response_to_eric_cook

1. The preparation phase of most tasks is arguably the most important phase of the process. In sports, a team that walks onto the field without preparation, in this case practice, will likely not win the game. A doctor who performs surgery without washing their hands and ensuring that the tools are properly sterilized jeopardizes the outcome of the procedure through an increased likelihood of infection. In each case, proper preparation is a must if the best possible outcome is to be achieved.
The same holds true for the digital investigation process. Before any digital investigation, certain steps must be completed properly before the investigation itself can begin. Failure to exercise due diligence in completing these steps allows opposing counsel to question in court whether the investigation was conducted in accordance with accepted digital investigation practice. If it was not, key evidence obtained through the investigation may be ruled inadmissible. If that evidence was the only conclusive link between the suspect and the crime, the individual could walk free or face a lesser charge. Training, for example, belongs to the preparation stage of a digital investigation. Department of Justice (DOJ) regulations apply in the United States, and other developed countries have regulations of their own (Nelson, Phillips & Steuart, 2010, p. 150). Entering a digital investigation without knowing the requisite laws and regulations beforehand is, to return to the sports analogy, like a football player stepping onto the field without knowing the rules. It is also necessary to ensure that the hardware and other tools needed for the investigation are in proper working order before it begins. For example, making sure the forensic technician has a write-blocking device before entering a digital crime scene is almost a must. Without one, the operating system can write to the evidence drive while it is being imaged, altering the original evidence during the collection process (Department of Justice, 2004). This act of preparation is equivalent to a doctor making sure they have a scalpel, and not a butter knife, before going into surgery. To ensure that a computer forensic technician executes the correct actions before, during, and after an investigation, a checklist detailing each step in the process should be created (Boyd & Forster, 2004). The checklist should flow logically in chronological order and be easy to follow to ensure maximum utility. Following it reduces the chance of a mistake that compromises the investigation.
2. Encryption and steganography are two methods used to conceal data within storage media. Simpler, less sophisticated methods are also available, and a suspect with limited experience may try those first. For example, a pedophile with child pornography on their computer may not be that computer savvy and may think that simply marking the file as hidden is enough protection. A number of tools are available to discover hidden files, such as AccessData's Forensic Toolkit (FTK). Someone slightly more savvy might change the file extension of an explicit image to something like .exe, which changes the icon and hides the fact that the file is an image (Casey, 2011). This too is easily detected by an experienced investigator with the proper tools: forensic suites compare each file's header signature against its extension and flag any mismatch.
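The signature check described above, as an added example that is not code from the essay, FTK or Casey: the signature table is a small constructed subset of well-known magic bytes, and the sample directory built by build_sample_tree() (including a JPEG renamed to .exe and a dot-file hiding a PNG) is constructed test data.

```python
"""Flag files whose extension disagrees with their content (file signature analysis).

Added example; not code from the essay, FTK or Casey. SIGNATURES is a small
constructed subset and build_sample_tree() creates constructed sample files.
"""
import os
import tempfile

# Magic bytes at offset 0 -> extensions that legitimately carry that signature.
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"GIF87a": {".gif"},
    b"GIF89a": {".gif"},
    b"%PDF-": {".pdf"},
    b"MZ": {".exe", ".dll", ".sys"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".jar"},
}


def identify(header: bytes):
    """Return the extensions matching the header's signature, or None if unknown."""
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            return exts
    return None


def extension_mismatch(header: bytes, ext: str) -> bool:
    """True when the content has a known signature and the extension is not one of its own."""
    detected = identify(header)
    return detected is not None and ext.lower() not in detected


def scan(root: str):
    """Walk root (dot-files included) and return relative paths whose extension lies about the content."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                header = fh.read(16)          # longest signature above is 8 bytes
            ext = os.path.splitext(name)[1]
            if extension_mismatch(header, ext):
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


def build_sample_tree() -> str:
    """Constructed sample data: an honest JPEG and PDF, a JPEG renamed .exe, a dot-file hiding a PNG."""
    root = tempfile.mkdtemp()
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0",
        "setup.exe": b"\xff\xd8\xff\xe0",      # image disguised as an executable
        "notes.pdf": b"%PDF-1.4\n",
        ".cache.dat": b"\x89PNG\r\n\x1a\n",    # hidden dot-file with the wrong extension
        "README": b"just text",                # unknown signature: never flagged
    }
    for name, header in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(header + b"\x00" * 32)
    return root


if __name__ == "__main__":
    print(scan(build_sample_tree()))   # ['.cache.dat', 'setup.exe']
```

Files with an unknown signature are deliberately never flagged; a real examination would carry a much larger signature table and also look at files with no extension at all, which this check passes over.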
Encryption, unlike these other methods, does not necessarily hide the data within the storage media. The fact that the file exists and may contain information is obvious, but the contents are difficult or, in some cases, practically impossible to access. Algorithms of varying strength render the contents of a file or folder unreadable unless the proper decryption key, or some other method of decrypting the file(s), is available. Generally, a password is needed to decrypt the file. If the password is simple, a dictionary attack against the encrypted file may recover it. If the password is not in any word list, a brute-force attack over the possible passwords may be necessary, with the downside that this can take much longer and in the end may not succeed at all. Tools such as the Password Recovery Toolkit and Distributed Network Attack (DNA) from AccessData can assist with this effort (Casey, 2009).
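The dictionary-then-brute-force strategy described above, as an added example that is not code from the essay or from AccessData's tools. The container format is an assumption made for illustration (a random salt plus a PBKDF2-SHA256 key verifier, which is how many real formats let a tool test a candidate password without decrypting the payload), the word list is constructed, and the iteration count is deliberately tiny so the demo runs in seconds.

```python
"""Recover a file password: cheap dictionary attack first, brute force only as a fallback.

Added example; not code from the essay or from AccessData. The container layout
(salt + PBKDF2 verifier), the word list and the mangling rules are assumptions.
"""
import hashlib
import hmac
import itertools
import os
import string

ITERATIONS = 2000   # deliberately low for the demo; real formats use far more, which is the whole cost


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def make_container(password: str, salt=None) -> dict:
    """Simulate an encrypted file header: random salt + a verifier tag derived from the key."""
    salt = salt or os.urandom(16)
    key = derive_key(password, salt)
    return {"salt": salt, "verifier": hmac.new(key, b"verifier", "sha256").digest()}


def check_password(container: dict, candidate: str) -> bool:
    key = derive_key(candidate, container["salt"])
    tag = hmac.new(key, b"verifier", "sha256").digest()
    return hmac.compare_digest(tag, container["verifier"])


def dictionary_attack(container: dict, wordlist):
    """Try each word plus a few common mangling rules; return (password, attempts)."""
    attempts = 0
    for word in wordlist:
        for cand in (word, word.capitalize(), word + "1", word + "123", word + "!"):
            attempts += 1
            if check_password(container, cand):
                return cand, attempts
    return None, attempts


def brute_force(container: dict, alphabet=string.ascii_lowercase, max_len=4):
    """Exhaust every string over alphabet up to max_len; cost grows as |alphabet| ** length."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            cand = "".join(chars)
            if check_password(container, cand):
                return cand, attempts
    return None, attempts


def recover(container: dict, wordlist, max_len=4):
    """Run the cheap attack first and the expensive one only if it fails.

    Returns (password or None, method, total_attempts)."""
    pw, n = dictionary_attack(container, wordlist)
    if pw is not None:
        return pw, "dictionary", n
    pw, m = brute_force(container, max_len=max_len)
    return pw, ("brute-force" if pw else "failed"), n + m


if __name__ == "__main__":
    words = ["password", "letmein", "qwerty"]
    print(recover(make_container("letmein1"), words))   # ('letmein1', 'dictionary', 8)
    print(recover(make_container("qz"), words))         # ('qz', 'brute-force', 483)
    print(recover(make_container("Zz9"), words, 2))     # (None, 'failed', 717)
```

The third call shows the downside the essay mentions: a password outside both the word list and the searched keyspace is simply not found, and every extra character multiplies the brute-force cost by the alphabet size.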
Steganography, another and more advanced method of concealing data within a storage medium, generally involves hiding a file within an image (Nelson, Phillips & Steuart, 2010). Freely available software such as S-Tools allows even a novice user to hide a file within an image. A malicious actor could use S-Tools to hide a file containing a list of compromised usernames and passwords gathered in an attack within an image of something like a smiley face, an icon, or anything else. The image could then be posted to an online forum or e-mailed to an accomplice, and the credentials could continue to be used as long as the recipients have the password. To detect whether steganography has been used, the presence of one of these tools on the suspect's system is a starting point. Additionally, comparing the last-modified timestamps of image files against the timestamps of the steganography tool (installation, last access) can point to files that may contain hidden information. Any suspicious files can then be examined further to extract that information (Nelson, Phillips & Steuart, 2010).
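The timestamp correlation described above, as an added example that is not code from the essay or from Nelson, Phillips & Steuart. The file metadata records are constructed (as an examiner might export them from a forensic image), the list of tool artifact names is an assumption built around the S-Tools mentioned in the essay, and the set of carrier formats is likewise an assumption.

```python
"""Shortlist possible steganography carriers by correlating tool artifacts with image timestamps.

Added example; not code from the essay or its sources. STEGO_TOOL_NAMES and
CARRIER_EXTS are assumptions, and sample_records() is constructed metadata.
"""
import os
from datetime import datetime, timedelta

# Assumed artifact names of steganography tools; extend from your own tool inventory.
STEGO_TOOL_NAMES = {"s-tools.exe", "steghide.exe", "openstego.jar", "outguess.exe"}
# Assumed carrier formats such tools write to.
CARRIER_EXTS = {".bmp", ".gif", ".png", ".jpg", ".jpeg", ".wav"}


def find_tool_artifacts(records):
    """Return the records whose file name matches a known steganography tool."""
    return [r for r in records if os.path.basename(r["path"]).lower() in STEGO_TOOL_NAMES]


def suspect_carriers(records, window=timedelta(hours=2)):
    """Return carrier files modified within `window` after any stego tool was last accessed.

    A hit is a reason to examine the file further, not proof: the tool may have been
    run at other times, and timestamps can be altered by the suspect.
    """
    tool_accesses = [t["accessed"] for t in find_tool_artifacts(records)]
    if not tool_accesses:
        return []
    hits = []
    for r in records:
        ext = os.path.splitext(r["path"])[1].lower()
        if ext not in CARRIER_EXTS:
            continue
        if any(timedelta(0) <= (r["modified"] - ran) <= window for ran in tool_accesses):
            hits.append(r["path"])
    return sorted(hits)


def sample_records():
    """Constructed file-system metadata (paths as mounted from an image, not real evidence)."""
    T = datetime
    return [
        {"path": "/evidence/Program Files/S-Tools/S-Tools.exe",
         "modified": T(2010, 5, 2, 13, 0), "accessed": T(2010, 5, 9, 21, 5)},
        {"path": "/evidence/Users/bob/Pictures/smiley.bmp",                  # 7 min after tool ran
         "modified": T(2010, 5, 9, 21, 12), "accessed": T(2010, 5, 9, 21, 12)},
        {"path": "/evidence/Users/bob/Pictures/vacation.jpg",                # months older
         "modified": T(2010, 2, 10, 9, 0), "accessed": T(2010, 5, 9, 21, 0)},
        {"path": "/evidence/Users/bob/Pictures/logo.gif",                    # 4 h 25 min later
         "modified": T(2010, 5, 10, 1, 30), "accessed": T(2010, 5, 10, 1, 30)},
        {"path": "/evidence/Users/bob/Documents/report.docx",                # not a carrier format
         "modified": T(2010, 5, 9, 21, 20), "accessed": T(2010, 5, 9, 21, 20)},
    ]


if __name__ == "__main__":
    recs = sample_records()
    print([r["path"] for r in find_tool_artifacts(recs)])
    print(suspect_carriers(recs))                          # smiley.bmp only
    print(suspect_carriers(recs, window=timedelta(hours=5)))   # logo.gif joins the list
```

Widening the window trades false positives for recall, so the shortlist is a triage aid: each hit still has to be opened with a stego-aware tool to confirm and extract anything hidden, and an absent tool artifact does not clear the system, since the suspect may have uninstalled it.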