digital forensics

Digital forensics is a discipline that has evolved since the 1980s to address the complexities of digital evidence from various devices. It follows strict rules regarding evidence integrity, chain of custody, and legal compliance, with the primary goal of uncovering and presenting admissible digital evidence in court. Various models and ethical considerations guide the investigation process, emphasizing the importance of maintaining objectivity, confidentiality, and proper evidence handling throughout the investigation lifecycle.

Uploaded by bhukansatyam69
1.1 Digital Forensics:
History of Digital Forensics:
• Digital forensics emerged as a discipline in the 1980s as computers
became more integral to society and crime. Early digital forensics
primarily involved recovering data from magnetic storage devices.
• Over time, as the complexity of digital technologies grew, digital
forensics expanded to cover a wide range of devices, including mobile
phones, servers, and cloud-based systems.
• High-profile criminal cases in the late 1990s and 2000s highlighted the
need for formal forensic methods, leading to the development of
standards and procedures used today.
Rules of Digital Forensics:
• Integrity: Evidence must remain unaltered from the moment of
discovery through analysis and presentation.
• Chain of Custody: Proper documentation of all movements of evidence
from collection to presentation to ensure its authenticity.
• Legal Compliance: All forensic activities must comply with the law,
including respecting privacy rights and obtaining proper warrants.
• Documentation: Detailed records must be kept of all steps taken during
the investigation.
• Reliability: Forensic tools and methods used must be scientifically
accepted and validated.
Digital Forensics Investigation and Its Goal:
• Goal: The primary goal is to uncover, preserve, analyze, and present
digital evidence in a way that is admissible in court. It aims to understand
how a crime was committed, who was involved, and the scope of the
crime.
• Investigation Steps:
1. Identification of potential evidence.
2. Preservation of evidence to prevent contamination.
3. Collection of evidence following legal protocols.
4. Examination and analysis of evidence.
5. Documentation of findings.
6. Presentation of findings in a court of law.
1.2 Models of Digital Forensic Investigation:
DFRWS Investigative Model:
• The Digital Forensics Research Workshop (DFRWS) investigative model
is a structured framework for conducting investigations. It emphasizes a
process-driven approach that includes evidence collection, analysis, and
reporting in a systematic, repeatable process.
Abstract Digital Forensics Model (ADFM):
• The ADFM offers a high-level conceptual framework for understanding
the digital forensics process. It focuses on the key phases of a forensic
investigation: collection, analysis, and presentation, and is useful for
understanding the key concepts without delving into specific
technicalities.
Integrated Digital Investigation Process (IDIP):
• The IDIP is a comprehensive model that integrates multiple stages of
investigation. It highlights the continuous feedback loops between
evidence collection, analysis, and presentation, allowing for a more
iterative approach that adapts as new evidence emerges.
End-to-End Digital Investigation Process (EEDIP):
• The EEDIP is a process model that spans from the initial detection of an
incident through to the final presentation in court. It is a more thorough
model than others, ensuring all aspects of the digital evidence lifecycle
are captured, including response and recovery.
An Extended Model for Cybercrime Investigation:
• This model extends traditional forensic processes to specifically address
cybercrimes. It includes additional considerations for network-related
evidence and incorporates techniques to deal with the high volume and
complexity of data typically involved in cybercrime investigations.
UML Modelling of Digital Forensic Process Model (UMDFPM):
• The UMDFPM applies Unified Modeling Language (UML) to represent
the forensic process. It allows investigators and stakeholders to visualize
and understand the complex relationships between different steps of the
investigation, improving both communication and understanding.
1.3 Ethical Issues in Digital Forensics:
General Ethical Norms for Investigators:
• Objectivity: Investigators must be impartial and avoid bias in their
analysis.
• Confidentiality: They must maintain the confidentiality of sensitive
information.
• Respect for Privacy: Investigators must respect the privacy rights of
individuals and ensure that they only access information necessary for
the investigation.
• Professional Integrity: Investigators should act in a manner that
preserves the credibility and trust of their profession.
Unethical Norms for Investigation:
• Misuse of Power: Using forensic tools or techniques for personal gain or
outside of the legal process.
• Tampering with Evidence: Modifying or destroying evidence to fit a
preconceived narrative or to mislead investigations.
• Failure to Preserve Evidence: Neglecting proper documentation and
handling of evidence, leading to potential contamination or loss.
• Conflicts of Interest: Engaging in investigations where there is a personal
stake, which could impair objectivity or lead to biased outcomes.
2.1 Computers and the Nature of Digital Information:
Magnetic Hard Drives and Tapes:
• Magnetic hard drives (HDDs) store data by using a magnetic field to
record binary information on a rotating disk. They have high storage
capacities and relatively low costs, making them common in both
consumer and enterprise environments.
• Magnetic tapes, which are typically used for backup or archival purposes,
store data using a similar magnetic mechanism but on long, flexible
tapes. They are slower but are an economical solution for large-scale
storage needs.
Optical Media Storage Devices:
• Optical media like CDs, DVDs, and Blu-ray discs store data using laser
light to read and write information. Data is stored in pits and lands on
the surface of the disc, which are read by a laser. Though optical media
offer a long shelf life, they are less commonly used in modern systems
due to their slower speed and lower storage capacities.
Random-Access Memory (RAM):
• RAM is volatile memory used by computers for temporarily storing data
that is actively being used or processed. Data stored in RAM is erased
when the power is turned off. Forensically, RAM can contain vital
information, such as passwords, encryption keys, and the list of running
processes, which is why it must be captured while the system is still
running rather than after a shutdown.
Solid-State Drive (SSD) Storage Devices:
• SSDs use flash memory to store data, offering faster read and write
speeds compared to traditional hard drives. Unlike HDDs, SSDs have no
moving parts, making them more durable. However, due to wear leveling
and other features, recovering deleted data from SSDs can be more
challenging compared to HDDs.
Network-Stored Data:
• Network storage refers to data stored on remote servers or devices
connected via a network, such as network-attached storage (NAS) or file
servers. Data may reside in various locations within a network, and
forensic investigators must account for potential access points like email
servers or shared drives.
The Cloud:
• Cloud storage refers to data stored on remote servers maintained by
third-party service providers like Google Drive, Dropbox, or Amazon Web
Services. Cloud storage allows for remote access but introduces
challenges in terms of jurisdiction, access control, and data recovery,
especially if the data is deleted or encrypted.
2.2 File Systems that Contain Evidence:
File System Category:
• A file system organizes data on storage devices and defines how files are
stored, named, and accessed. Forensic investigators need to understand
the structure of different file systems (e.g., NTFS, FAT32, EXT4) to
effectively locate evidence. Some file systems support advanced features
like journaling or encryption, which can impact the discovery of
evidence.
Filename Category:
• The filename itself often contains vital information about the contents of
a file. Forensic investigators may focus on analyzing filename patterns or
extensions to identify potential evidence (e.g., .docx for documents or
.exe for executables).
Metadata Category:
• Metadata includes information about a file beyond its content, such as
timestamps (creation, modification, access), file size, and owner.
Metadata can help establish timelines and provide evidence of the file's
origin, use, or modifications.
Content Category:
• The content of the file itself is often the most important for
investigation. This refers to the actual data within a file, such as text in a
document or images in a photo. Forensics tools can help extract content
and analyze it, especially if the file is hidden or encrypted.
2.3 Locating Evidence in File Systems:
Determining the Means of Transgression, Opportunity to Transgress, and the
Motive to Transgress:
• To locate evidence, investigators must understand the means,
opportunity, and motive behind the crime. The means refer to how the
perpetrator carried out the crime (e.g., through hacking, using a
particular software tool). The opportunity refers to the conditions that
allowed the crime to take place (e.g., access to a specific system or
network). The motive refers to the reason behind the crime (e.g.,
financial gain, revenge).
Deciding Where to Look for Possible Evidence:
• Investigators must choose where to search based on the crime’s nature.
Evidence might be found in specific locations, such as user directories,
temporary files, log files, or system directories. By knowing how data is
typically structured, investigators can focus their search to save time and
increase efficiency.
Indexing and Searching for Files:
• Forensic investigators use specialized tools to index file systems and
quickly search for evidence. Searching for keywords, file types, file
signatures, and file attributes is a critical part of the forensic process.
Tools like FTK Imager, EnCase, and Autopsy help automate this process.
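Searching by file signature rather than by name is what lets an examiner catch a file whose extension was changed to hide it. The following is an added example (not code from these notes or from FTK Imager, EnCase or Autopsy) that walks a directory tree, reads the leading bytes of each file, and reports files whose content signature disagrees with their extension. The signature table and the sample files are constructed for the example; a real tool carries a far larger signature database.

```python
from __future__ import annotations
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed table of well-known file signatures ("magic bytes") for this example.
# A real examination tool would use a much larger signature database.
SIGNATURES = {
    b"\xFF\xD8\xFF": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also the container for .docx/.xlsx/.pptx/.jar
    b"MZ": "exe",           # Windows PE executable (and .dll)
    b"\x7fELF": "elf",
}

# Extensions that legitimately carry another type's signature.
ALIASES = {"docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
           "jpeg": "jpg", "dll": "exe"}


def identify(header: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if no signature matches."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def check_file(path: str) -> dict:
    """Compare what the extension claims with what the content signature says."""
    with open(path, "rb") as f:
        header = f.read(16)
    ext = Path(path).suffix.lstrip(".").lower()
    claimed = ALIASES.get(ext, ext)
    actual = identify(header)
    return {"path": path, "extension": ext, "signature_type": actual,
            # An unknown signature is not a mismatch; only a positive
            # identification that disagrees with the extension is flagged.
            "mismatch": actual is not None and actual != claimed}


def scan_tree(root: str) -> list:
    """Walk a directory tree and return only the files whose extension disagrees with content."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            rec = check_file(os.path.join(dirpath, name))
            if rec["mismatch"]:
                findings.append(rec)
    return findings


if __name__ == "__main__":
    # Constructed sample tree: an executable renamed to look like a photo,
    # plus two files whose extension and content agree.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "holiday.jpg").write_bytes(b"MZ\x90\x00" + bytes(60))
        Path(d, "report.pdf").write_bytes(b"%PDF-1.7\n%constructed")
        Path(d, "notes.docx").write_bytes(b"PK\x03\x04" + bytes(26))
        for rec in scan_tree(d):
            print(f"{rec['path']}: named .{rec['extension']} but content is {rec['signature_type']}")
```

Only the first 16 bytes of each file are read, so the scan does not alter content, and it should be run against a working copy rather than the original medium so that access timestamps on the evidence are not disturbed.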
Unallocated Data Analysis:
• Unallocated data refers to the space on a disk that has been marked as
available for new files but may still contain remnants of deleted files.
Analyzing this space can uncover files that were deleted but not yet
overwritten. Forensic investigators use disk imaging and recovery tools
to examine unallocated space for evidence.
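A deleted file in unallocated space has no directory entry or filename left, so recovery has to work from the content alone. The following is an added example (not from these notes or any named tool) of the simplest recovery technique, header/footer carving: it scans a raw byte buffer for the start and end markers of JPEG and PNG files and lifts out everything between them. The "disk image" is constructed inline, with two deleted pictures sitting among zero-filled free clusters; the 16 MiB search limit is an assumption chosen for the example.

```python
from __future__ import annotations
import hashlib

# Start and end markers for two common image formats.
# JPEG: begins FF D8 FF, ends FF D9.  PNG: fixed 8-byte signature, ends with the IEND chunk and its CRC.
CARVERS = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 16 * 1024 * 1024  # assumption: give up on a header with no footer within 16 MiB


def carve(data: bytes) -> list:
    """Header/footer carving over a raw byte buffer, e.g. the unallocated region of an image.
    Returns one record per recovered object, ordered by offset."""
    found = []
    for kind, (head, tail) in CARVERS.items():
        pos = data.find(head)
        while pos != -1:
            end = data.find(tail, pos + len(head), pos + MAX_SIZE)
            if end == -1:
                break  # truncated or overwritten object: header without footer
            blob = data[pos:end + len(tail)]
            found.append({
                "type": kind,
                "offset": pos,
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),  # hash at recovery time for the record
                "data": blob,
            })
            pos = data.find(head, end + len(tail))
    return sorted(found, key=lambda r: r["offset"])


def build_sample_image() -> bytes:
    """Constructed 'disk image': a deleted JPEG and PNG among zero-filled free clusters."""
    jpeg = b"\xFF\xD8\xFF\xE0" + b"JFIF\x00" + bytes(range(40)) + b"\xFF\xD9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + bytes(17)
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    return bytes(512) + jpeg + bytes(300) + png + bytes(1024)


if __name__ == "__main__":
    for rec in carve(build_sample_image()):
        print(f"{rec['type']} at offset {rec['offset']}, {rec['size']} bytes, sha256 {rec['sha256'][:16]}...")
```

Carving by markers alone cannot tell a complete file from fragments, which is why the recovered object is hashed and its offset logged: the examiner can later reproduce exactly what was recovered from where. Fragmented files, whose clusters are not contiguous, need smarter carvers than this.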
2.4 Password Security, Encryption, and Hidden Files:
User Access to Computer Devices:
• User access is controlled by authentication methods, such as passwords,
biometrics, or tokens. Investigators may need to determine whether
unauthorized access to a system occurred and what information was
accessed.
Importance of Information Confidentiality, Integrity, and Availability:
• Confidentiality ensures that sensitive information is only accessible to
authorized individuals.
• Integrity ensures that data has not been altered or tampered with.
• Availability ensures that authorized users can access information when
needed. These principles are critical in maintaining the security of
devices and data during forensic investigations.
User Access Security Controls:
• Security controls such as passwords, two-factor authentication, and
account lockout policies are used to protect user access. Investigators
may attempt to bypass these controls if necessary, but they must adhere
to ethical and legal standards during this process.
Encrypted Devices and Files:
• Encryption is a security measure that transforms readable data into
unreadable code to prevent unauthorized access. Investigators must be
aware of encryption methods (e.g., AES, RSA) and may need to decrypt
files to retrieve evidence. Some encrypted devices or files can be
challenging to crack without the appropriate keys or passwords.
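Before any question of keys arises, the examiner has to find out which files or regions are encrypted in the first place. Well-encrypted (or compressed) data is statistically indistinguishable from random bytes, so a Shannon entropy measure close to 8 bits per byte is the usual triage signal. The following is an added example (not from these notes) that computes entropy for a whole file and per fixed-size block, so that an encrypted container hidden inside an otherwise ordinary file shows up as a high-entropy region. The thresholds and the sample data are assumptions constructed for the example.

```python
from __future__ import annotations
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for identical bytes, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(data: bytes, high: float = 7.5, low: float = 5.0) -> str:
    """Coarse triage label from whole-file entropy. Thresholds are assumptions for this example;
    compressed archives and media files also score high, so this is a lead, not a verdict."""
    h = shannon_entropy(data)
    if h >= high:
        return "likely encrypted or compressed"
    if h <= low:
        return "likely plain text or structured data"
    return "mixed or binary"


def high_entropy_regions(data: bytes, block: int = 4096, threshold: float = 7.5) -> list:
    """Offsets of fixed-size blocks whose entropy exceeds the threshold: a quick way to spot an
    encrypted volume or payload embedded inside a file whose overall entropy looks ordinary."""
    return [off for off in range(0, len(data), block)
            if shannon_entropy(data[off:off + block]) >= threshold]


def sample_file() -> bytes:
    """Constructed input: 4 KiB of repetitive text followed by 4 KiB of uniformly distributed bytes
    standing in for ciphertext."""
    text = (b"Quarterly report: revenue up 4%.\n" * 128)[:4096]
    ciphertext_like = bytes(range(256)) * 16
    return text + ciphertext_like


if __name__ == "__main__":
    data = sample_file()
    print("whole file:", round(shannon_entropy(data), 3), classify(data))
    print("high-entropy blocks at offsets:", high_entropy_regions(data))
```

The whole-file score of the sample lands in the middle band, which is exactly why the per-block scan matters: the embedded region is only visible when entropy is measured locally.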
3.1 Digital Evidence:
Definition:
• Digital evidence refers to any data stored or transmitted in digital form
that can be used in a legal investigation. This can include files, emails,
logs, records, and any other form of digital information that may have a
bearing on a case.
Best Evidence Rule:
• The Best Evidence Rule requires that the original version of a document
or evidence be presented in court unless it is unavailable or there is a
valid reason for not presenting the original. In digital forensics, this can
be challenging as copies or digital representations are often more
accessible than the original data.
Original Evidence:
• Original evidence refers to the actual item or data that is being used to
establish facts in an investigation. In the case of digital evidence, this is
typically the device or storage medium that contains the data, such as a
hard drive, smartphone, or server.
3.2 Rules of Digital Evidence:
• Digital evidence must be collected, preserved, analyzed, and presented
according to strict legal and technical rules. This includes ensuring:
1. Authentication: Evidence must be proven to be what it claims to
be.
2. Chain of Custody: The handling and movement of evidence must
be thoroughly documented to ensure its integrity.
3. Preservation: Evidence must be protected from tampering,
alteration, or destruction.
4. Admissibility: The evidence must be relevant and legally obtained
for it to be admissible in court.
3.3 Characteristics of Digital Evidence:
Locard's Exchange Principle:
• Locard's Exchange Principle states that "every contact leaves a trace,"
meaning that whenever a person interacts with a digital system,
evidence will likely be left behind. In digital forensics, this could involve
traces such as files, logs, timestamps, or residual data left on storage
devices.
Digital Stream of Bits:
• Digital evidence is composed of a stream of bits (binary data). This
means that digital evidence does not have physical characteristics, such
as paper documents, and can be easily copied or altered. The bit-stream
nature of digital evidence requires forensic investigators to handle it
carefully to avoid corruption or modification.
3.4 Types of Evidence:
• Illustrative Evidence: Non-testimonial evidence used to help explain or
illustrate facts (e.g., graphs, charts, and diagrams derived from digital
data).
• Electronics: Devices or systems that produce or store data, such as
computers, smartphones, or network devices, which can hold digital
evidence.
• Explainable Evidence: Evidence that can be explained logically or
scientifically, such as log files or system records that show user activity or
file interactions.
• Testimonial Evidence: Evidence provided by a witness, either in person
or through a written statement, explaining the facts related to the case.
• Documented Evidence: Evidence that has been documented or
recorded, such as metadata, records of transactions, or digital photos.
• Substantial Evidence: Evidence that is significant and directly supports
the case or helps establish key facts of the investigation.
3.5 Challenges in Evidence Handling:
• Authentication of Evidence: Proving that digital evidence is what it
claims to be, especially when dealing with complex data formats,
encrypted files, or files that could be easily modified.
• Chain of Custody: Maintaining an accurate, documented history of who
has had control over the evidence to ensure that it has not been
tampered with or altered during the investigative process.
• Evidence Validation: Validating that the digital evidence is complete,
reliable, and correctly reflects the original data. This can include ensuring
that any analysis tools used are functioning properly and have not
introduced errors or changes.
3.6 Volatile Evidence:
• Volatile evidence refers to data that is temporary and can disappear
quickly. This can include information stored in RAM, network
connections, or system logs. Volatile evidence is crucial in cybercrime
investigations because it can provide real-time insights into what
occurred on a system before it is erased or overwritten. Investigators
must prioritize capturing this evidence quickly to ensure it is not lost.
3.7 Evidence Handling Procedure:
Evidence System Description:
• The evidence system involves procedures and practices used to track
and manage digital evidence through the entire lifecycle of the
investigation, from collection to presentation in court.
Digital Photos:
• Digital photos of the evidence should be taken during the collection
process to document the physical state of the evidence and its location.
These photos are often included as part of the evidence record.
Evidence Tag:
• An evidence tag is placed on the physical evidence to uniquely identify
it. It typically contains details such as the evidence number, description,
and date of collection.
Evidence Label:
• An evidence label includes information that uniquely identifies the
evidence, including a description, serial number, and other pertinent
information. The label ensures that the evidence can be easily tracked
and managed.
Evidence Storage:
• Digital evidence must be stored securely to prevent tampering, theft, or
loss. This often involves physical security (locked storage or safes) as well
as logical security (encryption and access control for digital storage).
Evidence Log:
• An evidence log is used to record every action taken with the evidence,
including who handled it, when, and why. This is essential to maintaining
an unbroken chain of custody.
Working Copies:
• A working copy refers to a duplicate of the original digital evidence.
Investigators work with these copies to analyze and process the data,
preserving the integrity of the original evidence.
Evidence Backup:
• Evidence backups should be made during the collection process to
ensure that the data is preserved in case of corruption or loss during
analysis.
Evidence Disposition:
• Evidence disposition refers to the proper handling or disposal of
evidence after the investigation is complete, which may include returning
it to its owner, storing it for future use, or destroying it if no longer
needed.
Evidence Custodial Audit:
• Evidence custodial audits are regular checks to ensure that the evidence
is being properly stored and accounted for. Audits are vital for verifying
the integrity and security of digital evidence.
Evidence Safe:
• An evidence safe is a secure physical or digital storage location used to
store evidence. Digital evidence might be stored in encrypted drives or
on secure servers.
Shipping Evidence Media:
• When evidence needs to be transported, proper procedures must be
followed to ensure it is protected during shipment. This may include
physical packaging, encryption of digital files, and documentation to
maintain the chain of custody.
3.8 Ethical Issues/Legal Principles of Digital Evidence:
Circumstantial and Hearsay Nature of Digital Evidence:
• Digital evidence can sometimes be circumstantial, meaning it may
suggest a conclusion but does not directly prove the fact. Similarly,
hearsay issues may arise when digital evidence refers to statements or
data not directly observed or verified by the investigator.
Authorization to Conduct Digital Forensics Investigation:
• Investigators must have proper legal authorization (e.g., a warrant or
consent) to conduct digital forensics investigations. Unauthorized access
to systems or data can result in the evidence being inadmissible and
possible legal consequences for the investigator.
Authenticity of Digital Evidence:
• The authenticity of digital evidence must be established to ensure that
the evidence is original and has not been tampered with. Digital
signatures, hashing algorithms, and other techniques are used to
validate authenticity.
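Hashing is what ties the Working Copies and Evidence Log procedures of section 3.7 to the authenticity requirement above: the original is hashed once, every copy is proven bit-identical to it, and every later check compares against the recorded value. The following is an added example (not code from these notes) that implements that flow: a chunked SHA-256 so multi-gigabyte images never have to fit in memory, an append-only custody log in JSON Lines, a working-copy step that refuses to proceed if the copy does not match, and a verification step that detects later changes. The image contents, actor name and file names are constructed for the example.

```python
from __future__ import annotations
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash in 1 MiB chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only JSON-lines log: who did what to which item, when, and the hash observed."""

    def __init__(self, path: Path):
        self.path = path

    def record(self, item: str, action: str, actor: str, sha256: str, note: str = "") -> dict:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "item": item,
                 "action": action, "actor": actor, "sha256": sha256, "note": note}
        with open(self.path, "a") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self) -> list:
        if not self.path.exists():
            return []
        return [json.loads(line) for line in self.path.read_text().splitlines() if line]


def make_working_copy(original: Path, dest: Path, actor: str, log: CustodyLog) -> str:
    """Duplicate the evidence image and prove the duplicate is bit-identical before analysis."""
    src_hash = sha256_file(original)
    log.record(original.name, "hash-original", actor, src_hash)
    shutil.copyfile(original, dest)
    dst_hash = sha256_file(dest)
    log.record(dest.name, "create-working-copy", actor, dst_hash, note=f"copied from {original.name}")
    if dst_hash != src_hash:
        raise RuntimeError("working copy does not match the original; stop and re-image")
    return dst_hash


def verify_unchanged(path: Path, log: CustodyLog) -> bool:
    """Authenticity check: does the item still hash to the first value recorded for it?"""
    baseline = next((e["sha256"] for e in log.entries() if e["item"] == path.name), None)
    return baseline is not None and sha256_file(path) == baseline


def demo() -> dict:
    """Run the whole flow on a constructed image and return the observations."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        original = d / "evidence.dd"
        original.write_bytes(bytes(range(256)) * 64)      # constructed 16 KiB 'image'
        log = CustodyLog(d / "custody.jsonl")
        copy_hash = make_working_copy(original, d / "working.dd", "examiner-01", log)
        before = verify_unchanged(d / "working.dd", log)
        # Simulate an analysis tool that wrote to the working copy by mistake.
        with open(d / "working.dd", "r+b") as f:
            f.seek(0)
            f.write(b"\xff")
        after = verify_unchanged(d / "working.dd", log)
        return {"copy_hash": copy_hash, "verified_before": before,
                "verified_after_tamper": after,
                "original_intact": verify_unchanged(original, log),
                "log_entries": len(log.entries())}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The single byte changed in the simulated mishap is enough to fail verification, and the original still verifies, which is the point of analysing only copies. In practice the log file itself should live on write-once or access-controlled storage, since a log the examiner can rewrite proves little.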
Scientific Method:
• The scientific method requires that forensic investigations be objective,
systematic, and reproducible. This means investigators must use
validated forensic tools and methods and document every step of their
analysis to ensure the reliability and validity of the evidence.
3.9 Digital Evidence and Metadata:
• Metadata refers to data about data. In the context of digital evidence,
metadata can include information such as the file's creation date,
modification date, author, and file size. This metadata is often crucial in
forensic investigations as it can help establish timelines, ownership, and
possible alterations or tampering with files.
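The timestamps described here (and under the Metadata Category in section 2.2) become useful once they are merged into a single ordered timeline, the same idea behind "mactime"-style listings. The following is an added example (not from these notes) that collects size and timestamps for every file under a directory using lstat, so nothing is opened or followed, then builds a timeline with one row per instant and an MACB column marking which of the modification, access, change and birth stamps coincide. The sample records and the back-dated file in the demo are constructed for the example.

```python
from __future__ import annotations
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int
    mtime: float                   # last content modification
    atime: float                   # last access
    ctime: float                   # metadata change on Unix, creation on Windows
    btime: Optional[float] = None  # birth (creation) time where the OS exposes it


def stat_tree(root: str) -> List[FileRecord]:
    """Collect timestamps for every file under root without opening or modifying any of them."""
    records = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)  # lstat: do not follow symlinks, do not touch a target's atime
            records.append(FileRecord(p, st.st_size, st.st_mtime, st.st_atime, st.st_ctime,
                                      getattr(st, "st_birthtime", None)))
    return records


def build_timeline(records: Iterable[FileRecord]) -> List[Tuple[float, str, str, int]]:
    """mactime-style timeline: one row per (timestamp, file), with an MACB column marking
    which of the four stamps fall on that instant. Rows are ordered by time."""
    rows = {}
    for r in records:
        for flag, ts in (("m", r.mtime), ("a", r.atime), ("c", r.ctime), ("b", r.btime)):
            if ts is None:
                continue
            flags, _ = rows.setdefault((ts, r.path), (set(), r.size))
            flags.add(flag)
    out = []
    for (ts, path), (flags, size) in rows.items():
        macb = "".join(f.upper() if f in flags else "." for f in "macb")
        out.append((ts, macb, path, size))
    return sorted(out)


def render(timeline: Iterable[Tuple[float, str, str, int]]) -> str:
    """Human-readable listing with UTC timestamps, so rows from different systems compare."""
    return "\n".join(
        f"{datetime.fromtimestamp(ts, timezone.utc).isoformat()}  {macb}  {size:>8}  {path}"
        for ts, macb, path, size in timeline)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "invoice.pdf")
        with open(sample, "wb") as f:
            f.write(b"%PDF-constructed")
        # Back-date access and modification; the change time stays at 'now', which is the
        # kind of inconsistency a timeline makes visible.
        os.utime(sample, (1_700_000_000, 1_690_000_000))
        print(render(build_timeline(stat_tree(d))))
```

A file whose modification time precedes its creation time, or whose change time is far later than its modification time, is a common sign of timestamp manipulation, and it is only apparent when all four stamps are laid out side by side as this does.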
