GLOBAL GUIDELINES FOR DIGITAL FORENSICS LABORATORIES

May 2019 INTERPOL For official use only INTERPOL Global guidelines for digital forensics laboratories

These Guidelines were prepared by the Digital Forensics Laboratory at the INTERPOL Global Complex for Innovation.

Any inquiries can be directed to:

INTERPOL Global Complex for Innovation 18 Napier Road Singapore 258510

E-mail: [email protected] Tel: +6565503462

© INTERPOL Global Complex for Innovation, 2019

Page 2/78

INTERPOL Global guidelines for digital forensics laboratories

FOREWORD BY THE SECRETARY GENERAL INTERPOL GLOBAL GUIDELINES FOR DIGITAL FORENSICS LABORATORIES

In today’s complex international security environment, investigations more often require highly specialized and technical expertise.

To better address these challenges, one of the policing capabilities that INTERPOL focuses on is digital forensics, a rapidly changing discipline which requires robust policies and procedures.

An increasing number of connected devices – smartphones, watches, GPS – can store meaningful information which could potentially become pieces of digital evidence.

To meet this growing challenge, through our Innovation Centre’s Digital Forensics Lab (DFL), INTERPOL is assisting member countries build national digital forensic capacity and develop e- evidence management processes to better support investigations and prosecutions.

As a neutral, global platform for law enforcement cooperation, INTERPOL continues its work to encourage and enhance communication and best practice development among our member countries.

This was one of the driving forces behind the creation of the INTERPOL Global Guidelines for Digital Forensics Laboratories which outlines the key principles and processes which are essential for practitioners.

These guidelines are also part of our ongoing commitment to make both the physical and virtual worlds, a safer place and I would like to thank everyone who contributed towards their development.

Jürgen Stock

INTERPOL Secretary General

Page 3/78

ITL lobal guidelines for digital forensics laboratories

A LETTER FROM THE DIRECTOR OF THE INTERPOL INNOVATION CENTRE

The dynamic history of digital forensics shows its strong interconnectivity with innovation The rapidly evolving nature of digital space and technologies means that an enormous amount of digital traces and data can be produced in the blin of an eye Continuous innovation in the field of digital forensics is a necessity, if not an obligation, for law enforcement

n a global level, many preexisting crimes are developing into a significant global threat by taing advantage of advances in technology and the borderless nature of our interconnected world Further to this, we are witnessing unprecedented types of criminal activities suddenly appearing on the radar of law enforcement These developments are adding another layer of complexity to the challenge

gainst this bacdrop, ITL created its Innovation Centre in ingapore in with a view to fostering innovation in global law enforcement The Digital Forensics Lab (DFL) within the Innovation Centre has been leading the effort to enhance digital forensics capabilities in the member countries I truly believe that the wor of digital forensics laboratories is a crucial part of policing, particularly in combating digital crimes Indeed, digital forensics specialists are obliged to constantly learn and to develop their expertise especially in the context of the emergence of mart Citieshomes, connected cars, drones, mobile networs and cloud platforms

To this end, the DFL has been organiing Digital Forensics xpert roup eetings annually in recent years, bringing together forensics experts in law enforcement, industry and academia to share information, nowledge and best practices aintaining this global networ of experts in digital forensics has been tremendously rewarding and useful in serving our member countries more effectively uilding on the active exchanges at the xpert roup meetings, I am pleased to present the ITL lobal uidelines for Digital Forensics Laboratories

The uidelines aim to provide a universal framewor for establishing and managing a digital forensics laboratory that is applicable anywhere in the world It will also hopefully contribute to closing the gap between member countries in terms of their digital forensics practices and capacity In the hope of creating momentum for the digital forensics field to become a very solid and important area of policing, the ITL Innovation Centre will be at the forefront of instilling innovative spirit in the activities of digital forensics laboratories in the member countries with the aim of contributing to overcoming the complex global security challenges

nita aenberg

Director, ITL Innovation Centre

age

ITL lobal guidelines for digital forensics laboratories

ACKNOWLEDGMENT

any parties have been involved in constructing the ITL uidelines for Digital Forensics

First and foremost, ITL would lie to than the Council of Europe for sharing the ‘Basic Guide for the Management and Procedures of a Digital Forensics Laboratory’ document. The Council of Europe’s guide provided a strong foundation and has been used as a model for developing this document

In addition, ITL would lie to express sincere gratitude to Cyberecurity alaysia as the partner in maing these guidelines a reality Cyberecurity Malaysia’s expertise and experience in an accredited digital forensics laboratory has been invaluable in completing this document

Finally we want to than our colleagues from  I Cybercrime Department, Digital Forensics nit  – IT Forensi, Federal Criminal olice ()  IT Digital Forensic Departmenteneral Department of Criminal vidence of uwait,  I Technology Crime Forensics ranch Criminal Investigation Department ingapore olice Force (F)  I Computer Forensic ection, eneral Commissary of cientific olice (CC) of panish ational olice (C)  T ITD TT F IC Department of omeland ecurity, omeland ecurity Investigations whose valuable input has helped to improve the quality of this document and mae it a common effort to serve as a global reference for Law nforcement gencies worldwide

age

EPL Global guidelines for digital forensics laboratories

Title of Document: EPL Global guidelines for digital forensics laboratories Date of publication: May Original: English Available in: English

CONTENTS Page

1. INTRODUCTION ...... 11 1.1 Document purpose ...... 11 1.2 Intended audience ...... 11 1.3 Applying the document ...... 11 2. INTRODUCTION TO DIGITAL FORENSICS ...... 12 2.1 Digital forensics ...... 12 2.2 Understanding electronic evidence ...... 13 2.3 Principle of electronic evidence ...... 13 3. MANAGEMENT OF A DIGITAL FORENSICS LABORATORY ...... 14 3.1 Conducting a plan ...... 14 3.2 Premises ...... 15 3.2.1 Location ...... 15 3.2.2 Physical Security ...... 16 3.2.3 Size and Layout ...... 17 3.2.4 Facility ...... 19 3.2.5 Visitors ...... 20 3.3 Staff ...... 20 3.3.1 Recruitment ...... 21 3.3.2 Security Clearance ...... 21 3.3.3 Job Description ...... 21 3.3.4 Staff Development ...... 23 3.3.5 Mentoring ...... 24

Page

EPL Global guidelines for digital forensics laboratories

3.3.6 Health and Safety ...... 24 3.4 Equipment ...... 25 3.4.1 Software...... 25 3.4.2 Hardware ...... 26 3.4.3 Tools and accessories ...... 26 4. MANAGEMENT OF DIGITAL FORENSIC CASE ...... 27 4.1 Receiving a request ...... 27 4.2 Registering a case ...... 27 4.3 Registering an exhibit ...... 28 4.4 Photographing an exhibit ...... 28 4.5 Conducting analysis ...... 29 4.6 Returning the exhibit ...... 29 4.7 Closing the case ...... 29 5. LABORATORY ANALYSIS PROCEDURE ...... 29 5.1 Acquisition ...... 30 5.1.1 Overview ...... 30 5.1.2 Computer ...... 31 5.1.2.1 Types of Data Acquisition ...... 31 5.1.2.2 Write Blocker ...... 33 5.1.2.3 Imaging Tools ...... 33 5.1.2.4 Imaging Format ...... 33 5.1.2.5 Process Flow ...... 34 5.1.3 Mobile Devices ...... 34 5.1.3.1 Types of Data Extraction ...... 34 5.1.3.2 Extraction Tool ...... 36 5.1.3.3 Extraction File Format ...... 36 5.1.3.4 Process Flow ...... 37 5.2 Examination ...... 39 5.2.1 General ...... 39 5.2.2 Triage ...... 39 5.2.3 Methods for Computer Examination ...... 40 5.2.3.1 Examination on “Dead System” ...... 40 5.2.3.2 Examination on “Live System” ...... 41 5.2.3.3 Automated Processing ...... 41 5.2.3.4 Data Recovery ...... 42 5.2.3.5 Filtering ...... 42 5.2.4 Methods for Mobile Device Examination ...... 42 5.2.4.1 Automated Processing ...... 42 5.2.4.2 Filtering ...... 43

Page

EPL Global guidelines for digital forensics laboratories

5.3 Analysis ...... 43 5.3.1 Analysing Computer ...... 43 ateoies o diita taes oedes o dieent taes itaiation oess o andin mass data isaiation aids 5.3.2 Analysing Mobile Devices ...... 49 ateoies o diita taes oedes o dieent taes 5.4 Presentation ...... 52 5.4.1 Admissibility of Electronic Evidence ...... 52 5.4.2 Report Writing ...... 53 5.4.3 Expert Witness ...... 53 6. QUALITY ASSURANCE ...... 54 6.1 Quality assurance component ...... 54 6.2 DFL Accreditation ...... 56 7. SUMMARY ...... 57 APPENDIX A: DFL SKILLSET CHECKLIST ...... 58 APPENDIX B: CHECKLIST OF BASIC DFL EQUIPMENT ...... 60 APPENDIX ...... 61 APPENDIX D: SAMPLE OF EXHIBIT REGISTRATION FORM ...... 62 APPENDIX E: SAMPLE OF EXHIBIT SEALING ...... 63 APPENDIX F: DATA ACQUISITION WORKSHEET ...... 64 APPENDIX G: ACQUISITION PROCESS FLOW CHART ...... 68 APPENDIX H: COMPUTER EXAMINATION FLOW CHART ...... 69 APPENDIX I: PROCESS OF ANALYSING EXHIBIT’S ARTEFACTS ...... 70 APPENDIX J: COMMON REQUIREMENTS FOR FORENSIC REPORT ...... 71 APPENDIX K: ELECTRONIC EVIDENCE HANDLING ...... 72 APPENDIX L: INTERPOL DFL SERVICE REQUEST FORM ...... 73

List of Figures

Figure 1. Basic Floor Plan for DFL etup 18 Figure 2. Moderate ie Floor Plan for DFL etup 18 Figure 3. rganiation Chart for Basic etup of Digital Forensic Laboratory 21 Figure 4. Case Management Procedure 27 Figure 5. Digital Forensics Laboratory nalysis Model 30 Figure 6. Data cuisition Process on Computer 34 Figure 7. Data Extraction Process on Mobile Devices 37

Page

EPL Global guidelines for digital forensics laboratories

L T

T Consideration for electing DFL Location T Checlist for Physical ecurity T Common Facility in a DFL T Checlist for isitors T Description of oles and esponsibilities T Method for conducting acuisition Dead cuisition and Live cuisition T Method to solate etor T Mobile Device torage Media T Discoverable and undiscoverable traces from a computer T Method for isual ids T General Criteria for the dmissibility of Electronic Evidence T uality ssurance Components Checlist T Benefits of Lab ccreditation

Page

EPL Global guidelines for digital forensics laboratories

DEFINITIONS AND ABBREIATIONS

AFF dvanced Forensic Format DCO Device Configuration verlay DF Digital Forensic DFL Digital Forensics Laboratory EF Expert itness Format HPA ost Protected rea IDEN ntegrated Digital Enhanced etor IEI nternational Mobile Euipment dentity umber EID Mobile Euipment dentity umber PDP Personal Development Portfolio PDP RA andom ccess Memory SI ubscriber dentity Module SGDE cientific oring Group on Electronic evidence

REFERENCES

. Basic Guide for the Management and Procedures of a Digital Forensics Laboratory Council of Europe CE ersion . une

. cientific oring Group on Digital Evidence GDE https.sgde.org

. CP Good Practice Guide for Digital Evidence ssociation of Chief Police fficers version https.digitaldetective.netdigitalforensics documentsCPGoodPracticeGuideforDigitalEvidencev.pdf

Page

EPL Global guidelines for digital forensics laboratories

INTRODCTION

D

EPL Guidelines for Digital Forensics Laboratories outline the procedures for establishing and managing a Digital Forensics Laboratory DFL and provide technical guidelines for managing and processing electronic evidence.

hese Guidelines should be seen as a template document that can be used by countries hen considering developing their digital forensics capability. he advice given is intended to be used at both the strategic and tactical levels in accordance ith national legislation practice and procedures.

