Digital or electronic evidence is any information and data of investigative value that is stored on or transmitted by an electronic device. Equipment and software are required to make the evidence visible, and testimony may be required to explain the examination process and any process limitations. Electronic evidence is accepted as physical evidence and is by its nature fragile: it can be altered, damaged, or destroyed by improper handling or improper examination. Thus, special precautions must be taken to document, collect, preserve, and examine this type of evidence, and the methods used to collect it must preserve its integrity.
The Scientific Working Group on Digital Evidence (SWGDE, www.swdge.org) and the International Organisation on Computer Evidence (IOCE, www.ioce.org) have set standards for recovering, preserving and examining digital evidence.
General tasks that the investigator must perform while working with digital evidence are as follows –
- Identify digital information or artefacts that can be used as evidence.
- Collect, preserve, and document evidence.
- Analyze, identify, and organize evidence.
- Rebuild evidence or repeat a situation to verify that the results can be reported reliably.
- Properly follow procedures for packing, transportation, and storage of electronic evidence.
Computer records must also be shown to be authentic and trustworthy to be admitted into evidence. Computer-generated records are considered authentic if the program that created the output is functioning correctly. To show that computer-stored records are authentic, the person offering the records must demonstrate that a person created the data and the data is reliable and that it wasn’t altered when it was acquired or afterward.
Collecting evidence according to the proper steps of evidence control helps ensure that the computer evidence is authentic, as does using established computer forensics software tools. Courts have consistently ruled that computer forensics investigators don’t have to be subject matter experts on the tools they use. Knowledge of only facts relevant to the case is required. To testify about their role in acquiring, preserving, and analyzing evidence, investigators don’t need to know the inner workings of the software used, but they should understand its purpose and operation.
For example –
Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1) tools use complex algorithms. During cross-examination, an opposing attorney might ask you to describe how these forensics tools work. You can safely testify that you don’t know how the MD5 hashing algorithm works, but you should know how to describe the steps for using the MD5 function in AccessData Forensic Toolkit, for instance.
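The requirement above, showing that a record was not altered when it was acquired or afterward, is typically met by hashing the acquired image and re-checking the hashes later. The following Python code is an added example, not code from the original page or from any forensic tool; the record field names, case ID and file name are hypothetical, the 4 KiB image is constructed sample data, and SHA-256 is included alongside the MD5 and SHA-1 the page names.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

# MD5 and SHA-1 are named on the page; SHA-256 is an addition in this example.
ALGORITHMS = ("md5", "sha1", "sha256")

def hash_image(path, chunk_size=1 << 20):
    """Stream the file in chunks so a large disk image never sits in memory."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def acquisition_record(path, examiner, case_id):
    """Record written at acquisition time (field names are hypothetical)."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_image(path),
    }

def verify_image(path, record):
    """Re-hash the image; return what no longer matches (empty = unaltered)."""
    problems = []
    if os.path.getsize(path) != record["size"]:
        problems.append("size")
    current = hash_image(path)
    problems += [a for a in ALGORITHMS if current[a] != record["hashes"][a]]
    return problems

def demo():
    """Constructed sample: a 4 KiB stand-in image, then a one-byte change."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096)
        record = acquisition_record(image, "examiner-1", "CASE-0000")
        before = verify_image(image, record)      # checked right after imaging
        with open(image, "r+b") as fh:            # simulate improper handling
            fh.seek(100)
            fh.write(b"\x01")
        after = verify_image(image, record)       # same size, different content
        return record, before, after

if __name__ == "__main__":
    record, before, after = demo()
    print(json.dumps(record, indent=2), before, after)
```

The single changed byte leaves the file size identical but breaks every digest, which is why the hash record, not the size or timestamp, is what supports the claim that the evidence is unaltered.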