Digital Forensics
Lecture 1
Anum Hasan
Outline
• Overview of Computer Forensics
• Forensic Soundness
Forensic Science
• What is Forensic?
– Originated from the Latin “forensis”, meaning debate or public
discussion
– The American Heritage Dictionary defines forensics as
“the use of science and technology to investigate and
establish facts in criminal or civil courts of law.”
• What is Science?
– A systematic study of the structure and behaviour of
physical and natural world through observation and
experiment.
• What is Forensic Science?
– Application of scientific method to aid in solving crimes
– Forensics is the use of science to process evidence
so you can establish the facts of a case
A Brief History of Computer Forensics
• By the 1970s, electronic crimes were increasing, especially in the
financial sector
– Most law enforcement officers didn’t know enough about
computers to ask the right questions
• Or to preserve evidence for trial
• One-half cent crime
• 1980s
– PCs gained popularity and different OSs emerged
– Disk Operating System (DOS) was available
– Forensics tools were simple, and most were generated by
government agencies
A Brief History of Computer Forensics (continued)
• Mid-1980s
– Xtree Gold appeared on the market
• Recognized file types and retrieved lost or deleted files
– Norton DiskEdit soon followed
• And became the best tool for finding deleted files
• 1987
– Apple produced the Mac SE
• A Macintosh with an external EasyDrive hard disk with 60
MB of storage
A Brief History of Computer Forensics (continued)
• Early 1990s
– Tools for computer forensics were available
– International Association of Computer Investigative
Specialists (IACIS)
• Training on software for forensics investigations
– IRS created search-warrant programs
– ExpertWitness for the Macintosh
• First commercial GUI software for computer forensics
• Created by ASR Data
A Brief History of Computer Forensics (continued)
• Early 1990s (continued)
– ExpertWitness for the Macintosh
• Recovers deleted files and fragments of deleted files
• Later one partner of ASR left and developed EnCase
• Large hard disks posed problems for investigators
• Now
– iLook
• Maintained by the IRS, limited to law enforcement
• Can analyze and read special files that are copies of the disk
– EnCase
• Available for public or private use
– AccessData Forensic Toolkit (FTK)
• Available for public or private use (Most Popular)
Introduction
• Media also report wide diversity of cases that involve digital evidence
• The University of California at Berkeley notified students and
alumni that an intruder had gained unauthorized access to a
database containing medical records of over 160,000 individuals.
• Computers seized during military operations in Iraq contained
details about enemy operations
• David Goldenberg, an executive of AMX Corp, pled guilty to
gaining unauthorized access to and stealing sensitive business
information from the e-mail systems of a marketing firm that was
working for a competitor, Crestron Electronics.
Digital Forensics?
• A sub-category of Forensic Science
• Concerned with the systematic recovery, verification
and investigation of digital data.
Note: Forensic examiners are neutral finders of fact, not
advocates for any side
Classifications
Field of Digital Forensics
• Military: Uses digital forensics for intelligence gathering from captured computers
during military actions.
• Government Agencies: FIA and foreign agencies employ digital forensics for
investigating computer-related crimes.
• Criminal Prosecutors: Utilize digital evidence to link incriminating documents to
crimes such as drug trafficking, embezzlement, financial fraud, homicide, and child
abuse.
• Academia: Engages in forensic research and education, with many universities
offering degrees in digital forensics and online criminal justice.
• Data Recovery Firms: Apply digital forensics techniques to recover data after
hardware or software failures and data loss.
• Corporations: Use digital forensics for employee termination and prosecution related
to intellectual property theft, trade secrets, fraud, embezzlement, harassment, and
network intrusions.
• Insurance Companies: Rely on digital evidence to detect possible fraud in accident,
arson, and workers’ compensation cases.
• Individuals: Hire forensic specialists for cases like wrongful termination or age
discrimination to support their claims.
Overview
Computer Forensics
• Computer forensics is a branch of digital forensic science pertaining
to evidence found in computers and digital storage media. The goal of
computer forensics is to examine digital media in a forensically sound
manner with the aim of identifying, preserving, recovering, analyzing
and presenting facts and opinions about the digital information.
• Reconstructs events from digital traces on a device, such as:
– Computer, router, switch, cell phone, SIM card, GPS
system (car accident investigation), servers, etc.
• Remember that any device that can store data is a potential
subject of computer forensics
Computer Crimes
• As computers and networks become an integral part
of our daily lives, most cases have an
associated digital side.
• The following crimes usually involve computers:
– Drug Trafficking
– Financial Fraud
– Murder
– Harassment
– Child Abuse
Challenges & Directions
• Criminals are becoming more aware
– Anti-forensics techniques
• Designed to conceal activities and destroy evidence
• Data in unreadable formats, tunneling, onion routing, steganography
– Data encryption
• Encryption built into the OS may pose a challenge
• Advances in the field demand improvement in technical knowledge
and standards of practice.
• New forensic tools are being created for the acquisition of:
– Volatile data
– Inspection of remote systems and analysis of network traffic
– Embedded systems
– Enterprise networks and mobile telecommunications
systems
Objectives
• Identify, gather, and preserve the evidence of a cybercrime
• Identify and gather evidence of cybercrimes in a forensically sound
manner
• Track and prosecute the perpetrators in a court of law
• Interpret, document, and present the evidence such that it is admissible
during prosecution
• Estimate the potential impact of malicious activity on the victim and
assess the intent of the perpetrator
• Find vulnerabilities and security loopholes that help attackers
• Understand the techniques and methods used by attackers to avert
prosecution and overcome them
• Recover deleted files, hidden files, and temporary data that can be
used as evidence
• Perform incident response (IR) to prevent further loss of intellectual
property, finances, and reputation during an attack
• Know the laws of various regions and areas, as digital crimes are
widespread and remote
Objectives
• Know the process of handling multiple platforms, data types, and
operating systems
• Learn to identify and use the appropriate tools for forensic
investigations
• Offer ample protection to data resources and ensure regulatory
compliance
• Protect the organization from similar incidents in the future
• Support the prosecution of the perpetrator of a cybercrime
Digital Evidence
Exculpatory Evidence
• Evidence that can prove a defendant’s innocence or reduce their
culpability.
• Example: An email or message proving the suspect was in a
different location during the crime.
Inculpatory Evidence
• Evidence that establishes or increases the likelihood of a person’s
involvement in a crime.
• Example: Chat logs indicating the suspect planned the criminal
act.
Digital Evidence
Direct Evidence
• Evidence that directly proves a fact without requiring inference. It is
straightforward and directly links a person to a crime or event.
• Example: A security camera recording showing a suspect
committing the crime.
Circumstantial Evidence
• Evidence that suggests a fact or event occurred but requires
inference to connect it to the conclusion.
• Example: Metadata showing a suspect’s phone was near the
crime scene at the time of the crime.
Types of digital Evidence
Sources of Evidence
Rules for Evidence
Forensic Soundness
• Computer forensics evolved primarily from dealing with hard disk drives
(the generally accepted practices), and one of the most fundamental
challenges has been updating that general practice.
• A generally accepted practice is required that balances the need
to extract the most useful evidence efficiently against the need to acquire a
precise copy of all the data without any modification.
• The purpose of a forensically sound authentication process is to
support identification and authentication of evidence:
– that it is what you claim it is, and has not been altered or substituted since
collection.
Forensic Soundness
• Generally, improper processing of digital evidence violates
the soundness of the evidence.
For example:
– Evidence was collected from several identical computers but not
documented, making it very difficult to determine which evidence
came from which system.
– Data was overwritten with zeros during acquisition.
– Data was misinterpreted, either by a tool or by a person.
• ‘Preserve everything but change nothing’
• The evidence is what you claim it is, and has not been altered or
substituted since collection.
Forensic Soundness
Challenges
• New technology challenges
– Volatile memory, mobile devices and embedded systems.
– As the quantity of digital evidence grows and case backlogs mount, in-depth
analysis becomes difficult.
– Integrity preservation is not possible with mobile devices and networks of
systems.
• Modern investigators deal with networked systems (international
scope, organized criminal groups), so forensically acquiring all the
data is not possible for a single system.
– The quantity of data is increasing due to local-level logs etc.
• As has been realized, utilizing more volatile data can be helpful in an investigation
(e.g. passwords), and various techniques have been developed to recover data from RAM
after the machine has been powered off.
– Recover data from RAM chips after a computer has been turned off
– Mobile devices have gained more attention (embedded system analysis)
Forensic Soundness
• Forensic soundness does not end with acquisition but
continues through all the subsequent sub-processes.
• Need to follow processes that ensure reliability, repeatability,
documentation, preservation and checking for possible
errors.
Forensic Soundness can be achieved by
• Documenting unique characteristics of the evidence, like
device IDs and MD5 hashes of acquired data, and showing
continuous possession and control throughout its lifetime.
Forensic Soundness
• Chain of Custody
• A process that tracks the movement of evidence through its
collection, safeguarding, and analysis lifecycle by documenting each
person who handled the evidence, the date/time it was collected or
transferred, and the purpose for the transfer.
• Some worst-case scenarios resulting from sufficiently large breaks
in chain of custody include misidentification of evidence,
contamination of evidence, and loss of evidence or pertinent
elements (e.g., metadata).
• If forensic practitioners are careful to preserve the selected digital
evidence completely and accurately, document the process thoroughly,
and check their work objectively for possible errors or omissions, these
kinds of failures can be avoided or overcome.
Forensic Soundness
• Protecting Digital Evidence Integrity by Using Smart Cards
Digital Forensics Investigator
• Investigators often work as a team to make
computers and networks secure in an
organization
Digital Investigations
Role of Forensics Investigator
Forensics and Legal Compliance
Forensic Analysis Fundamentals
• As an investigator, how do you obtain data
using a forensic tool? Is that enough?
• For an investigator it is important to:
– Know how the underlying technology
works.
– Know how the data is arranged.
– Know how the tool interprets and displays
the information.
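To show why knowing how the data is arranged matters, here is an added example (not from the lecture) that decodes a FAT32 directory-entry write timestamp, a field many tools display without telling the examiner how they derived it. The four bytes are constructed for the example; the layout itself (two little-endian 16-bit words, time then date, with the bit fields shown in the comments) is the standard FAT format. Reading the same bytes with the wrong byte order, the kind of tool or human misinterpretation the soundness slides warn about, produces either an impossible time or a plausible-looking but wrong date.

```python
# Added example (not from the lecture): the same four on-disk bytes decoded with the
# correct knowledge of their layout and with a wrong byte-order assumption.
import struct
from datetime import datetime
from typing import Optional

# FAT32 directory entries store the last-write timestamp as two little-endian
# 16-bit words, time first (DIR_WrtTime, offset 22) then date (DIR_WrtDate, offset 24).
#   time word: bits 15-11 hours, bits 10-5 minutes, bits 4-0 seconds/2
#   date word: bits 15-9 years since 1980, bits 8-5 month, bits 4-0 day


def encode_fat_timestamp(dt: datetime) -> bytes:
    """Pack a datetime into the 4-byte FAT write-time field. Used here only to
    build a constructed sample; note the 2-second granularity of the seconds field."""
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    return struct.pack("<HH", time_word, date_word)


def decode_fat_timestamp(raw: bytes, little_endian: bool = True) -> Optional[datetime]:
    """Unpack the 4-byte field. With little_endian=False each word is read with the
    wrong byte order, which is the misinterpretation this example demonstrates.
    Returns None when the decoded fields do not form a valid calendar time."""
    fmt = "<HH" if little_endian else ">HH"
    time_word, date_word = struct.unpack(fmt, raw)
    hours = time_word >> 11
    minutes = (time_word >> 5) & 0x3F
    seconds = (time_word & 0x1F) * 2
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    try:
        return datetime(year, month, day, hours, minutes, seconds)
    except ValueError:   # e.g. hour 25 or month 0: the bytes were not read as laid out
        return None


def describe_field(raw: bytes) -> dict:
    """Both readings of one field as ISO strings (None for an impossible time),
    so an examiner can see how much the interpretation depends on the layout."""
    return {
        "little_endian": (lambda d: d.isoformat() if d else None)(decode_fat_timestamp(raw)),
        "big_endian": (lambda d: d.isoformat() if d else None)(
            decode_fat_timestamp(raw, little_endian=False)),
    }


# Constructed sample: a directory entry's write timestamp for 2024-03-15 14:30:20.
SAMPLE_FIELD = encode_fat_timestamp(datetime(2024, 3, 15, 14, 30, 20))

if __name__ == "__main__":
    print("raw bytes:", SAMPLE_FIELD.hex())
    print(describe_field(SAMPLE_FIELD))
```

Note the round trip is lossy on purpose: FAT stores seconds in 2-second steps, so a file written at 14:30:21 is reported as 14:30:20. An examiner who does not know that might treat a one-second discrepancy between two sources as evidence of tampering when it is only a property of the file system.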