I

he document is intended for use by EPL member countries. he obective of these Guidelines is to ensure that electronic evidence produced by the DFL is admissible in member countries’ courts of la as ell as in the international criminal ustice systems.

he Guidelines focus mainly on to distinct groups the first is the digital forensics strategists and managers ho mae decisions for the DFL the second group includes the technical staff ho deal ith electronic evidence on a daytoday basis.

n addition prosecutors udges and layers ill also benefit from this document in understanding the digital forensics process hich may be vital for their cases.

A

he Guidelines are not intended to impose limits on the DFLs hich have to follo the reuirements of their national legal frameor. he advice given in these Guidelines is not intended to contradict ith any national legislation in any member country.

Page

o uieines or iit orensics ortories

INTRODCTION TO DIGITAL FORENSICS

D

iit orensics is rnc o orensic science tt ocuses on ientiin cuirin rocessin nsin n reortin on t store on couter iit eices or oter iit store ei

e couter iit eice or oter iit store sste ic os ue t or inestition is non s eectronic eience uc ees re tos srtones serers iit ieo recorers sstes rones sstes n e consoes

e in o o iit orensics is to etrct t ro te eectronic eience rocess te t into useu inortion n resent te inins or rosecution rocesses inoe tereore sou utiie soun orensic tecniues to ensure tt te inins re issie in court

e nture o te cses in ic iit eience is inoe is ener oreress n te oence ens in sit secon te inins erie ro eectronic eience ust tereore oo stnr set o uieines to ensure tt it is issie not on in a specific country’s court o ut so in te interntion criin ustice sste e uieines or iit orensics roie seine n reerence or te neent o iit orensics

e

oa uieines for iita forensics aoratories

ectronic eience unie any oter eience suc as fire air an unsot resiue is caenin to process ue to te fact tat a e ata can e scattere in seera pysica ocations soeties across countries e ata can e transferre across urisictiona orers effortessy an in a atter of secons c e ata are iy oatie – easiy atere oerritten aae or estroye y te sine stroe of a ey e ata can e copie itout eraation e e ifespan of eectronic eience unie any oter iscipine of forensic eience is sort efore it is renere useess n eape of tis is a sartpone after fie years it ay not e ae to sitc on or function propery

ase on tese facts terefore eectronic eience ust e processe an ane it ue care

P

en eain it eectronic eience te fooin principes ust e aere to

a ectronic eience ust e otaine in a ea anner

e taff inoe ust copete te appropriate trainin prorae prior to anin eectronic eience

c ny actions taen on te eectronic eience ust not cane its ata f it is necessary to access te oriina ata or cane te syste settin it is recoene tat ony copetent staff e ae to o so an tat staff ust e ae to ustify tose actions

ny action tat reuires te oriina ata to e accesse or cane sou e recore an itnesse y a feo practitioner if possie

e recor of a actions taen en anin eectronic eience ust e create an presere so tat tey can e auite n inepenent tir party sou e ae to repeat tose actions an aciee te sae resuts

ae

ANAGEENT OF A DIGITAL FORENSICS LABORATORY

–

C

DFL within its country’s criminal justice system.

    

. These are the “” costs

TL loal uielines or iital orensics laoratories

ees sta salaries sta trainin orensic euiment maintenance an the relacement o oice euiment.

nce this initial research has een conucte ecisionmaers shoul hae a etter iea aout the role an the sie o the DFL as well as the numer o sta reuire to roie an eectie resource or all staeholers. P hen selectin the remises to uil the DFL seeral actors nee to e consiere to ensure its success. The ollowin sections elain in etail the ossile success actors when choosin an eeloin a DFL. L eeral actors nee to e consiere when selectin the location o the DFL. ome concerns that nee to e aresse are

C S DFL L s there suicient electrical ower to run the reuire euiment oes aitional euiment nee to sulement the ower acilities installe acu enerators the la is aoe the roun loor is there a lit aailale to transort lare uantities o electronic eience

s the uilin or oice roust enouh to ensure the security o the ata an rotect the eole within re the walls loors an ceilins stron enouh to withstan hysical or enironmental amae hat is the ris rom loo ire natural isasters an ciil unrest s ue care ein taen to minimie the riss o incursion y a terrorist or criminal oraniation seein to amae inestiations s the uilin suitale to roie the coolin reuire or the amount o euiment to e house within the uilin or can coolin acilities e retroitte T onsierations or electin DFL Location

ae

TL loal uielines or iital orensics laoratories

P S The DFL nees not only to secure electronic eience ut also to ensure the security o the sta aluale sotware an harware. The checlist or hysical security is as ollows

C P S S The sureillance system is use to monitor the remises or unauthorie access an reains. nstallation roessionals shoul consier the est strateic lace as well as the est resolution to ensure maimum security. A

ccess control can e in the orm o hysical locs an eys electronic eyas swie cars anor iometrics eenin on the uet. F DFL must hae a ire etection system an ire suression system installe on the remises. The material use or the ire suression system must not cause amae to the ehiits euiment or ersonnel. hen reuire winows shoul e reinorce with ars an locs to reent reains. the DFL has lass winows an walls care shoul e taen that sensitie ata are rotecte rom iew. onsier usin a ireroo oor in a location such as a stairwell or corriors to rotect the remises rom ire. S uicient ower socets uses an reaers must e installe in the DFL to ensure smooth oeration an reent ower oerloas leain to ire haars an osin riss to the saety o the sta. A ntistatic loorin hels to reuce ossile electrostatic ischare D that may cause harm to emloyees euiment an eience.

R t is recommene that the DFL install a system to loc networ sinals or eamle usin a Faraay cae or a jammin eice. aio jammin system will loc any networ sinals an reent any intrusion into the ehiit. ith current wireless technoloy the ossiility eists or owereon smart hones or latos to automatically attemt to connect to eistin wireless networs hence moiyin their ata. ational leislation must e chece to eriy that the use o such systems is allowe an they o not interere with other systems. C S

t is common or a DFL to hae comuters to conuct wor eneratin a consierale amount o heat within the la. erheatin can lea to loss o ata an amae to harware. The DFL shoul install a coolin system to control its room temerature incluin the eience storae room an serer room.

ae

TL loal uielines or iital orensics laoratories

O D S B

lare amount o ata is store y the DFL once it is ully oerational an it can e sensitie in nature. The ata are usually store in a serer. t is est ractice or the ata to e ace u to an osite serer away rom the DFL. n the eent o a isaster where the DFL is aecte the osite storae can e use to ain access to imortant ata. ain an osite ata storae acu is art o a isaster recoery lan which ensures oerations can e u an runnin in minimal time. A D S L T D S ter analysis ata shoul e store such that they can e retriee at a later ate or the urose o urther juicial rocess or in liht o new eience or inins ertainin to the case. torae time shoul e aate to national leal reuirements.

T heclist or hysical ecurity

S L t a minimum a DFL must consist o esto tales or aminers to conuct analysis a lare tale or eience reistration laellin imain an sealin a ireroo cainet or electronic eience storae an a ilin cainet. This minimum setu is suicient or a smallscale DFL where small uantities o electronic eience are sumitte.

oweer or an aency that eals with a lare numer o electronic eience this minimum setu may e insuicient. t is recommene that the DFL sereate the seciic tyes o actiities to reent crosscontamination an loss o ehiits.

For eamle there must e an area or receiin eience. This can e one in the recetion where an aminer will iscuss case reuests an the euester an Technician will reister the sumitte eience.

The laoratory moile hone la or comuter la or eamle must e restricte to the DFL sta only. ach aminer will reuire a lare es or T euiment ilin cainets to hol their case iles an comortale chairs. n aition eronomic eyoars an ae mats can also roie more comort or eaminers.

the DFL reuires a serer – this may e store securely within the laoratory an i ossile in a searate room.

t is recommene to hae a esinate area or imain an rocessin. t shoul e searate rom the Examiner’s worstations an shoul ieally e close to the eience storae room to reuce the amount o manual hanlin.

The DFL may also consier hain a sace to conuct rieins or meetins as well as an aitional oice or the laoratory manaer.

n aition to the aoe areas eicate to the storae o noneiential euiment such as meia coiers meia rouction euiment rinters scanners iles roerty as tas eience laels storae meia oice euiment an ersonal elonins o sta shoul e consiere when selectin the most aroriate lace to locate a iital orensics laoratory.

ae

E a ieines r iia rensis araries

e iin r ie s e are en exan i ere is an aniiae inrease in eman r r an exisin s ae n i neessar reae r exan in a sr ime e exnenia inreases in ra is nsiera mre exensie reae r exan s i ma e eneiia rie rm r exansin in e iniia siness an e in is a sesin r a asi r an r a

F asi r an r e an aen eies ee a merae sie e in is a sesin r e r an

F r an r a meraesie se

ae

E a ieines r iia rensis araries

F ne e remises ae een seee an seri eares ae een insae e arar anaer nees in e aiiies e insae iin e

mmn aiiies insae in a are as s

C F DFL R e area r eierin an ein eerni eiene is es searae is area rm e as i an aess r is is reen narie aess e as E e rm is eiae srin eerni eiene n sme s is rm is as se sre e serer ess e rm ms e resrie erain sa n ernaie i ere are n a e exiis en a seeie sin is ae a sae x r irer aine sre a e eerni eiene insea ain a eiae srae rm E esinae area isseme asseme ae an imae e eerni eiene This area should be separated from the Examiner’s workstations and should e se e eiene srae rm ree e amn mana anin L eenin n e es ases reeie a an ae seera as sereae r ase n es eiene Exames ine a mer rensis a ie ne a i r ie a P n sme s sa s ae eir n es n aminisraie ass rie rers an reae resenain sies as are se se r anasis r ereas is ersna sae is se e sa r er neessar r rs B riein sae is ere Examiners an isss a ase an ere e manaerirer an a riein sessin a a ase e rm an e eier an en r se sae is ei e rm i a isa sreen an a iear aiiae isssin r resenains I I araries in e mmn ae eir n isae ner rm e organization’s network. This is to prevent malware and viruses from enterin e res e ner

rermre e ms ae nimie an niere nerne aess me ases reire Examiners aess re esies s e nee ae nerne aess i as r is is ner s e rie i seri an a minimm a asi inrsin eein an in ssem i s e mnire an mainaine eriia T mmn aiiies in a

ae

TE lobal guidelines for digital forensis laboratories

isitor aess to the must be restrited to prevent data leakage or an possible damage to the eletroni evidene. isitors an inlude maintenane workers staff from other agenies onsultants or people delivering the eletroni evidene.

