Automated and Manual Forensic Examinations Research Paper

This sample Automated and Manual Forensic Examinations Research Paper is published for educational and informational purposes only. If you need help writing your assignment, please use our research paper writing service and buy a paper on any topic at affordable price. Also check our tips on how to write a research paper, see the lists of criminal justice research paper topics, and browse research paper examples.


Constant changes in the technology of computers and small-scale digital devices create a number of challenges for computer forensic examiners and the law enforcement community. Two of these challenges are the identification of devices and media and the retrieval of the data from these devices coupled with having the proper training in forensic techniques to recover digital data properly. Automated tools and command-line-driven techniques, known as manual forensics, are the two methods used to retrieve digital evidence from these devices. Today’s automated tools are often a more efficient method for forensic examiners to collect and analyze digital evidence than command-line procedures, which gain the same result. Depending on the situation and the type of device and media, different forensic methodologies are used. The computer forensic process is the identification, collection, preservation, analysis, and reporting of evidence recovered from computers and small-scale digital devices. This research paper looks at collection of digital data in three categories: (1) on-scene collection of digital devices and media, (2) on-scene collection of digital evidence, and (3) in-lab collection of digital evidence. Standards and Best Practices require examiners to perform analysis from a bit-by-bit copy of the original data to ensure data integrity. This bit-by-bit copy is commonly referred to as a forensic image. Depending on the circumstances an examiner is confronted with, forensic analysis can be performed at the logical or physical level of the device or media. Traditional command-line techniques and automated tools each have their own purpose during forensic examinations. Time constraints, type of examination, and exigent circumstances are some examples of why a particular methodology might be appropriate to use during an examination.


Computer forensics is the identification, collection, preservation, analysis, and reporting of evidence found on computer hard disk drives (HDD) and other small-scale digital devices and various storage media. This type of evidence is commonly referred to as digital evidence (Department of Justice 2004). Digital evidence is not only recovered from HDD but also CDs, DVDs, USB drives, SIM cards, etc. Small-scale digital devices such as cell phones, readers, IDevices (IPod®, IPhone®, IPad®), game boxes, GPSs, and even vehicle computers are commonly examined to recover digital evidence. The driving force for the evolution of computer forensics is the investigative needs of law enforcement and the rapid growth of the microcomputer field (Dixon 2005). Digital evidence was being collected and analyzed as early as the mid-1980s by the Federal Bureau of Investigation and certain military units within the Department of Defense. Law enforcement at the state and local level began to develop the expertise in the late 1980s and early 1990s.

In its infancy, computer forensics was accomplished using manual command-line-driven techniques, which evolved into suites of automated tools that are commonly used today. Microsoft’s DOS™ operating system provided some basic tools for early practitioners. For example, examiners used list, dir, chkdsk (check disk), file copy, CD, etc., with switching to identify and copy files. Examiners created batch files in DOS to execute multiple commands to accomplish steps in a forensic examination. Simple commands using DOS could accomplish many of the functions needed to retrieve digital evidence during an examination. However, as technology became more sophisticated, forensic examinations needed to evolve on pace with the technology. This evolution to automated tools happened when software developers began creating suites of automated tools to interpret data and perform the forensic exam (Dixon 2005). Even though some comparatively sophisticated automated computer forensic tools are now commonly used, practitioners often still rely on manual methods using Linux to perform many forensic functions.


Identification Of Digital Evidence

In the 1980s and1990s, identification of devices that actually stored digital data was very simple. With the exception of mainframe computers – which used magnetic tape as a storage media – storage media was only in one form, floppy disks. Personal and business computers used floppy disks to access their operating systems as well as application and data storage. As technology advanced, the operating systems, applications, and usergenerated data could be stored in two places: the HDD or on some configuration of floppy disk, that is, 5.25 in., 8 in., or 3.5 in. (Department of Justice 2004). As a result, law enforcement needed to know what an HDD and floppy disks of various sizes looked like. For those who were already working in the field of computer forensics, this was simple and straightforward because they were using HDDs, various kinds of floppy disks, and, although not as often, tape drives. However, very quickly, this simple task became much more challenging. Manufacturers began producing many different types (a veritable cornucopia) of storage media, Zip® disks, Bernoulli® disks, Jazz® disks, etc., which were capable of storing much more data. These new storage media were relatively expensive, and law enforcement often could not afford them. Another difficulty was that examiners might not have had the right equipment to read and image these media when the digital evidence was seized for examination in the lab.

