Dr.

Zunera Jalil
Email: [email protected]
 Today’s Agenda 2

• Demo for Hashing Tools

 By Arsalan Abid (Course TA)
• Quiz # 1
• Lecture on Digital Evidence and Investigation
process
 A Typical Forensic Investigation Case 3

1. An incident occurs in XYZ company and company’s server has been

compromised.
2. A user contacts company’s legal/ security department for advice
3. Legal advisor suggest to get services of a forensic investigator
(internal or external?)
4. Forensic investigator seizes the evidence at the crime scene and
transports it back to forensic lab.
5. The forensic investigator creates a bit-stream images of the file
 A Typical Forensic Investigation Case 4

6. Then creates an MD5 hash of the files

7. Examines the evidence for proof of crime
8. Prepares a report concluding investigation finding
9. Keeps report securely
10.Legal advisor/advocate studies report and see the
charges/penalties that may apply (may present in court of
law)
11.Investigator destroys all evidences
 What an Investigator does? 5

 Determines the extent of damage

 Gathers evidence in a forensically sound
manner
 Analyzes the evidence data and protect It
from tampering/damage
 Prepares analysis report
 Presents acceptable evidence in court
Digital Evidence
 Digital Evidence 7

 Digital evidence is information stored or transmitted

in binary form that may be relied on in court.
 It can be found on a computer hard drive, a mobile
phone, among other places.
 Is fragile in nature

National Institute of Justice: https://nij.ojp.gov/digital-evidence-and-forensics

 Local’s Exchange Principal 8

In the commission of a crime, the

perpetrator leaves something at the crime scene,
and takes away with him something from the
crime scene.

These "somethings" are evidence.

season 9, episode 5 of the TV detective show Death in Paradise, broadcast on 6 February 2020.
final episode of the 2018 drama, Queen of Mystery 2.
 Local’s Exchange Principal 9

Wherever he steps, wherever he touches, whatever he leaves, even

without consciousness, will serve as a silent witness against him, his
fingerprints or his footprints, but his hair, the fibers from his clothes, the glass
he breaks, the tool mark he leaves, the paint he scratches, the blood or
semen he deposits or collects. All of these and more, bear mute witness
against him. This is evidence that does not forget. It is not confused by the
excitement of the moment. It is not absent because human witnesses are.
It is factual evidence. Physical evidence cannot be wrong, it cannot
perjure itself, it cannot be wholly absent. Only human failure to find it, study
and understand it, can diminish its value.
— Paul L. Kirk. 1953.
 Your Footprints 10

Visiting a website: Suppose you visit amazon.com and login there. What evidence of
this "visit" do you leave at the amazon.com webserver? An entry in the webserver log, of
course! What evidence do you take with you?
• First of all a cookie from the amazon.com server.
• Second of all, your browser caches a copy of the webpages you visit
• Third of all, your browser keeps a history of all the pages you've visited
Login attempts: Every attempt you make to login to a system is logged!
Recently accessed files
Networks you've been on
Metadata in documents What else?
 Types of Digital Evidence(1) 11

• Volatile Data
• Any data that is stored in memory, or exists in transit, that will
be lost when the computer loses power or is turned off.
• Volatile data resides in registries, cache, and random access
memory (RAM).
• Examples: logged on users, open files, process information, command, history
etc.

• The investigation of this volatile data is called “live forensics”

 Types of Digital Evidence (2) 12

• Non-volatile Data
• A type of digital information that is persistently stored within a file
system on some form of electronic medium that is preserved in a
specific state when power is removed
 Examples: hidden files, slack space, registry settings, event logs, etc.
 Digital Evidence 13

Admissible Authentic

Complete Reliable

Believable
Sources of Evidence 14
 Where Evidence can be found? 15

• User files
• Address books, database file, Documents, Bookmarks. Saved web pages,
messages, passwords

• User protected files

• Encrypted files, hidden files, compressed files etc.

