The Digital Forensics Collection Process

Enterprise Security Magazine | Thursday, January 27, 2022

For legal purposes, virtual or digital footprints may serve as evidence in establishing the origin of a document or of a piece of software.

Fremont, CA: Just as people leave traces of themselves in the physical world – fingerprints, hairs, clothing fibers, DNA, and so on – as they move about and interact with people, places, and objects, their activities in the digital domain leave fragments or echoes of themselves. These virtual or digital traces, such as file fragments, activity logs, timestamps, and metadata, may be valuable for a variety of reasons. They can serve as evidence in establishing what the parties to a criminal case did, or as a resource for cyber-criminals attempting to reconstruct information about their victims or locate their credentials.

Activity on an individual computer system or network usually leaves some form of digital fingerprint. These may include fragments of deleted files, email headers, document metadata, process logs, and backup files, as well as web browser history, caches, and cookies. Any or all of these pieces of digital forensic evidence may be critical to security professionals protecting an organization or to investigators seeking to identify the origin of a breach, whether for documenting an incident, forming a response, or developing a strategy for future operations.

Digital forensic collection

As with physical evidence gathering, care must be taken during digital forensic collection to ensure that the data gathered for analysis is as pristine and undisturbed as possible. Files on a computer are altered in some way even when they are merely opened in their associated application and not saved: access timestamps change, and the application may write temporary files or recent-file entries. A system suspected of holding forensic evidence relevant to a case should therefore be left untouched until that information can be recovered in a non-disruptive manner.

The digital forensic collection procedure often begins with the creation of a "bit-level" (bit-for-bit) image of the system's hard drive or storage medium, ideally read through a write blocker so that nothing is written back to the original. The examiner records a cryptographic hash of the image at the time of acquisition so that any later alteration of the copy can be detected. When it is necessary to examine a device and read information from it while it is still running, for example to capture the contents of memory or of an encrypted volume that is unlocked only while the system is up, a "live acquisition" may be performed. This is done by launching a small acquisition program on the target system, which copies data to the forensic examiner's disk; because the tool itself runs on the evidence system, its footprint should be as small as possible and documented.
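The imaging and verification step described above, as an added example that is not the magazine's own code: a Python sketch that copies a simulated block device into an image file block by block, substitutes zeros for unreadable blocks while recording their numbers (the behaviour of dd's conv=noerror,sync), and hashes the image so the copy can be verified later. The FaultyDevice class, the 2048-byte sample data, and the acquire, verify and demo function names are constructed for this demonstration; a real acquisition would open the block device read-only behind a write blocker rather than a BytesIO stand-in.

```python
"""Bit-level acquisition with integrity verification (added example)."""
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 512  # sector-sized reads keep an unreadable region small


class FaultyDevice(io.BytesIO):
    """Constructed stand-in for a block device: raises OSError when a read
    starts inside one of the listed block numbers, as a failing sector would."""

    def __init__(self, data, bad_blocks=()):
        super().__init__(data)
        self.bad_blocks = set(bad_blocks)

    def read(self, size=-1):
        if self.tell() // BLOCK_SIZE in self.bad_blocks:
            raise OSError("I/O error")
        return super().read(size)


def acquire(device, image_path, block_size=BLOCK_SIZE):
    """Copy `device` block by block into image_path, hashing the bytes written.

    An unreadable block is replaced with zeros and its number recorded, so the
    image keeps its offsets and the examiner knows which regions are not
    evidence. Returns the acquisition record (hash, sizes, bad blocks, times)."""
    digest = hashlib.sha256()
    bad_blocks = []
    block_no = 0
    started = datetime.now(timezone.utc).isoformat()
    with open(image_path, "wb") as out:
        while True:
            try:
                chunk = device.read(block_size)
            except OSError:
                bad_blocks.append(block_no)
                device.seek((block_no + 1) * block_size)  # skip the bad block
                chunk = b"\x00" * block_size
            if not chunk:
                break
            out.write(chunk)
            digest.update(chunk)
            block_no += 1
    return {
        "image": image_path,
        "block_size": block_size,
        "blocks": block_no,
        "bad_blocks": bad_blocks,
        "sha256": digest.hexdigest(),
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify(image_path, expected_sha256):
    """Re-hash the image on disk; a mismatch means the copy can no longer be trusted."""
    digest = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected_sha256


def demo():
    """Constructed run: image a 2048-byte 'device' twice, once clean and once
    with block 2 unreadable, then verify both images against their records."""
    data = bytes(range(256)) * 8  # four 512-byte blocks of sample data (constructed)
    workdir = tempfile.mkdtemp()
    results = {}
    for name, bad in (("clean", ()), ("faulty", (2,))):
        path = os.path.join(workdir, name + ".dd")
        record = acquire(FaultyDevice(data, bad), path)
        record["verified"] = verify(path, record["sha256"])
        results[name] = record
    results["source_sha256"] = hashlib.sha256(data).hexdigest()
    return results


if __name__ == "__main__":
    for name, record in demo().items():
        print(name, record)
```

The clean image hashes identically to the source, so the record alone proves the copy is faithful; the faulty image verifies against its own recorded hash (the copy has not changed since acquisition) but differs from the source, and the bad_blocks list tells the examiner exactly which 512-byte region of it is padding rather than evidence.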