Today’s USB devices are a great example of storage media that have drastically changed. These devices are now made in hundreds of configurations from Santa Claus statutes to sushi, making it sometimes difficult for the untrained to recognize them as potential repositories of digital evidence. Add to this the number of new small-scale digital devices, cell phones, GPSs, gaming stations, cameras, readers, IDevices, etc. that might also contain digital evidence, and training in identification becomes even more critical. These new sources for digital evidence have also dramatically increased the level of training required by examiners as well as increased the caseload for computer forensics’ laboratories. Additionally, storage schema and proprietary formatting continue to make forensic imaging of media a challenge and require specific training for examiners. Cell phone, GPS, and reader devices are other excellent examples of the diverse number of operating systems and storage schema being used by manufacturers, which now requires not only new tools and techniques to collect digital evidence but again specialized training for examiners.

All levels of law enforcement, from patrol officers to detectives and, of course, computer forensics examiners, are now expected to be able to identify devices and media that could potentially contain digital evidence; specific training in identification and seizure of digital media is now often a basic academy curriculum. This training is becoming standardized by organizations such as the National White Collar Crime Center (NW3C); however, these standards are not mandated. Further, although new automated tools and techniques have been and are being developed to keep pace with these challenges, training in their proper use is also required. Departments are always financially challenged to find the funding and time to keep officers properly trained in the various disciplines within the law enforcement field; computer forensics training at all levels is no less a challenge. (Refer to Open Questions for further discussion.)

Collection And Preservation Of Digital Evidence

Digital evidence must be collected in a fashion that both preserves and protects the device, the media, or the record(s) so that the original evidence is preserved in its exact original state. Additionally, practitioners must be able to demonstrate that the copy used for examination is an exact copy of the original. Preservation begins with the first contact with the evidence, which may be as simple as maintaining the chain of custody, and in the case of an HDD, it is packaged in non-static cushioned wrap and care taken not to expose the HDD to extremes of heat or cold. The National Institute of Justice, in partnership with the National Institute for Standards and Technology (NIST), authored the Electronic Crime Scene Investigation: A Guide for First Responders (2008). This publication is still the definitive guide for law enforcement’s collection of digital evidence today. These guidelines provide law enforcement with standards, guidelines, best practices, and strategies for collecting and preserving digital evidence.

For ease of discussion, collection is explained in three phases: (1) on-scene collection of physical devices and media, (2) on-scene collection of digital evidence, and (3) in-lab collection of digital evidence.

On-scene collection of devices and media simply means the proper marking and packaging and scrupulous documentation of chain of custody of the physical evidence. In the case of a computer that is connected to peripheral devices, such as a computer connected to a printer, router, mouse, and monitor, photographs and diagrams of all connected devices should be taken. These should be in such detail that the “system” could be reconfigured in court exactly as it was at the time of seizure (Department of Justice 2008; NW3C 2011). Digital evidence response training is now broken into three tiers: tiers I, II, and III. Generally, training required for identification and physical collection of digital evidence is tier I level training.

The second area is on-scene collection of digital evidence; tier II level training and expertise is required. There are a number of reasons that digital evidence might be collected on scene rather than in a computer forensics lab. Often the court requires that if a search warrant is being served at a business, for example, officers are required to collect or image the original media on scene and leave the business system up and running; this requirement usually depends on the size of the business. If the business is a relatively small operation, officers can use a forensic copy of the original HDD(s) to leave behind for the business to continue operations because an exact bit-by-bit image is made of the original media on scene. In other circumstances, when a large business operation is involved, examiners may be required to obtain forensic copies of files and folders (Schweha and Inch 2008).

On-scene collection of evidence may require that imaging be accomplished at a logical level as opposed to a physical bit-by-bit image level. A couple of examples that would require a logical level collection of digital evidence would be when encryption is encountered or exigent circumstances require immediate access to information because life or harm is eminent.

