A Five Phase Process Model for Digital Forensics
SOLVING THE CAPER

Objectives
• Identify the previous process models
• Define the five phases of the CAPER process model
• Understand the stages that occur within each phase.

Merriam-Webster definition of caper:
a. An illegal or questionable act.
b. A capricious escapade
Ex. This offbeat, Runyonesque caper shows uncanny insight into the psychology of the con man and his all-too-willing victims. ~ Sybil Steinberg
Cycle Overview: Solving the CAPER
Phases: Collection → Acquisition → Processing → Examination → Reporting
Across all phases: chain of custody, note taking

Phase → Stages
Collection: Identification, Isolation, Preservation
Acquisition: Protection, Selection, Extraction
Processing: Ingestion, Categorization, Collaboration
Examination: Analysis, Validation, Synthesis
Reporting: Preservation, Documentation, Presentation
Phase One - Collection

Identification
• Document / Photograph Hardware
• Triage Device(s)
Isolation
• Authority (You own the device)
• Implied Consent (Victim’s Device)
• Letter of Consent
• Subpoena
• Search Warrant
Preservation
• Leave Powered On (if already on)
• Leave Powered Off (if already off)
• Place in Airplane Mode
• Place in Faraday Bag
• Label Cables and Ports
• Maintain Chain of Custody Log
Phase Two - Acquisition

Protection
• Faraday Cage
• Write-Block
• Ensure storage space
• Continuous power supply
Selection
• Determine Type of Acquisition: Cloud, Computer, Mobile, Remote; Physical, Logical, File System
• Pre-Extraction Settings (e.g. Hashing)
• Document actions to prepare device (e.g. turning off Debugging)
Extraction
• Select software or tool
• Some software better than others
• Automation (Set it, Forget it)
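The hashing and documentation items above, as a worked example added by the editor (not code from the slide deck or from any vendor tool): a source is imaged while its stream is hashed, the written image is re-hashed independently and compared, and the result is appended to a custody log that the hash validation in the Examination phase can later check against. The sample device, file paths, examiner ID and JSON-lines log format are assumptions made for the demo.

```python
"""Acquisition with hashing and an acquisition record (added example).

This is not code from the slide deck; it stands in for the Acquisition
phase's "pre-extraction settings (hashing)" and "document actions" items.
Assumptions: the source device is an ordinary file (a constructed sample
here; on a real case it is a write-blocked block device), and the custody
log is a JSON-lines file, one record per event.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB sources


def hash_file(path):
    """SHA-256 of a file, streamed so large images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            h.update(chunk)
    return h.hexdigest()


def image_device(src_path, dst_path, examiner, log_path):
    """Copy src_path to dst_path, hashing the source stream as it is read.

    The written image is then re-hashed independently; a record is written
    to the custody log only if both digests agree, so a bad cable, a full
    disk or a silently truncated write cannot produce a 'verified' image.
    """
    src_sha = hashlib.sha256()
    src_md5 = hashlib.md5()  # MD5 still appears in many tool reports; record both
    size = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while chunk := src.read(CHUNK):
            src_sha.update(chunk)
            src_md5.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before the re-hash means anything
    image_sha = hash_file(dst_path)
    if image_sha != src_sha.hexdigest():
        raise RuntimeError("image digest differs from source stream; acquisition failed")
    record = {
        "action": "acquisition",
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": src_path,
        "image": dst_path,
        "bytes": size,
        "sha256": image_sha,
        "md5": src_md5.hexdigest(),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path, log_path):
    """Validation stage: re-hash the image and compare with the logged digest."""
    with open(log_path, encoding="utf-8") as log:
        records = [json.loads(line) for line in log if line.strip()]
    expected = [r["sha256"] for r in records
                if r["action"] == "acquisition" and r["image"] == image_path]
    if not expected:
        raise LookupError(f"no acquisition record for {image_path}")
    return hash_file(image_path) == expected[-1]


def demo_acquisition():
    """Image a constructed sample device, verify it, then corrupt one byte of
    the image and show that verification now fails. Returns the outcomes."""
    workdir = tempfile.mkdtemp(prefix="caper-")
    device = os.path.join(workdir, "sdb")  # constructed stand-in for a device
    sample = (bytes(range(256)) * 8192) + b"tail-of-device"  # 2 MiB + 14 bytes, deterministic
    with open(device, "wb") as f:
        f.write(sample)
    image = os.path.join(workdir, "case-001.dd")
    log = os.path.join(workdir, "custody.jsonl")
    record = image_device(device, image, "examiner-01", log)
    ok_before = verify_image(image, log)
    with open(image, "r+b") as f:  # simulate bit rot / tampering of the master copy
        f.seek(4096)
        f.write(b"\xff")
    ok_after = verify_image(image, log)
    return {"record": record, "bytes": len(sample),
            "verified_before_tamper": ok_before, "verified_after_tamper": ok_after}


if __name__ == "__main__":
    print(json.dumps(demo_acquisition(), indent=2))
```

The point of hashing the source stream and the written image separately is that the two digests come from different reads; if they disagree, the image is not trusted and nothing is logged. The same `verify_image` check is what the Examination phase's "Validate Hashes" item and the Reporting phase's "Preserve Master Copy" item come back to before the image is used or returned to evidence.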
Phase Three - Processing

Ingestion
• If able, use multiple programs
• Some process artifacts that others don’t
• Proprietary isn’t always better than Open Source
• Some faster than others
Categorization
• Usually done by software
• New artifacts may not yet be categorized by software
• Artificial Intelligence
Collaboration
• Custom Artifacts
• Keyword/Hash Lists
• Child Rescue Coalition (CSAM)
• Open Source tools
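Keyword and hash lists in practice, as an added example (not code from the deck or from any tool it names): a known-file digest list and a keyword list are run over a small constructed extraction tree, and each flagged file is reported once with its category. The `digest,label` list format, the keyword set and every file in the tree are constructed for the demo; a real list such as the one the Child Rescue Coalition provides is loaded from its own distribution, never embedded in a script.

```python
"""Hash-list and keyword-list pass over an extraction (added example).

Not code from the slide deck: it illustrates the Processing phase's
"Keyword/Hash Lists" item. The hash list, keywords and files are all
constructed for the demo.
"""
import hashlib
import os
import re
import tempfile


def load_hash_list(text):
    """Parse 'digest,label' lines into {digest: label}.

    Digests are lower-cased so MD5 and SHA-1 values from mixed-case sources
    still match; blank lines and '#' comments are skipped.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, label = line.partition(",")
        table[digest.strip().lower()] = label.strip() or "unlabelled"
    return table


def scan_extraction(root, hash_list, keywords):
    """Walk an extraction directory and return one hit per flagged file.

    A hash-list match is definitive and is reported on its own; other files
    are keyword-searched as text (undecodable bytes are ignored).
    """
    kw_re = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()  # fine for small artifacts; stream large files instead
            digests = (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest())
            label = next((hash_list[d] for d in digests if d in hash_list), None)
            if label is not None:
                hits.append({"path": path, "category": "hash-list", "label": label})
                continue
            text = data.decode("utf-8", errors="ignore")
            matched = sorted({m.group(0).lower() for m in kw_re.finditer(text)})
            if matched:
                hits.append({"path": path, "category": "keyword", "keywords": matched})
    return sorted(hits, key=lambda h: h["path"])


def demo_scan():
    """Build a small constructed extraction and run both lists over it."""
    root = tempfile.mkdtemp(prefix="extraction-")
    files = {
        "photos/IMG_0001.jpg": b"\xff\xd8\xff\xe0" + b"constructed-known-file",
        "notes/todo.txt": b"Meet at the warehouse on Friday. Bring the ledger.",
        "notes/readme.txt": b"Nothing relevant in here.",
        "cache/blob.bin": bytes(range(256)) * 4,
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    # The list holds the MD5 of the constructed JPEG, standing in for a real
    # known-file digest; it is derived here only so the demo produces a match.
    known_md5 = hashlib.md5(files["photos/IMG_0001.jpg"]).hexdigest()
    hash_list = load_hash_list(f"# constructed demo list\n{known_md5.upper()},demo-known-file\n")
    return scan_extraction(root, hash_list, ["ledger", "warehouse"])


if __name__ == "__main__":
    for hit in demo_scan():
        print(hit)
```

Both MD5 and SHA-1 are computed because distributed hash lists are not consistent about which digest they ship; matching on either keeps one list format from silently producing zero hits. Keyword hits are collapsed to one entry per file so the examiner sees a file list to review, not a match count to wade through.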
Phase Four - Examination

Analysis
• Start with Artifacts
• CSAM Protections
• Tagging / Commenting
• Profiles
• Filtering / Searching
Validation
• Validate Hashes
• Validate Timestamps
• Use more than one tool
Synthesis
• Putting it all together
• Examiner or Investigator?
• Get the details
• Sit with Detectives
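Timestamp validation across tools, as an added example (not code from the deck): raw values in the encodings examiners meet most often (Unix seconds and milliseconds, Windows FILETIME, WebKit/Chrome, Apple Cocoa) are normalised to UTC, and the same event as reported by several tools is cross-checked for disagreement and for impossible times after acquisition. The epoch offsets are the standard ones; the events, tool names and raw values are constructed for the demo.

```python
"""Timestamp normalisation and cross-tool validation (added example).

Not code from the slide deck: it illustrates the Examination phase's
"Validate Timestamps" and "Use more than one tool" items. The epoch
conversions are the standard ones; the events, tool names and values
below are constructed for the demo.
"""
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
SECS_1601_TO_1970 = 11644473600   # Windows FILETIME / WebKit epoch offset
SECS_1970_TO_2001 = 978307200     # Apple Cocoa / Core Data epoch offset


def to_utc(value, fmt):
    """Convert a raw timestamp in one of the common artifact encodings to an
    aware UTC datetime. Arithmetic goes through timedelta rather than
    fromtimestamp() so pre-1970 values work on every platform."""
    if fmt == "unix_s":
        secs = float(value)
    elif fmt == "unix_ms":
        secs = value / 1_000
    elif fmt == "filetime":        # 100-ns ticks since 1601-01-01 (NTFS, registry, LNK)
        secs = value / 10_000_000 - SECS_1601_TO_1970
    elif fmt == "webkit":          # microseconds since 1601-01-01 (Chrome/Chromium)
        secs = value / 1_000_000 - SECS_1601_TO_1970
    elif fmt == "cocoa":           # seconds since 2001-01-01 (iOS/macOS databases)
        secs = value + SECS_1970_TO_2001
    else:
        raise ValueError(f"unknown timestamp format: {fmt}")
    return UNIX_EPOCH + timedelta(seconds=secs)


def validate_event(name, reports, acquired_at, tolerance_s=2.0):
    """Cross-check one event as reported by several tools.

    reports: {tool_name: (raw_value, fmt)}. Returns a list of problems: tools
    that disagree by more than tolerance_s, and any time later than the
    acquisition itself (a sign of wrong epoch, unit or timezone handling).
    """
    converted = {tool: to_utc(v, f) for tool, (v, f) in reports.items()}
    problems = []
    times = sorted(converted.values())
    spread = (times[-1] - times[0]).total_seconds()
    if spread > tolerance_s:
        problems.append(f"{name}: tools disagree by {spread:.0f}s: "
                        + ", ".join(f"{t}={d.isoformat()}" for t, d in converted.items()))
    for tool, d in converted.items():
        if d > acquired_at:
            problems.append(f"{name}: {tool} reports {d.isoformat()}, after acquisition")
    return problems


def demo_validation():
    """Three constructed events: one consistent across three encodings, one
    off by an hour between tools (typical of a tool applying local time),
    and one dated after the acquisition."""
    acquired_at = datetime(2024, 1, 1, tzinfo=timezone.utc)
    events = {
        "last_login": {"tool_a": (1700000000, "unix_s"),
                       "tool_b": (133444736000000000, "filetime"),
                       "tool_c": (13344473600000000, "webkit")},
        "photo_taken": {"tool_a": (721692800, "cocoa"),
                        "tool_b": (1700003600000, "unix_ms")},
        "file_modified": {"tool_a": (1800000000, "unix_s")},
    }
    return {name: validate_event(name, reports, acquired_at)
            for name, reports in events.items()}


if __name__ == "__main__":
    for name, problems in demo_validation().items():
        print(name, "OK" if not problems else problems)
```

A one-hour spread between two tools for the same event is the classic sign that one of them rendered local time as UTC; a value later than the acquisition usually means the wrong epoch or unit was applied. Either way the examiner resolves it before the time goes into a report, which is why the "use more than one tool" item sits next to "validate timestamps".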
Phase Five - Reporting

Documentation
• Keep it simple
• Non-Biased
• Plain language
• Everything is discoverable
Communication
• Let detectives know
• Courtroom testimony
• Deposition
Preservation
• Return device(s) to evidence
• Preserve Master Copy

A Five Phase Process Model for Digital Forensics
SOLVING THE CAPER
JASON WILKINS

FivePhaseForensicsMagnet.pptx

Editor's Notes

  1. Hello everybody, thanks for being here. My name is Jason Wilkins and I am the Digital Forensics Examiner for the Clayton County Police Department in Clayton County, Georgia. And today, I am going to introduce you to the Digital Forensics Process Model that I use every day in my examinations. I call it the CAPER model. It is constructed of five phases that are each subdivided into three stages. The five phases are: Collection, Acquisition, Processing, Examination, and Reporting. It is my hope that by the end of this presentation, you will find that the CAPER model has both relevance and utility that contributes to improving your understanding, focusing your planning efforts, and improving your work efficiency.
  2. These are the objectives for today. If you take anything of value away from this talk, let it be these three things. I know my graphic is outdated. I have to go back and create one that contains both Drone and Vehicle Forensics. Regardless, as a Law Enforcement Digital Forensics Examiner, my everyday bread-and-butter work is in mobile, internet (or Cloud), and computer forensics. Although, I am certain that drone and vehicle forensics are just over the horizon for my department as well. So, how will the CAPER model hold up to these new challenges? I guess we’ll have to wait and see, but for now, it works perfectly for explaining my process to detectives and executive leaders. It gives them a visual picture of where I am in the process, so that they can have a rough idea of how soon or late they will receive evidence for their case. After all, the sooner I solve my CAPER, the sooner they can solve theirs as well.
  3. When I was a kid, living in Bad Kreuznach, Germany, my favorite movie for a time was The Great Muppet Caper. I even had a Kermit the Frog watch. From then until now, I have been fascinated and intrigued by criminal investigations and law enforcement. I loved the Hardy Boys books, and detective movies. Batman is still my favorite comic book hero. So I guess it was inevitable that I would end up where I am now. Although, I’m still closer to Kermit, than I am to Bruce Wayne. Because Kermit is simple and easy to get along with, while Batman is complex and not so easy to get to know well. Similar to process models. Some of you will love the simplicity of the CAPER model, while others will dislike and discount its simplicity.
  4. So, this is the model. Every case that comes across my desk, flows from the crime scene to the court room. It passes through the Evidence locker and my lab on its way. Keep in mind that I do not work in the private sector, so there may be some variations that seemingly don’t quite fit, but I assure you, every process model that has come before has walked through these five phases, regardless of the added complexity it might have evolved. As you can see, each phase is further subdivided into three stages that lead into the next until the completion of the case. Devices are collected from the crime scene, while maintaining chain of custody throughout, they arrive in the evidence locker, then get processed through my lab, before getting returned to evidence and waiting for trial. Sometimes detectives might bring a device directly to me if there are exigent circumstances, but my lab is also considered an extension of the evidence locker. From the moment the officers arrive at the crime scene, the Collection Phase has begun. It isn’t until the device is in my lab that the next stage begins. For me, Acquisition, Processing, and Examination all occur within my lab. Though I also begin to document my report there, the remainder of the Reporting phase is concluded in deposition or a courtroom. It is in that Phase that the device returns to evidence until either enough time has passed that it is destroyed, examined further, or returned to the owner. That’s it. It’s simple and easy to remember. It’s even easier to follow. But how does it stack up to previous models?
  5. Due to the extreme simplicity of the CAPER Model, there are some who might suggest it is more of a Guideline Framework rather than a viable process model to be utilized in the investigation process, but I disagree. The simplicity of the Five Phases makes instructing and training students and apprentices easier and therefore more likely to be remembered. With the additional stages within each phase, the requirements for an investigative process are met. One of the earliest attempts to create a forensic model was the Forensic Process Model, created by the US Dept of Justice. It consisted of four phases, Collection, Examination, Analysis, and Reporting. This would perhaps appear to be the closest model related to the CAPER model, however, the absence of subdivided stages within each phase suggests it is farther removed. The next model is the Abstract Digital Forensics Model (ADFM), which proposed nine phases, with the third phase essentially being a duplicate of the second. Then came Brian Carrier. He proposed the Integrated Digital Investigation Process (IDIP) Model, which consisted of five groups of 17 phases. The complexity of this model led to some criticism as to its practicality. So, in 2004, the Enhanced Digital Investigation Process Model was proposed in answer to the questions left by the IDIP model, however, it is my observation that they simply aren’t that different and it is still in need of some simplification in order to meet both the complexity of the digital forensic investigation and the simplicity of an easily memorized mnemonic.
  6. So, let’s take a closer look at each phase.
  7. Phase one is Collection. It is in this phase that the crime scene, whether physical or digital, and its incorporated evidence is identified, isolated, and preserved. In this phase, evidence is documented, photographed, and preserved according to forensic standards. No one should be allowed to touch the crime scene or the evidence that does not have the authority to do so. The same is true in the private sector, although consent is most likely all the authority you will need. Preservation will of course be dependent upon the type of medium, the urgency, and the condition of the evidence itself. Be sure to document well, and maintain chain-of-custody.
  8. Once the evidence has been gathered from the crime scene and entered into the system for my examination, we enter into the acquisition phase.
  9. The evidence should be protected from contact with networks and from being corrupted or damaged. In this phase, you will select the type of acquisition and which tool is needed. Sometimes you may need to use one tool to unlock the device and another to acquire the image, and another still to process the artifacts. Some software has everything built into one program. Magnet Axiom is just one example. Also, automation occurs within this stage if you so happen to use software to assist you in that way.
  10. Once you have your acquired image, you then have to process the raw data into something more organized for easier examination.
  11. In Phase three, the acquired image is ingested into whichever tool you have chosen. It isn’t a bad idea to use multiple programs to see what artifacts may or may not be categorized. It’s kind of like the old adage, “measure twice, cut once.” And don’t forget that the digital forensics community is always there to offer advice and free software to help when you run into brick walls. For example, sometimes an open-source tool works better to review something like emails than a proprietary one. Magnet has the Custom Artifact Exchange for just such collaboration. You can also find tools on GitHub from people like Eric Zimmerman, Alexis Brignoni, and many others. Magnet Axiom even has built in collaboration tools that help with identification of sexual predators and their possible connections to other offenders. But, you will find that collaboration in the community is the most valuable tool in your arsenal. And everyone is eager to help as we all have the same goal and the same mission.
  12. So, once you have acquired the image, and then processed and categorized the artifacts, it is time to analyze and extract all items of evidentiary value and begin synthesizing them into a big picture.
  13. You may be an analyst who is only expected to deliver the evidence to an investigator for them to review, or you may be an examiner who has more authority to search for evidence yourself, delivering only that which you have found of value to the investigator assigned to the case. And then, in some cases, you could be a sworn Digital Forensics Investigator who does it all. Regardless, the evidence is going to be analyzed, validated for credibility, and then synthesized into a report of findings. In fact, validation is such an important step that several people from across the Digital Forensics community collaborated last year on a white paper discussing the subject. People from Magnet, Cellebrite, and the Open Source community together. In validating your evidence, you will most assuredly use multiple programs, so you want to make sure you build a good tool box and practice using many different tools as often as you can. You can find all sorts of resources on sites like AboutDFIR.com or the Digital Forensics Discord Server.
  14. Last year, I gave a presentation on Reporting for Digital Forensics at the SANS Digital Forensics Virtual Summit. It was my very first time doing something like that and if you happen to see it floating around YouTube, then you know how nervous I was and maybe you had a good laugh.
  15. But that leads us into the final phase. Reporting. This is where you will gather your notes and document your findings in a Digital Forensics Examination Report. You will also return the evidence to be preserved in case it needs to be accessed again by you or another examiner. You will also eventually have to give testimony, so I hope that you documented well. Thanks to COVID, there are cases that are still waiting to be heard from two years ago. Without good documentation, you could forget everything about one specific case. So, go search for my video on YouTube if you want a deeper dive into this subject. After I have completed my white paper on the CAPER model, I intend to make an accompanying series of videos covering each phase and stage in greater detail.
  16. This chart is something I started to help categorize which programs might possibly fall into which phase as far as their functionality. Some fall into only one phase, while others cross into multiple. Maybe one day, Digital Forensic software will come out with a labeling system like this to describe their proposed functionality. Or maybe not. But there are so many tools available and more being created every day, that I think a categorization such as this would be helpful to both new analysts and experienced examiners alike. If you would like to add your opinion on this chart or perhaps help me to identify other programs not listed, then I would greatly appreciate it.
  17. But that’s it! That’s my presentation. That’s my proposed process model, or Guideline Framework if you prefer. I recognize that I am still fairly young in my career, however, this is the model I use to actually do the job every day. And now that you have seen it, I hope that you will challenge it with your questions, so that together perhaps, we can all create something more perfect and practical for everyone. And by the way, this QR code links to my LinkedIn, and not my bank account. You can also find me on Twitter under, TheJasonWilkins. Not to be pretentious or vain, but JasonWilkins was taken. So, thank you for joining and I will be happy to answer any questions in the chat or in private message on social media. Enjoy the Summit!