Incident Response (24 hours): (915) 544-2034 or (888) 544-2034
Digital Forensic Services
- Law Enforcement
- Government
- Private Sector
The word forensic means for use in court or pertaining to a trial. In common usage it has come to represent the investigative process of collecting evidence for court. When applied to computers and technology, forensics has come to mean the process of recovering data or other evidence from a digital device in such a way that it would be admissible in court. While some of the work we do is not truly forensic, as it won't be used in court, we apply the same high standards used in our forensic examination process to our data recovery and incident response work.
The process of a digital forensic examination has five basic steps: defining the scope and goals, defining the work and materials, acquiring images of the devices to be examined, performing the forensic analysis, and preparing the report. These steps are described in a general way below. No two forensic projects are exactly alike, so the exact process may vary from one engagement to another.
The first step in the digital forensics process is to gather as much information about the project as possible, and there are several critical questions to be answered. What are the specific goals of this forensic examination? Which devices or media are to be examined? Will the imaging of the devices be performed in the lab or in the field? Have the proper steps been taken to ensure the legality of the examination? What other information is known about the situation? Who is authorized to receive the results of the examination? The answers to these and other questions are used to define the nature and scope of the work to be performed, and to estimate the cost of the project.
The next step in the process is to develop a work plan. The work to be performed is prioritized to reflect the requirements of the project and the work most likely to create results. Some steps, such as imaging a large number of devices, may be prioritized so the most important devices are imaged first. A checklist is produced so that performance of all steps can be verified. As the work is actually performed the schedule or checklist may be updated based on early results. Another part of the work plan is to anticipate any materials that may be needed, such as prepared hard drives or special equipment.
The third step is the acquisition of a forensically sound, verifiable image of each computer, drive, server or other device. This is done using hardware write blockers appropriate to the device, forensically sound software tools, and established acquisition procedures. In cases where write blocking is not possible, care is taken to minimize the impact of the imaging procedure on the original device.
Once the first device image is completed the forensic analysis process can begin. The analysis, always performed on the image and never on the original device, attempts to gather information and answer the questions indicated when the goals of the project were defined. This step is where data is recovered, evidence of activity is collected, and pieces of the overall puzzle are put together. Analysis results are often used to refine the scope and goals of the overall project, or to stimulate and support further examination.
The final step in the digital forensic process is the post-analysis report, which details the results of all the preceding steps. This report can consist of several parts, including a summary of the results, recovered data on CD or other media, hardcopy or digital text of email or chat conversations, and details of the conclusions indicated in the summary. The engagement log(s) indicating each step taken during the process and documenting chain of custody are included as part of the final work product. This step may also include deposition or court testimony to support the results as part of a court proceeding.
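The acquisition and reporting steps above turn on two things: an image that can be proven identical to the source, and an engagement log that records who did what and when. The following Python example is added here to illustrate those two ideas; it is not NTC Forensics' code or tooling. It acquires a constructed sample "device" (an ordinary file standing in for a drive), hashes the source before and after copying and the image afterwards, re-verifies the image later, and appends every step to a simple chain-of-custody log. The examiner name and file names are placeholders, and opening the source read-only is only a software analogue of the hardware write blocker the page describes, not a replacement for it.

```python
"""Added example (not the page's own code): acquire a verifiable image of a
constructed sample device, hash source and image, and keep an engagement log
that records each step for chain of custody."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large devices never sit in RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class EngagementLog:
    """Append-only record of acquisition steps: who, when, what, and hashes."""

    def __init__(self, examiner):
        self.examiner = examiner  # placeholder identity, assumed by this example
        self.entries = []

    def record(self, action, **details):
        entry = {"time": datetime.now(timezone.utc).isoformat(),
                 "examiner": self.examiner, "action": action, **details}
        self.entries.append(entry)
        return entry

    def dump(self):
        return json.dumps(self.entries, indent=2)


def acquire_image(source, image, log):
    """Copy the source byte-for-byte to an image file.

    The source is opened read-only (a software stand-in for a hardware write
    blocker, not a substitute for one) and hashed before and after the copy so
    the log shows it was not altered; the image hash must equal both."""
    pre_hash = sha256_file(source)
    log.record("source hashed before acquisition", source=source, sha256=pre_hash)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    image_hash = sha256_file(image)
    post_hash = sha256_file(source)
    verified = pre_hash == image_hash == post_hash
    log.record("image acquired", image=image, sha256=image_hash,
               source_sha256_after=post_hash, verified=verified)
    return {"source_sha256": pre_hash, "image_sha256": image_hash, "verified": verified}


def verify_image(image, expected_sha256, log=None):
    """Re-hash an image later (before analysis, or for court) and compare."""
    ok = sha256_file(image) == expected_sha256
    if log is not None:
        log.record("image re-verified", image=image, match=ok)
    return ok


def demo():
    """Run the workflow on a constructed sample device in a temp directory.

    Returns (acquisition verified, later re-verification ok,
             re-verification after tampering ok, number of log entries)."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "sample_device.bin")  # constructed stand-in for a drive
        image = os.path.join(d, "sample_device.dd")
        with open(device, "wb") as f:
            f.write(b"MBR" + os.urandom(4096) + b"deleted email fragment")
        log = EngagementLog(examiner="examiner-placeholder")
        result = acquire_image(device, image, log)
        still_ok = verify_image(image, result["image_sha256"], log)
        # Alter one byte of the image to show that re-verification catches it
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        tampered_ok = verify_image(image, result["image_sha256"], log)
        return result["verified"], still_ok, tampered_ok, len(log.entries)


if __name__ == "__main__":
    print(demo())  # prints (True, True, False, 4)
```

In practice the log would be written to durable storage alongside the image and signed or hashed itself, and the hash values would be carried into the final report so that anyone re-examining the image can repeat the `verify_image` check independently.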
The goals, environment, work flow and costs of each project are different, and can only be determined at the time the engagement occurs. The basic process of a digital forensic exam remains the same. NTC Forensics can provide you a free initial evaluation of your situation and help you determine the proper course of action. We can be contacted at (915) 544-2034.