Data that is encrypted is not accessible once a computer is powered down without the password or phrase that allows re-accessing the encrypted volume, that is, file, folder, or disk. Normally, a computer that is being seized as evidence is powered down by removing the power source – power cord or battery – rather than using the operating system to turn the computer off (polite or soft shutdown) (Department of Justice 2004; SWGDE 2008). Powering down is not an option if encryption is running on a computer unless passwords or phrases are known. This circumstance requires either live imaging of the system using automated tools or copying files and folders manually from the computer.

A logical image is not a bit-by-bit image of the drive, but an image of files and folders on the drive. A logical image collects data based on the installed operating system, file system, and applications (Craiger 2005). A logical image does not copy unallocated or slack space, boot partitions, partition tables, etc. Automated tools will produce a forensically sound logical image because they perform hashes of the data at the logical level as they are being obtained during the imaging process. These hashes, which will be discussed later, ensure that the data copied from logical volumes are an exact copy used during onscene or forensic lab examination and analysis of the evidence. In the case of exigent circumstances, a logical image may be the only method of obtaining the evidence. There are at least two software tools that allow forensic-acceptable logical imaging of on-scene digital evidence: EnCase® (EnCase Portable) and Access Data® (Live Response®). These two tools are commonly used for on-scene, live acquisition of digital evidence. If encryption is present, manual methods of accessing data cannot be used because they require that a system be booted from a powered down state before commands can be executed.

Forensic examiners work from a forensic image and use various algorithms such as MD5 or SHA to verify that the two pieces of evidence, the original and the forensic image, are mirror images of each other (Allen 2006). Hashing is referred to as the process of assigning “a mathematical algorithm against data to produce a numeric value that is representative of that data” (Department of Justice 2004, p. 40). Hash values change if the evidence is changed or altered in any way, thus assuring the integrity of the data (SWGDE 2006b). Hashing of the evidence is accomplished in two stages: when the original data is hashed and when the copy is created and hashed. These two hashes must match in order to confirm that an exact copy of the original data has been obtained for examination. If a bit is changed in the process of the hashing, hashes will not match. If hashes do not match, the examiner must be able to explain what happened that caused the alteration of the evidence, and the change must have been a viable change (Bell and Boddington 2010). Automated forensic tools do this seamlessly.

Using manual command-line techniques, examiners are able to copy bit-by-bit copies of files; however, the hash function is missing from the procedure. If the examiner knows that the DOS command-line “copy” command will result in a bit-by-bit copy of a file, a hash is only necessary to verify that an automated tool actually did what it was suppose to do – make a bit-by-bit image. A file could be hashed on the original drive in the exact location it is stored. The file then copies to another forensically clean media, and the file is again hashed. Those two hashes are compared for an exact match. This would confirm that the file on the original media was copied as an exact, mirrored, image to the copy media (Craiger 2005).

An important concept in the forensics process is the difference between a forensic examination and device interrogation. These two processes are performed on various devices and involve two different methodologies. Standard forensic examination of digital evidence requires that an exact, uncorrupted, bit-by-bit image of the data stored on a media be obtained and an exact copy is used to analyze the data to obtain evidence (Department of Justice 2004; Lewis 2008). Although examination of small-scale digital devices such as GPS devices and cell phones are often called cell phone forensics or GPS forensics, the methodologies used to collect data from these devices often cannot be done to forensic standards. These types of examinations are more accurately defined as device interrogations not forensic examinations. The proprietary nature of the operating systems and storage schema of handheld devices often negates the ability for a true forensics copy to be made of stored data as well as the operating and file system. Because many of these devices do not allow a forensic copy to be made, methods such as photographing individual screens and logical acquisition of stored data must be performed (SWGDE 2006a). Because of these limitations, often, the only methodology for collection of digital evidence is capturing photographic images (screenshots) and un-hashable data dumps of stored data on these devices, that is, contact lists, text messages, recent calls, calendars, and photos.

Another methodology for on-scene collection of digital evidence is triage. Triage tools access the computer from a boot disk and parse through files and folders at the logical level. There are a number of tools that use CD, thumb drives, and other bootable methods along with triage application that are specifically designed to assist the investigator in quickly and efficiently determining if there is obvious evidence on the computer. One of the most used triage tools is TUX4N6™ developed and distributed free to law enforcement by NW3C (NW3C 2010). Some of the other commercial triage tools are Blade™, EnCase Portable™, Drive Prophet™, LiveResponse™.

