Uploaded by Jash Shah

Digital Forensics

UNIT 1
INTRODUCTION
SUBJECT OBJECTIVE

Explain the process of investigating computer crime.
Perform the initial decision-making process.
Assess the situation.
Notify decision makers and acquire authorisation.
Review policies and laws related to the forensic investigation process.
Acquire and analyse the data.
Report the investigation.
INTRODUCTION

There is no doubt that those who commit crimes are aware of the evolution of Information Technology.

Technology has infiltrated almost every aspect of our lives, starting with the morning alarm and ending with saying good-night to our dear ones.

No one can deny the convenience this technology provides, but in contrast, because of the anonymity (namelessness) it offers, it also provides a ready platform for criminals to commit crimes.
The worldwide explosion of computer systems and the internet has led to an ever-increasing rise in computer and cyber crimes, and the world economy is facing losses of trillions of rupees because of these crimes. Here comes the role of Digital Forensics, which deals with the investigation of such crimes.

Earlier, the extent of Digital Forensics was limited to stand-alone and networked PCs. But now, in this era of mobile and cloud computing, the scope of the subject has become more challenging: it includes the recovery of evidence from any digital device that has been used in the commission of a crime.
Reports suggest that, compared with the high pace of cyber crime, there is a lack of skilled forensic experts. To fill this gap, the study of DIGITAL FORENSICS becomes even more important, and rather an indispensable (essential) requirement for working in this virtual world.
WHAT IS FORENSIC SCIENCE?

Forensics is the application of science to solve a legal problem.

In forensics, the law and science are forever integrated. Neither can be applied without paying homage (faith/tribute) to the other.

The best scientific evidence in the world is worthless if it’s inadmissible (invalid) in a court of law.
WHAT IS DIGITAL FORENSICS?

Ken Zatyko defined digital forensics as:

“The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation” (Zatyko, 2007).
A digital device can be defined as any device which stores information digitally, in zeros and ones. In digital forensics, we are interested in those digital devices that contain a computer or microcontroller.

So, DIGITAL FORENSICS is defined as a branch of forensic science which comprises the recovery and investigation of material found in digital devices or other storage media, such as computers, network devices, tablets, cell phones, hard drives, flash drives, etc. It is accordingly called Computer Forensics, Network Forensics, Mobile Phone Forensics, Disk Forensics, etc.
Digital forensics encompasses much more than just laptop and desktop computers. Mobile devices, networks, and “cloud” systems are very much within the scope of the discipline.

It also includes the analysis of images, videos, and audio (in both analog and digital format).

Digital forensics is defined as the process of preservation, identification, extraction and documentation of evidence stored in any digital device, which can be used by a court of law.
The focus of this kind of analysis is generally authenticity, comparison, and enhancement.

Many a time, Digital Forensics is used interchangeably as a synonym for Computer Forensics and Cyber Forensics.

In most cases, the computer system is used as a means of committing the crime, while in other cases the computer is used, knowingly or unknowingly, to store the evidence of these crimes. In other words, a computer system or its allied digital media is logically used in one way or the other in the commission of cyber crimes.
SOURCE OF DIGITAL EVIDENCES

Evidence consists of the facts or items captured or gathered at the crime scene which tend to prove or disprove something. Digital evidence is defined as the facts or things captured or collected from the crime scene when the crime is committed with the help of a computer or other digital sources.

Digital evidence is information of value to an investigator that is either stored on, received by, or transmitted by an electronic device.

This evidence is acquired when the data or electronic devices are seized (taken into custody) and secured for examination.
USES OF DIGITAL FORENSICS
Digital forensics can be used in a variety of settings,
including…

1. Criminal investigations

2. Civil litigation (hearing/trial)

3. Intelligence

4. Administrative matters.
1. CRIMINAL INVESTIGATIONS

Digital forensics is used in the context of criminal investigation, as electronic evidence can be found in almost any criminal investigation: homicide, sexual assault, robbery, child pornography, identity theft and burglary.

Bind, torture, kill:-

Dennis Rader, better known as the BTK killer, is a great example of the critical role digital forensics can play in a criminal investigation. This case had national attention and, thanks to digital forensics, was solved 30 years after it occurred.

In January 2005, Rader left a note for police, hidden in a cereal box in the back of a pickup truck belonging to a Home Depot employee. In the note, he said:

“Can I communicate with Floppy and not be traced to a computer. Be honest. Under Miscellaneous Section, 494, (Rex, it will be OK), run it for a few days in case I’m out of town-etc. I will try a floppy for a test run some time in the near future-February or March.”
2. CIVIL LITIGATION

The use of digital forensics in civil cases (litigation) is big business.

As part of a process known as electronic discovery (eDiscovery), digital forensics has become a major component of much high-dollar litigation.

eDiscovery “refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case (litigation)”.

Digital evidence can quickly become the focal point of a case, no matter what kind of legal proceeding (paper-based or computer-based) it’s used in.
3. INTELLIGENCE

Terrorists and foreign governments, the purview (zone / field) of our intelligence agencies, have also joined the digital age.

Terrorists have been using information technology to communicate, recruit, and plan attacks.

In Iraq and Afghanistan, our armed forces are exploiting intelligence collected from digital devices brought straight from the battlefield. This process is known as Document and Media Exploitation (DOMEX). DOMEX is paying large dividends by providing actionable intelligence to support the soldiers on the ground.
4. ADMINISTRATIVE MATTERS

Digital evidence can also be valuable for incidents other than litigation and matters of national security.

Violations of policy and procedure often involve some type of electronically stored information; for example, an employee operating a personal side business using company computers while on company time. That may not constitute a violation of the law, but it may warrant an investigation by the company.
DIGITAL DEVICES FOR EVIDENCES
(TYPES OF DATA)

List of digital devices for evidence:-

1. Computer Systems.
2. Storage Devices.
3. Handheld Devices.
4. Peripheral Devices.
5. Network Devices.

Irrespective of size and type, the devices mentioned above might contain evidence that is crucial to an investigation, like image files, documents, financial records, e-mail attachments, etc.
1. Computer Systems:-

▪ Different forms of computer systems, like desktops, laptops, workstations, mini and mainframe computers.

▪ Potential evidence in a computer system includes software, financial information, photos, documents, databases, Internet browsing history, event logs, e-mail and attachments, chat logs, friend lists and data stored on external devices.

2. Storage Devices:-

▪ Storage devices like hard drives, external hard drives, removable storage, pen drives, memory cards, etc.
3. Handheld Devices:-

▪ Portable data storage devices that enable communication, navigation, digital photography, entertainment and personal information management, such as smart phones, multimedia (both video and audio) devices, PDAs, digital cameras, mobile phones, pagers and GPS receivers, are called handheld devices.

▪ Investigators may be interested in stored images, MMS and SMS messages, pornographic clips, call details and mobile locations, which may provide clues related to the committed crimes.
4. Peripheral Devices:-

These are devices that are connected to a computer or computer system so as to improve user access and also to expand the functionality of the computer system.

5. Network Devices:-

From networking devices there is a lot of evidence which can be obtained from the internet, such as information collected from website communication, e-mails, message boards, chat rooms, file-sharing networks and intercepted communications.

Although jurisdiction poses a major problem for the acquisition of such evidence, it can easily be tracked and identified.
DIFFERENT BRANCHES OF DIGITAL FORENSICS
Digital Forensics has a very wide scope which is further divided
into specialized branches like…

1. Memory Forensics
2. Disk Forensics.
3. Network Forensics.
4. Mobile Phone Forensics.
5. Database Forensics.
6. Photo Forensics.
7. Printer Forensics.
8. Multimedia Forensics.
1. Memory Forensics:- (Memory Analysis)

This is the branch most closely related to incident response. It refers to the analysis of volatile data in a computer’s memory dump.

2. Disk Forensics:-

It is the science of extracting forensic information from digital storage such as hard disks, USB devices, CDs, DVDs, flash drives, floppy disks, etc.

3. Network Forensics:-

It is a branch of digital forensics that focuses on the monitoring and analysis of network traffic. It involves gathering and examining raw network data and systematically tracking and monitoring network traffic to establish how an attack took place.

Network forensics helps in identifying unauthorized access to computer systems and networks and searches for evidence that such access has occurred. In other words, network forensics attempts to ascertain how an attack was carried out or how an event occurred on a network.

4. Mobile Phone Forensics:-

It relates to the recovery of digital evidence or data from mobile devices under forensically sound conditions.

5. Database Forensics:-

It is a branch of digital forensic science relating to the forensic study of databases and their related metadata. The discipline is similar to computer forensics, following the normal forensic process and applying investigative techniques to database contents and metadata.

6. Printer Forensics:-

Printed documents are frequently forged by criminals, as in the forging of passports, other identity documents, degrees and marksheets, and in counterfeiting currency, which may be used for terrorist activities.

In such cases, it becomes desirable for forensic experts to identify the device, or type of device, used to print the material in question; doing so provides a valuable aid for law enforcement and intelligence agencies.
THE DIGITAL FORENSICS PROCESS

The digital forensic process can be boiled down into a series of steps or phases. This eight-phase process provides a good frame of reference from which to begin.

The eight phases are:

1. Search Authority
2. Chain of Custody
3. Imaging/Hashing Function
4. Validated Tools
5. Analysis
6. Repeatability (Quality Assurance)
7. Reporting
8. Possible Expert Presentation
1. SEARCH AUTHORITY

Search authority is always the first step in any forensic process. Without the proper search authority, any evidence you recover (no matter how compelling) will very likely be suppressed.

Search authority can take many forms. In a criminal case, a search warrant, summons (subpoena), or consent could serve (suffice). In civil cases, parties could consent to a search, or one could be ordered by the court.

It’s important to note that this first step only applies in a legal context. There may be situations where there are no legal concerns (such as a cell phone seized from the battlefield).

There may also be urgent (exigent) circumstances where legal consequences become secondary to obtaining the evidence (such as when a child is missing and in danger).
2. CHAIN OF CUSTODY

A well-documented chain of custody is essential to maintain the integrity of the evidence.

The chain of custody accounts for each evidence item from the time it’s collected to the time it’s presented in court (should that become necessary).

Typically the chain of custody is documented via forms, reports, evidence receipts, notes, and marking the actual evidence item itself.

Each time the evidence changes hands it should be recorded. That’s because, should the chain be broken, the evidence could be excluded from trial.
3. IMAGING/HASHING FUNCTION

Examining the original media is something that should be absolutely avoided if at all possible. The danger is that the original evidence could very well be modified in some way or even destroyed outright.

Preferably, a forensic image is made and all examinations are performed on this duplicate rather than on the original. A forensic clone, also known as a bitstream image, is an exact copy of every bit (1 or 0) that is on the media. The process of creating a bitstream image is called imaging.

In a legal setting, the original evidence is always preferred over a copy. At first glance, this seems to create a major conflict when it comes to digital evidence: on one hand, working on a forensic copy is the preference, while on the other, copies are unacceptable.

Enter the hash function. Hashing is a mathematical process (via an algorithm) that produces a unique value that is essentially the digital “fingerprint” or “DNA” of a particular file, piece of media, etc. This digital fingerprint can be used to compare the original evidence to the forensic image. The two values should match exactly. If they do, then, for all intents and purposes, they are identical. Courts have repeatedly accepted forensic images since these can be shown to be mathematically identical.
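The imaging-and-hashing step described above, together with the chain-of-custody record from step 2, as an added Python example that is not part of the original slides: it makes a bitstream copy of a small constructed file standing in for seized media, hashes both sides with SHA-256, and keeps a custody log that re-hashes the item at every hand-off, so a broken chain shows up as a hash mismatch. The file names, custodian roles and record layout are assumptions.

```python
"""Bitstream imaging, hash verification and a chain-of-custody log.

Added example; not from the lecture slides. The seized media is a
constructed file of random bytes, and the file names, custodian roles
and record layout are assumptions.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large media never sit in RAM at once


def sha256_of(path: str) -> str:
    """Digest of a whole file: the 'fingerprint' used to compare original and image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_media(source: str, image: str) -> dict:
    """Bitstream copy: every byte of *source* lands in *image*, then both sides are hashed."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    src_hash, img_hash = sha256_of(source), sha256_of(image)
    return {"source": source, "image": image,
            "source_sha256": src_hash, "image_sha256": img_hash,
            "verified": src_hash == img_hash}


class CustodyLog:
    """Append-only record of who held an evidence item, re-hashed at every hand-off."""

    def __init__(self, item_id: str, path: str, reference_hash: str):
        self.item_id = item_id
        self.path = path
        self.reference_hash = reference_hash  # digest recorded at acquisition
        self.entries = []

    def transfer(self, from_person: str, to_person: str, purpose: str) -> dict:
        """Record a hand-off and whether the item still matches its acquisition hash."""
        current = sha256_of(self.path)
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "item": self.item_id,
            "from": from_person,
            "to": to_person,
            "purpose": purpose,
            "sha256": current,
            "intact": current == self.reference_hash,
        }
        self.entries.append(entry)
        return entry

    def is_unbroken(self) -> bool:
        """True only if the item hashed to its reference value at every hand-off."""
        return all(e["intact"] for e in self.entries)


def demo() -> tuple:
    """Run the whole workflow on constructed data and return the pieces worth checking."""
    workdir = tempfile.mkdtemp()
    media = os.path.join(workdir, "seized_usb.bin")  # stands in for the seized device
    image = os.path.join(workdir, "seized_usb.dd")   # the forensic image
    with open(media, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 1234))         # constructed content, not real evidence

    record = image_media(media, image)
    log = CustodyLog("EXHIBIT-001", image, record["image_sha256"])
    log.transfer("collecting officer", "evidence custodian", "storage")
    log.transfer("evidence custodian", "examiner", "analysis")

    # Simulate one flipped byte in the image; the next hand-off must flag it.
    with open(image, "r+b") as f:
        f.seek(100)
        original = f.read(1)
        f.seek(100)
        f.write(bytes([original[0] ^ 0x01]))
    tampered = log.transfer("examiner", "evidence custodian", "return")
    return record, log, tampered


if __name__ == "__main__":
    rec, custody, last = demo()
    print("image verified:", rec["verified"])
    print("chain unbroken:", custody.is_unbroken(), "last hand-off intact:", last["intact"])
```

In real casework the source is read through a write blocker and the image format (raw dd, E01 and so on) follows lab policy; the point of the example is only the compare-after-imaging and the re-hash at every hand-off, which is what turns the custody form from a signature list into a verifiable record.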
4. VALIDATED TOOLS

In forensics, nothing is taken for granted. That includes the proper functioning of the tools.

Forensic tools, be they hardware or software, must be tested before they are used, to verify the accuracy of their results. Both new tools and updates should be validated. This validation process should be documented every time it’s done. In forensics, the documentation never stops.
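Tool validation as described above, as an added Python example that is not from the slides: the "tool" under test is Python's hashlib, checked against the published known-answer vectors for MD5, SHA-1 and SHA-256, and the outcome is written into a dated validation record of the kind the documentation requirement calls for. The record layout and the deliberately broken tool used to show a failing run are assumptions.

```python
"""Known-answer validation of a hashing tool before it is used on a case.

Added example; not from the lecture slides. The tool validated is Python's
hashlib; the expected digests are the published test vectors for MD5, SHA-1
and SHA-256. The validation-record layout and the deliberately broken tool
used to show a failing run are assumptions.
"""
import hashlib
import platform
from datetime import datetime, timezone

# Published known-answer vectors: (input bytes, expected hex digest).
KNOWN_ANSWERS = {
    "md5": [
        (b"", "d41d8cd98f00b204e9800998ecf8427e"),
        (b"abc", "900150983cd24fb0d6963f7d28e17f72"),
    ],
    "sha1": [
        (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ],
    "sha256": [
        (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
        (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ],
}


def hashlib_tool(algorithm: str):
    """The tool under test: a function from bytes to hex digest."""
    return lambda data: hashlib.new(algorithm, data).hexdigest()


def validate_tool(hash_fn, vectors) -> tuple:
    """Run every known-answer vector through hash_fn; return (passed, list of failures)."""
    failures = []
    for data, expected in vectors:
        got = hash_fn(data)
        if got != expected:
            failures.append({"input": data, "expected": expected, "got": got})
    return (not failures), failures


def validation_record(tool_name: str, version: str, results: dict) -> dict:
    """A dated record of the run, filed with the case documentation."""
    return {
        "tool": tool_name,
        "version": version,
        "platform": platform.platform(),
        "validated_at": datetime.now(timezone.utc).isoformat(),
        "algorithms": {name: ("PASS" if ok else "FAIL") for name, (ok, _) in results.items()},
        "failures": {name: fails for name, (ok, fails) in results.items() if not ok},
        "overall": "PASS" if all(ok for ok, _ in results.values()) else "FAIL",
    }


def run_validation(tool_factory=hashlib_tool, tool_name: str = "hashlib") -> dict:
    """Validate every algorithm in KNOWN_ANSWERS with the given tool and build the record."""
    results = {name: validate_tool(tool_factory(name), vectors)
               for name, vectors in KNOWN_ANSWERS.items()}
    return validation_record(tool_name, platform.python_version(), results)


def truncating_tool(algorithm: str):
    """Constructed faulty tool that drops the last hex digit, to show a failing validation."""
    return lambda data: hashlib.new(algorithm, data).hexdigest()[:-1]


if __name__ == "__main__":
    for tool, name in ((hashlib_tool, "hashlib"), (truncating_tool, "broken-hasher")):
        rec = run_validation(tool, name)
        print(rec["validated_at"], rec["tool"], rec["version"], rec["overall"], rec["algorithms"])
```

The same pattern applies to any tool whose output can be predicted for a known input (an imager run against a drive with a known hash, a carver against a disk with known planted files); what matters is that the expected values come from an independent, published source and that the run is recorded with the tool version and platform each time, including after every update.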
5. ANALYSIS

Examiners use their skills, experience, and tools to locate and interpret artifacts (traces left by activity) found on the media being analysed. The analysis depends on the facts and circumstances of the investigation. Some may be fairly short and straightforward. Others could be quite complicated and time-consuming. For example, an analysis could include:

✔ Linking some activity with a specific user account

✔ Establishing a timeline of events

✔ Determining whether a USB storage device was connected to the machine

✔ Breaking encryption

✔ Identifying relationships/connections between individuals (i.e., suspect and victim)

✔ Identifying websites that have been visited

✔ Determining whether certain files were opened or downloaded

✔ Identifying what search engine queries have been entered

✔ Locating contraband (such as child pornography)

✔ Determining what applications have been installed or uninstalled

✔ Recovering deleted files

✔ Determining whether or not the system has been compromised in some way

At the conclusion of the analysis, examiners will render an opinion. Often, this opinion is expressed in degrees of likelihood (e.g., highly unlikely, unlikely, likely, highly likely, etc.) rather than a definitive “yes” or “no” answer. The analysis culminates in the report (step 7).

6. REPEATABILITY (QUALITY ASSURANCE)

A hallmark of a true forensic process is an accurate result. Painstaking care is taken from beginning to end to make certain the results are correct.

The results of a forensic examination (and the process used to reach them) should be able to be duplicated.

A separate examiner should be able to repeat the process using the same evidence, the same steps, and the same tool(s), and come up with the same result.

Quality assurance is a collection of practices and procedures, encompassing the forensic process in its entirety, that help to guarantee the accuracy of any findings.

Quality assurance addresses a multitude of issues, all of which affect the forensic process. These include elements such as the skill and training of the examiners, security of the evidence and the facility, reliability of the tools, case processing, infrastructure, and much more.
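Three of the analysis tasks listed above (establishing a timeline, determining whether a USB storage device was connected, and linking activity to a user account), as an added Python example that is not from the slides: it normalises constructed log lines from three imaginary sources with different timestamp conventions into one UTC timeline, pairs each USB connection with its removal, and lists the user's actions during that window. All log formats, timestamps, device identifiers and user names are constructed.

```python
"""Building a single timeline from heterogeneous log lines.

Added example; not from the lecture slides. The three log sources, their
formats, timestamps, device serial and user names are all constructed;
the parsers match only these constructed formats.
"""
import re
from datetime import datetime, timezone

# Constructed sample records. Source A logs in UTC, source B in local time
# with a UTC offset (+05:30), source C in epoch seconds.
SAMPLE_LOGS = [
    "A 2024-03-10T09:05:12Z user=alice action=logon host=WS01",
    "B 10/03/2024 14:37:40 +0530 USB device connected: vid=0781 pid=5583 serial=4C530001",
    "A 2024-03-10T09:11:03Z user=alice action=open file=Q1-forecast.xlsx",
    "C 1710062100 user=alice action=copy dest=E:\\Q1-forecast.xlsx",
    "B 10/03/2024 14:51:02 +0530 USB device removed: serial=4C530001",
    "A 2024-03-10T09:30:45Z user=alice action=logoff host=WS01",
]

B_LINE = re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}) (.*)")
KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Normalise one record to a UTC datetime plus its message and key=value fields."""
    source, rest = line.split(" ", 1)
    if source == "A":
        stamp, message = rest.split(" ", 1)
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    elif source == "B":
        m = B_LINE.match(rest)
        if m is None:
            raise ValueError(f"malformed B record: {line!r}")
        when, message = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S %z"), m.group(2)
    elif source == "C":
        stamp, message = rest.split(" ", 1)
        when = datetime.fromtimestamp(int(stamp), tz=timezone.utc)
    else:
        raise ValueError(f"unknown source {source!r}")
    return {"time": when.astimezone(timezone.utc), "source": source,
            "message": message, "fields": dict(KEY_VALUE.findall(message))}


def build_timeline(lines) -> list:
    """Parse every line and order the events by normalised UTC time."""
    return sorted((parse_line(l) for l in lines), key=lambda e: e["time"])


def usb_sessions(timeline) -> list:
    """Pair each USB connection with the later removal of the same serial number."""
    open_by_serial, sessions = {}, []
    for e in timeline:
        serial = e["fields"].get("serial")
        if e["message"].startswith("USB device connected") and serial:
            open_by_serial[serial] = e["time"]
        elif e["message"].startswith("USB device removed") and serial in open_by_serial:
            sessions.append({"serial": serial, "start": open_by_serial.pop(serial), "end": e["time"]})
    # A device never seen removed is treated as attached until the last event.
    for serial, start in open_by_serial.items():
        sessions.append({"serial": serial, "start": start, "end": timeline[-1]["time"]})
    return sessions


def user_actions_during(timeline, session, user) -> list:
    """Actions attributed to *user* while the device in *session* was attached."""
    return [e["fields"]["action"] for e in timeline
            if session["start"] <= e["time"] <= session["end"]
            and e["fields"].get("user") == user and "action" in e["fields"]]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOGS)
    for e in tl:
        print(e["time"].isoformat(), e["source"], e["message"])
    for s in usb_sessions(tl):
        print(s["serial"], "attached", s["start"].time(), "to", s["end"].time(),
              "user actions:", user_actions_during(tl, s, "alice"))
```

The step that does the real work is the time-zone normalisation: source B's local timestamps would sort the USB connection after the file copy if taken at face value, and the resulting opinion about what happened while the device was attached would be wrong. An examiner reproducing the analysis should get the same ordering from the same records, which is why the conversion rules are in code rather than done by hand.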
7. REPORTING

In almost every context where digital forensics is used, some type of report is likely to be required.

Reports can (and do) take many forms. Some are quite long and detailed (reaching 100 pages or more). Others are less so (even as few as one or two pages).

The report length and format will be dictated by the organization or client.

Many forensic tools (all of the major commercial ones) have robust reporting functionality built in. As you process the case, you’re able to select specific artifacts, files, etc., to include in the report. Other reports are written by the examiner rather than by the tool.

One major issue with reports generated by tools is that they are quite often very technical.

These technical reports are great, but really shouldn’t stand alone. Always think about your intended audience when creating your report.

A more user-friendly report, without all that technical “noise,” should be included as well. Some of the information to include is an executive summary, a list of the evidence items examined, the methods and tools used to perform the analysis, findings, conclusions, and any relevant exhibits.
8. POSSIBLE EXPERT PRESENTATION

In a purely legal context, the pinnacle of the forensic process is the presentation of the findings to a judge or a jury.

Explaining complex technology to nontechnical people (such as a judge or a jury) is no easy feat.

An expert is not necessarily an expert witness. Too often, experts give trial testimony that is high on jargon and low on useful explanations.

The outcome of a trial could very well come down to the judge’s or jury’s understanding of a specific piece of technology or technical process.

A failure at this stage (juncture) could completely negate all the good work done to that point. Anyone who’s ever explained some aspect of technology to a novice knows what a challenge this can be.
LOCARD’S EXCHANGE PRINCIPLE

Locard’s exchange principle says that, in the physical world, whenever criminals (perpetrators) enter or leave a crime scene, they will leave something behind and take something with them. Examples include DNA, latent (hidden) prints, hair, and fibers.

The same holds true in digital forensics. Registry keys and log files can serve as the digital equivalent of hair and fiber.

As with DNA, our ability to detect and analyze these artifacts relies heavily on the technology available at the time.

Look at the numerous cold cases that are being solved now as a result of the significant advances in DNA science.

Viewing a device or incident through the “lens” of Locard’s principle can be very helpful in locating and interpreting not only physical but digital evidence as well.
SCIENTIFIC METHOD

As an emerging discipline in forensic science, digital forensics is undergoing some expected growing pains.

As of today, digital forensics lacks the vast foundation and long-term track record set by forensic DNA.

DNA is now considered by many to be the “gold standard” of the forensic sciences.

Digital forensics simply lacks the years of development, testing, refining, and legal challenges that DNA analysis has undergone since its inception.

Plotting the course forward are several organizations that are relied upon to establish the protocols, standards, and procedures that will push digital forensics ahead.
SUMMARY

In this Unit, we looked at what forensic science, particularly digital forensics, is and is not.

Forensic sciences aren’t the fast-paced crime-solving dramas that we watch on television, but a scientific method of collection, investigation and analysis used to solve some kind of legal problem.

Digital forensics isn’t limited to computers. It encompasses any kind of electronic device that can store data. These devices include cell phones, tablets, and GPS units, just to name a few.

Digital forensics is applicable well beyond criminal investigations. It’s used routinely in civil litigation and national and military intelligence matters, as well as in the private sector.

Several organizations help establish the standards and best practices used in digital forensics. These organizations include the American Academy of Forensic Sciences, the Scientific Working Group on Digital Evidence, and the American Society for Testing and Materials.

As a practitioner, communication skills are extremely important. You will spend a significant amount of time explaining your findings to police officers, lawyers (attorneys), and clients.

Most important, you must be able to explain those findings to judges and juries. All of these stakeholders must be able to understand your methods and findings.

Like all scientific evidence, digital evidence can be quite confusing and overwhelming. With this kind of testimony, it’s very easy to lose people.

Losing a judge or jury in a trial can have disastrous consequences, such as having your findings ignored or misunderstood.
