DIGITAL FORENSIC PROCESS
1. Kruse And Heiser Model
Acquire-Authentication-Analysis
2. Yale University Model
Preliminary Investigation-Planning-Recognition-Preservation, Collection, and Documentation-Classification, Comparison, and Individualization
3. Rodney McKemmish Model
Identification-Preservation-Analyze-Presentation
4. The five-step model of the Philippine National Police Anti-Cybercrime Group
Step 1. Identification
Step 2. Data Acquisition
Step 3. Examination/Analysis
Step 4. Reporting/Documentation
Step 5. Court Presentation
DIGITAL INVESTIGATIVE PLANNING
a. Pre-search Activities
b. Intelligence Gathering
c. Assembling Investigation
d. Planning the Search
INVESTIGATIVE PERSONNEL
1. General Lead Investigator (Team Leader)
2. Searchers (Seizing officer)
3. Seizure Officer
4. Exhibits Officer (Evidence Custodian)
5. Photographer
6. Digital Investigator
7. Scene Security Team
The world has become increasingly interconnected.
The emphasis has been on robustness and redundancy, not on security and traceability.
Complexity and uncertainty of digital investigations.
Training of the first responder is critical.
INCIDENT RESPONSE
Collaboration between the prosecutor and the forensic examiner is necessary in prosecuting cybercrimes.
Digital evidence poses unique challenges to the investigation process. Each step must be precise to ensure the probative value of potential digital evidence.
•UK examiners adhere to the Association of Chief Police Officers (ACPO) guidelines:
• No action taken by agents should change data held on a computer or storage media.
• When it is necessary to access original data held on a computer or on storage media, the person accessing it must be competent to do so.
• An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved.
• The person in charge of the investigation has overall responsibility for ensuring that these principles are adhered to.
•Live Response Forensic
•Acquisition of computer data while the computer is powered on.
•The main purpose of the collection is to preserve volatile evidence that will further the investigation.
Live data collection is not without risk.
Collecting evidence according to the proper steps of evidence control helps ensure that the computer evidence is authentic.
Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1) tools use complex algorithms to compute a fixed-length fingerprint of the data; recomputing it later shows whether the evidence has changed since collection.
Questions to weigh before running a live response:
• Is there reason to believe volatile data contains information critical to the investigation?
• Can the live response be run in an ideal manner?
• Is the number of affected systems large?
• Is there a risk that forensic duplications will take an excessive amount of time?
• Are there legal or other considerations that make it wise to preserve as much data as possible?
Dead-box Forensic
The acquisition of computer data when the computer is powered off.
The hard drive will be removed and attached first to the write block device before connecting it to the forensic computer workstation.
Forensic Investigation Steps
• Acquisition
• Identification
• Evaluation
• Presentation
1. Acquisition - the first step in the forensic process; it is critical to ensuring the integrity of the evidence.
2. Identification - this phase determines the context in which the evidence was found.
3. Evaluation - refers to the interpretation and reconstruction of the digital crime scene.
4. Presentation - the final stage; it involves reporting data pertinent to the case to the prosecutor and, eventually, preparing to testify in court.
First Responders are Responsible for the Acquisition Step
• Which evidence was obtained?
• Which individual or individuals retrieved the evidence?
• Where was the evidence gathered?
• When was the evidence collected?
• How was the evidence acquired?
The digital forensic investigator must carefully choose the forensic tool to be used in the digital examination. It must be able to perform various tasks depending on the needs of the case.
1. The system time and date, including the time zone
2. Operating system version information
3. General system information, such as memory capacity, hard drives, and mounted file systems
4. List of services and programs configured to automatically start
5. List of tasks scheduled to automatically run at given times or intervals
6. List of local user accounts and group membership
7. Network interface details, including IP and MAC addresses
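As an added example (not from the slides or any named tool), a small Python collector for the seven items above: each command's output is saved to the response drive together with a SHA-256 digest and a timestamp, which gives the audit trail of applied processes that the ACPO guidelines call for. The Windows command table and the function names are assumptions; run_and_record records a missing tool as a failed step instead of stopping.

```python
import hashlib
import json
import os
import subprocess
import tempfile
from datetime import datetime, timezone

# Constructed command table (assumption): typical Windows built-ins for the seven
# items above. Run from the response drive and pass its path as outdir.
WINDOWS_COMMANDS = {
    "01_time_and_zone": ["cmd", "/c", "date /t & time /t & tzutil /g"],
    "02_os_version": ["cmd", "/c", "ver"],
    "03_system_info": ["systeminfo"],
    "04_services": ["sc", "query"],
    "05_scheduled_tasks": ["schtasks", "/query", "/fo", "LIST", "/v"],
    "06_local_users": ["net", "user"],
    "07_network": ["ipconfig", "/all"],
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def run_and_record(name, argv, outdir):
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True)
        stdout, rc = proc.stdout, proc.returncode
    except OSError as exc:  # tool missing on this host: record it and carry on
        stdout, rc = str(exc).encode(), -1
    out_path = os.path.join(outdir, name + ".txt")
    with open(out_path, "wb") as fh:
        fh.write(stdout)
    return {
        "item": name,
        "command": argv,
        "time_utc": started,
        "returncode": rc,
        "output_file": out_path,
        "sha256": digest(stdout),  # proves later that the saved file is unchanged
    }

def collect(commands, outdir):
    # Collect every item in the listed order and write manifest.json beside them.
    entries = [run_and_record(n, argv, outdir) for n, argv in commands.items()]
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(entries, fh, indent=2)
    return entries

def make_outdir():  # fresh folder; in the field, a folder on the response drive
    return tempfile.mkdtemp(prefix="live_response_")
```

Call collect(WINDOWS_COMMANDS, make_outdir()) on the live system; the manifest's timestamps, commands and digests are the record the examiner later cites.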
Forensic image
Identification and collection must be done in a VERY SYSTEMATIC MANNER
Coordinated and structured approach
DOCUMENTING THE SCENE
Powered “Off” Computers
• Do not turn the power on.
• Immediately secure all electronic devices.
• Ensure that no unauthorized person has access to any electronic devices.
• Remove all persons from the search/crime scene.
• Ensure that the condition of any electronic device is not altered.
First responders must secure and take control of the scene both physically and electronically.
COLLEGE OF CRIMINOLOGY AND CRIMINAL JUSTICE
Calayan Educational Foundation, Inc.
Powered “ON” Computers
• Look and listen for indications that the computer is powered on.
• Check the display screen for signs that digital evidence is being destroyed.
• Look for indications that the computer is being accessed from a remote computer or device.
• Take note of all cameras or Web cameras (Web cams) and determine if they are active.
If the responder detects excessive hard drive activity suggesting the drive is being wiped, consider terminating the wiping program if possible, or removing power from the computer to prevent further damage.
1. Configuration information
2. Typed commands
3. Passwords
4. Encryption keys
5. Unencrypted data
6. IP addresses
7. Internet history
8. Chat conversations
9. Emails
10. Malware
Image hard drive
Source: Mr. Ovie L. Carrol
Director, US Department of Justice Computer Crime and Intellectual Property Section (CCIPS)
1. Plug the “LIVE RESPONSE TOOL” thumb drive into the computer, then open the live response folder.
2. Click the AccessData FTK Imager icon to launch the program.
3. Click the Capture Memory button, or click the File toolbar and select Capture Memory.
4. Select where the RAM will be saved on your flash drive or external drive by clicking the Browse button.
5. Choose where the RAM will be saved. Select Make New Folder.
6. Type the folder name. Click OK.
7. The destination path of the RAM has been selected. The default filename is memdump.mem. Click Capture Memory.
8. The progress bar will show the amount of RAM being dumped. After successfully capturing memory, click Close.
Source: Mr. Ovie L. Carrol
Director, US Department of Justice Computer Crime and Intellectual Property Section (CCIPS)
1. Click the EDD icon to launch the program.
2. Click “I accept”.
3. EDD will scan the computer and report if encryption was detected.
Source: Mr. Ovie L. Carrol
Director, US Department of Justice Computer Crime and Intellectual Property Section (CCIPS)
1. Plug the “LIVE RESPONSE TOOL” thumb drive into the computer, then open the live response folder.
2. Click the AccessData FTK Imager icon to launch the program.
3. Click the icon for Create Disk Image.
4. Select Logical Drive, then click Next.
5. Click the drop-down button and select the encrypted drive. Click Finish.
6. Click Add.
7. Select E01.
9. Type the necessary information, then click Next.
10. Choose where to save the contents of the encrypted container, then click Finish.
11. Click Start.
12. You will see the progress bar and, after completion, a notification that the drive was imaged successfully. Then click Close.
13. After the imaging process, FTK Imager will generate a report indicating the hash value.
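As an added example (not from the slides or FTK Imager), this Python block recomputes the digests of an acquired image, compares them with the values copied from the imaging report, and fills in the who/what/where/when/how acquisition record from the earlier slide. Function names are hypothetical; it assumes a raw (dd) image or the exported data stream, because the hash in the report covers the acquired data, not the E01 container file itself.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Hypothetical helpers. The image path and the digests copied from the imaging
# report are supplied by the caller (a constructed sample is used in the test).

def hash_image(path, algorithms=("md5", "sha1", "sha256")):
    # One pass over the image feeds every requested digest. MD5 and SHA-1 are the
    # algorithms named on the slides; SHA-256 is added as a stronger fingerprint.
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(path, reported):
    # Compare recomputed digests with those recorded in the report, per algorithm.
    computed = hash_image(path, tuple(reported))
    results = {n: computed[n] == reported[n].lower() for n in reported}
    return all(results.values()), results

def acquisition_record(path, reported, who, where, how):
    # The five questions a first responder must be able to answer for the image.
    authentic, results = verify_image(path, reported)
    return {
        "what": os.path.basename(path),
        "who": who,
        "where": where,
        "when_utc": datetime.now(timezone.utc).isoformat(),
        "how": how,
        "hash_check": results,
        "authentic": authentic,
    }

def make_sample_image(data: bytes) -> str:
    # Constructed stand-in for an acquired raw image file.
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```

A record with "authentic": False means the image no longer matches what the report certified and must not be examined as evidence until the discrepancy is explained.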