Pre-investigation considerations

The pre-investigation is where you determine your capabilities and equipment specifications to conduct a forensic exam, regardless of whether it is in the field or a lab environment. Now is the time to determine your hardware, personnel, and training budget. Some of those costs will not be a one-time expenditure but will be an ongoing budget expenditure. The equipment must be updated, personnel training must be maintained, and the purchase of new technology as it becomes available.

Being a digital forensic investigator is not about buying the equipment, going to a training class, and never updating either of these afterward. As technology changes, so do the methods of hiding data or conducting criminal activities, so the investigator must be ready to adjust to these changes.

Before you are ready to begin the investigation, you must prepare yourself. This will allow for greater efficiency and a better work product. This includes preparing your equipment and becoming familiar with the current laws and legal decisions and the organization’s policies and procedures.

Some equipment will be reusable, and some will not. For the single-use items, make sure someone replaces them as soon as the incident concludes.

We will now discuss the equipment you will use as an investigator.

The forensic workstation

Whenever you get forensic investigators together, a common topic of conversation is the forensic workstation. How much Random Access Memory (RAM)? How many Solid State Drives (SSD) drives? Which Central Processing Unit (CPU)? Which Operating System (OS)? These are all questions that you might commonly hear. There is always a difference of opinion about the configuration of a forensic workstation. None of the views are incorrect because the investigator’s workstation configuration depends on their budget and the cases that are being investigated.

Forensic workstations are not cheap. Depending on the skill level of the investigator, they can either build their own or purchase a pre-made forensic workstation. Several vendors will configure a workstation to your specification. For example, consider the vendor SUMURI (https://sumuri.com) and their TALINO workstations. The base model costs approximately $8,000 and comes with:

• Intel Core i9-10900X 3.7 GHz 10-Core LGA 2066 processor
• 32GB of DDR4 2666 MHz RAM
• 500GB M.2 NVMe SSD

That is a basic forensic workstation, and you still must add storage for the forensic images. The high-end version costs over $18,000 and comes with:

• Dual Intel Xeon Gold 5220 18-Core processors
• 128GB DDR4 RAM
• 1TB SSD for the operating system
• 1TB M.2 NVMe SSD for temporary files and processing
• 2TB M.2 NVMe SSD for databases
• Eight 6TB hard drives configured in RAID 10 for evidence
• A 30-series GDDR6 Graphics Processing Unit (GPU) such as the NVIDIA RTX 3070 or 3080

One bottleneck that a forensic investigator may face with their forensic workstation is data transfer. I suggest using SSDs because they have much higher throughput than the typical spinning disk does. A fast CPU and a large amount of RAM enable maximum performance for forensic analysis. However, these machines are not portable, and you are not always able to perform the analysis or to acquire the data from the relative comfort of your workstation. A forensic laptop is also an expensive piece of equipment. At the time of printing, the TALINO OMEGA comes with:

• Intel Core i9-11900K processor
• 64GB DDR4 2933 MHz RAM
• 500GB M.2 NVMe SSD for the operating system
• 250GB M.2 NVMe SSD for temporary files and processing
• 1TB M.2 NVMe SSD for database
• 2TB M.2 NVMe SSD for evidence files
• NVIDIA GeForce RTX 3080 GPU with 16GB GDDR6 video memory

As you can see, you can never have too much CPU, RAM, or storage space on your forensic workstations. The equipment I described is on the higher end; you can conduct digital forensic examinations with less expensive equipment and still achieve the same results. In addition, the more high-end equipment will decrease the time involved. If you are a member of a multinational corporation or a large law enforcement agency, you may have the budget for high-end equipment. A smaller law enforcement agency, a smaller organization, or a single practitioner will have to determine what cost is more appropriate for their situation.

Sometimes you must leave the lab, which means you need additional portable equipment. We will now discuss the equipment required in your response kit.

The response kit

The digital evidence is not always delivered to your workspace. Sometimes, you may have to respond to a third-party location to acquire that evidence. The collection of that evidence is the basic building block for any digital forensic examination you may conduct. Like conducting an examination in your workspace, you need the proper tools and supporting equipment to accomplish this task. You need to create a response kit that includes documentary paperwork, pens, and storage containers to store digital evidence.

A response kit is unique to each digital forensic investigator. No kit is perfect; all kits are always subject to improvement. The goal of your response kit is to have everything you need to collect digital evidence, and we will go over some equipment that, in my experience, I have found helpful:

• Digital camera: Capable of still and video recording. You need to document the scene as it was when you arrived. If you testify in official proceedings, you will show the fact-finder precisely what you saw as you arrived. Some organizations also video record all the actions of the digital forensic investigator’s activities as they collect digital evidence.

