination, Analysis and Reporting. [1] Here, the collection phase involves identifying digital media that potentially contain evidence and collecting them, either physically or by making a digital copy of their contents. Examination involves searching the collected data for evidence, and analysis involves reviewing the examination results for their value in the case. Reporting involves presenting the evidence in a form acceptable to the fact finder. Carrier and Spafford have proposed a model similar to the one used in physical crime scene investigation. [2] In this model, the physical crime scene investigation is divided into Preservation, Survey, Documentation, Search and Collection, Reconstruction and Presentation of Theory. The digital crime scene investigation takes place within the Search and Collection and Reconstruction phases of the physical process: during these steps any digital media are found and analyzed. The model proposes the same steps for the digital investigation process: Preservation, Survey, Documentation, Search and Collection, Reconstruction and Presentation of Theory. Preservation involves isolating the digital medium and making a forensic image of it. Survey, Documentation and Search and Collection involve finding the relevant evidence on the digital medium and preserving it. Reconstruction and Presentation involve performing a preliminary event reconstruction and presenting the resulting theory to the fact finder.
Both models reflect the steps actually taken by investigators in digital investigations. First, digital media must be found and enumerated. Then, the data on them must be preserved in order to protect its evidential integrity. This usually involves copying the data from the original medium to another medium in such a way that nothing on the original is changed, and verifying the copy with a cryptographic hash so that it can later be shown to match the original. The copy can then be analyzed for contents relevant as evidence. Due to the large amounts of data stored on modern storage devices, the search is usually performed by a combination of manual and automatic search. A number of helpful techniques are employed by investigators in this phase, such as keyword search, hashing (both to verify the copy and to match files against sets of known hashes) and signature search (locating files by their characteristic header bytes). Any relevant data found must be documented, usually in the form of a report. Finally, the data is presented to the fact finder, either as printouts or by having the investigator appear before the fact finder to report the findings. Although the final event reconstruction is up to the fact finder, one should bear in mind that the fact finder usually has little expertise in digital computing. The investigator is therefore often asked to present a theory of how the presented evidence can be used to reconstruct the investigated events.
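The following example is added here to illustrate the preservation and search steps described above; it is not code from the cited works. It builds a small constructed "medium" (six 512-byte sectors, not real evidence), makes a copy whose hash is checked against the original, and then runs the three search techniques mentioned: signature search for file headers, keyword search, and matching sector hashes against a hypothetical set of known hashes. The signature table, sample contents and hash set are all assumptions made for the illustration.

```python
"""Preservation and search phase of a digital investigation, illustrated.
Added example, not from the cited works. The sample medium is constructed."""
from __future__ import annotations

import hashlib

SECTOR = 512

# Well-known file header signatures ("magic bytes") used for signature search.
SIGNATURES = {
    "PNG": b"\x89PNG\r\n\x1a\n",
    "JPEG": b"\xff\xd8\xff",
    "PDF": b"%PDF-",
}


def _sector(payload: bytes) -> bytes:
    """Pad a payload to one sector so the sample medium resembles block storage."""
    assert len(payload) <= SECTOR
    return payload + b"\x00" * (SECTOR - len(payload))


def build_sample_medium() -> bytes:
    """Constructed sample medium (not real evidence): six sectors holding a PNG
    header, a JPEG header, a text fragment and filler."""
    return b"".join([
        _sector(b"MBR placeholder"),                                         # sector 0
        _sector(SIGNATURES["PNG"] + b"\x00\x00\x00\rIHDR"),                  # sector 1
        _sector(b"\x00" * 100),                                              # sector 2, unallocated
        _sector(SIGNATURES["JPEG"] + b"\xe0\x00\x10JFIF"),                   # sector 3
        _sector(b"\xff" * 64),                                               # sector 4, filler
        _sector(b"notes: meet contact at 21:00, transfer to account 4711"),  # sector 5
    ])


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(original: bytes) -> tuple[bytes, str]:
    """Make a forensic copy. The original is hashed before copying, the copy is
    hashed afterwards and the original re-hashed; all three must agree. The
    resulting acquisition hash ties the analysed copy to the seized medium."""
    before = sha256_hex(original)
    image = bytes(original)  # read-only copy; the original is never written to
    if sha256_hex(image) != before or sha256_hex(original) != before:
        raise RuntimeError("acquisition hash mismatch; image is not evidentially sound")
    return image, before


def verify_image(original: bytes, image: bytes) -> bool:
    """Re-verification at any later stage: the copy still matches the source."""
    return sha256_hex(original) == sha256_hex(image)


def signature_search(image: bytes, signatures=SIGNATURES) -> list[tuple[int, str]]:
    """Find file headers by magic bytes at any byte offset, not only at sector
    boundaries, so headers in slack or unallocated space are found as well."""
    hits = []
    for name, magic in signatures.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def keyword_search(image: bytes, keywords: list[str]) -> dict[str, list[int]]:
    """Case-insensitive ASCII keyword search; UTF-16LE text would need a second pass."""
    lower = image.lower()
    result: dict[str, list[int]] = {}
    for kw in keywords:
        needle = kw.lower().encode()
        offsets, pos = [], lower.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = lower.find(needle, pos + 1)
        result[kw] = offsets
    return result


def known_hash_lookup(image: bytes, known: dict[str, str]) -> list[tuple[int, str]]:
    """Sector-level matching against a hash set of known content, the same idea
    as comparing carved files against a reference hash set."""
    hits = []
    for i in range(0, len(image), SECTOR):
        h = sha256_hex(image[i:i + SECTOR])
        if h in known:
            hits.append((i, known[h]))
    return hits


if __name__ == "__main__":
    medium = build_sample_medium()
    image, acq_hash = acquire_image(medium)
    print("acquisition hash:", acq_hash, "verified:", verify_image(medium, image))
    print("signatures:", signature_search(image))
    print("keywords:", keyword_search(image, ["contact", "password"]))
    # Hypothetical hash set: the PNG header sector is treated as "known".
    known = {sha256_hex(image[512:1024]): "known PNG header sector"}
    print("known hashes:", known_hash_lookup(image, known))
```

Running the script on the constructed medium reports the PNG header at offset 512 and the JPEG header at 1536, the keyword "contact" at offset 2572 and no hit for "password". In practice the copy is taken through a hardware write blocker and both acquisition and later re-verification hashes go into the documentation that accompanies the evidence.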
A formalization of the digital investigation process has been proposed by Carrier, by introducing the concept of an object history. [3] For a computer, the history includes the complete set of configurations, states and events that have occurred during the lifetime of the computer. A state is the sum of all variables in the computer at a given moment, whereas an event is any action that may change the state. In this model, the digital investigation process is defined as formulating hypotheses about the history of the computer and testing them against known values, such as known user input, data from other evidence sources and the final state of the system. A hypothesis that cannot have produced the observed final state from the known inputs is rejected, and several hypotheses may remain consistent with the evidence. With this model, the assumptions on which the event reconstruction is based are made explicit. This makes it possible for the investigator and the fact finder to assess the assumptions and decide whether they are justified.
References
- [1] United States National Institute of Justice, Technical Working Group for Electronic Crime Scene Investigation, "Electronic Crime Scene Investigation: A Guide for First Responders," 2001.
- [2] B. Carrier and E. H. Spafford, "Getting Physical with the Digital Investigation Process," International Journal of Digital Evidence, vol. 2, no. 2, 2003.
- [3] B. Carrier, "A Hypothesis-Based Approach to Digital Forensic Investigations," CERIAS Tech Report 2006-06, Center for Education and Research in Information Assurance and Security, Purdue University, 2006.