Digital Forensics
Introduction to Digital Forensics – Understanding the Process
What is Forensics?
• Forensics or forensic science means applying scientific methods to
investigating crimes
• From ‘clues’ to fingerprints, DNA analysis, forensic pathology, toxicology, fibre
analysis etc.
• Always important to follow correct legal procedures to make sure the findings
are admissible in court
• Digital or computer forensics refers to applying a similar systematic,
scientific and also legally correct approach to evidence that may be
available on electronic devices: computers, mobiles, networks etc.
12/01/2024 (c) Jacqueline Walker, University of Limerick, 2023 2
Forensic science (probably) began when fingerprints started to be used in
investigation; as scientific knowledge has grown, analysis of the evidence left at the
scene of a crime has progressively been made to yield up more and more information.
Due to the complexity of these processes, their veracity can be challenged, so it is
important to make sure that the procedures are followed correctly and the steps taken
are documented, so that the findings are what is called ‘admissible’ in court.
This scientific approach has now been extended to digital forensics where we apply a
systematic scientific approach to acquiring and analysing evidence that may be
available on computing and similar devices.
Why Digital or Computer Forensics?
• Digital investigations may be required if there is suspicion of some
crime or incident (e.g. a usage-policy violation)
• Maybe a computer was used in a suspected crime, or
• A digital ‘event’ is itself a suspected crime, e.g. a cyber attack
• Cyber crime includes such activities as:
• Cyber attacks, hacking, malware attacks
• Identity theft, phishing, online fraud
• Purveying or possessing illegal images
• Cyber stalking and harassment
• In these and other crimes, evidence may be left on the suspect’s
devices
It is perhaps important to distinguish between two different possibilities.
1. A digital device or devices may hold evidence relevant to a suspected crime of
another type e.g. murder, theft, money laundering, criminal conspiracy, terrorism
2. The digital event itself may be the crime, i.e. the crime is a computer-related
crime e.g. cyber attack, hacking, phishing, identity theft, online fraud.
Obviously these two cases overlap where computers are used to perpetrate crimes
like cyber stalking or distributing illegal images.
Foundation of Digital Forensics
• Early work was done by Dan Farmer and Wietse Venema who also
created the first tool: The Coroner’s Toolkit (TCT)
• They defined Computer forensics as:
Gathering and analysing data in a manner as free from distortion or
bias as possible to reconstruct data or what has happened in the past
on a system
(Forensic Discovery, D. Farmer and W. Venema, Addison-Wesley, 1999,
[Link])
The book is available at the link in an HTML version.
Approach to Digital Forensics
• Ultimate goal is to develop and test hypotheses about possible course
of events
• Use a scientific method approach
• Develop hypothesis
• Test the hypothesis for evidence to refute (or support) the hypothesis
• Reformulate the hypothesis
• Anti-digital forensics
• Consider also that perpetrators may have taken steps to obstruct investigators
• By deleting or hiding evidence, altering evidence, or making investigation
time consuming and difficult
Brian Carrier, in the textbook, characterises digital forensics as a scientific method in
terms of developing hypotheses about what happened, examining the evidence to
refute or lend support to the hypothesis, and then reformulating the hypothesis in
light of the evidence.
It is also important to realise that perpetrators will take steps to try to obstruct an
investigation. This may vary from simply deleting files (but do they know how the
recycle bin works? Probably, by now), to deleting web browsing history, to more
sophisticated approaches.
Anti-Digital Forensics
• ADF techniques
• Deleting files, wiping or securely deleting disks, ‘degaussing’ magnetic
storage, destroying SSD storage
• Data hiding by encryption, steganography and other hiding tools, e.g. slacker
(breaks up files and hides them in slack space), transmogrify (alters file headers)
• Obfuscating e.g. timestomp and other tools for altering time stamps and thus
timelines
• Tools for ADF may be rendered ineffective by OS patches (e.g.
timestomp)
See also: [Link] and links
There are many ways of hiding data, from the use of encryption, to ‘hiding data in
plain sight’ (steganography), to other methods of data hiding, e.g. slacker breaks files
up and hides them in slack space or ‘fake’ bad sectors, or transmogrify alters file
signatures or headers, to trying to alter the timeline of incriminating acts by
modifying timestamps (this depends on the file system; it is tricky but can be done,
although there is an arms race with OS patches).
Extreme approaches can include attempts to wipe, securely delete or otherwise
destroy disks.
Three Main Phases of Investigation
(Diagram, source: Carrier, 2005 (text book): System Preservation Phase → Evidence
Searching Phase → Event Reconstruction Phase)
• System preservation
• Preserve and record the state of the digital crime scene
• Legal requirements play a role
• Evidence searching
• Choose where to look
• Choose appropriate analysis level
• Event Reconstruction
• Application and OS specific
• Timelines
• Iterative procedure
Carrier characterises the three main phases of the investigation as
1) System Preservation
2) Evidence searching (Analysis)
3) Event Reconstruction
Again this ties in with the hypothesis construction and testing (in the evidence
searching and event reconstruction phases).
Note: I have taken out the ‘feedback’ arrow to system preservation because really
that should be a one-off.
What is Evidence?
• Evidence means ‘investigative evidence’
• Correct procedures should be followed to collect,
preserve, analyse and report on the evidence to ensure
‘legal admissibility’
• Legal admissibility depends on legal system rules –
country specific, details of this outside the scope of this
course
A short note about the meaning of evidence.
For this course it really means ‘investigative evidence’.
However, we will also stress the importance of following correct procedures to
collect, preserve, analyse and report so as to ensure legal admissibility.
This depends on country- and legal-system-specific rules and so will not be covered in
this course, which focuses on the technical aspects.
Types of Digital Forensics and Course Scope
• There are potentially many ‘types’ or areas of study in digital
forensics:
• File system forensics or dead analysis
• Network forensics
• Memory forensics and live analysis
• Mobile storage forensics
• Cloud forensics
• In this course we are restricting ourselves to file system forensics with
some mention of other techniques
General Principles of Forensic Investigation
(PICL) [1]
• Preservation
• Record and document the scene
• If doing live analysis
• minimize file creation and actions
• transfer results to trusted machine
• document (with timings) all steps
• Acquire (copy) non-volatile data securely (use write blocking tools)
• Verify integrity of acquired data using hashes
• Begin Chain of Custody records
[1] Originated by Brian Carrier in File System Forensic Analysis, Wiley, 2005.
These general principles are from the introduction to Brian Carrier’s textbook.
He characterises the important points of forensic investigation with the mnemonic
acronym (and it is an acronym – say it out loud) “PICL” which stands for
Preserve
Isolate
Correlate
Log
The main issue with these is that, to create the acronym, they are necessarily not in
the best order.
The order really should be: Isolate, Preserve, Correlate and Log.
In any case, the mnemonic is useful as a reminder of important steps to be aware of
in forensic investigation. We will look at these more fully in a later set of lectures.
What is a “Chain of Custody”?
• The Chain of Custody is a record of how the evidence item was
handled from arrival at the scene to the final presentation of
conclusions in court.
• It ensures that there is no alternative explanation e.g., tampering to
explain results presented from the evidence item
• To preserve the Chain of Custody, the investigator should:
• Record the scene
• Verify acquisition of evidence via hash
• Document removal of evidence
• Document secure storage of evidence
• Record who has access to evidence
Chain of Custody is strictly related to the P of PICL (Preservation) and is important,
generally speaking, for legal admissibility.
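The Preservation step (acquire, verify by hash, begin chain of custody) and the Chain of Custody record above are easy to describe and easy to get wrong in practice. The following is an added example, not code from the lecture or from Carrier's book: it hashes an acquired image in chunks, compares it with the hash of the source, writes each handling step to an append-only log, and then shows that a later change to the image is caught by re-verification. The file names, exhibit id and examiner names are constructed for the demo, and a plain file copy stands in for a write-blocked imaging tool.

```python
"""Added example (not from the lecture): verify an acquired image against its
source hash and keep an append-only chain-of-custody log. File names, exhibit
ids and handler names below are constructed for the demo."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so a large disk image never has to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_bytes(data, algorithm="sha256"):
    """Hash an in-memory byte string (same algorithm, handy for small checks)."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_acquisition(source, image, algorithm="sha256"):
    """Compare the hash of the original medium with the hash of the acquired copy.

    Returns (match, source_hash, image_hash). Both hashes are logged so that a
    later reader can repeat the check independently."""
    src, img = hash_file(source, algorithm), hash_file(image, algorithm)
    return src == img, src, img


class CustodyLog:
    """Append-only JSON-lines record of who did what to an exhibit, and when."""

    def __init__(self, path):
        self.path = Path(path)

    def record(self, exhibit_id, action, handler, **detail):
        entry = {
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "exhibit": exhibit_id,
            "action": action,
            "handler": handler,
            **detail,
        }
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self):
        if not self.path.exists():
            return []
        with open(self.path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]


def run_demo():
    """Walk through seize -> image -> verify -> log -> detect tampering on constructed data."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "suspect_disk.raw"   # constructed stand-in for the seized medium
        image = tmp / "exhibit_A1.dd"       # constructed acquired image
        source.write_bytes(b"\x00" * 4096 + b"constructed sample sector data" * 100)

        log = CustodyLog(tmp / "custody.jsonl")
        log.record("A1", "seized", "examiner_1", location="constructed scene, desk 3")

        shutil.copyfile(source, image)      # stands in for a write-blocked imaging tool
        ok, src_hash, img_hash = verify_acquisition(source, image)
        log.record("A1", "imaged", "examiner_1",
                   source_sha256=src_hash, image_sha256=img_hash, verified=ok)
        results["verified"] = ok
        results["source_hash"] = src_hash
        results["image_hash"] = img_hash

        # Simulate an unrecorded change to the image after acquisition: the stored
        # hash no longer matches, which is exactly what the log exists to expose.
        with open(image, "r+b") as f:
            f.seek(4096)
            f.write(b"X")
        tampered_ok, _, tampered_hash = verify_acquisition(source, image)
        log.record("A1", "re-verified", "examiner_2",
                   image_sha256=tampered_hash, verified=tampered_ok)
        results["verified_after_tamper"] = tampered_ok
        results["custody_entries"] = log.entries()
    return results


if __name__ == "__main__":
    r = run_demo()
    print("acquisition verified:", r["verified"])
    print("verified after tampering:", r["verified_after_tamper"])
    for e in r["custody_entries"]:
        print(e)
```

Each log entry carries the hash values, the handler and a UTC timestamp, so the log itself documents the verification rather than relying on the examiner's memory; in a real case the log would be kept on the trusted forensic machine, not on the evidence medium.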
PICL of Forensic Investigation
• Isolation
• Isolate yourself from the suspect data in case it affects your system
• Use a trusted forensic machine
• Isolate it from the outside world in case it alerts the bad guys and to prevent
tampering
• These matters will be discussed more fully later
• Correlate
• Match up your evidence from the data with other independent sources e.g.
timestamps with log entries
• Log and Document
• Make detailed notes of steps taken for use in reporting on the investigation
The other three parts are: isolation, which actually has to be done first, or at the same
time as preservation (again, this will be discussed more fully in a later lecture).
Correlate describes how you go about the analysis part of the investigation – it also
relates to the ‘develop and test hypotheses’ part of the investigative process. You
look at different bits of evidence and see if they correlate to support or refute your
hypothesis about what happened.
Finally, the Log and Document part is very, very important as reporting on the case is
obviously essential.
An Alternative Formulation
• An alternative formulation of the (same) forensic
investigative process comes from the original Farmer and
Venema definition:
• Collect – live analysis, acquisition of non-volatile data
• Preserve – use correct procedures, appropriate tools,
hashing
• Analyse – using various tools, timeline analysis
• Report – present your findings and conclusions as to what
happened
This alternative formulation is used in many courses on Forensics and originates with
Farmer & Venema’s work.
Analysis Stage
• There are very many different steps that can be taken
• Depends on the reason for the investigation, the case objectives
• Analysis may be ‘live’ or ‘dead’ analysis; the decision needs to be made
early
• For analysis of acquired non-volatile data, investigation can happen at
different levels
• Analyse the structure of the physical media – partitions, unused space
• Examine file systems and generate a relevant timeline
• Look for deleted files or hidden data
• Keyword or ‘magic number’ searches
• Look in important OS files, Registry
There are very many different steps that can be taken at the analysis stage, depending
most importantly on the objectives of the investigation, i.e. what the case is about.
For example, the analysis may need to be live: an example would be a suspected
ongoing hacking attempt where an attacker agent may still be active on the machine,
and it may be possible to gather information from the still-running machine (note
this may be out of scope of this course).
Otherwise, for dead analysis, we need to preserve and acquire the non-volatile data
and analyse it offline.
Different Layers of Analysis
(Diagram, source: Carrier, 2005 (text book): layers of analysis, from the bottom up)
• Hard Disk → Physical Media Analysis → Data Sectors
• Data Sectors → Volume Analysis → Volumes
• Volumes → File System Analysis → Files
• Files → Application Analysis
In this diagram from the text book we see the different levels or layers of data storage
analysis. We can first study the physical media for how it has been structured to store
data (in a worst-case scenario parts of the disk may be inaccessible to many tools,
e.g. if data is hidden in ‘bad sectors’), including whether it consists of one or more
physical volumes and how it is partitioned into different file systems. We can look for
hiding places between these ‘structures’, and we can analyse the file systems to
uncover what has been done in them, e.g. files deleted, copied, moved or altered.
Reporting Stage
• An important part of the process (often neglected in courses) but very
necessary in real life
• Always need to ‘translate’ technical issues for presentation to a non-
technical audience
• Possible scenarios, you are:
• expert witness
• part of a specialist investigative team within a company
• on a forensic investigative team with law enforcement
See also: [Link]
Report writing is a very important aspect that is often neglected in courses, but in
real life it will be required.
Typically, you will always need to translate the technical findings into an explanation
that a non-technical audience can understand. There are many different possible
scenarios as shown on the slide. If you are working with law enforcement you may
have had additional relevant training on the legal aspects. If you are an expert
witness a lawyer will probably be the first audience for your report and advise you on
what is required.
During the investigation you should have documented what you did, so that you can
use those notes to help write the report.
Typical Report Structure
• Overview and Case Summary
• Write this last, bringing out the key relevant points in the whole report
• What was the case about?
• Why were you asked to investigate?
• What you did
• What you found
• What your conclusions are
• What are your qualifications to investigate and report?
• Body of report (see next slide)
• References and links to exhibits
The report should begin (after a title page with any necessary reference codes
etc.) with an overview of the case and a summary of the findings. This is meant to be a
non-technical, easily understandable and not too long description of the case scenario:
why the investigation was needed, what you did during your investigation, what your
main findings were and what conclusions you drew, finishing with your
qualifications and experience to complete the task. You can say something like:
“Based on my knowledge of […] , I conclude that…” or “In my professional opinion,
this evidence shows that ….”
This overview summary is generally written last drawing out the main points of the
case and the findings.
The rest of the report body follows where you report more fully – but still not
technically – see next slide.
Structure of Full Report
• Body of report – here you fill out the detail
• Case background and objectives
• Case preparation, scene evidence, evidence acquisition
• Evidence analysis – key points, e.g. what was found rather than details on
how you did it all
• Relevant findings, timeline if relevant, and conclusions drawn
• Your signature, qualifications
• Reference Links to more detailed information
• Chain of custody documentation, list of ‘exhibits’, supporting documentation
• You may also document the how in more detail for technical reference and
checking
In the body of the report you fill out the detail.
You start with a description of the case background and the specific objectives given
to the forensic investigator: what they were looking for, e.g. suspicious files, evidence
of a cyber attack, evidence of data theft and so on.
Then you describe the ‘case scene’, what relevant items of evidence were there and
what was acquired and how (e.g. disk drive, memory contents, flash drive etc.). There
can be information in the Reference section providing links to the chain of custody
documentation, hash values and so on.
The evidence analysis should show the findings rather than giving detailed technical
information on how the investigation was done, although you will have
documentation of this possibly in a separate report to allow for technical checks or
reproducibility of your analysis.
Present the relevant findings and your conclusions – again ‘in my professional
opinion…’
Finish by signing your report.
In the appendix or reference links you can link to your qualifications and CV (if
required), to any supporting documentation (e.g. hash values for malware if they
were one of the findings), to the chain of custody documentation for the evidence
exhibits and to the detailed technical report.
Challenges and Issues in Digital Forensics
• Biggest issue is probably the growth in storage size – makes acquiring
and then analysing data time consuming (and requires yet more
storage space)
• Solid state drives behave very differently from magnetic storage as
regards data deletion
• Growth in different types of storage and file systems that the
investigator needs to understand e.g. mobile and other device storage
• Cloud storage which uses other types of file systems, often
proprietary and in control of third party (cloud provider)