How To Analyze Electronically Stored Information Strategically?

by Dev Duff on December 27, 2014

Computer forensics is said to be the art of implementing computer science for aiding legal proceedings. The forensics of electronic data are executable on artifacts and evidence captured from the platforms or devices seized from the suspect’s custody. The failure at preserving and producing this electronically stored information comes with a huge cost, to be paid, by the clients as well as the attorneys. Sometimes, unethical / incompetent attorneys put disciplinary actions at stake and end up violating the rules of a professional approach to litigation by not following the right procedure of analyzing ESI. And digital forensics is all about – proceeding strategically with a case, from the start to the very end. Examining electronic data for evidences involves the following stages: Access, Acquisition, Analysis, Reporting, Collection, Preparation, & Presentation of the findings. Thus, meeting the basic criteria of investigating ESI strategically proves to be very crucial in the arena computer forensics.

Let’s discuss in detail, how to analyze electronically stored information in a strategical manner for forensic purposes.

Stage 1: ACCESS

Today, the types of digital media and devices that are being used by the end-users have a significantly large variety. All of these are capable of holding data that might work as potential evidence in the case and prove to be of great value. Thus, the diligent preservation of artifacts storing potential evidence is quite fundamental.

Principle for Assessing Evidence: The evidence from digital media must be assessed thoroughly regarding the determination of its scope in the case for ascertaining the procedure to be carried out.

It is essential to access devices for potential evidences to make further investigation more streamlined for the examiner, by providing them only with the essentials.

Procedure Followed: A thorough assortment of the case related details, nature of software & hardware discovered, possible evidence gathered, and evidence acquisition surrounding circumstances be examined.

While seizing computers and extracting information from them, a forensic analyst must document the activities taking place on the computer, if any, without making any mouse clicks to avoid alteration of evidence by any chance.

NOTE: Forensic imaging techniques can be taken into use for conforming to the stated action. And for added precaution, write blocker devices are advised to be considered while imaging artifacts to debar evidence tampering.


  1. Case Assessment. This part of assessment primarily revolves around the documentation of what’s in custody, discussing with the investigator the possibility of engaging in procurement of additional electronic evidences like; email, identifying remote reposition, order ISP for the preservation of details, etc. In addition to that, determining the type and potentiality of evidence to be gathered as per the nature of the case, arranging an order of examining collected evidence, and determining the required evidences are some of the responsibilities involved during the assessment of a case.
  2. On-The-Spot Considerations. This part of assessment requires the first responder to get the following checked: details of the number and types of computer and other electronic media discovered from the scene, check if a network is available, have a discussion with the users and system admin, documenting the media types and volume, identifying offsite location of storage and/or remote locations of computing, finding out operating system under consideration, etc.
  3. Location Assessment. Assessing evidence to decide the point from where an investigation must begin. Although forensic analysis of evidences must be done in a controlled environment like a laboratory but in case of onsite examination the examiner must take care of: the time required for accomplishing recovery of evidence, impact on the business, suitability of – media, resources, experience and training for performing onsite examination.
  4. Legal Concerns. Determining legal procedures to be carried out for conducting search for evidence on locations not authorized in the warrant.
  5. Assessment of Evidence. Stability of the media, documentation of evidence, storage location evaluation, condition of evidence (before acquisition – for the record), and need of Uninterrupted Power Supply for devices operated on battery.

Stage 2: ACQUIRE

Most of the investigations nowadays depend on the evidences located online and not on a physical location. Online evidences are further divided on two bases respectively; public & private.

Forums are the public location, as most of these websites do not require a login for reading the discussions. However, personal locations could be any email (Web/server/cloud/client based) or social networking account held by the suspect that necessitates a login for traversing the information/conversations stored within.

Principle for Acquiring Evidence: The fragile nature of digital evidence makes them vulnerable to alteration / destruction / damage in case handled or examined improperly. Thus, special precautions are necessary to be taken for the preservation of such evidence types. Failure at doing so may cause it to become unusable or much worse; lead to erroneous conclusions.

Procedure Followed: Original evidence in digital form must be acquired in a way that preserves and protects it. Some basic steps to ensure the same are outlined as follows:

  1. Examiner’s system configuration both in the context of hardware and software must be documented.
  2. A verification of the examiner’s overall system operations must be made.
  3. Identification of storage media for acquisition both; internal and external included.
  4. Document the hardware configuration & internal storage media.
  5. Disconnect storage media and instead connect using data cable or power connectors along with write blocker devices to prevent damage/destruction/alteration of evidence.
  6. Use controlled boots to retrieve system configuration details of the suspect machine.
  7. Make it a point to attach and use the subject device on examiner’s machine for acquisition of evidence.
  8. RAID, Hardware dependency, Laptop computer, or network storage are some exceptional cases where access cannot be made on the examiners machine as it may not give out usable results.

NOTE: Examiner storage media has to be clean from forensic point of view and performing the acquisition of evidence on it.


