This was my presentation at the Magnet Forensics Virtual Summit in 2022 describing the five phase digital forensics process model that I developed to use in my daily investigations.
FivePhaseForensicsMagnet.pptx
1. A Five Phase Process Model for Digital Forensics
SOLVING THE CAPER
2. Objectives
• Identify the previous process models
• Define the five phases of the CAPER process model
• Understand the stages that occur within each phase.
3. Merriam-Webster
Definition of Caper:
a. An illegal or questionable act.
b. A capricious escapade
Ex. This offbeat, Runyonesque caper shows uncanny insight into the psychology of the con man and his all-too-willing victims.
~ Sybil Steinberg
7. Phase One - Collection
Identification
Document / Photograph Hardware
Triage Device(s)
Isolation
Authority (You own the device)
Implied Consent (Victim’s Device)
Letter of Consent
Subpoena
Search Warrant
Preservation
Leave Powered On (if already on)
Leave Powered Off (if already off)
Place in Airplane Mode
Place in Faraday Bag
Label Cables and Ports
Maintain Chain of Custody Log
C
9. Phase Two - Acquisition
Protection
Faraday Cage
Write-Block
Ensure storage space
Continuous power supply
Selection
Determine Type of Acquisition:
Cloud, Computer, Mobile, Remote
Physical, Logical, File System
Pre-Extraction Settings (e.g. Hashing)
Document actions taken to prepare the device (e.g. turned off debugging, etc.)
Extraction
Select software or tool
Some software better than others
Automation (Set it, Forget it)
A
11. Phase Three - Processing
Ingestion
If able, use multiple programs.
Some process artifacts others don’t
Proprietary isn’t always better than Open Source
Some faster than others
Categorization
Usually done by software
New artifacts may not yet be categorized by software
Artificial Intelligence
Collaboration
Custom Artifacts
Keyword/Hash Lists
Child Rescue Coalition - CSAM
Open Source tools
P
13. Phase Four - Examination
Analysis
Start with Artifacts
CSAM Protections
Tagging / Commenting
Profiles
Filtering / Searching
Validation
Validate Hashes
Validate Timestamps
Use more than one tool
Synthesis
Putting it all together
Examiner or Investigator?
Get the details
Sit with Detectives
E
15. Phase Five - Reporting
Documentation
Keep it simple
Non-Biased
Plain language
Everything is discoverable
Communication
Let detectives know
Courtroom testimony
Deposition
Preservation
Return device(s) to evidence
Preserve Master Copy
R
17. A Five Phase Process Model for Digital Forensics
SOLVING THE CAPER
JASON WILKINS
Editor's Notes
Hello everybody, thanks for being here.
My name is Jason Wilkins and I am the Digital Forensics Examiner for the Clayton County Police Department in Clayton County, Georgia. And today, I am going to introduce you to the Digital Forensics Process Model that I use every day in my examinations.
I call it the CAPER model. It is constructed of five phases that are each subdivided into three stages.
The five phases are: Collection, Acquisition, Processing, Examination, and Reporting.
It is my hope that by the end of this presentation, you will find that the CAPER model has both relevance and utility that contributes to improving your understanding, focusing your planning efforts, and improving your work efficiency.
These are the objectives for today. If you take anything of value away from this talk, let it be these three things.
I know my graphic is outdated. I have to go back and create one that contains both Drone and Vehicle Forensics. Regardless, as a Law Enforcement Digital Forensics Examiner, my every day bread and butter work is in mobile, internet (or Cloud), and computer forensics. Although, I am certain that drone and vehicle forensics are just over the horizon for my department as well.
So, how will the CAPER model hold up to these new challenges? I guess we’ll have to wait and see, but for now, it works perfectly for explaining my process to detectives and executive leaders. It gives them a visual picture of where I am in the process, so that they can have a rough idea of how soon or late they will receive evidence for their case.
After all, the sooner I solve my CAPER, the sooner they can solve theirs as well.
When I was a kid, living in Bad Kreuznach, Germany, my favorite movie for a time was The Great Muppet Caper. I even had a Kermit the Frog watch. From then until now, I have been fascinated and intrigued by criminal investigations and law enforcement. I loved the Hardy Boys books, and detective movies. Batman is still my favorite comic book hero. So I guess it was inevitable that I would end up where I am now. Although, I’m still closer to Kermit, than I am to Bruce Wayne.
Because Kermit is simple and easy to get along with, while Batman is complex and not so easy to get to know well.
Similar to process models. Some of you will love the simplicity of the CAPER model, while others will dislike and discount its simplicity.
So, this is the model. Every case that comes across my desk flows from the crime scene to the courtroom. It passes through the evidence locker and my lab on its way. Keep in mind that I do not work in the private sector, so there may be some variations that seemingly don’t quite fit, but I assure you, every process model that has come before has walked through these five phases, regardless of whatever added complexity it may have evolved. As you can see, each phase is further subdivided into three stages that lead into the next until the completion of the case.
Devices are collected from the crime scene, while maintaining chain of custody throughout, they arrive in the evidence locker, then get processed through my lab, before getting returned to evidence and waiting for trial. Sometimes detectives might bring a device directly to me if there are exigent circumstances, but my lab is also considered an extension of the evidence locker.
From the moment the officers arrive at the crime scene, the Collection Phase has begun. It isn’t until the device is in my lab that the next phase begins. For me, Acquisition, Processing, and Examination all occur within my lab. Though I also begin to document my report there, the remainder of the Reporting phase is concluded in deposition or a courtroom. It is in that phase that the device returns to evidence until either enough time has passed that it is destroyed, it is examined further, or it is returned to the owner.
That’s it. It’s simple and easy to remember. It’s even easier to follow. But how does it stack up to previous models?
Due to the extreme simplicity of the CAPER Model, there are some who might suggest it is more of a Guideline Framework rather than a viable process model to be utilized in the investigation process, but I disagree. The simplicity of the Five Phases makes instructing and training students and apprentices easier and therefore more likely to be remembered. With the additional stages within each phase, the requirements for an investigative process are met.
One of the earliest attempts to create a forensic model was the Forensic Process Model, created by the US Dept of Justice. It consisted of four phases: Collection, Examination, Analysis, and Reporting. This would perhaps appear to be the closest model related to the CAPER model; however, the absence of subdivided stages within each phase suggests it is farther removed. The next model is the Abstract Digital Forensics Model (ADFM), which proposed nine phases, with the third phase essentially being a duplicate of the second. Then came Brian Carrier. He proposed the Integrated Digital Investigation Process (IDIP) Model, which consisted of five groups of 17 phases. The complexity of this model led to some criticism as to its practicality. So, in 2004, the Enhanced Digital Investigation Process Model was proposed in answer to the questions left by the IDIP model; however, it is my observation that they simply aren’t that different, and it is still in need of some simplification in order to meet both the complexity of the digital forensic investigation and the simplicity of an easily memorized mnemonic.
So, let’s take a closer look at each phase.
Phase one is Collection.
It is in this phase that the crime scene, whether physical or digital, and its incorporated evidence is identified, isolated, and preserved.
In this phase, evidence is documented, photographed, and preserved according to forensic standards. No one should be allowed to touch the crime scene or the evidence that does not have the authority to do so.
The same is true in the private sector, although consent is most likely all the authority you will need.
Preservation will of course be dependent upon the type of medium, the urgency, and the condition of the evidence itself. Be sure to document well, and maintain chain-of-custody.
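The chain-of-custody log is the one Collection-stage record every later phase depends on, so it is worth keeping in a form whose integrity can be checked. The following is an added example, not code from the presentation or from any tool it mentions: a hash-chained custody log in which each entry carries the SHA-256 of the entry before it, so a verifier can detect an altered, inserted or deleted entry. The evidence tag, handler names and locations are constructed sample values, and the entry fields are my own choice of what a log line should carry.

```python
"""Hash-chained chain-of-custody log (added example, not from the presentation)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass
class CustodyEntry:
    item_id: str      # evidence tag (constructed sample values below)
    action: str       # SEIZED, RECEIVED, CHECKED_OUT, RETURNED, ...
    handler: str      # person performing the action
    location: str     # where the item is after the action
    timestamp: str    # ISO-8601, UTC
    prev_hash: str    # hex SHA-256 of the previous entry
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except entry_hash itself, serialised with a fixed
        # key order so the digest is reproducible wherever it is recomputed.
        payload = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canon).hexdigest()


def append_entry(log: List[CustodyEntry], item_id: str, action: str, handler: str,
                 location: str, when: Optional[datetime] = None) -> CustodyEntry:
    """Append a new entry linked to the current last entry of the log."""
    ts = (when or datetime.now(timezone.utc)).isoformat()
    prev = log[-1].entry_hash if log else GENESIS
    entry = CustodyEntry(item_id, action, handler, location, ts, prev)
    entry.entry_hash = entry.compute_hash()
    log.append(entry)
    return entry


def verify_log(log: List[CustodyEntry]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    An entry is bad if its stored hash no longer matches its contents (edited)
    or if its prev_hash does not point at the entry before it (inserted/deleted).
    """
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry.prev_hash != expected_prev or entry.compute_hash() != entry.entry_hash:
            return i
        expected_prev = entry.entry_hash
    return None


def build_sample_log() -> List[CustodyEntry]:
    """Constructed sample: a phone seized at the scene, booked in, then checked out to the lab."""
    log: List[CustodyEntry] = []
    t0 = datetime(2022, 3, 1, 14, 5, tzinfo=timezone.utc)
    append_entry(log, "ITEM-001", "SEIZED", "Officer A (sample)", "crime scene", t0)
    append_entry(log, "ITEM-001", "RECEIVED", "Evidence Tech (sample)", "evidence locker", t0.replace(hour=16))
    append_entry(log, "ITEM-001", "CHECKED_OUT", "DF Examiner (sample)", "forensics lab", t0.replace(day=2, hour=9))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_log(sample) is None)
    sample[1].handler = "someone else"          # simulate an after-the-fact edit
    print("first bad entry after edit:", verify_log(sample))
```

The chain only proves that entries were not changed after the fact relative to the last hash you wrote down; the usual practice is to record the latest entry hash somewhere the log itself cannot overwrite (a signed printout, a separate case-management record), so that a wholesale rewrite of the file is also detectable.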
Once the evidence has been gathered from the crime scene and entered into the system for my examination, we enter into the acquisition phase.
The evidence should be protected from contact with networks and from being corrupted or damaged. In this phase, you will select the type of acquisition and which tool is needed. Sometimes you may need to use one tool to unlock the device, another to acquire the image, and another still to process the artifacts. Some software has everything built into one program; Magnet Axiom is just one example. Also, automation occurs within this stage if you so happen to use software to assist you in that way.
Once you have your acquired image, you then have to process the raw data into something more organized for easier examination.
In Phase three, the acquired image is ingested into whichever tool you have chosen. It isn’t a bad idea to use multiple programs to see what artifacts may or may not be categorized. It’s kind of like the old adage, “measure twice, cut once.” And don’t forget that the digital forensics community is always there to offer advice and free software to help when you run into brick walls. For example, sometimes an open-source tool works better to review something like emails than a proprietary one. Magnet has the Custom Artifact Exchange for just such collaboration. You can also find tools on GitHub from people like Eric Zimmerman, Alexis Brignoni, and many others. Magnet Axiom even has built-in collaboration tools that help with identification of sexual predators and their possible connections to other offenders. But, you will find that collaboration in the community is the most valuable tool in your arsenal. And everyone is eager to help as we all have the same goal and the same mission.
So, once you have acquired the image, and then processed and categorized the artifacts, it is time to analyze and extract all items of evidentiary value and begin synthesizing them into a big picture.
You may be an analyst that is only expected to deliver the evidence to an investigator for them to review, or you may be an examiner that has more authority to search for evidence yourself, delivering only that which you have found of value to the investigator assigned to the case. And then, in some cases, you could be a sworn Digital Forensics Investigator that does it all. Regardless, the evidence is going to be analyzed, validated for credibility, and then synthesized into a report of findings. In fact, validation is such an important step that several people from across the Digital Forensics community collaborated last year on a white paper discussing the subject. People from Magnet, Cellebrite, and the Open Source community together. In validating your evidence, you will most assuredly use multiple programs, so you want to make sure you build a good tool box and practice using many different tools as often as you can. You can find all sorts of resources on sites like AboutDFIR.com or the Digital Forensics Discord Server.
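The Validation stage of Phase Four (validate hashes, validate timestamps, use more than one tool) and the pre-extraction hashing of Phase Two are two halves of the same check: the digests recorded at acquisition are what you compare against before you trust anything a processing tool shows you. The block below is an added example, not code from the presentation or from any of the tools it names. It re-hashes an image in chunks and compares the result to an acquisition manifest, and it decodes the common raw timestamp formats independently of any forensic suite so a tool's displayed time can be cross-checked. The image bytes, the manifest, and the acquisition time are constructed sample values.

```python
"""Validation-stage helpers: image hash verification and independent timestamp decoding.
Added example, not from the presentation."""
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Dict

# Epochs used by the raw timestamp formats most often met in processed artifacts.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Windows FILETIME, WebKit/Chrome
_EPOCH_2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Apple Cocoa/Core Data


def hash_image(data: bytes, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """MD5 and SHA-256 of an image, streamed in chunks as a real multi-GB image would be."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        md5.update(chunk)
        sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_against_manifest(data: bytes, manifest: Dict[str, str]) -> Dict[str, bool]:
    """Recompute digests and compare them with those recorded at acquisition time.

    Returns one True/False per algorithm that appears in both the manifest and our output;
    a single False means the working copy is not the image that was acquired.
    """
    current = hash_image(data)
    return {alg: current[alg] == recorded.lower()
            for alg, recorded in manifest.items() if alg in current}


# Independent decoders, so a tool's displayed time can be checked against the raw value.
def from_unix(seconds: float) -> datetime:
    """Seconds since 1970-01-01 UTC (most Linux/Android/SQLite artifacts)."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def from_filetime(filetime: int) -> datetime:
    """Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10)


def from_webkit(microseconds: int) -> datetime:
    """WebKit/Chrome timestamp: microseconds since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=microseconds)


def from_cocoa(seconds: float) -> datetime:
    """Apple Cocoa timestamp: seconds since 2001-01-01 UTC."""
    return _EPOCH_2001 + timedelta(seconds=seconds)


def within_acquisition_window(ts: datetime, acquired_at: datetime,
                              slack: timedelta = timedelta(minutes=5)) -> bool:
    """An artifact timestamp later than the acquisition time (beyond small clock skew)
    cannot be right and points at a mis-decoded value or a wrong epoch."""
    return ts <= acquired_at + slack


if __name__ == "__main__":
    # Constructed sample image and a manifest as it might have been written at acquisition.
    image = b"constructed sample image bytes\x00" * 4096
    manifest = hash_image(image)
    print("working copy matches manifest:", verify_against_manifest(image, manifest))
    tampered = image[:-1] + b"\x01"
    print("tampered copy matches manifest:", verify_against_manifest(tampered, manifest))

    # The same instant, 2022-03-01 00:00:00 UTC, in four raw formats (constructed values).
    same_instant = [from_unix(1646092800), from_filetime(132905664000000000),
                    from_webkit(13290566400000000), from_cocoa(667785600)]
    print("all decoders agree:", len({t.isoformat() for t in same_instant}) == 1)
    acquired = datetime(2022, 3, 1, 16, 0, tzinfo=timezone.utc)
    print("timestamp plausible:", within_acquisition_window(same_instant[0], acquired))
```

The point of the decoders is not that a tool will usually get them wrong, but that when two tools disagree on an artifact's time, a third, independent decoding of the raw stored value tells you which one to believe, which is exactly the "use more than one tool" stage above.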
Last year, I gave a presentation on Reporting for Digital Forensics at the SANS Digital Forensics Virtual Summit. It was my very first time doing something like that and if you happen to see it floating around YouTube, then you know how nervous I was and maybe you had a good laugh.
But that leads us into the final phase. Reporting.
This is where you will gather your notes and document your findings in a Digital Forensics Examination Report. You will also return the evidence to be preserved in case it needs to be accessed again by yourself or another examiner. You will also eventually have to give testimony, so I hope that you documented well. Thanks to COVID, there are cases that are still waiting to be heard from two years ago. Without good documentation, you could forget everything about one specific case.
So, go search for my video on YouTube if you want a deeper dive into this subject. After I have completed my white paper on the CAPER model, I intend to make an accompanying series of videos covering each phase and stage in greater detail.
This chart is something I started to help categorize which programs might possibly fall into which phase as far as their functionality. Some fall into only one phase, while others cross into multiple. Maybe one day, Digital Forensic software will come out with a labeling system like this to describe their proposed functionality. Or maybe not. But there are so many tools available and more being created every day, that I think a categorization such as this would be helpful to both new analysts and experienced examiners alike. If you would like to add your opinion on this chart or perhaps help me to identify other programs not listed, then I would greatly appreciate it.
But that’s it! That’s my presentation. That’s my proposed process model, or Guideline Framework if you prefer. I recognize that I am still fairly young in my career, however, this is the model I use to actually do the job every day. And now that you have seen it, I hope that you will challenge it with your questions, so that together perhaps, we can all create something more perfect and practical for everyone.
And by the way, this QR code links to my LinkedIn, and not my bank account. You can also find me on Twitter under, TheJasonWilkins. Not to be pretentious or vain, but JasonWilkins was taken.
So, thank you for joining and I will be happy to answer any questions in the chat or in private message on social media.
Enjoy the Summit!