Principles of Security - 1911194

Topic 10: Digital Forensics and Ethical Hacking
Learning Objectives
• Upon completion of this topic, you will learn about:
• Digital forensics terminology
• Evidence
• Stages of digital forensics
• Tools and challenges
Digital Forensics & Ethical Hacking
Definition of Digital Forensics
Definition 1:
• Digital forensics can be defined as the science of applying the stages of an
investigation process (identifying, preserving, recovering, analyzing, and
presenting the evidence relating to a crime) so that the result is in a format
accepted by a court.
Definition of Digital Forensics - Continue

Definition 2
Digital forensics can also be defined as the process of detecting, extracting,
and analyzing digital evidence from digital media. This definition is simple
yet comprehensive, and it covers the main stages of any investigation process.
Evidence

Definition of Evidence

• Digital evidence is information stored or transmitted in binary form that
may be relied on in court. It can be found on a computer hard drive, a mobile
phone, a tablet, network devices, etc.

• Digital evidence is commonly associated with electronic crime, or e-crime.
Evidence - Continue

• What are examples of digital evidence?

• Computer documents, emails, text and instant messages, transactions, images
and Internet histories are examples of information that can be gathered from
electronic devices and used very effectively as evidence.
Evidence - Continue

• What are the sources of digital evidence?

• There are three major categories of devices where evidence can be found:
Internet-based devices, stand-alone computers or devices, and mobile devices.
Evidence - Continue
• Internet-based devices: routers, firewalls, switches, cloud servers, and
monitoring software such as intrusion detection systems and packet sniffers.
• Stand-alone computers or devices: client devices, servers, portable devices,
embedded devices, application software, digital cameras, hard drives,
CD-ROMs, USB drives, etc.
• Mobile devices: smartphones and tablets, including the social media
accounts and the audio and video files they hold.
Computer Forensics Tools
• Digital evidence can exist on a number of different platforms and in many
different forms. Forensic investigation often includes analysis of files,
emails, network activity and other potential artifacts and sources of clues to
the scope, impact and attribution of an incident.
• Due to the wide variety of potential data sources, digital forensics tools
often have different specialties. This list outlines some of the most common
and widely used tools for accomplishing different parts of a computer
forensics investigation.
Computer Forensics Tools - Continue
List of Computer Forensics Tools:-
1- Disk analysis: Autopsy/the Sleuth Kit
• The Sleuth Kit is a command-line tool that performs forensic analysis of forensic
images of hard drives and smartphones. Autopsy is a GUI-based system that
uses the Sleuth Kit behind the scenes.
• The tools are designed with a modular and plug-in architecture that makes it
possible for users to easily incorporate additional functionality. Both tools are free
and open-source, but commercial support and training are available as well.
Computer Forensics Tools - Continue
2- Image creation: FTK imager
• The benefit of analyzing an image (rather than a live drive) is that working
on a verified copy allows the investigator to prove that they have made no
modifications to the original drive that could affect the forensic results.
• With this tool, deleted files can also be recovered from computer drives as
well as from the Recycle Bin.
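The Python script below is an added example, not code from the slides or from FTK Imager. It shows the signature-based file carving that underlies "recovering deleted files" from a raw image: the filesystem no longer references the file, but its header and footer bytes are still on disk, so the carver finds them without consulting any directory entries. The disk image, the two embedded files and the small signature table are constructed for the example.

```python
"""File carving over a raw disk image.

Added example (not from the slides or from FTK Imager): search a raw image
for known file-type signatures and recover the bytes between header and
footer. The disk image is constructed inline.
"""
import hashlib

# Header/footer signatures (minimal, hypothetical set; real carvers such as
# scalpel or foremost ship far larger signature databases).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # give up on a header with no footer within 10 MiB


def carve(image: bytes, signatures=SIGNATURES):
    """Return a list of (type, offset, data) for every header/footer pair found.

    The search is signature-based only: it ignores filesystem metadata, so a
    file whose directory entry was deleted is still recovered as long as its
    data blocks have not been overwritten.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + MAX_CARVE)
            if end == -1:
                pos = start + 1          # header with no footer: skip it
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def build_sample_image() -> bytes:
    """Constructed disk image: zero-filled sectors with two 'files' embedded.

    The JPEG stands in for a deleted file with no directory entry; the PNG
    sits a few sectors later. Payloads are placeholders, not real images.
    """
    jpeg = SIGNATURES["jpg"][0] + b"\x00" * 40 + b"JPEG-PAYLOAD" + SIGNATURES["jpg"][1]
    png = SIGNATURES["png"][0] + b"IHDR" + b"\x00" * 20 + b"PNG-PAYLOAD" + SIGNATURES["png"][1]
    sector = 512
    image = bytearray(sector * 16)
    image[sector * 2: sector * 2 + len(jpeg)] = jpeg
    image[sector * 7: sector * 7 + len(png)] = png
    return bytes(image)


if __name__ == "__main__":
    image = build_sample_image()
    for ftype, offset, data in carve(image):
        # Hash each carved object so it can be documented and re-verified later.
        print(f"{ftype} at offset {offset:#x}, {len(data)} bytes, "
              f"sha256={hashlib.sha256(data).hexdigest()}")
```

Run against a real `dd` image, the same loop would read the file in chunks rather than holding it in memory; the logic, and the caveat that a carved object is only as trustworthy as its header/footer match, stays the same.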
Computer Forensics Tools - Continue
3- Memory forensics: Volatility

• Important forensic information is held in RAM, and this volatile memory must
be collected quickly and carefully to be forensically valid and useful.

• Volatility is a specialized memory (RAM) forensics tool that extracts
information from a memory image about the processes that were running on the
device at capture time, so that they can be examined for malware.
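As an added example (not part of the slides and not Volatility's code), the Python below does the first thing an examiner often does with a RAM image before or alongside structured tooling: carve printable strings out of it, including the UTF-16LE strings that Windows uses for most in-memory text and that a plain ASCII `strings` pass misses, and match them against indicator patterns. The memory image and the indicator set are constructed for the example.

```python
"""Carving printable strings out of a raw memory dump.

Added example, not from the slides or from the Volatility project: pull
ASCII and UTF-16LE strings out of a RAM image and match them against a
small set of indicator patterns. The dump is constructed inline.
"""
import re

MIN_LEN = 6
# Printable ASCII run; UTF-16LE is the same run with a 0x00 after each byte.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicator patterns applied to recovered strings (hypothetical starting set).
IOC_RES = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "cmdline": re.compile(r"(?i)\b(?:powershell|cmd\.exe|rundll32)\b[^\x00]*"),
}


def extract_strings(dump: bytes):
    """Yield (offset, encoding, text) for every ASCII / UTF-16LE run."""
    for m in ASCII_RE.finditer(dump):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(dump):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_iocs(dump: bytes):
    """Return [(offset, encoding, ioc_type, matched_text)] sorted by offset."""
    hits = []
    for offset, enc, text in extract_strings(dump):
        for kind, rx in IOC_RES.items():
            for m in rx.finditer(text):
                hits.append((offset, enc, kind, m.group()))
    return sorted(hits)


def build_sample_dump() -> bytes:
    """Constructed RAM image: padding with a few process artefacts embedded."""
    parts = [
        b"\x00" * 64,
        b"C:\\Users\\alice\\Documents\\report.docx",        # benign ASCII path
        b"\x00" * 32,
        "powershell -enc SQBFAFgA".encode("utf-16le"),   # UTF-16LE command line
        b"\x00" * 32,
        b"http://203.0.113.7/update.bin",                  # URL using a TEST-NET-3 address
        b"\x00" * 64,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for offset, enc, kind, text in find_iocs(build_sample_dump()):
        print(f"{offset:#010x} {enc:8} {kind:8} {text}")
```

The offsets reported are offsets into the dump file, not virtual addresses; mapping a hit back to the owning process is exactly the step a structured tool such as Volatility adds on top of this.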
Computer Forensics Tools - Continue

4- Windows registry analysis: Registry Recon

• The Windows registry acts as a database of configuration information for the
Windows OS and the applications running on it. Applications store a variety of
data in the registry, and it is one of the most common locations where malware
deploys persistence mechanisms (for example, autostart entries).
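The Python below is an added example, not code from the slides or from Registry Recon. It parses the text of a .reg export of the CurrentVersion\Run keys, the autostart location the slide identifies as a common persistence point, and flags entries whose executable lives somewhere legitimate autostart programs rarely do. The export is constructed for the example and the list of suspicious directories is a hypothetical starting point, not a complete rule set; only REG_SZ values are decoded, while hex(2) (REG_EXPAND_SZ) and binary values are reported for manual review.

```python
"""Hunting persistence in an exported Windows Run key.

Added example (not from the slides or from Registry Recon): parse a .reg
export and flag autostart entries that run from user-writable or temporary
directories. Sample export and heuristics are constructed for the example.
"""
import re

RUN_KEYS = ("\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
            "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce")
SUSPICIOUS_DIRS = (r"\appdata\local\temp", r"\windows\temp", r"\users\public",
                   r"\programdata", r"\downloads", r"\$recycle.bin")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(s: str) -> str:
    """Undo .reg string escaping: backslash-backslash -> backslash, backslash-quote -> quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text: str):
    """Yield (key_path, value_name, raw_data) for every value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, unescape(m.group(1)), m.group(2)


def executable_path(data: str):
    """For a REG_SZ command line, return the program path (quoted or first token)."""
    if not data.startswith('"'):
        return None                        # hex(...), dword:..., etc.
    cmd = unescape(data[1:-1])
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def suspicious_autoruns(reg_text: str):
    """Return [(key, name, path_or_raw, reason)] for Run entries worth examining."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        if not key.endswith(RUN_KEYS):
            continue
        path = executable_path(data)
        if path is None:
            findings.append((key, name, data, "non-string value, decode manually"))
            continue
        low = path.lower()
        if any(d in low for d in SUSPICIOUS_DIRS):
            findings.append((key, name, path, "runs from a user-writable/temporary directory"))
        elif re.search(r"\\(svchost|lsass|csrss|explorer)\.exe$", low) and "\\windows\\" not in low:
            findings.append((key, name, path, "system binary name outside the Windows directory"))
    return findings


# Constructed export: one legitimate entry, one masquerading binary in Temp,
# one REG_EXPAND_SZ value, and one value under a key that is not an autostart key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe -k netsvcs"
"Backup"=hex(2):43,00,3a,00,5c,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

if __name__ == "__main__":
    for key, name, path, reason in suspicious_autoruns(SAMPLE_REG):
        print(f"{key}\n  {name} -> {path}\n  {reason}")
```

On a real case the export comes from the offline hive (NTUSER.DAT or SOFTWARE) of the imaged system, never from the examiner's own machine, and every flagged path is then checked against the file carved from the image.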
Computer Forensics Tools- Continue
5- Mobile forensics: Cellebrite UFED

• Mobile adoption is constantly growing, and many organizations allow employees
to use these devices at work, either via BYOD programs or as corporate-owned
devices. These devices are also a growing target of cyberattacks such as
phishing, making them a likely source of valuable forensic information.
Computer Forensics Tools - Continue

6- Network analysis: Wireshark

• For network traffic analysis, Wireshark is the most popular and widely used
tool. Wireshark is free and open-source and offers dissectors for many
different types of network traffic.
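To make concrete what a "dissector" does, the Python below is an added example, not Wireshark's code: it parses the classic libpcap file format and the three headers (Ethernet, IPv4, TCP/UDP) needed to produce a conversation list of the kind Wireshark shows under Statistics > Conversations. The capture is constructed inline with documentation-range addresses so the example runs offline; checksums in the constructed frames are left zero and are not validated.

```python
"""Minimal pcap dissector: Ethernet -> IPv4 -> TCP/UDP conversation summary.

Added example (not Wireshark's code). The capture file is constructed inline.
"""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4           # microsecond-resolution pcap


def parse_pcap(data: bytes):
    """Yield (timestamp, packet_bytes) for each record in a pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:      # written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    _, _, _, _, _, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def dissect(pkt: bytes):
    """Return (src_ip, src_port, dst_ip, dst_port, proto) or None if not IPv4 TCP/UDP."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":      # EtherType must be IPv4
        return None
    ihl = (pkt[14] & 0x0F) * 4                          # IPv4 header length in bytes
    proto = pkt[23]
    src = ".".join(map(str, pkt[26:30]))
    dst = ".".join(map(str, pkt[30:34]))
    l4 = 14 + ihl
    if proto not in (6, 17) or len(pkt) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", pkt, l4)
    return src, sport, dst, dport, {6: "tcp", 17: "udp"}[proto]


def conversations(data: bytes) -> Counter:
    """Count packets per 5-tuple, like Wireshark's Conversations statistics."""
    counts = Counter()
    for _, pkt in parse_pcap(data):
        five_tuple = dissect(pkt)
        if five_tuple:
            counts[five_tuple] += 1
    return counts


def _frame(src, sport, dst, dport, proto, payload=b""):
    """Build Ethernet/IPv4/{TCP,UDP} bytes for the constructed capture (zero checksums)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    if proto == 6:   # TCP SYN, 20-byte header
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:            # UDP, 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4 + payload


def build_sample_pcap() -> bytes:
    """Constructed capture: a TLS connection, a DNS query and an odd port-4444 session."""
    frames = [
        _frame("192.0.2.10", 51000, "198.51.100.5", 443, 6),
        _frame("192.0.2.10", 51000, "198.51.100.5", 443, 6),
        _frame("192.0.2.10", 53123, "192.0.2.1", 53, 17, b"\x00" * 12),
        _frame("192.0.2.10", 4444, "203.0.113.9", 4444, 6),
    ]
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + body


if __name__ == "__main__":
    for (src, sp, dst, dp, proto), n in conversations(build_sample_pcap()).most_common():
        print(f"{proto} {src}:{sp} -> {dst}:{dp}  packets={n}")
```

Wireshark's value is the thousands of dissectors layered on top of this skeleton (TLS, DNS, HTTP and so on); the skeleton is enough to see why a capture's integrity matters, since a single corrupted record header desynchronizes every packet after it.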
Computer Forensics Tools - Continue

7- Website acquisition: FAW (Forensics Acquisition of Websites)

• FAW acquires web pages for forensic investigation and has the following
features:
• Capture the entire or partial page
• Capture all types of image
• Capture the HTML source code of the web page
• Integrate with Wireshark

Stages of Digital Forensics

A standardized forensics framework consists of the following stages (Reith et
al. 2002):
1- Identification stage: the evidence is examined by type, location, format
and condition.

• This is the first step in the forensic process. Identification covers what
evidence is present, where it is stored, and how it is stored (in which
format). Electronic storage media can be personal computers, mobile phones,
PDAs, etc.
Stages of Digital Forensics - Continue

2- Preparation stage: preparation and initialization of all the tools,
techniques, monitoring authorization and management support used throughout
the investigation process.

• Define the strategy and procedures that will be used during the investigation
to maximize the collection of relevant evidence and minimize the impact on the
victim.
Stages of Digital Forensics-Continue

3- Preservation stage: follows from the preparation stage. The identified
evidence must be preserved so that it is not changed during the investigation
process.
Stages of Digital Forensics- Continue

4- Collection stage: gathering the identified evidence. This stage entails
recording the physical scene and duplicating the digital evidence using
standardized and accepted procedures.
Stages of Digital Forensics - Continue
5- Examination stage: a deep, systematic search for the exactly relevant
evidence among everything gathered in the collection stage.
6- Analysis stage: determining the significance of the collected evidence and
the degree to which it relates to the crime.
7- Presentation stage: summary and explanation of the conclusions.
8- Returning evidence: returning all collected evidence to its proper owner.
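The preservation and collection stages above, and the point made under FTK Imager that an image lets the investigator prove the original was not modified, come down to one procedure: duplicate the media with the source opened read-only, hash both the source bytes and the finished image, and record the hashes in a chain-of-custody entry that every later stage can check against. The Python below carries that procedure through as an added example; it is not the slides' or FTK Imager's code. A constructed file stands in for the suspect drive, a software read-only open stands in for the hardware write blocker, and the examiner and case identifiers are placeholders.

```python
"""Acquisition, preservation and verification of a disk image.

Added example (not from the slides or from FTK Imager): image a constructed
'device', hash source and image, write a chain-of-custody entry, and show
that a single modified byte is detected on re-verification.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(device: str, image: str) -> dict:
    """Bit-for-bit copy of `device` to `image`, hashing the source as it is read.

    The source is opened read-only (a hardware write blocker enforces this on
    a real drive). The hash is computed from the same bytes that are written,
    then the finished image is hashed independently so a write error or
    truncation is caught at acquisition time rather than in court.
    """
    h = hashlib.sha256()
    with open(device, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    source_hash = h.hexdigest()
    image_hash = sha256_file(image)
    return {
        "source": os.path.basename(device),
        "image": os.path.basename(image),
        "bytes": os.path.getsize(image),
        "sha256_source": source_hash,
        "sha256_image": image_hash,
        "verified": source_hash == image_hash,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


def verify(image: str, record: dict) -> bool:
    """Re-hash the image at any later stage and compare with the acquisition record."""
    return sha256_file(image) == record["sha256_image"]


def custody_entry(record: dict, examiner: str, case_id: str, action: str) -> dict:
    """One chain-of-custody line: who did what to which evidence item, and when."""
    return {"case": case_id, "examiner": examiner, "action": action,
            "item": record["image"], "sha256": record["sha256_image"],
            "time": datetime.now(timezone.utc).isoformat()}


def demo_acquisition(workdir=None):
    """Acquire, verify, then flip one byte and show that verification fails."""
    workdir = workdir or tempfile.mkdtemp()
    device = os.path.join(workdir, "suspect_drive.bin")
    image = os.path.join(workdir, "suspect_drive.dd")
    with open(device, "wb") as f:                      # constructed 'drive' contents
        f.write(b"\x00" * 4096 + b"MBR-and-filesystem-data" + os.urandom(8192))
    record = acquire(device, image)
    log = [custody_entry(record, "examiner-01", "CASE-0001", "acquired")]
    intact = verify(image, record)
    with open(image, "r+b") as f:                      # simulate an accidental write
        f.seek(100)
        f.write(b"\xff")
    tampered = verify(image, record)
    log.append(custody_entry(record, "examiner-01", "CASE-0001",
                             "verification " + ("passed" if tampered else "FAILED")))
    return record["verified"], intact, tampered, log


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        verified, intact, tampered, log = demo_acquisition(d)
        print(json.dumps(log, indent=2))
        print("acquisition verified:", verified, "| still intact after tamper:", tampered)
```

Analysis work (carving, registry parsing, memory strings) is then done on a further working copy of the verified image, and the custody log gains one line per handover or verification so the chain from seizure to presentation is unbroken.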
The Importance of digital forensics

• Digital forensics has become of great importance and urgency in recent years
in all fields of the digital world, such as computers, cellular devices, cloud
computing and smart environments.

• This importance comes from the increased rate of crimes committed on or using
these devices, especially since daily life depends so heavily on them.
Main branches of digital forensics
Main branches and details about each branch

For each branch: the main goals of the branch; the source of evidence and
nature of the collected information; the category of digital devices
considered as an investigation goal; and the main stages of the branch
framework.

Computer Forensics
• Main goals: analyze information contained in and created with computer
systems and electronic data.
• Source of evidence: a wide data scope, starting with log files such as
Internet history, individual files stored on storage devices, and static
memory such as USB drives.
• Devices investigated: traditional computers such as desktops, laptops,
servers, tablets, etc.
• Main stages: Acquisition, Examination, Analysis, Reporting, Presentation.

Mobile Forensics
• Main goals: recover digital evidence from mobile devices such as cellular
phones, smartphones, mp3 players and tablets.
• Source of evidence: communication information (SMS/emails), recovery of
deleted data, contact numbers, photos, notes, and other personal information.
• Devices investigated: mobile devices such as smartphones and mp3 players.
• Main stages: Seizure, Acquisition, Examination and analysis.

Network Forensics
• Main goals: monitoring, extracting and analyzing traffic on wired and
wireless networks.
• Source of evidence: routing tables, web browser history logs, router logs,
website pages, email attachments, VoIP data.
• Devices investigated: routers, Internet applications, VoIP telephones, etc.
• Main stages: Identification, Preservation, Collection, Examination,
Analysis, Presentation.

DB Forensics
• Main goals: study and analysis of databases and their metadata for incidents
such as security attacks.
• Source of evidence: database content, metadata, cached information that may
reside in server RAM, database transactions, and queries.
• Devices investigated: storage centers, cache memory, server RAM.
• Main stages: Identification, Collection, Analysis, Documentation,
Presentation (Al-Dhaqm et al. 2017).

IoT Forensics
• Main goals: recovery of digital evidence from IoT devices such as sensors.
• Source of evidence: IoT applications, smart home applications, sensor logs
and information, and CSP log files.
• Devices investigated: IoT devices such as sensor nodes, cars, and smart
applications.
• Main stages: Collection, Examination, Analysis, Presentation.

Cloud Forensics
• Main goals: investigate crimes that have occurred in cloud computing
environments; the nature of cloud computing introduces many weaknesses that
can help to increase the level of crime.
• Source of evidence: user devices connected to the cloud computing
environment, the servers and storage centers of the cloud, and the cloud
service provider.
• Devices investigated: laptops, desktops, smartphones, storage center devices
and tablets.
• Main stages: Preparation, Identification, Evidence collection, Examination
and analysis, Presentation and reporting.