Timeline for Evidence Acquisition and Investigation Processes

Why is a timeline important? As a digital forensics investigator, you will find that your work will take longer than others involved in the case will anticipate. You will be among the last to leave a search scene, since everyone else will likely have completed a search for physical items before your on-site imaging is complete.

One of the first steps in the electronic evidence investigation process is acquisition. The acquisition process consists primarily of making a copy of the digital evidence. As a matter of good practice, the investigator prefers to work on a copy of the electronically stored evidence, since operating the computer system or accessing the media storage device usually results in the host operating system writing to the disk and thereby modifying the original disk or media storage device evidence. Often, the entire hard disk is copied for a digital forensics examination.

However, what if the hard drive is a cloud drive or an extremely large hard disk? The timeline will have to be adjusted to account for more difficult acquisitions. In these cases, it may not be possible or practical to obtain a bit-by-bit copy of the entire drive. The digital forensics examiner must then make choices and will be required to explain any steps taken that may alter the original electronically stored information. Record the reasons for any possible alterations.

In the event of a network breach or intrusion, acquisition should occur as quickly as possible after an intrusion has been detected. This prevents evidence from being overwritten or lost as a result of subsequent network or computer activity.

Using Write Blockers

Write blockers are typically used when acquiring a copy of an original media storage device and are designed to prevent any computer involved in the examination process from writing to the target media storage device being examined. Write blockers come in the form of software or hardware mechanisms. It is important that the investigator can demonstrate that write-blocking technology was used when the evidence media storage device was copied and that the evidence image file obtained is an exact bit-by-bit copy of the original media device. This can be accomplished by computing hash values (or digital signatures) for both the original and the copy and comparing them to demonstrate that the media content did not change during the acquisition process.
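The hash verification just described, as an added example written for this page (it is not code from the page or from the referenced sources). It uses SHA-256 as the hash algorithm and an ordinary file as a stand-in for an evidence device, both of which are assumptions; a real acquisition would read a block device through a hardware write blocker. The example images the "device" in chunks, hashes the bytes as they are read, then re-hashes both the original and the image afterwards, so the resulting record shows separately whether the original survived acquisition unchanged and whether the copy is exact. It also demonstrates what the record looks like when the copy has been corrupted.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large media never has to fit in RAM


def image_device(source: Path, image: Path, chunk_size: int = CHUNK) -> str:
    """Bit-for-bit copy of `source` into `image`.

    The source is opened read-only (the software stand-in for a write blocker;
    a hardware blocker remains the stronger control). SHA-256 is computed over
    the same bytes that are written, so the returned digest is the hash of the
    original exactly as it was read during acquisition.
    """
    digest = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            block = src.read(chunk_size)
            if not block:
                break
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()


def hash_file(path: Path, chunk_size: int = CHUNK) -> str:
    """Independent SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(source: Path, image: Path, acquisition_hash: str) -> dict:
    """Re-hash original and copy after acquisition and compare all three values.

    source_unchanged: the original still hashes to what was read during imaging,
                      i.e. nothing wrote to it while the copy was being made.
    image_exact:      the copy hashes to the same value, i.e. it is bit-for-bit.
    """
    source_after = hash_file(source)
    image_hash = hash_file(image)
    return {
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "algorithm": "sha256",
        "acquisition_hash": acquisition_hash,
        "source_hash_after": source_after,
        "image_hash": image_hash,
        "source_unchanged": source_after == acquisition_hash,
        "image_exact": image_hash == acquisition_hash,
        "verified": source_after == acquisition_hash == image_hash,
    }


def demo() -> tuple[dict, dict]:
    """Run an acquisition against a constructed sample 'device' (not real media).

    Returns the verification record for a clean copy and for a copy in which
    one byte was deliberately corrupted, so both outcomes can be inspected.
    """
    with tempfile.TemporaryDirectory() as tmp:
        device = Path(tmp) / "evidence_device.bin"
        image = Path(tmp) / "evidence_device.dd"
        # Constructed content; the odd size exercises the final partial chunk.
        device.write_bytes(os.urandom(3 * CHUNK + 12345))
        os.chmod(device, 0o444)  # read-only permission as the write-block stand-in

        acquisition_hash = image_device(device, image)
        clean_record = verify_image(device, image, acquisition_hash)

        # Simulate a damaged copy: flip one byte of the image, not the original.
        data = bytearray(image.read_bytes())
        data[100] ^= 0xFF
        image.write_bytes(bytes(data))
        corrupted_record = verify_image(device, image, acquisition_hash)

        return clean_record, corrupted_record


if __name__ == "__main__":
    clean, corrupted = demo()
    print("clean copy verified:", clean["verified"])
    print("corrupted copy verified:", corrupted["verified"],
          "(source unchanged:", corrupted["source_unchanged"], ")")
```

The three-way comparison is the point: a single hash of the image proves nothing by itself, because it cannot distinguish a faithful copy of an altered original from an altered copy of a faithful original. Keeping the acquisition-time hash, the post-acquisition hash of the original, and the hash of the image in the record lets the examiner state which of those two situations occurred if the values ever disagree.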

There are many detailed tasks and decisions involved before, during, and after an acquisition of electronic evidence. How does an investigator remember every task and prove that all tasks were performed? What if some tasks are accidentally missed? A detailed checklist can be found within this learning resource to aid an investigator during the acquisition process.

An investigator will likely get questions from others connected with the investigation (e.g., how long will it take, when will the report be completed?). That’s why establishing metrics and timelines will be valuable, not only for the investigation but in court as well.

One way to do this is to base the timeline on the amount of data seized (e.g., imaging will take X minutes per GB, the examination will take X hours per GB). Break it down for each process. Tables and/or charts can help as well.
