Thursday 11 April 2013

SOP 1 about Digital Forensic Examination Procedure

This SOP comprises 7 parts, namely:
1. Introduction
2. Purpose
3. Scope
4. Reference
5. Materials and Device
6. Implementation
7. Related Documents

1. Introduction

One type of evidence that can be found at a scene, in both civil and criminal cases, is electronic evidence such as personal computers (PCs), laptops/notebooks, netbooks, tablet PCs, mobile phones, flash disks, memory cards, etc. Electronic evidence plays a significant role in the disclosure of a case because it stores digital data that can be used to explain the history of the case and to reconstruct it. Therefore, the examination of electronic evidence should be based on SOP 6 to SOP 15, which refer to the international guidelines issued by the Association of Chief Police Officers (ACPO) and 7Safe in the UK and by the National Institute of Justice under the US Department of Justice, so that the results are as expected and can be justified scientifically and legally.
In addition to those SOPs, digital forensic examination of electronic evidence should also be carried out according to SOP 2, which sets the working-hours commitment for each examination, including each of its phases in detail. This is intended to keep the examination efficient and effective so that it supports faster inquiry and further investigation.
To obtain an integrated set of SOPs for digital forensic examination as a whole, SOP 1 is required; it describes the comprehensive procedure for digital forensic examination, starting from activities at the scene and ending with analysis activities in the laboratory. Through SOP 1, digital forensic examiners and investigators are expected to understand that the digital forensics function starts with the initial examination at the scene and continues to the more complex further examination in the laboratory. Because the initial handling of the evidence already involves the digital forensics function, the procedural validity of the evidence and the integrity of the chain of custody (the record of the evidence's journey from the crime scene to the trial) can be justified scientifically. In addition, the initial data needed for the inquiry or investigation can be obtained quickly, because applying SOP 1 to the initial examination of electronic evidence at the crime scene ensures that it is done correctly.

2. Purpose

To establish orderly administrative and technical handling of electronic evidence in a comprehensive manner, from the crime scene to the laboratory, in order to support inquiry and investigation quickly and correctly.

3. Scope

3.1. Examination Principles
3.2. Triage Forensic
3.3. Further Examination in the laboratory

4. Reference

4.1. ACPO, 7Safe (2008). Good Practice Guide for Computer-Based Electronic Evidence. UK ACPO and 7Safe.
4.2. National Institute of Justice (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. US National Institute of Justice.
4.3. Al-Azhar, M.N. (2012). "Digital Forensic: Practical Guidelines for Computer Investigation". Salemba Infotek, Jakarta.

5. Materials and Device

5.1. Analysis workstation
5.2. Notes set
5.3. Hard disk dock or USB to IDE/SATA cable
5.4. Card reader
5.5. External harddisk
5.6. Handphone data cable
5.7. Simcard reader
5.8. Hardware/Software for write protect
5.9. Jammer
5.10. Faraday bag
5.11. Portable mobile forensic device
5.12. Flashdisk
5.13. Software for forensic imaging
5.14. Software for triage forensic
5.15. Hardware/software for audio enhancement
5.16. Software for voice recognition analysis
5.17. Software for video forensic analysis
5.18. Software for digital image forensic analysis
5.19. Software for network forensic analysis

6. Implementation

6.1. Examination Principles

These refer to the ‘Good Practice Guide for Computer-Based Electronic Evidence’ published by the Association of Chief Police Officers (ACPO). They are:
6.1.1. Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
6.1.2. Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
6.1.3. Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
6.1.4. Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
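As an added illustration of Principles 1 and 3 (this script is not part of the SOP or of the ACPO guide), the following Python code images a stand-in evidence file, hashes source and image with two algorithms, records every step in an audit trail, and shows how an independent party re-verifies the image later and detects a changed image. The evidence bytes, file names and examiner ID are constructed assumptions; on a real device the source would be read behind the write blocker listed under 5.8.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # hash and copy in 1 MiB chunks; images rarely fit in RAM

# Constructed sample standing in for the contents of a seized storage device.
SAMPLE_EVIDENCE = b"MBR\x00" * 64 + b"case-file.docx contents (constructed sample)\n" * 100


def hash_file(path):
    """Return MD5 and SHA-256 of a file, read in chunks.

    Two algorithms are recorded so that a later verifier can reproduce
    either one independently (Principle 3)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def log_action(trail, examiner, action, **details):
    """Append one audit-trail record (Principle 3): who, what, when, outcome."""
    trail.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        **details,
    })


def acquire_and_verify(source_path, image_path, examiner, trail):
    """Image the source, then prove the image is bit-identical to the source.

    The source is only ever opened read-only (Principle 1). Returns True
    only if every hash of the image matches the corresponding source hash."""
    source_hashes = hash_file(source_path)
    log_action(trail, examiner, "hash_source", path=source_path, **source_hashes)

    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK_SIZE)
    log_action(trail, examiner, "acquire", source=source_path, image=image_path)

    image_hashes = hash_file(image_path)
    verified = image_hashes == source_hashes
    log_action(trail, examiner, "verify_image", path=image_path,
               result="MATCH" if verified else "MISMATCH", **image_hashes)
    return verified


def reverify(image_path, expected_hashes):
    """What an independent third party does later: recompute and compare."""
    return hash_file(image_path) == expected_hashes


def run_demo():
    """Run the whole workflow on the constructed sample in a temp directory."""
    trail = []
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "evidence_device.bin")  # stand-in device
        image = os.path.join(workdir, "evidence_device.dd")    # hypothetical name
        with open(source, "wb") as f:
            f.write(SAMPLE_EVIDENCE)

        verified = acquire_and_verify(source, image, "examiner-01", trail)
        recorded = {"md5": trail[0]["md5"], "sha256": trail[0]["sha256"]}
        intact = reverify(image, recorded)

        # Simulate a later one-byte change to the image: re-verification must fail.
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        tamper_detected = not reverify(image, recorded)

    return {
        "verified": verified,
        "reverified": intact,
        "tamper_detected": tamper_detected,
        "sha256": recorded["sha256"],
        "reference_sha256": hashlib.sha256(SAMPLE_EVIDENCE).hexdigest(),
        "audit_trail": trail,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

A mismatch on re-verification means the image can no longer be relied upon as a copy of what was hashed at acquisition; in practice the trail entries are kept with the chain-of-custody documentation so that the third party of Principle 3 can repeat exactly these steps and obtain the same hashes.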

6.2. Triage Forensic

6.2.1. Examination procedure when the evidence is in OFF state
The phases below are explained in detail in SOP 6 on Triage Forensic:
- Checking
- Power off
- Labeling
- Documentation
- Submitting to the lab

6.2.2. Examination procedure when the evidence is in ON state
The phases below are explained in detail in SOP 6 on Triage Forensic, except for live acquisition:
- Checking
- Initial Data Extraction
- Live Acquisition, referring to SOP 7
- Power off
- Labeling
- Documentation
- Submitting to the lab

6.3. Further examination in the lab

6.3.1. Examination and Analysis on Harddisk, Flashdisk and Memory Card
The phases below are explained in detail in their respective SOPs; the expected time required for each stage is given in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Analysis: SOP 9
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.2. Examination and Analysis on Handphone and Simcard
The phases below are explained in detail in their respective SOPs; the expected time required for each stage is given in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 10
- Analysis: SOP 11
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.3. Examination and Analysis on Audio Forensic
The phases below are explained in detail in their respective SOPs; the expected time required for each stage is given in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Audio Enhancement: SOP 12
- Decoding: SOP 12
- Analysis: SOP 12
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.4. Examination and Analysis on Video Forensic
The phases below are explained in detail in their respective SOPs; the expected time required for each stage is given in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Metadata Analysis: SOP 13
- Frame Analysis: SOP 13
- Bitrate Histogram Analysis: SOP 13
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.5. Examination and Analysis on Digital Image Forensic
The phases below are explained in detail in their respective SOPs; the expected time required for each stage is given in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Metadata Analysis: SOP 14
- Enrichment: SOP 14
- Pixel Analysis: SOP 14
- Super Resolution: SOP 14
- Reporting: SOP 3
- Submitting evidence: SOP 5

6.3.6. Examination and Analysis on Network Forensic
The phases below are explained in detail in their respective SOPs; the expected time required for each stage is given in SOP 2.
- Receiving evidence: SOP 4
- Acquisition: SOP 8
- Email Analysis: SOP 15
- IP Address Analysis: SOP 15
- Online Social Media Analysis: SOP 15
- Online Gambling Analysis: SOP 15
- Data Mining and Profiling: SOP 15
- Reporting: SOP 3
- Submitting evidence: SOP 5

7. Related Documents

The same as the References at point 4, with the addition of:
7.1. Carrier, B. (2007). File System Forensic Analysis. Addison-Wesley.
7.2. Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Elsevier Academic Press.
7.3. Johnson, T. A. (2005). Forensic Computer Crime Investigation. Taylor & Francis.
7.4. Marcella, A.J. and Greenfield, R. S. (2002). Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. CRC Press.
7.5. Middleton, B. (2002). Cyber Crime Field Handbook. CRC Press.
7.6. Sammes, T. and Jenkinson, B. (2007). Forensic Computing: A Practitioner’s Guide. Springer.
7.7. Indonesian Act No. 11 of 2008 on Electronic Information and Transactions.


Written by:
Chief of Computer Forensic Sub-Department
Indonesian Police Forensic Laboratory Center

Muhammad Nuh Al-Azhar, MSc., CHFI, CEI
Superintendent Police

Agreed by:
Chief of Physics and Computer Forensic Department
Indonesian Police Forensic Laboratory Center

Drs. Andi Firdaus
Senior Superintendent Police


Note:
To download the Indonesian version of SOP 1, please click the link below:
https://dl.dropboxusercontent.com/u/4868186/DFAT_SOP_2013/SOP1_ProsedurPemeriksaanDigitalForensik.pdf

6 comments:

  1. Hello,
    This is a really good and helpful reference for SOPs in digital forensics. Especially for me, as I have just started to be involved in a real working environment of digital forensics. Anyway, is there by any chance a complete documentation (published or unpublished) of the SOPs, as you mentioned in a previous entry, that I can learn and adopt from? Or perhaps I should stay tuned to your blog? It would be really helpful for a newbie like me. Thanks.
    Cheers, -Steph
  2. What a post! This is really informative and I find it really helpful. Thanks for sharing.

    -KAndRForensic.com

  3. You are not selling your book?

  4. Where can I find the other SOPs which you have stated, like SOP 2, 4, 5, 6...
  5. Pak Nuh, may I have your contact details, email or mobile number? This is for curriculum purposes. Thank you. Regards,

    Mughni