Digital Forensic Process

Digital forensic process involves the systematic and methodical investigation of

digital devices, systems, and networks to gather and analyze digital evidence for
legal purposes. It typically follows a structured approach to ensure the integrity
and admissibility of evidence in court. The process can be broken down into
several stages:

1. Identification:
The identification phase is the starting point of the digital forensic process. It
helps the person conducting the investigation to get ready and plan the steps.
Here's what happens in simpler terms:
• Case Intake: This is where the person doing the investigation learns about the
case. They find out who is involved, what happened, what kind of evidence
they need, and what the legal consequences might be.
• Case Assessment: The investigator tries to understand the case fully. They
figure out which digital devices might have important evidence, and how
 important that evidence might be. They also decide what skills and tools they
need for the investigation.

• Objective Definition: The investigator decides what they want to find out
from the investigation. These are the specific questions they want to answer.
They make sure these objectives align with what the law requires and what the
investigation is expected to achieve.
• Legal and Ethical Considerations: The investigator makes sure they follow all
the laws and regulations that apply to collecting and analyzing digital evidence.
They also respect the rights of the people involved in the case.
• Resource Allocation: The investigator figures out what resources they need
for the investigation, like staff, tools, and equipment.
• Risk Assessment: The investigator looks at the things that might go wrong
during the investigation and plans for those problems.
• Scope Definition: The investigator decides what digital devices and data
sources to check, and what specific areas to focus on.
• Initial Documentation: The investigator keeps detailed records of everything
they do and decide during the identification phase. This helps keep everything
transparent and accountable.

2. Preservation:
The preservation of digital evidence (DE) presents unique problems beyond
traditional evidence preservation. Digital evidence includes any information in
binary form that can be useful in criminal or other legal investigations and
proceedings. By its nature, digital evidence resides on physical media, but it is the
content and related information, rather than the media, that are most often
important.
Digital storage can contain an exceptionally large amount of information in a small
physical footprint. It is present in a growing number of cases, owing to the
ubiquitous presence of cell phones, social media use, and the vast array of digital
helpers often called the Internet of Things (IoT). Digital data can be easy to change
but there are powerful techniques for preventing and detecting change.

3. Analysis:

The analysis phase involves using collected data to prove or disprove a case built
by the examiners. Here are key questions examiners need to answer for all
relevant data items:

• Who created the data

• Who edited the data
• How the data was created
• When these activities occur

In addition to supplying the above information, examiners also determine how

the information relates to the case.

The analysis phase in the digital forensic process is crucial. Here, the gathered
digital evidence is examined to not only understand what happened but also how
it happened. It involves complex and detailed techniques to uncover data,
including hidden, deleted, or encrypted data.

The steps typically include:

• Data Recovery: Extracting the data from the digital device. This can involve
recovering deleted files or accessing encrypted data.
• Examination: The data is then examined. This often involves looking for
specific files or types of files, examining data in detail, and looking for
evidence of particular activities.
• Analysis: The data is analyzed to draw conclusions about the digital
behavior of the suspect. This could be identifying patterns of behavior,
determining when certain files were created or accessed, or identifying the
source or destination of emails or other communications.
 • Reporting: The findings are then written up into a formal report, detailing
the steps taken, the evidence found, and the conclusions drawn. This may
be used in a court of law or for other official purposes.

Note that the analysis phase must be carried out in a forensically sound manner
to ensure that the results are reliable and admissible in a court of law. This means
that the data must be handled carefully to avoid alteration, contamination or loss,
and the process should be documented thoroughly and accurately.

4. Documentation:
The documentation process in digital forensic investigations is very important, as
it permanently records all relevant information generated during the
investigation. This recorded data assists decision-makers, legal authorities, and
administrative bodies in their respective decision-making processes. Forensic
investigation professionals dedicate a significant amount of time, between 50%-
75%, to writing administrative and research reports.

Documentation is a continuous process that spans the entire investigation. It

meticulously records the location and status of computers, storage media, and
other electronic devices. While there are overlaps between digital and physical
forensic investigations, the process of documentation is crucial in both.

Computers are often involved in criminal investigations. For instance, through a

search warrant, the email and internet activities of murder and rape suspects may
be analyzed to gather evidence about motives or hiding locations. In the
corporate world, computers are investigated when an employee is suspected of
unauthorized actions. Fraud investigations often involve collecting transaction
history evidence from servers. Nonetheless, it's crucial to recognize the unique
differences in the implementation of the documentation process within digital
and physical investigations.
5. Presentation/ Reporting:
To present the evidence in a way the court deems admissible and bring the guilty
to justice, formulating a coherent and comprehensive digital forensics report is
crucial. Without one, retelling the events that occurred in a structured manner, all
while backing up every claim with concrete evidence, would be next to impossible
(hence they are a requirement in the court proceedings).
Digital forensics reports play an instrumental role in coordinating the work
between multiple investigators, law enforcement officers, administrative, and
legal personnel involved in the case, not all of which may share the same
professional background and field of expertise.
They are the interdisciplinary focal point that tells the truth of what happened
and documents the findings, all while presenting them in a factual yet
understandable manner.
At the same time, investigators should keep in mind that other law enforcement
institutions may ask for the report in order to:

• Details of the reporting agency

• Case identifier
• Forensic investigator
• Identity of the submitter
• Date of evidence receipt
• Details of the device seized for examination including serial number, make,
and model
• Details of the equipment and tools used in the examination
• Description of steps taken during examination
• Chain of custody documentation
• Details of findings or issues identified
• Evidence recovered during the examination, ranging from chat messages,
browser history, and call logs to deleted messages, and so on
• Any images captured during the examination
• Examination and analysis information
• Report conclusion