  Note

  A word of advice: I would disable the microphone so as not to record audio. You may have extended discussions about how to proceed using language that may be regarded as less professional. These discussions and use of language could be used as a distraction by the opposing side in the presentation of evidence.

• Latex or nitrile gloves: These protect several aspects of the evidence collection — you are not leaving your fingerprints, and you are also protecting yourself from potential biohazards that may be on the scene. I am talking about blood, urine, feces, and any other biological fluid you can think of.
• Notepads: You need to document your actions on the scene. A notepad is a perfect repository to maintain that information. You can take notes about who you talk to, who secured the scene, and the basic facts of the case. When you begin the investigation, a lot of information will come at you, and it could be easy for you to forget a specific action if you do not record it. Some organizations also make a hand-written sketch of where the digital evidence is being collected. Your organization’s policies and procedures will determine whether a sketch is required.
• Organizational paperwork: This could be a property report for seizing evidence, and it lists exactly what was taken, where it was taken from, and any specific identifying marks or serial numbers on the item being taken. You can also include labels or tags to identify items that contain digital evidence.
• Paper storage bags/antistatic bags: You have to put the containers of digital evidence somewhere to prevent any unauthorized access. Digital evidence is very fragile, and you want to make sure you do not store it in a manner where static electricity can be generated. Static electricity can render the storage media inoperative, and you will lose access to any data.
• Storage media: Hard drives can be a traditional spinning disk or SSD and USB devices. A corporate digital forensic investigator will not shut down a server to create a forensic image. Instead, they will collect the specific datasets in the form of log files, RAM, or user directories and store them on the appropriately sized storage media.
• Write blocking devices: This could be a hardware device, such as the Tableau TK8u USB 3.0 forensic bridge (https://security.opentext.com/tableau/hardware/details/t8u), which allows you to access a storage device without changing its contents. We will discuss the acquisition of evidence in much greater detail in Chapter 3, Acquisition of Evidence. Alternatively, you can use a forensic boot disk, such as SUMURI’s PALADIN, a Linux distribution based on Ubuntu that allows the collection of digital evidence in a forensically sound manner. SUMURI offers PALADIN as a free download at https://sumuri.com/software/paladin.
• Frequency shielding material: This could include commercial aluminum foil, Faraday bags, or any container that will block radio transmissions. You will use this when you seize a mobile device to prevent the user from remotely wiping or resetting the device. Be aware, however, that when you place the device in these containers, the battery will quickly deplete, as it will attempt to reconnect to the network. If you have access to the mobile device’s menu, you can put the device into airplane mode. Then, the device will no longer attempt to connect to the network. Ensure you document any changes you make to the device.
• A toolkit: A small precision toolkit with multiple screwdriver bits is used to disassemble laptops, desktops, or mobile devices to access the digital storage container. You want to make sure you have a variety of screw heads to match what the various manufacturers use. Sometimes, the manufacturers will use two or three different screw heads when assembling their devices.
• Miscellaneous items: This can include extra power cables, data cables, USB hubs, screws, or anything else that might be difficult to acquire when you are at the subject’s location in the middle of the night, and no stores are available for you to purchase the missing item. If you are responding to a commercial site, keep a spare mouse and keyboard in case you need to access a server and they are not available. (If you are conducting network-based investigations, you may also want to include a network tap.) This subset comprises items you don’t think are needed until you are onsite and need them.
• A forensic laptop: Make sure all your software is up to date. I recommend creating a folder containing digital versions of any forms you will use, any processes you need to document, and any applications you find helpful in carrying out your tasks.
• Encryption: If you are traveling out of the country to get to the target site, you might want to encrypt the target drives that contain the acquired data you need to analyze. It is not uncommon for security services or customs to seize devices. This will ensure the data you acquired will not be compromised.
• Software security keys: This is also referred to as a dongle. You will find commercial versions of software that require you to insert a USB-based security key to use it. You want to make sure you have them with you because the software cannot be used without the security key inserted.

Now, the important question is this: how do you carry all of this from one location to another?

My recommendation is a Pelican-type case that is watertight and crush-proof to protect the equipment. Also, include a TSA-compliant locking device if you must travel via commercial air in the United States.

