Digital Evidence

and Forensic
Digital
Evidence

2
 What is Digital Evidence
• Latent, like fingerprints or DNA
• Extremely fragile & resilient; can be altered,
damaged or destroyed easily
• Some of the common practices – curiosity
may destroy digital evidence.
• Direct analysis make it unacceptable in a
court of law

3
 What is Digital Evidence
Digital Evidence
Digital evidence is defined as information or data stored on, transmitted or received
by an electronic device/electronic communication device (ECD) in binary form,
which is of value to a crime investigation and is relied upon in court.

Digital evidence is acquired when

electronic communication device
(ECD) reported or suspected to
be involved in a crime is seized
and is examined by a cyber
forensic examiner (CFE)

4
Comparison between Digital Evidence and Physical Evidence
Digital Evidence Physical Evidence
It can be duplicated and the duplicated copy It cannot be duplicated like the digital
can be used in the place of the original evidence

Any tampering or modification of its

Any tampering or modification cannot
contents can be identified in comparison
be identified.
with the original using appropriate software

It cannot be deleted easily and can be It cannot be can be recovered if

recovered even if deleted it is
deleted
It can be reproduced if the duplicated copy It
is destroyed intentionally cannot be reproduced if
it is destroyed
It is less tangible in nature intentionally

It is more tangible in 5
 Types of Digital Evidence
Volatile Evidence Non volatile
Evidence
It refer to the frequently changing It refer to the contents that can be
information which are usually lost recovered or not loss when the power
when the power is off. is off
E.g. RAM, Temporary files, Swap E.g. ROM, Flash Memory, Hard Disk,
Space, Cache Memory Optical Disk etc.

6
Digital Forensics
Overview

7
Digital Forensics
• Digital forensics is legal and ethical
science- based professional practices of:
• Safeguarding,
• Retrieving
• Investigating and
• Objective Reporting of digital data.
• The forensics process, data and reporting is
interest in administrative, civil or criminal
issues

8
 Digital Forensics
• Computer Forensics is not
investigationjust of computers, it
is essentially
about:
• Correct process of investigation
• Rules of evidence
• Imaging & integrity of evidence
• Analysis of image of evidence
• Clear and concise
reporting of
factual information

9
Digital Forensics
• Forensic of
Investigation
Computers provides
• Recovery of deleted emails
• Investigation of a
system suspected post
termination
for
• Recovery of
employment
evidence
from a
formatted hard drive
• Analysis of a suspected system,
which has been used by multiple
users e.g. cyber cafe

10
 Digital Forensics
Methodology &
Process

11
Collection
Forensics Process
Analysis
Identifying, labelling, recording and Analysing the results of the examination, using
acquiring data from the possible sources of legally justifiable methods and techniques, to
relevant data. derive useful information

Examination Reporting
Forensically processing collected data using Reporting the results of the analysis, which may
a combination of automated and manual include describing the actions used, explaining how
methods and assessing and extracting data tools and procedures were selected, determining
of interest. what other actions need to be performed.

12
 Digital Forensics Procedure
Procedure to be done in Forensic Laboratories Evaluators may Preserve the
be expected to storage media
defend their intact till the
Scene of Crime methods of final verdict by
• Compare Process
handling the the court.
hash
value of methodically
• Forensic with the
generated examining digital evidence being
duplicate of the data
that was backed media presented.
media is created to proof for
• Identification • Done by evidence Preservatio
• Capturing that files
of Digital have
chang not n
• What
Devices
evidence is suspect evidence using Write Presentation
collection • Process
Blocker Imaging e
present, Where it
• Generating hash Analysis
is stored
and
How it is stored value.
Authentication

Acquisition
Seizure &
Hashing
Identification

13
 Who is First
Responder?
Essentially the first person notified and reacting to the security incident. First responder
may be a network administrator, law enforcement officer or investigating officer