Prior to performing any triage examination on a computer, one key element is to recognize what files can be collected during the process. Because triage is done on the logical level, files and folders are accessible, not slack space, partition tables, and other areas of the media. Knowing what files to look at is key. Relevant locations to search commonly include My Documents, Desktop, Recents, Recycle Bin, Temp, Downloads, Internet Explorer® or Firefox®, and Flash® usage histories, the “low hanging fruit” (NW3C 2010). This listing is certainly not all-inclusive, but simply some examples of the data locations that can be quickly searched for digital evidence. An advantage of using modern triage tools is that examiners can do both automated and manual searches of the media for evidence. Digital evidence collected using the triage application with automated or manual search techniques is forensically sound and can often be submitted in court without further forensic examination in the lab. On-scene as well as in-lab triage of computers has been a great help in decreasing the case backlog in many computer forensic labs around the United States.

The third area for discussion is examination and analysis in the forensic lab environment. Any evidence seized from the scene of the crime should be imaged, if possible, and the examination performed on a forensic image of the evidence. According to the working group that set forth the NIJ Analysis Guidelines (Department of Justice 2004), an image is “an accurate digital representation of all data contained on a digital storage device (e.g., hard drive, CD-ROM, flash memory, floppy disk, Zip®, Jazz®) which maintains contents and attributes but may include metadata such as CRCs, hash value, and audit information” (p. 40).

Working from an image is important for several different reasons. First, it is important that there are no modifications accidentally performed to the original evidence. This enables the evidence to stand up to authenticity if it is taken to court (Lewis 2008). Second, all tests performed on the evidence must be able to be replicated. This means that the defense counsel, or an outside examiner, must be able to reproduce all tests performed on the evidence in an attempt to reproduce the same results that the examiner received during the examination (Crozby 2001). Lastly, working from an image is always a fail-safe method in case the image becomes damaged for any reason in the process of examination. In any case, the examiner always has the original evidence to rely on once again to make another image (Department of Justice 2008; SWGDE 2006a).

Analysis Of Digital Evidence

The analysis must conform to the scope of the search warrant (Department of Justice 2009). By example, a search warrant authorizing a search for images, that is, child pornography, may very well prohibit the examination and analysis of documents that may reside on the same hard drive.

Prior to performing the analysis on any evidence, the examiner must become familiar with the operating system and file structure of the device in which is being examined. Operating systems vary depending on manufacturer, and although the types of evidence will always be the same, the location of where it is on the machine or device will change. The Microsoft® operating system is updated often; this requires new training and expertise by examiners. Microsoft® is entirely different from a Linux or Macintosh® operating system. This is also true with different file systems (Britz 2009). While testifying in court, the examiner must be able to state which operating system was used and where that piece of evidence was found in the file structure. Changes made to operating systems and file systems require examiners to have updated training. Updated training for automated tools is expensive, and it is often very difficult for examiners to afford this training. The time away from their caseload for training, not to mention the time required in gaining expertise using the new tool capability, is another burden on examiners and their agency.

Solid-State Drives (see discussion in “Key Issues/Controversies”)

Performing keyword searching, data carving, and email examination are some of the data analysis functions that can be performed at the physical level both manually and by using automated tools. Keyword searches allow the examiner to look for items not related to the operating or file system (Department of Justice 2004). A keyword may be used to search for specific items that pertain to things such as images, documents, spreadsheets, and databases. An examiner can also search by file extension. Email searching falls into two categories: application-based and web-based email. Common email applications are those that are installed when Microsoft® is installed. Yahoo®, Gmail®, and Hotmail® are a few web-based email services that examiners will find in the temporary Internet folders. Data carving looking for deleted files in unallocated and slack space is another important element in physical analysis (Craiger 2005).

