DIGITAL FORENSICS PROCESS
• Preparation and identification of digital evidence
  • In order to be processed and analysed, evidence must first be identified. It is possible that evidence is overlooked and never identified at all. A sequence of events in a computer might include interactions between:
    • Different files
    • Files and file systems
    • Processes and files
    • Log files
  • In the case of a network, the interactions can be between devices in the organization or across the globe (Internet). If the evidence is never identified as relevant, it may never be collected and processed.
• Collection and recording of digital evidence
  • Digital evidence can be collected from many sources. The obvious sources are:
    • Mobile phones
    • Digital cameras
    • Hard drives
    • CDs
    • USB memory devices
  • Non-obvious sources can be:
    • Digital thermometer settings
    • Black boxes inside automobiles
    • RFID tags
  • Proper care should be taken while handling digital evidence, as it can be changed easily. Once changed, the evidence cannot be analysed further. A cryptographic hash can be calculated for the evidence file and checked later to determine whether any changes were made to the file. Sometimes important evidence resides in volatile memory. Gathering volatile data requires special technical skills.
• Storing and transporting digital evidence
  • Some guidelines for handling digital evidence:
    • Image computer media using a write-blocking tool to ensure that no data is added to the suspect device
    • Establish and maintain the chain of custody
    • Document everything that has been done
    • Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability
  • Care should be taken that evidence does not go anywhere without being properly traced.
  • Sometimes evidence must be transported from place to place, either physically or over a network. Care should be taken that the evidence is not changed while in transit. Analysis is generally done on a copy of the real evidence.
If there is any dispute over the copy, the original can be produced in court.
• Examining or investigating digital evidence
  • The forensics specialist should ensure that he/she has proper legal authority to seize, copy and examine the data. As a general rule, one should not examine digital information unless one has the legal authority to do so. Forensic investigation performed on data at rest (hard disk) is called dead analysis.
  • Many current attacks leave no trace on the computer's hard drive; the attacker only exploits the information in the computer's main memory. Performing forensic investigation on main memory is called live analysis. Sometimes the decryption key is available only in RAM, and turning off the system will erase it. The process of creating an exact duplicate of the original evidence is called imaging.
• Analysis, interpretation and attribution
  • In digital forensics, only a few sequences of events might produce evidence, but the number of possible sequences is very large. The digital evidence must be analysed to determine the type of information stored on it.
  • Examples of forensics tools:
    • Forensic Toolkit (FTK)
    • EnCase
    • Scalpel (file carving tool)
    • The Sleuth Kit (TSK)
    • Autopsy
  • Forensic analysis includes the following activities:
    • Manual review of data on the media
    • Windows registry inspection
    • Discovering and cracking passwords
    • Performing keyword searches related to the crime
    • Extracting emails and images
  • Types of digital analysis:
    • Media analysis
    • Media management analysis
    • File system analysis
    • Application analysis
    • Network analysis
    • Image analysis
    • Video analysis
• Reporting: After the analysis is done, a report is generated. The report may be in oral form, in written form, or both. The report contains all the details about the evidence from the analysis, interpretation and attribution steps. Based on the findings of this phase, it should be possible to confirm or discard the allegations.
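The hashing, imaging and chain-of-custody steps described above, as an added example that is not part of the original slides: the "disk image" bytes, the item identifier and the examiner names are constructed placeholders, and the working copy is verified against the hash recorded at acquisition, including after a hand-over.

```python
"""Evidence image integrity and chain of custody (added example, not from the slides).
The image bytes are constructed; in practice they come from a write-blocked acquisition."""
import hashlib
from datetime import datetime, timezone

def hash_image(data: bytes) -> str:
    """SHA-256 of the whole image; this is the value written into the custody record."""
    return hashlib.sha256(data).hexdigest()

def acquire(original: bytes, item_id: str, examiner: str) -> dict:
    """Make the working copy and open the custody log with the acquisition hash.
    Analysis is done on the copy; the hash proves it is byte-identical to the original."""
    copy = bytes(original)                 # stand-in for the imaging tool's output
    entry = {"item": item_id, "action": "imaged", "by": examiner,
             "at": datetime.now(timezone.utc).isoformat(), "sha256": hash_image(original)}
    return {"item": item_id, "copy": copy, "custody": [entry]}

def verify(record: dict) -> bool:
    """True only if the working copy still hashes to the value recorded at acquisition."""
    return hash_image(record["copy"]) == record["custody"][0]["sha256"]

def transfer(record: dict, to: str) -> bool:
    """Log a hand-over (physical or over a network) and re-verify on arrival,
    so that any change in transit is detected and recorded, not silently carried on."""
    intact = verify(record)
    record["custody"].append({"item": record["item"], "action": "transferred", "to": to,
                              "at": datetime.now(timezone.utc).isoformat(),
                              "sha256": hash_image(record["copy"]), "intact": intact})
    return intact

if __name__ == "__main__":
    image = b"NTFS    " + bytes(range(256)) * 4          # constructed 'disk image'
    rec = acquire(image, "ITEM-001", "examiner A")        # placeholder identifiers
    print("copy verified:", verify(rec))
    rec["copy"] = rec["copy"][:-1] + b"\x00"              # simulate a corrupted copy
    print("after change:", transfer(rec, "examiner B"), rec["custody"][-1]["intact"])
```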
Some of the general elements in the report are:
  • Identity of the reporting agency
  • Case identifier or submission number
  • Case investigator
  • Identity of the submitter
  • Date of receipt
  • Date of report
  • Descriptive list of items submitted for examination
  • Identity and signature of the examiner
  • Brief description of steps taken during examination
  • Results / conclusions
• Testifying: This phase involves presentation and cross-examination of expert witnesses. An expert witness may testify provided that:
  • The testimony is based on sufficient facts or data
  • The testimony is the product of reliable principles and methods
  • The witness has applied the principles and methods reliably to the facts of the case

PRECAUTIONS TO BE TAKEN WHEN COLLECTING ELECTRONIC EVIDENCE
• No action taken by law enforcement agencies or their agents should change the evidence
• When a person needs to access the original data held on a computer, that person must be competent to do so
• An audit trail or other record of all processes applied to digital evidence should be created and preserved
• The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to

CHALLENGES IN COMPUTER FORENSICS
• Networks span multiple time zones and multiple jurisdictions
• Network data will be available offline and online (real-time)
• Real-time data requires the ability to capture and analyse data on the fly
• The data may involve different protocols
• The data may be huge due to increasing bandwidth
• A protocol might also involve multiple layers of signal (VoIP, HTTP tunneling)
• Current forensic tools will not be able to handle real-time data and huge amounts of data

TECHNICAL CHALLENGES
• The two challenges faced in a digital forensic investigation are complexity and quantity. The complexity problem refers to the collected data being at the lowest level or in raw format. Non-technical people will find it difficult to understand such data.
• Tools can be used to transform the data from a low-level format into a readable format. The quantity problem refers to the amount of data that needs to be analysed. Data reduction techniques can be used to group data or remove known data. Data reduction techniques include:
  • Identifying known network packets using IDS signatures
  • Identifying unknown entries during log processing
  • Identifying known files using hash databases
  • Sorting files by their types

LEGAL CHALLENGES
• Digital evidence can be tampered with easily, sometimes even without leaving any traces. It is common for modern computers to have disks of multiple gigabytes. Seizing and freezing digital evidence can no longer be accomplished just by burning a CD-ROM. Failure to freeze the evidence prior to opening files has invalidated critical evidence.
• There is also the problem of finding relevant evidence within massive amounts of data, which is a daunting task. The real legal challenges involve the artificial limitations imposed by constitutional, statutory and procedural issues. There are many types of personnel involved in digital/computer forensics, such as technicians, policy makers, and professionals.
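Two of the data reduction techniques listed under TECHNICAL CHALLENGES, removing known files via a hash database and sorting the remainder by type, as an added example that is not part of the original slides. The file set and the "known" hash database are constructed stand-ins (a real database would be something like NSRL); files are typed by their leading bytes rather than their extension, which also surfaces files whose extension does not match their content.

```python
"""Data reduction over a constructed file set (added example, not from the slides).
KNOWN stands in for a hash database such as NSRL; all contents are constructed."""
import hashlib
from collections import defaultdict

# Magic-byte signatures: classify by content, since an extension can be renamed.
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
              b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"MZ": "executable"}
EXPECTED_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf",
                 "zip": "zip", "exe": "executable", "dll": "executable"}

KNOWN = {"kernel32.dll": b"MZ" + b"\x00" * 16, "notepad.exe": b"MZ" + b"\x90" * 16}
FILES = {                                    # constructed "seized" file set
    "kernel32.dll": KNOWN["kernel32.dll"],
    "notepad.exe": KNOWN["notepad.exe"],
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
    "report.pdf": b"%PDF-1.7\n",
    "invoice.pdf": b"MZ" + b"\x90" * 8,      # executable renamed to .pdf
    "notes.txt": b"meeting at 9",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_hash_db(known_files: dict) -> set:
    """Hash set of files known to be benign; these need no manual review."""
    return {sha256(content) for content in known_files.values()}

def remove_known(files: dict, hash_db: set) -> dict:
    """First reduction step: drop every file whose hash is in the database."""
    return {name: data for name, data in files.items() if sha256(data) not in hash_db}

def file_type(data: bytes) -> str:
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def sort_by_type(files: dict) -> dict:
    """Second reduction step: group what is left by content type."""
    groups = defaultdict(list)
    for name, data in files.items():
        groups[file_type(data)].append(name)
    return {kind: sorted(names) for kind, names in groups.items()}

def extension_mismatches(files: dict) -> list:
    """Files whose content disagrees with their extension deserve a closer look."""
    ext = lambda n: n.rsplit(".", 1)[-1].lower()
    return sorted(n for n, d in files.items()
                  if ext(n) in EXPECTED_KIND and EXPECTED_KIND[ext(n)] != file_type(d))
```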