The following table gives the basi heklist when reeiving visitors.

C R isitors must be registered using a form or via an online sstem before entering the premises. or a large group of visitors the aompaning staff must organize appropriate registration proesses noting the agen size of the group and purpose of the visit. ID P temporar pass ma be issued to the visitor espeiall for long visits. The pass must learl distinguish the visitor from the staff.

E isitors must be aompanied b staff at all times when on the premises. P lear signs or a poster on isitor oli must be displaed in the ommon area for visitors to read. ules suh as photographing eating and drinking touhing forensi euipment and eletroni evidene et. must be learl stated to visitors. nstrutions must be simple and eas to read for non English speakers. C lear signs should indiate that potentiall illegal and inappropriate images are being analsed and viewed within the . T heklist for isitor

S epending on the size of the laborator and the number of staff reuired the different funtions that are reuired must be onsidered. taff roles and responsibilities will need to be doumented. etailed ob desriptions should be prepared so that eah member of the team has a lear

age

TE lobal guidelines for digital forensis laboratories

understanding of hisher ob profile. here possible the struture of a should allow for staff areer advanement within the organization.

Experiene shows that highl ualified staff spend muh of their time undertaking mundane tasks below their level of expertise. ob profile and a learl set out areer path at the earl stage of the development will provide diretion for the organization’s planning and budget foreasting.

R taff emploed b the organization for work often depends on the tpe of ases and the total amount of eletroni evidene submitted to the . These staff ma ome from an eduational bakground but must have strong fundamentals and a high interest in the omputing field and urrent advanes in tehnolog.

tpiall onsists at a minimum of a ab anager and two Examiners. The Examiner works at the analsing the eletroni evidene and sometimes ma be reuired to go to the field site to ondut evidene preservation. f there is an inrease in ases and more forensi euipment is obtained it is often best for the to emplo a Tehniian. n dministrator ma also be emploed if the deals with numerous administrative tasks suh as managing various douments training visits and talks.

suggested organization hart at minimum level is as follows

F rganization hart for basi setup of igital orensi aborator

S C efore staff are hired it is advisable for andidates to undergo a bakground hek or seurit vetting. t a minimum the or the uman esoures epartment must ensure that a andidate has no riminal reord and has satisfatoril passed learane b the authorities. hile these learanes ma not alwas be ideal the at least provide an indiation of an serious riminal offenes in the past. t is ommon pratie for the uman esoures epartment or the manager to have aess to the vetting and the candidate’s personal reords prior to the interview proess or at least during the interview session. D ll staff must have a lear ob esription one the are emploed b the . Each individual’s roles and responsibilities in the must be explained in the ob esription. t a minimum the roles and responsibilities of eah staff member in the should be explained as follows

age

E lal uidelines diital ensics laaties

D R R L he aat anae ust have technical nlede and a stn undestandin leislative euieents electnic evidence cedues and cesses aat anae ust undestand the veachin inciles descied in this uideline

ehe ust have cntl ve the iinal set u and uildin vesiht cncenin the uchase hadae and stae the cedues and unctins

eshe is esnsile leadin the ecuitent tainin entin cunselin and uidance eved eled ithin the unit he aat anae is als esnsile decisin ain elated t individual cases includin hethe t accet eect a case as ell as the iit

E he Eaine ust have the elevant technical nlede and aiate ualiicatins deall heshe shuld have se tainin in the use stae

n ein hied the Eaine ill e euied t attend seciic tainin t tain a iniu set sills he Eaine ust have nlede leislatin and e aae the eleents each ence in de t aticulate thse acts hen investiatin dieent tes cies hese les euie an analtical and investiative indset he Eaine ust als e ale t delive hishe indins in a clea and undestandale anne theee havin d al and itten cunicatin sills is essential

T he echnician cnducts evidence cessin such as eistatin acuisitin and stae eendin n the sie the laat seveal technicians a e euied he echnician ust have stn technical sills in the cutin ield and technical nlede the vaius ethds ensicall acuiin diital data e sill euieent is attentin t detail and the ailit t cleal dcuent all actins cnducted n each ite evidence

he echnician is als esnsile aintainin ensic euient eshe needs t ensue that the hadae iae is udated and stae atches and udates ae installed hen eleased

he echnician is als esnsile handlin the evidence in the Evidence tae eshe needs t aintain ecds evidence as ell as chec in and chec ut ehiits in the tae

A a als el an dinistat t cnduct the laboratory’s adinistative tass eshe is esnsile anaeent dcuents tainin and tals eshe can als act as a liaisn ice intenal as ell as etenal staehldes he dinistat can als e esnsile handlin the uchase euient the laat

T escitin les and esnsiilities

ae

lobal ls or tal orss laborators

S D aat st sr tat sta ol t tass ar aatly a a t rt slls

raso or ts s tat ata ota ltro a b asly altr aa or stroy by a sl stro o a y so t sta st o o to al t ata tot aa t otr raso s tat t olty o r toay a a t lt to sor t rt ata tror t sta st o o to a trat t

A T sta a b rrt t s ortat to otally lo tr ablts to otat a rta t a stabls a aabl sta lot rora a sort ts s sol b t a to to tr orla ob srto st larly at tr rol a rsosblts a tr rort aar aar st ty a la or sta tra s a a t arorat arrats ay oos to s sta o tra orss or t a arra a ssso or sta to sao a lar ro ollas aor to a la tl or al all ars ll rr trally rt tra to ro t t t o to s t orss tools a t rblty to lr rlabl ort sst sllst tat ay b ll tr t tra s s aalabl at A: DFL S C

B P ats toloy rr t sta to b rlarly at t t rt ol a slls ato to t tra rora t sol osr a a roy ata rora as art o sta ol b rr to att sars o toloy ats att talrlat ts otosly ot ltro aalyss att rot ostratos or att rtra roras rora s ortat to sr tat ars’ skills ar to at t t rrt toloy a tat ty ar alays abl to ror tass

C P D P PDP o tly aa sta lot t ay osr ss a br o sta t a rsoal lot ortolo s ortolo sol ota a tra la tra rtat atta ror as ll as rors o lstos a t orla aars ay s s to st tarts or als a otor tr rora ro t to t

D R D A art ro t tra a roy ata aat st also st as so t or sta to rta rsar a lot atts sta sol alat tools a alatos o o to t art a tr tr s a or t to s t

E S R sol ta ot tat t ts tra rora as sta ly alabl or otr oraatos to r t tror rat t rat al o t a oy ll b st o sta tra a t s tal ty ar rta sally o ty bo or r o t rs o los sta t raato sol a a oo sta rtto rora la a robst rsoal lot las or

a

ll ilis iil sis lis

s ill i i sl is si i s ll s iis ii ii s i s ll ls lii sl l ki i is ii

li s i is i sssi i i i i i is ss i s is li s ’s work l is i s s ll s s ii i il i i i sssis l i s ill iiis s sl i i ls i sll ks l lsi isl ssss i li i i

H S is ssil si l s ll s isis isk ssss s ii iis i iss l ill l s s il s l i is i s ii k l s s is i is ssiili ll l s is

ss s k s isis s s s s illl isssi ils i is ssiili ii lli ssis isl i i s s

l s s i il l

● isi s is ss – isk si i iis ● ss – s ll s l i s i k li ll ls s s sil ls sl s i sss ● lilii – s s li is i i

o s or orss orors

● r s o r rsk o r sok ● r rkrs o r rsk o r sok or o

E

s ss o ors s rr o ro orr ors rss rwr or sowr or o sor or or oos ror o s s s r o sr s o ro orr rss

ro s or s B: C B DFL E

S k sowr rs s osr r r s s r s

os o s s ror s k oro s s o or ss r s s sr sowr o orr s rrs

o o sor sowr ors s rs s rs s sowr k sor r oors

o jurisdictions and standards require ‘dual tool verification’ ssr o rs o sowr orr o o rs orso ro

s so osr s s or s oro s ss w o s o ss s r’s name ors rss rs or s s r s oows

● rso r r o ● rr r ● s rr r ● Requester’s o s ● o r r ● s o s o w s ● rr or s rs ● ors – s s r s or s ● ss ross – o ro s s ● o ss o s w s Examiner’s name ● s o ssr os rs ● s o ss ● or o oo w sr s oro s or o sow o r ro o os r ss r rs os soo or r rorr o o ss

ER loal uidelines for diital forensics laoratories

H ardare must also e roerl maintained eriodicall for ic it is recommended to ave a sceduled lan and an equiment list

n imortant element for te to consider aart from te storae and acu of oerational data is te storae of te electronic evidence e tree tes of data tat te ma need to deal it are te oriinal evidence te forensic coies and te data enerated durin te analsis t is essential for te to ave a lare oerful and seed server due to te volume of data and electronic evidence onsideration must e iven to o tis is to e stored arcived and aced u strinent acu and arcive reimen sould e imlemented to offer resilience

list of asic equiment is availale at A B: C B DFL E

T ools and accessories suc as cales scredrivers and oer extensions are just as imortant as te softare and ardare in a ome or requires electronic devices to e disassemled and reassemled so te needs to ave access to oodqualit tools and accessories e folloin is a list of ossile items tat a ma need to erform datoda tass  oer extension  eads and adators  credrivers  oolit  amera video recorder  anetic taes  ommunication devices  torae ox or container for carrin equiment  orc  anifin lass  Evidence sealin or evidence as  amerroof sticers  ermanent marers  arada a

ae

ER loal uidelines for diital forensics laoratories

ANAGEENT OF DIGITAL FORENSIC CASE

e must estalis a case manaement rocedure efore startin to receive cases enerall tere are seven stes in manain a case as illustrated in te folloin fiure and furter exlained in te susequent sections rior to conductin a case te must ensure tat it is folloin and comlin it relevant leislation e anaer or Examiner must ensure tat leal ermission for rocessin te evidence exists trou arrants or official documents e aim of conductin or is to use evidence to rove or disrove disuted facts ence electronic evidence must e otained in comliance it te leislation t te end of te or it must e ensured tat te electronic evidence is admissile and te forensic reort is accetale in court

Receive Register Photograph Return Register case Conduct analysis Close case request exhibit exhibit exhibit

F ase anaement rocedure

R

e or starts on receit of a formal request from a Requester is formal request can e in te form of a letter email or fax e information sulied in te formal request sould include a descrition of te crime involved te related act electronic evidence details te case ojective and ossil te arrant

e la manaer or aointed staff ill ten revie te request and determine eter te case is feasile ased on te folloin criteria a e case is itin te scoe of diital forensics ie te evidence is electronic and not oterise suc as or finerrints etods and tools tat are availale c taff is availale to conduct te case d e leal requirement is fulfilled

e ill ten formall resond to te request as to eter or not it can accet te case f te decision is to accet te ill rovide a date for deliver of te electronic evidence from te Requester

R

nce te decides tat te case is feasile te Requester ill come to te it te electronic evidence e creates a unique runnin case numer for tat case and fills out a case reistration form samle of te case reistration form is availale at endix C: S C R F

n order to effectivel examine electronic evidence Examiners need to e sulied it a clear and secific case request te Requester ue to lare amount and various tes of data in a device suc as documents videos communications ealt monitorin data locations etc it is imossile for an Examiner to examine te data itout a clear and secific request

ae

ER loal uidelines for diital forensics laoratories

ased on tat information te Examiner can lan te metods and tools to e used to rocess te evidence

ot arties te Requester and te staff must sin te form e or as no officiall eun e ill ten create a folder in a storae medium to store all loical data related to te case