Role of First Responder

Identifying and protecting the crime scene

Collecting as much
information about the incident as possible

Document all the findings

Preserving temporary and fragile evidence

Packaging and transporting the electronics evidence

14
First Responder’s Toolkit
First Responder Toolkit
A first responder toolkit is a set of tools that helps first responders
collect genuine and presentable evidence

It helps first responder to understand the limitations and

capabilities of electronic evidence at the time of collection

First responders have to select the trusted computer forensics

tool that gives output specific information

15
 Evidence Collecting Tools and Equipment
Evidence Collecting Tools
First responder should have general crimes scene processing tools (e.g., cameras, notepads,
sketchpads, evidence forms, crime scene tape, and makers)

Disassembly & removal

Package and Transport Documentation Tools
Tools
Supplies  Cable Tags
 Flat-blade and
 Antistatic bags  Indelible felt tip markers
Philips- type
 Antistatic bubble wrap  Stick on labels
screwdrivers
 Cable ties
 Standard Pliers and wire
 Evidence bags Other Tools
cutter
 Evidence tape  Gloves & Hand Truck
 Specialized screwdrivers
 Label tag  Magnifying Glass
 Hex-nut drivers
 Packing materials and tape  Printer Paper
 Needle-nose pliers
 Sturdy boxes of various  Seizure Disk
 Secure-bit drivers
sizes  Small Flashlight
 Small tweezers
 Star-type nut drivers

16
Evidence Collecting Tools and Equipment(Cont’d)
Hardware Tools
Notebook /Computers  Paraben Forensics
 Licensed Software Hardware
 Bootable CD  Digital Intelligence Forensic
 External Hard Drives Hardware
 Network cables  Tableau Hardware
Accelerator
 Wiebetech Forensics
Software Tools Hardware Tools
  Logicube Forensic
Encase Forensics
 Forensic Tool Kit (FTK) Hardware Tools
 ProDiscover
 Hex Workshop
 X-Ways Forensics
 Etc…

17
 Initial Search of the Scene
Isolated Computer System
Isolated Computer System (Workstation, standalone, or network server) and
other media devices that can contain digital evidence

Include Evidence Logs

Include search and Seizure evidence logs, which contains brief descriptions
of all computers, devices or media located during the search for evidence

Make a Note
Make a note of the locations on the crime scene sketch as well.

Photographs the Crime Scene

Photographs and sketch the crime scene along with a detailed accounting
of all computer evidence

18
 Digital Forensics
Process -
Collection

19
Steps in Digital Forensic investigation

• Identifying and securing the

crime
scene
• ‘as is where is’
documentation of the scene
of offence
• Collection
from of evidence
Switched-off Systems
• Procedure
• Procedure for gathering
for evidence
evidences gathering
from live systems

20
 Steps in Digital Forensic Investigation

• Forensic duplication
• Conducting interviews
• Labeling and, documenting of the evidence
• Packaging, and transportation of the evidences

21
 Seizure

Process of capturing suspect computer or

storage media for evidence collection

Collection may involve removing the electronic

device(s) from the crime or incident scene and
taking photos, documentation etc.

*Important Note*: As collection begins, those persons doing the collecting should keep the Chain of Custody in mind.

22
 Incident and Seizure (Collection)
• An incident in the context of information technology
is a presumptive or observed adverse event (s) that
impact on expected and proper services, data integrity
or confidentiality of use for a digital system.
• The legal or administrative requirement to preserve,
protect and produce extracts of digital data concerning
users and users of a particular digital system

23
Measures for Seizure
• Enumerated list of data, devices and
associated media
• Verified data extraction of logical and
physical evidence – Hash and authoritative
time/data
• Chain-of-Custody
• Transfer documentation
• Administrative records
• The collection team may or may not
perform further forensics processes i.e.
Examination – Analysis - Reporting

24
 Chain of
• When you are givenCustody
an original copy of
media to deal with you need to
document the
handling of it,
• Where it was stored
• Who had access to it
• What was done to it
• Whenisit was
• This doneas a
known of custody,
chain
provides documentation to show it that the
integrity of the data was preserved and not
open to alteration, inadvertent modification,
“state” interference or perhaps spoliation.

