
Digital Forensics

"What one man can invent; another can discover."
– Sherlock Holmes
What is Forensics?
• Use of scientific or technological techniques to conduct an
investigation or establish facts (evidence) in a criminal
case.
– Judd Robbins, Computer Forensic Legal Standards and
Equipment
Digital Forensics
• Digital Forensics is defined as the process of collecting,
preserving, analyzing, interpreting, and documenting
digital evidence and then presenting the outcomes.

• Used to be called “Computer Forensics”


Digital Investigation focuses on digital devices
• Computer
– PC, Laptop, Server
• Router, Switch
• Phones
• SIM Card
• ATM Machines
• Game Systems
• PDA
• Digital Cameras
• Thumb Drive (aka USB)
• Backup Media
– CD, DVD, Tapes
• Printers
Preparing a Digital Investigation
• The role of a digital forensics professional is to gather evidence
to prove that a suspect committed a crime or violated a
company policy
• Collect evidence that can be offered in court or at a
corporate inquiry
• Investigate the suspect’s computer
• Preserve the evidence on a different computer
• Follow an accepted procedure to prepare a case
Overview of a Digital Crime
• Digital media can contain information that helps law
enforcement determine:
• Chain of events leading to a crime
• Evidence that can lead to a conviction
• Law enforcement officers should follow proper procedure
when acquiring the evidence
• Digital evidence can be easily altered by an overeager
investigator
Examining a digital crime
Chain of custody
• Route the evidence takes from the time you find it until the case is
closed or goes to court
• Because digital evidence can, in theory, be altered without trace,
attorneys have argued that it is inherently less reliable than other
forms of evidence. The chain of custody must therefore be
maintained to preserve the integrity of digital evidence as it passes
through the stages of an investigation. For example, cryptographic
hash functions are widely used to demonstrate that evidence has
not changed since acquisition. It is crucial to preserve the digital
crime scene during a digital investigation.
Chain of custody (continued)
• The chain of custody documents who had control of the evidence,
what was done to it, and during what period of time. The evidence
must also be appropriately physically protected.
• Two types:
1. Single-evidence form
- Lists each piece of evidence on a separate page
2. Multi-evidence form
- Lists multiple pieces of evidence on the same page
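As an added illustration of the two preceding slides (example code, not from the lecture or its sources): a single-evidence custody record that stores the SHA-256 taken at acquisition, logs every handover with who/what/when, and re-hashes the image on each transfer so that any alteration is detected and recorded. The item ids, names and the evidence bytes are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images need not be loaded whole

def hash_image(data: bytes) -> str:
    """SHA-256 of an acquired evidence image, given here as bytes."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()

@dataclass
class CustodyRecord:
    """Single-evidence form: one item, its acquisition hash and every handover."""
    item_id: str
    description: str
    acquisition_hash: str
    events: list = field(default_factory=list)

    def log(self, who: str, action: str, when: str) -> None:
        # Who had control, what was done and when: the three questions the form answers.
        self.events.append({"who": who, "action": action, "when": when})

    def verify(self, data: bytes, who: str, when: str) -> bool:
        """Re-hash the image and compare with the hash recorded at acquisition.
        The check itself is logged, so the record shows when integrity was confirmed."""
        ok = hash_image(data) == self.acquisition_hash
        self.log(who, "integrity check " + ("passed" if ok else "FAILED"), when)
        return ok

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)

def acquire(item_id: str, description: str, data: bytes, examiner: str, when: str) -> CustodyRecord:
    """Create the record at acquisition; the hash taken here is the baseline for all later checks."""
    rec = CustodyRecord(item_id, description, hash_image(data))
    rec.log(examiner, "acquired image, recorded SHA-256", when)
    return rec

# Constructed stand-in for a disk image; a real one would be read from the write-blocked copy.
EVIDENCE_IMAGE = b"FAT32 boot sector...\x00" * 64

if __name__ == "__main__":
    rec = acquire("E-001", "USB thumb drive, 16 GB", EVIDENCE_IMAGE, "Examiner A", "2024-05-01T09:00Z")
    rec.log("Examiner B", "received sealed bag #17 from Examiner A", "2024-05-02T10:15Z")
    print(rec.verify(EVIDENCE_IMAGE, "Examiner B", "2024-05-02T10:20Z"))   # True: unaltered
    tampered = bytearray(EVIDENCE_IMAGE); tampered[5] ^= 0x01               # constructed one-bit change
    print(rec.verify(bytes(tampered), "Examiner B", "2024-05-02T10:21Z"))  # False: logged as FAILED
    print(rec.to_json())
```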
Single-evidence form (sample form)
Multi-evidence form (sample form)
Types of computer forensics
Types of computer forensics
• File system forensics
• Memory forensics
• Operating System
forensics
• Network forensics
• Malware forensics
• Mobile Device forensics
File system forensics
• Data on a physical medium, such as a hard drive or flash drive, is
organized, labeled, and governed by a file system. FAT, NTFS, and ext are
the most commonly used file systems, but there are many more, and a
suspect could even have created their own file system in order to
complicate an investigation. File system forensics is generally used to
discover the locations of files that are more useful as evidence than the
file system itself; however, the presence of a custom file system, or of
anomalies in the locations of data (namely, data existing where it should
not), is usually proof of improper activity. Though not directly punishable,
such activity is a very strong indicator of illegal activity and warrants
further investigation.
Memory forensics
• Although often called RAM forensics, this term actually refers
to the application of forensic techniques to any and all volatile
memory, which includes RAM, caches (of all levels), and CPU
registers (not to be confused with the Windows registry).
Memory forensics must be performed during live analysis,
because the contents of volatile memory are permanently lost
when the system is shut down.
Operating System Forensics
• Logfile analysis is a major part of operating system forensics,
and logfile formats differ wildly between operating systems. The
Linux equivalent of the Windows registry, for example, is not a
hierarchical store browsed through a GUI like the registry, but a
series of organized text files. To perform operating system
forensics, the investigator must have deep and thorough
knowledge of multiple operating systems, as well as the ability
to understand the meaning of the logs each of them generates.
Network Forensics
• IP tracing and network traffic monitoring are the major
components of network forensics. The main objective is to look
for evidence of illegal activities that involve a transfer of files
or information. It is important to note that while most
applications of network forensics involve the Internet, LANs,
local ad-hoc networks, and emulated network connections
between virtual machines (VMs) and their host machines can all
be analyzed with the same techniques.
Malware Forensics
• Malware Forensics mostly refers to the reverse
engineering of malware, but also covers the detection of
existing or possible malware.
Mobile Device Forensics
• Some mobile devices use proprietary operating systems, such as iOS, Windows
Mobile/CE, and BlackBerry OS, while others are built on open-source systems
such as Android; an investigator would need to know all of them to be effective
in the field. There are also many different types of mobile devices (smartphones,
PDAs, and digital cameras), and all of them use different operating systems,
have different capabilities, and store different types of data. A mobile phone
might contain recorded conversations, digital pictures, texts and emails, contact
lists, and sometimes even digital video recordings. It is worth noting that the
manufacturer and model also play a role in the methods used, further
complicating the investigation. Even analyzing two devices that are very
comparable in the consumer market could, and usually does, require very
different combinations of techniques to retrieve the information required.
Procedures for conducting a digital forensics investigation
Methodological models
• Many methodological models (procedures) have been developed
in the field of digital forensics.
• Examples of methodological models:
• Kruse and Heiser model
• Yale University model
• Rodney McKemmish model
Rodney McKemmish model
Identification → Preservation → Analysis → Presentation
Identification
• The identification of digital evidence is the first step in the
forensic process. Knowing what evidence is present, where
it is stored and how it is stored is vital to determining which
processes are to be employed to facilitate its recovery.
• In addition, the computer forensic examiner must be able to
identify the type of information stored in a device and the
format in which it is stored so that the appropriate
technology can be used to extract it.
Preservation
• The preservation of digital evidence is a critical element in the forensic process.
Given the likelihood of judicial scrutiny in a court of law, it is imperative that any
examination of the electronically stored data be carried out in the least intrusive
manner.
• There are circumstances where changes to data are unavoidable, but it is
important that the least amount of change occurs. In situations where change is
inevitable it is essential that the nature of, and reason for, the change can be
explained. Alteration to data that is of evidentiary value must be accounted for
and justified.
• This applies not only to changes made to the data itself, but also includes physical
changes that are made to the particular electronic device to facilitate access to
the data.
Analysis
• The analysis of digital evidence—the extraction,
processing and interpretation of digital data—is generally
regarded as the main element of forensic computing. Once
extracted, digital evidence usually requires processing
before it can be read by people. For example, when the
contents of a hard disk drive are imaged, the data
contained within the image still requires processing so
that it is extracted in a humanly meaningful manner. The
processing of the extracted product may occur as a
separate step, or it may be integrated with extraction.
Presentation
• The presentation of digital evidence involves the actual
presentation in a court of law. This includes the manner of
presentation, the expertise and qualifications of the
presenter and the credibility of the processes employed to
produce the evidence being tendered.
References
• https://link.springer.com/book/10.1007/978-3-030-00581-8
• Dr. Ali Hadi ashemery slides