Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
69 views11 pages

Digital Forensics Essentials

This document discusses topics related to computer forensics analysis and validation. It covers scope creep in investigations, basic investigation steps, situations requiring plan alterations, data validation importance and tools, and benefits of hashing. It also addresses dealing with hidden data through techniques like file encryption, steganography, and partition hiding. Recommended exercises include studying encryption algorithms, BitLocker, steganography, and validation tools.

Uploaded by

ABC
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
69 views11 pages

Digital Forensics Essentials

This document discusses topics related to computer forensics analysis and validation. It covers scope creep in investigations, basic investigation steps, situations requiring plan alterations, data validation importance and tools, and benefits of hashing. It also addresses dealing with hidden data through techniques like file encryption, steganography, and partition hiding. Recommended exercises include studying encryption algorithms, BitLocker, steganography, and validation tools.

Uploaded by

ABC
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 11

Digital Forensics

Module 5
Computer Forensics Analysis and Validation

Dr. Nagaraj S V & Prof Seshu Babu Pulagara, VIT


Chennai
2

Scope creep
 Scope creep happens when investigation expands beyond the original
description
 Occurs when unanticipated evidence is found
 May be caused because attorneys want more exploration to be done by
the investigators
 Increases time and effort
 In criminal cases more detailed examination is often needed before trial
3

Exercise
 List the basic steps to be taken for all digital forensics investigations.
Hints:
Use formatted disks/ media free of malware
Observe the state of the impounded computer
Make a list of hardware on the suspect’s computer
Work on the drive’s contents in an orderly fashion, according to logical
reasoning etc.
4

 Give examples of situations where it may be needed to alter and /or


fine-tune a plan for investigation
 Explain the importance of validating forensic data. Mention the tools
that can be used for this purpose
 List the benefits of hashing for digital forensics
5

Dealing with hidden data


 Cyber criminals often try to hide data
 Common techniques include
1. Altering file extensions
2. Setting up password protection for files
3. Using encryption
4. Using steganography
5. Fixing file attributes to hidden
6. Hiding entire disk partitions
7. Shifting bits
6

 File header and footer information helps in determining file extensions


 The Windows diskpart remove letter command can be used to hide disk
partitions
 The diskpart assign letter command can reverse the above process
 There are many tools for partitioning disks e.g. Partition Magic,
Partition Master, and Linux Grand Unified Bootloader (GRUB)
7

 Answering for all disk space when analyzing an evidence drive can help
detect hidden partitions
 Analyzing disk areas containing space that cannot be reported can also help
detect hidden partitions
 A data-hiding technique used in FAT file systems is placing secret or
criminative data in free or slack space on disk partition clusters
 Good clusters can be marked as bad clusters to make them appear
unusable
8

 Encrypted files are hard to work with unless passwords, passphrases


or key escrows are available
 Key escrow is an arrangement in which the keys needed to decrypt 
encrypted data are held in escrow so that, under certain
circumstances, an authorized third party may gain access to those
keys.
9

Exercise
 Study some encryption algorithms
 Read about BitLocker - a full volume encryption feature included
with Microsoft Windows versions
https://en.wikipedia.org/wiki/BitLocker
 Study the Encrypting File System
https://en.wikipedia.org/wiki/Encrypting_File_System
 Explore steganography https://en.wikipedia.org/wiki/Steganography
10

 Explore how tools such as OSForensics can be used to perform forensic


analysis on various file systems
 Explore the use of hexadecimal editors for validation
https://en.wikipedia.org/wiki/Hex_editor
 Explore how tools can be used to perform validation
 Explore how to deal with data hidden using steganography
11

References
 Nelson, Amelia Philips, Christopher Steuart, “ Guide to Computer
Forensics and Investigations”, Fifth Edition, 2015
 Wikipedia

You might also like