R

en electronic evidence exiits is received it is imortant for te exiit to e sealed efore custod can e transferred to te o eliminate an reasonale dout aout te interit of te evidence ot te Requester and te Examiner must e ale to demonstrate tat noone else as ained access to te evidence durin te transfer rocess from one art to te oter is ractice is ne and costl for some aencies te ill neverteless rovide constant aareness and rovide a firm timeline to start ractisin tis rocedure it te aencies

Eac iece of electronic evidence tat is sumitted must e reistered and assined a unique exiit lael ic is documented it the exhibit’s details in te reistration form samle of te exiit reistration form is availale at endix D: S E R F

is reistration includes eac exhibit’s subitems suc as sim cards and memor cards e laels must e ale to trac te suitems to te arent item or examle if a moile one is laelled as ten te sim card ma e laelled as

t is imortant to note tat an defects on te exiit must e documented in te exiit reistration form is is to rotect te from an neative claims in te future n forms of softco documents related to te exiit must e uloaded to te case folder

o te cain of custod of te exiits as started and te form must e filled in te staff receivin te exiit ile te exiit is not in use it must e stored in an Evidence storae room as exlained in section

P

otora of te exiit is taen for te folloin reasons to record te state of te exiit and to effectivel identif te exiit in te future otora te overall vie of te exiit as ell as te closeu vie f te screen is active otora its screen disla also e ictures sould ten e uloaded to te case folder t is advisale to otora te exiit efore returnin it to te Requester for future reference as to its condition

ae

lbal uidelies diital esis labaties

C

he aalsis ust be duted i adae ith the alsis del ee t eti details h t dut the aalsis ui the ess xaies ust aitai uiati ith the eueste ad uiate a deiatis liitatis that a aise dui the exaiati e xaies hae eas lede i diital esis ad s the ae able t allate the et data he thee ae eetie uiatis betee xaies ad eueste

R

e the aalsis has bee leted the tats the eueste t i u the eidee atie i the is t etu the exhibit al ith the esi et t the eueste t sae taelli tie ee etui the exhibit the ust seal it he seal ust hae the staff’s initial, the exhibit’s label and the date and time it as sealed exale exhibit seali is aailable at edix E: S E S

C

he ess is the lete ad the a lse the ase lse the ase bth aties ust aee that the is lete ad the et has bee delieed t the eueste his a be de b sii a exale is aailable at edix D: S E R F hee b sii the exhibit etu seti bth aties aee that the is lete

te leti the ase the a ad iles the xaie aeai i ut t ide exet testi the esi esults the ase i euied he eueste is the xaie he heshe is eeded i ut

LABORATORY ANALYSIS PROCEDRE

his hate es the edue duti aalsis eleti eidee at the eall hlial ess del is eseted t ide a bette eie the ai esses

hee ae tiall u hases iled i the aalsis eleti eidee i the auisiti exaiati aalsis ad esetati huhut the ess the hai ustd the eidee ust alas be udated heee it haes hads ad its iteit ust be seued at all ties xaiati ad aalsis hases a be eeated util the satisies the ase euest

t is l udestd that duti i the euies these u hases hee t all ases ill euie all the hases etai ases the auisiti hase a be sied t dut tiae staihtaa dui the exaiati hase exale suh a ase

ae

lbal idelines f diital fensis labaties

is hen thee ae lae sets f data, hee ndtin aisitin n eah eidene item ma be nt feasible

he fllin fie shs the labat analsis mdel

F iital ensis abat nalsis del

he next setin in this dment exlains in detail eah hase inled in the nalsis del

A

O isitin , as it is bette nn, data aisitin, is the ess f eatin a fensi f the eletni eidene exhibit sh as had dis, thmb die see in the fm f an imae file files he imae file files ill then be sed f the next stae f the ess in analsin the eidene he aisitin is made in de t esee the inteit f the eletni eidene t is t de an idential f the data itht hanin the ntent f the eletni eidene in an a

letni eidene needs t be aied in a fensiall snd manne ata is tiall aied b lletin latile data fm a nnin mte din a seah, b aiin a stae medim fm a seied mte at an the stae din an inestiatin he intanible nate f data and infmatin sted in eletni fm maes it eas t manilate and me ne t alteatin than taditinal fms f eidene t is theefe imtant t hae a defined and tested aisitin ede

ne an imae file has been eated, bth the hash ale f the exhibit and the imae file mst be eded ashin is sed t e that the imae file is exatl the same as the ntent f the exhibit hee ae a lt f hashin alithms sed in , sh as ha st fensi sftae and hadae ffe the hash eneatin feate

xaminatin and analsis mst nl be dne n a fensi f the iinal eidene, nless imstanes eent examines fm din s his is imtant in de t esee the inteit f the eidene he fensi f the eletni eidene mst be sted n the stae media, nee nt the eidene itself he fensi mst be leal labelled t

ae

lbal idelines f diital fensis labaties

ense it is nt mixed ith the iinal eidene ith fensi ies fm the ases he mst theefe eae sme stae media befe eeiin ases

his dment exlains the ess f ndtin examinatin and analsis n t tes f deie mtes bile eies

C isitin f mtes is as flls

yes o Data isition

hee ae t leels f data aisitin hsial data aisitin and lial data aisitin hile hsial data aisitin inldes all a data, a lial tiall nl inldes an allated sbset f thse data

hsial data aisitin, at hle dis leel, ies all data ntained n the dis, inldin the atitin sheme, “There are two levels of atitined aea, and natitined aea ial data aisitin n dis leel ies nl a lial atitined data aisitin hsial aea data aisitin and lial data aisitin he xamine mmnl hses hsial data aisitin f a hle dis bease it inldes deleted files and hile hsial data nallated lstes hen dealin ith entin, aisitin inldes all hee, a lial data aisitin f nled data is a data, a lial efeed t a hsial aisitin f the ented data n tiall nl inldes an this ases hsial aisitin is still emmended if the fensi sftae st the mntin f the ented allated sbset f all imaed thse data.”

eate a , the xamine fist needs t hse the state f the exhibit f the sstem is and nnin, the xamine ma need t hse lie aisitin

ee, if the sstem is eed ff, the xamine ma then hse t ndt dead aisitin he diffeene beteen these methds f aisitins is desibed in the fllin table

ae

T loal deles for dtal foress laoratores

D A L A hat ead asto s odted o a ve asto s odted o a lve dead sste. dead sste s a sste. lve sste s a sste that s sste that s ot r tred ad r where forato a off wth o ower. e altered as data s otosl e roessed. he the sste s dead volatle data teorar storae areas ease of the rh evdetar vale sh as eor r that old e dsovered a lve sste roesses ahe or atve swth t off a ase loss of volatle alato daloes o a data sh as data stored o the lod oter wll o loer e erted data r roess avalale. etwor oeted ad oted fle sste. ow The roess of odt dead ata o a sste have dfferet levels of asto s strahtforward as t s volatlt. These data wll e lost f the orall doe atoatall s sste s swthed off or reooted. fores eet. heever the aer ares lve data t s sesle to ollet fro the The hard ds st frst e tae ost volatle data to the least volatle. ot of the oter efore oet t to the eet f The tal level of volatlt fro the ossle. ost to least volatle s as follows  eor soe ases etoo oters  wa le or deves wth soldered sold state  etwor roesses drve storae aot e etrated  ste roesses dead asto.  le ste forato ther ethods to erfor etrato sh ases le oot the sste wth a lve shold e osdered.

he ead asto s odted ve asto s odted whe whe  The sste s sessrtal ad  ste s swthed off aot e sht dow  eleted data s ore ortat  olatle data are ore ortat tha tha volatle data deleted data

T ethod for odt asto ead sto ad ve sto

The aer the eeds to hoose whether to loe the eht or to reate a ae. The loe oes the data tt fro oe storae ed to aother. The ae o the other had oes the data tt fro oe storae ed to a ae fle. Ths fle a the e stored o aother ed. The latter tehe s the ore ool sed as the ae fle a sseetl e read ost fores software for fores aalss roess. lo s ool sed for slato roses. efore that a e doe the aer st esre that the eht s wrte loed a ethod whh eales ol read ad revets a wrt o the eht.

ae

T loal deles for dtal foress laoratores

ite oe

wrte loer s a deve that eales data to e ared fro a hard ds wthot odf the disk’s data. The device allows a read oad t does ot allow wrte oads to e eeted o the hard ds. ost a tools have a lt wrte loer that the aer a tle whle a a hard ds. hle wrte lo a also ee aheved software tools or haes the dows restr hardware soltos wll e referred s.

main oos

The a of a storae ed a e erfored s fores software or hardware. There are free as well as oeral rodts avalale whh a ad the roess. he rhas a tool the ost ortat rtera to loo for are the seed of odt the ae ad the relalt. The a software a lde featres sh as ● reoto of hdde areas ● a ltle deves sltaeosl ● a to ltle destatos orretl ● a ees ● hash verfato wth oo hash alorths ● hash verfato at dfferet staes of the a roess ● sort the ost oo fores ae forats ● rod erted ad oressed aes ● res a terrted asto roess ● tolerae of hardware errors

The aer st alwas e alert to the osslt of atfores tehes. dde areas le hostroteted areas s or deve ofrato overla whh are ol addressale va seal T oads a ol e deteted soe avalale a software soltos.

main omat

There are several oo ae fle forats ael raw or dd. These forats store all data fro the oral ed a raw fle. ther forats lde ert tess orat ad dvaed ores orat . The ota featres sh as ● oresso of data ● rto of data ● rrorhes ● ase etadata ● ash ss ● ltt the ae hs

rtherore dfferet fores software soltos oe wth ther ow roretar ae forats wth slar featres. he hoos a ae forat alwas ot for oe that s sorted ost fores software soltos. oe s se dfferet fores software ad as a reslt there s the osslt that the ae fle a ot e oeed f the aer hooses a e ae fle forat.

ae

T loal idelies o diital oesics laoatoies

oess o

The coo ocess o codcti data acisitio is illstated i the ollowi ie

Identify Image Verify Document storage media the exhibit exhibit and image file all actions

F ata cisitio ocess o ote

The ethod o codcti data acisitio is descied i the ollowi sectio. detailed ocess low is availale at edi G: A P F C.

A I S The aie st eae a coatile stoae edia with siciet data sie eoe hadove. the ehiit is lae the aie a eed to eae seveal stoae edia to stoe the iae ile.

B I E To iae the ehiit ist coect it to a witelocke to ese the ehiit is ot witale ths otecti its iteit. ost oesic tools oe this eate.

The iae ile is the stoed i the eaed stoae edia. To otect the stoae edia ad the iae ile se a stadad laelli oat hashi all the evidece acied with .

