Chapter 2: Digital forensic tools and data acquisition process

Chapter Two of the document discusses digital forensic tools and the data acquisition process, covering essential hardware and software used in digital forensics investigations. It highlights the importance of maintaining the chain of custody, processing the scene, and the steps involved in data acquisition and recovery. Additionally, it explains various file systems and their characteristics relevant to data storage and organization.

Uploaded by Liyat Tesfaye

COMPUTER CRIME & DIGITAL FORENSIC
CHAPTER TWO : DIGITAL FORENSIC TOOLS AND DATA ACQUISITION PROCESS

INSTRUCTOR: SAMUEL TAMIRAT, PhD candidate
MAIN POINTS

• Computer hardware
• Digital forensic hardware and tools
• Digital forensic software
• Processing scenes
• Chain of custody
• Data storage, structure and acquisition
• Data recovery
• File systems
COMPUTER HARDWARE BASICS
DIGITAL FORENSIC HARDWARE /TOOLS

• Forensic hardware: specialized tools and devices designed for use in digital forensic investigations.
• These devices are used to acquire, analyze and preserve electronic evidence from digital sources without altering the original.
DIGITAL FORENSIC HARDWARE /TOOLS (CONT.…)
1. Write Blocker
• Purpose: Prevents any write operation from reaching the evidence media, so the original data cannot be modified during acquisition, whether by the examiner or by the operating system itself (automatic mounting, journal replay, indexing).
• Examples:
• Tableau Write Blockers
• WiebeTech Write Blockers
• Caveat: validate the blocker before relying on it (NIST's Computer Forensic Tool Testing program publishes test reports for hardware and software write blockers) and record its make, model and firmware in the acquisition notes.
DIGITAL FORENSIC HARDWARE /TOOLS (CONT.…)
2. Imaging Device
• Purpose: Creates forensic images of storage devices to preserve original data for
analysis without altering the source.
• Examples:
• Forensic Disk Duplicators
• Portable Forensic Imaging Devices
DIGITAL FORENSIC HARDWARE /TOOLS (CONT.…)
3. Portable Forensic workstation
• Purpose: Compact and portable systems equipped with forensic software for on-site
analysis.
• Examples:
• Forensic laptops configured with specialized software
• Portable workstations with built-in write-blockers
DIGITAL FORENSIC HARDWARE /TOOLS (CONT.…)
4. Digital forensic Field kits
• Purpose: Comprehensive kits containing a range of tools for on-site forensic
investigations.
• Examples:
• Write-blockers
• Imaging devices
• Forensic laptops
• Cables, adapters, and accessories
DIGITAL FORENSIC SOFTWARE

• Disk imaging and analysis:
• EnCase Forensic: a widely used commercial tool for acquiring, analyzing and reporting on digital evidence. It supports disk imaging (the E01 evidence file format), file recovery and advanced analysis.
• AccessData Forensic Toolkit (FTK): a comprehensive commercial forensic platform with disk imaging (via FTK Imager), data recovery and advanced analysis of digital evidence.
• Memory forensics:
• Volatility: an open-source framework for memory forensics. It analyzes the volatile memory (RAM) of a computer for running processes, network connections, loaded modules and other system state that never reaches disk.
• Rekall: another open-source memory forensics framework (originally a fork of Volatility) for analyzing memory dumps; it is no longer actively maintained.
DIGITAL FORENSIC SOFTWARE (CONT.…)

• Network forensics:
• Wireshark: a widely used network protocol analyzer that captures live traffic and dissects packets from capture files. It is commonly used for network forensics.
• NetworkMiner: a passive network forensic analysis tool that parses packet captures (PCAP files) and extracts hosts, sessions, transferred files, credentials and other artifacts without generating any traffic of its own.
• Mobile forensics:
• Cellebrite UFED (Universal Forensic Extraction Device): a commercial hardware and software product for extracting and analyzing data from mobile devices, including smartphones and tablets.
DIGITAL FORENSIC SOFTWARE (CONT.…)

• Forensic analysis suites:
• Autopsy: an open-source digital forensics platform that provides a graphical interface for The Sleuth Kit, allowing investigators to conduct in-depth analyses of disk images.
• SANS SIFT (SANS Investigative Forensic Toolkit): a free Linux distribution (also shipped as a virtual machine) that bundles open-source digital forensics and incident response tools.
PROCESSING THE SCENE

• Before acquiring digital evidence, it's essential to process the scene where the evidence is
located.
• This involves
• Documentation: Record detailed information about the location of the digital evidence, the devices
present, and the overall scene conditions.
• Photography and Videography: Capture images and videos of the scene to provide a visual record of
the environment.
• Chain of Custody: Establish and maintain a chain of custody for all seized devices and evidence. This
documentation tracks the handling, transfer, and storage of evidence from the scene to the forensic lab.
• Seizure and Labeling: Properly seize and label all digital devices, ensuring that each device is uniquely
identified for later reference.
CHAIN OF CUSTODY

• Chain of custody is a record of every person who has been in possession of an item of evidence.
• The goal is to maintain a document that shows exactly what happened to the evidence from the time it was found to the time it is presented in court.
REQUIREMENTS OF CHAIN OF CUSTODY

• List of evidence items
• The location where each item is stored
• Signature of the individual releasing the evidence to another individual or location
• Signature of the individual receiving the evidence from another individual or location
• Date and time of each transfer
• Reason for the transfer
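These requirements can be checked mechanically. The following is an added example (not from the slides): a minimal custody record as a Python dataclass carrying the fields listed above, plus a continuity check that flags a gap in possession (a releaser who was not the previously documented holder), timestamps that run backwards, and a change in the evidence hash between hand-overs. The field names, the people and the sample entries are constructed assumptions.

```python
"""Chain-of-custody record with continuity and integrity checks.

Added example, not from the original slides. Field names and the sample
entries below are assumptions constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class Transfer:
    item_id: str        # evidence label on the bag/tag, e.g. "EV-001"
    released_by: str    # person releasing the item
    received_by: str    # person (or storage custodian) receiving it
    location: str       # where the item is stored after this transfer
    reason: str         # why the transfer happened
    timestamp: str      # ISO-8601 UTC, e.g. "2024-03-01T09:15:00Z"
    image_sha256: str   # SHA-256 of the forensic image at hand-over time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_custody(log: List[Transfer]) -> List[str]:
    """Return a list of findings; an empty list means the chain is unbroken.

    Checks: every entry refers to the same item, each releaser is the previous
    receiver (no undocumented possession), timestamps never go backwards, and
    the evidence hash is identical at every hand-over.
    """
    findings: List[str] = []
    for i in range(1, len(log)):
        prev, cur = log[i - 1], log[i]
        if cur.item_id != prev.item_id:
            findings.append(f"entry {i}: item id changed from {prev.item_id} to {cur.item_id}")
        if cur.released_by != prev.received_by:
            findings.append(
                f"entry {i}: released by {cur.released_by!r}, but last documented holder "
                f"was {prev.received_by!r}")
        if cur.timestamp < prev.timestamp:
            findings.append(f"entry {i}: timestamp {cur.timestamp} precedes previous entry")
        if cur.image_sha256 != prev.image_sha256:
            findings.append(f"entry {i}: evidence hash changed since previous hand-over")
    return findings


# Constructed sample data: a stand-in for a forensic image and two custody logs.
IMAGE = b"constructed forensic image bytes"
H = sha256_hex(IMAGE)

GOOD_LOG = [
    Transfer("EV-001", "First responder A", "Examiner B", "Forensic lab, locker 3",
             "Transport from scene to lab", "2024-03-01T09:15:00Z", H),
    Transfer("EV-001", "Examiner B", "Evidence custodian C", "Evidence room, shelf 12",
             "Storage after imaging", "2024-03-01T16:40:00Z", H),
    Transfer("EV-001", "Evidence custodian C", "Court clerk D", "Courthouse exhibit vault",
             "Presentation in court", "2024-04-10T08:00:00Z", H),
]

# Same item, but the hand-over from Examiner E to custodian C was never
# documented, and the image hash is different at the final transfer.
BROKEN_LOG = [
    GOOD_LOG[0],
    Transfer("EV-001", "Examiner B", "Examiner E", "Lab bench 2",
             "Second examination", "2024-03-02T10:00:00Z", H),
    Transfer("EV-001", "Evidence custodian C", "Court clerk D", "Courthouse exhibit vault",
             "Presentation in court", "2024-04-10T08:00:00Z", sha256_hex(IMAGE + b"x")),
]

if __name__ == "__main__":
    print("good log:", check_custody(GOOD_LOG) or "no findings")
    for f in check_custody(BROKEN_LOG):
        print("broken log:", f)
```

The hash column is what lets a third party tie the paper trail to the bytes: if the digest recorded at the first hand-over does not match the image in the evidence room, the document alone proves nothing about the data.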
DATA STORAGE

• Digital data is ultimately a sequence of 1s and 0s.
• Those bits must be interpreted into a form a human can make sense of.
• In a computer, data is represented at different layers:
• Physical layer
• Hard disk, SSD, RAM
• An image at this layer is a bit-by-bit copy of the whole device, including the partition table and any unpartitioned space
• Logical layer
• Partitions/volumes (C: drive, D: drive)
• An image at this layer contains only what is inside the partition
• File system
• A method for storing data (files and directories) inside a partition
• Created when the partition is formatted
• File system types (FAT32, exFAT, NTFS, HFS/HFS+)
DATA STRUCTURE

• Data is stored in a physical location (hard disk, RAM).
• Recovering data for forensics requires that the data be organized in a known way and stored in a known location.
• A physical disk image is a bit-by-bit copy (exactly identical to the source).
• A data structure is a representation of data: the rules applied to a group of bytes in order to understand what the data means (for example a partition table entry or a file system boot sector).
• Slide figures: binary representation; hexadecimal representation
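To make the physical/logical distinction and the "rules applied to a group of bytes" concrete, here is an added Python example (not from the slides). It builds a small constructed disk image with an MBR partition table, parses the table, slices one partition out as a logical image, and renders bytes as the hex/ASCII view examiners read in a hex editor. The disk layout, partition types and OEM strings are assumptions made for the test data.

```python
"""Physical vs logical layer: parse an MBR partition table and slice a
partition (logical image) out of a whole-disk (physical) image.

Added example, not part of the original slides. The disk built below is
constructed test data; partition layout and labels are assumptions.
"""
import struct
from typing import Dict, List

SECTOR = 512
PART_TYPES = {
    0x07: "NTFS or exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective MBR",
}
# One 16-byte table entry: status, CHS start, type, CHS end, LBA start, sector count
ENTRY_FMT = "<B3sB3sII"


def parse_mbr(sector0: bytes) -> List[Dict]:
    """Return the non-empty entries of the four-slot MBR partition table at 0x1BE."""
    if len(sector0) < SECTOR or sector0[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not an MBR sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, sector0, 0x1BE + 16 * i)
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "start_lba": start,
            "sectors": count,
            "byte_offset": start * SECTOR,
            "byte_length": count * SECTOR,
        })
    return parts


def logical_image(physical: bytes, part: Dict) -> bytes:
    """A logical image is just the partition's byte range of the physical image."""
    return physical[part["byte_offset"]: part["byte_offset"] + part["byte_length"]]


def hexdump(data: bytes, width: int = 16) -> List[str]:
    """Offset, hex bytes and printable ASCII per line, like a hex editor."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X}  {hexpart:<{width * 3}} {text}")
    return lines


def build_test_disk() -> bytes:
    """Constructed 64-sector disk: FAT32 partition at LBA 8, NTFS partition at LBA 32."""
    disk = bytearray(64 * SECTOR)
    layout = [(0x0C, 8, 24), (0x07, 32, 32)]          # (type, start LBA, sector count)
    for i, (ptype, start, count) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, disk, 0x1BE + 16 * i,
                         0x80 if i == 0 else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
    disk[0x1FE:0x200] = b"\x55\xAA"
    # Each volume boot record starts with a jump and an OEM/file-system name at offset 3.
    disk[8 * SECTOR: 8 * SECTOR + 11] = b"\xEB\x58\x90MSDOS5.0"
    disk[32 * SECTOR: 32 * SECTOR + 11] = b"\xEB\x52\x90NTFS    "
    return bytes(disk)


if __name__ == "__main__":
    disk = build_test_disk()
    for p in parse_mbr(disk):
        print(p)
    print("\n".join(hexdump(logical_image(disk, parse_mbr(disk)[1])[:32])))
```

The same parsing logic applied to a real physical image tells you where each logical image begins, and any bytes outside the listed partitions (gaps, unpartitioned tail space) are exactly what a logical-only acquisition would have missed.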
DATA ACQUISITION

• Once write-blocking is ensured, the next step is to create a forensic image of the storage
media.
• This involves making a bit-for-bit copy of the entire contents of the storage device,
including both allocated and unallocated space.
• The forensic image serves as a duplicate of the original evidence for analysis, leaving the
original device untouched.
DATA ACQUISITION (CONT.…)

• Common tools used for hard drive acquisition include
• EnCase Forensic: creates forensic images (E01), analyzes digital evidence and generates reports.
• AccessData Forensic Toolkit (FTK): a comprehensive forensic platform that includes imaging (through FTK Imager), analysis and reporting.
• dd (Linux/Unix command): a command-line tool that can create a bit-for-bit copy of a disk or partition. Forensic variants such as dcfldd and dc3dd add on-the-fly hashing, logging of unreadable sectors and split output.
• Autopsy: an open-source platform that provides a graphical interface for The Sleuth Kit. Autopsy itself analyzes images; the image is normally produced first with one of the tools above and then added to an Autopsy case.
DATA ACQUISITION (CONT.…)

• Considerations: how can we
• get the best possible copy of the data,
• preserve all the data,
• ensure the acquired data is correct, and
• ensure the acquired data can be verified by a third party?
DATA ACQUISITION STEPS

• Identify what to acquire and how
• HDD, SSD, RAM (volatile data such as RAM must be captured first, while the system is still running; it is lost on power-off)
• How to copy the data
• In a forensically sound way (through a write blocker)
• How to save the data
• As a forensic disk image (raw/dd or E01)
• Ensure the copy is exactly the same as the original
• Cryptographic hashes of the source and of the image (MD5, SHA-1). MD5 and SHA-1 are no longer collision resistant, so record SHA-256 as well, and keep all values in the acquisition log so a third party can re-verify.
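The acquisition and verification steps above, as an added Python example (not from the slides and not the code of dd or any tool named on this page). It copies a source block by block while hashing the written stream with MD5, SHA-1 and SHA-256, zero-fills and logs unreadable blocks the way dd conv=noerror,sync does so that image offsets stay aligned with the source, and then re-hashes the finished image to verify it. The FlakyReader class and the byte pattern are constructed test inputs standing in for a real device behind a write blocker.

```python
"""Forensic imaging with on-the-fly hashing and post-copy verification.

Added example, not part of the original slides. The FlakyReader and all
data are constructed test inputs; on a real case the source would be a
block device opened read-only behind a hardware write blocker.
"""
import hashlib
import io
import os
import tempfile
from typing import Dict, List, Tuple

# MD5/SHA-1 for compatibility with older reports, SHA-256 as the strong digest.
HASH_ALGOS = ("md5", "sha1", "sha256")


def new_hashers() -> Dict:
    return {a: hashlib.new(a) for a in HASH_ALGOS}


def acquire(src, dst, block_size: int = 4096) -> Tuple[Dict[str, str], List[int]]:
    """Bit-for-bit copy of src into dst.

    Returns (digests of the written stream, offsets of unreadable blocks).
    An unreadable block is replaced by zeros of the full block size and the
    source is moved past it, so every later byte keeps its original offset.
    """
    hashers = new_hashers()
    bad_blocks: List[int] = []
    offset = 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_blocks.append(offset)
            chunk = b"\x00" * block_size
            src.seek(offset + block_size)
        if not chunk:
            break
        dst.write(chunk)
        for h in hashers.values():
            h.update(chunk)
        offset += len(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}, bad_blocks


def hash_file(path: str, block_size: int = 4096) -> Dict[str, str]:
    """Re-read a finished image from disk and digest it independently."""
    hashers = new_hashers()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify(image_path: str, expected: Dict[str, str]) -> bool:
    """True only if every recorded digest matches the image on disk."""
    actual = hash_file(image_path)
    return all(actual[a] == expected[a] for a in HASH_ALGOS)


class FlakyReader(io.BytesIO):
    """Constructed stand-in for a drive with unreadable sectors at given offsets."""

    def __init__(self, data: bytes, bad_offsets):
        super().__init__(data)
        self.bad = set(bad_offsets)

    def read(self, size=-1):
        if self.tell() in self.bad:
            raise OSError(f"simulated I/O error at offset {self.tell()}")
        return super().read(size)


def run_demo(block_size: int = 4096) -> Dict:
    """Image a clean source and one with a bad block; return what a report would record."""
    data = bytes(range(256)) * 40          # 10240 bytes of constructed 'disk' content
    with tempfile.TemporaryDirectory() as tmp:
        clean_img = os.path.join(tmp, "clean.dd")
        with io.BytesIO(data) as src, open(clean_img, "wb") as dst:
            clean_hashes, clean_bad = acquire(src, dst, block_size)
        flaky_img = os.path.join(tmp, "flaky.dd")
        with FlakyReader(data, [block_size]) as src, open(flaky_img, "wb") as dst:
            flaky_hashes, flaky_bad = acquire(src, dst, block_size)
        with open(flaky_img, "rb") as f:
            flaky_bytes = f.read()
        source_hashes = {a: hashlib.new(a, data).hexdigest() for a in HASH_ALGOS}
        return {
            "clean_matches_source": clean_hashes == source_hashes,
            "clean_bad_blocks": clean_bad,
            "clean_verified": verify(clean_img, clean_hashes),
            "flaky_bad_blocks": flaky_bad,
            "flaky_verified": verify(flaky_img, flaky_hashes),
            "flaky_same_size": len(flaky_bytes) == len(data),
            "flaky_zeroed": flaky_bytes[block_size:2 * block_size] == b"\x00" * block_size,
            "flaky_differs_from_source": flaky_hashes["sha256"] != source_hashes["sha256"],
        }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Note what the bad-block case shows: the image verifies against the digest computed while writing, but it can no longer match a digest of the original device, so the acquisition log must list the unreadable offsets; a verifier comparing against a source hash would otherwise conclude the image is wrong.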
DATA RECOVERY

• An attempt to pull as much information out of the data as possible:
• deleted files
• hidden partitions/files
• file fragments
• To recover the data:
• examine the known structure (file system metadata, file headers and footers),
• find where the structure starts and ends,
• try to recover the missing values.
• PhotoRec: an open-source file carving tool designed to recover lost files (pictures, videos, documents, archives) from hard disks, CD-ROMs and camera memory cards by scanning for known file signatures, independently of the file system.
• Caveat: carving recovers only data that is still physically present. On SSDs the TRIM command lets the drive discard deleted blocks, so deleted-file recovery is far less reliable than on spinning disks.
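The "examine the known structure, find where it starts and ends" approach is what a signature carver does. Added Python example (not the slides' content and not PhotoRec's code): it scans a raw image for file header and footer signatures at sector-aligned offsets, returns each header-to-footer span, and skips headers that have no footer within a size limit. The 64 KiB image and the two embedded "files" are constructed test data; they carry correct magic bytes only and are not viewable images.

```python
"""Signature-based file carving over unallocated space.

Added example, not from the original slides and not PhotoRec's code. The raw
image built below is constructed test data with header/footer-correct
stand-ins for a JPEG and a PNG.
"""
from typing import Dict, List

# (header magic, footer magic). Footer search is bounded by max_size.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024, align: int = 512) -> List[Dict]:
    """Find header..footer spans and return them ordered by offset.

    Headers are accepted only on `align`-byte boundaries: file systems start
    files at sector/cluster boundaries, so this removes many false hits from
    signatures that occur inside other data. A header with no footer within
    max_size is skipped. Fragmented files cannot be recovered this way.
    """
    found: List[Dict] = []
    for ext, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            if start % align != 0:
                pos = start + 1
                continue
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1
                continue
            end += len(footer)
            found.append({"type": ext, "offset": start, "size": end - start,
                          "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def build_test_image() -> bytes:
    """Constructed 64 KiB 'unallocated' region with two deleted files inside."""
    fake_jpg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x11" * 3000 + b"\xFF\xD9"
    fake_png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
                + b"\x22" * 1500 + b"IEND\xAE\x42\x60\x82")
    image = bytearray(64 * 1024)
    image[4096:4096 + len(fake_jpg)] = fake_jpg          # sector 8
    image[20480:20480 + len(fake_png)] = fake_png        # sector 40
    # A stray JPEG header at an unaligned offset with no footer after it.
    image[40000:40003] = b"\xFF\xD8\xFF"
    return bytes(image)


if __name__ == "__main__":
    for f in carve(build_test_image()):
        print(f"{f['type']} at offset {f['offset']} ({f['size']} bytes)")
```

Real carvers go further than this: they validate the internal structure (a JPEG's segment markers, a PNG's chunk CRCs), because JPEG files often contain an embedded thumbnail with its own FFD8/FFD9 pair, and a header-only match on a zero-filled region is worthless. The align parameter is what keeps a signature that happens to appear mid-file from being carved as a file of its own.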
FILE SYSTEM

• File system: provides the way data is stored and organized on a storage device.
• FAT32
• Supports individual file sizes up to just under 4 GB (the file size field in a directory entry is 32 bits).
• Supports volumes up to 2 TB with 512-byte sectors.
• Widely compatible with various operating systems, including Windows, macOS, Linux and others.
• Uses a simple file and directory structure (file allocation tables plus directory entries).
• Limited to a maximum partition size of 32 GB when formatting with the built-in Windows tools; larger FAT32 volumes can be created with third-party tools.
• Provides no access control: there are only attribute flags (read-only, hidden, system, archive), no per-user permissions and no encryption.
• Suitable for smaller storage devices like USB drives, memory cards and older systems.
FILE SYSTEM (CONT.…)

• exFAT
• Microsoft's Extended File Allocation Table, designed to address the size limitations of FAT32. (Not to be confused with ext2/ext3/ext4, the Linux Extended File System family, which is unrelated.)
• exFAT supports very large file sizes, far beyond the 4 GB limit imposed by FAT32.
• exFAT supports larger volumes than FAT32, allowing storage capacities beyond what FAT32 can handle.
• Suitable for high-capacity storage devices like external hard drives and SDXC cards.
• exFAT is supported by various operating systems, including Windows, macOS and Linux.
• Like FAT32, exFAT has no journaling and no access-control metadata, so it carries fewer forensic artifacts than NTFS.
FILE SYSTEM (CONT.…)

• NTFS
• Supports individual file sizes up to 16 EB in theory; in practice a file is bounded by the volume size.
• Supports volumes up to 256 TB in size (up to 8 PB with 2 MB clusters on Windows 10 version 1709 / Windows Server 2019 and later).
• Primarily used with Windows operating systems. Non-Windows systems need drivers such as ntfs-3g or the Linux kernel's ntfs3 driver; macOS mounts NTFS read-only by default.
• Features a more advanced file and directory structure (the Master File Table, $MFT) with support for compression, encryption (EFS) and disk quotas.
• No practical limit on partition size when formatting in Windows.
• Provides advanced security features, including file-level encryption, access control lists (ACLs) and more.
• Forensically rich: the $MFT keeps timestamps in both the $STANDARD_INFORMATION and $FILE_NAME attributes, the $LogFile and $UsnJrnl journals record file activity, and alternate data streams can hide content behind a normal-looking file.
• Suitable for modern Windows operating systems and high-capacity storage devices. NTFS is the default file system for Windows.
FILE SYSTEM (CONT.…)

• HFS (Hierarchical File System):
• HFS, introduced by Apple in 1985, replaced the earlier flat Macintosh File System (MFS) on Macintosh computers.
• HFS organized files and directories in a hierarchical tree structure.
• HFS Plus (HFS+):
• HFS Plus, introduced with Mac OS 8.1 in 1998, was an extension of the original HFS.
• HFS+ addressed limitations of the original HFS, such as the maximum file and volume sizes and the coarse allocation-block granularity on large volumes.
• It supported larger files and volumes and introduced Unicode support for file names.
• HFS+ was in turn replaced as the default macOS file system by APFS (Apple File System) starting with macOS 10.13 High Sierra in 2017, so current Mac and iOS evidence is usually APFS.
