Digital Forensics Process—Identification

By Rene Novoa, Senior Manager of eDiscovery and Digital Forensics

Forensic Process: Identification

This article is part of a series that delves into each step of the digital forensic process. If you missed the introduction to the series, which provides a synopsis of the process as a whole, you can click here.

Identification is an extremely important first step in the forensic examination process. It directly impacts efforts to develop a plan of action and ultimately the success of the project. It also allows the customer to control cost.

Identification

Before any digital forensic examination begins, the scope of actions must be identified. Who are the key players and custodians? What are the best sources of potential electronic evidence that will need to be accessed for collection? This information is needed for many reasons, including:

  1. So that no essential evidence is missed that might affect a case
  2. So costs can be estimated in advance and the scope of the case can be adjusted to fit actual needs
  3. So potential sources of evidence identified later will have smaller impact in cost increases

Interview

Conducting interviews is a very important early step in a successful digital forensic examination. When determining relevant devices from which to collect data for a case, these individuals must be interviewed at a minimum:

  1. Custodians
  2. Site administrators
  3. Users—when available

Identify

Look at the range of variables and determine what factors are at play in the case, including:

  1. To what extent does legal authority exist to make a search?
  2. Is there an administrator who can identify devices and custodians?
  3. How many and what type of devices may be involved?
  4. Are any peripheral devices involved, such as flash drives, printers, scanners or memory cards?
  5. What types of electronically stored information (ESI) are potentially involved? It could be photographs, documents, spreadsheets, emails, text messages, databases and many other types of ESI.
  6. How was ESI communicated and who was communicating? We may be looking for email addresses, text numbers, IP addresses and other similar information.
  7. Has information been stored in an offsite location? On backup media? In the cloud? In remote locations?
  8. Are there devices involved that have potential remote login capabilities?
  9. What different operating systems may be involved?
  10. Do any devices require continuous electric power to operate?
  11. Other variables?

Document

  • Interviews, including:
    • Names and titles of interviewees
    • The number and types of primary and peripheral devices to be included in the collection and search
  • Any locations from which peripheral devices may have been removed or where they were found
  • Whether or not any kind of network is present
  • File types involved
  • Any off-site storage that is used
  • What different types of software are present, including any proprietary software

Revise if Necessary

If it is determined that additional electronic evidence (not included in the original plan) needs to be gathered, it’s important to determine if there is a need for a legal warrant, amended consent form or any other changes to the original scope of work.

Measure Twice, Cut Once

Digital evidence needs to be thoroughly assessed with respect to the scope of the case. The scope of a forensic examination cannot include “everything.” At least, not unless there is unlimited time and budget involved.

It is important to spend time at the very beginning to more accurately determine the true scope of the examination, narrow down what digital evidence is needed for a case and where to find it. Otherwise, costs will grow and grow as the investigation moves forward, as will the amount of time required for the investigation.

Taking the extra time and attention to accurately determine necessary devices and custodians prior to proceeding with the next steps in the forensic process will dramatically impact the investigation as a whole and, therefore the outcome of the case.

Stay tuned for your lesson in preservation and collection!