The aie eeds to ote that si a availale witelocki techie does ot evet chaes to data o a solidstate dive o lashedia which icldes a cotolle chi. s soo as the cotolle is attached to a owe sl it will stat to eoaie data o the lash chis. Tasks like wealevelli witealiicatio ad aae collectio ae caied ot the cotolle eve whe it is attached to a witelocki device. t this oit i tie thee is ol a esoceitesive wa to ceate a te oesic co o the lashedia. This is doe soldei the chis o the cicit oad ad the easseli the data i the coect wa whee ossile.

C E I F te the iae ile has ee ceated the aie eeds to check that it is ale to si oesic sotwae ad that the hash vales o oth the ehiit ad the iae ile ae atched.

D D A A The last ste i eaii ad aalsi the cote is to docet the ocess the tools sed the hash vales date ad tie as well as the Examiner’s initials i the case otes. sale o case otes o woksheets is availale at edi F: D A

D The ollowi ives details o data etactio o oile devices.

yes o Data Extation

eoe stati the wok the aie st eview the case aewok otaied o the eeste i ode to ascetai the tes o data eied o the ehiit. This ca assist the

ae

E a ieines r iita rensis aratries

Examiner in eiin te est extratin met r te ase n attemt s e mae t ater a asses assrs r atterns te exiit rir t ntin te r sin te mana met r exame reires te ne t e ne mst a extratin mets reire nes t e ne t is terere aas a ratie t tr t tain te n e at te time seire

ere are ie ierent ees ata extratin r mie eies i are esrie rm te ee ere mst ata an e extrate t te ee ere te east an e extrate earess te met se ater te inrmatin as een extrate rm te eie it te an ir inserte te ar an ir mst e anase searate

A P E sia extratin is te aisitin ra inar ata rm te meia strae te eie ese ra ata ten nee t e anase an resse at a ater stae rensi stare is met tia as te Examiner t aess ie an eete ata eratin sstem ies an areas te eie tat are nt nrma aessie t te ser

B F S D FSD e ie stem m is a ri sia Extratin an ia Extratin retriees te eie’s ie sstem an interrets te ata rin te ressin stae is as te Examiner t retriee r exame ataases in eete messaes tat ma nt e aaiae at a ia extratin an ma nt e aessie rin a sia extratin eer a imitatin is tat it es nt retriee a eete ata te a a sia extratin is ae t

C L E ia extratin ines reeiin inrmatin rm te mie eie an ain te eie t resent te ata r anasis is is ten te eiaent aessin te ata n te eie itse is met maes n ie ata aaiae t te Examiner st mie eie rensi stare ers tis te eatre

D imitatin rensi stare is tat smetimes it es nt srt te me ertain nie mie eies r reent ane mes n tis ase it is mmn aetae r te Examiner t se te mana met is met aesses te eie an rers te ata isae n te sreen it tras r ie r transriin its ata r

ae

E TAG CO R B

device’s requires the permanent removal of the device’s memory chip from the memory board. “Rooting” or “Jail Breaking”. This process involves leveraging fe of the running user (similar to the process of gaining “Root” T

Extation oo

ing equipment and specialist jigs to read raw data from the device’s memory

Extation ie omat

TR lobal guidelines for digital forensics laboratories

oess o

Identify Verify Isolate Extract Document exhibit and exhibit and exhibit from network relevant data all actions storage media extracted data

igre ata traction rocess on obile evices

enti te iit an torage eia The aminer observes the ehibit at hand before proceeding to the net process. The exhibit’s label should be affied on the inside of the mobile device or printed on the bac of it. The label must include nternational obile quipment dentity umber ( a obile quipment dentifier ( or erial umber. These data uniquely identify the device and are used to submit the request for billing records or to conduct cell site analysis in the later stages of the investigation. The mae model and can also be used to determine the level of support from the forensic software.

et a storage media should be prepared to store the etracted data. f a cloned card is required a clean empty card should be prepared.

B olate iit ro etork hen conducting mobile device etraction the device needs to be switched on. To prevent any attempt to connect to a networ and subsequently ris changes to any data the ehibit needs to be isolated from a networ. n some countries some public networs are available everywhere and evidence must be configured to connect them by default.

epending on budget isolation can be achieved through different forms such

eto to iolate netork lone card appears in the ehibit as the original card but ar lacs the capability to connect to the mobile networ. card identifies the subscriber and maes a connection to the networ. ome forensic tools offer the function of cloning the card. atest mobile phones could be powered without card and there is no impact on the store data within the phone etork laboratory installed with araday shielding to prevent networ iele roo signals. owever this is a very epensive solution and the use of smaller araday boes can be considered as an effective alternative. f this is not available proper containers such as araday bags or boes can be used. irele This equipment blocs incoming networ signals. n some aing jurisdictions it is illegal to use this as stated in ection .. eient anal eto This is the cheapest easily configured method. owever it needs the aminer to access the ehibit. This poses some ris of changing the data. t is conducted by setting the mobile device to ‘Flight Mode’ and disabling the ii luetooth and any other networ connections. ale ethod to isolate networs

age

lobal gidelines o digital oensis laboatoies

trat Releant ata e to soe seii extation tehnies sh as i oot loade extations and ooting o ndoid deies it is not alas ossible to ileent itebloing to a obile deie hee ossible itebloing shold be ileented o exale on eo ads oee it is idel anoledged that the itebloing ethod is not alas ossible o atial o obile deies Fo this eason it is ieatie that the exaine is ll aae o the onseenes o thei ations hen handling obile deies and is able to exlain and sti these ations

Mobile deies ae esented ith thee distint edia that eie seaate handling tehnies as in the olloing table

eia erition ar eies obile deie oensi tools Method to extat data is logial extation hsial extation is not ossible o this deie t is best that the M ad be eoed o the exhibit ding the F o oee soe deies eie the ad to be inside the deies hen the ae sithed on he xaine a ode a loned M ad to oeoe this eor ar hese an be exained as a ote had dis oth logial and hsial extation an be ondted on these ads as long as the oensi tools sot this eate he xaine has to the ad extat the data and then t it ba into the deie beoe sithing it on oe deies stoe data in the eo ad and i it detets that the ad is not aailable it old ase data loss o the obile deie tie and esoes allo a bittobit lone o the eo ad shold be eated and that lone inseted into the handset nternal eor his eies obile deie oensi tools oe deies ae soted b oensi tools o a boot loade hsial extation his an oten be aied ot ithot a M ad he oensi tools ill boot the deie in a atila a and ondt hsial extation ithot aing an hanges o alteations to the se data on the deie his ethod an otentiall eoe deie lo odes hih allo the xaine to gain ll aess to the exhibit one it is sithed on ale Mobile eie toage Media

he extation oess ill a deending on the extation tool hosen Most oensi tools hae a gide exlaining the oede that st be olloed o a sessl extation n soe ases exaining and analsing the obile deie eies odiiation to the sste iles o the oeating sste in ode to extat the data o soe extent it is neessa to load o install aliations to the obile deie his oess an ase soe data to be ieoeabl lost hoee it aets onl the sste iles ith little eidential ale noledge o hat is alteed b an o these oesses an be gained b holding aoiate taining etiiations sh as taining oided b the anates o obile oensis sotae o atial exeiene inoling the testing o obile deie extation

age

lobal gidelines o digital oensis laboatoies

nothe good soe o oensi eidene is the mobile device’s ba ile oe ses and deies ill eate bas on othe deies sh as in the ote o in the lod hese bas an assist in bilding a tieline o eidene and an also be sed to gain aess to a assodeloed deie t is also ossible to analse soe bas as i the ee a hsial deie

eri te iit an te trate ata ne the data hae been extated the xaine st ei the data against the dislaed data on the exhibit noation sh as date and tie st be oss heed b the xaine as soeties it is oneted to anothe datetie oat ding the extation oess

oent ll tion he last ste in exaining and analsing a obile deie is to doent the oess the tools sed date and tie and the Examiner’s initials in the ase notes

aination

eneral xaination o oiginal eidene shold be aoided hee ossible he xaine st alas o on the oensi o iage ile o the eidene this is ineitable aess to the data st be oteted sing a ite bloe

n etain ases xaines need to se an isolated enionent o eset enionent to ondt the exaination Fo exale ondting the silation on a database sste o gaing sotae o ahiee this xaines a se italiation tehnolog and enaslate the ase in a oing ontaine hen the exaination is olete the xaine a eet the ostation to its eios state sing a non iage o sing a eate oeed b the oeating sste

riage iage is the oess o ioitiing ases exhibits o data o analsis oesses aoding to thei eleane to the ase ased on the eslt o tiage ases exhibits o data ill be analsed deending on thei ioit seene o the ost iotant to the least iotant t is ossible that soe a not be analsed at all de to ieleane to the ase being inestigated

iage is ondted in ode to addess sitations sh as

• hge aont o exhibits o ass data needs to be analsed in a shot tie ae • xhibits annot be stoed an longe de to legal isses • t is a high ioit ase and eslts need to be oded iediatel ie in a ase in hih bodil ha o death is ossible

hile tiaging oes soe adantages thee ae also disadantages that need to be addessed tiage annot elae a ll exaination iage is ondted sing atoated oessing this is oeed b oensi sotae o b nning selitten odes to the exhibits o data hee is a is that this atoated oessing onl exaines sbsets o data and soe iotant data ight be let ot his is needs to be exlained to the inestigato oseto o dge and based on that inoation the a need to deide in ao o o against the tiaging oess o that atila

age

E lobal idelines or diital orensics laboratories

case oever triae remains a valid method to coe ith a sitation that cold not be solved in an other a

here is lots o sotare on the maret that oers triae nctions some are commercial and some are oen sorce riae can be condcted b rnnin the sotare hile the exhibit is still live or b bootin the exhibit sin orensic bootable media he Examiner then ints eords and lets the sstem rn beore selectin relevant iles and storin them in removable storae media doin this mltile exhibits can be rocessed at the same time even overniht or drin eeends

ter triae has been condcted and the Examiner decides that the exhibit is relevant to the investiation the Examiner can then roceed to the next rocess described in this docment and se more sohisticated methods to ather more data rom the comter

eto or oter aination here are man methods and technies to examine a comter ome reire indeth sill hile others reire minimal sill sch as condctin an atomated rocess nmber o orensic sotares can be sed b the Examiner eendin on sotare caabilit some are able to recover assords correlate data beteen electronic evidence and condct eord searches

he rocess lo or condctin an examination on a comter is available at endix oter aination lo art he lo chart is exlained in the olloin section

Examination on “Dead System”

“dead sstem” is a sstem that is not rnnin trned o ith no oer hen the sstem is “dead” volatile data in temorar storae areas sch as memor rnnin rocesses cache or active alication dialoes on a comter ill no loner be available

Examination o a “dead sstem” mst consider the olloin data

ae

  – 

“ ”

A “ ”

     

● ● ● ● ● ●

A

eto or oile eie aination

A

often necessary. A number of available tools use a form of “fuzzy processing”, that is to

nali

naling oter “ leave traces at a “digital crime scene”. and download history”

rae tat are ioerale rae onigre to e nioerale A A

lobal guidelines for digital forensics laboratories

ome of the discoverable traces ome of the undiscoverable traces

 lac space  humb caches  nallocated space  ost recently used lists  entries  og files  A  rowser histories  rowser caches  ost used programs  orm data  agefile.sys  iberfil.sys  olume shadow copies  ownload history ale iscoverable and undiscoverable traces from a computer

ata and information that need to be etracted from a computer depends on the type of case. or eample in a fraudrelated case, datainformation typically etracted from the computer is in the form of spreadsheets, emails and office documents. n a childabuse case, the possible related datainformation may be pictures, videos and communication messages.

he process of analysing various inds of artefacts is illustrated at eni roe o naling Exhibit’s rteat he following sections eplain in detail the types of data that can be etracted from a computer.

ail Analysis of emails, which typically involve the mail clients such as utloo, hunderbird, and ail as well as webmail accounts. ifferent mail clients will produce different types of artefacts. utloo, for eample, stores evidential data in personal folder files such as , , and A files. hunderbird stores messages in inbo files. sually, forensic software is capable of parsing these files, however they do not necessarily etract all messages. ome forensic software cannot retrieve deleted messages from personal folder files, so the data recovery method may be needed in this case.