Reporting Of Digital Evidence

Automated analysis tools have built-in reporting capabilities that establish an audit trail of most of the steps of an examination; this is critical for court presentation of digital evidence gleaned from examinations. In addition to these auto-generated report capabilities, when performing manual analysis or automated forensic examinations, it is also necessary to document other steps in the analysis process. In addition to automated reporting, standard policy requires that a separate examination report is prepared that documents steps taken that are not part of application-generated reports, that is, system documentation, peer review of analysis results, and chain of custody. An important element of reporting is to document that standards, best practices, and department policy were followed.

State Of The Art

Various automated tools assist with computer forensic examinations during the imaging and analysis stages. Essentially, all these automated tools do for forensic examiners is to run multiple command-line functions on the computers and media looking for specific evidence. In comparison, this is what a manual examination is; however, it takes a much longer process, and the examiner has to execute one command at a time or create batch files to perform various forensic functions. Law enforcement must be able to prove that the automated tool or manual methods used in the examination process were forensically sound and did not jeopardize the integrity of the evidence that was collected during the examination. The National Institute of Standards and Technology’s (NIST) Computer Forensics Tool Testing project (2001) created validation and testing guidelines that tool developers can use in order to measure assurance for forensic requirements in judicial proceedings.

The automated tools available to law enforcement and forensic examiners can essentially be broken into three categories: imaging tools, triage tools, and analysis tools. Some of the more popular automated forensic tools used by law enforcement forensic labs include WinHex™, EnCase®, Access Data® Forensic Toolkit™, and various Linux tools; however, the availability of these tools relies on the budgets of the agencies (Allen 2006; Dixon 2005). Automated tools have even been developed to perform a variety of forensic functions such as triage, live system acquisition, and small-scale device interrogation. These tools are constantly updated and new tools developed because of the ever-changing varieties of cell phones and other small-scale or handheld digital devices.

Key Issues/Controversies

Changes in technology, such as data storage devices, new proprietary operating and file systems, and other advances, will cause forensic standards to always evolve. Funding for research, testing, and validation to organizations such as NIST is critical for law enforcement to have validated tools available for forensics examinations of these new and changing technologies.

A current example of evolving technology forcing a paradigm shift in computer forensics is solid-state drives (SSD). Files are written differently on HDD and solid-state drives. Some of the differences between the two types of drives are that SSD drives are faster and allow access to parts of data. Bell and Boddington in their research state, “A paradigm shift has taken place in technology storage and complex, transistor-based devices for primary storage are now increasingly common” (2010, p. 5). As a result of their research, the authors identify twenty-one critical areas that examiners must be aware of in their “Recommendations and Guidance” section. This research could indeed change the state of computer forensics as it applies to SSD. Further research will no doubt be forthcoming in this specific area of computer forensics.

Future Direction

There are several areas that are open for discussion in the field of computer forensics, including certification and accreditation, standards for forensic training for practitioners, and law and policy.

Practitioner Certification And Forensic Lab Accreditation

• As the Internet makes connectivity ubiquitous, law enforcement will be challenged in a number of areas. During a criminal investigation, how can law enforcement locate and collect the data generated by hundreds of Wi-Fi networks that will be commonly pushing communication to handheld devices such as cell phones, readers, and pads?

• Software tools used in EDiscovery are beginning to be used by law enforcement to assist in parsing large datasets, that is, email servers. Although these EDiscovery can be of great assistance, testing and validation of forensic soundness of the tools are not commonly done.

• Should live system acquisition and device interrogation be treated as the same type of forensic examination?

• The number of handheld devices has now exceeded the number of computers being purchased. Handheld devices are evolving to include much more capability and sophistication. The research and development required to develop training that keeps law enforcement abreast of these new technologies is a challenge now because of lack of congressional funding, and without long-term solutions, computer forensics will not keep pace with the quantum leaps that technology is making in the twenty-first century.

Standards For Forensic Training For Practitioners

Are colleges and universities keeping pace in their curriculum in the area of computer forensics to match the needs of the law enforcement, the intelligence community, private sector business, and industry? Although there are some excellent undergraduateand graduate-level programs, private sector business and government are still challenged to find enough qualified graduates to fill their needs. Techno-based business often expresses a need for university curriculum focused on knowledge and skill sets that result in graduates being able to enter the field having the practical skills instead of having a degree based on theory and not practice.

