Expert Witness & Digital Forensic Services
Site Contents: © Peter Sommer, 2012. Not to be reproduced without permission

PO Box 6447  London N4 4RX UK

This is a very brief primer for lawyers, to familiarise themselves with the basics of the forensic handling of computers and associated data media and to help them understand the terminology.

Procedures are defined by the ACPO Good Practice Guide for Computer-based Electronic Evidence.

Computers are seized. If the computer is switched off, all well and good; if it is running, the Good Practice Guide sets out the advice and procedures for dealing with it. The computer (and data media) is "bagged and tagged" and from thereon in there should be full continuity records and statements covering everyone who has handled it.

The computer is passed to a technician who creates a "forensic disk image": a complete copy of the contents of the hard-disk(s) or other media, including deleted material and unallocated space, not merely the files visible to the user. Usually the hard-disk to be imaged is connected to the imaging computer through a "write blocker", a device which physically prevents anything being written to the disk and so avoids contamination. There are two common arrangements: either the hard-disk is removed from the original computer and attached (via the write blocker) to an examining computer; or the original computer is started up from a CD containing special forensic software which does not "touch" (mount or write to) its own hard-disk, and is connected to the examiner's machine by a special "cross-over" network cable over which the image is transferred. Imaging software products used for this purpose include EnCase and AccessData FTK Imager. "Open source" tools (the Unix utility dd, for instance) produce what is referred to as a "raw" or dd image, a plain byte-for-byte copy with nothing wrapped around it. The proprietary products create compressed images which are just as accurate but smaller and easier to handle, and which carry their verification data inside the image file. The most popular image format, and the one most likely to be encountered by criminal defence solicitors, is EnCase's.

Experts hired by the defence will want a copy of all relevant forensic disk images in order to carry out their instructions, and also copies of the witness statements describing what the prosecution technicians have done and when.

Forensic images have integrity checks built in: hash values (mathematical fingerprints of the entire contents) are computed at the time of imaging and recorded with the image, and anyone handed a copy can recompute them and confirm that not a single byte has changed. A defence expert will also want to check that the latest dates and times recorded on the forensic image (the most recent file activity) are consistent with the continuity statements, so that nothing appears to have happened to the disk after it was seized. Only in very rare circumstances will a defence expert need access to the original seized computer disk(s).
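The integrity check just described can be shown concretely. The following is an added example written for this primer, not code from EnCase, FTK Imager or any other product named here, and the "seized disk" it images is a constructed file of eight sectors, not real evidence. It acquires a raw dd-style image while hashing the stream as it is read (MD5 and SHA-1, the two hashes the common imaging tools record), then re-hashes the copy the way a defence expert would and shows that altering one byte of the copy is caught. The hardware write-blocker is assumed to sit between the disk and the imaging computer; the read-only open here is no substitute for it.

```python
"""Added example: raw (dd-style) acquisition with hash verification."""
import hashlib
import os
import tempfile

SECTOR = 512            # logical sector size assumed throughout
CHUNK = 64 * SECTOR     # read granularity; any multiple of SECTOR works


def acquire_raw_image(device_path, image_path):
    """Copy every byte of device_path to image_path (a raw, uncompressed image)
    and hash the stream as it is read, so the recorded hashes are of exactly
    what was acquired.  The source is opened read-only, but on a real job it
    is the hardware write-blocker, not this flag, that guarantees nothing is
    written back to the original."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    total = 0
    with open(device_path, "rb") as src, open(image_path, "wb") as dst:
        for buf in iter(lambda: src.read(CHUNK), b""):
            dst.write(buf)
            md5.update(buf)
            sha1.update(buf)
            total += len(buf)
    return {"bytes": total, "sectors": total // SECTOR,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_image(image_path):
    """Re-read an image from start to finish and return (md5, sha1)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(image_path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            md5.update(buf)
            sha1.update(buf)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(image_path, acquisition_record):
    """The check repeated on the copy supplied to the defence: re-hash the
    whole image and compare with the hashes in the acquisition statement."""
    md5, sha1 = hash_image(image_path)
    ok = md5 == acquisition_record["md5"] and sha1 == acquisition_record["sha1"]
    return ok, {"md5": md5, "sha1": sha1}


def make_sample_device(path, sectors=8):
    """Constructed stand-in for a seized disk (not real evidence): eight
    sectors, a boot signature in sector 0 and a scrap of text in sector 5."""
    disk = bytearray(sectors * SECTOR)
    disk[510:512] = b"\x55\xAA"
    note = b"Meeting notes: transfer the funds on Friday"
    disk[5 * SECTOR:5 * SECTOR + len(note)] = note
    with open(path, "wb") as f:
        f.write(bytes(disk))


def demo():
    """Image the sample device, verify the copy, then alter one byte of the
    copy (the kind of contamination a write-blocker prevents on the original)
    and show that the re-hash catches it."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "sdb")
    image = os.path.join(workdir, "sdb.dd")
    make_sample_device(device)
    record = acquire_raw_image(device, image)
    ok_before, _ = verify_image(image, record)
    with open(image, "r+b") as f:
        f.seek(5 * SECTOR)
        f.write(b"X")
    ok_after, _ = verify_image(image, record)
    return {"record": record, "verify_ok": ok_before,
            "verify_after_tamper": ok_after}


if __name__ == "__main__":
    print(demo())
```

The point for a lawyer is the second verification: the hashes in the acquisition statement were computed over the original disk, so a match on the copy supplied to the defence is evidence that the copy is the same thing the prosecution examined, and a mismatch means the image, the statement, or both need explaining before any findings are relied on.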

Both prosecution and defence experts conduct their examinations on the forensic copies, not on the originals.

One use of the forensic disk image is to create a clone of the original hard-disk by writing the image back to another hard-disk (or other medium) of the same size. But this technique is used very rarely, because as soon as the clone is started up and examined it changes (an operating system writes to its own disk continually) and it ceases to be a faithful copy. The major computer forensics analysis tools, EnCase, AccessData FTK and X-Ways Forensics, allow direct analysis of the disk image without writing it back to a disk at all. There are equivalent tools for Apple Mac OS X. The investigating technician can ask for a variety of displays, some of them similar to Windows Explorer, others rather more sophisticated. One very useful technique is the ability to build chronologies of activity from the dates and times recorded against files and other items. Emails are often held in a single database file on the computer rather than as individual messages, but the analysis software is able to present them for easy reading. Files of interest can be "exported" for further examination or exhibiting.

The tools can, among other things, carry out various forms of recovery of deleted material, analyse files and file fragments in their "raw" state, and carry out complex searches for "keywords" across the entire hard-disk, including parts normally hidden from the ordinary user, for example the System Registry and Restore Points.

Additional specialist tools may be used to examine Internet browsing activity (NetAnalysis) or, for example, where file-sharing may have been used.

Files to be referred to in evidence (or in Particulars) should usually be identified by means of their "full path" name, e.g. C:\Documents and Settings\Username\My Documents\My Downloads\interesting file.doc. This works for extant and easily recovered files; file fragments, which no longer have a name or a place in the directory structure, normally have to be identified by their "absolute sector" location on the disk, that is the sector number counted from the very start of the disk, which does not depend on any file system being intact.
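A keyword search of the kind described above, and the two ways of citing what it finds, can be illustrated together. This is an added example written for this primer, not the search code of EnCase, FTK or X-Ways, and the sixteen-sector image it scans and the one-file "allocation map" it consults are both constructed for the demonstration (the full path is the one used as an example above). The search reads the whole image in chunks, looking for the keyword both as plain ASCII and as the two-bytes-per-character UTF-16LE form Windows uses for much of its text, with an overlap between chunks so that a hit straddling a chunk boundary is not missed. Each hit is then reported by full path if the sector belongs to an extant file, and otherwise by absolute sector and byte offset within it.

```python
"""Added example: keyword search over a raw image, hits cited by path or sector."""
import os
import tempfile

SECTOR = 512   # absolute sector = byte offset // SECTOR, counted from the disk start


def search_image(image_path, keyword, chunk_sectors=1024):
    """Scan every byte of a raw image for `keyword`, encoded both as ASCII and as
    UTF-16LE.  Reads in chunks with an overlap of (longest needle - 1) bytes so a
    hit that straddles a chunk boundary is still found, and skips any hit that
    lies wholly in the overlap because the previous chunk already reported it.
    Returns a sorted list of (absolute_byte_offset, encoding)."""
    needles = {"ascii": keyword.encode("ascii"),
               "utf-16le": keyword.encode("utf-16-le")}
    overlap = max(len(n) for n in needles.values()) - 1
    hits = []
    with open(image_path, "rb") as f:
        base, tail = 0, b""
        while True:
            buf = f.read(chunk_sectors * SECTOR)
            if not buf:
                break
            window = tail + buf
            window_base = base - len(tail)
            for enc, needle in needles.items():
                pos = window.find(needle)
                while pos != -1:
                    if pos + len(needle) > len(tail):   # not already reported
                        hits.append((window_base + pos, enc))
                    pos = window.find(needle, pos + 1)
            tail = window[-overlap:] if overlap else b""
            base += len(buf)
    return sorted(hits)


def describe_hit(offset, allocation):
    """Cite a hit as an exhibit would: by full path when the sector is allocated
    to an extant file, otherwise by absolute sector, because a fragment has no
    name.  `allocation` maps path -> (first_sector, last_sector); it stands in
    for the file system's own record of which sectors each file occupies."""
    sector, within = divmod(offset, SECTOR)
    for path, (first, last) in allocation.items():
        if first <= sector <= last:
            return f"{path} (absolute sector {sector}, +{within} bytes)"
    return f"unallocated fragment at absolute sector {sector}, +{within} bytes"


def make_sample_image(path, sectors=16):
    """Constructed 16-sector image (not real evidence): the keyword in ASCII
    twice inside the extant file (the second copy crossing the 2 KiB chunk edge
    used in demo()), and once in UTF-16LE in sectors no file owns, placed so it
    runs over a sector boundary."""
    disk = bytearray(sectors * SECTOR)
    word = b"transfer"
    disk[1636:1636 + len(word)] = word           # sector 3, +100 bytes
    disk[2044:2044 + len(word)] = word           # sector 3, +508 bytes, crosses offset 2048
    wide = "transfer".encode("utf-16-le")        # 16 bytes
    disk[5108:5108 + len(wide)] = wide           # sector 9, +500 bytes, spills into sector 10
    with open(path, "wb") as f:
        f.write(bytes(disk))


def demo():
    """Search the sample image with deliberately small (2 KiB) chunks and return
    [(offset, encoding, citation)] for each hit."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "seized.dd")
    make_sample_image(image)
    allocation = {r"C:\Documents and Settings\Username\My Documents"
                  r"\My Downloads\interesting file.doc": (3, 4)}
    hits = search_image(image, "transfer", chunk_sectors=4)
    return [(off, enc, describe_hit(off, allocation)) for off, enc in hits]


if __name__ == "__main__":
    for off, enc, cite in demo():
        print(f"{off:>8}  {enc:<9} {cite}")
```

Two caveats a practitioner would add. A byte-level search like this finds text only where it is stored as text: words inside compressed or encrypted containers (a .docx or a zip, for instance) are found only after the analysis tool has opened them, which is one reason the commercial products do considerably more than this. And "absolute sector" assumes a known sector size; the disk geometry should be recorded in the acquisition statement so that a sector number cited by one expert means the same place on the disk to the other.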

If it is desired to "see what the user of the computer saw", a useful technique is virtualisation, where the computer to be examined is made to "run" safely in a window on another computer, working from a copy of the forensic image so that the image itself is not altered.

As a prelude to full imaging, some law enforcement examiners use facilities built into the popular products to "preview" computers of concern. The "target" computer and the examiner's computer are connected over a network cable; very soon thereafter the contents of the target can be examined to see if there is anything of interest, at which point a full image can be made. This approach is becoming important as the quantities of computer material to be examined increase and some form of triage becomes necessary.

The most basic type of instruction given to a defence expert is "due diligence": in essence, to verify the procedures and findings of the prosecution's experts and any inferences drawn from them. Time can be saved at trial where agreement on procedures and exhibits can be achieved, even if different inferences may then be drawn from them.