
    Seizing, imaging, and analyzing digital evidence : step-by-step guidelines

    Hiding and obfuscating their identities and digital evidence are now common activities for many malicious hackers. This, coupled with anti-forensic and anonymising techniques such as encryption and proxy relays, has made the aims of the digital investigator more difficult to achieve. It is simple to make errors which cause vital evidence to remain undetected or, worse, having found it, to contaminate it through poor practice. This chapter suggests best practices to help obtain exhibits and uncover obfuscated evidence while maintaining its integrity for submission in court.

    Tool testing and reliability issues in the field of digital forensics

    The digital forensic discipline is wholly reliant upon software applications and tools designed and marketed for the acquisition, display and interpretation of digital data. The results of any subsequent investigation using such tools must be reliable and repeatable whilst supporting the establishment of fact, allowing criminal justice proceedings to digest any findings during the process of determining guilt or innocence. Errors present at any stage of an examination can undermine an entire investigation, compromising any potentially evidential results. Despite a clear dependence on digital forensic tools, arguably, the field currently lacks sufficient testing standards and procedures to effectively validate their usage during an investigation. Digital forensics is a discipline which provides decision-makers with a reliable understanding of digital traces on any device under investigation; however, it cannot say with 100% certainty that the tools used to undertake this process produce factually accurate results in all cases. This is an increasing concern given the push for digital forensic organisations to now acquire ISO 17025 accreditation. This article examines the current state of digital forensic tool-testing in 2018 along with the difficulties of sufficiently testing applications for use in this discipline. The results of a practitioner survey are offered, providing an insight into industry consensus surrounding tool-testing and reliability.
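The two abstracts above turn on the same two properties: an image must be shown to match its source (integrity), and an acquisition tool must give the same answer every time it is run (repeatability). The following is an added illustration, not code from either paper. It images a constructed in-memory "device" in fixed-size chunks, hashes the source as it is read and the written image independently, records per-chunk hashes so that damage can be localised, and runs the acquisition twice as a simple known-answer style check. Names such as `acquire`, `AcquisitionRecord` and `SAMPLE_DEVICE` are this example's own.

```python
"""Integrity-checked imaging with a repeatability check.

Illustrative example only. The "device" is a constructed in-memory byte
buffer standing in for a read-only block device behind a write blocker.
"""
import hashlib
import io
from dataclasses import dataclass, field


@dataclass
class AcquisitionRecord:
    """What an examiner would log for one acquisition run."""
    source_sha256: str                                   # hash of bytes read from the source
    image_sha256: str                                    # hash of the image actually written
    chunk_hashes: list = field(default_factory=list)     # per-chunk hashes localise damage


def acquire(device: io.BufferedIOBase, image: io.BufferedIOBase, chunk_size: int = 4096) -> AcquisitionRecord:
    """Copy device -> image in fixed chunks, hashing source bytes as they are read."""
    src_hash = hashlib.sha256()
    chunk_hashes = []
    device.seek(0)
    while True:
        chunk = device.read(chunk_size)
        if not chunk:
            break
        src_hash.update(chunk)
        chunk_hashes.append(hashlib.sha256(chunk).hexdigest())
        image.write(chunk)
    image.flush()
    # Hash the written image independently of the in-flight hash so that a
    # write error or truncation shows up as a mismatch. (A real image would
    # be re-read in chunks rather than loaded whole.)
    image.seek(0)
    img_hash = hashlib.sha256(image.read()).hexdigest()
    return AcquisitionRecord(src_hash.hexdigest(), img_hash, chunk_hashes)


def acquire_bytes(data: bytes, chunk_size: int = 4096) -> AcquisitionRecord:
    """Convenience wrapper: image an in-memory source into an in-memory image."""
    return acquire(io.BytesIO(data), io.BytesIO(), chunk_size)


def verify(record: AcquisitionRecord) -> bool:
    """Accept the acquisition only if the image hash equals the source hash."""
    return record.source_sha256 == record.image_sha256


def repeatable(device_bytes: bytes, runs: int = 2, chunk_size: int = 4096) -> bool:
    """Repeated acquisitions of the same source must verify and yield one hash."""
    seen = set()
    for _ in range(runs):
        rec = acquire_bytes(device_bytes, chunk_size)
        if not verify(rec):
            return False
        seen.add(rec.image_sha256)
    return len(seen) == 1


# Constructed sample medium (not real evidence): a label, filler, and a boot signature.
SAMPLE_DEVICE = b"EVIDENCE-DRIVE-01" + bytes(range(256)) * 40 + b"\x55\xAA"

if __name__ == "__main__":
    record = acquire_bytes(SAMPLE_DEVICE, chunk_size=1024)
    print("chunks:", len(record.chunk_hashes), "image sha256:", record.image_sha256)
    print("verified:", verify(record), "repeatable:", repeatable(SAMPLE_DEVICE))
```

The chunk size changes how many per-chunk hashes are recorded but not the whole-image hash, which is the value that has to agree across runs, tools and examiners.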

    Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow

    Forensic analysis requires the acquisition and management of many different types of evidence, including individual disk drives, RAID sets, network packets, memory images, and extracted files. Often the same evidence is reviewed by several different tools or examiners in different locations. We propose a backwards-compatible redesign of the Advanced Forensic Format, an open, extensible file format for storing and sharing evidence, arbitrary case-related information and analysis results among different tools. The new specification, termed AFF4, is designed to be simple to implement, built upon the well supported ZIP file format specification. Furthermore, the AFF4 implementation has downward compatibility with existing AFF files.
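The abstract's key design choice is a ZIP container that carries evidence segments, case information and analysis results side by side. The block below is an added illustration of that idea and is not the AFF4 specification or any AFF4 implementation: the member layout (one ZIP member per segment, a JSON manifest of SHA-256 hashes, and an `information.json` member for case notes) is this example's own assumption. It shows why a hashed manifest matters when evidence moves between tools and examiners: a member altered or added after the container was sealed is reported on verification.

```python
"""Minimal ZIP-based evidence container with a hashed manifest.

Illustrative example only; it is not AFF4 and does not read AFF/AFF4 files.
Layout assumed here: one ZIP member per evidence segment, "information.json"
for case data, and "manifest.json" listing the SHA-256 of every member.
"""
import hashlib
import io
import json
import zipfile

MANIFEST = "manifest.json"
INFORMATION = "information.json"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_container(segments: dict, information: dict) -> bytes:
    """segments: member name -> bytes (disk segment, memory image, extracted file...)."""
    buf = io.BytesIO()
    manifest = {"members": {}}
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in segments.items():
            zf.writestr(name, data)
            manifest["members"][name] = sha256_hex(data)
        info = json.dumps(information, sort_keys=True).encode()
        zf.writestr(INFORMATION, info)
        manifest["members"][INFORMATION] = sha256_hex(info)
        zf.writestr(MANIFEST, json.dumps(manifest, sort_keys=True))
    return buf.getvalue()


def verify_container(blob: bytes) -> dict:
    """Return {member: ok}. A member is not ok if its hash differs, if it is
    listed but absent, or if it is present in the ZIP but absent from the manifest."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        manifest = json.loads(zf.read(MANIFEST))
        for name, expected in manifest["members"].items():
            try:
                results[name] = sha256_hex(zf.read(name)) == expected
            except KeyError:
                results[name] = False          # listed in manifest but missing
        for name in zf.namelist():
            if name != MANIFEST and name not in manifest["members"]:
                results[name] = False          # unaccounted-for data in the container
    return results


def rewrite(blob: bytes, member: str, new_data: bytes) -> bytes:
    """Replace (or append) one member without updating the manifest, to show detection."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(out, "w") as dst:
        names = src.namelist()
        for name in names:
            dst.writestr(name, new_data if name == member else src.read(name))
        if member not in names:
            dst.writestr(member, new_data)
    return out.getvalue()


# Constructed sample data, not real evidence.
SAMPLE_SEGMENTS = {
    "disk/seg0": b"\x00" * 512 + b"NTFS    ",
    "mem/seg0": b"\x90" * 64,
}
SAMPLE_INFO = {"case": "constructed-0001", "examiner": "jdoe", "note": "sample data"}

if __name__ == "__main__":
    blob = build_container(SAMPLE_SEGMENTS, SAMPLE_INFO)
    print("sealed:", verify_container(blob))
    print("after edit:", verify_container(rewrite(blob, "disk/seg0", b"altered")))
```

The manifest itself is unauthenticated here; in practice it would be signed or its hash recorded in the chain-of-custody log, otherwise an adversary who can rewrite members can rewrite the manifest too.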

    A general strategy for differential forensic analysis

    DFRWS 2012, Aug. 6-8, 2012, Washington, DC.
    The article of record as published may be found at http://dx.doi.org/10.1016/j.diin.2012.05.003
    Refereed Conference Paper
    The dramatic growth of storage capacity and network bandwidth is making it increasingly difficult for forensic examiners to report what is present on a piece of subject media. Instead, analysts are focusing on what characteristics of the media have changed between two snapshots in time. To date, different algorithms have been implemented for performing differential analysis of computer media, memory, digital documents, network traces, and other kinds of digital evidence. This paper presents an abstract differencing strategy and applies it to all of these problem domains. Use of an abstract strategy allows the lessons gleaned in one problem domain to be directly applied to others.
    Portions of this work were funded by NSF Award DUE-0919593.
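The abstract's point is that differencing can be stated once, independently of the evidence domain, and then instantiated per domain. The block below is an added illustration of that idea and is not the paper's own code or algorithm. It reduces any snapshot to a map from an identity key to a fingerprint, computes added/removed/changed sets once, and instantiates the same differ for a file-system listing (identity: path, fingerprint: content hash) and a process table (identity: PID, fingerprint: name and command line). The sample snapshots are constructed; the function and type names are this example's own.

```python
"""Domain-agnostic differential analysis of two snapshots.

Illustrative example only. A snapshot in any domain is reduced to
{identity key -> fingerprint}; `difference` never looks at the domain.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Iterable


@dataclass
class Diff:
    added: Dict = field(default_factory=dict)      # key -> fingerprint
    removed: Dict = field(default_factory=dict)    # key -> fingerprint
    changed: Dict = field(default_factory=dict)    # key -> (before, after)

    def is_empty(self) -> bool:
        return not (self.added or self.removed or self.changed)


def snapshot(items: Iterable[Any], key: Callable, fingerprint: Callable) -> Dict:
    """Reduce domain objects to key -> fingerprint. A duplicate identity within
    one snapshot is rejected: without unique identity the diff is meaningless."""
    snap = {}
    for item in items:
        k = key(item)
        if k in snap:
            raise ValueError(f"duplicate identity {k!r} in snapshot")
        snap[k] = fingerprint(item)
    return snap


def difference(before: Dict, after: Dict) -> Diff:
    """The abstract strategy: compare identities, then compare fingerprints."""
    d = Diff()
    for k, fp in after.items():
        if k not in before:
            d.added[k] = fp
        elif before[k] != fp:
            d.changed[k] = (before[k], fp)
    for k, fp in before.items():
        if k not in after:
            d.removed[k] = fp
    return d


# Domain 1: file-system listing as (path, size, sha256). Constructed sample data.
FS_T0 = [("/etc/passwd", 1200, "aa11"), ("/home/u/notes.txt", 40, "bb22"), ("/tmp/x", 5, "cc33")]
FS_T1 = [("/etc/passwd", 1260, "aa99"), ("/home/u/notes.txt", 40, "bb22"), ("/usr/bin/nc", 30000, "dd44")]

# Domain 2: process table as (pid, name, cmdline). Constructed sample data.
PS_T0 = [(1, "init", "/sbin/init"), (812, "sshd", "/usr/sbin/sshd -D")]
PS_T1 = [(1, "init", "/sbin/init"), (812, "sshd", "/usr/sbin/sshd -D"), (4471, "sh", "sh -i")]


def diff_files(t0, t1) -> Diff:
    # identity: path; fingerprint: content hash (a size change alone implies a hash change)
    return difference(snapshot(t0, lambda f: f[0], lambda f: f[2]),
                      snapshot(t1, lambda f: f[0], lambda f: f[2]))


def diff_processes(t0, t1) -> Diff:
    # identity: pid; fingerprint: (name, cmdline), so PID reuse surfaces as "changed"
    return difference(snapshot(t0, lambda p: p[0], lambda p: (p[1], p[2])),
                      snapshot(t1, lambda p: p[0], lambda p: (p[1], p[2])))


if __name__ == "__main__":
    print("files:", diff_files(FS_T0, FS_T1))
    print("processes:", diff_processes(PS_T0, PS_T1))
```

Choosing the key and fingerprint is where the domain knowledge lives: for memory one might key on virtual address range, for network traces on flow tuple. The differ and its reporting stay the same, which is the reuse the abstract describes.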