B ie oent or roeor reaeet reentation Analysis of office documents typically starts with file signature analysis and is followed by filtering the files of interest. ile signature analysis compares the file header with its etension to ensure it is matched. f it does not match, there may be a possibility that the document header or etension is being modified to hide the content. iltering files involves using a eyword search. ost forensic software is able to perform both tass automatically.

nce the aminer has discovered related documents, it is good to refer to the euester for content analysis. his is to ensure that the etracted document is indeed related to the case being investigated. hen the euester has confirmed the documents, the aminer can conduct further analysis on the document, document metadata, document maer, and identify whether it has been sent or received on the computer.

itre an ieo o conduct analysis on pictures and videos, the aminer first needs to have a clear idea from the euester of what to loo for. f it involves searching for identical photos, then the

age

lobal guidelines for digital forensics laboratories

euester needs to supply the aminer with the necessary photos. f it involves files with nown hashes, then the euester may need to supply the aminer with the hashes, or the aminer can use a list of hashes from nown databases. f it involves a certain portion of a video, then the euester needs to state its uniue features. or eample, to etract all pictures from the video that has a motorcycle.

Analysis of pictures typically starts with signature analysis. et, the aminer may sift through pictures in the gallery by using the thumbnail view.

f the case reuires searching for a set of nown pictures for eample in a child abuse case or stolen blueprints a hash comparison can be used to accomplish this tas. ome forensic software offers a feature of similar picture detection, he aminer can use this feature by supplying the necessary picture to the software.

or video analysis, some software offers the feature of etracting still pictures from the videos. or eample pictures, in every secondminute. hese etracted pictures can then also be viewed in a gallery view. his allows for the much more efficient previewing of video files.

n cases where location or production details of pictures and video files are important, the aminer should consider etracting the metadata of those files. etadata are sets of data that describe and give information about other data, for eample coordinates where the picture was taen, creation date and time as well as the device used to capture the picture.

ome ehibits may have thousands of photos and videos, and it is impossible for the aminer to sift through and locate one specific video or pictures files. he best way of doing this is by etracting all pictures and then passing them to the euester.

he simple tas of viewing the contents of the picturesvideos does not reuire any digital forensic epertise and could therefore be carried out by the euester. hen the relevant photosvideos have been identified, further analysis can be conducted by the aminer to etract more meaningful data, such as coordinates and creation or modification data.

tt s nternet browsers are of evidential value in many cases. hey typically contain the following artefacts

● ebsite visit history ● ocal cache temporary internet files ● oomarsfavourites ● essions information ● ooies ● aved usernames and passwords ● ntries from form fields ● nternet eyword searches

Analysing browser artefacts can be important for suggesting purpose or intent, an eample is the eywords used in search engines which could prove intent.

opular browsers include oogle hrome, icrosoft nternet plorer dge, ozilla irefo and Apple afari. All of them store data within the user’s home directory. ith the eception

age

s ss s

s ss ss s ss s s

s ss s s s s s s ss s s s s s s s s s s ss s ss ss s s s s ss

s s s s s s ss ss s s s ss

E t s s s s s s s s s s s s s s s ss ss ss s s s s

s s s s s s s s ss s s s s

s tiit ss s s s s

● s s ● s ss ● s s s ss ● s ● s s ● s ● s ● s s ● ss s

s s s s s s’s s ss s s s s s s s s s s s ss

sss s s s sss s s s s

is s s s ss ss s s sss s s s s s s s ss ss s ss s

s ss s

s s s s s s

Eti s sss s s s s s ss s sss s s s ss s

s sss s sss s ss s sss s s s s ss s

s s s s ssss s ss s sss

t s s s s s s s s s s s s s s s s s s s ss s ss s

t t ss s ss

 s s  s s

s s s s s s ss s s s s s

ss s a company’s computers because the s s s ss

s s s ss s s s s s s ss s s s s

s s s ss ss s s

oba uenes or ta orenscs aboratores

he possbty o acurn an anaysn remotey store ata s epenent on the esaton an urscton n some ursctons or eampe uner certan crcumstances the amner s aoe to connect to the remote storae usn the suspects creentas rom the computer n orer to acure the ata ther ursctons may not accept such an acuston n these cases oca channes can be use to reuest preseraton an access to the ata rom the proer

t hen the computer memory has been acure he the see computer as st runnn the memory ump can be anayse n the

nerstann memory structures o erent operatn systems n orer to anayse the memory ump reures ery hh an technca ss so ony a uae amner shou o the or peca sotare s reure to anayse the memory ump ampes o ths are oatty an ea hch are pubcy aaabe on the nternet or ree

ypca arteacts that can be etracte rom memory umps ncue

● unnn processes ncun ther memory ● rocess normaton e hanes ● ncrypton eys ● pene es ● sernames passors ● nsae ocuments

pcture s orth a thousan ors ths s partcuary true or rtuaaton sn rtuaaton the amner can e the operatn system enronment o an ehbt the same ay as the suspect has seen t nn eence rom thn a rtua machne can sometmes be aster an more epresse than reassembn traces o ata rom the mae e n eampe s en counteret amn sotare

hen mountn an mae t shou be mounte th rteprotecte or rea ony parameters th a rte cache aon the rtua operatn system to rte o es thout aectn the nterty o the mae e

ome operatn systems reuse to start n rtua enronments hs can typcay be soe by repacn some rers an by conurn the system settns usn sotare e penates an penobs the rtua operatn system starts th a passor prompt the amner nees to ether crac the passor or remoe t

ome cases noe ots o computers th masses o ata o eecute the orensc tas a stratey nees to be mpemente n orer to epete the or ne ay to o ths s to separate the orensc anayss tas rom the content anayss tas he amners concentrate on the orensc anayss tass such as recoern parsn mountn an processn o ehbts he the nestators th case specc noee o the content anayss

ae

oba uenes or ta orenscs aboratores

he proper processes or hann an en etracte es may nee to be eeope an mpemente beteen the amners an the nestators to ensure smooth operaton

nother metho or processn mass ata s by conuctn trae rae s epane n secton n ths ocument

o a the unerstann o compe ata an os suaaton as can be useu ome eampes o such as are

ths is is iis hese can be use to spay user behaour hen the suspect oe n hen he connecte to a certan meum hen he connecte to a certan reess router an hen he ee a partcuar ebste tishi hese can e ansers to uestons such as ho has met th is hom at hch pont n tme usn hch meum hat normaton as sentrecee ho nos hom ho s the man suspect that coornate others hese can hep to unerstan at hch pont n tme an amount o is money has been sent oer hch channe an by hch nuas

iti mar to a reatonshp aram but these o not necessary is noe persons hey cou sho ho oten certan aresses attac certan serers rom erent countres b etho or sua s

raphca representatons mae t easer to unerstan the correaton beteen the ata hey can aso enabe the nestator to n ne reatonshps not preousy note ypcay the bass or such arams s ra ata store n a structure ay or eampe n or ormat hese es are oae nto anaytca sotare

n nu or eampe smpe commans e a sort an un use n conuncton th raph or ot can hep to ra raphca representatons

si bi is obe eces contan recors an os o communcatons aon th tmes an ates o partcuar communcatons n aton to ths mobe eces may aso contan mea es an ocatons

ta traces oun on mobe eces can be spt nto three stncte roups communcaton ata mea es an other ata ommuncaton ata can ncue ca recors messaes an other messan serce messaes ea es as th computers can contan normaton beyon hat s epcte by the e etaata on mea es capture n a mobe phone or eampe are ey to contan eotas or other useu ocaton an entcaton ata embee thn the e tse

ae

oba uenes or ta orenscs aboratores

he oon sectons epan the types o ata that can be etracte rom a mobe ece

hist he ca hstory proes nsht nto the ca actty o the oner beore the acuston o the martphone ece he nestator can see ncomn outon an msse cas ncun the tme an uraton hs can hep the orenscs nestator to ra an nrect concuson about the suspecte acttes thereore assst the n speen up the anayss process by pron a concse an cear case reuest

tt ist he contact st not ony proes contact names but potentay aso the home number mobe number an or number ther types o normaton such as contact tte company aress an assocate emas can aso be etracte rom the contact st ome smartphone eces store a pcture o the contact n the contact st hch can assst n entyn a certan nua he normaton store n the contact st proes the nestator th the soca an or reatons o the oner o the martphone ece eses ths many peope store erent types o account normaton an the passors n the contact st

xt sss Eis ne the ca hstory an contact st hch proe nrect normaton tet messaes an emas e epct normaton that can be use as eence n court hs s because they contan the eact tet ntenesent an recee by the user o the ece

i i its is i ea es such as pctures eos an auo es can be use as potenta ta eence n court any smartphone eces such as hones embe coornates o the ocaton nto the metaata cae chaneabe e ormat o the pctures ther normaton embee n the ata can ncue the bran o smartphone ate an tme n hch pctures ere taen as e as the sotare that s use to moy the pcture any hs proes the nestator th more nsht nto the acttes o the oner o the smartphone

