Introduction to Digital Forensic

2.1 Digital Forensic
2.2 Need
2.3 Rules of Digital Forensic
2.4 Types
2.5 Ethical Issues
2.6 Investigations
2.7 Digital Evidences
2.8 Rules of Digital Evidence
2.9 Characteristics
2.10 Types of Evidence
2.11 Challenges in Evidence Handling

• Forensic science is a well-established science that plays a critical role in criminal justice systems.
• Forensic science is often referred to simply as forensics.
• Digital forensics, also called digital forensic science, is the branch of forensic science that covers the recovery and examination of material found in digital devices, often in relation to a cybercrime.
• Digital forensics is a series of steps to uncover and analyze electronic data through the scientific method. The major goal of the process is to duplicate the original data and preserve the original evidence, then carry out the investigation on the duplicate by collecting, identifying and validating the digital information for the purpose of reconstructing past events.
Need of Digital Forensic

• The word "forensics" means "to bring to the court".
• Network administrators and security staff of networked organizations need to practice computer forensics and to know the relevant laws, because the rate of cybercrime is increasing greatly.
• The major goal of computer forensics is to recognize, gather, protect and examine data in a way that preserves the integrity of the collected evidence, so that it can be used efficiently and effectively in a case.
Rules of Digital Forensic

Rule 1. An examination should never be performed on the original media.
Rule 2. A copy is made onto forensically sterile media (media that has been wiped and verified to contain no residual data). New media should always be used if available.
Rule 3. The copy of the evidence must be an exact, bit-by-bit copy (sometimes referred to as a bit-stream copy). It captures every sector, including unallocated and slack space, which a file-level copy would miss.
Rule 4. The computer and the data on it must be protected during acquisition of the media to ensure that the data is not modified (use a write-blocking device when possible).
Rule 5. The examination must be conducted in such a way as to prevent any modification of the evidence.
Rule 6. The chain of custody of all evidence must be clearly maintained, providing an audit log of who may have accessed the evidence and at what time.
Types of Digital Forensic

1. Computer Forensics – the identification, preservation, collection, analysis and reporting of evidence found on computers, laptops and storage media in support of investigations and legal proceedings.
2. Network Forensics – the monitoring, capture, storage and analysis of network activity or events in order to discover the source of security attacks, intrusions or other incidents, such as worm, virus or malware attacks, abnormal network traffic and security breaches.
3. Mobile Device Forensics – the recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles.
4. Digital Image Forensics – the extraction and analysis of digitally acquired photographic images to validate their authenticity, for example by recovering the metadata of the image file to ascertain its history.
5. Digital Video/Audio Forensics – the collection, analysis and evaluation of sound and video recordings. The science is the establishment of authenticity: whether a recording is original and whether it has been tampered with, either maliciously or accidentally.
6. Memory Forensics – the recovery of evidence from the RAM of a running computer. Because RAM is volatile and its contents are lost at power-off, it must be captured while the system is still running, which is called live acquisition.
Ethical Issues

• "Ethics" is derived from the ancient Greek word ethikos, meaning "moral, showing moral character". Ethics in the digital forensics field can be defined as a set of moral principles that regulate the use of computers; common ethical concerns in computer forensics include intellectual property, privacy, and the impact of computers on society.
• Ethical decision-making in digital forensics work comprises one or more of the following:
1. Honesty toward the investigation.
2. Prudence, meaning careful handling of the digital evidence.
3. Compliance with the law and professional norms.
General Ethics Norms for Investigator in Digital Forensic Field

Before starting an investigation in the digital forensic field, the investigator should satisfy the following points. The investigator:
1. Should contribute to society and human well-being.
2. Should avoid harm to others.
3. Should be honest and trustworthy.
4. Should be fair and take action not to discriminate.
5. Should honor property rights, including copyrights and patents.
6. Should give proper credit for intellectual property.
7. Should respect the privacy of others.
8. Should honor confidentiality.
Unethical Norms for Digital Forensic Investigation

The investigator should not:
1. Withhold any relevant evidence.
2. Disclose any confidential matters or knowledge learned in an investigation without an order from a court of competent jurisdiction or without the client's consent.
3. Express an opinion on the guilt or innocence of any party.
4. Engage in any kind of unethical or illegal conduct.
5. Deliberately or knowingly undertake an assignment beyond his or her capability.
6. Distort or falsify education, training or credentials.
7. Display bias or prejudice in findings or observations.
8. Exceed the authorization granted when conducting examinations.
Digital Forensic Investigations

• The terms digital investigation, digital forensic investigation (DFI), forensic examination and forensic investigation have all been used to describe an investigation in which a digital device forms part of the incident.
• A DFI is thus a special type of investigation in which the scientific procedures and techniques used allow the results, that is, the digital evidence, to be admissible in a court of law.
• The results of a DFI must therefore have a legal basis. Digital evidence cannot be read directly from the media, so tools are employed to examine and present the state of the information, and the reliability of those tools and procedures is part of what makes the result admissible.
Introduction to Digital Evidences

• Digital evidence is any information or data of value to an investigation that is stored on, received by, or transmitted by an electronic device.
• Evidence can be stated as any information that can be relied upon and trusted and that can prove something related to a case at trial, that is, indicating that a certain substance or condition is present.
Introduction to Digital Evidences

The Best Evidence Rule:
• The best evidence rule requires that the original writing or recording be admitted in court to prove its contents, unless an exception applies.
• For digital data, best evidence is defined as the most complete copy, or a copy which includes all necessary parts of the evidence and is closely tied to the original evidence.
• In practice this means that copies of electronic files may count as the "original" or as equivalent to the "original"; a verified bit-stream image whose hash matches the source media is the usual form.

Original Evidence:
• Original evidence is defined as the real (original) copy of the evidence media as handed over by the client or victim.
• Best evidence, as above, is the most complete copy that includes all the necessary parts of the evidence and is closely related to the original evidence.
• There should be an evidence custodian who stores either the best evidence or the original evidence for every investigation in the evidence safe.
Rules of Digital Evidence

• The rules of evidence are also called the law of evidence.
• They comprise the rules and legal principles that govern the proof of facts in a legal proceeding.
• Digital evidence must be:
1. Admissible: the evidence must be usable in court, that is, collected and handled in conformity with the law.
2. Authentic: the evidence must be genuine and must be positively tied to the incident.
3. Complete: the evidence must cover all perspectives, not only those that support one theory of the case.
4. Reliable: there must be no doubt about how the evidence was collected and handled, or about the accuracy of the examiner's conclusions.
5. Believable: the evidence must be understandable and believable to a jury.

Rule 103 (Rulings on Evidence, US Federal Rules of Evidence):
1. Preserving a claim of error.
2. Not needing to renew an objection or offer of proof.
3. Directing an offer of proof.
4. Taking notice of plain error.
Rules of Digital Evidence

• Evidence collection should always be performed so that the evidence will withstand legal proceedings. Key criteria for handling such evidence are as follows:
1. The proper protocol should be followed for acquisition of the evidence irrespective of whether it is physical or digital. Gentle handling should be exercised where the device may be damaged (e.g., dropped or wet).
2. Special handling may be required in some situations. For example, when a device is actively destroying data through disk formatting, it may need to be shut down immediately to preserve the evidence. In other situations it would not be appropriate to shut down the device, because the digital forensics expert needs to examine the device's volatile memory (RAM), which is lost at power-off.
3. All artifacts, physical and/or digital, should be collected, retained and transferred using a preserved chain of custody.
4. All materials should be date and time stamped, identifying who collected the evidence and the location it is being transported to after initial collection.
5. Proper logs should be maintained when transferring possession.
6. When storing evidence, suitable access controls should be implemented and tracked to certify that the evidence has only been accessed by authorized individuals.
Characteristics of Digital Evidence

1. Locard's Exchange Principle:
• According to Edmond Locard's principle, when two items make contact, there will be an interchange.
• When an incident takes place, the criminal will leave trace evidence at the scene and remove trace evidence from the scene. This alteration is known as the Locard exchange principle. The same holds in the digital world: an intruder leaves log entries, file-system timestamps, registry keys or network records behind, and the investigator's own actions also leave traces, which is one more reason the examination is done on a copy.

2. Digital Stream of Bits
• Cohen refers to digital evidence as a bag of bits, which in turn can be arranged in arrays to display the information.
• The information in a continuous stream of bits will rarely make sense on its own, and tools are needed to present these structures logically so that they are readable.
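The following is an added example, not part of the lecture slides, that shows the "bag of bits" point concretely: the same 512 bytes are first printed as a hex dump, where they mean little, and then interpreted as a DOS/MBR partition table. The sector contents, disk signature and partition values are constructed for the example; the field layout (four 16-byte entries at offset 446, signature 0x55AA at offset 510) is the standard one. The last function goes slightly beyond the slide and lists the sectors no partition claims, which is where deleted or hidden data lives and why Rule 3 insists on a full bit-stream copy.

```python
"""Added example (not from the slides): turning a raw stream of bits into a
readable structure. The sector below is constructed; the field layout is the
standard DOS/MBR partition table."""
import struct

SECTOR_SIZE = 512
ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, start LBA, sector count
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x83: "Linux", 0xEE: "GPT protective"}


def build_sample_mbr() -> bytes:
    """Constructed 512-byte sector with two partition entries (assumed values)."""
    sector = bytearray(SECTOR_SIZE)
    sector[440:444] = b"\x12\x34\x56\x78"        # disk signature, arbitrary
    sector[446:462] = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    sector[462:478] = struct.pack(ENTRY_FORMAT, 0x00, b"\xfe\xff\xff", 0x83, b"\xfe\xff\xff", 206848, 409600)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def hexdump(data: bytes, start: int = 0, length: int = 64) -> str:
    """The bag-of-bits view an examiner sees first: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(start, min(start + length, len(data)), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<47}  {text}")
    return "\n".join(lines)


def parse_mbr(sector: bytes) -> list:
    """Interpret the same bytes as partition entries. Refuses a sector without the
    boot signature instead of guessing at its structure."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not an MBR sector")
    partitions = []
    for slot in range(4):
        off = 446 + 16 * slot
        status, _chs_start, ptype, _chs_end, start, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype == 0x00:
            continue   # unused slot
        partitions.append({
            "slot": slot + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "start_lba": start,
            "end_lba": start + count - 1,
            "sectors": count,
            "size_mib": count * SECTOR_SIZE / (1024 * 1024),
        })
    return partitions


def unallocated_ranges(partitions: list, total_sectors: int) -> list:
    """Sector ranges claimed by no partition. Deleted and deliberately hidden data
    sit here, so a forensic image must include them (a file copy never would)."""
    gaps = []
    cursor = 1   # sector 0 is the MBR itself
    for part in sorted(partitions, key=lambda p: p["start_lba"]):
        if part["start_lba"] > cursor:
            gaps.append((cursor, part["start_lba"] - 1))
        cursor = max(cursor, part["end_lba"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


if __name__ == "__main__":
    mbr = build_sample_mbr()
    print(hexdump(mbr, start=440, length=72))          # raw bits: hard to read
    for part in parse_mbr(mbr):                         # same bits, structured
        print(part)
    print("unallocated:", unallocated_ranges(parse_mbr(mbr), total_sectors=1_000_000))
```

On a real disk the sector would come from the verified image, never from the original media, and the parser would be followed by the same treatment for the file system inside each partition; the point is that every layer is just another arrangement of the same bits.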
Types of Evidence

There are many types of evidence, each with its own specific or unique characteristics. Some of the major types of evidence are as follows:
1. Illustrative evidence
2. Electronic evidence
3. Documentary evidence
4. Explainable (exculpatory) evidence
5. Substantial evidence
6. Testimonial evidence
Types of Evidence

1. Illustrative Evidence:
Illustrative evidence is also called demonstrative evidence. It is generally a representation of an object and is a common form of proof. Examples are photographs, videos, sound recordings, X-rays, maps, drawings, graphs, charts, simulations, sculptures and models.

2. Electronic Evidence:
Electronic evidence is digital evidence. The use of digital evidence in trials has greatly increased. Evidence or proof obtained from an electronic source is called digital evidence (e.g., emails, hard drives, word-processing documents, instant message logs, ATM transactions, cell phone logs, etc.).

3. Documentary Evidence:
Documentary evidence is similar to demonstrative evidence; however, in documentary evidence the proof is presented in writing (e.g., contracts, wills, invoices, etc.). It can be carried on any number of media, and such documentation can be recorded and stored (e.g., photographs, recordings, films, printed emails, etc.).
Types of Evidence

4. Explainable Evidence (Exculpatory):
This type of evidence is typically used in criminal cases, where it supports the defendant by partially or totally removing their guilt in the case. It is also referred to as exculpatory evidence. An examiner must report it even when it weakens the case they were engaged on; withholding it is the unethical conduct listed earlier.

5. Substantial Evidence:
Proof that is introduced in the form of a physical object, whether whole or in part, is referred to as substantial evidence. It is also called physical (or real) evidence. Such evidence might consist of dried blood, fingerprints, DNA samples, or casts of footprints or tire tracks at the scene of the crime.

6. Testimonial Evidence:
Testimonial evidence is evidence spoken by a witness under oath, or written evidence given under oath in an official declaration, that is, an affidavit. It is one of the most common forms of evidence in the legal system.
Challenges in Evidence Handling

1. Authentication of Evidence
The evidence collected by any person or investigator should be collected using authenticated (documented and accepted) methods and techniques, because during court proceedings it will become the major evidence to prove the crime. In other words, to offer a piece of evidence in testimony it must first be authenticated, that is, shown to be what it purports to be. This is typically done through a witness who has personal knowledge of its origin, supported by the collection records and the hash values recorded at acquisition.
Challenges in Evidence Handling

2. Maintaining the Chain of Custody
Maintaining the chain of custody means that the evidence collected must not be accessed by any unauthorized individual and must be stored in a tamper-proof manner. For each item obtained, there must be a complete chain of custody record. Chain of custody is the requirement that you be able to trace the location and the possession of the evidence from the moment it was collected to the moment it is presented in a judicial proceeding.
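As an added example (not from the slides), the following Python makes the chain-of-custody record described above, and required by Rule 6 earlier, tamper-evident: every entry carries the SHA-256 of the entry before it, and every handover restates the digest of the evidence item, so an edited, deleted or substituted record can be detected when the chain is walked. The item ID, names and locations are constructed for the example, and the class and function names are this example's own.

```python
"""Added example (not from the slides): a tamper-evident chain-of-custody log.
Every entry stores the SHA-256 of the entry before it, so editing or deleting a
record after the fact breaks the link that follows it. Item IDs, names and
locations are constructed for the example."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the first entry


def entry_digest(entry: dict) -> str:
    """Hash of the entry body in canonical JSON (sorted keys, fixed separators),
    so the same record always hashes the same way regardless of field order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class CustodyLog:
    def __init__(self, item_id: str):
        self.item_id = item_id
        self.entries = []

    def record(self, action: str, by: str, location: str, evidence_sha256: str,
               handed_to: str = None, when: datetime = None) -> str:
        """Append one custody event (collected / transferred / examined / stored)
        and return its hash. The evidence digest is restated at every handover so
        a substituted item shows up in the log itself, not only in the lab."""
        entry = {
            "seq": len(self.entries),
            "item_id": self.item_id,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "action": action,
            "by": by,
            "handed_to": handed_to,
            "location": location,
            "evidence_sha256": evidence_sha256,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> tuple:
        """Walk the chain from the first entry. Returns (ok, bad_seqs): an entry is
        bad if its sequence number, back-link, own hash or evidence digest is wrong."""
        bad, prev = [], GENESIS
        baseline = self.entries[0]["evidence_sha256"] if self.entries else None
        for i, entry in enumerate(self.entries):
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or entry_digest(entry) != entry["entry_hash"]
                    or entry["evidence_sha256"] != baseline):
                bad.append(i)
            prev = entry["entry_hash"]
        return (not bad, bad)


def demo() -> dict:
    """Build a four-step chain, then show two kinds of after-the-fact editing."""
    item = hashlib.sha256(b"constructed evidence image").hexdigest()
    log = CustodyLog("EV-0001")
    log.record("collected", by="A. Examiner", location="scene, workstation 3", evidence_sha256=item)
    log.record("transferred", by="A. Examiner", handed_to="B. Custodian", location="evidence intake", evidence_sha256=item)
    log.record("examined", by="C. Analyst", location="lab bench 2", evidence_sha256=item)
    log.record("stored", by="C. Analyst", handed_to="B. Custodian", location="evidence safe", evidence_sha256=item)
    intact = log.verify()
    # Someone later rewrites who received the item at intake: that entry's hash no longer matches.
    log.entries[1]["handed_to"] = "Z. Unknown"
    edited = log.verify()
    # They also recompute that entry's own hash: now the next entry's back-link fails instead.
    log.entries[1]["entry_hash"] = entry_digest(log.entries[1])
    repaired = log.verify()
    return {"intact": intact, "edited": edited, "repaired": repaired}


if __name__ == "__main__":
    print(demo())   # {'intact': (True, []), 'edited': (False, [1]), 'repaired': (False, [2])}
```

The chain proves only internal consistency: someone holding the whole file could regenerate every hash. The usual fix is to anchor the latest entry hash outside the log (signed, printed on the paper custody form, or written to a separate append-only system) so that the chain cannot be rewritten without that anchor disagreeing.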
Challenges in Evidence Handling

3. Evidence Validation
The challenge is to ensure that the data you collected is the same as the data later presented in court. It is very common for several years to pass between the collection of evidence and its production at a judicial proceeding. To meet the challenge of validation, it is necessary to ensure that the original media matches the forensic duplicate by comparing cryptographic hash values such as MD5 hashes; because MD5 is no longer collision resistant, a stronger digest such as SHA-256 should be recorded alongside it. The validation evidence for every file is the hash value generated for each file that contributes to the case. The verify function within the EnCase application can be used when duplicating a hard drive with EnCase. To perform a forensic duplication using dd, you must record a hash for both the original evidence media and the binary file or files that compose the forensic duplicate.
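The following added example, written for this page and not taken from the slides or from any tool's source, puts the validation step above together with Rules 2 to 4 of the forensic rules given earlier: it makes a bit-stream copy block by block, records MD5 and SHA-256 of the bytes written, and later re-hashes either the image or the original media to confirm they still match. It models the behaviour of `dd conv=noerror,sync`, where an unreadable block becomes zeros in the image and is logged rather than skipped, so offsets stay aligned. The "media" are in-memory byte buffers constructed for the example; on a real case the source is the device opened read-only behind a hardware write blocker and the image is written to sterile media.

```python
"""Added example (not from the slides): bit-stream acquisition with hash
verification, modelled on `dd conv=noerror,sync` followed by md5sum/sha256sum.
The media here are in-memory buffers constructed for the example."""
import hashlib
import io

BLOCK_SIZE = 4096
SAMPLE_MEDIA = bytes(range(256)) * 64          # constructed 16 KiB "drive" (4 blocks)


def hash_stream(fobj, block_size=BLOCK_SIZE) -> dict:
    """One-pass MD5 and SHA-256 of a file object. MD5 is kept because older
    reports and tools use it, but it is not collision resistant, so a stronger
    digest is always recorded next to it."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    fobj.seek(0)
    while True:
        chunk = fobj.read(block_size)
        if not chunk:
            break
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire_image(src, dst, block_size=BLOCK_SIZE) -> dict:
    """Copy src to dst block by block. An unreadable block is replaced by zeros
    and its index logged (never silently skipped), so offsets in the image still
    line up with the media. Hashes are computed from the bytes actually written."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_blocks, index, total = [], 0, 0
    src.seek(0)
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_blocks.append(index)
            src.seek((index + 1) * block_size)   # step past the bad block
            chunk = b"\x00" * block_size
        if not chunk:
            break
        dst.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
        total += len(chunk)
        index += 1
    return {"bytes": total, "blocks": index, "bad_blocks": bad_blocks,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(acquisition: dict, fobj) -> bool:
    """Re-hash a file object (the image years later, or the original media) and
    compare with the digests recorded at acquisition. Both digests must match."""
    now = hash_stream(fobj)
    return now["md5"] == acquisition["md5"] and now["sha256"] == acquisition["sha256"]


class FlakyMedia(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable block."""
    def __init__(self, data: bytes, bad_block: int, block_size: int = BLOCK_SIZE):
        super().__init__(data)
        self.bad_block, self.block_size = bad_block, block_size

    def read(self, size=-1):
        if self.tell() // self.block_size == self.bad_block:
            raise OSError("I/O error: unreadable sector")
        return super().read(size)


def demo() -> dict:
    """Clean acquisition, then acquisition of media with a bad block."""
    clean_img = io.BytesIO()
    clean = acquire_image(io.BytesIO(SAMPLE_MEDIA), clean_img)
    flaky_img = io.BytesIO()
    flaky = acquire_image(FlakyMedia(SAMPLE_MEDIA, bad_block=2), flaky_img)
    return {
        "clean": clean,
        "clean_matches_media": verify_image(clean, io.BytesIO(SAMPLE_MEDIA)),
        "clean_matches_image": verify_image(clean, clean_img),
        "flaky": flaky,
        "flaky_image": flaky_img.getvalue(),
        "flaky_matches_clean": verify_image(clean, flaky_img),
    }


if __name__ == "__main__":
    r = demo()
    print("clean:", r["clean"], "verified against media:", r["clean_matches_media"])
    print("flaky bad blocks:", r["flaky"]["bad_blocks"], "matches clean image:", r["flaky_matches_clean"])
```

The acquisition record (byte count, block count, bad-block list and both digests) is what goes into the case notes and the chain-of-custody form; the bad-block list matters because an image with zeroed blocks will, correctly, never hash the same as the media it came from, and the examiner must be able to explain that difference in court rather than discover it there.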