THE BASIC STEPS OF DIGITAL EVIDENCE HANDLING PROCESS

Article · February 2016


ISSN 1986-5694
Scientific journal of theory and practice in business informatics and information-communication technologies

Number 4.

INTERNATIONAL JOURNAL OF INFORMATION AND COMMUNICATION TECHNOLOGIES
FACULTY OF INFORMATION TECHNOLOGY, UNIVERSITY OF VITEZ
and
TAMBOV STATE UNIVERSITY NAMED AFTER G.R. DERZHAVIN

February 2016.

PUBLISHERS:
UNIVERSITY "VITEZ" VITEZ, Bosnia and Herzegovina and
TAMBOV STATE UNIVERSITY named after G.R. Derzhavin, Russia

EDITORIAL

Prof. Mirko Puljic PhD, Rector, University "Vitez"; Prof. Lazo Roljic PhD, Dean FIT
University "Vitez"; Asst. Prof. Hadzib Salkic PhD, Asst. Dean for academic affairs FIT
University "Vitez"; Prof. Ibrahim Obhođaš PhD, FIT University "Vitez"; Mr.sci Almira
Salkic, senior asst. FIT University "Vitez"; Mr.sci Mahir Zajmovic, senior asst. FIT
University "Vitez"; Asst. Nermina Konjalic, FIT, University "Vitez".
Yuriev V.M., Doctor of Economics, Professor, Rector of Derzhavin Tambov State University;
Pakhomov M.A., Doctor of Economics, Professor, Head of the Department of Business
Informatics, Derzhavin Tambov State University; Mukin S.V., Candidate of Technical
Sciences, Professor at the Department of Business Informatics, Derzhavin Tambov State
University; and Startsev M.V., Candidate of Pedagogical Sciences, Associate Professor at
the Department of Business Informatics, Derzhavin Tambov State University.

EDITOR IN CHIEF
Assistant prof. Hadzib Salkic, PhD
DESIGN AND PREPRESS
Mr.sci Almira Salkic
ADDRESS OF PUBLISHER
Ulica Skolska 23
72270 Travnik
Bosnia and Herzegovina
CONTACT
journal_fit@fit.co.ba
+387 30 519 750
+387 30 519 75
CONTENTS

DIGITAL FORENSICS IN EVIDENCE AND IN THE MITIGATING OF THE CORRUPTION EFFECTS
Lazo Roljić, Almira Salkić
UNIVERSITY OF "VITEZ" VITEZ
lazo.roljic@unvi.edu.ba, almira.salkic@unvi.edu.ba ... 3

JOOMLA E-COMMERCE WITH VIRTUEMART
Aldijana Ćorić
UNIVERSITY OF "VITEZ" VITEZ
aldijana.coric@unvi.edu.ba ... 17

INTERACTIVE APP ON FIT EXAMPLE
Alen Osmanagić
UNIVERSITY OF "VITEZ" VITEZ
alen.osmanagic@unvi.edu.ba ... 29

ONLINE ADVERTISING
Dinka Šakić
UNIVERSITY OF "VITEZ" VITEZ
dinka.sakic@unvi.edu.ba ... 41

AUTODESK MAYA - 3D ANIMATION FOR EDUCATIONAL PURPOSES GRADUATION THESIS
Toni Matej Radoš
UNIVERSITY OF "VITEZ" VITEZ
toni.rados@unvi.edu.ba ... 51

APPLICATION FOR STUDY TESTS, THE DRIVING TEST IN JAVA TECHNOLOGY
Nihad Karajko
FACULTY OF TECHNICAL STUDIES, UNIVERSITY IN TRAVNIK
nihad.karajko@gmail.com ... 63

CONTROLLING THE ROBOTIC ARM REMOTELY AT A DISTANCE USING HMI (HUMAN MACHINE
INTERFACE) AND PLC MODICON M340 OVER AN ETHERNET NETWORK
Mahir Zajmović, Said Karaosmanović
UNIVERSITY OF "VITEZ" VITEZ, TECHNICAL HIGH SCHOOL, BUGOJNO
mahir.zajmovic@unvi.edu.ba, said.karaosmanovic@gmail.com ... 73

MICROSOFT APPLICATION VIRTUALIZATION (APP-V 5.1) OVERVIEW
Hadžib Salkić, Jasmin Kahriman
UNIVERSITY OF "VITEZ" VITEZ, DALCOM D.O.O., ZENICA, BiH
hadzib.salkic@unvi.edu.ba, jasmin.kahriman@dalcom.com.ba ... 87

HUMAN RESOURCE INFORMATION SYSTEMS
Isaković Ines, Dedović Amar
isakovic.ines@hotmail.com, amar.dedovic@nts.ba ... 99

THE BASIC STEPS OF DIGITAL EVIDENCE HANDLING PROCESS
Hamidović Haris, Hadžib Salkić
Certified Court Expert Witness for IT, UNIVERSITY OF "VITEZ" VITEZ
mr.haris.hamidovic@ieee.org, hadzib.salkic@unvi.edu.ba ... 113

THE BASIC STEPS OF DIGITAL EVIDENCE HANDLING PROCESS
Hamidović Haris, Hadžib Salkić
CERTIFIED COURT EXPERT WITNESS FOR IT, UNIVERSITY OF "VITEZ"
mr.haris.hamidovic@ieee.org, hadzib.salkic@unvi.edu.ba

Abstract: Given the omnipresence of digital evidence it is the rare crime that does not
have some associated data stored and transmitted using computer systems. Despite its
diffusion, few people are well versed in the evidentiary, technical, and legal issues
related to digital evidence and as a result, digital evidence is often overlooked, collected
incorrectly, or analyzed ineffectively. This article presents the basic steps of the digital
evidence handling process, based on ISO/IEC 27037, DFRWS model and best practices
from other professional sources, which can be abstractly defined to produce a model
that is not dependent on a particular technology or electronic crime.
Key words: digital evidence, digital crimes, forensic

THE BASIC STEPS OF THE DIGITAL EVIDENCE HANDLING PROCESS (abstract in Bosnian, translated)

Abstract: Given the omnipresence of digital evidence, it is rare today for a criminal
offence to have no associated data stored or transmitted using computer systems. Despite
their prevalence, few people are well versed in the evidentiary, technical and legal
issues relating to digital evidence and, as a result, digital evidence is often
overlooked, collected incorrectly or analysed unsuccessfully. This paper presents the
basic steps of the digital evidence handling process, based on the recommendations of
the international standard ISO/IEC 27037, the DFRWS model and best practices from other
professional sources, which abstractly define a model that does not depend on a
particular technology or type of computer crime.
Key words: digital evidence, computer crime, forensics

Introduction
Each year, there is an increase in the number of digital crimes worldwide. As
technology evolves, software changes, and users become digitally savvy, the crimes
they commit are becoming more sophisticated. (Reith, Carr, Gunsch, 2002)
Given the ubiquity of digital evidence it is the rare crime that does not have some
associated data stored and transmitted using computer systems. Despite its prevalence,
few people are well versed in the evidentiary, technical, and legal issues related to
digital evidence and as a result, digital evidence is often overlooked, collected
incorrectly, or analyzed ineffectively. (Casey, 2004)
Due to the fragility of potential digital evidence, it is necessary to carry out an
acceptable methodology to ensure that the integrity of evidentiary value is preserved.
Key components that provide credibility in the investigation are the methodology
applied during the process, and individuals qualified in performing the tasks specified in
the methodology. (ISO/IEC 27037:2012)
Challenges to digital evidence are more common than the literature suggests, although
the challenges are usually based on the grounds of procedure or credibility; consistent
with the literature, challenges are rarely based on reliability or authenticity. (Kessler,
2010)
Currently, there are no globally-accepted standards on acquiring digital evidence, the
first step in the process. Police have developed their own national guidelines and
procedures for the acquisition and protection of electronic evidence. However, this
creates issues when cross-border crimes are committed since digital forensic evidence
acquired in one country may need to be presented in the courts of another. (Meyers,
Rogers, 2004)
One of the results of diverse approaches to collection and analysis of digital forensic
evidence is that it has become increasingly difficult to show why the process used in any
particular case is reliable, trustworthy and accurate. (Cohen, 2008)
Since the first Digital Forensic Research Workshop (DFRWS) in 2001, the need for a
standard digital forensics framework has been understood, yet there has been little
progress on one that is generally accepted. A framework for digital forensics needs to be
flexible enough so that it can support future technologies and different types of
incidents. (Carrier, Spafford, 2004)
International Standard ISO/IEC 27037 provides guidelines for specific activities in
digital evidence handling, namely the identification, collection, acquisition and
preservation of potential digital evidence that may be of evidentiary value. These steps
are required in an investigation process which is designed to maintain the integrity of
the digital evidence; an acceptable methodology in obtaining digital evidence will
ensure its admissibility in meeting its purposes.
Although the complete digital evidence handling process includes other steps (e.g.
presentation, disposal, etc.), the scope of this guideline document relates only to the
initial handling processes of identification, collection, acquisition, and preservation of
digital evidence.
ISO/IEC 27037 should ensure that responsible individuals manage digital evidence in
accordance with practical ways that are acceptable worldwide, with the objective to
facilitate investigation involving digital devices and digital evidence in a systematic and
impartial manner while preserving its integrity and authenticity. (ISO/IEC 27037:2012)
This article presents the basic steps of the digital evidence handling process, based on
ISO/IEC 27037, DFRWS model (DFRWS, 2001) and best practices from other
professional sources, which can be abstractly defined to produce a model that is not
dependent on a particular technology or electronic crime.

1. Establishing a Computer Forensics Team

Computer forensics as a discipline demands specially trained personnel, support from
management, and the necessary funding. Establishing and operating a computer
forensics team may require significant allocation of financial resources and personnel.
Many of the expenses are recurring and will have to be budgeted on a yearly basis.
Resource allocation should include the type of facility that will house the team,
equipment used by examiners, software and hardware requirements, upgrades, training,
and ongoing professional development and retention of examiners.
Because of the dynamic nature of the field, a comprehensive ongoing training plan
should be developed. Consideration may also be given to mentor programs, on-the-job
training, and other forms of career development. (U.S. Department of Justice, 2004)

2. Accusation or Incident Alert

Every process has a starting point, including the digital forensic investigation process. This
step can be signaled by an alarm from an intrusion detection system, a system
administrator reviewing firewall logs, curious log entries on a server, or some
combination of indicators from multiple security sensors installed on networks and
hosts. This initial step can also be triggered by events in more traditional law
enforcement settings. Citizens reporting possible criminal activity will lead to
investigative personnel being dispatched to a physical scene. That scene will likely
contain exhibits of which some may be electronic, requiring part of the investigation to
take a digital path. The prevalence of computers makes it increasingly likely that even
traditional crimes will have related information derived from digital sources that require
close scrutiny.
When presented with an accusation or automated incident alert, it is necessary to
consider the source and reliability of the information. An individual making a
harassment complaint because of repeated offensive messages appearing on her screen
might actually be dealing with a computer worm/virus. An intrusion detection system
alert may only indicate an attempted, unsuccessful intrusion or might be a false alarm.
Therefore, it is necessary to weigh the strengths, weaknesses, and other known nuances
related to the sources and include human factors as well as digital ones.
In addition to thoroughly assessing an accusation or alert, some initial fact gathering is
usually necessary before launching a full-blown investigation. Even technically
proficient individuals sometimes misidentify normal system activity as a computer
intrusion. Initial interviews and fact checking can correct such misunderstandings,
clarify what happened, and help develop an appropriate response. To perform this fact
gathering and initial assessment, it is usually necessary to enter a crime scene and scan
or very carefully sift through a variety of data sources looking for items that may
contain relevant information.
This is a very delicate stage in an investigation because every action in the crime scene
may alter evidence. Additionally, delving into an investigation prematurely, without
proper authorization or protocols, can undermine the entire process. Therefore, an effort
should be made to perform only the minimum actions necessary to determine if further
investigation is warranted. (Casey, 2004)
2.1. Incident/Crime Scene Protocols

When a full investigation is warranted the first challenge is to retain and document the
state and integrity of items (digital or otherwise) at the crime scene. Protocols, practices,
and procedures are employed at this critical juncture to minimize the chance of errors,
oversights, or injuries. Whoever is responsible for securing a crime scene, whether first
responders or digital evidence examiners, should be trained to follow accepted
protocols. These protocols should address issues such as health and safety (limiting
exposure to hazardous materials such as chemicals in drug labs or potentially infectious
body fluids), what other authorities are informed, and what must be done to secure the
scene. (Casey, 2004)
Preventing people from disturbing a single computer or room is relatively
straightforward but, when networks are involved, a crime scene may include sources of
evidence in several physically distant locations. Assuming investigators can determine
where these locations are, they may not be able to reach them to isolate and preserve
associated evidence. This raises the issues of evidence collection on a network.
The product or output of this stage is a secure scene where all the contents are mapped
and recorded, with accompanying photographs and basic diagrams to document
important areas and items.
2.2. Identification

Digital evidence is presented in physical and logical form. The physical form refers to
the construction and resultant appearance, in the form of a physical component or digital
device that contains potential digital evidence. The logical form of the digital evidence
refers to the format of data and its storage location and address within the digital device,
such as a hard drive.
The identification process involves the search for, recognition and documentation of
potential digital evidence at an incident scene. The identification process should identify
digital storage media and processing devices that may contain potential digital evidence
relevant to the incident that occurred. This stage also includes a triage process to prioritize
evidence collection based on the volatility of the data. The volatility of the data should be
identified to ensure the correct order of the collection and acquisition processes, to
minimize the damage to the potential digital evidence and to obtain the best evidence. In
addition, the process should identify the possibility of hidden potential digital evidence.
First responders or digital evidence examiners should be aware that not all digital
storage media can be easily identified and located, for example cloud computing, NAS
and SAN; all add a virtual component to the identification process.
First responders or digital evidence examiners should systematically carry out a
thorough search for items that may contain digital evidence. Different types of digital
devices that may contain potential digital evidence can easily be overlooked, disguised
or co-mingled amongst other irrelevant material. (ISO/IEC 27037:2012)

3. Collection

Once the digital devices that may contain potential digital evidence are identified, first
responders or digital evidence examiners should decide whether to collect or acquire
during the next step. There are a number of decision factors for this. The choice needs to
be balanced with the circumstances.
Collection is a step in the digital evidence handling process where devices that
potentially contain digital evidence are removed to a laboratory or another controlled
environment for later acquisition and analysis. Potential digital evidence can exist in
two conditions: when a system is powered on or when the system is powered off.
Different approaches and tools are required for this process, depending on the condition.
The collection step involves the gathering of physical devices that may contain potential
digital evidence from their original location and documenting all the collected items and
the steps involved. All items collected should be properly recorded and packaged prior
to transportation. It is important for first responders or digital evidence examiners to
collect any material that might relate to the potential digital evidence (e.g. paper with
passwords noted down, cradles and power connectors for embedded system devices).
Potential digital evidence may be tampered with or easily spoiled if reasonable care is
not applied.
There is a variety of reliable collection methods. First responders or digital evidence
examiners should adopt the best possible collection method based on the situation, cost
and time, and document the decision for using a particular method.
Removal of digital storage media is not always recommended and first responders or
digital evidence examiners should be sure they are trained and knowledgeable to know
and recognize when it is allowable to do so.
Besides, there are some circumstances in which it is impractical to collect digital devices.
First responders or digital evidence examiners should consider the following
circumstances, which are not limited to these (ISO/IEC 27037:2012):
- If there is no legal entitlement to collect the digital device;
- If there is an obligation to use other methods (e.g. to avoid interrupting a business);
- If first responders or digital evidence examiners want to capture the method of
  operation of a suspect during abuse of a system;
- If the collection or acquisition should take place covertly, if considered legal by the
  jurisdiction;
- If it is a mission-critical digital device that cannot tolerate any downtime;
- If it contains volatile data that should be acquired immediately in order to avoid any
  loss of data due to interruption of the power supply;
- If the physical size of the digital device is too big, such as a server at a data centre or
  a RAID system;
- If it is a safety-critical digital device that would endanger life if stopped;
- If it is a business-critical digital device that also services innocent parties; and
- If it contains an encrypted volume or data which requires recovery of the password or key
  from volatile memory.

3.1. Acquisition

The acquisition process involves producing an image of potential digital evidence or of a
digital device that may contain potential digital evidence, and documenting the methods
and steps used. There are a variety of reliable and validated acquisition methods and
tools. First responders or digital evidence examiners should adopt a suitable acquisition
method based on the situation, cost and time, and document the decision for using a
particular method or tool appropriately.
First responders or digital evidence examiners should use the appropriate method and be
able to justify the selection of that method. The acquisition method used should produce
an image copy of the digital evidence or digital devices that may contain potential
digital evidence. Both the original copy and the image copy should be verified with a
proven verification function (proven accurate at that point in time) that is acceptable to
the person who will use the evidence. Both copies should produce the same hash values
and the image copy be verified as a bitwise copy of the original digital evidence. There
will be instances where the verification process cannot be performed, for example when
acquiring a running system, the original copy contains error sectors, or the acquisition
time period is limited. In such instances, first responders or digital evidence examiners
should use the best possible method available and be able to justify and defend the
selection of the method. If the imaging cannot be verified, then this needs to be
documented and justified. If necessary, the acquisition method used should be able to
obtain the allocated and unallocated space.
There may be instances in which an image copy of a source disk is not feasible,
such as when the source is too large. In these instances, first responders or digital
evidence examiners may perform a logical acquisition. This acquisition type targets
only specific data types, directories or locations for acquisition. This generally takes place
at the file and partition level. This method will only copy the active files and non-file-
based allocated space on the digital storage media and will not copy deleted files or
unallocated space. Other instances where this method can be useful are
mission-critical systems that cannot be shut down.
Besides, when the data to be collected contains personal data, some jurisdictions require
that the sealing of the data be done in the presence of the owner of the data. (ISO/IEC
27037:2012)
3.2. Preservation

Potential digital evidence should be preserved to ensure its usefulness for investigating
incidents and to protect the integrity of the evidence. The preservation process involves
the safeguarding of potential digital evidence and digital devices that may contain
potential digital evidence from tampering or spoliation. The preservation process should
be initiated and maintained throughout the digital evidence handling steps starting from
the identification of the digital devices that may contain potential digital evidence.

In the best-case scenario, there should be no spoliation to the data itself or any metadata
associated with it (e.g. date and time-stamps). First responders or digital evidence
examiners should be able to demonstrate that the evidence has not been modified since
it was identified, collected or acquired.
In some cases, the confidentiality of digital evidence is a requirement, either a business
requirement or a legal requirement (e.g. privacy). The digital evidence should be
preserved in a manner that ensures the confidentiality of the data.
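The verification described in 3.1 (source and image hashing to the same value, a bitwise image, and a documented justification when error sectors prevent verification) and the preservation requirement above (being able to demonstrate the image has not changed since acquisition), as an added example that is not part of the paper or of ISO/IEC 27037: a minimal imager in Python. The in-memory source device, the 512-byte sector size, SHA-256 and the acquisition record fields are assumptions of this example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

SECTOR = 512  # assumed sector size for the constructed device


class Source:
    """Constructed stand-in for a block device; sectors listed in `bad_sectors`
    fail to read, which models the 'original copy contains error sectors' case."""

    def __init__(self, data: bytes, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)

    @property
    def sectors(self) -> int:
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise IOError(f"read error at sector {n}")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def acquire(src: Source, examiner: str, algo: str = "sha256"):
    """Bitwise acquisition of `src`. Returns (image_bytes, acquisition_record).

    Unreadable sectors are zero-filled and logged. In that case the source cannot
    be hashed, so the record states that verification was not performed and why,
    instead of silently reporting success."""
    h_img = hashlib.new(algo)
    image = bytearray()
    errors = []
    for n in range(src.sectors):
        try:
            chunk = src.read_sector(n)
        except IOError as exc:
            chunk = b"\x00" * SECTOR
            errors.append({"sector": n, "error": str(exc)})
        image += chunk
        h_img.update(chunk)

    record = {
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "algorithm": algo,
        "sectors": src.sectors,
        "image_hash": h_img.hexdigest(),
        "error_sectors": errors,
    }
    if errors:
        record["verified"] = False
        record["justification"] = (
            f"{len(errors)} unreadable sector(s) zero-filled in the image; the source "
            "cannot be hashed, so source/image hash comparison was not performed")
    else:
        # Independent second pass over the source: both copies must hash identically.
        h_src = hashlib.new(algo)
        for n in range(src.sectors):
            h_src.update(src.read_sector(n))
        record["source_hash"] = h_src.hexdigest()
        record["verified"] = hmac.compare_digest(record["source_hash"], record["image_hash"])
    return bytes(image), record


def preserved(image: bytes, record: dict) -> bool:
    """Preservation check: the image still hashes to the value recorded at acquisition,
    which is what lets the examiner demonstrate it has not been modified since."""
    current = hashlib.new(record["algorithm"], image).hexdigest()
    return hmac.compare_digest(current, record["image_hash"])


if __name__ == "__main__":
    # Constructed 4-sector device, imaged once cleanly and once with a bad sector.
    device = bytes(range(256)) * 8
    img, rec = acquire(Source(device), "examiner A")
    print("clean acquisition verified:", rec["verified"])
    img2, rec2 = acquire(Source(device, bad_sectors=[2]), "examiner A")
    print("acquisition with error sector verified:", rec2["verified"], "-", rec2["justification"])
    print("image still intact:", preserved(img, rec))
```

The record returned by `acquire` is the piece of the chain-of-custody documentation that a later `preserved` check is compared against; a hash mismatch there means spoliation must be investigated and documented.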
3.3. Examination

An in-depth, systematic search for evidence relating to the suspected crime needs to be done
prior to performing a full analysis. This focuses on identifying and locating potential
evidence, possibly within unconventional locations. The result (output) of the work in
this stage of the investigative process is the smallest set of digital information that has
the highest potential for containing data of probative value, and detailed documentation
for analysis.
3.4. Analysis

This step involves the detailed scrutiny of data identified by the preceding activities.
The techniques employed here will tend to involve review and study of specific, internal
attributes of the data. (Casey, 2004) Analysis determines significance, reconstructs
fragments of data and draws conclusions based on the evidence found. It may take several
iterations of examination and analysis to support a crime theory. The distinction of
analysis is that it may not require high technical skills to perform and thus more people
can work on the case. (Reith, Carr, Gunsch, 2002)
3.5. Reporting

To provide a transparent view of the investigative process, final reports should contain
important details from each step, including references to protocols followed and
methods used to seize, document, collect, preserve, recover, reconstruct, organize, and
search key evidence. The majority of the report generally deals with the analysis leading
to each conclusion and descriptions of the supporting evidence. No conclusion should
be written without a thorough description of the supporting evidence and analysis. Also,
a report can exhibit the investigator or examiner's objectivity by describing any
alternative theories that were eliminated because they were contradicted or unsupported
by evidence. (Casey, 2004)
3.6. Persuasion and Testimony

In some cases, it is necessary to present the findings outlined in a report and address
related questions before decision makers can reach a conclusion. A significant amount
of effort is required to prepare for questioning and to convey technical issues in a clear
manner. Therefore, this step in the process includes techniques and methods used to
help the analyst and/or domain expert translate technological and engineering detail into
understandable narrative for discussion with decision makers. (Casey, 2004)
3.7. Returning evidence

This step involves ensuring that physical and digital property is returned to its proper owner, as well as
determining how and what criminal evidence must be removed. Again, this is not an explicit
forensics step; however, any model that seizes evidence rarely addresses this aspect.
(Reith, Carr, Gunsch, 2002)

Conclusion
Digital data are all around us and should be collected in any investigation routinely.
Even if digital data do not provide a link between a crime and its victim or a crime and
its perpetrator, they can be useful in an investigation. Digital evidence can reveal how a
crime was committed, provide investigative leads, disprove or support witness
statements, and identify likely suspects.
Digital evidence can be fragile in nature. It may be altered, tampered with or destroyed
through improper handling or examination. Handlers of digital evidence should be
competent to identify and manage the risks and consequences of potential courses of
action when dealing with digital evidence. Failure to handle digital devices in an
appropriate manner may render the potential digital evidence contained on them
unusable.
Digital evidence is identified, collected, transported, stored, analyzed, interpreted,
reconstructed, presented and destroyed through a set of processes. Challenges to this
evidence come through challenges to the elements of these processes. These processes, like
all other processes and the people and systems that carry them out, are imperfect. That
means that there are certain types of faults that occur in these processes. (Cohen, 2008)
First responders or digital evidence examiners should know all the risks involved in
performing all steps during the investigation. Consideration should be given to protect
personnel and potential digital evidence at the scene of the incident.
In ensuring that the integrity of the potential digital evidence is preserved, first
responders or digital evidence examiners should have adequate experience, skills and
knowledge in handling them.
New technologies will inevitably present new challenges for digital investigations. In
order to respond adequately to these new challenges, continuous development of the
profession is essential.

References:
[1] Casey, Eoghan, 2004, Digital Evidence and Computer Crime: Forensic Science,
Computers, and the Internet, Second Edition, Academic Press
[2] Cohen, Fred, 2008, Challenges to Digital Forensic Evidence, Fred Cohen &
Associates
[3] Digital Forensic Research Workshop (DFRWS), 2001, A Road Map for Digital
Forensic Research, August 7-8, 2001, Utica, New York
[4] ISO/IEC 27037:2012, Information technology -- Security techniques -- Guidelines
for identification, collection, acquisition and preservation of digital evidence
[5] Kessler, Gary Craig, 2010, Judges' Awareness, Understanding, and Application of
Digital Evidence, Graduate School of Computer and Information Sciences, Nova
Southeastern University
[6] Meyers, Matthew, Rogers, Marc, 2004, Computer Forensics: The Need for
Standardization and Certification, International Journal of Digital Evidence, Fall 2004,
Volume 3, Issue 2
[7] Reith, Mark, Carr, Clinton, Gunsch, Gregg, 2002, An Examination of Digital Forensic
Models, International Journal of Digital Evidence, Fall 2002, Volume 1, Issue 3
[8] U.S. Department of Justice, 2004, NIJ Special Report, Forensic Examination of
Digital Evidence: A Guide for Law Enforcement