25
Chain of Custody
Form

26
 Order of
Order of Volatility
Volatility
CFE should pay due attention and collects digital evidence without violating the
order of volatility.
The order is as follows:
• CPU, cache, and register content
• Routing table, ARP cache, process
table, kernel
• Memory
• Temporary file system or swap space
• Data on hard disk
• Remotely logged data
• Physical configuration and
network topology
• Data contained on archival media

27
 Procedure for Gathering Evidence from
Switched Off Systems
1. Secure and take control of the area
containing the equipment.
2. Allow any printers to finish printing.
3. Move people away from any computers
and power supplies.
4. Don’t, in any circumstances, switch
the
computer on.

28
 Procedure for Gathering Evidence from
Switched Off Systems
5. Make sure that the computer is switched off
– some screen savers may give the appearance
that the computer is switched off, but hard
drive and monitor activity lights may indicate
that the machine is switched on.
6. Remove the battery from laptop computers.

29
 Procedure for Gathering Evidence from
Switched Off Systems

7. Unplug the power and other devices from

sockets: a computer that is apparently
switched off may be in sleep mode and may
be accessed remotely, allowing the alteration
or deletion of files.

30
 Procedure for Gathering Evidence from
Switched Off Systems
8. Label and photograph (or video) all the
components and if no camera is available,
draw a sketch plan of the system.
9. Label the ports and cables so that the
computer may be reconstructed at a later
date.

31
Procedure for Gathering Evidence from
Switched Off Systems
10. Carefully remove the equipment and
record the unique identifiers – the
main unit, screen, keyboard and other
equipment will have separate
identifiers.
11. Ensure that all items have signed and
completed exhibit labels attached to
them as failure to do so may create
difficulties with continuity and cause
the equipment to be rejected by the
forensic examiners.

32
 Procedure for Gathering Evidence from
Switched Off Systems
12. Search area for diaries, notebooks or pieces
of paper with passwords on which are often
stuck to or close to the computer.
13. Consider asking the user if there are any
passwords and if these are given record
them accurately.

33
Procedure for Gathering Evidence from
Live System (Switched On Systems)
1. Secure the area containing the equipment &
move people away from computer and power
supply.
2. Disconnect the modem if attached.
3. Do not take advice from the owner / user of
the computer.

34
Procedure for Gathering Evidence from
Live System (Switched On Systems)
3. Label and photograph or video all
the components. If no camera is
available, draw a sketch plan of the
system and label the ports and
cables so that the computer may be
reconstructed at a later date.
4. Remove all other connection cables
leading from the computer to other
wall or floor sockets or devices.

35
Procedure for Gathering Evidence from
Live System (Switched On Systems)
5. Carefully remove the equipment and record the unique
identifiers – the main unit, screen, keyboards and other
equipment will have different numbers.
6. Ensure that all items have signed exhibit labels attached
to them as failure to do so may cause difficulty with
continuity and cause the equipment to be rejected by the
forensic examiners

36
Procedure for Gathering Evidence from
Live System (Switched On Systems)
7. Allow the equipment to cool down before removal
8. Search area for diaries, notebooks or pieces of paper with
passwords on which are often stuck to or close to the
computer.
9. Consider asking the user if there are any passwords and if
these are given record them accurately.

37
Procedure for Gathering Evidence from
Live System (Switched On Systems)
10. Record what is on the screen by photograph and by
making a written note of the content of the screen.
11. Take the help of technical expert to use live forensics tool to
extract the information that is present in the temporary storage
memory like RAM.

38
Procedure for Gathering Evidence from
Live System (Switched On Systems)
12. If no specialist advice is available, remove the power supply
from the back of the computer without closing down any
programs. When removing the power supply cable,
always remove the end attached to the computer and not
that attached to the socket, this will avoid any data being
written to the hard drive if an uninterruptible power
protection device is fitted.

