Forensic search

Forensic search is an emerging field of computer forensics. Forensic search focuses on user created data such as email files, cell phone records, office documents, PDFs and other files that are easily interpreted by a person.

Forensic search differs from computer forensic analysis in that it does not seek to review or analyze the lower level system files such as the registry, link files or disk level issues more commonly associated with traditional computer forensic analysis.

Purpose
Forensic search has emerged due to a number of factors including:
 * Improvements in technologies to enable lesser qualified users to undertake search and analysis of data that would have previously been undertaken only by a computer forensic expert. (This trend can be seen in many industries).
 * A need to reduce the high cost of undertaking a full computer forensic analysis of a user's computer, when in most cases the evidence found in the user created data is most useful and all that is required.
 * The rise of Cloud computing which has seen a move away from data storage on local computer hardware to data storage in any number of remote locations.
 * A lack of qualified computer forensic experts
 * The need to address the backlog of cases in most policing agencies where computer-based information requires review.
 * The need to involve other types of expertise for proper assessment of evidence, e.g. knowledge of accounting regulations, legal knowledge, etc.

Objectives
The objective of forensic search software is to allow a person with only a general knowledge of computers, but skilled in document review or investigation techniques, to undertake a search of user created electronically stored information (ESI). Data that is typically considered to be user created ESI is made up of emails, documents, pictures and other file types created by a user, as opposed to data created by the computer's operating system (i.e. registry files, link files and unallocated space, which are controlled or created by the computer and not the user). The objective of reviewing the user created data is to find information on which decisions can be based as part of an investigation.

Forensic search software
Forensic search software differs from using the native applications (e.g. Outlook) or desktop search software (e.g. Google Desktop) to search the data in that no changes are made to the data during processing or searching that may impact the results or skew the findings. Forensic search software will also allow access to the base metadata of items not available via the native application. A good example of this would be the metadata in MS Word documents. A number of forensic search software products will be able to perform data recovery on a range of email file types.

Some examples of how using the native application or non-forensic application can affect the data:
 * Opening a Microsoft Word document in Microsoft Word may change the created, modified or last accessed dates in the document. This could lead to the incorrect dates being supplied in evidence.
 * Reviewing data in some native applications will trigger the system's antivirus software, again changing data or altering evidence.
 * Failure to freeze the evidence prior to opening the files, coupled with the fact that merely opening the files changes them, can and has invalidated critical evidence.

Forensic search software has become popular as a method of reducing the time and cost of search and analysis of larger data sets by focusing on the user data that most often yields evidence or results.

E-mail tends to be personal, plentiful and candid. For most adults, e-mail is their primary means of written communication and is often sought after for evidence. A new generation of tools is being developed in order to address the challenges being faced by digital forensic and eDiscovery practitioners.

Other types of review
Forensic search software has been likened to eDiscovery review software; however, this is not strictly the case. eDiscovery review software, while dealing with many of the same types of computer records and search options, offers functionality beyond that of forensic search software. Features such as redaction and legal hold are standard in eDiscovery review software. It is also the case that forensic search software does not cover the higher-end tasks outlined in the widely accepted Electronic Discovery Reference Model (EDRM). Tasks such as identification, collection, preservation or presentation are generally not covered by forensic search software.

However, true eDiscovery review is generally the domain of qualified legal practitioners or companies.

The use of the term eDiscovery has become a catchall in some circles for the processing and searching of electronically stored information (ESI). However, this is not a true representation of the term of eDiscovery. For a more detailed understanding of eDiscovery, the Electronic Discovery Reference Model (EDRM) is a good guideline. It could be said that forensic search is more closely related to early case assessment (ECA) than eDiscovery as ECA does not require the rigor of a full eDiscovery review.

Evidence value of user created data versus other types of data
When presenting data as part of a report that may be used to form a decision or as evidence, it is important that the data be correctly represented so the reader can understand it. In the case of generating reports on system created data such as registry files, link files and other system created data this can be a costly exercise. It can also be the case that there is no straightforward answer or explanation.

An example of this would be attempting to explain to a lay person the method and techniques of decoding the UserAssist key in the Windows system registry. The UserAssist key can hold a great deal of information about the actions of the user of the computer. However, to explain this key, the reviewer has to be able to identify the key and correctly interpret the key setting. The keys are often encoded with ROT13.
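To show what "decoding and interpreting" involves, the following added example (not part of the original article or of any forensic product) decodes a ROT13 value name and reads the run count and last-run time from the value data. The sample name and data are constructed, and the 72-byte layout (run count at offset 4, FILETIME at offset 60) is the one commonly documented for Windows 7 and later, treated here as an assumption.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: a value name as it would appear in the registry (ROT13)
# and 72 bytes of value data built to match the assumed layout.
SAMPLE_NAME = r"P:\Hfref\nyvpr\abgrcnq.rkr"
SAMPLE_DATA = (struct.pack("<IIII", 0, 7, 3, 45000) + bytes(44)
               + struct.pack("<QI", 132223104000000000, 0))


def decode_name(value_name):
    """ROT13 rotates only A-Z and a-z; digits, braces and backslashes pass through."""
    return codecs.decode(value_name, "rot_13")


def parse_entry(value_name, data):
    """Decode one UserAssist value (assumed 72-byte layout, Windows 7 and later)."""
    if len(data) != 72:
        raise ValueError(f"unexpected data length {len(data)}; layout not handled")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (filetime,) = struct.unpack_from("<Q", data, 60)
    last_run = None
    if filetime:  # FILETIME counts 100 ns ticks since 1601-01-01 UTC
        last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {
        "name": decode_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "last_run_utc": last_run,
    }


if __name__ == "__main__":
    print(parse_entry(SAMPLE_NAME, SAMPLE_DATA))
```

Even with the values decoded, the reviewer still has to explain what a run count or focus time means for the case, which is the reporting cost the paragraph describes.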

Once these keys are decoded to human readable formats, the reviewer then has to show how a setting relates to the case. It is often time-consuming to review hundreds, even thousands, of settings that at times only deliver very circumstantial and sometimes contentious findings. When reviewing user created data such as e-mail or contracts, reporting and understanding the findings is often much more straightforward. The semi-skilled user will usually have a good grasp of how email works as they use it in their day-to-day work. A person trained in law will understand a contract and does not need specialist forensic knowledge to do so. This can lead to much lower costs of review and less contentious or circumstantial findings.

High-level functionality of forensic search software
The features of forensic search software are focused on allowing the user to search and view a range of data and users’ files at one time.

Specific features of forensic search software include:
 * The ability to process varying types of data enabling it to be searched by the reviewer with little or no computer forensic knowledge
 * Keyword searching across all data and data types processed
 * The ability to create complex searches such as including or excluding data
 * Using MD5 and other algorithms to search and identify files and data
 * The ability to filter based on metadata such as dates, email addresses and file types
 * The ability to review different data types in the same search results
 * The ability to view all results in the same user interface
 * The ability to export items to various formats i.e. email, Word, HTML
 * The ability to create shareable reports
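
A minimal sketch of three of these features together (keyword search, hash matching and a file-type filter), combined with the requirement stated earlier that processing must not change the data. This is an added example, not code from the article or from any forensic search product; the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def index_file(path, keywords):
    """Hash and keyword-scan one file through a read-only binary handle."""
    needles = {k: k.lower().encode() for k in keywords}
    overlap = max((len(n) for n in needles.values()), default=1) - 1
    before = path.stat()
    md5, sha256, hits, tail = hashlib.md5(), hashlib.sha256(), set(), b""
    with open(path, "rb") as fh:  # never opened for writing
        while chunk := fh.read(65536):
            md5.update(chunk)
            sha256.update(chunk)
            buf = tail + chunk  # keep a tail so matches spanning two chunks are found
            hits.update(k for k, n in needles.items() if n in buf.lower())
            tail = buf[-overlap:] if overlap > 0 else b""
    after = path.stat()
    return {
        "path": str(path), "md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
        "modified_ns": before.st_mtime_ns, "keyword_hits": sorted(hits),
        # Modified time and size must be identical after processing.
        "unaltered": (before.st_mtime_ns, before.st_size) == (after.st_mtime_ns, after.st_size),
    }


def search(root, keywords=(), known_md5=frozenset(), suffixes=None):
    """Return records that hit a keyword or match a known MD5, optionally filtered by type."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or (suffixes and path.suffix.lower() not in suffixes):
            continue
        rec = index_file(path, keywords)
        if rec["keyword_hits"] or rec["md5"] in known_md5:
            results.append(rec)
    return results


def demo():
    """Constructed sample data: two small files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        memo, note = Path(tmp, "memo.txt"), Path(tmp, "note.eml")
        memo.write_bytes(b"Quarterly figures attached.")
        note.write_bytes(b"Subject: Invoice 4471\r\n\r\nPlease wire the INVOICE total today.")
        os.utime(memo, ns=(10**18, 10**18))  # fixed timestamps so any drift would be visible
        known = {hashlib.md5(b"Quarterly figures attached.").hexdigest()}
        return search(tmp, keywords=["invoice", "wire"], known_md5=known)
```

Last-accessed times are outside this check because whether a read updates them depends on the file system and mount options, which is one reason to process a write-protected copy rather than the original.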

Changes in computer forensics
There are many newer and emerging fields of computer forensics such as Cloud forensics, mobile phone forensics, network forensics, memory analysis, browser forensics, forensic triage and internet forensics. In the not so distant past a computer forensic expert's most common role was to attend a person's house, place of work or data center to forensically "image" all computers or devices that may be involved in a case. This was categorized as the collection phase.

Once the collection phase was complete, these images were reviewed and the ESI that was relevant was supplied to the interested parties. This required the computer forensic investigator to have a good deal of experience and training in:
 * Identifying which computer, applications or devices may be involved
 * How to disassemble a computer and extract the hard drives of the computer without causing damage.
 * How to correctly take a forensic image to keep chain of custody
 * How to use the forensic analysis software to correctly interpret and supply the results

This process was time-consuming and costly. The computer forensic expert's primary role is to investigate the computer evidence (ESI). They may not have been as familiar with the entire case or its objectives as the case agent, detective, forensic accountant or crime analyst. This often led to imperfect or time-consuming identification of the correct evidence items between the differing parties. What would immediately flag the interest of a detective with a deep knowledge of the case and parties involved may go unnoticed by a computer forensic expert. An example would be an email from a suspect in another case to a suspect in this case, or contact / phone calls to a witness from a suspect.

To compound the issue, there has been a massive increase in the size of the data that the computer forensic expert needs to collect. It is now often the case that the computer hard drive is not able to be imaged, for example if the computer that contains the evidence is too big, or the system cannot be shut down to take an image as it is a mission critical server such as an email server or company file server. The rise of Cloud computing has also added challenges to the collection of evidence. The data that requires collection and review may reside in the Cloud. In this case there is no computer available to image. The forensic expert then needs to collect the information using forensic software designed to work with certain Cloud providers.

In short, the collection of evidence has changed significantly in the past few years. In recognition of these challenges, the concept of Hybrid Forensics has been discussed, along with the creation of tools that adopt a different approach to collecting data. The concept of Hybrid Forensics is the selective collection of data from 'live' systems in such a way that it may be considered as being reliable evidence in court.

Barriers to the adoption of forensic search in law enforcement
Law enforcement organizations, like many other organizations, are divided into skill-specific units. In the computer forensic / cybercrime area these units take responsibility for all aspects of the ESI. These units are usually time-poor and under-resourced.

Although time and resources are low, the main knowledge in the unit comes from officers or consultants with 7+ years of experience (this predates most computer forensic degrees available). These officers have become familiar over time with the methodology of using a forensic analysis software package, as this is all that was on offer when they started in the field. Hence, when new officers or resources become available, it is forensic analysis software that is prioritized over newer, more specific software and newer forensic field types.