unit1-Introduction DF

The document provides an overview of forensic science, detailing its definition, the role of forensic scientists, and the processes involved in digital forensics. It discusses the evolution of digital forensics, its various branches, and the challenges faced in the field, while also highlighting the importance of evidence collection and analysis in legal contexts. Additionally, it introduces Locard's exchange principle, emphasizing the significance of trace evidence in crime investigations.

Unit 1

Introduction
“If the law has made you a witness, remain a man (woman) of science. You have
no victim to avenge, no guilty or innocent person to ruin or save — you must
bear testimony within the limits of science.”
— Dr. P.C.H. Brouardel
19th-Century French Medico-Legalist
Understanding of forensic science
 The word forensic comes from the Latin forensis: public, of the forum or public
discussion; argumentative, rhetorical, belonging to debate or discussion.
 A relevant, modern definition of forensic is: relating to, used in, or suitable to a court of
law. Any science used for the purposes of the law is a forensic science.
 The forensic sciences are used around the world to resolve civil disputes, to justly
enforce criminal laws and government regulations, and to protect public health.
 Forensic scientists may be involved anytime an objective, scientific analysis is needed to
find the truth and to seek justice in a legal proceeding.
What Do Forensic Scientists Do?
 A forensic scientist is first a scientist. When a scientist's knowledge is used to help
lawyers, juries, and judges understand the results of scientific tests, the scientist
becomes a forensic scientist.
 Because the work of a forensic scientist is intended to be used in court and because
scientific evidence can be very powerful, the forensic scientist must be accurate,
methodical, detailed, and above all, unbiased.
Analyse Information and Document Findings
 In most cases, the item or items in question are provided to the forensic scientist for
examination and analysis. In other cases, they may need to go to the scene to conduct
an on-site analysis, gather evidence, or document facts for later analysis.
 Having been provided or having gathered the relevant information, the forensic scientist
then has to decide which examinations, tests, or analyses are appropriate – and relevant
– to the issue(s) in dispute. (Is that powder cocaine or not? Did a defect in the road
surface cause the crash?).
 They must conduct the most appropriate tests/analyses, interpret the results, and document
both the process and the steps followed to reach the resulting conclusion or opinion.
Testify in Court as an Expert Witness

 The forensic scientist will, at some point, have to testify. Testimony is the verbal statement of a
witness, under oath, to the judge or jury.
 Forensic scientists are "expert" witnesses as opposed to ordinary or "fact" witnesses. Expert
witnesses are permitted to testify not just about what the results of testing or analysis were
("facts"), but also to give an opinion about what those results mean.
 For example, a forensic scientist may testify about the observed, factual results of a chemical drug
analysis and that, in their expert opinion, the results show that the tested substance is a specific
drug, such as cocaine or heroin.
 To qualify as an expert witness, the forensic scientist must have a solid, documented background
of education, training, and experience in the scientific discipline used to conduct the examinations,
testing, or analyses about which the forensic scientist wants to testify.
 A party to a court case may challenge whether the scientist performed the tests correctly; whether
the scientist interpreted the results accurately; or, whether the underlying science is valid and
reliable. A party to a court case may additionally challenge whether the scientist is properly
qualified to render an expert opinion or question the scientist's impartiality.
Digital Sciences
 Today, law enforcement and labs are dealing with crimes (and, thus, evidence) that
didn’t exist decades ago.
 This means the field of forensics will continue to evolve as technology changes, and the
area of digital sciences is one of those ever-changing areas.
 According to the AFS (Academy of Forensic Sciences), forensic professionals in this discipline
examine hardware tools, software applications, and digital files (audio, text, image,
video, etc.) to find and analyse evidence.
 A key word here is “find” because, often, there are terabytes of data, and hours of
footage (say from security or traffic cameras) to sort through before finding anything
meaningful or relevant.
 Digital investigation covers the procedures and techniques used to investigate crimes such as
fraud, stalking, and identity theft.
Digital Forensics
 Branch of forensic science which includes the identification, collection, analysis and reporting
of any valuable digital information held on digital devices related to computer crimes, as a part
of the investigation.
 Digital Forensics is the process of identifying, preserving, analysing and presenting digital
evidence.
 Digital Forensics is defined as the process of preservation, identification, extraction, and
documentation of computer evidence which can be used by a court of law. It is the science of
finding evidence on digital media such as a computer, mobile phone, server, or network. It
provides the forensic team with the best techniques and tools to solve complicated digital
cases.
 Digital Forensics helps the forensic team to analyse, inspect, identify, and preserve the
digital evidence residing on various types of electronic devices.
 The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, and after this
the field of digital forensics grew rapidly through the late 1980s and 1990s.
 It includes areas of analysis such as storage media, hardware, operating systems, networks and
applications.
Digital forensic scientist’s duties
 Determining if a digital image has been altered.
 Analysing acoustics of a recording.
 Finding out which devices were connected to a system.
 Determining if files have been deleted from a drive or device.
 Locating a remote system or user.
 Finding a victim or suspect based on data.
History of Digital forensics
 Hans Gross (1847–1915): First use of scientific study to direct criminal investigations.
 Francis Galton (1822–1911): Conducted the first recorded study of fingerprints.
 FBI (1932): Set up a lab to offer forensic services to all field agents and other law
authorities across the USA.
 In 1978 the first computer crime was recognized in the Florida Computer Crimes Act.
 In 1992, the term Computer Forensics was used in academic literature.
 In 1995 the International Organization on Computer Evidence (IOCE) was formed.
 In 2000, the first FBI Regional Computer Forensic Laboratory was established.
 In 2002, the Scientific Working Group on Digital Evidence (SWGDE) published the first book
on digital forensics, "Best Practices for Computer Forensics".
 In 2010, Simson Garfinkel identified issues facing digital investigations.
Crime Lab History
 First police crime lab in the world was established in France in 1910 by Edmond Locard.
 First police crime lab in the U.S. opened in 1923 in Los Angeles.
 The Scientific Crime Detection Lab was founded in Evanston, Illinois in 1929.
 The first FBI (Federal Bureau of Investigation) crime lab opened in 1932.
Objectives of computer forensics
 It helps to recover, analyse, and preserve computer and related materials in such a
manner that the investigating agency can present them as evidence in a court of law.
 It helps to determine the motive behind the crime and the identity of the main culprit.
 Designing procedures for a suspected crime scene that ensure the digital evidence obtained
is not corrupted.
 Data acquisition and duplication: recovering deleted files and deleted partitions from
digital media to extract the evidence and validate it.
 Helps to identify the evidence quickly, and also allows the potential impact of the
malicious activity on the victim to be estimated.
 Producing a computer forensic report which documents the complete investigation
process.
 Preserving the evidence by following the chain of custody.
Branches of Digital Forensics
 Media forensics: the branch of digital forensics which includes identification,
collection, analysis and presentation of audio, video and image evidence during the
investigation process.
 Cyber forensics: the branch of digital forensics which includes identification,
collection, analysis and presentation of digital evidence during the investigation of a
cyber crime.
 Mobile forensics: the branch of digital forensics which includes identification,
collection, analysis and presentation of digital evidence during the investigation of a
crime committed through a mobile device such as a mobile phone, GPS device, tablet or laptop.
 Software forensics: the branch of digital forensics which includes identification,
collection, analysis and presentation of digital evidence during the investigation of a
crime related to software only.
Process of Digital forensics
 The digital forensic process is intensive.
 First, investigators find evidence on electronic devices and save the data to a safe drive. Then, they
analyse and document the information. Once it is ready, they hand the digital evidence to the police to help
solve a crime, or present it in court to help convict a criminal.
 The process consists of five steps:
 Identification of evidence:
 It consists of identifying evidence related to the digital crime in storage media, hardware, operating
systems, networks and/or applications. It is the most important and basic step.
 The identification process mainly establishes what evidence is present, where it is stored, and
lastly, how it is stored (in which format).
 Electronic storage media can be personal computers, mobile phones, PDAs, etc.
 Collection/Preservation:
 It includes preserving the digital evidence identified in the first step so that it does not degrade or
vanish with time. Preserving the digital evidence is very important and crucial.
 Data is isolated, secured, and preserved. This includes preventing people from using the digital device so
that the digital evidence is not tampered with.
Process of Digital forensics…
 Analysis: It includes analysing the collected digital evidence of the computer crime
in order to trace the criminal and the path possibly used to breach the system.
 Investigation agents reconstruct fragments of data and draw conclusions based on the evidence
found. It may take numerous iterations of examination to support a specific crime
theory.
 Documentation: It includes proper documentation of the whole digital investigation, the digital
evidence, the loopholes of the attacked system, etc., so that the case can be studied and analysed
in future and presented in court in a proper format.
 A record of all the visible data must be created. It helps in recreating the crime scene and
reviewing it. It involves proper documentation of the crime scene along with photographing,
sketching, and crime-scene mapping.
 Presentation: It includes the presentation of all the digital evidence and documentation in
court in order to prove the digital crime committed and identify the criminal.
 The process of summarisation and explanation of conclusions is carried out here.
 It should be written in layperson's terms using abstracted terminology, and every abstracted
term should be tied back to the specific underlying details.
Digital Forensics Process…
Types of Digital Forensics
 Disk Forensics: It deals with extracting data from storage media by searching active, modified, or
deleted files.
 Network Forensics: It is a sub-branch of digital forensics concerned with monitoring and analysing
computer network traffic to collect important information and legal evidence.
 Wireless Forensics: It is a division of network forensics. Its main aim is to
offer the tools needed to collect and analyse data from wireless network traffic.
 Database Forensics: It is a branch of digital forensics relating to the study and examination of
databases and their related metadata.
 Malware Forensics: This branch deals with the identification of malicious code (viruses, worms,
etc.) and the study of its payload.
 Email Forensics: Deals with the recovery and analysis of emails, including deleted emails, calendars,
and contacts.
 Memory Forensics: It deals with collecting data from system memory (system registers, cache,
RAM) in raw form and then carving the data from the raw dump.
 Mobile Phone Forensics: It mainly deals with the examination and analysis of mobile devices. It
helps to retrieve phone and SIM contacts, call logs, incoming and outgoing SMS/MMS, audio, video,
etc.
Challenges faced by Digital Forensics
 The increase in the number of PCs and the extensive use of Internet access.
 Easy availability of hacking tools.
 Lack of physical evidence makes prosecution difficult.
 Storage capacities running into terabytes, which make the investigation job
difficult.
 Any technological change requires an upgrade of, or changes to, the solutions.
Example Uses of Digital Forensics
 Intellectual Property theft
 Industrial espionage
 Employment disputes
 Fraud investigations
 Inappropriate use of the Internet and email in the workplace
 Forgery-related matters
 Bankruptcy investigations
 Regulatory compliance issues
Advantages of Digital forensics
 To ensure the integrity of the computer system.
 To produce evidence in the court, which can lead to the punishment of the culprit.
 It helps the companies to capture important information if their computer systems or
networks are compromised.
 Efficiently tracks down cybercriminals from anywhere in the world.
 Helps to protect the organization’s money and valuable time.
 Allows the factual evidence to be extracted, processed, and interpreted so that the
cybercriminal's actions can be proved in court.
Disadvantages of Digital Forensics
 It must be proved that there has been no tampering before digital evidence is accepted in court.
 Producing electronic records and storing them is an extremely costly affair.
 Legal practitioners must have extensive computer knowledge.
 Need to produce authentic and convincing evidence.
 If the tool used for digital forensics does not meet the specified standards, the evidence
can be rejected by the court.
 A lack of technical knowledge on the part of the investigating officer may prevent the desired
result.
Locard’s exchange principle
 Dr. Edmond Locard (13 December 1877 – 4 May 1966) was a French
criminologist, the pioneer in forensic science who became known as the
"Sherlock Holmes of France". He formulated the basic principle of forensic
science: "Every contact leaves a trace". This became known as Locard's
exchange principle.
 Locard Exchange Principle
 “Every contact leaves a trace.” It is generally understood as “with contact
between two items, there will be an exchange.”
 In forensic science, Locard's principle holds that the perpetrator of a crime will bring something into the crime
scene and leave with something from it, and that both can be used as forensic evidence.
 Locard described the principle as follows:
 Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent
witness against him. Not only his fingerprints or his footprints, but his hair, the fibres from his clothes, the glass
he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of
these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the
excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical
evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it,
study and understand it, can diminish its value.
 Fragmentary or trace evidence is any type of material left at (or taken from) a crime scene, or the result of
contact between two surfaces, such as shoes and the floor covering or soil, or fibres from where someone sat
on an upholstered chair.
 When a crime is committed, fragmentary (or trace) evidence needs to be collected from the scene. A team of
specialised police technicians goes to the scene of the crime and seals it off. They record video and take
photographs of the crime scene, victim(s) (if there are any) and items of evidence. If necessary, they undertake
ballistics examinations. They check for foot, shoe, and tire mark impressions, plus hair, as well as examine any
vehicles and check for fingerprints – whole or partial.
 Digital forensics has been defined as the use of scientifically derived and proven
methods towards the preservation, collection, validation, identification, analysis,
interpretation and presentation of digital evidence derived from digital sources for the
purpose of facilitating or furthering the reconstruction of events found to be criminal or
helping to anticipate the unauthorized actions shown to be disruptive to planned
operations.
 One important element of digital forensics is the credibility of the digital evidence.
Digital evidence includes computer evidence, digital audio, digital video, cell phones,
digital fax machines etc. Legal settings require evidence to have integrity,
authenticity, reproducibility, non-interference and minimisation.
 Computer and network forensics methodologies consist of three basic components,
referred to as the three As of computer forensics investigations.
 These are: acquiring the evidence while ensuring that its integrity is preserved;
authenticating the validity of the extracted data, which involves making sure that it is as
valid as the original; and analysing the data while keeping its integrity.
 Some process models that take the three factors into consideration include the Forensics
Process Model, the Abstract Digital Forensics Model and the Integrated Digital
Investigation Model.
The Computer Forensic Investigative Process Model [5]
 The U.S. Department of Justice published a process model in Electronic Crime Scene
Investigation: A Guide for First Responders [5] that consists of four phases:
 1. Collection; which involves the evidence search, evidence recognition, evidence
collection and documentation.
2. Examination; this is designed to facilitate the visibility of evidence, while explaining its
origin and significance. It involves revealing hidden and obscured information and the
relevant documentation.
3. Analysis; this looks at the product of the examination for its significance and probative
value to the case.
4. Reporting; this entails writing a report outlining the examination process and pertinent
data recovered from the overall investigation.
 The analysis phase of this model is improperly defined and ambiguous. It emerges, for instance,
as an interpretation of the results from the examination phase, and in the process confuses
analysis with interpretation despite these being two distinct processes.
The Digital Forensic Research Workshop model (DFRWS)
 The first DFRWS was held in Utica, New York (2001).
 The group created a consensus document that drew out the state of digital forensics at that
time.
 Among the group's conclusions was that digital forensics is a process with a number of
agreed steps.
 They outlined processes such as identification, preservation, collection, examination, analysis,
presentation and decision (Palmer 2001).
 Advantages
 1. It provides a standard and consistent forensic framework.
 2. It serves as a framework on which other forensic models are developed.
 3. Ease of use: it is easily comprehensible by both technical and non-technical users.
 Disadvantages
 Due to its general nature, it is relatively difficult to test and implement. Moreover, it
appears to be somewhat rigid.
The Abstract Digital Forensics Model [6]
 The Abstract Digital Forensics model [6] proposes a standardized digital forensics process that consists of
nine components:
 1. Identification; which recognizes an incident from indicators and determines its type.
2. Preparation; which entails the preparation of tools, techniques, search warrants, and monitoring
authorizations and management support.
3. Approach strategy; that develops a procedure to use in order to maximize the collection of untainted
evidence while minimizing the impact to the victim.
4. Preservation; which involves the isolation, securing and preservation of the state of physical and digital
evidence.
5. Collection; that entails the recording of the physical scene and duplicate digital evidence using
standardized and accepted procedures.
6. Examination; which involves an in-depth systematic search of evidence relating to the suspected crime.
7. Analysis; which involves determination of the significance, reconstructing fragments of data and drawing
conclusions based on evidence found.
8. Presentation; that involves the summary and explanation of conclusions.
9. Returning evidence; that ensures physical and digital property is returned to its proper owner.
 Although this model is generally a good reflection of the forensic process, it is open to at least one criticism.
Its third phase (the approach strategy) is to an extent a duplication of its second phase (the preparation
phase). This is because at the time of responding to a notification of the incident, the identification of the
appropriate procedure will likely entail the determination of techniques to be used.
The Integrated Digital Investigation Model (IDIP) [7]
Phases of the IDIP Model..
 1. Readiness phases
 The goal of this phase is to ensure that the operations and infrastructure are able to fully
support an investigation. It includes two phases:
 1. Operations Readiness phase; which ensures that human capacity is fully trained and
equipped to deal with an incident when it occurs.
2. Infrastructure Readiness phase; that ensures that the underlying infrastructure is
sufficient to deal with incidents when they come. For example, equipment like video
cameras and card readers being in place and in good working condition.
 2. Deployment phases
 The purpose is to provide a mechanism for an incident to be detected and confirmed. It
includes two phases:
 1. Detection and Notification phase; where the incident is detected and the appropriate
people notified.
2. Confirmation and Authorization phase; which confirms the incident and obtains legal
authorization, such as a search warrant, to proceed.
Phases of the IDIP Model..
 3. Physical Crime Scene Investigation phases
 The goal of these phases is to collect and analyse the physical evidence and reconstruct the
actions that took place during the incident. It includes six phases:
 1. Preservation phase; which seeks to preserve the crime scene so that evidence can later be
identified and collected by personnel trained in digital evidence identification.
2. Survey phase; that requires an investigator to walk through the physical crime scene and
identify pieces of physical evidence.
3. Documentation phase; which involves taking photographs, sketches, and videos of the
crime scene and the physical evidence. The goal is to capture as much information as possible
so that the layout and important details of the crime scene are preserved and recorded.
4. Search and collection phase; in which an in-depth search and collection of the scene is
performed so that additional physical evidence is identified, paving the way for a digital
crime investigation to begin.
5. Reconstruction phase; which involves organizing the results from the analysis done and
using them to develop a theory for the incident.
6. Presentation phase; that presents the physical and digital evidence to a court or corporate
management.
Phases of the IDIP Model..
 4. Digital Crime Scene Investigation phases
 The goal is to collect and analyse the digital evidence that was obtained from the physical investigation
phases and through any other future means. It includes similar phases to the Physical Investigation
phases, although the primary focus is on the digital evidence. The six phases are:
 1. Preservation phase; which preserves the digital crime scene so that evidence can later be
synchronized and analysed for further evidence.
2. Survey phase; whereby the investigator transfers the relevant data from a venue outside the physical or
administrative control of the investigator to a controlled location.
3. Documentation phase; which involves properly documenting the digital evidence when it is found.
This information is helpful in the presentation phase.
4. Search and collection phase; whereby an in-depth analysis of the digital evidence is performed.
Software tools are used to reveal hidden, deleted, swapped and corrupted files that were used, including
their dates, duration, log files etc. Low-level timelining is performed to trace a user's activities and identity.
5. Reconstruction phase; which includes putting the pieces of a digital puzzle together, and developing
investigative hypotheses.
6. Presentation phase; that involves presenting the digital evidence that was found to the physical
investigative team.
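The low-level timelining named in the search and collection phase, as an added example that is not part of the original slides: constructed file-system MAC times (UTC epoch seconds), an auth log stamped in the host's local time and browser history in ISO 8601 are normalised to UTC and merged into one ordered timeline, and a second function shows the mis-ordering a raw string sort would produce. The paths, hostname, IP address, URL and the UTC+05:30 clock offset are all constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple


class Event(NamedTuple):
    when: datetime     # timezone-aware UTC after normalisation; also the sort key
    source: str
    detail: str


# Constructed inputs (not real case data). Each source stamps time differently:
# file-system MAC times as UTC epoch seconds, an auth log in the host's local time
# (clock set to UTC+05:30, no offset in the line), browser history in ISO 8601 with offset.
MAC_TIMES = {
    "C:/Users/alice/report.docx": {
        "created": 1699999800, "modified": 1700000400, "accessed": 1700001200,
    },
}
AUTH_LOG = [
    "2023-11-15 03:45:00 host sshd[412]: Accepted password for alice from 10.0.0.7",
    "2023-11-15 03:52:10 host sshd[412]: session closed for user alice",
]
AUTH_LOG_OFFSET = timedelta(hours=5, minutes=30)   # host clock offset found during examination
BROWSER_HISTORY = [
    ("2023-11-14T22:21:05+00:00", "https://upload.example.invalid/"),
]


def from_epoch(seconds: int) -> datetime:
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def from_local(text: str, offset: timedelta) -> datetime:
    """Convert a naive local timestamp to UTC by removing the host's offset."""
    naive = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    return (naive - offset).replace(tzinfo=timezone.utc)


def from_iso(text: str) -> datetime:
    return datetime.fromisoformat(text).astimezone(timezone.utc)


def build_timeline() -> list[Event]:
    """Normalise every source to UTC and merge into one chronologically sorted list."""
    events: list[Event] = []
    for path, times in MAC_TIMES.items():
        for kind, ts in times.items():
            events.append(Event(from_epoch(ts), "filesystem", f"{kind} {path}"))
    for line in AUTH_LOG:
        stamp, message = line[:19], line[20:]
        events.append(Event(from_local(stamp, AUTH_LOG_OFFSET), "auth", message))
    for iso, url in BROWSER_HISTORY:
        events.append(Event(from_iso(iso), "browser", f"visited {url}"))
    return sorted(events)      # NamedTuple compares field by field, so 'when' sorts first


def naive_string_order() -> list[str]:
    """Source order a raw sort of the un-normalised timestamp strings would give (for contrast)."""
    raw = [f"{from_epoch(ts).strftime('%Y-%m-%d %H:%M:%S')} filesystem"
           for times in MAC_TIMES.values() for ts in times.values()]
    raw += [f"{line[:19]} auth" for line in AUTH_LOG]
    raw += [f"{iso[:10]} {iso[11:19]} browser" for iso, _ in BROWSER_HISTORY]
    return [r.split(" ", 2)[2] for r in sorted(raw)]


if __name__ == "__main__":
    for ev in build_timeline():
        print(ev.when.isoformat(), ev.source, ev.detail)
```

Without the offset correction the two auth events sort after every file-system event, which would invert the login-then-modify-then-upload sequence the normalised timeline shows.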
Phases of the IDIP Model..
 5. Review phase
 This entails a review of the whole investigation and identifies areas for improvement. The IDIP model does well at
illustrating the forensic process, and also conforms to the cyber terrorism capabilities [8] which require a digital
investigation to address issues of data protection, data acquisition, imaging, extraction, interrogation,
ingestion/normalisation, analysis and reporting. It also highlights the reconstruction of the events that led to the
incident and emphasises reviewing the whole task, ultimately building a mechanism for quicker forensic
examinations.
 However, the IDIP model is open to some criticisms.
 First, despite encompassing all the earlier models, there is reason to question the IDIP model's practicality. It
depicts, for instance, the deployment phase, which consists of confirmation of the incident, as being independent of
the physical and digital investigation phases.
 In practice, however, it seems impossible to confirm a digital or computer crime unless and until some preliminary
physical and digital investigation is carried out. Secondly, it does not offer sufficient specificity and does not, for
instance, draw a clear distinction between investigations at the victim's (secondary crime) scene and those at
the suspect's (primary crime) scene. Neither does it reflect the process of arriving at the latter. Since a computer
can be used both as a tool and as a victim, it is common for investigations to be carried out at both ends so that
an accurate picture is formed. The primary crime scene is the place where the first criminal act occurred, and the
process of tracing back to it can be challenging when dealing with larger networks and in particular the Internet.
References
 [5] National Institute of Justice (July 2001). Electronic Crime Scene Investigation: A Guide
for First Responders. http://www.ncjrs.org/pdffiles1/nij/187736.pdf
 [6] Mark Reith, Clint Carr and Gregg Gunsch (2002). An Examination of Digital Forensic
Models. International Journal of Digital Evidence, Fall 2002, Volume 1, Issue 3.
 https://www.geeksforgeeks.org/abstract-digital-forensic-model/
 [7] Brian Carrier and Eugene H. Spafford (2003). Getting Physical with the Investigative
Process. International Journal of Digital Evidence, Fall 2003, Volume 2, Issue 2.
 https://www.geeksforgeeks.org/integrated-digital-investigation-process/
 https://www.forensicfocus.com/articles/the-enhanced-digital-investigation-process-model/
 https://resources.infosecinstitute.com/topics/digital-forensics/digital-forensics-models/