The list of items we have just discussed is only a recommendation. You will add/subtract from this list to meet the needs of the task at hand. There is no right or wrong answer when stocking your response kit. The budget, the organization, and the task at hand will dictate what equipment is needed.

A government/law enforcement digital forensic investigator may acquire full forensic images at the scene, and they will need larger storage capacity devices. As you become more experienced, you will accurately determine what equipment you need to perform your duties.

The result is that you need to have a response kit when leaving the office to acquire digital data or respond to any incident. How you stock that kit is entirely up to you as the forensic investigator. This is all about making your job easier and more efficient.

That has covered some of the hardware and physical items needed. We will now move on to discussing software.

Forensic software

This is the software that you will use to analyze data. You have a choice of utilizing commercial software designed for the forensic process or open-source tools. You want to make sure that you use fully licensed software in your work environment.

There is nothing more embarrassing than an organization using pirated software to investigate and have that fact come out in the administrative or judicial proceeding. It will be a severe hit to your reputation if you use pirated software to conduct your investigation, and it will call into question your integrity, your ethics, the results of your inquiry, and the results provided by the forensic tool. I cannot stress this enough: you must use fully licensed software in the forensic process. So, what is the difference between open-source and commercially available tools?

Vendors make open-source software freely available for anyone to use. Typically, there are no restrictions on its use; you can use it for educational, profit, or testing purposes. The positive aspect is that it is available at no cost in most situations. The downside is that you will have little or no technical support if something goes wrong. It will depend entirely on your skillset and level of comfort working with these tools. In addition, many open-source tools use a command-line interface (CLI) and not a graphical user interface (GUI), which can intimidate new users.

A commercial tool will typically have better customer support, documentation, and timely updates. The downside is that you are paying for those services. In reality, most of the time anything that a commercial forensic tool can do, an open-source tool can do the same thing. A commercial tool may carry out multiple functions, while with an open-source framework you may have to use different open-source tools to accomplish the same task.

Neither choice is wrong. As a digital forensic investigator, you must know where the data came from and ensure that the tool provides an accurate representation of the data. It does not matter if the tool is an open-source or commercial version; you must validate the results provided by any tool. We will talk about validation a little further on in this chapter.

I often get questions about whether a particular piece of software is court-approved. Forensic software is not court-approved, but you need to explain in the administrative/judicial process whether the tool you used produces reliable results and is accepted within the forensic community.

In the United States, this is known as the Daubert standard, which comes from the Supreme Court case Daubert v. Merrell Dow Pharmaceuticals Inc., 509 U.S. 579 (1993). This standard is used to determine whether an expert witness’s testimony is based on scientifically valid reasoning and can be appropriately applied to the facts of the matter. The factors the court considered are as follows:

• Whether the theory or technique can be or has been tested
• Whether it has been subjected to peer review and publication
• The known or potential error rate
• The existence and maintenance of standards
• Its acceptance within the scientific community

Initially, the courts only used the standard for scientific testimony. That changed with the Kumho Tire Co. v. Carmichael 526 U.S. 137 (1999) case; the Supreme Court clarified that the factors used in the Daubert decision could also apply to non-scientific testimony, that is, the testimony of engineers and other experts who are not scientists. So, as you can see, it is not so much the software being used but the expertise of the digital forensic investigator. Commercial forensic tools simplify the process and sometimes have a find evidence button. However, as the digital forensic investigator, you still must know where the forensic tool extracted the artifact from within the filesystem. (Your local jurisdiction may have different opinions.)

The National Institute of Standards and Technology (NIST) has sponsored the Computer Forensic Tool Testing Project (CFTT) (https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt), which has established a methodology for testing computer forensic software tools through the development of general tool specifications, test procedures, test criteria, test sets, and test hardware. This project provides a source for testing the results of forensic tools on its website. They also offer a collection of testing media to conduct your validation of forensic software. It is part of your best practices to validate the results of your forensic tools at least annually or whenever the tool is updated. It does not matter whether you are a government or private sector digital forensic investigator: you need to have confidence in your tools and be able to testify that you have tested and validated the process.

In 2011, this validation process was called into question during the trial of Casey Anthony. Casey Anthony was being tried on the following charges: first-degree murder, aggravated child abuse, aggravated manslaughter of a child, and four counts of providing false information to police, who were investigating the death of her child. During the trial there was a significant assertion by the prosecution was that someone searched for the term “chloroform” 84 times on Anthony’s computer. While the trial was ongoing, it was discovered that the forensic tool used by the digital forensic investigators had misinterpreted the values in the internet history database. The user had only visited the site one time, not 84 as reported. The software designer of the forensic tool realized the mistake while the trial was ongoing and notified the trial team of the error. My recommendation is that you have multiple forensic tools to validate your findings. For example, you could have two commercial forensic tools, one commercial and one open-source forensic tool, or two open-source forensic tools, but you need to validate your findings.

