This forensic case concerns alleged contact between Russian officials and a high-ranking US government official. The task involves forensic analysis of the official's laptop and cell phone. The investigation reveals evidence consistent with ongoing suspicious activity between the parties. Initial examination of the phone shows a text message confirming a lunch meeting on a particular day (2/15/2016), while the contact list contains a phone number labelled 'Red Ralph'. Examination of the laptop reveals the deletion of several zipped files containing classified material, and web logs show uploads to a file-sharing site. The official report presents the evidence that can help the prosecutor decide whether anything illegal took place.
Digital forensic examination
A digital forensic examination is a standard methodology for retrieving information that can assist a criminal investigation. Its role has become more evident as technology has come to feature in most criminal activity. It involves assessing computers, electronic devices and IT infrastructure used by people engaged in suspicious activity, with a focus on the devices and equipment used to transfer data. The investigation examines system files, devices and wearables, recovers deleted files, and covers internet and cloud storage. A standardized framework is needed to address, among other issues, the increasing volume of data. Forensic examinations can routinely recover files that users believed were erased, because ordinary deletion does not overwrite the data on disk; only data that has actually been overwritten is beyond the reach of ordinary tools (Garfinkel & Shelat, 2003). Computer forensic analysts play a vital role in recovering evidence that has been deliberately removed from systems or corrupted.
Case identification is part of the preparation stage and involves detecting and identifying the incident and the vulnerabilities associated with the event under analysis. The steps involved in this stage are:
- Preliminary assignments before reaching the scene, including identifying experienced search experts (Carrier & Spafford, 2003).
- Identifying the person in charge, by name and details, who is assigned responsibility for the search operation.
- Developing the legal activities and the coordination plan.
- Initial case assessment, in which the investigators performing the initial investigation ask questions about the computer's role and the evidence (Ó Ciardhuáin, 2004).
- Identification of the case requirements, outlining the details systematically:
  - Recognizing whether the case represents a violation of company policy or of legal rules.
  - The nature of the case: whether the suspicious activity is at an individual or organizational level, or associated with the person in question (Reith, Carr, & Gunsch, 2002).
  - Determining the role of the person or devices in question.
- Determining the type of storage device: hard disk, floppy, CD, USB or memory card.
- Recording, against the case number, the operating system of the machine suspected of involvement in the incident.
- Clearly labelling the disk format (FAT16, FAT32, NTFS etc.).
- Stating the suspected motive behind the criminal activity.
- Stating whether the resources involved are private or public.
- Identifying the submitter of the information and his or her involvement in the case.
- Estimating the time, resources and money involved in the examination.
- The date of receipt, when the case was forwarded for investigation (Carrier & Spafford, 2003).
- The name of the agency and the date
- Submission number or case identifier
- Dates of receipt and reporting
- Identities and names of the submitter, examiners and investigators
- Details of the examination and collection procedures
- Item details such as serial number, make and model
- Titles and names of log files
- The specific files requested, plus other files such as deleted files that support the investigation (Garfinkel & Shelat, 2003).
- String searches and keyword searches performed
- Numbers and specifications of cache files, chat logs and e-mails
- The model used for the forensic examination
- Encryption techniques, hidden attributes and file-name anomalies identified
- Supporting materials, including reports, particular items of evidence, the number of digital copies and the custody documentation.
The primary focus of the forensic analysts is on recovering lost information. Using tools and procedures that meet accredited guidelines such as the Association of Chief Police Officers (ACPO) good practice guide, they search for the missing pieces that make the information meaningful. The technicians uncover and restore damaged and deleted data and search for traces that reveal when it was last used before deletion (Agarwal, Gupta, & Gupta, 2011).
Types of attempts at erasing files
The forensic team identifies the type of attempt made to destroy the files.
Even when data appears to have been permanently deleted from the system, the forensic investigator can use commercial recovery tools. Evidence useful for the examination includes contact lists, audio files, browser histories, calendars, compressed archives (RAR, ZIP etc.), cookies, databases, log files and system files (Carrier & Spafford, 2003). The levels below follow Garfinkel and Shelat's (2003) classification of where data survives on a drive:
| Level | Category | Description |
|---|---|---|
| Level 0 | Regular files | File names, attributes and contents held in the file system. Directly accessible with no special tools. |
| Level 1 | Temporary files | Browser cache files, helper-application files, print spooler files and files in the recycle bin. Users assume the system deletes them automatically. |
| Level 2 | Deleted files | When a file is deleted, the operating system does not overwrite its blocks on the disk; traditional undelete tools such as Norton Utilities recover these files. |
| Level 3 | Retained data blocks | Data recoverable from the disk that no longer belongs to a named file: slack space, blocks used for virtual memory, and blocks of deleted files that were partly overwritten. The Windows format command does not erase these blocks; recovering them requires specialized tools. |
| Level 4 | Vendor-hidden blocks | Blocks reachable only with vendor-specific drive commands, such as reassigned bad blocks, which may still hold deleted data. |
| Level 5 | Overwritten data | Once data has been overwritten, ordinary forensic tools cannot retrieve it; recovery with specialized laboratory equipment has been claimed but is not something an examiner can rely on. |
Identification of recovery techniques
The second step is identifying the recovery technique most useful for the investigation. This matters because it determines the most suitable tool for retrieving the lost data. To recover hard-disk information, investigators use tools that analyze images acquired from different operating systems; an Explorer-style interface allows a variety of file types to be read (Garfinkel & Shelat, 2003).
| Tool | Platform | Capabilities |
|---|---|---|
| DriveSpy | DOS/Windows | Inspection of slack space and of deleted files via file-system metadata. |
| EnCase | Windows | Sophisticated drive imaging, error checking, validation and a preview mode. |
| Forensic Toolkit (FTK) | Windows | Preview of forensic information, graphics searches (e.g. JPEG images) and internet text. |
| ILook | Windows | Handles multiple file systems at a time; generates hashes and offers filtering. |
| Norton Utilities | Windows | Tools for recovering lost files and examining the computer's hard disk. |
| The Coroner's Toolkit | Unix | A collection of programs for analyzing the retrieved data. |
| X-Ways | Windows | Native support for FAT, CDFS and NTFS; data cloning and imaging of files. |
| TASK (now The Sleuth Kit) | Unix | Operates on disk images created with dd. |
A digital forensic process model
The forensic analysts describe the investigation process and the steps it involves. Depending on the nature of the case, the analysts adopt a refined digital forensic process model, chosen because it offers more specific steps for the investigation and is better suited to laptops and mobile devices. The Systematic Digital Forensic Investigation Model of Agarwal, Gupta and Gupta (2011) provides an effective approach to revealing concealed data and addresses the shortcomings of earlier models (Agarwal, Gupta, & Gupta, 2011).
Phase I: preparation
Phase one, preparation, occurs before the investigation is conducted. It involves understanding the nature of the crime and the circumstances and activities linked to the incident, with emphasis on relating the circumstances to the crime. The team adopts an appropriate strategy covering the legal and technical factors.
Phase II: securing a scene
The second phase secures the scene against unauthorized access and preserves the original evidence. A formal protocol is useful here because it ensures that the chain of custody is maintained. Everyone involved in the investigation preserves the integrity of the data and does not alter it (Ó Ciardhuáin, 2004).
Phase III: survey and recognition
The initial survey lets investigators evaluate the scene and determine potential evidence sources, leading to an appropriate plan. Assessing power adapters, memory cards and cables is an essential part of this phase. Evaluating the electronic equipment is also crucial because it helps identify the people and scenes involved (Agarwal, Gupta, & Gupta, 2011).
Phase IV: documenting the scene
The next phase documents the scene by photographing, sketching and mapping it. Investigators produce photographic evidence of the devices, power adapters, cradles and accessories. This graphical record allows the scene to be reconstructed for in-depth analysis. The date and time of the incident are also documented (Agarwal, Gupta, & Gupta, 2011).
Phase V: communication shielding
This phase blocks all possible communication to and from the devices, even those that appear to be switched off, so that incoming traffic or remote commands cannot overwrite or alter the stored information.
Phase VI: evidence collection
This phase collects volatile and non-volatile evidence.
Volatile evidence on mobile devices, such as the contents of RAM and the running state, is lost when power is removed; keeping the device charged (replacing or connecting the power adapter) preserves it. Checking for installed malicious software is also part of the investigation (Garfinkel & Shelat, 2003).
Non-volatile evidence is collected from the devices' internal storage and from the external storage they support, including compact flash cards, memory sticks and USB drives. Choosing appropriate forensic tools helps in presenting the evidence in court. Hashing and write protection are used to authenticate the collected evidence. Evidence of a non-electronic nature, including written-down passwords and hardware manuals, must also be examined (Agarwal, Gupta, & Gupta, 2011).
Phase VII: preservation
The investigation team adopts procedures ensuring that transporting the evidence does not damage the devices. Proper labelling of every potential source is crucial in this phase. Radio-frequency isolation (a Faraday bag) keeps the evidence safe and prevents further communication.
Phase VIII: the examination
This is the most technical phase: the evidence and the content obtained are examined. An appropriate strategy is to create multiple backups (working copies) and reduce the evidence to manageable sizes. Filtering the data, validating it and matching patterns are part of the phase, and attempts at system tampering and deletion are highlighted (Agarwal, Gupta, & Gupta, 2011).
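The hashing and write protection mentioned under evidence collection, and the verified working copies used in the examination phase, come down to one routine: hash the acquired image, hash every copy, write-protect the copy and re-check it before and after analysis. The following is an added example (not code from the original report or from any of the tools named above) that does this with Python's standard library. The image file, the examiner name and the custody-record layout are constructed for illustration; in practice the original drive sits behind a hardware write blocker and only the copies are touched.

```python
import hashlib
import io
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-gigabyte image never has to fit in RAM


def hash_stream(fh, algorithms=("md5", "sha256")):
    """Read a file-like object once and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def acquire(source_path, store_dir, examiner):
    """Copy an acquired image into the evidence store, write-protect the copy,
    verify the copy against the source and record a custody entry."""
    dest_path = os.path.join(store_dir, os.path.basename(source_path))
    shutil.copyfile(source_path, dest_path)
    os.chmod(dest_path, 0o444)  # read-only working copy; a hardware write blocker guards the original
    source_hashes = hash_file(source_path)
    dest_hashes = hash_file(dest_path)
    if source_hashes != dest_hashes:
        raise RuntimeError("working copy does not match the source; acquisition failed")
    record = {
        "item": os.path.basename(source_path),
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "hashes": dest_hashes,
    }
    with open(dest_path + ".custody.json", "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify(evidence_path):
    """Re-hash an evidence file and compare with its custody record.
    Returns (matches, current_hashes); a mismatch means the copy was altered."""
    with open(evidence_path + ".custody.json") as fh:
        record = json.load(fh)
    current = hash_file(evidence_path)
    return current == record["hashes"], current


def demo():
    """Constructed walk-through: acquire a small fake image, verify it, alter one
    byte and verify again. Returns (ok_before, ok_after)."""
    work = tempfile.mkdtemp()
    try:
        source = os.path.join(work, "laptop_hdd.dd")  # constructed sample image, not a real drive
        with open(source, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"classified.zip" + b"\xff" * 4096)
        store = os.path.join(work, "evidence")
        os.makedirs(store)
        acquire(source, store, examiner="examiner-1")  # hypothetical examiner name
        copy = os.path.join(store, "laptop_hdd.dd")
        ok_before, _ = verify(copy)
        os.chmod(copy, 0o644)  # simulate someone lifting the write protection
        with open(copy, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"X")
        ok_after, _ = verify(copy)
    finally:
        shutil.rmtree(work)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two digests are recorded because older reports and tools still quote MD5; the SHA-256 value is the one that should be relied on. The file-mode change is only a guard against accidents, as the tampering step shows; the custody record is what lets a later examiner prove the copy is unchanged.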
Phase IX: analysis
A technical review is conducted and teams of experts analyze the evidence to uncover useful information, identifying associations between fragments of information. Timeframe analysis is the most efficient approach and leads to sound results. File analysis is conducted to extract data. Documenting the results is the final part of the phase.
Phase X: presentation
Presenting the results follows the extraction of the information. The findings are presented to corporate management or to the court, since they may either substantiate or refute the alleged offence. The report is important because it contains a detailed summary of the steps of the examination and inquiry (Garfinkel & Shelat, 2003). A good report has the following features:
- Proper grammar and readable language
- No errors or ambiguities that would make the report hard to read
- Results explained briefly, focused on the central information
- Details of the log files generated by the forensic tools
- It increases the chance of persuading a jury
Phase XI: results and review
Reviewing the results is a crucial step because it yields sound details about the suspicious event. It involves interpreting and evaluating the results obtained throughout the examination. The information helps identify the nature of the crime and the persons involved (Agarwal, Gupta, & Gupta, 2011). The process involves:
- Review of the process and the investigation techniques
- Collection and preservation of the information associated with the incident
- Eradication of the problem from affected systems and prevention of further crimes
The results of the forensic investigation are presented in a comprehensive report that gives clear details about the case and describes the activities carried out throughout the investigation. The results lead to opinions that help resolve the case. They also show the need for guidance that helps experts investigate with integrity and present the collected evidence under the adopted forensic model. Agarwal's process model helped in retrieving lost files from file-system metadata, and the team looked for specific clues to detect suspicious files and to compare clusters of files.

Handling the huge amount of data produced by forensic imaging is often daunting. An appropriate strategy is to score the suspiciousness of each file from its name, path, size, extension, fragmentation, hash and allocation status; evaluating file contents then reveals the clues useful to the investigation. Automated scoring of suspiciousness produces more consistent valuations than manual review. Metadata supports more sophisticated methods of inquiry, but these are rarely used in criminal investigations.

Suspicion determined through forensic examination is of two types. Anomalousness measures the degree to which an object deviates from its norm (Buchholz & Spafford, 2004), and is measured by comparing a file's statistics, such as its size, against those of comparable files on the drive. Deceptiveness indicates the degree to which an object presents something other than the truth, for example a file whose extension does not match its contents; deceptiveness is the more common sign of concealed information or hidden facts.
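To make the two measures concrete, here is an added example (not code from the original report) that scores a file listing for deceptiveness and anomalousness. Deceptiveness is taken as a content signature that contradicts the extension, such as a ZIP archive renamed to .txt; anomalousness is the size of a file relative to the median size of files sharing its extension, on a log scale. The signature table, the weights and the file listing are constructed for the example; a real tool would use a full signature database such as libmagic.

```python
import math
import statistics
from collections import defaultdict

# Content signatures this example recognises (constructed subset; a real tool
# uses libmagic or a full signature database).
SIGNATURES = {
    b"\x50\x4b\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",  # legacy .doc/.xls/.ppt container
}
# Extensions that legitimately carry each container type.
EXPECTED_EXT = {
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "jpeg": {"jpg", "jpeg"},
    "png": {"png"},
    "pdf": {"pdf"},
    "ole": {"doc", "xls", "ppt"},
}


def sniff(header):
    """Return the content type implied by the file's leading bytes, or None."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def deceptiveness(rec):
    """1.0 when the content signature contradicts the extension (a renamed
    archive or image is the classic way of hiding material), else 0.0."""
    kind = sniff(rec["header"])
    if kind is None:
        return 0.0
    return 0.0 if extension(rec["path"]) in EXPECTED_EXT[kind] else 1.0


def anomalousness(records):
    """Size anomaly per file: |log2(size / median size of files with the same
    extension)|. Groups with fewer than three members have no usable norm and
    score 0."""
    groups = defaultdict(list)
    for r in records:
        groups[extension(r["path"])].append(max(r["size"], 1))
    scores = {}
    for r in records:
        sizes = groups[extension(r["path"])]
        if len(sizes) < 3:
            scores[r["path"]] = 0.0
        else:
            scores[r["path"]] = abs(math.log2(max(r["size"], 1) / statistics.median(sizes)))
    return scores


def rank(records, w_anomaly=1.0, w_deception=3.0):
    """Return [(score, path)] sorted most suspicious first."""
    anomaly = anomalousness(records)
    scored = [(w_anomaly * anomaly[r["path"]] + w_deception * deceptiveness(r), r["path"])
              for r in records]
    return sorted(scored, reverse=True)


# Constructed file listing: path, allocated size and the first bytes of content.
SAMPLE = [
    {"path": "/Users/official/Pictures/IMG_0001.jpg", "size": 200_000, "header": b"\xff\xd8\xff\xe0"},
    {"path": "/Users/official/Pictures/IMG_0002.jpg", "size": 250_000, "header": b"\xff\xd8\xff\xe0"},
    {"path": "/Users/official/Pictures/IMG_0003.jpg", "size": 180_000, "header": b"\xff\xd8\xff\xe1"},
    {"path": "/Users/official/Pictures/IMG_0004.jpg", "size": 220_000, "header": b"\xff\xd8\xff\xe0"},
    {"path": "/Users/official/Pictures/IMG_0005.jpg", "size": 48_000_000, "header": b"\xff\xd8\xff\xe0"},  # far too big for a photo
    {"path": "/Users/official/Documents/report.docx", "size": 120_000, "header": b"PK\x03\x04"},
    {"path": "/Users/official/Documents/notes.txt", "size": 5_000_000, "header": b"PK\x03\x04"},  # a ZIP archive renamed .txt
    {"path": "/Users/official/Documents/memo.txt", "size": 2_000, "header": b"Dear "},
]

if __name__ == "__main__":
    for score, path in rank(SAMPLE):
        print(f"{score:6.2f}  {path}")
```

The median rather than the mean is used as the norm because one oversized file would otherwise drag the group's mean towards itself and hide its own deviation. Deception is weighted more heavily than size because a mismatched signature is a deliberate act, whereas a large file may simply be a large file; both weights are choices for the examiner, not fixed values.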
The main findings of the investigation are:
- One copy containing at least 200 images across 100 files.
- Drives were classified separately as computer disks and portable-device storage.
- The metadata revealed each file's path, name, size and MAC times, with NTFS flags indicating whether the file was encrypted, compressed or empty.
- At least 80,000 files were exposed, of which 2,000 had unique paths.
- Among the collected files, 30 percent were unallocated or marked as deleted; the other 70 percent were orphans, whose file names could not be determined without the corresponding path information.
- File carving was used to find files that had lost their metadata entirely.
- Correcting the file path names made it possible to mark the useful files among the many deleted files in the data repository.
- Assigning files to semantically meaningful groups such as pictures, Word documents and spreadsheets helped classify the data.
- Where an immediate directory name was meaningless, searching the parent directories allowed files to be mapped into groups using an expert-system approach. Searching the web for extension names and software-specific terms also proved a great help.
- Matching extensions against directory names permitted filtering out useless data.
- Anomalies were found by assessing unusually large JPEG images and files belonging to specialized applications.
The results acquired for the US official's devices are:
Analysis of drive 121
- Operating system Windows (60% non-deleted content and 40% temporary content).
- Time behavior: personal user
Analysis of drive 129
- Operating system Windows (70% non-deleted content and 30% temporary content).
- Time behavior: personal user
Association between files
Clustering allowed associations between pairs of files to be found and quantified. The factors identified are:
- Temporal association: modification and creation times close together, suggesting a causal relationship.
- Filename association: files that share the same name, ignoring the extension.
- Content-hash association: files whose cryptographic hashes match, identifying identical content.
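The three association types above, together with the timeframe analysis of the analysis phase, can be computed directly from a file listing. The following is an added example (not code from the original report) that finds temporally, name- and hash-associated pairs and merges them into clusters with a union-find. The paths, timestamps and contents are constructed to mirror the case narrative (a document, a temporary archive of it, and a copy of that archive in a downloads folder); the 120-second window is an assumed threshold.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def stem(path):
    """File name without directory or extension, lower-cased."""
    name = path.rsplit("/", 1)[-1]
    return (name.rsplit(".", 1)[0] if "." in name else name).lower()


def ts(iso):
    """'2016-02-14T21:03:00' -> POSIX seconds, treated as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()


def associations(files, window=120):
    """Every associated pair as (path_a, path_b, kind). 'window' is the
    maximum gap in seconds for two timestamps to count as temporally linked."""
    pairs = []
    for i, a in enumerate(files):
        for b in files[i + 1:]:
            if a["sha256"] == b["sha256"]:
                pairs.append((a["path"], b["path"], "content-hash"))
            if stem(a["path"]) == stem(b["path"]):
                pairs.append((a["path"], b["path"], "filename"))
            if (abs(a["mtime"] - b["mtime"]) <= window
                    or abs(a["ctime"] - b["ctime"]) <= window):
                pairs.append((a["path"], b["path"], "temporal"))
    return pairs


def clusters(files, window=120):
    """Union-find over the association pairs; returns a list of path sets,
    largest cluster first."""
    parent = {f["path"]: f["path"] for f in files}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b, _ in associations(files, window):
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for p in parent:
        groups[find(p)].add(p)
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


# Constructed listing (paths, times and contents are invented for the example).
_BRIEFING = b"constructed contents of a classified briefing document"
SAMPLE = [
    {"path": "/Users/official/Documents/briefing_0215.docx",
     "sha256": sha256_hex(_BRIEFING),
     "mtime": ts("2016-02-14T21:03:00"), "ctime": ts("2016-02-10T09:12:00")},
    {"path": "/Users/official/AppData/Local/Temp/briefing_0215.zip",
     "sha256": sha256_hex(b"zip:" + _BRIEFING),
     "mtime": ts("2016-02-14T21:03:45"), "ctime": ts("2016-02-14T21:03:45")},
    {"path": "/Users/official/Downloads/upload.zip",
     "sha256": sha256_hex(b"zip:" + _BRIEFING),
     "mtime": ts("2016-02-14T21:05:10"), "ctime": ts("2016-02-14T21:05:10")},
    {"path": "/Users/official/Pictures/holiday.jpg",
     "sha256": sha256_hex(b"unrelated jpeg bytes"),
     "mtime": ts("2015-08-02T14:00:00"), "ctime": ts("2015-08-02T14:00:00")},
]

if __name__ == "__main__":
    for a, b, kind in associations(SAMPLE):
        print(f"{kind:13} {a}  <->  {b}")
    for group in clusters(SAMPLE):
        print(sorted(group))
```

The document and the temporary archive are linked only by name and time, while the archive and the uploaded copy are linked by identical content; the union-find joins all three into one cluster and leaves the unrelated photo alone. On a listing of tens of thousands of files the pairwise loop should be replaced by grouping on hash and stem first and sorting by time for the temporal pass, but the association rules stay the same.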
Assessment of the report presented by the forensic investigation team will lead to an evaluation of its contents. The forensic team adopts procedures that produce meaningful outcomes and help determine whether a crime occurred and its nature. A digital forensic process model provides these benefits and ensures sound interpretations. The evidence obtained through the process will help reconstruct events and uncover the association between the US official and the Russian contact. It also leads to the development of generalized solutions.
Agarwal, A., Gupta, M., & Gupta, S. (2011). Systematic Digital Forensic Investigation Model. International Journal of Computer Science and Security, 5(1), 118-131.
Buchholz, F., & Spafford, E. (2004). On the Role of File System Metadata in Digital Forensics. Digital Investigation, 1(4), 298-309.
Carrier, B., & Spafford, E. H. (2003). Getting Physical with the Digital Investigation Process. International Journal of Digital Evidence, 2(2).
Garfinkel, S. L., & Shelat, A. (2003). Remembrance of Data Passed: A Study of Disk Sanitization Practices. IEEE Security & Privacy, 1(1), 17-27.
Ó Ciardhuáin, S. (2004). An Extended Model of Cybercrime Investigations. International Journal of Digital Evidence, 3(1).
Reith, M., Carr, C., & Gunsch, G. (2002). An Examination of Digital Forensic Models. International Journal of Digital Evidence, 1(3).