• System generated files

• Log files, cookies, swap files, temporary files, configuration files, etc.
 Rules of Evidence 16

• Rules of evidence defines when, how and for what purpose

a proof of a case may be presented.
• It may be presented before a judge, a jury, a committee for
trial, depending on type of crimes and investigation
requirements.
• Best Rule Evidence:
• established any alteration of evidence (intentionally or unintentionally)
 Federal Rules of Evidence 17

The Federal Rules of Evidence are a set

of rules that governs the introduction of
evidence at civil and criminal trials in
United States federal trial courts.

• Rule 1002: Requirement of Original

• Rule 1003: Admissibility of Duplicates
• Rule 1004: Admissibility of other
evidence of content
Rule 804. Hearsay Exceptions; Declarant Unavailable 18

(a) Criteria for Being Unavailable. A declarant is considered to be

unavailable as a witness if the declarant:
 (1) is exempted from testifying about the subject matter of the declarant’s statement
because the court rules that a privilege applies;
 (2) refuses to testify about the subject matter despite a court order to do so;
 (3) testifies to not remembering the subject matter;
 (4) cannot be present or testify at the trial or hearing because of death or a then-
existing infirmity, physical illness, or mental illness; or
 (5) is absent from the trial or hearing and the statement’s proponent has not been
able, by process or other reasonable means
Forensic Readiness
 Forensic Readiness 20

• Ability of an organization to make best use of digital evidence

within a limited time and with minimum cost
• Can be developed with good Incidence Response Planning
• Define processes to:
• Identify potential evidence
• Identify source
• Define policy to extract evidence
• Check investigation requirements
• Train staff to handle evidence
• Define documentation process
• Form a legal advisor board or Jury
Legal Issues In Computer Forensics
 Privacy Issues In Computer Forensics

• When acquiring evidence from an electronic device,

investigator must be cautious to avoid charges against
unlawful search and seizure i.e. they need to comply with
fourth Amendment of the US constitution
• Fourth amendment states that the government agents may
not search or seize areas or things in which a person has a
reasonable expectation of privacy, without a search
warrant.
• Dealing with evidence from all sources, investigator need
preserve other user’s anonymity
Other Rules 23
 Forensics Tools

Computer Forensics Computer Forensics Software

Hardware Operating system
Specialized cables Acquisition tools
Write-blockers Image analyzers
Drive Duplicators Recovery tools
Drive duplicators Hashing tools
Password breaking tools
Image, audio and video viewers
Security tools
 Forensics Hardware

Tableau Forensic Duplicator

Forensics Software
Forensics Softwares
 Evidence Acquisition

• Static Acquisition
• Copying a hard drive from powered off system
• Does not alter the data, so its repeatable
 Live Acquisition
• Copying data from a running system
• Can not be repeated exactly- alters the data
• RAM data has no timestamp but may reveal
very useful information
Evidence Acquisition
 Preserving Digital Evidence (Handheld Devices)

Handheld devices such as mobile phones, tablets, and

cameras.
• If the device is off, do not turn it on.
• If the device is on, leave it on and take picture of its
screen from any other device/camera
• Label and collect all devices and cable.
• Transport device to forensic lab.
 Chain of custody

 A legal document that demonstrate the possession of

evidence as it travels from original evidence location to the
forensics laboratory.
Packaging Electronic Evidence
Original Evidence Should NEVER be used for
analysis.

WHY?
Duplicate Data aka IMAGING
 Verify Image Integrity

• Calculate hash value of original data and the forensic image

generated
• If there is a match, it means the image is an exact replica of
original data
• Tools for calculating hash value:
• HashCalc
• MD5Calculator
• HashMyFiles
HashCalc
MD5 Calculator
HashMyFiles
 Recovery Tools

• Used to recover lost or deleted data.

• Criminals usually tries to delete their footprints and
relevant data after committing a crimes
Examples:
• RecoverMyFiles
• Recuva
• EASEUS Data Recovery
• UndeletePlus
• Advanced Disk Recovery
• Forecover
 Reading Task 40

• https://www.nist.gov/news-events/news/2020/06/nist-digital-
forensics-experts-show-us-what-you-got
• Cwalker:
 Computer Forensics: Bringing the Evidence to Court
• Martin Noval:
 NEW APPROACHES TO DIGITAL EVIDENCE ACQUISITION AND ANALYSIS
ANY QUESTIONS