Device Handling And Digital Evidence Processing And Analysis

Using Predefined Criteria

This protocol covers all the steps needed to comply with the attached court order in case # FMCE13007297 signed by Judge Fabienne Fahnestock.  Specifically, it encompasses every step from the onset of collection through case reporting (if requested); each area below is described in detail.

  • Collection
  • Acquisition/Imaging
  • Analysis
  • Reporting

Collection

Before moving a storage device or data source, such as a hard drive, mobile device, cloud data, social media account or any other form of digital data, the collection process shall be documented in writing and/or photographed.

  1. Create a historical record of personnel access to, and of the condition and location of, the storage device or data source.  Document every transfer of the evidence from location to location or person to person on a chain-of-custody form approved by the Law Firm or Attorney.
  2. Connections:  storage devices or data sources, such as USB drives, microSD and SD cards, CD/DVDs, hard drives, GPS units, mobile devices, smart watches, etc., shall be connected to a laptop or another device capable of imaging the storage device, data source or cloud-based data.  In civil cases where the device itself will be returned to the owner(s) and used after imaging, a live acquisition using a collection device such as a USB drive loaded with imaging software is the preferred method rather than taking the device apart and removing the storage drive or media.  Where a drive or media is removed, attach it through a hardware write blocker so that nothing can be written to the source.
  3. To preserve the current state of the storage device or data source, avoid unnecessary use of it while it is being imaged.  Do not:
    1. Manually search the device using non-forensic tools or techniques
    2. Use or click third-party applications or installed applications on the device itself
    3. Attempt to unlock/lock the device unless it is required for access and imaging
    4. Apply power to the device unless it is required for access and imaging
  4. Be aware of and cautious while handling mobile storage devices or data sources with touch screens and side buttons.
    1. To avoid pressing buttons, handle the storage device or data source by the corners or with care to avoid inadvertent device actions.
    2. The side buttons may be customizable and may have been changed by the owner.  Assumptions cannot be made about the intended purpose of a particular button.
  5. If applicable, connect the storage device or data source to a power source while imaging to prevent it from powering off during the collection process.
  6. Prior to imaging a mobile device, verify that it is not connected to Wi-Fi, Bluetooth, cellular or GPS, to eliminate all incoming and outgoing data transmissions or potential data changes (including a remote wipe or lock).  Enabling airplane mode and, where available, placing the device in a Faraday enclosure achieves this; record the change under step 8.
  7. If applicable, locate the “auto-lock” or “screen timeout” setting and set it to “never” or the maximum time allowed, to prevent the device from locking during imaging.
  8. Document, and notify the device custodian or owner of, any changes made to the original configuration of the storage device or data source so that they can choose to reset them after the imaging process.

Acquisition/Imaging

Imaging is the process of creating a forensic copy and/or snapshot image and/or logical collection of files/folders and/or cloud-based data such as social media or cloud services, including WhatsApp, iCloud, Google, Microsoft, Mi Cloud, Huawei, Samsung, e-mail (IMAP) servers and more.  Prior to performing the acquisition it is necessary to have a signed court order or a consent to search from a person with authority to give consent.

  1. Search Warrant:  A search warrant is a judicial order issued by a judge or magistrate that gives permission to and authorizes the Law Firm, Attorney(s) or Cyber Forensics to search a storage device or data source.
  2. Consent to Search:  Where the owner or custodian consents, only a signed consent-to-search form from that person is needed to acquire/image the device.
  3. During the Acquisition/Imaging steps, personnel shall:
    1. Ensure the destination storage media is forensically clean (digitally sterile, holding no previously stored data) by “wiping” the destination media before use.  The source media is the evidence and is never wiped; it is only read.
    2. If the data is to be shipped or placed where it could be stolen or lost, create an encrypted volume on the wiped destination drive, using VeraCrypt or another encryption program, to protect the data.
    3. Format the wiped drive, or the encrypted volume created on it, using the Windows Extended File Allocation Table (exFAT) file system; exFAT is readable on Windows, macOS and Linux and, unlike FAT32, has no 4 GB per-file limit, so large image files can be stored in one piece.
    4. Create a folder on the forensically clean storage media with a unique name that identifies, at least in part, the originating source or the case name/number; two examples are listed below:  2020_2_10_devicename/model_forensicimagename_1TB or Case1234567_Aaron.vs.Baron_MacBook.  Information which can be included:
      1. Device owner name and/or case number
      2. Device name/model (evidence and/or serial number, if possible)
      3. Extracted data name/type (hard drive, USB, cloud, Facebook, WhatsApp, etc.)
      4. Data source size, either logical, physical or as indicated
      5. Evidence item number
      6. Address where the data was collected

Execute the forensic tool/software (FTK Imager Lite, Oxygen Forensic Detective, Magnet AXIOM, etc.) to acquire or image the storage device or data source and complete the imaging process.

  • During the initial acquisition/imaging process, the tool/software computes a unique signature or “digital fingerprint” of the extracted data and/or image file.  This unique signature is called a hash value.  If applicable to the matter, at minimum the examiner shall obtain an MD5 hash value for the data acquired.  Because MD5 is no longer collision-resistant, a SHA-1 or SHA-256 value should be recorded alongside it where the tool offers one (most imaging tools compute MD5 and SHA-1 together), and the hash should be recomputed on the completed image and compared with the value the tool reported.
  • Once completed, verify that the acquisition/image is readable and accessible by the forensic software.
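The wipe check in step 3.1 and the hash verification in the bullets above can be scripted so that the examiner's notes carry an independent result rather than only the imaging tool's report.  The following is an added Python example written for this page; it is not part of this protocol or of any of the named tools.  It reads a destination volume or device node and confirms every byte is zero, then recomputes MD5 and SHA-256 of the finished image in one pass and compares them with the digests the tool reported.  The file names, the three-byte “abc” image and the reported values are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so multi-terabyte images do not exhaust memory


def is_sterile(path: str, chunk_size: int = CHUNK_SIZE) -> bool:
    """Return True when every byte readable at `path` is 0x00.

    `path` may be a file or a raw device node (e.g. the wiped destination
    drive) that the examiner has read rights to.
    """
    zero_block = bytes(chunk_size)
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                return True
            if block != zero_block[: len(block)]:
                return False


def hash_file(path: str, algorithms=("md5", "sha256"), chunk_size: int = CHUNK_SIZE) -> dict:
    """Compute several digests of one file in a single read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_acquisition(image_path: str, reported: dict) -> dict:
    """Re-hash the image independently of the imaging tool and compare the
    result with the digests the tool reported (keys are algorithm names).
    The returned record is meant to be kept with the examiner's notes."""
    computed = hash_file(image_path, tuple(reported))
    mismatches = {
        name: {"reported": reported[name].lower(), "computed": computed[name]}
        for name in reported
        if reported[name].lower() != computed[name]
    }
    return {
        "image": os.path.basename(image_path),
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "computed": computed,
        "ok": not mismatches,
        "mismatches": mismatches,
    }


def run_demo() -> dict:
    """Constructed demonstration data: a zeroed 'destination', one with a
    stray byte, and a three-byte 'image' whose digests are the published
    MD5/SHA-256 test vectors for the string 'abc'."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "wiped.bin")
        dirty = os.path.join(tmp, "dirty.bin")
        image = os.path.join(tmp, "evidence.dd")
        with open(clean, "wb") as fh:
            fh.write(bytes(CHUNK_SIZE + 17))  # longer than one read block
        with open(dirty, "wb") as fh:
            fh.write(bytes(CHUNK_SIZE) + b"\x00\x01\x00")  # stray byte past the first block
        with open(image, "wb") as fh:
            fh.write(b"abc")
        reported = {  # stands in for the values printed in the imaging tool's log
            "md5": "900150983CD24FB0D6963F7D28E17F72",
            "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
        }
        tampered = dict(reported, md5="0" * 32)  # what a wrong or altered report looks like
        return {
            "clean_is_sterile": is_sterile(clean),
            "dirty_is_sterile": is_sterile(dirty),
            "verified": verify_acquisition(image, reported),
            "tampered": verify_acquisition(image, tampered),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run `is_sterile` against the real destination before step 3.2 and `verify_acquisition` against the image file after the tool finishes, and file the returned record with the chain-of-custody paperwork.  Any mismatch means the image is not to be relied on until the acquisition is repeated.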

Analysis

Utilize appropriate software/tools in accordance with training and/or certification.  During analysis, data filtering may be applied if mandated by the court or if mutual agreements are approved.

The analysis will include all areas which contain deleted or non-deleted data and all data types, using the court-order criteria listed below.  As an example, a computer search in a Windows environment will include all areas of the hard drive listed under Evidence Sources in the forensic software, including Pagefile.sys:

Evidence Sources (screenshot of the forensic software’s evidence-source list, not reproduced here; entries include Pagefile.sys)

  1. When filtering data using date and time criteria, the analysis will be conducted with a defined date and time range.  Specifically, in this case the date and time range, known as the Relevant Time Period, is:
    1. Any search of the Former Wife’s devices is limited to the time period from August 31, 2017 – September 6, 2017, except as set forth in Paragraph 5 herein.  The range is applied inclusively, from 00:00:00 on August 31, 2017 through 23:59:59 on September 6, 2017, in the time zone in which the forensic software displays the evidence timestamps.  This time period is reflected below as the actual setting to be utilized within the forensics software:
    Calendar (screenshot of the date-range filter setting, not reproduced here)
  2. Filtering evidence based on keywords or keyword lists.  Keywords or keyword lists can be stacked to refine the results even further.  Once keywords or keyword lists are added to the analysis process, those lists and keywords appear as filtering options.  The search terms to be used to further filter data within the above Relevant Time Period will be:
    1. Stacy Sarnoff
    2. Terry Fixel
    3. Rae Chorowski
    4. Miranda Soto
    5. Miranda Lundeen Soto
    6. Miranda Lundeen
    7. Miranda L. Soto
    8. Lyle Feinstein
    9. [email protected];
    10. [email protected];
    11. [email protected];
    12. [email protected]
    13. [email protected]
    14. Shook Hardy & Bacon (any variation thereof)
    15. Adam B. Feinstein
    16. David M. Feinstein
    17. Jonathan M. Feinstein
    18. Private investigator
    19. CaseNo: FMCE13007297
    20. Anthony F. Otero
    21. Gail Otero
    22. Top-Notch Investigations, Inc.
    23. [email protected]
    24. [email protected]
    25. Brandon Goldberg (if another one of the Search Terms delineated herein is included)
    26. Dr. Michael A. Schenker
    27. Martha Jacobson
    28. Monica Salgueiro
    29. Bruce Feinstein
    30. Gloria Feinstein
    31. Michael B. Gilden
    32. Supportive relationship
    33. Brett Rogers
    34. [email protected]
    The screenshot below reflects the actual setting to be utilized within the forensics software using the complete keyword list above:
    Keyword Report (screenshot of the keyword filter setting, not reproduced here)
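The stacked filters described above (Relevant Time Period first, keyword list second) can be reproduced outside the commercial tool to cross-check its Keyword Report.  The following is an added Python example written for this page, not the forensic software's own logic; the search terms and message records are constructed placeholders and are not the court's list.  It shows the three decisions an examiner has to make when loading the list: the end bound of the date range (the whole of September 6 must be included), how to fold case and punctuation so that “any variation thereof” is honoured, and how to treat a term that counts only when another term also hits (the Brandon Goldberg entry above).  The time zone is assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Relevant Time Period from the order: August 31, 2017 through September 6, 2017,
# inclusive.  The end bound is the first instant of September 7 so that all of
# September 6 is covered.  UTC is an assumption: the evidence timestamps and this
# window must be expressed in the same time zone.
RELEVANT_START = datetime(2017, 8, 31, tzinfo=timezone.utc)
RELEVANT_END = datetime(2017, 9, 7, tzinfo=timezone.utc)

# Constructed placeholder terms (not the court's list).  A term marked
# conditional counts only when another term on the list also hits.
SEARCH_TERMS = [
    {"term": "Jane Roe"},
    {"term": "J. Roe"},
    {"term": "[email protected]"},
    {"term": "Example Firm & Partners"},  # "any variation thereof"
    {"term": "private investigator"},
    {"term": "Pat Doe", "conditional": True},
]


def normalize(text: str) -> str:
    """Fold case, '&', punctuation and whitespace so that a variation such as
    'Example Firm and Partners, LLP' still matches 'Example Firm & Partners'."""
    text = text.lower().replace("&", " and ")
    return re.sub(r"[^a-z0-9]+", " ", text).strip()


def in_relevant_period(ts: datetime, start=RELEVANT_START, end=RELEVANT_END) -> bool:
    """Inclusive-start, exclusive-end check; refuses naive timestamps because a
    missing time zone silently shifts the window."""
    if ts.tzinfo is None:
        raise ValueError("naive timestamp: convert to the evidence time zone first")
    return start <= ts < end


def matched_terms(text: str, terms=SEARCH_TERMS) -> list:
    """Return the terms found in `text` as whole words, applying the conditional rule."""
    body = normalize(text)
    hits = [t for t in terms
            if re.search(r"\b" + re.escape(normalize(t["term"])) + r"\b", body)]
    if not any(not t.get("conditional") for t in hits):
        return []  # nothing hit, or only a conditional term hit on its own
    return [t["term"] for t in hits]


def search(records, start=RELEVANT_START, end=RELEVANT_END, terms=SEARCH_TERMS) -> list:
    """Stack the filters as the protocol does: Relevant Time Period first, keyword list second."""
    results = []
    for rec in records:
        if not in_relevant_period(rec["timestamp"], start, end):
            continue
        hits = matched_terms(rec["text"], terms)
        if hits:
            results.append({"id": rec["id"], "timestamp": rec["timestamp"].isoformat(), "terms": hits})
    return results


# Constructed sample records standing in for parsed e-mail/message artifacts.
SAMPLE_RECORDS = [
    {"id": "msg-001", "timestamp": datetime(2017, 9, 1, 14, 5, tzinfo=timezone.utc),
     "text": "Meeting with Jane Roe about the filing."},
    {"id": "msg-002", "timestamp": datetime(2017, 9, 6, 23, 59, tzinfo=timezone.utc),
     "text": "Forwarded: invoice from Example Firm and Partners, LLP"},  # variant spelling, last minute of window
    {"id": "msg-003", "timestamp": datetime(2017, 9, 3, 9, 0, tzinfo=timezone.utc),
     "text": "Pat Doe called again."},                                 # conditional term alone: no hit
    {"id": "msg-004", "timestamp": datetime(2017, 9, 4, 9, 0, tzinfo=timezone.utc),
     "text": "Pat Doe says to e-mail [email protected]"},             # conditional term plus another: hit
    {"id": "msg-005", "timestamp": datetime(2017, 9, 7, 0, 0, tzinfo=timezone.utc),
     "text": "Jane Roe sent the documents."},                         # first instant after the window
    {"id": "msg-006", "timestamp": datetime(2017, 9, 2, 9, 0, tzinfo=timezone.utc),
     "text": "Janet Roe is unrelated."},                              # no whole-word match
]


def run_demo() -> list:
    return search(SAMPLE_RECORDS)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit["id"], hit["timestamp"], hit["terms"])
```

Whole-word matching after normalization is deliberate: without it “Jane Roe” would hit inside “Janet Roe”, and without the folding the firm-name variation would be missed.  Whatever rule the commercial tool applies for each term should be recorded in the report so that a reviewer can reproduce the Keyword Report.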

Reporting

Reporting can be verbal and/or written and/or in a format requested by the Court, Law Firm or Attorney, or the client.
