Digital Forensics – An Introduction

113/11/16 1
Outline
• Background
• Definition of Computer Forensics
• Digital Evidence and Recovery
• Digital Evidence on Computer Systems
• Digital Evidence on Networks
• Challenges
• Ongoing Research Projects

Background
• Computers and networks are now widely used for enterprise information processing.
• E-commerce (B2B, B2C and C2C) has become a new business model.
• More and more physical facilities are directly controlled by computers.
• As society has become dependent on computers and networks, those same computers and networks have become targets of criminal activity: theft, vandalism, espionage, and even cyber war.
• Cyber activity is a significant part of the everyday life of the general public.
• The scope of crime investigation has therefore broadened to include digital evidence.
113/11/16 Dr. Sakshi 3
• Unfortunately, this digital revolution has a downside: it has driven criminal innovation and created a new arena for both terrorist activity and criminal behaviour.
• The adoption of new technologies, wireless communications, social networking, and smartphones has complicated the investigative landscape even further.

Background (continued)
• 85% of surveyed businesses and government agencies detected security breaches. (Source: http://www.smh.com.au/icon/0105/02/news4.html)
• The FBI estimated U.S. losses at up to $10 billion a year. (Source: Sager, Ira, et al., "Cyber Crime", Business Week, February 2000.)

Background (continued)
• In the early 1990s, threats to information systems were roughly 80% internal and 20% external.
• With the integration of telecommunications and personal computers into the Internet, the split between internal and external agents appears to be approaching 50/50.
• (Source: Kovacich, G. L., and W. C. Boni, 2000, High-Technology Crime Investigator's Handbook, Butterworth-Heinemann, p. 56.)

Background (continued)
• Countermeasures for computer crime:
• Computer and network security
• Effective prosecution and prevention

What is forensic science?

• Definition:
• Application of Physical Sciences to Law in the search for
truth in civil, criminal, and social behavioral matters to
the end that injustice
• Sciences: chemistry, biology, physics, geology,

• Goal: determining the evidential value of crime
scene and related evidence.

Forensic Science
(continued)
• The functions of the forensic scientist:
• Analysis of physical evidence
• Provision of expert testimony
• Training in the proper recognition, collection, and preservation of physical evidence

Forensic Scientists
• The different specialisms of forensic science include:
• Forensic Pathology – the study of problems relating to unnatural death and
various types of trauma to the living. It is a specialty of medicine and a sub-
speciality of pathology.
• Forensic DNA – the use of biological science to identify individuals by their DNA
profile, using genetic samples such as blood, semen and saliva.
• Forensic Engineering – the investigation of accidents involving vehicle, aircraft,
fire, electrical or metal fatigue by applying engineering principles to solve how
they were caused.
• Forensic Anthropology – the study of human beings in relation to their physical
character. The specialist answers questions on gender, age, ethnicity, stature,
nutritional status, existence of disease processes, and the presence and
character of skeletal trauma.
• Digital Forensics – digital forensics is the area of forensics in which professionals
analyse and gather data from a computer or other form of digital media.
Computer (or Cyber) Forensics
(Warren, G. Kruse ii and Jay G. Heiser, 2002, Computer Forensics – Incident Response Essentials, Addison Wesley)

• Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence.
• In other words, computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence.
• Computer forensics is also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination.
• Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.
USE OF COMPUTER FORENSICS IN
LAW ENFORCEMENT
Computer forensics assists law enforcement. This can include:
• Recovering deleted files such as documents, graphics, and photos.
• Searching unallocated space on the hard drive, where an abundance of data often resides.
• Tracing artifacts: the fragments of data left behind by the operating system. Examiners know where to find these artifacts and, more importantly, how to evaluate the value of the information they hold.
• Processing hidden files: files that are not visible or accessible to the user and that record past usage.

DIGITAL FORENSIC
• Digital forensics (digital forensic science) is the branch of forensic science, and of cybersecurity practice, concerned with the recovery and investigation of material found in digital devices, often in connection with cybercrime.
• Digital forensics was originally used as a synonym for computer forensics but has expanded to cover the investigation of all devices that store digital data.

• People leave digital footprints when using a computer.
The footprints are in the form of
• browser history,
• cookies,
• timestamps, and
• log files.
• In addition, digital footprints can be in the form of file fragments, headers,
and metadata.
• Cybersecurity professionals can track online activities through a digital
forensic investigation.
What is Digital Forensics Used For?
• The main goal of the digital forensic process is to extract facts that can be used to reconstruct what actually happened during an event.
• A set of actions taken on a computing system leaves traces of that activity in several locations, such as system log files, the system registry, and browser cookies.
• The main entity in a digital forensic analysis is the digital device related to the incident or crime under investigation.
• The digital device can be a computer, tablet, mobile phone or other data storage device that was used to commit a crime, was the target of an attack, or is a source of information for the analyst.
• Digital investigation has several further goals:
• Follow up, in a legally sound manner, on all cases that involve the same digital evidence.
• Preserve the integrity of seized digital evidence.
• Help train the wider community.
• Provide technical assistance in the proper safeguarding of system assets.

Case study
• https://www.youtube.com/watch?v=U1YWCLo4hSk

The BTK Killer
• A case that remained a mystery for more than 30 years was finally solved with digital forensics in the early 2000s.
• The "BTK Killer", Dennis Rader, tortured and killed at least ten people while still at large and unidentified.
• He taunted the police by sending them cryptic messages during his killing sprees. It was this very habit that finally led to his arrest.
• In 2005, Rader sent the police a Microsoft Word document on a floppy disk.
• Digital forensics examiners read the metadata embedded in the Word document (its author and last-modified-by fields), which pointed to Rader's identity. Rader was arrested and imprisoned shortly afterwards.

Ross Compton
• One of the most unusual pieces of digital evidence was used in the Ross Compton case.
• In 2016, Compton's home in Middletown, Ohio burned; prosecutors alleged he set the fire himself as part of an insurance fraud scheme.
• During the investigation, Compton, who has a pacemaker with an external pump, told police he had been asleep when the fire started.
• He said that when he woke up and saw the fire, he packed a suitcase, broke his bedroom window with a cane, and escaped.
• Police obtained a warrant for the data stored by Compton's pacemaker and consulted a cardiologist, who concluded that the recorded cardiac activity was inconsistent with Compton's account of his escape.
• Compton also submitted forged medical records that did not match the pacemaker data.
• The pacemaker data (heart rate, pacer demand, and heart rhythms) was used as evidence in the insurance fraud and arson case.
Investigation Proves Theft of Apple’s
Trade Secrets
• In 2018, an Apple engineer took parental leave and travelled to China, never to return. He instead joined a China-based startup developing autonomous-vehicle technology.
• His abrupt departure raised suspicion and prompted an investigation by Apple's New Product Security Team.
• The team used digital forensics tools to examine the engineer's network activity and to extract data from the Apple devices he left behind when he quit.
• The investigation revealed that the engineer had downloaded a number of files from Apple's servers before he left.
• These included engineering schematics of a circuit board for an autonomous vehicle and information about prototype and test hardware.
• Most of this information related to Apple's Project Titan self-driving car technology.
• The former Apple engineer pleaded guilty in August 2022 and was sentenced in 2024.

Network Forensics
• Definition
• The study of network traffic to search for truth in civil, criminal, and administrative matters, to protect users and resources from exploitation, invasion of privacy, and any other crime fostered by the continual expansion of network connectivity. (Source: Kevin Mandia and Chris Prosise, Incident Response, Osborne/McGraw-Hill, 2001.)

Digital Evidence
• Definition
• Digital data that can establish that a crime has been committed, or can provide a link between a crime and its victim or between a crime and its perpetrator. (Source: Casey, Eoghan, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, Academic Press, 2000.)
• Categories
• Text
• Audio
• Image
• Video

Where Evidence Resides
• Computer systems
• Logical file system
• File system: files, directories and folders, FAT, clusters, partitions, sectors
• Random access memory (RAM)
• Physical storage media
• Magnetic force microscopy has been proposed for recovering data from overwritten areas, but it is not a practical technique against modern high-density drives; an examiner should treat overwritten sectors as unrecoverable.
• Slack space
• The part of a file's last cluster beyond the end of the file's data (internal fragmentation); it still holds whatever previously occupied that cluster.
• Unallocated space
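Slack space and unallocated space are where the deleted-file recovery and unallocated-space searching listed on the law-enforcement slide actually happen. The following is an added example, not part of the original slides: a small Python simulation of a cluster-allocated volume (the ToyVolume class, the file names and their contents are all constructed for the demonstration, and no real file-system format is parsed). It shows a deleted note surviving in the slack of a newer, shorter file, a deleted JPEG surviving intact in unallocated clusters, and signature-based carving recovering the JPEG without any file table. A SHA-256 of the image is taken before and after, the integrity check listed among the goals of a digital investigation.

```python
"""Simulated cluster-allocated volume: where deleted data survives and how
to carve it back. Added example, not from the original slides; everything
on the volume is constructed here."""
import hashlib

CLUSTER = 512          # toy cluster size; real volumes use 4 KiB or more
N_CLUSTERS = 8

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker prefix
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


class ToyVolume:
    """Raw bytes plus a directory and an allocation map, FAT-style.
    Deleting a file only frees its clusters; the bytes stay until reused."""

    def __init__(self):
        self.raw = bytearray(CLUSTER * N_CLUSTERS)
        self.owner = [None] * N_CLUSTERS      # cluster index -> file name or None
        self.directory = {}                   # file name -> (clusters, size)

    def write(self, name, data):
        need = -(-len(data) // CLUSTER)       # ceiling division
        free = [i for i, o in enumerate(self.owner) if o is None][:need]
        if len(free) < need:
            raise OSError("volume full")
        for k, c in enumerate(free):
            chunk = data[k * CLUSTER:(k + 1) * CLUSTER]
            # Only the bytes actually written change; the cluster tail is untouched.
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.owner[c] = name
        self.directory[name] = (free, len(data))

    def delete(self, name):
        clusters, _ = self.directory.pop(name)
        for c in clusters:
            self.owner[c] = None              # no wiping: this is what makes recovery possible

    # --- examiner's views --------------------------------------------------
    def logical_read(self, name):
        """What the operating system shows a user."""
        clusters, size = self.directory[name]
        return b"".join(self.raw[c * CLUSTER:(c + 1) * CLUSTER] for c in clusters)[:size]

    def slack(self, name):
        """Bytes in the file's last cluster after the file's logical end."""
        clusters, size = self.directory[name]
        last = clusters[-1]
        used = size - (len(clusters) - 1) * CLUSTER
        return bytes(self.raw[last * CLUSTER + used:(last + 1) * CLUSTER])

    def unallocated(self):
        """All clusters no file currently owns, in disk order."""
        return b"".join(self.raw[c * CLUSTER:(c + 1) * CLUSTER]
                        for c, o in enumerate(self.owner) if o is None)


def carve_jpegs(blob):
    """Signature-based carving: every SOI..EOI span, independent of any file table."""
    found, pos = [], 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            return found                     # header without trailer: truncated fragment
        found.append(bytes(blob[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)


def run_scenario():
    vol = ToyVolume()
    photo = b"\xff\xd8\xff\xe0" + b"JFIF-PIXEL-DATA|" * 70 + JPEG_EOI   # constructed, 1126 bytes
    secret = b"ACCOUNT 12345 TRANSFER 2,000,000 TO OFFSHORE ACCT 98765 ON FRIDAY"
    memo = b"Nothing unusual. -- Finance"
    vol.write("photo.jpg", photo)            # clusters 0-2
    vol.write("secret.txt", secret)          # cluster 3
    vol.delete("secret.txt")
    vol.write("memo.txt", memo)              # reuses cluster 3, overwrites only len(memo) bytes
    vol.delete("photo.jpg")                  # clusters 0-2 now unallocated, content intact

    hash_before = hashlib.sha256(vol.raw).hexdigest()   # record before analysis begins
    carved = carve_jpegs(vol.unallocated())
    carved_from_raw = carve_jpegs(bytes(vol.raw))       # same result without consulting the map
    slack = vol.slack("memo.txt")
    hash_after = hashlib.sha256(vol.raw).hexdigest()    # analysis was read-only
    return {
        "logical_files": sorted(vol.directory),
        "photo_original": photo,
        "carved": carved,
        "carved_from_raw": carved_from_raw,
        "memo_slack": slack,
        "hash_before": hash_before,
        "hash_after": hash_after,
    }


if __name__ == "__main__":
    r = run_scenario()
    print("visible files:", r["logical_files"])
    print("JPEGs carved from unallocated space:", len(r["carved"]))
    print("memo.txt slack:", r["memo_slack"].rstrip(b"\x00"))
    print("image unchanged:", r["hash_before"] == r["hash_after"])
```

The same carving loop applied to the whole raw image finds the picture whether or not the allocation map is consulted, which is why examiners carve the full image rather than trusting the file table; the slack read shows why a "deleted" file can leak through a later, smaller file that reuses its cluster.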

Where Evidence Resides (continued)
• Computer networks.
• Application Layer
• Transport Layer
• Network Layer
• Data Link Layer

Evidence on Application Layer
• Web pages, Online documents.
• E-Mail messages.
• Newsgroup archives.
• Archive files.
• Chat room archives.
•…

Evidence on Transport and
Network Layers

Evidence on the Data-link and Physical
Layers
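The three slides above list the layers at which network evidence lives. As an added example that is not part of the original slides, the Python below constructs one Ethernet frame carrying an HTTP request (addresses from the RFC 5737 documentation ranges, all values invented) and decodes it layer by layer with struct: MAC addresses at the data-link layer, IP addresses, TTL and header checksum at the network layer, ports and flags at the transport layer, and the request line and Host header at the application layer. A real capture would be read from a pcap file; the frame is built inline so the decoder runs offline.

```python
"""Decode one Ethernet frame layer by layer and pull out the artifacts each
layer offers as evidence. Added example, not from the original slides; the
frame is constructed here."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ip_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement sum. Returns 0 for a header whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed frame: HTTP GET from 192.0.2.10:51234 to 198.51.100.20:80."""
    payload = b"GET /admin HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 0x1000, 0x2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    src = ipaddress.ip_address("192.0.2.10").packed
    dst = ipaddress.ip_address("198.51.100.20").packed
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0xABCD, 0x4000,
                               64, PROTO_TCP, 0, src, dst))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))   # fill in the header checksum
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + bytes(ip) + tcp + payload


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Per-layer evidence. Returns what it has so far if the frame is not IPv4/TCP."""
    ev = {}
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    ev["link"] = {"src_mac": _mac(src), "dst_mac": _mac(dst), "ethertype": etype}
    if etype != ETHERTYPE_IPV4:
        return ev
    vihl, _tos, tlen, _ident, _frag, ttl, proto, _csum, s, d = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    ihl = (vihl & 0x0F) * 4
    ev["network"] = {
        "src": str(ipaddress.ip_address(s)), "dst": str(ipaddress.ip_address(d)),
        "ttl": ttl, "proto": proto,
        # A bad checksum means corruption or tampering; treat the packet's contents with care.
        "checksum_ok": ip_checksum(frame[14:14 + ihl]) == 0,
    }
    if proto != PROTO_TCP:
        return ev
    t = 14 + ihl
    sport, dport, seq, ack, doff_res, flags, win, _tcsum, _urg = struct.unpack(
        "!HHIIBBHHH", frame[t:t + 20])
    doff = (doff_res >> 4) * 4
    ev["transport"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                       "flags": [name for bit, name in TCP_FLAGS if flags & bit],
                       "window": win}
    payload = frame[t + doff:14 + tlen]        # bounded by the IP total length, not the buffer
    ev["application"] = {"payload_len": len(payload)}
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT ") and b"\r\n" in payload:
        lines = payload.split(b"\r\n")
        ev["application"]["request_line"] = lines[0].decode("ascii", "replace")
        hosts = [l.split(b":", 1)[1].strip() for l in lines[1:] if l.lower().startswith(b"host:")]
        ev["application"]["host"] = hosts[0].decode("ascii", "replace") if hosts else None
    return ev


if __name__ == "__main__":
    for layer, fields in decode_frame(build_sample_frame()).items():
        print(layer, fields)
```

The decoder trusts the length fields in the headers rather than the buffer size, and checks the IP header checksum, so that a packet that has been altered after capture, or crafted with inconsistent headers, is flagged rather than silently decoded.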

Challenges of Computer Forensics
• A microcomputer may have 60 GB or more of storage capacity (a 2002 figure; commodity drives are now measured in terabytes, which only sharpens the problem).
• More than 2.2 billion e-mail messages are expected to be sent and received per day in the US.
• There are more than 3 billion indexed web pages worldwide.
• There are more than 550 billion documents online.
• Exabytes of data are stored on tape or hard drives.
• (Source: Marcella, Albert, et al., Cyber Forensics, 2002.)

Challenges of Computer Forensics
(continued)
• How to collect the specific, probative, and case-
related information from very large groups of files?
• Link analysis
• Visualization
• Enabling techniques for lead discovery from very
large groups of files:
• Text mining
• Data mining
• Intelligent information retrieval

Challenges of Computer Forensics
(continued)
• Computer forensics must also adapt quickly to new products and
innovations with valid and reliable examination and analysis
techniques.

On Going Research Projects
• Search engine techniques for searching Web pages which contain
illegal contents.
• Malicious program feature extraction and detection using data
mining techniques.

References
• Bickers, Charles, 2001, "Cyberwar: Combat on the Web", Far Eastern Economic Review.
• Casey, Eoghan, 2000, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, Academic Press.
• Casey, Eoghan, 2002, Handbook of Computer Crime Investigation, Academic Press.
• Kovacich, G. L., and W. C. Boni, 2000, High-Technology Crime Investigator's Handbook, Butterworth-Heinemann.
• Lane, C., 1997, Naked in Cyberspace: How to Find Personal Information Online, Wilton, CT: Pemberton Press.
• Mandia, Kevin, and Chris Prosise, 2001, Incident Response, Osborne/McGraw-Hill.
• Marcella, A. J., and R. S. Greenfield, 2002, Cyber Forensics, Auerbach Publications.
• Rivest, R., 1992, "Request for Comments 1321: The MD5 Message-Digest Algorithm", MIT Laboratory for Computer Science and RSA Data Security, Inc.
• Saferstein, Richard, 1981, Criminalistics: An Introduction to Forensic Science, 2nd edition, Prentice Hall.
• Warren, G. Kruse II, and Jay G. Heiser, 2002, Computer Forensics: Incident Response Essentials, Addison-Wesley.

Cybertrail and Crime Scene
(Figure: the cybertrail of network evidence leading back to the crime scene.)

Cyberwar or Information Warfare
• Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary's information, information-based processes, information systems, and computer-based networks, while protecting one's own. Such actions are designed to achieve advantage over military or business adversaries. (Ivan K. Goldberg)

Slack Space
(Figure: an old file's data remaining in the part of a cluster that a shorter new file does not overwrite.)

Evidence Recovery from RAMs on modern
Unix systems
