
Prde Notes Part - 2

Digital investigators apply forensic science techniques to extract valuable digital evidence from computers and other electronic devices. They must properly collect, document, preserve, examine, analyze and report on any digital evidence found according to a strict methodology. This involves preparing equipment and resources, surveying the physical and digital crime scenes, properly documenting the evidence found at each stage of the process, and preserving the integrity of the original evidence. Following these steps helps investigators find the truth and have any digital evidence admitted in court.

Uploaded by sravansibis

PRDE Dept Of Computer Science

Applying Forensic Science to Computers

Digital evidence examiners extract valuable bits from large masses of data and present them
in ways that decision makers can comprehend.
Flaws in the underlying material or the way it is processed reduce the value of the final
product.
Digital investigators often perform all of the requisite tasks from collecting, documenting,
and preserving digital evidence to extracting useful data and combining them to create an
increasingly clearer picture of the crime as a whole.
Digital investigators need a methodology to help them perform all of these tasks properly,
find the scientific truth, and ultimately have the evidence admitted in court.

THE METHODOLOGY CONSISTS OF THE FOLLOWING STAGES


1. Preparation
2. Survey
3. Documentation
4. Preservation
5. Examination and analysis
6. Reconstruction
7. Reporting results

1. PREPARATION

Planning is especially important in cases that involve computers.


Whenever possible, while generating a search warrant, the search site should be researched
to determine what computer equipment to expect, what the systems are used for, and if a
network is involved.
If the computers are used for business purposes or to produce publications, this will
influence the authorization and seizure process.
Also, without this information, it is difficult to know what expertise and evidence collection
tools are required for the search.

If a computer is to be examined on-site, it will be necessary to know which operating system
the computer is running (e.g., Mac OS, UNIX, or Windows).

It will also be necessary to know if there is a network involved and if the cooperation of
someone who is intimately familiar with the computers will be required to perform the
search.

One person should be designated to take charge of all evidence to simplify the chain of
custody.

Such coordination is especially valuable when dealing with large volumes of data in various
locations, ensuring that important items are not missed.

VIJITHA V 2022-23

In situations where there is only one chance to collect digital evidence, the process should
be practiced beforehand under similar conditions to become comfortable with it.

A final preparatory consideration is regarding proper equipment. Most plans and procedures
will fail if adequate acquisition systems and storage capacity are not provided.

Some of the fundamental items that can be useful when dealing with computers as a source
of evidence include the following:

Evidence bags, tags, and other items to label and package evidence
Digital camera to document scene and evidential items
Forensically sanitized hard drives to store acquired data
Forensically prepared computer(s) to connect with and copy data from evidential hard drives
onto forensically sanitized hard drives
Hardware write blockers for commonly encountered hard drives (e.g., IDE and SATA)
Toolkit, including a flashlight, needle-nose pliers, and screwdrivers for various types and
sizes of screws.

2. SURVEY

Surveying a crime scene is a methodical process of finding all potential sources of digital
evidence and making informed, reasoned decisions about what digital evidence to preserve.
One effective approach to conducting a methodical crime scene survey is to divide the area
into a grid and inspect each segment of the grid thoroughly.
By dividing the larger area into smaller segments, there is less chance of overlooking
important items such as a small memory card or hidden pieces of storage media.
This concept can be applied to both the physical area and digital realm.

Surveying a crime scene for potential sources of digital evidence is a twofold process.
First, digital investigators have to recognize the hardware (e.g., computers, removable
storage media, and network cables) that contains digital information.
Second, digital investigators must be able to distinguish between irrelevant information and
the digital data that can establish that a crime has been committed or can provide a link
between a crime and its victim or a crime and its perpetrator.
During a search, manuals and boxes related to hardware and software can give hints of what
hardware, software, and Internet services might be installed/used.

Applying the scientific method during the survey process involves developing and testing
theories about which items contain relevant digital evidence, why expected items are
missing, and where missing items might be found.

• SURVEY OF HARDWARE


There are many computerized products that can hold digital evidence such as telephones,
mobile devices, laptops, desktops, larger servers, mainframes, routers, firewalls, and other
network devices.

There are also many forms of storage media, including compact disks, floppy disks, magnetic
tapes, high-capacity floppies, Zip and Jaz disks, memory sticks, and USB storage devices.

• SURVEY OF DIGITAL EVIDENCE

Different crimes result in different types of digital evidence.


For example, cyberstalkers often use e-mail to harass their victims, computer crackers
sometimes inadvertently leave evidence of their activities in log files, and child
pornographers sometimes have digitized images stored on their computers.
Additionally, operating systems and computer programs store digital evidence in a variety
of places. Therefore, the ability to identify evidence depends on a digital investigator’s
familiarity with the type of crime that was committed and the operating system(s) and
computer program(s) that are involved.

In addition to looking for user-created documents and multimedia on storage media, digital
investigators may find relevant information in the Registry, log files, and artifacts associated
with applications used on the computer (e.g., logs of instant messaging chat, and files
exchanged using P2P programs).

Again, the different kinds of digital evidence on a computer are limited only by the user’s
activities and creativity.

3. DOCUMENTATION

Documentation is essential at all stages of handling and processing digital evidence, and
includes the following:

a. Chain of custody: who handled the evidence, when, where, and for what purpose;
b. Evidence intake: characteristics of each evidential item such as make, model, and
serial number;
c. Photos, videos, and diagrams: capturing the context of the original evidence;
d. Evidence inventory: a list or database of all evidential items;
e. Preservation guidelines: a repeatable process for preserving digital evidence, which
may contain references to specific tools;
f. Preservation notes: notation of steps taken to preserve each evidential item and any
necessary deviations from the preservation guideline documentation;
g. Forensic examination guidelines: a repeatable process for examining digital evidence,
which may contain references to specific tools;
h. Forensic examination notes: notation of actions taken to examine each evidential
item, including a summary of the outcome of each action and details about important
findings.


• CASE MANAGEMENT

In any digital investigation, it is important to keep track of important actions and all items
of evidence that have been obtained.

Case documentation goes beyond chain of custody and evidence in-take forms to include
when important information was received, who was interviewed, and what was said.

It is also important to maintain an inventory of digital evidence, and a database can be useful
for keeping track of digital evidence (as shown in the figure), particularly when dealing with
many sources of data.

Case management also involves maintaining the physical security of evidential items, and
storing multiple copies of digital evidence to ensure that a pristine copy is available in the
event of a working copy becoming damaged.
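The documentation items above (chain of custody, evidence intake, evidence inventory) and the case-management inventory database translate naturally into a small relational schema. The following is an added example, not code from these notes; the table layout, column names and the sample item "E-001" are assumptions made for illustration. The custody log is append-only by design: every hand-off adds a row, and nothing is ever updated or deleted, so the record of who handled an item, when, where and why can be reproduced exactly.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema: an evidence inventory plus an append-only chain-of-custody log.
SCHEMA = """
CREATE TABLE item (
    item_id     TEXT PRIMARY KEY,
    description TEXT NOT NULL,
    make        TEXT,
    model       TEXT,
    serial      TEXT,
    md5         TEXT            -- filled in once the item has been imaged and hashed
);
CREATE TABLE custody (
    seq      INTEGER PRIMARY KEY AUTOINCREMENT,
    item_id  TEXT NOT NULL REFERENCES item(item_id),
    handler  TEXT NOT NULL,
    ts       TEXT NOT NULL,     -- ISO-8601, UTC
    location TEXT NOT NULL,
    purpose  TEXT NOT NULL
);
"""


def open_inventory(path=":memory:"):
    """Create the inventory database (in memory by default so the example runs anywhere)."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")  # custody rows must refer to a real item
    conn.executescript(SCHEMA)
    return conn


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def intake(conn, item_id, description, make, model, serial, handler, location, ts=None):
    """Evidence intake: record identifying characteristics and the first custody entry."""
    conn.execute(
        "INSERT INTO item (item_id, description, make, model, serial) VALUES (?, ?, ?, ?, ?)",
        (item_id, description, make, model, serial),
    )
    conn.execute(
        "INSERT INTO custody (item_id, handler, ts, location, purpose) VALUES (?, ?, ?, ?, ?)",
        (item_id, handler, ts or _now(), location, "evidence intake"),
    )
    conn.commit()


def transfer(conn, item_id, handler, location, purpose, ts=None):
    """Every hand-off appends a custody row; rows are never edited or removed."""
    conn.execute(
        "INSERT INTO custody (item_id, handler, ts, location, purpose) VALUES (?, ?, ?, ?, ?)",
        (item_id, handler, ts or _now(), location, purpose),
    )
    conn.commit()


def record_hash(conn, item_id, md5):
    """Store the hash computed when the item was acquired, for later verification."""
    conn.execute("UPDATE item SET md5 = ? WHERE item_id = ?", (md5, item_id))
    conn.commit()


def custody_history(conn, item_id):
    """Who handled the item, when, where and why, in the order it happened."""
    return conn.execute(
        "SELECT handler, ts, location, purpose FROM custody WHERE item_id = ? ORDER BY seq",
        (item_id,),
    ).fetchall()


def current_holder(conn, item_id):
    history = custody_history(conn, item_id)
    return history[-1][0] if history else None


if __name__ == "__main__":
    db = open_inventory()
    intake(db, "E-001", "laptop", "Acme", "X1", "SN-12345", "examiner A", "scene",
           ts="2022-03-01T10:00:00+00:00")
    transfer(db, "E-001", "examiner B", "lab", "imaging", ts="2022-03-02T09:00:00+00:00")
    for row in custody_history(db, "E-001"):
        print(row)
```

Because `foreign_keys` is enabled, an attempt to log custody for an item that was never taken in fails immediately, which is the kind of gap a court would otherwise find later.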

4. PRESERVATION

A major aspect of preserving digital evidence is preserving it in a way that minimizes the
changes made.

Imagine for a moment a questioned death crime scene with a suicide note on the computer
screen. Before considering what the computer contains, the external surfaces of the
computer should be checked for fingerprints and the contents of the screen should be
photographed. It would then be advisable to check the date and time of the system for
accuracy and save a copy of the suicide note to sanitized labeled removable media.

• PRESERVING HARDWARE

When dealing with hardware as contraband, instrumentality, or evidence, it is usually
necessary to collect computer equipment.

Additionally, if a given piece of hardware contains a large amount of information relating
to a case, it can be argued that it is necessary to collect the hardware.

• PRESERVING DIGITAL EVIDENCE

When dealing with digital evidence (information as contraband, instrumentality, or
evidence) the focus is on the contents of the computer and storage media as opposed to the
hardware itself.
There are several approaches to preserving digital evidence on a computer:

Place the evidential computers and storage media in secure storage for future reference;


Extract just the information needed from evidential computers and storage media;
Acquire everything from evidential computer and storage media.
Whether acquiring all data or just a subset, there are two empirical laws of digital evidence
collection that should always be remembered:
Empirical Law of Digital Evidence Collection and Preservation #1: If you only make one
copy of digital evidence, that evidence will be damaged or completely lost.
Empirical Law of Digital Evidence Collection and Preservation #2: A forensic acquisition
should contain at least the data that is accessible to a regular user of the computer.

Therefore, always make at least two copies of digital evidence and check to make certain
that at least one of the copies was successful and can be accessed on another computer.

In addition, it is important to verify that tools used to copy digital evidence capture all of
the desired information, including metadata such as date-time stamps that are associated
with acquired files.

As an example, when acquiring digital evidence from a cell phone, a forensic acquisition
should at least acquire the data that were visible to the user.
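The two empirical laws and the verification advice above can be turned into a routine: acquire to at least two destinations, hash the source and every copy, confirm that file metadata (here the modification time) survived the copy, and re-verify a copy before relying on it. This is an added example written for these notes, not the notes' own procedure or any particular tool's; it works on a single constructed file rather than a whole disk, and the file names, the fixed timestamp and the deliberately damaged second copy are all constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large images need not fit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Compute several digests of a file in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, destinations):
    """Copy `source` to every path in `destinations` (at least two, per Empirical Law #1),
    carrying over timestamps, and verify every copy against the source digests."""
    if len(destinations) < 2:
        raise ValueError("make at least two copies of digital evidence")
    reference = hash_file(source)
    src_mtime = int(os.stat(source).st_mtime)
    results = []
    for dest in destinations:
        shutil.copy2(source, dest)  # copy2 preserves modification/access times, plain copy does not
        results.append({
            "path": dest,
            "hash_ok": hash_file(dest) == reference,
            "mtime_ok": int(os.stat(dest).st_mtime) == src_mtime,
        })
    return reference, results


def reverify(path, reference):
    """Re-check a copy later (e.g. before working from it); False means altered, damaged or gone."""
    return os.path.exists(path) and hash_file(path) == reference


def usable_copies(results):
    """Copies that are both bit-identical and metadata-preserving."""
    return [r["path"] for r in results if r["hash_ok"] and r["mtime_ok"]]


def demo():
    """Constructed walk-through: acquire a sample file twice, then damage one copy."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "note.txt")
    with open(source, "wb") as fh:
        fh.write(b"constructed sample evidence file\n")  # constructed content
    os.utime(source, (1_600_000_000, 1_600_000_000))  # fixed timestamp so the metadata check means something
    copies = [os.path.join(workdir, "copy_a.bin"), os.path.join(workdir, "copy_b.bin")]
    reference, results = acquire(source, copies)
    with open(copies[1], "ab") as fh:  # simulate the working copy being damaged afterwards
        fh.write(b"\x00")
    still_good = [p for p in copies if reverify(p, reference)]
    shutil.rmtree(workdir)
    return reference, results, still_good


if __name__ == "__main__":
    ref, res, good = demo()
    print("reference digests:", ref)
    print("copies verified at acquisition:", [r["path"] for r in res if r["hash_ok"]])
    print("copies still intact later:", good)
```

Both MD5 (the digest these notes refer to) and SHA-256 are recorded; comparing the whole digest dictionary means a copy is only accepted if every algorithm agrees.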

5. EXAMINATION AND ANALYSIS

A forensic examination involves preparing digital evidence to facilitate the analysis stage.

There are three levels of forensic examination: (1) survey/triage forensic inspections, (2)
preliminary forensic examination, and (3) in-depth forensic examination.

The nature and extent of a digital evidence examination depend on the known circumstances
of the crime and the constraints placed on the digital investigator.

If a computer is the fruit or instrumentality of a crime, the digital investigators will focus on
the hardware.

If the crime involves contraband information, the digital investigators will look for anything
that relates to that information, including the hardware containing it and used to produce it.

If information on a computer is evidence and the digital investigators know what they are
looking for, it might be possible to extract the evidence needed quite quickly.

• FILTERING/REDUCTION

The process of filtering out irrelevant, confidential, or privileged data includes the
following:

Eliminating valid system files and other known entities that have no relevance to the
investigation.


Focusing on the most probable user-created data.


Focusing on files within a restricted time frame.
Managing duplicate files, which is particularly useful when dealing with backup tapes.
Identifying discrepancies between digital evidence examination tools, such as missed files
and MD5 calculation errors.
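The filtering steps listed above (eliminating known files by hash, restricting to a time frame, collapsing duplicates, and cross-checking two tools for missed files or hash disagreements) are shown below as an added example; it is not code from these notes or from any forensic tool. The file listing, the two tool outputs and the hash values are constructed placeholders, and the "known file" set stands in for a reference hash set of stock system files.

```python
from collections import defaultdict
from datetime import datetime

# Constructed file listing in the shape a forensic tool might export (path, md5, last modified).
# The md5 values are placeholders, not real digests.
LISTING = [
    {"path": "C:/Windows/System32/kernel32.dll",    "md5": "aaaa1111", "mtime": "2022-01-10T09:00:00"},
    {"path": "C:/Users/j/Documents/plan.docx",      "md5": "bbbb2222", "mtime": "2022-03-05T14:20:00"},
    {"path": "C:/Users/j/Desktop/plan (copy).docx", "md5": "bbbb2222", "mtime": "2022-03-06T08:00:00"},
    {"path": "C:/Users/j/Pictures/img01.jpg",       "md5": "cccc3333", "mtime": "2021-11-30T23:59:00"},
    {"path": "C:/Users/j/AppData/chat.log",         "md5": "dddd4444", "mtime": "2022-03-04T22:15:00"},
]
# Constructed output of a second tool over the same media: it missed chat.log and
# reports a different digest for img01.jpg.
SECOND_TOOL_LISTING = [
    {"path": "C:/Windows/System32/kernel32.dll",    "md5": "aaaa1111", "mtime": "2022-01-10T09:00:00"},
    {"path": "C:/Users/j/Documents/plan.docx",      "md5": "bbbb2222", "mtime": "2022-03-05T14:20:00"},
    {"path": "C:/Users/j/Desktop/plan (copy).docx", "md5": "bbbb2222", "mtime": "2022-03-06T08:00:00"},
    {"path": "C:/Users/j/Pictures/img01.jpg",       "md5": "cccc3334", "mtime": "2021-11-30T23:59:00"},
]
# Stand-in for a known-file reference set (hashes of valid system files with no relevance).
KNOWN_SYSTEM_HASHES = {"aaaa1111"}


def drop_known(records, known_hashes):
    """Eliminate files whose hash matches a known, irrelevant entity."""
    return [r for r in records if r["md5"] not in known_hashes]


def within(records, start, end):
    """Keep files last modified inside [start, end]; timestamps are ISO-8601 strings."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [r for r in records if lo <= datetime.fromisoformat(r["mtime"]) <= hi]


def dedupe(records):
    """Keep the first file seen per hash; report the other paths as duplicates of it."""
    seen, unique, duplicates = {}, [], defaultdict(list)
    for r in records:
        if r["md5"] in seen:
            duplicates[r["md5"]].append(r["path"])
        else:
            seen[r["md5"]] = r["path"]
            unique.append(r)
    return unique, dict(duplicates)


def compare_tools(listing_a, listing_b):
    """Cross-check two tools: files one of them missed, and paths whose hashes disagree."""
    a = {r["path"]: r["md5"] for r in listing_a}
    b = {r["path"]: r["md5"] for r in listing_b}
    return {
        "missing_in_b": sorted(set(a) - set(b)),
        "missing_in_a": sorted(set(b) - set(a)),
        "hash_mismatch": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def reduce_listing(records, known_hashes, start, end):
    """The reduction pipeline: known files out, time window applied, duplicates collapsed."""
    candidates = within(drop_known(records, known_hashes), start, end)
    return dedupe(candidates)


if __name__ == "__main__":
    unique, dups = reduce_listing(LISTING, KNOWN_SYSTEM_HASHES,
                                  "2022-03-01T00:00:00", "2022-03-31T23:59:59")
    print("files to examine:", [r["path"] for r in unique])
    print("duplicates:", dups)
    print("tool discrepancies:", compare_tools(LISTING, SECOND_TOOL_LISTING))
```

A hash mismatch between two tools, or a file present in one listing and absent from the other, is exactly the discrepancy that must be resolved (and documented in the examination notes) before either result is relied on.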

• CLASS/INDIVIDUAL CHARACTERISTICS AND EVALUATION OF SOURCE

Three fundamental questions that need to be addressed when examining a piece of digital
evidence are what is it (identification), what characteristics distinguish it (classification or
individualization), and where did it come from (evaluation of source).

• DATA RECOVERY/SALVAGE

When a file is deleted, the data it contained actually remain on a disk for a time and can be
recovered.

The details of recovering and reconstructing digital evidence depend on the kind of data, its
condition, the operating system being run, the type of the hardware and software, and their
configurations.

For example, a Word document vs. images or video.

6. RECONSTRUCTION

Investigative reconstruction leads to a more complete picture of a crime: what happened,
who caused the events, when, where, how, and why.

There are three fundamental types of reconstruction: functional, relational, and temporal.

• FUNCTIONAL ANALYSIS

In an investigation, there are several purposes to assessing how a computer system
functioned:

To determine if the individual or computer was capable of performing actions necessary to
commit the crime.
To gain a better understanding of a piece of digital evidence or the crime as a whole.
To prove that digital evidence was tampered with.
To gain insight into an offender's intent and motives. For instance, was a purposeful action
required to cause damage to the system or could it have been accidental?
To determine the proper working of the system during the relevant time period. This relates
to authenticating and determining how much weight to give digital evidence.

• RELATIONAL ANALYSIS

In an effort to identify relationships between suspects, victim, and crime scene, it can be
useful to create nodes that represent places they have been, e-mail and IP addresses used,
financial transactions, telephone numbers called, etc. and determine if there are noteworthy
connections between these nodes.
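The node-and-link idea above is, in practice, a graph problem: entities (people, e-mail addresses, IP addresses, phone numbers, places) are nodes, each observed association is an edge, and the questions are "is there a chain connecting suspect and victim?" and "which entities sit at the centre of the web?". The following added example (not code from these notes) builds such a graph and answers both with a breadth-first search and a degree count. Every entity and link in it is constructed; the IP address is from the TEST-NET documentation range and the phone number is a fictional 555 number.

```python
from collections import defaultdict, deque

# Constructed associations between entities, each node written as "type:value".
LINKS = [
    ("person:suspect", "email:s@example.com"),
    ("person:suspect", "phone:+1-555-0100"),
    ("person:suspect", "place:cafe on main st"),      # e.g. from a receipt or card transaction
    ("email:s@example.com", "ip:203.0.113.7"),         # address the mail account was used from
    ("ip:203.0.113.7", "account:forum_user42"),         # forum account seen from the same address
    ("account:forum_user42", "email:v@example.com"),   # account's registered contact address
    ("email:v@example.com", "person:victim"),
    ("person:victim", "place:cafe on main st"),
]


def build_graph(links):
    """Undirected adjacency lists; insertion order is kept so results are reproducible."""
    graph = defaultdict(list)
    for a, b in links:
        graph[a].append(b)
        graph[b].append(a)
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search: the fewest hops linking two entities, or None if unconnected."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in graph[node]:
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def hubs(graph, top=3):
    """Entities with the most connections, ties broken by name."""
    ranked = sorted(((n, len(edges)) for n, edges in graph.items()), key=lambda x: (-x[1], x[0]))
    return ranked[:top]


def shared_neighbours(graph, a, b):
    """Entities directly linked to both a and b (a place both visited, a contact both used)."""
    return set(graph[a]) & set(graph[b])


if __name__ == "__main__":
    g = build_graph(LINKS)
    print("suspect -> victim:", shortest_path(g, "person:suspect", "person:victim"))
    print("hubs:", hubs(g))
    print("shared:", shared_neighbours(g, "person:suspect", "person:victim"))
```

The shortest path is only the most direct chain the evidence supports; the longer route through the shared IP address and forum account is the one an examiner would still have to document, because each edge is a separate item of evidence that must be sourced.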

• TEMPORAL ANALYSIS

When investigating a crime, it is usually desirable to know the time and sequence of events.
Fortunately, in addition to storing, retrieving, manipulating, and transmitting data,
computers keep copious account of time. For instance, most operating systems keep track
of the creation, last modification, and access times of files and folders. These date-time
stamps can be very useful in determining what occurred on a computer.
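A timeline is the usual product of temporal analysis: the creation, modification and access times of files are merged with timestamps from other sources (here an application log) into one sequence ordered by time. The added example below is not from these notes; the file records, log lines and log format are constructed, and `events_from_stat` shows how the same three timestamps would be read from a real file with `os.stat`. It also flags one frequently misread pattern: a file whose modified time precedes its created time. On Windows this typically means the file was copied or moved, since copying assigns a fresh creation time but keeps the original modification time, so the "created" stamp dates the copy, not the document.

```python
import os
import re
from datetime import datetime, timezone

# Constructed file-system records: (path, created, modified, accessed), UTC ISO-8601.
FILE_RECORDS = [
    ("C:/Users/j/Documents/plan.docx",      "2022-03-05T14:20:00", "2022-03-05T14:20:00", "2022-03-06T08:01:00"),
    ("C:/Users/j/Desktop/plan (copy).docx", "2022-03-06T08:00:00", "2022-03-05T14:20:00", "2022-03-06T08:00:00"),
    ("C:/Users/j/AppData/chat.log",         "2022-02-01T12:00:00", "2022-03-04T22:15:00", "2022-03-04T22:15:00"),
]
# Constructed application log lines: "<timestamp> <source> <message>".
LOG_LINES = [
    "2022-03-04 22:14:58 messenger session opened by user j",
    "2022-03-06 07:58:30 explorer removable drive attached as E:",
    "this line is not in the expected format and is skipped",
]
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def _ts(text):
    """Parse an ISO-8601 string into an aware UTC datetime."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def events_from_stat(path):
    """Real-file variant: read the three timestamps from os.stat. Note that st_ctime is the
    creation time on Windows but the inode-change time on UNIX, so label it accordingly."""
    st = os.stat(path)
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat(timespec="seconds")
    return (path, iso(st.st_ctime), iso(st.st_mtime), iso(st.st_atime))


def file_events(records):
    events = []
    for path, created, modified, accessed in records:
        events.append((_ts(created), "fs", f"created  {path}"))
        events.append((_ts(modified), "fs", f"modified {path}"))
        events.append((_ts(accessed), "fs", f"accessed {path}"))
    return events


def log_events(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # lines that do not parse are dropped, never guessed at
            ts, source, message = m.groups()
            events.append((_ts(ts.replace(" ", "T")), source, message))
    return events


def build_timeline(records, lines):
    """Merge file-system and log events into one sequence ordered by time."""
    return sorted(file_events(records) + log_events(lines), key=lambda e: e[0])


def modified_before_created(records):
    """Paths whose modified time precedes their created time (copied/moved file pattern)."""
    return [path for path, created, modified, _ in records if _ts(modified) < _ts(created)]


def render(timeline):
    return [f"{ts.isoformat()} [{src}] {msg}" for ts, src, msg in timeline]


if __name__ == "__main__":
    for line in render(build_timeline(FILE_RECORDS, LOG_LINES)):
        print(line)
    print("copied/moved candidates:", modified_before_created(FILE_RECORDS))
```

Read in order, the timeline places the messenger session two seconds before chat.log was last written, and the removable-drive event two minutes before the copy of plan.docx appeared on the Desktop; whether those adjacencies mean anything is for the analysis stage, but the timeline is what makes them visible.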

7. REPORTING

The last stage of a digital evidence examination is to integrate all findings and conclusions
into a final report that conveys the findings to others and that the examiner may have to
present in court.

Writing a report is one of the most important stages of the process because it is the only
view that others have of the entire process.

A sample report structure is provided here:

Introduction: case number, who requested the report and what was sought, who wrote the
report and when, and what was found.

Evidence Summary: summarize what evidence was examined and when, MD5 values,
laboratory submission numbers, when and where the evidence was obtained and from
whom, and its condition (note signs of damage or tampering).

Examination Summary: summarize tools used to perform the examination, how important
data were recovered (e.g., decryption or undeletion), and how irrelevant files were
eliminated.

File System Examination: inventory of important files, directories, and recovered data that
are relevant to the investigation with important characteristics such as path names, date-time
stamps, MD5 values, and physical sector location on disk. Note any unusual absences of
data.

Analysis: describe and interpret temporal, functional, and relational analysis and other
analyses performed such as evaluation of source and digital stratigraphy.


Conclusions: summary of conclusions should follow logically from previous sections in the
report and should reference supporting evidence.

Glossary of Terms: explanations of technical terms used in the report.

Appendix of Supporting Exhibits: digital evidence used to reach conclusions, clearly
numbered for ease of reference.
