This phase is described by Carrier as the phase where we "...use the evidence that we found and determine what events occurred in the system" (Carrier, 2005).
2.2. The United States Department of Justice's (USDOJ) digital forensic analysis methodology
The second methodology under review in this paper has been put forward by the United States Department of Justice. It consists of four basic phases: collection, examination, analysis and reporting (Shin, 2011). More specifically, the stages of this digital forensic methodology comprise the following central aspects: first, obtaining the data, followed by the forensic request; then the preparation and extraction phase; then identification; and finally analysis and forensic reporting, leading to case-level analysis (DIGITAL FORENSIC ANALYSIS METHODOLOGY).
The preparation and extraction phase is characterized by the examiner's question as to whether there is sufficient information to proceed, and by ensuring that there is sufficient data available to answer the request or requests that might be made in the investigation (Carroll et al.). The duplication of forensic data is also part of this process, as is the verification of its integrity. This process assumes that "...law enforcement has already obtained the data through appropriate legal process and created a forensic image" (Carroll et al.). After verification and integrity testing, the process of extracting the data begins.
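As an added illustration of the integrity gate in the preparation and extraction phase (example code written for this page, not taken from the paper or from the USDOJ chart): the hash recorded when the forensic image was created is recomputed before any extraction, and a mismatch halts the phase rather than letting analysis proceed on altered data. The image contents and the block-carving "extraction" are constructed stand-ins for a real acquisition.

```python
import hashlib
import os
import tempfile

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so images larger than RAM can be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(path, acquisition_hash):
    """Compare the current hash of the image with the one recorded at acquisition."""
    computed = sha256_of_file(path)
    return computed == acquisition_hash.lower(), computed

def prepare_and_extract(path, acquisition_hash, block_size=4):
    """Gate extraction on integrity; returns (blocks, log), blocks is None on failure."""
    ok, computed = verify_image(path, acquisition_hash)
    log = [f"verify sha256 expected={acquisition_hash} computed={computed} ok={ok}"]
    if not ok:
        log.append("extraction halted: image integrity check failed")
        return None, log
    with open(path, "rb") as f:
        data = f.read()
    # Stand-in extraction: carve the image into blocks and hash each one so that
    # items handed to the identification phase can be re-verified individually.
    blocks = {i: hashlib.sha256(data[i:i + block_size]).hexdigest()
              for i in range(0, len(data), block_size)}
    log.append(f"extraction complete: {len(blocks)} blocks hashed")
    return blocks, log

def demo():
    """Constructed scenario: acquire, verify, extract; then tamper and re-verify."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"CONSTRUCTED-IMAGE-0001")   # stand-in for a raw acquisition
        acquisition_hash = sha256_of_file(path)  # recorded when the image was made
        good_blocks, good_log = prepare_and_extract(path, acquisition_hash)
        with open(path, "r+b") as f:             # simulate a single altered byte
            f.seek(0)
            f.write(b"X")
        bad_blocks, bad_log = prepare_and_extract(path, acquisition_hash)
        return good_blocks, good_log, bad_blocks, bad_log
    finally:
        os.remove(path)
```

Running demo() shows the first pass hashing six blocks and the second pass stopping at the verification step.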
The identification process refers to the rigorous identification of the forensic evidence in terms of the extracted data list. However, if the forensic examiner encounters incriminating items of evidence which are outside the original search warrant, the recommendation is that activity is halted and the authorities notified (Carroll et al.). An example given is: "law enforcement might seize a computer for evidence of tax fraud, but the examiner may find an image of child pornography" (Carroll et al.). This is an important aspect, as it indicates that this methodology is extremely flexible and takes into account context and content outside the initially prescribed parameters.
The analysis phase is all-important to the forensic process. In this phase, "...examiners connect all the dots and paint a complete picture for the requester" (Carroll et al.). Part of this process is the correlating of relevant data with questions such as what the original was, and other relevant questions that provide insight into the investigation. This phase of the methodology has been critiqued as being "...improperly defined and ambiguous" (Shin, 2011).
3. Comparisons and Evaluations
Carrier's model or methodology pays considerable attention to data integrity. This is evident, for instance, in the correlation process, where data is correlated with various outside sources in order to prevent forgery or inaccurate forensic data.
If we compare these two methodologies in terms of headings such as evidence integrity, management of lead information and evidential context, we find that Carrier's methodology is useful from a number of perspectives. Carrier places emphasis on the initial investigatory process and the identification and verification of data. As Carrier states in an article entitled Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers (2002), "As with any investigation, to find the truth one must identify data that: Verifies existing data and theories (Inculpatory Evidence), Contradicts existing data and theories (Exculpatory Evidence)" (Carrier, 2002). This focuses on identification and analysis in this methodological model.
The United States Department of Justice's digital forensic analysis methodology is more broadly designed, seems to be more focused on procedural details and protocols, and also tends to be more meticulous in terms of guidelines. This is evident to some degree in the preparation and extraction phase of the methodology. It could be argued that this methodology is therefore more effective and integrated in terms of the management of information.
Another important difference that is evident in the literature on this methodology is that, it could be argued, the USDOJ digital forensic analysis methodology tends to be more concerned with context. This is clear if we compare the identification process and the attention given to the extracted data list and to any other leads that may surface in the process of identification, in comparison to the extraction list. For example:
"Depending on the stage of a case, extracted and identified relevant data may give the requester enough information to move the case forward, and examiners may not need to do further work. For example, in a child pornography case, if an examiner recovers an overwhelming number of child pornography images organized in user..."
This also refers to aspects of both methodologies that have been discussed. In summation, however, it should also be pointed out that both these methodologies adequately cover the field of computer and digital forensics, and that both provide useful frameworks for data collection, data integrity, analysis and legal considerations.
We could suggest that Carrier's methodology and model tend to lean more towards the investigative and computer-oriented aspects of digital forensics, while the forensic model provided by the United States Department of Justice is more inclusive and also seems more deeply concerned with procedural process and patterns and the important aspect of context. Another suggestion is that the United States Department of Justice's methodology would be more expensive and time-consuming to implement because of its extensive protocols and detailed procedures.
While both these methodologies may have shortcomings, they can be seen as part of the natural evolution towards a more comprehensive set of methods and parameters for contemporary digital forensic investigation and analysis. One should also take into account that a number of newer models and methodologies have emerged which attempt to provide a more inclusive and comprehensive coverage of the different variables. Shin (2011), for example, discusses a more comprehensive methodology. This proposed model contains the following phases.
A readiness phase; consulting with a profiler; cyber crime classification; investigation priority decision; damaged cyber crime scene investigation; analysis by a crime profiler; suspect tracking; cyber crime logical reconstruction; and report writing (Shin, 2011).
In the final analysis, while there may be more comprehensive emerging methodologies, those put forward by Carrier and the United States Department of Justice should be seen as valuable contributions to the advancement and evolution of forensic methods of investigation and legal procedure.
Carrier B. (2002). Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers. Retrieved from http://www.digital-evidence.org/papers/opensrc_legal.pdf
This study discusses the link between digital forensic analysis tools and their use in a legal setting. The article provides insight into the necessary methodologies used to meet evidentiary and legal demands.
DIGITAL FORENSIC ANALYSIS METHODOLOGY. Retrieved from http://www.cybercrime.gov/forensics_chart.pdf
This is a very useful chart of the digital forensic analysis methodology employed by the United States Department of Justice (USDOJ). The graphic explanation is fairly comprehensive and detailed.
Carrier B. (2002). Open Source Digital Forensics Tools: The Legal Argument. Retrieved from http://www.digital-evidence.org/papers/opensrc_legal.pdf
This is a useful article for a number of reasons. The first is that it sheds light on the thinking behind Carrier's methodological process. Secondly, it discusses the issue of effectiveness and reliability in digital forensic investigations and the possibility of legal challenges to this aspect of reliability.
Carrier B. (2005). File System Forensic Analysis. Retrieved from http://dubeiko.com/development/FileSystems/BOOKS/FileSystemAnalysis.pdf
This is a comprehensive and detailed study on the subject. This work also has a comprehensive introduction and overview section, which sheds light on the topic under discussion. The first section on Digital Investigation Foundations was especially useful as background to the understanding of the methodological procedures involved. This section also outlines the digital crime investigation process.
Carrier B. (2006). Basic Digital Forensic Investigation Concepts. Retrieved from http://www.digital-evidence.org/di_basics.html
This study is a short but insightful look at the forensic investigative process by Carrier. The article refers to certain fundamental views and concepts that underlie his digital forensic methodology.
Cohen F. Fundamentals of Digital Forensic Evidence. Retrieved from http://all.net/ForensicsPapers/HandbookOfCIS.pdf
This study provides an excellent introduction to the subject and is useful as a general resource in terms of the legal aspects of digital forensics. The Introduction and overview are especially extensive and useful as a fundamental resource. The section entitled The Legal Context provides a concise but thorough overview of the various processes as well as legal limitations.
Carroll O. et al. (2008). Computer Forensics: Digital Forensic Analysis Methodology. United States Attorneys' Bulletin. Retrieved from http://www.justice.gov/usao/eousa/foia_reading_room/usab5601.pdf
This is a succinct but thorough comparison of digital forensic methodologies. The section entitled Overview of the Digital Forensics Analysis Methodology provides some useful insights which contributed to the subject of this paper.
Forensic Examination of Digital Evidence: A Guide for Law Enforcement (2004). Retrieved from http://www.nij.gov/pubs-sum/199408.htm
This article provides an extensive guide to the responsible use…