E tt bsi hist sh he nternet brosn hstory an eyor searches mae n the smartphone ece proe the nestator th a enera unerstann o the nternet acttes o the oner he nestator scoer the types o ebstes that the oner has ste an to some etent the user’s aourte stes

ht s ssi s here are seera aaabe chat appcatons an messan apps ampe ncue hatsapp eeram ype ne eebo ehat nos e essener ooe a an acerry essener sers o these appcatons usuay choose to sae the chat os he chat os can be use as ta eence n court as to hat the oner communcate to others ome chat os are bace up n the cou or oca storae such as a computer so anaysn the computer may be useu to an more ata

essan apps can aso oer o oce oer serce hs enabes the oner o the smartphone to communcate th many peope usn the protoco thout ean a recor n the ca hstory o the ece he suspect may use ths sotare to communcate

ae

uees r t ress rtres

th r r t r ee h use ses the r ute th the h us these ess s

i t ts etr uts suh s str e tter ur stre user reets the ee tse str the reets users t he t eh te the t t st these stes hese reets re ue t the er s the can be used to gain access to suspect’s social media account e t t e etrte r the ee

t t s stre s e uts tt sts esses etee us rus tures es user tt – the st s eess he er ees t e sue th er se reuest rer t etrt the rret t reset ss resuts ete se ress rerts

ts he er es ture the reus urret uture e ttes the er the srthe he er e use t sste the er the srthe th se ts tes rer t r sse tesses he er the rthe s he se tes tht he ue rt tht e resete s eee urt

tis bi t ii tth hese e the esttr ere the etr ttes tht ere erre by the owner’s srthe ee he e etr e ture hh utr r re the er hs re e ture hh re etr the srthe hs ete t uetth ets e the esttr rt ut the es the ees tht ere ete th the er the srthe

s tis itis h its hs re the nvestigator with a geographical view of the owner’s movements hh e use s tet eee urt GPS coordinates of the user’s movements can also e ture se suh s the se here ts tht re rets re use hese ue e s s s e s

t t ssi t st srthes er the eture ret et uets uet ress stre suh s r heet t tet eee rete t the se

e

P Global guidelines for digital forensics laboratories

stti

he Presentation phase reuires putting together findings in a presentable and understandable way for staeholders hen the analysis phase is completed the aminer needs to put the findings and results in a forensic report he aminer should illustrate and translate complicated technical contets into facts that udges prosecutors and other parties involved can easily understand hey may also be epected to interpret those facts and to epress an opinion on their meaning n some cases when a large number of ehibits are analysed it will be difficult for the eaminer to present the outcome to the investigation team t is recommended to adopt an analytic software to facilitate matching digital evidence with other data from the investigations his ind of tools can also be used to inde and search all the ehibits providing the investigation team with a global overview of the case

issibiit Eti Ei he criteria for the admissibility of electronic evidence may differ from urisdiction to urisdiction Generally the aminer should consider the following criteria when evaluating electronic evidence for trial

iti th issibiit Eti Ei thtiit he evidence must establish facts in a way that cannot be disputed and be representative of its original state tss he analysis of or any opinion based on the evidence must tell the whole story and not be tailored to match a more favourable or desired perspective ibiit here must be nothing about the way in which the evidence was collected and subseuently handled that may cast doubt on its authenticity or veracity ii he evidence must be persuasive as to the facts it represents and must be able to convince the staeholder of the truth in court tiit he methods used to gather the evidence must be fair and proportionate to the interests of ustice the preudice ie the level of intrusion or coercion caused to the rights of any party should not outweigh the probative value of the evidence ie its value as proof b General riteria for the dmissibility of lectronic vidence

Page

P Global guidelines for digital forensics laboratories

t iti forensic report must be written in clear and understandable language he result must be properly summaried and it must also provide a concise answer to the case reuest supplied by the euester

t is recommended that all technical details be listed in the appendi section rather than put in with the main content his is to facilitate the layman’s understanding in reading the report

he aminer must also refrain from providing a statement that cannot be proven or eample "The suspect has altered File A”. n appropriate sentence would be “File A found in Computer B has been altered”.

common reuirement for a forensic report is available at ppendi it si t of this document

ue to the compleity of the case sometimes it is difficult for the aminer to epress the findings in the report he use of visual aids and visual representation such as animation slides pictures and live demonstrations are good methods of facilitating understanding

Ext itss n some urisdictions a submitted forensic report is sufficient in court in lieu of the aminer attending the court session owever in other urisdictions the aminer is reuired to attend a court session and present hisher epert testimony related to the case

n epert witness is a person who by virtue of education training sill or eperience has an epertise and specialied nowledge beyond that of the average person he witness’s nowledge is sufficient that others may officially and legally rely upon hisher specialied scientific technical or other opinion about evidence or a fact within the scope of hisher epertise referred to as the epert opinion

n some urisdictions epert status is decided on each and every case by the trial udge and the person is only an epert in that case n other urisdictions epert status is appointed by the legal institution and the person is responsible for any case within hisher epertise

he rights and duties of an epert witness differ from country to country t is important for aminers to familiarie themselves with their legislation their court procedures their role and their rights and duties in that role

Page

T lobal guidelines for digital forensics laboratories

E hen presenting the forensic report in court eaminers may not only be reuired to eplain the analysis process. They will also be reuired to eplain their proficiency the euipment they used the method they chose the eidence handling method and much more. t is important that procedures to address the aboe matters are established and implemented in the F.

The following section eplains in further detail the components as well as the accreditation which should be obtained.

it ss t The basic uality assurance that can be implemented in a F includes but is not limited to

it ss ts hist bt a. Create an rganiation Chart at F leel and at the organiation leel. b. Conduct an internal audit annually. c. stablish a procedure to address internal and eternal complaints. d. stablish a procedure to control documentation. iit a. stablish lab premises – access and eits. Eit b. Create an access list and limit access by using eys indiidually iti assigned identification cards or biometric deices. c. onitor the lab enironment regularly – temperature humidity cleanliness. d. stablish a ealth and afety programme. e. stablish isitor policy. f. Conduct regular houseeeping. Eit a. stablish a procedure for handling transport storage use repair disposal and planned maintenance for euipment. b. Before putting into use ensure that the euipment is woring according to specifications. c. mplement the maintenance programme. d. pdate the firmware according to reuirements. e. aintain euipment documentation manuals and warranties.

age

t  

    Evaluate staff’s competency by conducting Competency Test  Evaluate existing staff’s proficiency by conducting  

si th i st

–

ix E i st

TE lobal guidelines for digital forensics laboratories

Ei Establis and implement a policy and procedures on evidence i andling Tis sould contain a Evidence preservation b Evidence labelling c Evidence sealing d tems to document including te cain of custody e Evidence tat is left unattended f recautions for securing and andling te evidence g torage and retention

ee ppendix Eti Ei i for details on evidence andling

si st a eep tecnical records to support te forensic result Te records must indicate te Examiners conducting te process and te date mendments to previous records must be traced b Conduct tecnical and administrative revie of te forensic results c utorie te forensic result before releasing to te euester d Establis a common format for a forensic report ee ix it si t e en providing an opinion it must be clearly mared in te forensic report f Establis a process for amending a forensic report

b uality ssurance Components Ceclist

itti orensic results impact te urisdictional system so tey must be correct and reliable Te can assure and demonstrate confidence in its forensic result by oining te accreditation programme Te accreditation body ill evaluate te process on an annual basis to ensure it is meeting te global standard

ltoug oining te accreditation programme is recommended in general it is voluntary and not mandatory in most countries tat is interested in te accreditation programme may refer to its own country’s Accreditation Body for details of the process.

ome notable benefits of being accredited are its b itti Es i i th si st en a receives numerous cases in a year it is generally difficult for te laboratory to monitor te performance of te forensic or and of te Examiners Te standard defines te process of monitoring te uality aspect of te forensic result it accreditation tis process ill be assessed annually to ensure te laboratory continues to maintain its performance n addition te process of managing and examining te evidence must follo te international standard providing confidence to te staeolder in te forensic result produced by te

age

loal uidelines for diital forensics laoratories

sstti ith sti sss A with seeral ainers ust ensure that each ainer follows the sae set of processes. his is to ensure that testionies in court are coherent and consistent etween each ainer coin fro the sae thus facilitatin iediate understandin y the prosecutors udes and other court staff. ain this accreditation in place ensures that the estalishes the necessary standard processes and also ensures that ainers ipleent the. it sts ne of the reuireents in is to conduct continuous iproeents to the la processes. he can enefit fro accreditation y ipleentin continuous iproeents and ensurin the la produces ore uality results. An eaple of such ipleentation is court testiony onitorin. ainers are ale to continuously iproe their ethods of presentin the results in court if they are ein onitored and proided with constructie feedac. b Benefits of a Accreditation

lectronic eidence has posed challenes to the inestiation of certain cases due to its nature which is uniue and different fro traditional types of eidence. herefore it ust e handled with due care. he ai of this docuent is to proide the standard uidelines for the anaeent of a and for the eaination of electronic eidence. his is to ensure that the electronic eidence and the result produced y eer countries is accepted in other urisdictions.

he ainer and the anaeent of the ust always strie to update ethodoloies uidelines and procedures with current adanceents in technoloy. nly then can we toether rin down criinals and sere ustice as it should e sered.

ae

loal uidelines for diital forensics laoratories

E E E

he followin is a recoendation of sillsets for the ainer. he reader shall tae note that the list is nonehaustie and needs to e updated fro tie to tie.

t i ist

oundation oputer raniation of coputer ow coputer

oundation stores data Bits ytes olution of diital edia and storae syste. ile yste ecial headecial inary ittle

endian i endian ectors cluster slac space etadata data filenae A . ntroduction to aw enforceent and reulators

nestiation and ntroduction to forensic science electronic iital orensics eidence and its nature ateories of electronic eidence ethodoloy orensics terinoloies.

dentification nforation ather facts of the case online resere atherin the athered facts. ollection ollection and irst responder roles and ead and aination acuisition and lie acuisition hoosin aination the est data acuisition ethod riae ethod riae tool.

Analysis ata ecoery torae technoloy aaed hard dis and flash drie syptos oical and physical recoery ata recoery tools ecoery of data usin tools. oputer orensics peratin systes technoloy etadata

reistry artefact ata traction ata analysis ata hidin techniue Analytics for lare sets of data eory Analysis. oile hone oile phone echnoloy and eolution orensics ser telecounication proider technoloy types of data acuire and analysis tools preseration of data. etwor orensics etwor ypes nternet history files and

ooies ser redentials etwor forensic tools eadin pacets. Audio ideo and nderstandin the technoloy

ae orensics nhanceent ile Authentication oparison. erin nderstandin the technoloy Accessin

echnoloy data fro the deice ata traction ata

ae

loal uidelines for diital forensics laoratories

- ocial edia analysis ata interpretation eportin the orensic findins. - ataase orensic - rone orensic - ehicle orensic - hipourne forensic - ryptocurrency orensic - Bioetric orensic resentation eport ritin he forat of the report ffectie result presentation to staeholders. aw oc ourt aws related to cases nternational aw nternational ollaoration resentin epert testiony in court ntroduction to ourt structure uittin electronic eidence in court. tiuette tiuette rofessional ode of ethics ethical non ethical code of conduct. a uality anaeent nderstandin standards onductin anaeent Audit uality anaeent yste. ealth afety dentify haards ealth and afety easures elfprotection.

ae

loal uidelines for diital forensics laoratories

E E EE

he followin is a suested list of asic euipent that a should own. he reader should note that the list is nonehaustie and ore ay e reuired dependin on the nature of cases receied.

o te

aptop oputer analysis software ata recoery software

oile deice analysis software

nternet artefacts analysis software

irtual achine software

ain ardware

ocin yste

rite locer

pty storae edia – to store data etracted fro electronic eidence in the short and lon ter  en drie  ternal hard dis  ard dis  erer toolit

ower cale etension

rinter

ocuent shredder

ae

E E E E

E E E E

E E E E E

The exhibit, a hard disk, is put in an anti-static plastic bag and a tamper-proof sticker is put at the opening of the bag. The Examiner then puts his/her initials on the sticker, along with the exhibit’s label, date and time that the exhibit is sealed.

In this sample, the exhibit is put in a tamper-proof plastic bag. Details of the exhibit, the Examiner and the chain of custody are available on the plastic bag.

