The document discusses digital forensics. It defines digital forensics as the restoration and inspection of material detected in digital devices, often related to cybercrime. The major goal is to duplicate original data and preserve evidence while reconstructing past events. Rules of digital forensics include making a copy of evidence without modifying original media and maintaining a clear chain of custody. Types of digital forensics discussed include computer, network, mobile device, and memory forensics. Ethical issues and norms are also outlined.
Chapter 2 DF
DIGITAL FORENSICS
DR. NILAKSHI JAIN
CHAPTER TWO
Introduction to Digital Forensics and Digital Evidences

2.1 Digital Forensic
2.2 Need
2.3 Rules of Digital Forensic
2.4 Types
2.5 Ethical Issues
2.6 Investigations
2.7 Digital Evidences
2.8 Rules of Digital Evidence
2.9 Characteristics
2.10 Types of Evidence
2.11 Challenges in Evidence Handling

Introduction to Digital Forensic

• Forensic science is a well-established science that plays a critical role in criminal justice systems.
• Forensic science is often referred to as forensics.
• Digital forensics is also referred to as digital forensic science, a branch of computer forensic science that includes the restoration and inspection of material detected in digital devices, often in relation to a cybercrime.
• Digital forensics is a series of steps to uncover and analyze electronic data through the scientific method. The major goal of the process is to duplicate the original data and preserve the original evidence, and then to perform the investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events.

Need of Digital Forensic

• The meaning of the word “forensics” is “to bring to the court”.
• It is necessary for network administrators and security staff of networked organizations to practice computer forensics, and they should have knowledge of the laws, because the rate of cyber crimes is increasing greatly.
• The major goal of computer forensics is to recognize, gather, protect and examine data in a way that protects the integrity of the collected evidence, so that it can be used efficiently and effectively in a case.

Rules of Digital Forensic

Rule 1. An examination should never be performed on the original media.
Rule 2. A copy is made onto forensically sterile media. New media should always be used if available.
Rule 3. The copy of the evidence must be an exact, bit-by-bit copy (sometimes referred to as a bit-stream copy).
Rule 4. The computer and the data on it must be protected during the acquisition of the media to ensure that the data is not modified (use a write-blocking device when possible).
Rule 5. The examination must be conducted in such a way as to prevent any modification of the evidence.
Rule 6. The chain of custody of all evidence must be clearly maintained to provide an audit log of who might have accessed the

Types of Digital Forensic

1. Computer Forensics – the identification, preservation, collection, analysis and reporting on evidence found on computers, laptops, and storage media in support of investigations and legal proceedings.
2. Network Forensics – the monitoring, capture, storing, and analysis of network activities or events in order to discover the source of security attacks, intrusions or other problem incidents, that is, worms, viruses, or malware attacks, abnormal network traffic and security breaches.
3. Mobile Devices Forensics – the recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets, and game consoles. Mobile device forensics involves the recovery of digital evidence or data from mobile devices.
4. Digital Image Forensics – the extraction and analysis of digitally acquired photographic images to validate their authenticity by recovering the metadata of the image file to ascertain its history.
5. Digital Video/Audio Forensics – the collection, analysis, and evaluation of sound and video recordings. The science is the establishment of authenticity as to whether a recording is original and whether it has been tampered with, either maliciously or accidentally.
6. Memory Forensics – the recovery of evidence from the RAM of a running computer, also called live acquisition.

Ethical Issues

• “Ethics” is derived from the ancient Greek word ethikos, meaning “moral, showing moral character”. Ethics in the digital forensics field can be defined as a set of moral principles that regulate the use of computers; some common drawbacks of computer forensics include intellectual property resources, privacy concerns, and the impact of computers on society.
• Ethical decision-making in digital forensics work comprises one or more of the following:
1. Honesty toward the investigation.
2. Prudence, which means carefully handling the digital evidence.
3. Compliance with the law and professional norms.

General Ethics Norms for Investigator in Digital Forensic Field

Before starting the investigation in the digital forensic field, the investigator should satisfy the following points.
1. Should contribute to society and human beings.
2. Should avoid harm to others.
3. Should be honest and trustworthy.
4. Should be fair and take action not to discriminate.
5. Should honor property rights, including copyrights and patents.
6. Should give proper credit to intellectual property.
7. Should respect the privacy of others.
8. Should honor confidentiality.

Unethical Norms for Digital Forensic Investigation

The investigator should not:
1. Uphold any relevant evidence.
2. Declare any confidential matters or knowledge learned in an investigation without an order from a court of competent jurisdiction or without the client’s consent.
3. Express an opinion on the guilt or innocence of any party.
4. Engage or involve in any kind of unethical or illegal conduct.
5. Deliberately or knowingly undertake an assignment beyond his or her capability.
6. Distort or falsify education, training or credentials.
7. Display bias or prejudice in findings or observations.
8. Exceed or outpace authorization in conducting examinations.

Digital Forensic Investigations

• Digital investigations, DFIs, forensic examination, and forensic investigations have all been used to describe an investigation where a digital device forms part of the incident.
• A DFI is thus a special type of investigation in which the scientific procedures and techniques used permit the results, that is, the digital proof, to be allowable in a court of law.
• The results of a DFI should have a legal basis. Proof cannot be directly read, and a few tools are employed to look at the state of the information.
• Digital forensic investigation, or DFI, is a special type of investigation where the scientific procedures and techniques used allow the results – digital evidence – to be admissible in a court of law.

Introduction to Digital Evidences

• Digital evidence is any information or data of value to an investigation that is stored on, received by, or transmitted by an electronic device.
• Evidence can be stated as any information that can be confident or trusted and can prove something related to a case in trial, that is, indicating that a certain substance or condition is present.

The Best Evidence Rule:
• The best evidence rule is that the original or true writing or recording must be confessed in court to prove its contents without any expectations.
• We define best evidence as the most complete copy or a copy which includes all necessary parts of evidence, which is closely related to the original evidence.
• It states that multiple copies of electronic files may be a part of the “original” or equivalent to the “original”.

Original Evidence:
• We define original evidence as the truth or real (original) copy of the evidence media which is given by a client/victim.
• We define best evidence as the most complete copy, which includes all the necessary parts of the evidence that are closely related to the original evidence.
• There should be an evidence protector which will store either the best evidence or original evidence for every investigation in the evidence safe.

Rules of Digital Evidence

• Rule of evidence is also called law of evidence.
• It surrounds the rules and legal principles that govern all the proof of facts.
• The rules must be:
1. Admissible: The evidence must be usable in the court.
2. Authentic: The evidence should act positively to an incident.
3. Complete: A proof that covers all perspectives.
4. Reliable: There ought to be no doubt about the reality of the specialist’s decision.
5. Believable: The evidence should be understandable and believable to the jury.

Rule 103: Rule of evidence
1. Maintaining a claim of error.
2. No renewal of objection or proof.
3. Aim an offer of proof.
4. Plain error taken as notice.

• Evidence collection should always be performed to ensure that it will withstand legal proceedings. Key criteria for handling such evidence are outlined as follows:
1. The proper protocol should be followed for acquisition of the evidence irrespective of whether it is physical or digital. Gentle handling should be exercised for those situations where the device may be damaged (e.g., dropped or wet).
2. Special handling may be required for some situations. For example, when the device is actively destroying data through disk formatting, it may need to be shut down immediately to preserve the evidence. On the other hand, in some situations, it would not be appropriate to shut down the device so that the digital forensics expert can examine the device’s temporary memory.
3. All artifacts, physical and/or digital, should be collected, retained, and transferred using a preserved chain of custody.
4. All materials should be date and time stamped, identifying who collected the evidence and the location it is being transported to after initial collection.
5. Proper logs should be maintained when transferring possession.
6. When storing evidence, suitable access controls should be implemented and tracked to certify the evidence has only been accessed by authorized individuals.

Characteristics of Digital Evidence

1. Locard’s Exchange Principle
• According to Edmond Locard’s principle, when two items make contact, there will be an interchange.
• When an incident takes place, a criminal will leave a hint evidence at the scene and remove a hint evidence from the scene. This alteration is known as the Locard exchange principle.

2. Digital Stream of Bits
• Cohen refers to digital evidence as a bag of bits, which in turn can be arranged in arrays to display the information.
• The information in continuous bits will rarely make sense, and tools are needed to show these structures logically so that they are readable.

Types of Evidence

There are many types of evidence, each with their own specific or unique characteristics. Some of the major types of evidence are as follows:
1. Illustrative evidence
2. Electronic evidence
3. Documented evidence
4. Explainable evidence
5. Substantial evidence
6. Testimonial

1. Illustrative Evidence:
Illustrative evidence is also called demonstrative evidence. It is generally a representation of an object which is a common form of proof. For example, photographs, videos, sound recordings, X-rays, maps, drawings, graphs, charts, simulations, sculptures, and models.

2. Electronic Evidence:
Electronic evidence is nothing but digital evidence. As we know, the use of digital evidence in trials has greatly increased. The evidence or proof that can be obtained from an electronic source is called digital evidence (viz., emails, hard drives, word-processing documents, instant message logs, ATM transactions, cell phone logs, etc.).

3. Documented Evidence:
Documented evidence is similar to demonstrative evidence. However, in documentary evidence, the proof is presented in writing (viz., contracts, wills, invoices, etc.). It can include any number of media. Such documentation can be recorded and stored (viz., photographs, recordings, films, printed emails, etc.).

4. Explainable Evidence (Exculpatory):
This type of evidence is typically used in criminal cases in which it supports the dependent, either partially or totally removing their guilt in the case. It is also referred to as exculpatory evidence.

5. Substantial Evidence:
A proof that is introduced in the form of a physical object, whether whole or in part, is referred to as substantial evidence. It is also called physical evidence. Such evidence might consist of dried blood, fingerprints, and DNA samples, casts of footprints, or tires at the scene of crime.

6. Testimonial Evidence:
It is a kind of evidence spoken by a spectator under oath, or written evidence given under oath by an official declaration, that is, affidavit. This is one of the common forms of evidence in the system.

Challenges in Evidence Handling

1. Authentication of Evidence
The evidence collected by any person/investigator should be collected using authenticated methods and techniques, because during court proceedings it will become major evidence to prove the crime. In other words, for providing a piece of evidence of the testimony, it is necessary to have the evidence authenticated by a spectator who has personal knowledge of its origin.

2. Maintaining the chain of custody means that the evidence collected should not be accessed by any unauthorized individual and must be stored in a tamper-proof manner. For each item obtained, there must be a complete chain of custody record. Chain of custody is nothing but the requirement that you may be able to trace the location of evidence from the moment it was collected to the moment it was presented in a judicial proceeding.

3. Evidence Validation
The challenge is to ensure that the data you have collected is similar to the data provided or presented in the court. It is very common for several years to pass between the collection of evidence and the production of evidence at a judicial proceeding. To meet the challenge of validation, it is necessary to ensure that the original media matches the forensic duplication by using MD5 hashes. The evidence for every file is nothing but the MD5 hash values that are generated for every file that contributes to the case. The verify function within the EnCase application can be used while duplicating a hard drive with EnCase. To perform a forensic duplication using dd, you must record an MD5 hash for both the original evidence media and the binary file or files which compose the forensic duplication.
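Added example (not part of the original slides): a minimal Python sketch of the workflow described under Rule 3, the chain-of-custody criteria and Evidence Validation, in which a bit-stream copy is hashed while it is made, a date/time-stamped custody record is written, and the duplicate is later re-hashed to detect any change. The file names, the item ID "ITEM-001", the examiner and location values and the JSON-lines log format are assumptions made for illustration, and SHA-256 is recorded alongside the MD5 value the slides call for as an addition of this example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large media never has to fit in RAM


def copy_and_hash(source, image=None):
    """Hash `source`; if `image` is given, also write a bit-stream copy to it."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    mode = "xb" if image else "wb"  # "x": refuse to overwrite an existing image
    with open(source, "rb") as src, open(image or os.devnull, mode) as dst:
        for block in iter(lambda: src.read(CHUNK), b""):  # source is read-only
            md5.update(block)
            sha256.update(block)
            dst.write(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def log_custody(log_path, item, action, person, location, hashes):
    """Append one date/time-stamped chain-of-custody record (JSON lines)."""
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(), "item": item,
             "action": action, "by": person, "location": location, **hashes}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image, log_path):
    """Re-hash the image and compare it with the hashes logged at acquisition."""
    with open(log_path, encoding="utf-8") as log:
        acquired = json.loads(log.readline())
    current = copy_and_hash(image)
    return all(current[k] == acquired[k] for k in ("md5", "sha256"))


def demo():
    """Acquire constructed sample media, verify it, then detect a 1-byte change."""
    with tempfile.TemporaryDirectory() as case:
        media = os.path.join(case, "media.bin")  # stands in for the original
        image = os.path.join(case, "image.dd")   # the forensic duplicate
        log = os.path.join(case, "custody.jsonl")
        with open(media, "wb") as f:
            f.write(b"constructed sample evidence\n" * 4096)
        hashes = copy_and_hash(media, image)
        log_custody(log, "ITEM-001", "acquired", "Examiner A", "Lab safe 1", hashes)
        intact = verify_image(image, log)
        with open(image, "r+b") as f:            # simulate a later modification
            f.seek(100)
            f.write(b"X")
        return intact, verify_image(image, log)


if __name__ == "__main__":
    print(demo())
```

On real media the source would be a device attached through a write blocker (Rule 4), and the custody log itself would be kept under the access controls described in the evidence-handling criteria.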