39
 Acquisition
 Acquisition or, as it is better known, data acquisition,
is the process of creating a forensic copy of the
electronic evidence (exhibit) such as hard disk,
thumb drive or server in the form of an image file or
files. The process is know as Imaging

 Imaging is carried out by using imaging tools such

FTK, Encase, trueback etc. and write blocker etc..

 Write Blocker- hardware or software which enables

data to be acquired from disk without modifying data
on the source disk

 The original drive is then returned to secure storage

to prevent tampering.

40
 Data Acquisition Method
Bit-stream disk-to-image file Bit-stream disk-to-disk
 It is the most common method used by all  Because of software or hardware errors or
forensic investigators incompatibilities, it is sometimes not possible to
 With this method, one or many copies of the create a bit-stream disk-to-image file
suspect drive can be generated  To solve the problem, create a disk-to-disk bit
 The copies are bit-for-bit replication of the stream copy of the suspect drive using tools such
original drive as Encase, SafeBack, and Norton Ghost
 Tools such as ProDiscover, Encase, FTK, The  These programs can alter the target disk’s
Sleuth Kit, X-Ways Forensics, ilook Investigator geometry (its head, cylinder, and track
etc. can be used to read the most common types configuration) such that the copies data matches
of disk-to-image files generated to the original suspect drive.

41
 Suspected disk (Source) Sterile disk (Target)

Newfile.doc
Test. oc
d

trainee.ppt Copyin
Search &seizure .pdf g of
Disk

Active file files Deleted files

42
 Suspected disk (Source) Sterile disk (Target)

Newfile.doc ooc
Newfile.doTT
eecst.st.d c

trainee.pp
trainee.ppt
t
Imaging
Search &seizure .pdf
&seizure .pdf
of
Disk

Active file files Deleted files

43
 Data Acquisition Format
Imaging Format
The data that an acquisition tool collects is stored in one of three formats
• Raw format
• Proprietary
• Advanced Forensic Format

44
 Raw Format
Raw Format
• Output of flat file
• Fast data transfers and capable
of
ignoring minor data read errors
• Can be read by most forensic tools
• Requires as much storage space as
the original disk
• Might not collect bad sectors on source
drive

45
46
 Integrity of Digital Evidence
• Digital data is vulnerable to intentional or
unintentional alteration
digital fingerprint is used
• Integrity of digital evidence is required to to authenticate
be maintained, starting from seizure till
Messag
analysis e
• Forensic examiners have to ensure that Test.do Hasher Digest
00F0C7E92A1
c
digital evidence is not compromised 847548C006C
during the computer forensic (MD5) 180165DFB1
after
process analysis modification
Messag
• Due
. to these reasons, to ensure the e
integrity of the digital evidence, a unique Test.do Digest
6FB3938D027
c
digitized tag is required 1301C6C4AC8
• A fingerprint of the digital evidence 47908AB26D
could be its digest digital fingerprint, is used to authenticate

47
 Data Hash and
• Hash Checksum
values, hash codes, checksums, message digest or
simply hashes Like a fingerprint of a file
• Can not provide any detail of the evidence
• If evidence is altered in anyway, its hash value will also change.
• MD5 (128 bit), SHA-1 (160 bit), SHA2 (256 bit)

48
Digital Forensics Tools

49
Disk Imaging Hardware
Equipment
• TrueImager (C-DAC)
• Talon (Logicube)
• Dossier (Logicube)
• Tableau
• HardCopy 3 (Voom)

• H/w based drive imaging equipments

are
faster; save time.

50
 Software Imager Tools
Software Imager Tools

Encase Forensic Imager

FTK Imager

CDAC Trueback

51
 Tools for Integrity verification
Tools for Integrity Verification

md5sum (DOS, Linux)

HashMyFiles (win)

Md5summer (win)

Hashcalc (win)

Built-in facility
in most of the
drive imaging 52
Questions and Queries