E EE

isiti sht

E

E E ☐st ☐t ☐ ☐th ☐ ☐ ☐ ☐ ☐th ☐ ☐ ☐ ☐th ☐s ☐ – s

E See Guidance Notes

☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐ ☐

This section is available to add additional notes that are not included in the standard form, or to expand upon notes, i.e. types of errors received, problems encountered during imaging process.

refers to the “code” name assigned by the project manager

is a standalone drive, check ‘other’ and write in ‘ drive’ refers to the date and time from the examiner’s computer

–

lobal guidelines for digital forensics laboratories

cuisition ardware indicate the type of acuisition it was, whether you used a write block device, crossover cables, boot disk, etc vidence edia refers to the drive where the image will be located ndicate the rive abel, serial number, and the vidence isk rive umber ie of rive total sie of hard drive in or ie of mage indicate the total sie of the image the sie of the hard drive, indicate whether or mage erified when the image is completed and verified, check the box rrors indicate if any errors were found during the verification process f so, use the “Notes” section on the back of the sheet to record the specific errors ash alue record the hash value generated during the imaging process e sure to check that the acuisition hash value and the verification hash value match

age

N oba ieines fo iita foensics aboatoies

tat

et esi li eie hawae witeble

set wie ha is i the li eie i the esi wstati

eeate exat esi iae si t aliate ha stwae tls

e w ies

ei the les esi iaes b hash allati a ais

eel a the iaes

eel tast the iaes t the esis lab eiee alt notary’s office or court obtaining the hai st

ae

N oba ieines fo iita foensics aboatoies

tart

eie reuest assess urgency an aount of ata

rgent or arge onsier conucting ata triage

rocess eibits in orer of riority

ecoer eete artitions

ter casesecific ecoer eete rocessing tass fiesfoers

as fitering arsing of artefacts

ne eyor ignature naysis searces

ount container fies asignature anaysis for ounte containers

nayse ata

n

ae

N oba ieines fo iita foensics aboatoies

ANALYSING EXHIBIT’S ARTEFACTS

age ie

entification of artefact categories an rioritie te

ffice ictures nternet ais ser ctiity ncrytion ocuents ieos roser

earc for earc for earc for fu iter for instae eai cients arse user oue arious eia nternet secific encrytion iter for arious forats brosers artefacts eg office forats ie eg g recenty use ie oc ot gif ng ai ocuents arse arious t o an ounte eai cients s base on fie eg an eices an earc for fies forat ie signature base on fie ost it big sies signature arse broser istory cace freuenty unnon fie for fie starte signatures an entries softare a ig entroy assors earc for booars ebai enerate eb searces icture an brosing tubnais earc sessions f encryte sit ieos ocuents ouesfies ecoer into accoring to reate user ere foun ages tubnais for case reuest actiity gater faster ieing tieine inforation incuing ogins about assors ort ata an ogoffs iter eais incuing into reaabe accoring to nayse forat ie case reuest tubnais accoring to sreaseet case reuest ui a ort ort ictionary an ocuents an tieine into use ort eais its etaata iter ata for ort eia reaabe custers to incuing case secific an its forat attac te attacents etaata criteria encrytion

ncue a finings into forensic reort

ae

N oba ieines fo iita foensics aboatoies

AENIX CN REIREENTS FR FRENSIC RERT

oon eieents fo oensic eot ite Nae an aess of aboato ocation hee coection an eaination take ace ae nbe an inication of ae en eeste nae an contact infoation etho se fo the case escition of eectonic eience ate hen eience as eceie b ate of eaination ate of eot issance oensic est Nae an fnction of the eson athoiin the eot

ae

N oba ieines fo iita foensics aboatoies

AENIX ELECTRNIC EIENCE HANLING he fooin is a basic sestion fo the hanin of eectonic eience

heckist fo eectonic eience hanin L  ience st be nie abee once it is eiee to the f it is iffict to t a abe on the eience the DFL can put the label on the evidence’s seal.  he abe st sta thohot the ifetie of the eience in the  abes st aso be abe to tack sbites ae fo a obie hone an fo the i ca containe in the hone S  ience st be seae sin a oe containe  he containe st be abe to etect an access ae to the eience  he sea st be sine an ate b the aine  ach tie eience is accesse the eson oin so st sea the eience aain once the ocessin is coete beain hishe sinate an ates  f eco of eectonic eience st be estabishe tes to be ecoe ince eience te seia nbe anfacte an efects an an abes  ience inento ist st aso be estabishe in the  chain of csto eco st be estabishe fo each iece of eectonic eience t ini it st contain a nie abe initias an ate N L  ience not in the ocess of eaination e to the Examiner’s long leave or aines focsin on hihioit cases st not be eft nattene in the t st be oe stoe aa to eent containation  ience st aso not be eft nattene in the tansotation ocess  ectonic eience st be oe taken cae of an be ket aa fo soces of containation sch as ate heat etee hiit an eectoanetic fie

S  ectonic eience st be stoe in a sece ace ith iite access  eco of checkin an checkot of the eience fo toae oo st be ket ate  co of the oiina eectonic eience st be ae to esee inteit of the oiina eience  ash ae of oiina eience an its co st be the sae  aination an anasis st be concte on the co of eectonic eience

ae

EL lobal guidelines or digital orensics laboratories

AENIX L INTERL FL SERICE REEST FR F FL R A se this orm to ormall reuest assistance rom EL DFL. he orm must be illed out completel and accuratel b the . dierent criminal la enorcement agenc authoried b the NCB (“Contact Agency”) may fill out the form, however this request must be sent to INTERPOL b the . he inormation in this orm ill be assessed to determine hether the EL DFL is able to provide assistance. ore detailed inormation ill allo or a timel response. n case o an uestions EL ill liaise ith the contact persons indicated in this orm.

R EL ember ountr itlean o ontact erson Last ame First ame ontact email address oicial ontact phone pproval to coordinate E. E FED LL E EL directl ith ontact genc EE. E. DE L E. . D L E .

C A NCB ame o genc ontact address ice phone itlean o ontact erson Last ame First ame ontact email address oicial ontact obile phone

C rimar ence unishment upon conviction under ember ountr la ther ountries nvolvednternational haracter o the ence Exhibit relates to ic all that uspect appl ictim erson o interest. Explain

age

INTERPOL lobal guielines for igital forensics laboratories

Brief escrition of Case

R INTERL FL T () Lac of eertisenowlege () Lac of resourcesfuns () Lac of equimentsoftware () Others Please secify

E G ill INTERPOL L Officers be require to interact with () E ehibits () NO If YES…

(1) Will exhibits be “original” exhibits or “copies” () ORIINAL As far as possible, please restrict exhibits to copies. () COPIE () ill INTERPOL staff have to visit the ember () E Country for the assistance () NO () Contact etails of erson(s) from ember Country () ame as Contact Agency who will be resent uring the assistance Please note () ifferent – Please secify that INTERPOL will assist an guie this erson to erform the tas requeste here, an to reare a reort for ember Country use

INTERL FL T () Etraction of information from the ehibits Please escribe the information to be etracte (Choose all that aly) () Imagesvieos Relating to () iles Relating to () Tet messages Relating to () Technical etails () Others Please secify () Information on how to etract material from the ehibits, the etraction to be one by the ember Country () Information on available software or roucts to erform a tas on the ehibits

Page

IE lobal gielines for igital forensics laboratories

What is the tas (Exaple nlocing a loce obile eice) nl open sorcefree softare recoenations () YES () roprietar softare recoenations elcoe () YES ()

E H R I

I Exhibits (incling riginal Exhibits) are reire to be hanle please proie instrctions in relation to the folloing (1) lease proie specific instrctions or reireents on hanling

() lease list an specific actiities or processes that S be one

() lease specif an particlar instrctions ith respect to recoring of the assistance process particlars of the Exhibit or the chain of csto

() lease proie an other inforation of releance for the assistance (For example, is the Exhibit in ‘switched off’ mode? Were any prior attempts made to extract information?)

() If IE consiers that thir part assistance is necessar to proie the assistance soght in this reest oes the agree to see assistance fro another eber ontr subject to both NCB’s consent? (*) YES (*) NO

A C he an ontact genc proie IE the folloing assrances his reest for assistance is lafl as teste against the las of the () YES applicable Member Country, applicable international laws and INTERPOL’s onstittion an rles

age

INTERPOL lobal uidelines or diital orensics laboratories

Specifically, Article 3 of INTERPOL’s Constitution states: (*) YES

“t is stricty forbidden for the raniation to ndertae any interention or actiities of a poitica miitary reiios or racia character”

The assistance reuested here will not any in manner cause an infringement of Article 3 of INTERPOL’s Constitution. Nothing in the Member Country’s laws preents the NCB or the Contact (*) YES ency rom obtainin the inormation reuested throuh this reuest or assistance The oence to which the reuest relates has an international lin and is a (*) YES serious offence within the Member Country’s laws. The NCB and Contact Agency understand that INTERPOL’s provision of (*) YES assistance is subject to the assessment o this reuest as per criteria applicable under INTERPOL’s Constitution, rules and regulations. I any inormation is souht to be etracted rom Ehibits, the NCB and the (*) YES Contact ency endeaour to limit the reuest or etraction to inormation o releance to the oence concerned, and proportionate to the purpose or which the etraction is souht Should INTERPOL aree to proide the assistance souht throuh this (*) YES reuest, the Contact encyNCB shall sin an areement in the orm proided by INTERPOL, prior to the proision o assistance In case interaction with Ehibits is necessary, INTERPOL shall proide (*) YES assistance and uidance to desinated Member Country personnel to perorm the reuest outlined in this reuest or assistance, and prepare necessary reports urther to the same Etractions will not be perormed in the absence o Member Country personnel, other than in eceptional circumstances as INTERPOL may consider appropriate The Member Country personnel (whether rom the NCB or Contact (*) YES ency) accompanyin the Ehibit(s), i any, shall obsere or ensure the obserance o all reuirements as per the Member Country’s applicable criminal, procedural and eidentiary laws The Member Country personnel (whether rom the NCB or Contact (*) YES ency) accompanyin the Ehibit(s) shall certiy that all reuirements under the Member Country’s laws were met, in etractin the releant information from the Exhibit(s), in the report produced using INTERPOL’s assistance or epertise The NCB and Contact ency acnowlede that INTERPOL shall not be (*) YES responsible with respect to the use o any inormation etracted rom any Ehibits, or any reports produced with the assistance o INTERPOL ny use o such inormation or reports in judicial proceedins or otherwise, is at the discretion and responsibility o the NCBContact ency

E S Ehibit Type Mobile eiceard rie Other Physical escription

MaeModel

Pae

INTERPOL lobal guidelines for digital forensics laboratories

Serial

IMEI

Local Exhibit Identifier PasscodePasswords

Any other Relevant Information

E S Exhibit Type Mobile eviceard rive Other: Physical escription

MaeModel

Serial

IMEI Local Exhibit Identifier PasscodePasswords

Any other Relevant Information

E S Exhibit Type Mobile eviceard rive Other: Physical escription

MaeModel

Serial

Page

INTERPOL lobal guidelines for digital forensics laboratories

IMEI

Local Exhibit Identifier PasscodePasswords

Any other Relevant Information

E S Exhibit Type Mobile eviceard rive Other: Physical escription

MaeModel

Serial

IMEI

Local Exhibit Identifier PasscodePasswords

Any other Relevant Information

Page

INTERPOL General Secretariat 200, quai Charles de Gaulle 69006 Lyon France Tel: +33 4 72 44 70 00 Fax: +33 4 72 44 71 63

WWW.INTERPOL.INT INTERPOL_HQ @INTERPOL_HQ INTERPOLHQ INTERPOLHQ