A digital forensic investigation is conducted in a manner that parallels a physical police investigation. The digital crime scene consists of hardware and software that hold clues to solving a digital crime. The process of conducting a digital investigation requires first the formulation of hypotheses. It is these hypotheses that are tested to give us information about the state of the computer. The process is done in a scientific manner in order to get concrete information from the digital data. The digital evidence lies in the hardware and software of the computer under investigation, and it is up to the investigator to extract it successfully. Digital evidence refers to the data that is used to prove or discredit the hypotheses formulated in relation to the investigation (Carrier, 2006). The digital forensic investigation process is divided into three main general steps, namely: system preservation, searching for evidence, and reconstruction of events.
System preservation phase
This is the first step in the investigation process, and it is aimed at preserving the state of the digital crime scene. The whole purpose of this step is to reduce the amount of data that may be overwritten or lost. It depends on the legal or operational requirements of the investigation and may involve unplugging the system and making a full copy of all data for preservation. A dead analysis is done by running trusted applications in a trusted operating system to find evidence. All processes are terminated by turning off the system, and copies of all data are then made. One can also prevent evidence from being overwritten by using write blockers. In a live analysis, the suspect processes can be terminated or suspended, and then the network cable is unplugged. Alternatively, network filters can be used to prevent the deletion of files from a remote server. To confirm that the preserved data does not change, a cryptographic hash is calculated on the data from the live or dead analysis. A hash function is a mathematical function that produces a large, fixed-size number from its input data. If the hash computed later differs from the one recorded at preservation time, it is an indication that the data has been tampered with.
Evidence searching phase
This process starts by searching the common locations related to the type of incident involved. In the course of the investigation, the search is done both for evidence in support of the hypothesis and for evidence to refute it. The process involves defining what to look for and where to look for it. Most of the search is done in a file system and inside files. This can be done by looking for keywords inside the content of the files, or by looking for file names or patterns in their names. Files can also be searched for by the time they were written or accessed. Searching for files based on their signatures enables them to be found even after their names have been changed, while hash databases can be used to find files that are known to be good or bad. When conducting network data analysis, a search is done on all packets from a particular source address, or on all packets going to a specific port. Keywords can also be used to find packets containing them.
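The preservation hash check and the signature- and hash-based file search described in the two phases above, as an added example that is not part of the original text. The file contents, the signature table and the "known-bad" hash entry are all constructed for the demonstration.

```python
import hashlib

# Constructed stand-in for the files recovered from a preserved image; the
# first and last names are deliberately misleading so signature search matters.
SAMPLE_FILES = {
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,   # really a PNG image
    "report.pdf": b"%PDF-1.4\n%constructed sample\n",
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "backup.dat": b"MZ" + b"\x90" * 30,                 # really a Windows executable
}
# File signatures (magic bytes), checked regardless of the file name.
SIGNATURES = {b"\x89PNG\r\n\x1a\n": "png", b"%PDF-": "pdf",
              b"\xff\xd8\xff": "jpeg", b"MZ": "exe"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def preserve(files: dict) -> dict:
    """Preservation phase: record the hash of every item at acquisition time."""
    return {name: sha256_hex(data) for name, data in files.items()}

def verify(files: dict, manifest: dict) -> list:
    """Return the names whose current hash no longer matches the manifest."""
    return sorted(name for name, digest in manifest.items()
                  if sha256_hex(files.get(name, b"")) != digest)

def identify(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def search_by_signature(files: dict, kind: str) -> list:
    """Evidence search: find files of a type even if they were renamed."""
    return sorted(name for name, data in files.items() if identify(data) == kind)

def match_hash_database(files: dict, known: dict) -> dict:
    """Evidence search: flag files whose hash is in a known-good/known-bad database."""
    return {name: known[sha256_hex(data)] for name, data in files.items()
            if sha256_hex(data) in known}

if __name__ == "__main__":
    manifest = preserve(SAMPLE_FILES)
    tampered = {**SAMPLE_FILES, "holiday.jpg": SAMPLE_FILES["holiday.jpg"] + b"\x00"}
    print("changed since preservation:", verify(tampered, manifest))
    print("executables regardless of name:", search_by_signature(SAMPLE_FILES, "exe"))
```

A single appended byte is enough to change the hash, which is why the manifest must be recorded before any analysis begins.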
Events reconstruction phase
Once the evidence has been gathered, it is used to reconstruct the events that occurred in the system in order to determine the actual cause of the crime. The reconstruction phase allows for the determination of the actual cause of the final event, since the event itself may have come about as a result of several processes, some of which may not be illegal or criminal. Once the digital events have been reconstructed, the investigator can correlate them with actual physical events. During reconstruction, the investigator must know about the applications and operating system of the computer under investigation, and use them to formulate hypotheses based on their capabilities (Carrier, 2005). Different events can occur in different operating systems, while one application can cause different events. Once the hypotheses are proven, it should be clear what exactly took place and who is responsible.
A digital forensic investigation is a methodical process that follows well-defined steps. A good investigator must be able to preserve the data from a digital crime scene and extract all available evidence from it. Gathering evidence involves ruling out other possible causes and narrowing down to specific suspect processes or events. The investigator must also make sure he/she follows the law without infringing on the rights and privacy of those under investigation. Laws governing digital forensic investigations include the USA PATRIOT Act of 2001, which allows for the searching and seizing of computers and the obtaining of electronic evidence in criminal investigations. Other legislation includes the Communications Assistance for Law Enforcement Act (CALEA) of 2001. These laws are designed to allow for proper digital forensic investigations while at the same time protecting the rights of citizens.