U-3

Uploaded by shruti.22320170

34 pages, © All Rights Reserved

Unit-III

Digital Forensics
Total Marks: 08

Prepared By:
Mr. A. A. Patel Khan
Introduction to Digital Forensics

• Forensic science is a well-established science that plays a vital role in criminal justice systems. It is applied to both criminal and civil actions.
• Digital forensics, sometimes known as digital forensic science, is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.
• Digital forensics includes the identification, recovery, investigation, validation, and presentation of facts regarding digital evidence found on computers or similar digital storage media.
History of Forensics

• The field of computer forensics began in the 1980s, when personal computers became a viable option for consumers.
• In 1984, an FBI program was created, referred to as the Magnetic Media Program.
• It is currently known as the Computer Analysis and Response Team (CART).
• Michael Anderson, the Father of Computer Forensics, came into the limelight during this period.
• The International Organization on Computer Evidence (IOCE) was formed in 1995.
History of Forensics

• In 1997, the G8 countries declared that law enforcement personnel should be trained and equipped to deal with sophisticated crimes.
• In 1998, the INTERPOL Forensic Science Symposium was held.
• In 1999, the FBI CART caseload exceeded 2,000 cases, examining 17 terabytes of information.
• In 2000, the first FBI Regional Computer Forensic Laboratory was established.
• In 2003, the FBI CART caseload exceeded 6,500 cases, examining 782 terabytes of information.
Rules of Digital Forensics
• While performing a digital forensics investigation, the investigator should follow the given rules:
• An examination should never be performed on the original media.
• A copy is made onto forensically sterile media. New media should always be used if available.
• The copy of the evidence must be an exact, bit-by-bit copy (sometimes referred to as a bit-stream copy).
• The computer and the data on it must be protected during the acquisition of the media to ensure that the data is not modified.
• The examination must be conducted in such a way as to prevent any modification of the evidence.
• The chain of custody of all evidence must be clearly maintained to provide an audit log of who might have accessed the evidence and at what time.
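The rules above (bit-stream copy, no modification of the original, hash verification and a chain-of-custody log) in working form, as an added example that is not part of the original slides. It images a constructed file in a temporary directory rather than a real device, hashes the source while reading it and the image after writing it, appends JSON-lines custody entries, and shows that a single flipped byte in a working copy fails re-verification. The examiner name, file names and log format are assumptions for illustration; a real acquisition reads the device through a write blocker.

```python
"""Bit-stream copy with hash verification and a chain-of-custody log.

Added example, not from the original slides. The "device" is a
constructed file in a temporary directory so the script runs offline;
a real acquisition reads the device through a write blocker, and the
examiner name, file names and log format below are assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_copy(src, dst, chunk_size=1 << 20):
    """Copy src to dst byte for byte; hash the source as it is read.

    Returns (bytes_copied, source_sha256, image_sha256). The source is
    opened read-only, so nothing is ever written to the original.
    """
    src_hash = hashlib.sha256()
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(chunk_size), b""):
            src_hash.update(chunk)
            fout.write(chunk)
            copied += len(chunk)
        fout.flush()
        os.fsync(fout.fileno())
    # Hash the written image independently: the two digests must agree
    return copied, src_hash.hexdigest(), sha256_of_file(dst)


def verify_image(path, expected_sha256):
    """Re-hash an image and compare with the digest recorded at acquisition."""
    return sha256_of_file(path) == expected_sha256


def custody_entry(action, path, digest, examiner):
    """One chain-of-custody record: who did what to which item, and when."""
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "examiner": examiner,
        "item": os.path.basename(path),
        "sha256": digest,
    }


def acquire(src, dst, examiner, log_path):
    """Image src to dst, verify the image and append custody entries."""
    copied, src_hash, img_hash = bitstream_copy(src, dst)
    entries = [
        custody_entry("hashed source media", src, src_hash, examiner),
        custody_entry("created bit-stream image", dst, img_hash, examiner),
    ]
    with open(log_path, "a") as log:
        for entry in entries:
            log.write(json.dumps(entry) + "\n")
    return {"bytes": copied, "sectors": copied // SECTOR,
            "source_sha256": src_hash, "image_sha256": img_hash,
            "verified": src_hash == img_hash}


def demo():
    """Acquire a constructed 8-sector device and show re-verification."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "evidence.raw")  # constructed "device"
    image = os.path.join(workdir, "evidence.img")
    log = os.path.join(workdir, "custody.jsonl")
    payload = b"BOOT" + b"\x00" * (SECTOR - 4) + b"\xAA" * (SECTOR * 7)
    with open(device, "wb") as f:
        f.write(payload)
    result = acquire(device, image, "examiner-01 (constructed)", log)
    # Re-verifying the untouched image later must still match
    result["still_matches"] = verify_image(image, result["image_sha256"])
    # A working copy with one flipped byte fails verification
    working = os.path.join(workdir, "working_copy.img")
    data = bytearray(payload)
    data[SECTOR * 3] ^= 0x01
    with open(working, "wb") as f:
        f.write(data)
    result["tamper_detected"] = not verify_image(working, result["image_sha256"])
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The source digest is computed from the same bytes that are written, and the image digest is computed by reading the finished file back, so the two agree only if every byte reached the image intact; the custody log then ties those digests to an examiner and a time.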
Definition of Digital Forensics

• Digital forensics is a series of steps to uncover and analyze electronic data using the scientific method.
• The major goal of the process is to duplicate the original data and preserve the original evidence, and then to perform the series of investigation steps, collecting, identifying and validating digital information for the purpose of reconstructing past events.
Digital Forensic Investigation

• A digital forensic investigation (DFI) is a special type of investigation in which the scientific procedures and techniques used allow the result, the digital evidence, to be admissible in a court of law.
Goals of Digital Forensic Investigation:
• The main objective of a computer forensic investigation is to examine digital evidence and to ensure that it has not been tampered with in any manner.
• To achieve this goal, the investigation must be able to handle all of the obstacles below:
• Locating and handling a limited amount of valid data among the large number of files stored in a computer system.
• It is possible that the information has been deleted; in that situation, searching inside the files is worthless.
• Data may be stored on a damaged device, while the investigator searches for the data on working devices.
Goals of Digital Forensic Investigation:
• If the files are secured by passwords, investigators must find a way to read the protected data in an unauthorized manner.
• A major obstacle is that each and every case is different, so identifying the techniques and tools will take a long time.
• The digital data found should be protected from being modified. It is very tedious to prove that the data under examination is unaltered.
• A common procedure for investigation and standard techniques for collecting and preserving digital evidence are desired.
Models of Digital Forensics

• Road Map for Digital Forensic Research (RMDFR)
• Abstract Digital Forensic Model (ADFM)
• Integrated Digital Investigation Process (IDIP)
• End to End Digital Investigation Process (EEDIP)
• An Extended Model of Cybercrime Investigation (EMCI)
• UML Modeling of Digital Forensic Process Model (UMDFPM)
Road Map for Digital Forensic Research (RMDFR)
• Palmer designed a framework with the indexed processes shown in the figure below.

Fig. Road Map for Digital Forensic Research (RMDFR)
Road Map for Digital Forensic Research (RMDFR)
The six phases of RMDFR are as follows:
1. Identification:
It recognizes an incident from indicators and determines its type.
2. Preservation:
• The preservation stage corresponds to freezing the crime scene.
• It consists in stopping or preventing any activities that can damage the digital information being collected.
• Preservation involves operations such as preventing people from using computers during collection, stopping ongoing deletion processes, and choosing the safest way to collect information.
Road Map for Digital Forensic
Research (RMDFR)
3. Collection:
• Collection stage consists in finding and collecting
digital information that may be relevant to the
investigation.
• Since digital information is stored in computers,
collection of digital information means either
collection of the equipment containing the
information, or recording the information on some
medium.
• Collection may involve removal of personal
computers from the crime scene, copying or
printing out contents of files from a server,
recording of network traffic, and so on.
Road Map for Digital Forensic Research (RMDFR)
4. Examination:
• The examination stage consists in an in-depth, systematic search for evidence relating to the incident being investigated.
• The outputs of examination are data objects found in the collected information.
• They may include log files, data files containing specific phrases, timestamps, and so on.
5. Analysis: The aim of analysis is to draw conclusions based on the evidence found.
6. Reporting: This entails writing a report outlining the examination process and the pertinent data recovered from the overall investigation.
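The examination stage described above, finding data objects such as specific phrases and timestamps in the collected information, as an added example that is not part of the original slides. It scans a raw image for printable strings, case-insensitive keyword hits and timestamp-like values, and reports each finding with its byte offset and 512-byte sector, which is how a hit in a bit-stream copy is tied back to a location on the media. The image, the log line and the "deleted" document fragment are constructed for the example; the sector size and the timestamp format are assumptions.

```python
"""Examination-stage helper: locate data objects in a collected image.

Added example, not from the original slides. The image is constructed in
memory so the script runs offline; real images are far larger and are
read from the verified bit-stream copy, never from the original media.
"""
import re

SECTOR = 512            # assumed sector size
MIN_STRING_LEN = 6
# ISO-8601-style date and time, e.g. 2024-03-01 09:15:42 or 2024-03-01T09:15:42
TIMESTAMP = re.compile(rb"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")


def locate(offset):
    """Map a byte offset to (sector number, offset within that sector)."""
    return offset // SECTOR, offset % SECTOR


def find_strings(image, min_len=MIN_STRING_LEN):
    """Return [(offset, text)] for every run of printable ASCII >= min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def keyword_hits(image, keywords, context=16):
    """Return one hit record per case-insensitive keyword match, with context."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), image, re.IGNORECASE):
            sector, within = locate(m.start())
            lo, hi = max(0, m.start() - context), m.end() + context
            hits.append({
                "keyword": kw,
                "offset": m.start(),
                "sector": sector,
                "sector_offset": within,
                "context": image[lo:hi].decode("ascii", errors="replace"),
            })
    return hits


def find_timestamps(image):
    """Return [(offset, sector, timestamp)] for every timestamp-like value."""
    return [(m.start(), m.start() // SECTOR, m.group().decode("ascii"))
            for m in TIMESTAMP.finditer(image)]


def build_image():
    """Constructed 8-sector image: a log fragment in sector 2 and the
    remains of a 'deleted' document in sector 5; everything else is zero."""
    sectors = [bytearray(SECTOR) for _ in range(8)]
    sectors[0][0:4] = b"BOOT"
    log_line = b"2024-03-01 09:15:42 sshd: accepted login for admin from 10.0.0.5\n"
    sectors[2][0:len(log_line)] = log_line
    doc = b"Project Falcon - CONFIDENTIAL draft, do not distribute"
    sectors[5][100:100 + len(doc)] = doc
    return bytes(b"".join(sectors))


def examine(image, keywords):
    """Run the three searches and return the findings as one dict."""
    return {
        "strings": find_strings(image),
        "keyword_hits": keyword_hits(image, keywords),
        "timestamps": find_timestamps(image),
    }


if __name__ == "__main__":
    findings = examine(build_image(), ["confidential", "admin"])
    for hit in findings["keyword_hits"]:
        print(f"{hit['keyword']!r} at offset {hit['offset']} "
              f"(sector {hit['sector']}+{hit['sector_offset']}): {hit['context']}")
    for off, sector, ts in findings["timestamps"]:
        print(f"timestamp {ts} at offset {off} (sector {sector})")
```

Searching the raw bytes rather than the file system is what lets the document fragment in sector 5 surface even though no file entry points at it; the offset and sector recorded for each hit are what the later analysis and reporting stages cite.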
Abstract Digital Forensic Model (ADFM)
Reith, Carr and Gunsch proposed the Abstract Digital Forensic Model in 2002.

Fig. Abstract Digital Forensic Model

Phases of ADFM Model
Identification - it recognizes an incident from indicators and determines its type.
Preparation - it involves the preparation of tools, techniques, search warrants, monitoring authorization and management support.
Approach strategy - formulating procedures and an approach to use in order to maximize the collection of untainted evidence while minimizing the impact on the victim.
Preservation - it involves the isolation, securing and preserving of the state of physical and digital evidence.
Phases of ADFM Model
Collection - this is to record the physical scene and duplicate digital evidence using standardized and accepted procedures.
Examination - an in-depth, systematic search for evidence relating to the suspected crime. This focuses on identifying and locating potential evidence.
Analysis - this determines the importance and probative value to the case of the examined product.
Presentation - summary and explanation of conclusions.
Returning Evidence - physical and digital property is returned to its proper owner.
Integrated Digital Investigation Process (IDIP)
• A digital forensic process model (DFPM) with 5 groups and 17 phases was proposed by Carrier and Spafford.
• This DFPM is named the Integrated Digital Investigation Process (IDIP).
• The groups are indexed as shown in the following figure: Readiness, Deployment, Physical Crime Investigation, Digital Crime Investigation, and Review.

Fig. Integrated Digital Investigation Process (IDIP)
Phases of IDIP
Readiness phase
• The goal of this phase is to ensure that the
operations and infrastructure are able to fully
support an investigation.
• It includes two phases:
1. Operations Readiness phase
2. Infrastructure Readiness phase
Phases of IDIP
Deployment phase
• The purpose is to provide a mechanism for an
incident to be detected and confirmed.
• It includes two phases:
1. Detection and Notification phase where
the incident is detected and then
appropriate people notified.
2. Confirmation and Authorization phase
which confirms the incident and obtains
authorization for legal approval to carry out
a search warrant.
Phases of IDIP
Physical Crime Investigation phase
• The goal of this phase is to collect and analyze the physical evidence and reconstruct the actions that took place during the incident.
• It includes six phases:
1. Preservation phase
2. Survey phase
3. Documentation phase
4. Search and collection phase
5. Reconstruction phase
6. Presentation phase
Phases of IDIP
Digital Crime Investigation phase
• The goal is to collect and analyze the digital evidence that was obtained from the physical investigation phase and through any other future means. It includes similar phases to the Physical Investigation phases, although the primary focus is on the digital evidence.
• The six phases are:
1. Preservation phase
2. Survey phase
3. Documentation phase
4. Search and collection phase
5. Reconstruction phase
6. Presentation phase
Phases of IDIP
Review phase
• This entails a review of the whole investigation and identifies areas of improvement.
• The IDIP model does well at illustrating the forensic process, and also conforms to cyber-terrorism capabilities.
• It also highlights the reconstruction of the events that led to the incident and emphasizes reviewing the whole task, ultimately building a mechanism for quicker forensic examinations.
End to End Digital Investigation Process (EEDIP)

Fig. End to End Digital Investigation Process (EEDIP), with the phases in order: Identification, Preservation, Collection, Examination, Analysis, Presentation
End to End Digital Investigation Process (EEDIP)
• This model, proposed by Stephenson, comprises six major mechanisms within a framework.
• EEDIP stands for End-to-End Digital Investigation Process, which ensures the investigation operation from beginning to end.
Phases of EEDIP
The phases of EEDIP are as follows:
1. The identification phase involves identifying the nature of the incident from possible known indicators. Indicators are recognized by experienced investigators.
2. The preservation phase includes consolidating the investigation and the findings to date.
3. The collection phase includes documentation of the physical scene and replication of the digital evidence using approved standard procedures.
4. The examination phase involves obtaining and studying the digital evidence. Extraction methods are used for reconstructing data from the media.
5. In the analysis phase the importance of the documented evidence is explored and conclusions are drawn by integrating chunks of data.
6. The presentation phase involves summarizing the evidence found in the process of the investigation.
An Extended Model of Cybercrime Investigation (EMCI)

Fig. An Extended Model of Cybercrime Investigation (EMCI)
Phases of EMCI
• The EMCI follows a waterfall model, as every activity occurs in sequence.
• The sequence of examine, hypothesis, present, and prove/defend is bound to be repeated as the evidence heap increases during the investigation.
Phases of EMCI
1. Awareness is the phase during which the investigators are informed that a crime has taken place; the crime is reported to some authority. An intrusion detection system may also trigger such awareness.
2. Authorization is the stage where the nature of the investigation has been identified, unplanned authorization may be required to proceed, and the authorization is obtained internally or externally.
3. Planning is impacted by information from within and outside the organization that will affect the investigation. Internal factors are the organization's policies, procedures, and former investigative knowledge, while outside factors consist of legal and other requirements not known by the investigators.
UML Modeling of Digital Forensic Process Model (UMDFPM)
Kohn, Eloff, and Olivier proposed the UML Modeling of Digital Forensic Process Model, an apt paradigm for modeling forensic processes.

Fig. UML Modeling of Digital Forensic Process Model (UMDFPM), with the activities Collect, Examine, Analysis and Report and the Evidence and Report objects
UML Modeling of Digital Forensic Process Model (UMDFPM)
Phases of UMDFPM:
• Kohn and Olivier made use of UML and use case diagrams to demonstrate all the phases and their interaction with all investigators.
• Two processes have been added to the activity diagram to align it with Kohn's framework.
• These are "prepare" in the preparation phase and "present" in the presentation phase.
Ethical issues in Digital Forensics
• Ethics in the digital forensic field can be defined as a set of moral principles that regulate the use of computers.
• Ethical decision making in digital forensic work comprises one or more of the following:
1. Honesty towards the investigation
2. Prudence, meaning careful handling of the digital evidence
3. Compliance with the law and professional norms
General ethical norms for investigators
• The investigator should satisfy the following points:
1. To contribute to society and human well-being
2. To avoid harm to others
3. To be honest and trustworthy
4. To be fair and take action not to discriminate
5. To honor property rights, including copyrights and patents
6. To give proper credit for intellectual property
Unethical norms for Digital Forensic Investigation
• The investigator should not:
1. Withhold any relevant evidence
2. Disclose any confidential matters or knowledge
3. Express an opinion on the guilt or innocence of any party
4. Engage or be involved in any kind of unethical or illegal conduct
5. Deliberately or knowingly undertake an assignment beyond his or her capability
6. Distort or falsify education, training or credentials
7. Display bias or prejudice in findings or observations
8. Exceed or outpace authorization in conducting an examination
