Digital Forensics: Tools, Techniques, and a Case Study Approach

In modern-day investigations, it is very unlikely that a suspect has had no contact with at least one digital device, such as a phone, laptop, desktop computer, or hard drive. Without proper techniques, it would be very difficult to find relevant information on these devices. This is where digital forensics can assist investigators in processing these critical devices.
Why is Digital Forensics Important?
Digital forensics encompasses anything digital and provides methods for processing many different types of data sources. It helps filter out the information specifically relevant to an investigation, discover violations of organizational policy, and pinpoint possible suspects in cyber incidents. It provides the context investigators need to understand what happened.
Definition
Digital forensics is a branch of forensic science that deals with evidence found on any form of digital device. Digital evidence is case-determining information recovered from digital devices. Each standard provides its own classification of evidence types and forensic branches. The two most popular standards are ISO/IEC 27037 from the International Organization for Standardization (ISO) and NIST SP 800-86 from the National Institute of Standards and Technology (NIST).
ISO/IEC 27037 categorizes evidence into six types: storage media, mobile devices, network evidence, cloud services, volatile data, and embedded systems. NIST SP 800-86 categorizes the branches of digital forensics by four data sources: data files, operating systems, network traffic, and applications; it uses the same four categories as its evidence types.
Both standards were created by their respective organizations as outlines of what each considers good digital forensic practice. NIST SP 800-86 will be the focus of this article because of its detailed overview of data file forensics, the type of digital forensics the upcoming case study concerns.
Tools Used in Digital Forensics
The three most popular tools used for digital forensics are ProDiscover, FTK, and Autopsy. ProDiscover is designed for capturing, analyzing, and preserving digital evidence from computers specifically. FTK is a suite of tools for forensic imaging, processing, and analysis. Autopsy is an open-source, user-friendly graphical interface to The Sleuth Kit (TSK), containing modular plugins and a variety of additional functions to support a free investigative environment.
ProDiscover’s biggest advantage is that it excels at live system analysis and has a long history of success in corporate cases involving Windows systems. FTK, however, is the most feature-rich of the three and a class above the rest when a single product is needed for large-scale, detailed investigations spanning multiple file system types. Both are excellent commercial tools that can produce court-ready evidence.
Autopsy, on the other hand, has only about ninety percent of the capabilities of the other two tools, but it excels where they fall short: it is economically viable for many users, has community support, is adaptable through a large library of additional plugins, and has an easy learning curve. This is why Autopsy is the choice of many users and is widely recommended.
Case Study
Background
BCJ Company is an upcoming big player in the mousepad industry. Their previous lineup of quiet, textured glass designs with beautiful artworks has pushed the market’s standard for what a mousepad should be. Every business quarter for the past 2 years, they have been able to drop a new jaw-dropping and trend-setting product. This has inspired a lot of competition in the industry, but no one has come close to beating them.
Although this unprecedented chain of success is a massive blessing, BCJ Company has struggled to keep up with the unending rise in demand, which has forced them to speed up their expansion. Upper management and human resources could not always properly keep track of all workers’ activity and training, nor could they properly screen new hires. Rumors have spread in the company offices that QCK Company’s latest product is a direct copy of what the development teams are working on.
Human resources has decided to conduct a company-wide survey to check for any suspicious behavior, and an anonymous tip has named Jimmy Thompson as a likely suspect. Jimmy is a new company hire who previously worked at QCK Company as a low-level executive but wanted to transfer to BCJ Company’s production team due to “working environment conflicts.” Thanks to the company’s IT policy, Jimmy’s company computer has been seized, and he has been put on temporary suspension. The investigation team must now determine whether there is evidence that Jimmy leaked sensitive company documents.
Case Analysis
Based on NIST SP 800-86, this investigation falls under the data file forensics category, as the investigators must look through the file system of Jimmy’s company computer. NIST’s guideline for the investigation consists of four phases: collection, examination, analysis, and reporting.
The forensic tools must not operate on the device directly, as doing so might compromise its integrity. FTK Imager, the free imaging tool of the FTK suite, will be used to capture the state of the device. This copy will be a one-to-one image and will be the basis on which the investigation is carried out. Another copy of the output image file will be made so that the original image is handled as little as possible.
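The check a practitioner wants at this step is that the archived image still matches the hash recorded at acquisition and that the working copy is bit-for-bit identical to it. The script below is an added example, not part of the original article or of the FTK suite; it assumes the acquisition hash was recorded with SHA-256 and uses tiny constructed files in place of a real disk image.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-gigabyte images


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256; suitable for raw .dd images."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_working_copy(original: Path, working_copy: Path, acquisition_hash: str) -> dict:
    """Check the archived original against the hash recorded at acquisition, then
    check that the working copy is bit-for-bit identical to the original.
    The returned record is what you would paste into the custody log."""
    orig_hash = sha256_of(original)
    copy_hash = sha256_of(working_copy)
    return {
        "original_matches_acquisition": orig_hash == acquisition_hash.lower(),
        "copy_matches_original": copy_hash == orig_hash,
        "original_sha256": orig_hash,
        "copy_sha256": copy_hash,
    }


def demo() -> dict:
    """Constructed stand-in files: a tiny 'image', a faithful copy and a copy with
    one byte altered. Not real evidence."""
    data = bytes(range(256)) * 64  # 16 KiB of deterministic filler
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "jimmy_pc.dd"
        image.write_bytes(data)
        acquisition_hash = sha256_of(image)  # assumed to have been logged when imaging
        good = Path(d) / "working_copy.dd"
        good.write_bytes(data)
        bad = Path(d) / "damaged_copy.dd"
        bad.write_bytes(data[:-1] + bytes([data[-1] ^ 0xFF]))  # flip one byte
        return {"good": verify_working_copy(image, good, acquisition_hash),
                "bad": verify_working_copy(image, bad, acquisition_hash)}


if __name__ == "__main__":
    for name, record in demo().items():
        print(name, record)
```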
The examination phase will be carried out using Autopsy for the reasons mentioned above. After the evidence is imported, Autopsy allows the user to run it through its Ingest Modules. These are core components, with additional modules available for more options, that perform automated analysis on the evidence provided; for example, they can check through directories to detect anomalies and generate artifacts. Figure 3 shows some of the modules that BCJ Company’s investigator will run on the evidence.
After the evidence is thoroughly processed, Autopsy is able to show all data regarding the file system. Figure 4 shows a general overview of what Autopsy looks like at this stage. This is where the analysis stage starts. The investigator can look through specific file types, view deleted files, or go through all the directories within the evidence as if they were a normal user logged in to the computer. Through careful examination and analysis, case-determining information can be found and added to the built-in case report.
After collecting sufficient information, a proper timeline of Jimmy’s activities on his computer can be built. This leads to the report phase of relaying all the information found regarding Jimmy. At this stage, all irrelevant information has been discarded, and only relevant data is left to construct a proper timeline of what has happened on this computer.
Case Report
The general overview of Jimmy’s computer usage is that he only used it as a storage device and as an email client on the company mail network. His browsing history, suspicious deleted files, and downloaded executable installers were all produced by the IT department when they first configured the device before handing it to Jimmy. A total of ten email addresses and 84 email messages were found. The core event timeline based on the email threads is as follows:
Jimmy has a history of not doing work on time and is constantly yelled at by Tony (tonym@company.com), the superior he reports to. It would not be an exaggeration to say that Thomas (thomasf@company.com), his intern/assistant, did the majority of Jimmy’s assigned tasks. Jimmy appears to have constantly lied about his daughter’s illness as an excuse to ask Thomas for favors. The assistant has shown signs of hatred for Jimmy, which eventually led to Thomas’s resignation, as seen in Figure 5.
Jon (jonh@company.com) appears to be a very close friend of Jimmy, and they constantly chat about various things going on at the company. When Jimmy shared that Tony would likely fire him, Jon suggested that they “speed up the plan”. They both seem to want to return to QCK Company along with the exfiltrated sensitive company document. Jon assured him that if the email was deleted, no one would know. This led to the last email sent from Jimmy’s computer, which contained two PDFs of BCJ Company’s glass mouse pad blueprint, as shown in Figure 7. The investigators were able to extract the email attachments using Autopsy, as shown in Figure 6.
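The timeline above was assembled by reading the recovered messages in date order and noting which ones carried document attachments. The script below is an added example of that analysis step, not code from the article or from Autopsy: it parses .eml-style messages with Python's standard email library, orders them by send time, and flags the ones with PDF attachments. The four sample messages are constructed for the example, and Jimmy's address (jimmyt@company.com) is an assumption; only Tony's and Jon's addresses come from the case report.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

# Tony's and Jon's addresses are from the case report; Jimmy's is assumed.
JIMMY, JON, TONY = "jimmyt@company.com", "jonh@company.com", "tonym@company.com"


def build_eml(sender, to, subject, date, body, attachments=()):
    """Build a constructed .eml string standing in for a message Autopsy recovered."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"], m["Date"] = sender, to, subject, date
    m.set_content(body)
    for name in attachments:  # invented PDF bytes, just enough to carry a filename
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename=name)
    return m.as_string()


# Constructed sample mailbox, deliberately out of order to show the sort.
SAMPLE_EMLS = [
    build_eml(JON, JIMMY, "Re: Tony", "Tue, 04 Mar 2025 18:45:00 +0000",
              "Then we speed up the plan. Delete this thread and nobody will know."),
    build_eml(JIMMY, JON, "glass pad", "Wed, 05 Mar 2025 20:10:00 +0000", "Here they are.",
              attachments=("glass_pad_blueprint_v3.pdf", "glass_pad_specs.pdf")),
    build_eml(TONY, JIMMY, "Q3 deliverables late again", "Mon, 03 Mar 2025 09:12:00 +0000",
              "This is the third time."),
    build_eml(JIMMY, JON, "Tony", "Tue, 04 Mar 2025 18:30:00 +0000", "He is going to fire me."),
]


def build_timeline(raw_messages):
    """Parse each .eml, pull the fields the report needs, and sort by send time."""
    events = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        events.append({
            "when": parsedate_to_datetime(str(msg["Date"])),
            "from": str(msg["From"]), "to": str(msg["To"]), "subject": str(msg["Subject"]),
            "attachments": [p.get_filename() for p in msg.iter_attachments()],
        })
    return sorted(events, key=lambda e: e["when"])


def flag_document_transfers(timeline, suffix=".pdf"):
    """Messages carrying document attachments are the candidate exfiltration events."""
    return [e for e in timeline
            if any((a or "").lower().endswith(suffix) for a in e["attachments"])]


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_EMLS):
        print(e["when"].isoformat(), e["from"], "->", e["to"], e["subject"], e["attachments"])
```

On a real case the list of raw messages would be the .eml files exported from Autopsy, read from disk instead of constructed inline.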
The investigators can conclude that Jimmy did, in fact, leak confidential company documents. The evidence also revealed that the documents were sent to another employee in the company, Jon, via the company email network. Jimmy and Jon are both complicit in this company policy violation. Jon likely has a way to exfiltrate these documents outside the company network to his own private devices. The case must proceed with an investigation into Jon’s devices to determine where the documents have been leaked to.
Conclusion
Digital forensics is essential in modern-day investigations. It allows for the proper collection, examination, and analysis of digital evidence. NIST SP 800-86 is a good guideline for helping investigators understand what needs to be done during a digital forensic investigation, and for properly categorizing evidence and process types. While many tools are available for purchase, Autopsy is a free, open-source, and excellent digital forensic tool usable at any skill level, with community support and libraries of modular add-ons to expand the depth of an investigation further.