Law And Policy

The list of legal issues surrounding computer forensics is endless, from ensuring that privacy is protected to outdated laws and regulations that were enacted decades ago for the telecommunications system that simply do not apply to today’s Internet-driven society. Many heated debates have been raging for decades over jurisdictional issues as they apply to search warrants, subpoenas, preservation orders, etc. Is a digital search warrant that is accepted in all jurisdictions the answer? The Internet has no state, county, city, or even country jurisdictional boundaries, but the laws governing these issues certainly do. Legislation must be as nimble as the technology and the Internet. Crafting cogent regulations, laws, and policy that will live to the future is beyond challenging.

Although more and more potential evidence is now held by third parties such as Internet service providers and cloud services, the laws governing law enforcements’ legal access to potential evidence are not keeping pace with these changes. How are law, policy, and regulation going to change to solve these issues?


Computer forensics is evolving rapidly for law enforcement due to the ever-changing growth of technology. Forensic examiners rely on two methods for analyzing data: automated tools and manual forensics. Automated tools evolved from command-line methods, producing a more efficient method of collecting data. Depending on the circumstances surrounding the forensic examination, that is, whether it is an on-scene device collection, on-scene data collection, live system acquisition, device interrogation, or lab examination, the most important concept during the examination is to maintain the integrity of the evidence. Identifying, collecting, preserving, analyzing, and reporting of digital data found on hard disk drives and small-scale digital devices are known as the computer forensic process. Automated and manual forensic exam principles are introduced at the collection stage and can be used throughout the remaining forensic examination process. Analysis can take place at both the logical and physical levels of a device. The goal of the computer forensic exam is to document the process (no matter whether automatic or manual methods were used), ensure evidence integrity, and maintain proper chain of custody in order to present the evidence in court.


  1. Allen W (2006) Computer forensics. IEEE Secur Priv 59–62. Accessed 6 Oct 2011. http://dsonline.
  2. Bell G, Boddington R (2010) Solid state drives: the beginning of the end for current practice in digital forensic recovery? J Digit Foren Secur Law 5(3):1–20
  3. Britz M (2009) Computer forensics and cyber crime: an introduction, 2nd edn. Prentice Hall, Columbus
  4. Craiger JP (2005) Computer forensics procedures and methods. In: Bidgoli H (ed) Handbook of information security, vol 3. Wiley, Hoboken
  5. Crozby P (2001) Methods in behavioral research, 10th edn. McGraw Hill, Boston
  6. Dixon P (2005) An overview of computer forensics. IEEE Potent 24:1–10
  7. Lewis P (2008) Understanding the basics of computer forensics. EDPACS 37:3
  8. National Institute of Standards and Technology (2001) Computer forensics tool testing program. Accessed 6 Oct 2011.
  9. National White Collar Crime Center (NW3C) (2010) “TUX4N6™ user guide.” Accessed 6 Oct 2011.
  10. National White Collar Crime Center (NW3C) (2011) Identifying and seizing electronic evidence training.
  11. Schweha J, Inch S (2008) Remote forensics may bring the next sea change in e-discovery: are all networked computers now readily accessible under the revised federal rules of civil procedure? J Digit Foren Secur Law 3(3):5–28
  12. Scientific Working Group on Digital Evidence (SWGDE) (2006) Best practices for computer forensics. Accessed 6 Oct 2011.
  13. Scientific Working Group on Digital Evidence (SWGDE) (2006) Data integrity within computer forensics. Accessed 20 Oct 2011.
  14. Working Group on Digital Evidence (SWGDE) (2008) Special considerations when dealing with cellular phones. Accessed 24 Oct 2011.
  15. U. S. Department of Justice (2009) Searching and seizing computers and obtaining electronic evidence in criminal investigations. Office of Legal Education Executive Office for United States Attorneys
  16. U.S. Department of Justice (2004) Forensic examination of digital evidence: a guide for law enforcement. NIJ Special Report
  17. U.S. Department of Justice (2008) Electronic crime scene investigation: a guide for first responders, 2nd edn. NIJ Special Report

See also:

Free research papers are not written to satisfy your specific instructions. You can use our professional writing services to buy a custom research paper on any topic and get your high quality paper at affordable price.


Always on-time


100% Confidentiality
Special offer! Get discount 10% for the first order. Promo code: cd1a428655