Principle for Evidence Collection & Analyzing: Basic principles of forensic may apply on the examination of digital evidence. Different examination methods are followed depending on the type of media and case. Respective authority conducting the examination of digital evidence ought to be trained for the purpose depending upon the nature of evidence; online or local.

Procedure Followed: Keeping in mind the significance of evidence integrity and originality, it is strictly recommended NOT to conduct the examination on the original copy of evidence. In addition to that, it is very important that the examination of evidences be performed using accepted procedures of forensics.

Steps to Remember

  1. Preparation. Prepare a separate set of directories on a different media for extraction and recovery of evidentiary data / files.
  2. Extraction. One can perform the physical or logical extraction of the evidence. Physical extraction involves performing keyword based search on particular directories related to the case to find suspect files. Apart from that, file carving techniques or utilities can also be engaged for the same. Examination of partition structure and file systems is where logical extraction of evidence comes into the scene. This may help extract data from areas; active files, file slack, deleted files, or unallocated file space. Logical extraction involves extraction of a crucial set of evidence, i.e. recovery of deleted data, encrypted / password protected / a compressed file, which is where the highest potential evidence is mostly found.
  3. Analysis. This is where interpretation of extracted/recovered data or files is done for determining their significance in the case. Some of crucial information to be analyzed includes; data hiding, time frame, ownership & possession of the data, application and file type to which it belongs, etc.
  4. Conclusion. Each procedure individually may not yield results as expected however; forming an association between these individual results may help make the picture clearer. Make sure that analysis results and extraction results are examined in their totality as a final step of analysis.

Online Evidence Analysis: These steps are common in case of analyzing both; online as well as local data. However, the technique/utility used for the execution purpose differs accordingly. And in case of email data analysis (online or offline), usage of an examination software becomes a requisite. One of the forensic Email analysis tool, namely, MailXaminer, caters to these stages of evidence analysis, in case of email data involvement. Preparation, extraction, and analysis are executable in a strategic manner, on this unified platform.


Principle for Evidence Reporting: Findings acquired through the analysis of evidences have to be accurately and completely reported by the examiner, along with the analysis results. However, documentation remains to be an apparently ongoing process till the examination ends. Thus, recording each step taken as part of the evidence examination is important.

Procedure Followed: The documentations made must be comprehensive, complete, and absolutely accurate. Resulting report of the examination must be written concerning the targeted audience.

Preparatory Notes

Documentation must remain a contemporaneous task along with examination and the consistent preservation of notes should be fulfilled following departmental policies. Follow the general tips on the documentation process:

  1. When consulting the investigator of the case, ensure taking notes.
  2. Maintain an accurate and complete copy of the custody documentation.
  3. When taking notes, be sure of adding as much details as possible to make the duplication of complete actions performed.
  4. While documenting, include the date, time, along with detailed descriptions and outcomes of the taken actions.
  5. Document any kind of irregularities that may have encountered on the implementation of any action during examination.

NOTE: On encountering any information that seems to be of great evidentiary value but is beyond the current legal authority’s scope, document it to obtain additional authorities for search.

Report by Examiner

In order to prepare the report to be presented to – the prosecutor, investigator, and other authorities involved. However, this guidance is being provided on a general basis and in no particular order of arrangement and the examiner can make alterations accordingly:

  • Reporting agency’s identity
  • Submission number or identifier of the case
  • Investigator of the case
  • Submitter identity
  • Receipt date
  • Report date
  • A descriptive list of the submitted items examined along with the – serial number, model, and make.
  • Examiner’s signature & identity
  • Brief explanation of the actions taken during the examination – graphics/image search, erased file recovery, string searches made, etc.
  • Results or Conclusions

Stage 7: PRESENT

Principle for Presenting Evidence: When presenting electronic evidence at trial the involved authorities, from the agent, examiner to the investigative leads must be sure that standard e-Discovery protocols have been followed during the examination.

Procedure Followed: It is advised to use visuals as much as possible while presenting electronically stored information and evidences during a trial. Visuals help the jury to comprehend relevance and context of the evidence more clearly. The complex technical details of the examination process and findings converted to visualized form alleviates the interpretation process which can be done via mediums like a document, presentation, or HTML.

Bottom Line: Failures encountered during the eDiscovery involving ESI have been observed to be on the rise. Redundancy of such cases where a party fails to produce pertinent ESI with preservation has been revealed largely. More and more clients and juries are demanding attorneys to develop a novel approach in solving these litigation issues. Thus, the use of forensic imaging prior and during the onset of a litigation process is promoted as one of the solutions of these unforeseen consequences. This guide will serve as a helpful aid for ESI investigators and examiners to avoid the most common inaccuracies during an examination of digital evidences and their presentation in the court of law.

This post was written by...

– who has written 305 posts on Dev Duff.

Contact the author

Leave a Comment

Previous post:

Next post: