March 17, 2013
Four sources of data that stand out for forensic investigators in most criminal investigations are files, operating systems, routers and network traffic, and social network activity. Each data source presents its own opportunities and challenges, so the more reliable data collection and analysis typically draws on a variety of sources. Digital forensics must cover four basic phases of activity: data collection, the identification and acquisition of relevant data; data examination, the processing of that data with automated and manual tools; analysis, the evaluation and categorization of examined data into coherent groups, such as by their usefulness in a court proceeding; and reporting, in which the results of analysis are described with careful attention paid to recommendations (Marcella & Menendez, 2009). The viability of each data source to an investigation must be evaluated on how it can contribute to each phase. For example, routers and switches as a data source might be effective in one phase but not in the other three. An examination of router activity might yield a surfeit of observable data without the analytical tools needed to make that data reliable in a forensic setting. Another example is network traffic, which may yield a large amount of data that is unreliable or highly volatile (Garfinkel, 2010). Time is often essential for forensic investigators, so it is important to know in advance the dynamics of each data source. This helps investigators avoid wasting time analyzing data that may be of minimal help in a forensic setting. For these reasons, it is important to critically assess the pros and cons of each data source and what it can contribute.
A valid assessment of each data source should be made on consistent factors such as cost, data sensitivity, and time investment. The overall cost of each data source depends on the equipment required to collect and analyze data without corrupting it. Cost also covers the training and labor required during collection and analysis, which may be higher for uncommon sources that require a unique process and chain-of-command pattern. Data sensitivity is critical as a forensic factor, but may be more questionable depending on the source. For example, network activity can provide a wealth of information depending on the device and setting through which data moves. However, a network environment with many devices and multiple configurations may provide unreliable data that cannot be recognized in court proceedings. In addition, chain-of-command issues regarding the contribution of outside network analysts could compromise a source that would otherwise be valid. These issues have to be considered in any data source assessment.

Data Files
The most common data sources in a digital forensic examination are current and deleted files. Most forensic investigators, in most data retrieval environments, begin with an examination of the various media stored on the hard drive of a computer, network, or mobile device. The types of stored data in current and deleted files, along with partitioned packet files and the slack space of a device's memory, can be massive and diverse. A typical first step in data retrieval is to shut down a system and create a data grab, or forensic duplicate, upon which collection and analysis can be performed. This preserves the integrity of the original data while allowing investigators to manipulate the copy however they see fit. However, this process alone creates challenges for forensic investigators, including an inability to capture live system data....
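As an added illustration of the forensic-duplicate step described above (example code written for this page, not taken from the essay or its cited sources), the Python below copies a source image block by block, records a SHA-256 hash of the source as it is read, then re-hashes the duplicate independently to confirm it is byte-for-byte identical. The sample "media" is a constructed byte string standing in for a device image, and the block size and file names are arbitrary choices for the example; a real acquisition would read from a write-blocked device rather than a temporary file.

```python
import hashlib
import os
import tempfile

# Read/write granularity for the duplicate; an arbitrary value chosen for this example.
BLOCK_SIZE = 4096


def acquire_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy source_path byte-for-byte to image_path.

    The hash is computed from the same bytes that are written out, in one pass,
    so the acquisition hash reflects exactly what was read from the source at
    acquisition time. Returns (bytes_copied, sha256_hex_of_source).
    """
    digest = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            digest.update(block)
            dst.write(block)
            copied += len(block)
    return copied, digest.hexdigest()


def hash_file(path, block_size=BLOCK_SIZE):
    """Independent SHA-256 of a file, read in blocks so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(source_path, image_path):
    """Re-hash both files after acquisition; the duplicate is only usable if the hashes match."""
    return hash_file(source_path) == hash_file(image_path)


def demo():
    """Run an acquisition on constructed sample data, verify it, then show that a
    single altered byte in the duplicate is caught by verification.

    Returns (bytes_copied, acquisition_hash_matches_source, verified_ok, tampered_copy_ok).
    """
    # Constructed sample image: repeating byte pattern plus a stand-in for slack-space remnant.
    sample = bytes(range(256)) * 40 + b"deleted-file-remnant in slack space"
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source.bin")
        img = os.path.join(tmp, "source.dd")
        with open(src, "wb") as handle:
            handle.write(sample)

        copied, acq_hash = acquire_image(src, img)
        verified_ok = verify_image(src, img)

        # Simulate corruption of the duplicate (one byte flipped) and re-verify.
        with open(img, "r+b") as handle:
            handle.seek(100)
            handle.write(b"\xff")
        tampered_ok = verify_image(src, img)

    acq_matches = acq_hash == hashlib.sha256(sample).hexdigest()
    return copied, acq_matches, verified_ok, tampered_ok


if __name__ == "__main__":
    copied, acq_matches, verified_ok, tampered_ok = demo()
    print(f"bytes copied: {copied}")
    print(f"acquisition hash matches source: {acq_matches}")
    print(f"duplicate verified: {verified_ok}")
    print(f"tampered duplicate verified: {tampered_ok}")
```

Hashing during the copy rather than afterwards matters on real media: a second read of a failing or volatile device may not return the same bytes, so the acquisition hash must be bound to the bytes actually captured. The post-copy verification then shows that the duplicate, not just the source, is intact before any analysis is performed on it.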