SOP 2 about Working Hours Commitment
This SOP comprises 7 parts, namely:
1. Introduction
2. Purpose
3. Scope
4. Reference
5. Materials and Device
6. Implementation
7. Related Documents
1. Introduction
One type of evidence that can be found at the scene, in both civil and criminal cases, is electronic/digital evidence such as personal computers (PCs), laptops/notebooks, netbooks, tablet PCs, mobile phones, flash disks, memory cards, voice recordings, video recordings, digital images and others. Electronic evidence has a significant position in the disclosure of a case because it stores digital data that can be used to explain the history and reconstruction of the case. Therefore, the examination of electronic evidence should be based on SOP 8 to 15, which refer to the international guidelines issued by the Association of Chief Police Officers (ACPO) and 7Safe in the UK and by the National Institute of Justice under the US Department of Justice, so that the results are as expected and can be justified scientifically and legally.
SOP 8 to 15 require a working reference that describes the time range needed for their technical implementation. This is necessary so that the digital forensic examination of electronic/digital evidence can be run efficiently and effectively, and so that the results are more useful for investigators, who need fast examination results to decide on further investigation. With the required time range described technically, the examiner can determine how long one type of digital forensic examination will take when carried out procedurally.
For that reason, SOP 2 describes the time range required for each type of examination, called the 'Working Hours Commitment'. This working hours commitment describes in more detail the time range for each type of examination, which generally consists of 5 (five) stages, namely the acceptance phase, acquisition, analysis, reporting and submitting evidence. With these detailed steps, it can serve as a technical guide for digital forensic examiners from the start to the end of an examination, in accordance with the expected procedures. Nevertheless, the time range is predictive and is adapted flexibly to the complexity of the case.
2. Purpose
For the orderly administration and technical conduct of digital forensic examinations as described in SOP 8 to 15, with a description of the time range (working hours commitment) required for each examination, where the working hours commitment is based on the assumption of 7 working hours within 1 working day.
3. Scope
The scope of this SOP is as follows:
3.1. Working Hours for examination and analysis on Harddisk
3.2. Working Hours for examination and analysis on Handphone
3.3. Working Hours for examination and analysis on Simcard
3.4. Working Hours for examination and analysis on Flashdisk/Memory Card
3.5. Working Hours for examination and analysis on Triage Forensic
3.6. Working Hours for examination and analysis on Audio Forensic
3.7. Working Hours for examination and analysis on Video Forensic
3.8. Working Hours for examination and analysis on Digital Image Forensic
3.9. Working Hours for examination and analysis on Network Forensic
4. Reference
4.1. ACPO, 7Safe (2008). Good Practice Guide for Computer-Based Electronic Evidence. UK ACPO and 7Safe.
4.2. National Institute of Justice (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. US National Institute of Justice.
4.3. Al-Azhar, M.N. (2012). "Digital Forensic: Practical Guidelines for Computer Investigation". Salemba Infotek, Jakarta.
5. Materials and Device
5.1. Analysis workstation
5.2. Notes set
5.3. Harddisk dock or USB to IDE/SATA cable
5.4. Card reader
5.5. External harddisk
5.6. Handphone data cable
5.7. Simcard reader
5.8. Jammer
5.9. Faraday bag
5.10. Portable mobile forensic device
5.11. Flashdisk
5.12. Software for forensic imaging
5.13. Software for write protect
5.14. Software for triage forensic
5.15. Hardware/software for audio enhancement
5.16. Software for voice recognition analysis
5.17. Software for video forensic analysis
5.18. Software for digital image forensic analysis
5.19. Software for network forensic analysis
6. Implementation
The following working hours commitments do not include the number of hours used for clarifying data/digital findings with investigators, because that often takes a long time and cannot be predicted exactly, as it depends on the workload of the investigation team. This SOP only discusses working hours for the technical examination and analysis of digital forensics within the Computer Forensic Sub-Department.
6.1. Working Hours for examination and analysis on Harddisk
The working hours commitment for the examination and analysis of 1 unit of hard disk is about 38 working hours (about 6 working days), with the details as follows:
6.1.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours
6.1.2. Acquisition phase
- Preparing data cable/docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 320GB harddisk, including bad sectors in average): 10 hours
Total: 11 hours
6.1.3. Analysis phase
- Extracting investigative data (including physical recovery in average): 8 hours
- Analysing investigative data: 8 hours
Total: 16 hours
6.1.4. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours
6.1.5. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours
6.2. Working Hours for examination and analysis on Handphone
The working hours commitment for the examination and analysis of 1 unit of handphone is about 25 working hours (about 4 working days), with the details as follows:
6.2.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours
6.2.2. Acquisition phase
- Preparing data cable for connection: 0.75 hour
- Labeling evidence: 0.25 hour
- Physical/logical backup: 6 hours
Total: 7 hours
6.2.3. Analysis phase
- Extracting investigative data: 3 hours
- Analysing investigative data: 3 hours
Total: 6 hours
6.2.4. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours
6.2.5. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours
6.3. Working Hours for examination and analysis on Flashdisk/Memory Card
The working hours commitment for the examination and analysis of 1 unit of flashdisk/memory card is about 21 working hours (about 3 working days), with the details as follows:
6.3.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours
6.3.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 32GB flashdisk): 1 hour
Total: 2 hours
6.3.3. Analysis phase
- Extracting investigative data (including physical recovery): 3 hours
- Analysing investigative data: 4 hours
Total: 7 hours
6.3.4. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours
6.3.5. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours
6.4. Working Hours for examination and analysis on Simcard
The working hours commitment for the examination and analysis of 1 unit of simcard is about 16 working hours (about 3 working days), with the details as follows:
6.4.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours
6.4.2. Acquisition phase
- Preparing for connection: 0.25 hour
- Labeling evidence: 0.25 hour
- Physical/logical backup: 0.5 hour
Total: 7 hours
6.4.3. Analysis phase
- Extracting investigative data: 1 hour
- Analysing investigative data: 2 hours
Total: 3 hours
6.4.4. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours
6.4.5. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours
6.5. Working Hours for examination and analysis on Triage Forensic
The working hours commitment for the examination and analysis of 1 unit of PC computer/laptop (ON and OFF) at the scene is about 9 working hours (about 2 working days), with the details as follows:
6.5.1. Discussing about facts of the case: 2 hours
6.5.2. Searching evidence: 0.5 hour
6.5.3. Checking technical specification: 0.5 hour
6.5.4. Computer is OFF (checking status and power): 1 hour
6.5.5. Computer is ON (inquiry and extracting investigative data): 4 hours
6.5.6. Documentation and labeling: 0.5 hour
6.5.7. Packaging evidence to submit to the lab: 0.5 hour
Total: 9 hours
6.6. Working Hours for examination and analysis on Audio Forensic
The working hours commitment for the examination and analysis of 1 case of audio forensic is about 49 working hours (about 7 working days), with the details as follows:
6.6.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours
6.6.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 32GB recorder): 1 hour
- Extracting audio file, then hash and spectrum analysis: 1 hour
Total: 3 hours
6.6.3. Metadata Analysis phase
For file authentication analysis: 1 hour
6.6.4. Audio Enhancement phase
For increasing audio quality: 3 hours
6.6.5. Decoding phase
For transcribing audio (for 30 minute duration): 6 hours
6.6.6. Analysis phase
- Selecting at least 20 different words (between known and unknown samples): 4 hours
- Statistical analysis (for formant and bandwidth), graphical distribution (for formant) and spectral pattern (for spectrogram): 20 hours
Total: 24 hours
6.6.7. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours
6.6.8. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours
6.7. Working Hours for examination and analysis on Video Forensic
The working hours commitment for the examination and analysis of 1 case of video forensic is about 22 working hours (about 4 working days), with the details as follows:
6.7.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours
6.7.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 32GB recorder): 1 hour
- Extracting video file, then hash analysis: 1 hour
Total: 3 hours
6.7.3. Metadata Analysis phase
For file authentication analysis: 1 hour
6.7.4. Frame Analysis phase
For analysing edited parts and describing activities: 4 hours
6.7.5. Bitrate Histogram Analysis phase
For analysing edited parts: 2 hours
6.7.6. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours
6.7.7. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours
6.8. Working Hours for examination and analysis on Digital Image Forensic
The working hours commitment for the examination and analysis of 1 case of digital image forensic is about 23 working hours (about 4 working days), with the details as follows:
6.8.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours
6.8.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 32GB recorder): 1 hour
- Extracting video file, then hash analysis: 1 hour
Total: 3 hours
6.8.3. Metadata Analysis phase
For file authentication analysis: 1 hour
6.8.4. Enrichment phase
For increasing digital image quality: 3 hours
6.8.5. Pixel and Zooming Analysis phase: 2 hours
6.8.6. Super Resolution
For increasing resolution quality before extracting frames: 2 hours
6.8.7. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours
6.8.8. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours
6.9. Working Hours for examination and analysis on Network Forensic
The working hours commitment for the examination and analysis of 1 case of network forensic is about 39 working hours (about 6 working days), with the details as follows:
6.9.1. Acceptance phase
- Accepting evidence: 0.25 hour
- Checking technical specification: 0.75 hour
- Discussing about facts of the case: 2 hours
Total: 3 hours
6.9.2. Acquisition phase
- Preparing docking and storage: 0.75 hour
- Labeling evidence: 0.25 hour
- Forensic imaging (for a 320GB harddisk of a server): 10 hours
Total: 11 hours
6.9.3. Email Analysis phase: 2 hours
6.9.4. IP Address Analysis phase: 2 hours
6.9.5. Online Social Media Analysis phase: 2 hours
6.9.6. Online Gambling Analysis phase: 6 hours
6.9.7. Data Mining and Profiling phase: 4 hours
6.9.8. Reporting phase
- Re-checking technical specification: 0.5 hour
- Re-checking findings/digital evidence: 0.5 hour
- Making formal report for pro-justice: 6 hours
Total: 7 hours
6.9.9. Submitting phase
- Packaging evidence: 1 hour
- Labeling the package: 0.5 hour
- Logging evidence submitted: 0.5 hour
Total: 2 hours
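Because every section above is a sum of line items, a stated phase total, a stated per-unit total and a day count derived from the 7-hour working day of section 2, the tables can be checked mechanically before a revision of the SOP is signed off. The following is an added example and not part of the SOP or the laboratory's own tooling: it re-enters three of the tables (6.1, 6.4 and 6.5) as Python data, with the hour values copied from the text, and reports every place where the line items, phase totals, section headers and working-day figures disagree with one another. The `Phase`/`Examination` classes and the `check` function are assumptions of this example, not names used by the SOP.

```python
"""Consistency check for the SOP 2 working-hours tables (added example).

Three checks are made for each examination type:
  (a) the line items of each phase add up to the phase's stated total,
  (b) the stated phase totals add up to the hours in the section header,
  (c) the header's working-day figure equals the header's hours divided by
      the SOP's 7-hour working day, rounded up to whole days.
Mismatches are returned as findings rather than silently corrected, so the
author of the SOP can decide which figure is the intended one.
"""
import math
from dataclasses import dataclass

HOURS_PER_DAY = 7  # section 2: 7 working hours within 1 working day


@dataclass
class Phase:
    name: str
    items: dict          # activity -> hours, as listed under the phase
    stated_total: float  # the "Total: N hours" line under the phase


@dataclass
class Examination:
    section: str
    stated_hours: float  # "about N working hours" in the section header
    stated_days: int     # "about N working days" in the section header
    phases: list


# The acceptance, reporting and submitting phases are identical in every
# section of the SOP, so they are built once here (values copied from 6.1).
def acceptance() -> Phase:
    return Phase("Acceptance", {"Accepting evidence": 0.25,
                                "Checking technical specification": 0.75,
                                "Discussing about facts of the case": 2}, 3)


def reporting() -> Phase:
    return Phase("Reporting", {"Re-checking technical specification": 0.5,
                               "Re-checking findings/digital evidence": 0.5,
                               "Making formal report for pro-justice": 6}, 7)


def submitting() -> Phase:
    return Phase("Submitting", {"Packaging evidence": 1,
                                "Labeling the package": 0.5,
                                "Logging evidence submitted": 0.5}, 2)


# Tables re-entered from the SOP text (hours exactly as printed there).
HARDDISK = Examination("6.1 Harddisk", 38, 6, [
    acceptance(),
    Phase("Acquisition", {"Preparing data cable/docking and storage": 0.75,
                          "Labeling evidence": 0.25,
                          "Forensic imaging (320GB)": 10}, 11),
    Phase("Analysis", {"Extracting investigative data": 8,
                       "Analysing investigative data": 8}, 16),
    reporting(), submitting()])

SIMCARD = Examination("6.4 Simcard", 16, 3, [
    acceptance(),
    Phase("Acquisition", {"Preparing for connection": 0.25,
                          "Labeling evidence": 0.25,
                          "Physical/logical backup": 0.5}, 7),
    Phase("Analysis", {"Extracting investigative data": 1,
                       "Analysing investigative data": 2}, 3),
    reporting(), submitting()])

TRIAGE = Examination("6.5 Triage Forensic", 9, 2, [
    Phase("Triage at the scene", {"Discussing about facts of the case": 2,
                                  "Searching evidence": 0.5,
                                  "Checking technical specification": 0.5,
                                  "Computer is OFF": 1,
                                  "Computer is ON": 4,
                                  "Documentation and labeling": 0.5,
                                  "Packaging evidence": 0.5}, 9)])


def days_for(hours: float, hours_per_day: int = HOURS_PER_DAY) -> int:
    """Whole working days needed for a budget of hours, rounded up."""
    return math.ceil(hours / hours_per_day)


def check(exam: Examination) -> list:
    """Return human-readable findings; an empty list means the table is consistent."""
    findings = []
    for ph in exam.phases:                                  # check (a)
        item_sum = sum(ph.items.values())
        if not math.isclose(item_sum, ph.stated_total):
            findings.append(f"{exam.section} {ph.name}: items sum to {item_sum:g} h, "
                            f"stated phase total is {ph.stated_total:g} h")
    phase_sum = sum(ph.stated_total for ph in exam.phases)  # check (b)
    if not math.isclose(phase_sum, exam.stated_hours):
        findings.append(f"{exam.section}: phase totals sum to {phase_sum:g} h, "
                        f"header states {exam.stated_hours:g} h")
    expected_days = days_for(exam.stated_hours)             # check (c)
    if expected_days != exam.stated_days:
        findings.append(f"{exam.section}: {exam.stated_hours:g} h is {expected_days} "
                        f"working days at {HOURS_PER_DAY} h/day, header states "
                        f"{exam.stated_days}")
    return findings


if __name__ == "__main__":
    for exam in (HARDDISK, SIMCARD, TRIAGE):
        print(exam.section, "OK" if not check(exam) else "")
        for line in check(exam):
            print("  -", line)
```

Run as printed, the script reports that the phase totals of 6.1 add up to 39 hours while its header says 38, and that the 6.4 acquisition items add up to 1 hour while the phase states 7 (which in turn makes the 6.4 phase totals exceed the 16-hour header); 6.5 passes all three checks. The day counts of all three headers agree with the 7-hour day, which is why the check compares days against the header's own hours rather than the recomputed sum.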
7. Related Documents
These are the same as the References at point 4, with the addition of:
7.1. Carrier, B. (2007). File System Forensic Analysis. Addison-Wesley.
7.2. Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Elsevier Academic Press.
7.3. Johnson, T. A. (2005). Forensic Computer Crime Investigation. Taylor & Francis.
7.4. Marcella, A.J. and Greenfield, R. S. (2002). Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. CRC Press.
7.5. Middleton, B. (2002). Cyber Crime Field Handbook. CRC Press.
7.6. Sammes, T. and Jenkinson, B. (2007). Forensic Computing: A Practitioner's Guide. Springer.
7.7. Indonesian Act No. 11 year 2008 about Electronic Information and Transaction.
Written by:
Chief of Computer Forensic Sub-Department
Indonesian Police Forensic Laboratory Center
Muhammad Nuh Al-Azhar, MSc., CHFI, CEI
Superintendent Police
Agreed by:
Chief of Physics and Computer Forensic Department
Indonesian Police Forensic Laboratory Center
Drs. Andi Firdaus
Senior Superintendent Police
Note:
To download the SOP 2 in Indonesian version, please click the link below:
http://db.tt/o7KXuW4m
Thank you for sharing this valuable resource. I really appreciate that you have done the metrics on how long certain routine events in the lab should take. This saves a lot of time at our end "reinventing the wheel". Looking forward to more of your posts on this topic. The lack of SOP's is a major downfall in many local departments that I'm aware of. This information will be distributed widely. --Cheers, Preston
Very systematic and clean way of outlining the forensic procedure. This is really useful to us who often get to write some details on forensic cases. Thanks for sharing your thoughts and exemplifying things for us!
- KAndRForensic.com
Very useful resource, especially for beginners. Your attention to detail (in hours) is very precise. This is a great tool to defend investigative integrity before the defense system.