Digital forensics investigations

There are plenty of crime-dramas for us to pick from for our evening entertainment, be it a modern look at policing with Line of Duty, an American twist with CSI, or maybe a nostalgic throwback with The Bill.

No matter your preference, the one thing these shows have in common is the presence of the forensic evidence team. Though analysing data might not seem as gripping as traipsing through a field on the hunt for evidence, the presence of digital crime is a wide-spread and thriving threat, and access to digital evidence can be the key to ending a cyber criminal’s spree. Time to discover what that counts as digital evidence and the protocol surrounding data storage.

Digital forensics 

Forensic science provides legal evidence, so it has a set of requirements for handling and extraction of evidence that must be rigorously adhered to. If the rules of handling evidence are not followed, the evidence can be deemed inadmissible and can often lead to the breakdown of a case.  

The discipline of computer forensics involves:  

• Evidence acquisition 
• Evidence authentication 
• Evidence analysis 

Digital evidence, such as a log file, is often transparently created by a computer’s operating system without the knowledge of the computer operator. It’s the job of the forensic investigator to find this evidence and ensure it’s handled, interpreted and presented correctly.  

Often, the forensic investigator will act as an expert witness in a court case. It’s common for large organisations to form relationships with digital forensic service providers and specialist computer crime units so that forensic examinations can be carried out almost immediately.

Support from the NCSC and CPNI 

In the UK, the National Cyber Security Centre (NCSC) works to improve the underlying security of the internet and collaborates with government, law enforcement, defence and businesses, offering cyber incident management and security advice. It aims to make the country the safest place to live and do business online, protects our critical services from cyber attacks, and manages major incidents. 

Aligned to the NCSC is the Centre for the Protection of National Infrastructure (CPNI). It provides security advice and guidance to organisations that form part of the UK’s national infrastructure, including electricity companies, water and gas agencies, emergency services, financial services, health services, and transport organisations who are considered critical to the economy of the country. Provided by NCSC, the Active Cyber Defence Hub helps protect our critical services from cyber-attacks, manage major incidents and improve the underlying security of the UK internet.  

Handling evidence - Chain of custody (chain of evidence)

Two important concepts in digital forensics are chain of custody (also known as chain of evidence) and evidence integrity. 

Chain of custody, as the name implies, accounts for all aspects of the handling of evidence, from acquisition to presentation in court. Evidence integrity ensures that evidence has not been altered or corrupted. 

The chain of custody should provide accountability for an item of evidence from its seizure through to production in court. The chain of custody must account for the location and security of the evidence at all times - any gaps in the chain of custody could render the item inadmissible in court.

The chain of custody is usually kept using evidence bags; these are tamper proof bags with unique seal numbers. The first bag used when seizing the item will be recorded in the seizing officer's notebook and the property officer's exhibit book. It will usually be signed into the secure property office and any movement to the digital forensics lab subsequently recorded.

When imaging an exhibit, the digital investigator will need to break the seal – the date/time/location and reason for this should be recorded in the officer’s notebook. On completion of imaging, the exhibit is resealed into a new evidence bag along with the original evidence bag. If the bag needs to be opened for any subsequent reason, each reseal should include the previous evidence bags. The details should be updated in the property register accordingly.

The reality of most prosecutions is that defence barristers will very rarely question the evidence produced as it is usually overwhelming against their client. They will invariably test the administrative procedures and chain of custody looking for weaknesses in the system. Failures in documentation, gaps in the chain of custody are areas they will focus on, hoping to convince the court that the evidence is tainted.

For examinations of hard disks which contain large quantities of illegal material, if the drive is excluded due to failures in administrative procedures and the chain of custody, then under the principle of ‘fruit of the poisoned tree’, everything from that drive is inadmissible.

Handling evidence

Beware! Magnets and computer forensics don't mix! Never use a magnetic tool of any kind even if you're working on optical media.

Techniques for effectively handling evidence include: 

• Using write blockers, which are devices that allow acquisition or copying of information from a disk drive without accidentally damaging the source drive’s contents. They do this by allowing read commands to pass to the target disk drive whilst blocking write commands. 
• Physically and/or electronically sealing the evidence, for example, cryptographically signing the data. This ensures that evidence integrity is maintained, and the evidence can’t be altered.  Hashes can also be used to show that data has not been modified.
• Maintaining control of the evidence by the custodian signing, dating and sealing it. This shows who has current and previous control of the evidence and attests to the chain of custody during the whole process.  

NPCC guidelines

As well as support from the NCSC, the National Police Chiefs Council Guidelines for Digital Evidence Capture were initially created in the 1990’s, to give Police investigators guidance on how they should handle digital investigations. Although they are a Police creation, the four principles can be applied equally to civil investigations, and they are often taken as being best practice for any cyber investigations. 

You can have a look at those principles in more detail now:

Principle 1: 

No action taken by law enforcement agencies, persons employed within those agencies, or their agents should change data which may subsequently be relied upon in court. (bag and tag). 

Principle 2:  

In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions. 

Principle 3:  

An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result. 

Principle 4:  

The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to. 

The question is whether this principle applies to digital forensics where a crime can be committed with no human presence? The answer to this is yes – any software installed will update registry keys and may leave traces of its existence on the hard drive, in link files or other traces. Plugging in external devices triggers the operating system to detect device drivers and install them and there is usually a trace that external devices have been used on systems. Quite often, if hackers get into a system, they will aim to wipe audit logs to try and cover their tracks and the act of such a wipe in itself leaves a trace on the system that there has been unauthorised access. Windows is an OS that logs a lot of activity and often will retain evidence of activity even if the user wipes the obvious locations.

What’s next? 

Before our expert Mark is going to takes you through an incident review, we’re going to look at Forensic planning.