Framework For Digital Forensic Evidence Collection With Chain of Custody (Coc)

The document discusses the process of digital forensic evidence collection, including creating an image of the data source, analyzing the image to identify potential evidence, and extracting relevant evidence while preserving integrity and authenticity. Maintaining chain of custody is also covered as a key aspect of evidence collection and control.

Uploaded by

andrewrogers5836

Framework for digital forensic evidence collection with Chain of Custody (CoC)

A key aspect of electronic data preservation and collection in formal
discovery is initiating and maintaining chain of custody and control
of the electronic data.
Chain of custody is the procedure for chronologically documenting the handling of evidence.
CoC allows the data to be submitted as evidence in a court or other
legal or administrative proceeding.
Federal Rules of Evidence Rule 1001:

“If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original’.”
Chain of Custody (CoC)
CoC demonstrates that the data preserved and collected has not changed since preservation and collection, and that any printouts of the data are accurate reflections of the original data.
CoC is used to demonstrate the transfer of ownership of digital evidence between entities and can be used to validate the integrity of evidence being presented in court.
Chain of custody records the collection, sequence of control, transfer and analysis of the evidence.
It also documents details of each person who handled the evidence, the date and time it was collected or transferred, and the purpose of the transfer.
It demonstrates to the courts and to the client that the evidence has not been tampered with.
Example scenario: A cybersecurity analyst is called to investigate a suspected data breach in a company's network. They examine network logs to trace the source of the breach, analyze malware samples to understand their behavior, and review system logs to identify any unauthorized access.
Collection: server logs, network traffic captures, and malware samples.
Documentation: the analyst creates a detailed log that includes information about where the evidence was found, the date and time of collection, and any relevant metadata.
Transfer: the evidence is transferred securely between analysts or teams.
Analysis: the teams analyze the collected evidence in a controlled digital forensics laboratory.
Chain of Custody (CoC)
Documentation trail
Who has the evidence, and when?
Important when it comes to the documentation trail.
All transfers must be documented.
Documentation should be complete and accurate.
Inaccessible
Plan to protect the evidence BEFORE you get it.
Do your work on forensic copies.
Closely guard the evidence.
Keep the CoC up to date.
Don’t keep evidence longer than necessary.
Chain of Evidence
[Details describing where evidence was
identified, techniques used to seize it, methods
used to transport it to a secure location, and its
continuous custody records]
Ensuring CoC using FTK Imager
Capturing Memory
Memory capture is the method of capturing and dumping the contents of volatile memory into a non-volatile storage device to preserve it for further investigation.
A RAM analysis can only be conducted successfully when the acquisition has been performed accurately, without corrupting the image of the volatile memory.
In this phase, the investigator has to be careful about the decision to collect volatile data, as it will no longer exist after the system undergoes a reboot.
To capture the memory, click on File > Capture Memory.
Choose the destination path and the destination file name, and click on Capture Memory.
Now wait a few minutes until the RAM has been captured.
Analyzing Image Dump
Now let us analyze the RAW image dump once it has been acquired using FTK Imager. To start the analysis, click on File > Add Evidence Item.
Now select the source of the dump file that you have already created: here you have to select the Image File option and click on Next.
Choose the path of the image dump that you have captured by clicking on Browse.
Once the image dump is attached to the analysis, you will see an evidence tree containing the files of the image dump. This can include deleted as well as overwritten data.
We will now remove this evidence item by right-clicking on the case and clicking on Remove Evidence Item.
Mounting Image to Drive
To mount the image as a drive on your system, click on File > Image Mounting.
Once the Mount Image to Drive window appears, add the path to the image file that you want to mount and click on Mount.
Now you can see that the image file has been mounted as a drive.
Custom Content Image with AD Encryption
FTK Imager has a feature that allows it to encrypt files of a particular type according to the requirements of the examiner. Click on the files that you want to add to the custom content image along with AD encryption.
1. The first step in digital forensics acquisition is to identify the source of the evidence. This includes determining what type of device or system is being examined and what type of data is stored on it.

2. Once this has been established, the next step is to create an image or copy of the data on the device or system. This image will be used as a reference point for further analysis and investigation.

3. The next step in digital forensics acquisition is to analyze the image or copy created in order to identify any potential evidence that may be present. This includes examining filesystems, registry entries, application logs, and other areas where data may be stored. Once any potential evidence has been identified, it must then be extracted from the image or copied to preserve its integrity and authenticity.

4. Once all relevant evidence has been extracted from the image or a copy has been created during digital forensics acquisition, it must then be analyzed further in order to determine its relevance and value as evidence. This analysis typically involves examining file headers and footers, analyzing metadata associated with files, examining application logs for suspicious activity, and other techniques designed to uncover hidden information or patterns that may indicate criminal activity.


EVIDENCE ACQUISITION FOR WINDOWS OS

Several types of digital forensics acquisitions can be performed on Windows operating systems, as follows:
Physical acquisitions (also known as dead acquisitions): Physical acquisitions involve collecting data directly from a physical device such as a hard drive or USB drive.
Logical acquisitions (also known as live acquisitions): Logical acquisitions involve collecting data from logical sources such as files stored on a computer.
Virtual acquisitions (also known as VM acquisitions): Virtual acquisitions involve collecting data from VMs such as those used by cloud computing services such as Amazon Web Services (AWS).
Volatile data: Volatile data is the most ephemeral and will be lost first when a system is powered off or shut down. This includes data stored in RAM, such as running processes, open files, and network connections.

Non-volatile data: Non-volatile data includes information stored on hard drives or other storage media that may remain intact after a system has been powered off or shut down.
This includes information such as filesystem metadata, registry entries, user profiles, deleted files, and unallocated space on hard drives.
However, certain types of hard drives such as solid-state drives (SSDs) are more volatile than traditional hard drives and may require special handling by investigators in order to ensure that all relevant evidence can be recovered successfully.

Once investigators understand which types of data are stored on a computer system and how they are stored, they can begin to prioritize their collection and analysis efforts based on the order of volatility.
One of the most common methods of acquiring digital evidence is disk imaging. Disk imaging involves making an exact copy of all data stored on a hard drive or another storage device. This copy can then be analyzed by forensic investigators without altering the original data on the drive.
Disk imaging can also be used to create backups of important data, which can then be used if the original data is lost or corrupted.
When performing disk imaging for Windows forensics, several steps must be taken to ensure that all relevant data is captured and preserved properly.
Finally, once the image has been created, it should be verified using checksums/hashing, which are used to verify the integrity of digital evidence.
A checksum is a unique value generated by a mathematical algorithm from the data contained in a file.
By comparing the checksum of an original file to that of a copy, investigators can determine whether the copy has been altered or tampered with.
Checksums are crucial for detecting evidence tampering and for ensuring that evidence is admissible in court, confirming its accuracy and integrity before it is stored for further analysis.
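The following is an added example, not part of the original slides or of FTK Imager: it ties the chain-of-custody records described earlier (who handled the evidence, when, and why) to the checksum verification described here. Each custody entry records a SHA-256 hash of the image at the time of handover, and verification fails if the hashes in the chain disagree or the image no longer matches the acquisition hash. The image file, handler names and purposes are constructed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-GB image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def coc_entry(image_path, handler, action, purpose):
    """One chain-of-custody record: who, when (UTC), what was done, why, and the hash at that moment."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "purpose": purpose,
        "image": os.path.basename(image_path),
        "sha256": sha256_file(image_path),
    }

def verify_chain(chain, image_path):
    """True only if every recorded hash agrees and the image still matches the acquisition hash."""
    if not chain:
        return False
    acquisition_hash = chain[0]["sha256"]
    if any(entry["sha256"] != acquisition_hash for entry in chain):
        return False  # a handover recorded a different hash: break in the chain
    return sha256_file(image_path) == acquisition_hash

def demo():
    """Constructed walkthrough: acquire, hand over, verify, then detect a single-byte alteration."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.raw")
        with open(image, "wb") as fh:
            fh.write(os.urandom(4096))  # constructed stand-in for a RAW disk/memory image
        chain = [coc_entry(image, "analyst A (placeholder)", "acquired", "imaging of suspect drive")]
        chain.append(coc_entry(image, "analyst B (placeholder)", "received", "malware analysis"))
        intact = verify_chain(chain, image)
        with open(image, "r+b") as fh:  # simulate tampering after the last custody entry
            fh.seek(100)
            original = fh.read(1)
            fh.seek(100)
            fh.write(b"\x00" if original != b"\x00" else b"\xff")
        return {"entries": len(chain), "intact_before": intact, "intact_after_tamper": verify_chain(chain, image)}
```

The same check applies to a real acquisition: record the hash on the CoC form at every transfer and recompute it before analysis and before presenting the evidence.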
