Keeping in mind that forensics is a science, digital forensics requires that one follow appropriate best practices and procedures in an effort to produce the same results time and time again providing proof of evidence, preservation, and integrity which can be replicated ;if called upon to do so.
Although many people may not be performing digital forensics to be used as evidence in a court of law, it is best to practice in such a way as can be accepted and presented in a court of law. The main purpose of adhering to best-practices set by organizations specializing in digital forensics and incident response is to maintain the integrity of the evidence for the duration of the investigation. In the event that the investigator's work must be scrutinized and critiqued by another or an opposing party, the results found by the investigator must be able to be recreated, thereby proving the integrity of the investigation. The purpose of this is to ensure that your methods can be repeated and, if dissected or scrutinized, produce the same results time and again. The methodology used, including the procedures and findings of your investigation, should always allow for the maintenance of the data’s integrity, regardless of what tools are used.
The best practices demonstrated in this book, ensure that the original evidence is not tampered with, or in cases of investigating devices and data in a live or production environment, show well-documented proof that necessary steps were taken during the investigation to avoid unnecessary tampering of the evidence, thereby preserving the integrity of the evidence. For those completely new to investigations, I recommend familiarizing yourself with some of the various practices and methodologies available and widely practiced by the professional community.
As such, there exist several guidelines and methodologies that one should adopt, or at least follow, to ensure that examinations and investigations are forensically sound.
The 2 best-practices documents mentioned in this chapter are:
- the ACPO's Good Practice Guide for Digital Evidence
- the SWGDE's Best Practices for Computer Forensics.
Although written in 2012, the Association of Chief Police Officers, known as the ACPO, and now functioning as the National Police Chiefs' Council, or NPCO, put forth a document in a PDF file called The ACPO Good Practice Guide for Digital Evidence in best practices when carrying out digital forensics investigations, particularly focusing on evidence acquisition. The ACPO Good Practice Guide for Digital Evidence was then adopted and adhered to by Law Enforcement agencies in England, Wales, and Northern Ireland and can be downloaded in its entirety at https://www.7safe.com/docs/default-source/default-document-library/acpo_guidelines_computer_evidence_v4_web.pdf.
Another useful and more recent document, produced in September 2014, on best practices in digital forensics was issued by the Scientific Working Group on Digital Evidence (SWGDE). The SWGDE was founded in 1998 by the Federal Crime Laboratory Directors Group with major members and contributors including the FBI, DEA, NASA, and the Department of Defense Computer Forensics Laboratory. Though this document details procedures and practices within a formal computer forensics laboratory setting, the practices can still be applied to non-laboratory investigations by those not currently in or with access to such an environment.
The SWGDE Best Practices for Computer Forensics sheds light on many of the topics covered in the following chapters, including:
- Evidence collection and acquisition
- Investigating devices that are powered on and powered off
- Evidence handling
- Analysis and reporting