CF unit 2

The document provides an overview of digital evidence collection and forensics tools, detailing the types of digital evidence, sources, and methods for processing crime and incident scenes. It discusses the importance of file systems, the Windows Registry, and various software and hardware tools used in digital forensics, as well as the acquisition process and challenges faced in the field. Additionally, it emphasizes the significance of maintaining a proper chain of custody to ensure the integrity of evidence throughout the investigative process.
EVIDENCE COLLECTION AND FORENSICS TOOLS

Processing Crime and Incident Scenes – Digital Evidence


1. Introduction to Digital Evidence
Digital evidence refers to information stored or transmitted in binary form
that can be used to prove or disprove facts related to criminal activity or
incidents. This includes everything from computer files, emails, and databases
to images, text messages, and more. Digital evidence plays a crucial role in
criminal investigations, cybersecurity incidents, and corporate security
breaches.
Sources of Digital Evidence
Digital evidence can be found in numerous locations and can take several
forms, each requiring specialized handling:
• Computer Hard Drives: The most common source, containing files,
applications, system logs, and other user data.
• Mobile Devices: Smartphones, tablets, and laptops may contain
communication logs, application data, images, location data, etc.
• Network Devices: Routers, switches, and servers may hold logs, traffic data, or
records that help trace criminal activity.
• Cloud Storage: Many organizations and individuals store data remotely in cloud
services, such as Google Drive, Dropbox, etc.
• External Storage Devices: USB drives, memory cards, external hard drives, and
other removable media may carry evidence.
• IoT Devices: Smart devices such as cameras, fitness trackers, and even smart
thermostats can generate evidence.
Working with File Systems
File systems structure the way data is stored and retrieved from storage
devices. When processing digital evidence, understanding the underlying file
system is crucial for proper handling:
• File Allocation Table (FAT): Common in older devices and removable storage,
the FAT file system keeps a table that records which clusters each file
occupies. Because deleting a file only marks its directory entry and clusters
as free, investigators may recover deleted files by analyzing unallocated
clusters.
• New Technology File System (NTFS): Common in Windows systems, NTFS
stores metadata such as timestamps, permissions, and file attributes. It also
allows for the creation of volume shadow copies, which can be useful in
evidence gathering.
• HFS+ / APFS: Used in macOS systems, these file systems also store metadata
and timestamps, and modern APFS systems support encryption.
• ext3/ext4: Commonly used in Linux systems, these file systems store file
metadata, permissions, and other system information.
When handling a file system, forensic investigators must focus on:
• Physical and Logical Acquisition: Obtaining a copy of the storage media (either
physical or logical).
• Preserving Evidence: Ensuring no alteration of data, using techniques like
write-blockers and imaging.
• File Carving: The process of recovering files or fragments of files that may no
longer be indexed or present in the file system.
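The FAT recovery point above, as an added example (not code from this document): a small parser for raw FAT directory entries that shows why a deleted file's size and starting cluster are still available to an examiner. The 32-byte entry layout is the real FAT short-name format; the sample directory bytes are constructed here for illustration.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5   # first name byte of a deleted entry
ATTR_LFN = 0x0F         # long-file-name fragment; carries no cluster data
ATTR_DIRECTORY = 0x10

def parse_fat_directory(raw: bytes) -> list:
    """Decode 32-byte short-name entries from a raw FAT directory region.
    Deleting a file only overwrites the first name byte with 0xE5 and frees
    its clusters; size and starting cluster survive, which enables recovery."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == 0x00:              # 0x00 marks the end of used entries
            break
        attr = e[11]
        if attr == ATTR_LFN:
            continue
        deleted = e[0] == DELETED_MARKER
        base = (b"?" if deleted else e[0:1]) + e[1:8]   # first char is lost
        name = base.decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        clus_hi = struct.unpack_from("<H", e, 20)[0]
        clus_lo, size = struct.unpack_from("<HI", e, 26)
        entries.append({
            "name": f"{name}.{ext}" if ext else name,
            "deleted": deleted,
            "directory": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (clus_hi << 16) | clus_lo,
            "size": size,
        })
    return entries

def make_entry(name: bytes, ext: bytes, attr: int, cluster: int, size: int,
               deleted: bool = False) -> bytes:
    # Builds a constructed entry for the sample directory below (test data only).
    e = bytearray(ENTRY_SIZE)
    e[0:8], e[8:11], e[11] = name.ljust(8), ext.ljust(3), attr
    struct.pack_into("<H", e, 20, cluster >> 16)
    struct.pack_into("<HI", e, 26, cluster & 0xFFFF, size)
    if deleted:
        e[0] = DELETED_MARKER
    return bytes(e)

SAMPLE_DIR = (make_entry(b"REPORT", b"DOC", 0x20, 5, 4096)
              + make_entry(b"SECRET", b"TXT", 0x20, 9, 1200, deleted=True)
              + make_entry(b"PHOTOS", b"", ATTR_DIRECTORY, 12, 0)
              + bytes(ENTRY_SIZE))
```

Running `parse_fat_directory(SAMPLE_DIR)` lists the deleted entry as `?ECRET.TXT` with its original cluster and size, which is exactly the lead an examiner follows into unallocated space.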
The Windows Registry
The Windows Registry is a hierarchical database used by the Windows
operating system to store configuration settings, user preferences, and system
data. It can be a rich source of forensic evidence. The Registry contains
information about installed applications, system operations, user activities, and
more. Specific areas of interest in the Registry include:
• HKEY_LOCAL_MACHINE (HKLM): Contains system-wide settings such as
installed software, hardware configurations, and user profiles.
• HKEY_CURRENT_USER (HKCU): Contains settings specific to the currently
logged-in user, including recent documents and network connections.
• HKEY_CLASSES_ROOT (HKCR): Contains information about file associations and
application-related settings.
• HKEY_USERS (HKU): Contains data for each user on the system, including their
preferences and settings.
Forensic investigators will analyze the Registry for:
• User Activity: Recent documents, internet history, etc.
• System Activity: Installed programs, system logs, etc.
• Persistent Data: Information related to malware, hidden files, and
unauthorized software.
Artifacts in Digital Forensics
Artifacts are traces left behind by digital systems that can be analyzed to infer
user behavior or system events. Some common artifacts include:
• Internet Browsing History: Web browser cache, cookies, and history can reveal
websites visited and online activities.
• Document Metadata: Files often contain metadata such as creation and
modification dates, author names, and file paths.
• Log Files: Operating system, application, and security logs can help trace user
actions, network traffic, and even unauthorized activities.
• Prefetch Files: These files store information about recently run applications
and can provide insight into the programs executed on a system.
• Thumbnail Cache: Stores thumbnail images of files and folders, potentially
revealing image files even if they have been deleted.
• Windows Event Logs: These logs record system, security, and application
events that can be critical in determining when a specific activity occurred.
Software Tools
• EnCase: A comprehensive forensics suite used to acquire, analyze, and report
on digital evidence. It supports a wide range of devices and file systems.
• FTK (Forensic Toolkit): Provides capabilities for data analysis, file recovery, and
evidence management, supporting both live and dead box (powered off)
examinations.
• X1 Social Discovery: Used for the investigation of social media and web data,
allowing investigators to collect and analyze posts, messages, and interactions.
• Autopsy: An open-source digital forensics platform that allows for investigation
of hard drives, mobile devices, and cloud services.
• Sleuth Kit: A collection of command-line tools that can be used to analyze disk
images and other digital evidence.
• Cellebrite UFED: Primarily used for mobile forensics, this tool helps in
extracting data from mobile phones, including text messages, app data, and call
logs.
Hardware Tools
• Write Blockers: Devices that prevent data from being written to a storage
device, ensuring that evidence remains unaltered during acquisition.
• Forensic Duplicators: Devices like the Tableau TD3 are used to create bit-by-bit
copies (imaging) of digital storage devices without altering the original media.
• Mobile Device Forensics Kits: Hardware solutions designed to extract data
from mobile phones, including SIM cards, internal memory, and cloud data.
• Chip-Off Forensics: A hardware technique where memory chips are removed
from a device (such as a smartphone) to extract data when the device is
damaged or locked.
Forensic Suite Overview
A Forensic Suite refers to the set of tools and techniques employed to perform
forensic analysis on electronic devices. It typically includes both hardware and
software solutions to acquire, analyze, and preserve evidence.
Key Components of a Forensic Suite:
• Forensic Workstation: A dedicated, secure computer system with necessary
tools to analyze evidence without compromising its integrity.
• Forensic Software Tools: Software that helps in acquiring, analyzing, and
presenting digital evidence.
• Storage Media: Devices like write-blockers, hard drives, and other storage
media used to safely store acquired evidence.
Acquisition of Evidence from Computers and Mobile Devices
Acquiring evidence from digital devices involves the following key steps:
A. Preparation for Acquisition
• Pre-Acquisition Assessment: The investigator first assesses the device to understand
its structure and data potential. Information like operating system type, storage
capacity, and encryption status is considered.
• Forensic Imaging: A copy of the entire data (including deleted files) is created to
preserve the original evidence. The copy must be exact, bit-by-bit, and should include
all data, even if it’s hidden or deleted.
B. Seizure and Data Collection
• Data Acquisition: There are two primary types of data acquisition:
• Live Acquisition: When the device is still powered on. This is usually necessary for volatile data
(RAM, active processes, etc.). Tools such as FTK Imager and X1 Social Discovery are used for
this purpose.
• Dead Acquisition: When the device is powered off. A device can be safely transported to a
forensic lab for acquisition. Tools like EnCase and Helix can be used to extract data in a
forensically sound manner.
Forensic Imaging Tools
• Write Blockers: Hardware or software tools that prevent any modification of
the device’s data during the imaging process. This ensures the integrity of the
evidence.
• Cloning and Imaging Software: Examples of software tools that allow for bit-
level cloning of the device’s storage include:
• FTK Imager
• EnCase Forensic
• X1 Social Discovery
• Cellebrite UFED (for mobile devices)
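The imaging requirement stated above (an exact, bit-by-bit copy whose integrity can be shown) as an added example, not a tool from this document: the source is opened read-only, every byte is copied in chunks, and the written image is re-read and hashed so the verification reflects what actually reached disk. The `demo()` function stands in a constructed temporary file for the device node a write-blocker would expose.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024   # 1 MiB reads keep memory flat on large media

def image_media(source: str, image_path: str) -> dict:
    """Copy every byte of `source` to `image_path`, then verify the copy.
    The source is opened read-only (a write-blocker enforces this in hardware);
    the image is re-read from disk so the verification hash reflects what was
    actually written, not what was buffered in memory."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    img_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(CHUNK), b""):
            img_hash.update(block)
    return {
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
        "bytes": os.path.getsize(image_path),
    }

def demo() -> dict:
    """Image a constructed 3 MiB + 17 byte 'device' held in a temporary file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "disk.raw"), os.path.join(tmp, "disk.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))   # odd size: last read is a partial chunk
        result = image_media(src, dst)
        with open(src, "rb") as a, open(dst, "rb") as b:
            result["identical"] = a.read() == b.read()
    return result

if __name__ == "__main__":
    print(demo())
```

Record both hexdigests in the acquisition notes; the same hash recomputed over the image later is what lets a court or a second examiner confirm it has not changed.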
Mobile Device Acquisition
Forensic acquisition from mobile devices (smartphones, tablets, etc.) presents
unique challenges:
• Device Locking: Many devices have passwords, encryption, or biometric locks.
Overcoming these security measures while adhering to legal standards is
critical.
Mobile Forensic Tools:
• Cellebrite UFED: A widely used mobile forensic tool that allows for extraction of data
from smartphones, even from locked or encrypted devices.
• XRY: Another tool used for extracting data from mobile phones, including deleted
content.
• Oxygen Forensics: Can access data from smartphones, including data from apps, cloud,
and deleted information.
Data Extraction Techniques
• Physical Extraction: Extracts all data from the device’s memory, including
deleted or hidden data.
• Logical Extraction: Extracts available data through the device’s operating
system interface, which may omit hidden or deleted data.
• File System Extraction: Targets specific files on a device by searching its file
system.
• Chip-Off: Involves physically removing the device’s storage chip to access raw
data. This is a complex technique, typically used for heavily locked or damaged
devices.
Chain of Custody
The Chain of Custody refers to the documented history of an item of evidence
from its seizure to its presentation in court. Proper chain of custody ensures
that the evidence is not tampered with, lost, or altered.
Key Elements of Chain of Custody:
• Documentation: Every instance of handling or transfer of evidence must be
carefully documented, including who handled the evidence, when it was
handled, and the purpose of the handling.
• Seals and Signatures: Evidence is typically sealed and signed to prevent
tampering.
• Custodian: A designated person responsible for maintaining the integrity of the
evidence.
Process of Chain of Custody:
1. Seizure: When evidence is taken from a crime scene or suspect, it must be
logged with detailed information, including the make, model, and serial
numbers of devices.
2. Transportation: The evidence is carefully packaged and transported, ensuring
it is not exposed to any unnecessary risks of tampering.
3. Storage: Evidence is stored in a secure environment with restricted access to
maintain its integrity.
4. Examination: When evidence is analyzed, the forensic examiner's actions must
be documented, and their findings must be reproducible.
5. Court Presentation: The final evidence must be traceable back to its original
source and must be presented in a manner that proves its authenticity and
integrity.
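The custody documentation described above (who handled the evidence, when, and why, from seizure through examination) as an added example, not a form or tool from this document: each event is stored as a record that also carries the hash of the previous record, so an edited or removed entry is detectable. The handler names, times and evidence hash in `sample_log()` are constructed placeholders.

```python
import hashlib
import json

GENESIS = "0" * 64   # link value for the first entry

def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    data = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def record_handling(log: list, handler: str, action: str, purpose: str,
                    evidence_sha256: str, timestamp: str) -> dict:
    """Append one custody event: who, what, why, when, and the evidence hash.
    Each entry carries the previous entry's hash, so altering or removing an
    earlier record invalidates every record after it."""
    entry = {
        "seq": len(log) + 1,
        "handler": handler,
        "action": action,
        "purpose": purpose,
        "evidence_sha256": evidence_sha256,
        "timestamp": timestamp,            # ISO 8601 UTC, supplied by the caller
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify_chain(log: list) -> bool:
    """True only if every entry hashes to its stored value and links to its predecessor."""
    prev = GENESIS
    for i, entry in enumerate(log, start=1):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or body["prev"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def sample_log() -> list:
    """Constructed custody history for a seized laptop (names, times and hash are made up)."""
    img = "ab" * 32   # placeholder for the SHA-256 of the evidence image
    log = []
    record_handling(log, "Officer A. Rao", "seizure", "laptop taken from scene", img, "2024-05-01T09:12:00Z")
    record_handling(log, "Officer A. Rao", "transport", "sealed bag to evidence locker", img, "2024-05-01T11:40:00Z")
    record_handling(log, "Custodian M. Lee", "storage", "locker 7, restricted access", img, "2024-05-01T12:05:00Z")
    record_handling(log, "Examiner J. Park", "examination", "analysis on write-blocked image", img, "2024-05-03T08:30:00Z")
    return log
```

The hash chain supplements, not replaces, physical seals and signatures: it proves the log itself was not rewritten after the fact, while the evidence hash in each entry ties the log to the specific image that was handled.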
Challenges in Digital Forensics
• Encryption: Encrypted data can be difficult to access, especially when
password protection is involved. Legal and technical challenges must be
overcome to bypass encryption.
• Cloud Storage: Cloud storage complicates digital forensics, as data can be
distributed across various locations, requiring specialized tools to access cloud-
based information.
• Volatility: Some digital data is volatile, such as in RAM, and can be lost if not
captured immediately.