Some open-source forensic tools include the following:

• Autopsy: Autopsy is a fully functioning suite of forensic tools that allows you to conduct a complete forensic examination. It costs nothing and can be found at https://www.autopsy.com.
• SIFT Workstation: SIFT is a virtual machine that uses the Ubuntu operating system with multiple forensic tools pre-installed. It is free and can be found at https://digital-forensics.sans.org/community/downloads.
• PALADIN Forensic Suite: PALADIN is a live Linux distribution based on Ubuntu and has implemented several open-source forensic tools in a user interface called the PALADIN toolbox. It is free and can be found at https://sumuri.com/software/paladin/.
• CAINE: Computer-Aided Investigative Environment (CAINE) is a digital forensics project that provides a GUI and many open-source forensic tools for free. You can find it at https://www.caine-live.net/.

These are just a few of the open-source forensic suites available. There may be others out there that I haven’t mentioned, or you may wish to use single-purpose tools. As long as you achieve the goal of finding the artifact to reveal the truth about the matter being investigated, it does not matter which tool you use. The key is to use your training and experience to explain the pertinence of the artifact and how you determined the tool is providing reliable results.

Here are some commercial forensic tools available for Windows-based users:

• X-Ways Forensics: https://www.x-ways.net/
• EnCase: https://www.guidancesoftware.com/encase-forensic
• Forensic Toolkit (FTK): https://accessdata.com/products-services/forensic-toolkit-ftk
• Forensic Explorer (FEX): http://www.forensicexplorer.com/
• Belkasoft Evidence Center: https://belkasoft.com/ec
• Axiom: https://www.magnetforensics.com/products/magnet-axiom/

Here are some Macintosh-based tools:

• Cellebrite Inspector: https://cellebrite.com/en/inspector/
• RECON LAB: https://sumuri.com/software/recon-lab/
• RECON ITR: https://sumuri.com/software/recon-itr/

A Linux-based tool is SMART (http://www.asrdata.com/forensic-software/smart-for-linux/).

This is just a sample of the commercial forensic tools available for use. Each tool will have its strengths and weaknesses, which can be debated endlessly with your fellow practitioners.

Right now, I prefer X-Ways as my primary tool, and I supplement it with FEX and Belkasoft Evidence Center.

You can have all the tools, software, and hardware, but how effective will you be without training? So next up are some training options for you to consider.

Forensic investigator training

If you travel on the path of a career in digital forensics, you will need to continually upgrade your skills and training, which must be considered an ongoing expense. Just because someone goes through a 40-hour course does not automatically make them a digital forensic investigator. Instead, they are taking the first steps down that career path, but they will need to continue to attend training sessions and associate with other like-minded peers.

Certification is not a guarantee that the user knows what they are doing. Instead, certification shows that the user met the minimum level to achieve that certification. There are many certifications available, and some are more worthwhile than others. Before joining an organization and participating in its certification process, you must do your due diligence and research the costs, availability, and whether that certification is accepted within the forensic community. Most certifying organizations will require annual dues and a yearly training requirement to recertify the certification. There are tool- and vendor-specific certifications where you are being tested on your ability to use the vendor’s forensic tool and an understanding of the fundamentals of digital forensics. At the other end of the spectrum is tool-agnostic certifications. You can use any tool to complete the certification process.

This is a list of some of the certifications available:

• Certified Forensic Computer Examiner (CFCE) (Tool-Agnostic): https://www.iacis.com/
• EnCase Certified Examiner (EnCE) (tool-specific): https://www.Opentext.com/products-and-solutions/services/training-and-learning-services/encase-training/certifications
• ACE (tool-specific): https://training.accessdata.com/exams
• Computer Hacking Forensic Investigator (CHFI) (tool-agnostic): https://www.eccouncil.org/programs/computer-hacking-forensic-investigator-chfi/
• Global Information Assurance Certification (GIAC) (tool-agnostic): https://www.giac.org/certifications
• Certified Forensic Mac Examiner (CFME) (tool-agnostic): https://sumuri.com/mac-training/

Now that we have explored the equipment and training options, you still must prepare by understanding the legal and case information pertaining to the specifics of an investigation. So, we will discuss legal issues next.