CF Lecture 03-Digital Evidence and Forensic Investigation Process

The document provides an overview of digital forensics and the forensic investigation process. It discusses (1) how a typical forensic investigation occurs when evidence is seized, imaged, analyzed, and reported, (2) the role of the forensic investigator in determining damage, gathering evidence, analyzing data, and presenting in court, and (3) types of digital evidence like volatile and non-volatile data that can be found.

Uploaded by Faisal Shahzad

Dr. Zunera Jalil
Email: [email protected]
Today’s Agenda

• Demo of hashing tools, by Arsalan Abid (Course TA)
• Quiz # 1
• Lecture on Digital Evidence and the Investigation Process
A Typical Forensic Investigation Case

1. An incident occurs in XYZ company and the company’s server has been compromised.
2. A user contacts the company’s legal/security department for advice.
3. The legal advisor suggests getting the services of a forensic investigator (internal or external?).
4. The forensic investigator seizes the evidence at the crime scene and transports it back to the forensic lab.
5. The forensic investigator creates a bit-stream image of the files.
6. Then creates an MD5 hash of the files.
7. Examines the evidence for proof of the crime.
8. Prepares a report concluding the investigation findings.
9. Keeps the report securely.
10. The legal advisor/advocate studies the report and sees which charges/penalties may apply (may present it in a court of law).
11. The investigator destroys all evidence.
What does an Investigator do?

• Determines the extent of damage
• Gathers evidence in a forensically sound manner
• Analyzes the evidence data and protects it from tampering/damage
• Prepares an analysis report
• Presents acceptable evidence in court
Digital Evidence
Digital Evidence

• Digital evidence is information stored or transmitted in binary form that may be relied on in court.
• It can be found on a computer hard drive, a mobile phone, among other places.
• It is fragile in nature.

National Institute of Justice: https://nij.ojp.gov/digital-evidence-and-forensics


Locard’s Exchange Principle

In the commission of a crime, the perpetrator leaves something at the crime scene, and takes away with him something from the crime scene.

These "somethings" are evidence.

(Image captions: season 9, episode 5 of the TV detective show Death in Paradise, broadcast on 6 February 2020; final episode of the 2018 drama Queen of Mystery 2.)
Locard’s Exchange Principle

Wherever he steps, wherever he touches, whatever he leaves, even without consciousness, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.
— Paul L. Kirk, 1953.
Your Footprints

Visiting a website: Suppose you visit amazon.com and log in there. What evidence of this "visit" do you leave at the amazon.com web server? An entry in the web server log, of course! What evidence do you take with you?
• First of all, a cookie from the amazon.com server.
• Second, your browser caches a copy of the web pages you visit.
• Third, your browser keeps a history of all the pages you've visited.

Login attempts: Every attempt you make to log in to a system is logged!

Other footprints:
• Recently accessed files
• Networks you've been on
• Metadata in documents
• What else?
Types of Digital Evidence (1)

• Volatile Data
  • Any data that is stored in memory, or exists in transit, that will be lost when the computer loses power or is turned off.
  • Volatile data resides in registers, cache, and random access memory (RAM).
  • Examples: logged-on users, open files, process information, command history, etc.
  • The investigation of this volatile data is called “live forensics”.
Types of Digital Evidence (2)

• Non-volatile Data
  • A type of digital information that is persistently stored within a file system on some form of electronic medium and that is preserved in a specific state when power is removed.
  • Examples: hidden files, slack space, registry settings, event logs, etc.
Digital Evidence (diagram)

• Admissible
• Authentic
• Complete
• Reliable
• Believable
Sources of Evidence

Where can Evidence be found?

• User files
  • Address books, database files, documents, bookmarks, saved web pages, messages, passwords
• User-protected files
  • Encrypted files, hidden files, compressed files, etc.
• System-generated files
  • Log files, cookies, swap files, temporary files, configuration files, etc.
Rules of Evidence

• Rules of evidence define when, how and for what purpose a proof of a case may be presented.
• It may be presented before a judge, a jury, or a committee for trial, depending on the type of crime and the investigation requirements.
• Best Evidence Rule:
  • establishes any alteration of evidence (intentional or unintentional)
Federal Rules of Evidence

The Federal Rules of Evidence are a set of rules that govern the introduction of evidence at civil and criminal trials in United States federal trial courts.

• Rule 1002: Requirement of the Original
• Rule 1003: Admissibility of Duplicates
• Rule 1004: Admissibility of Other Evidence of Content
Rule 804. Hearsay Exceptions; Declarant Unavailable

(a) Criteria for Being Unavailable. A declarant is considered to be unavailable as a witness if the declarant:
• (1) is exempted from testifying about the subject matter of the declarant’s statement because the court rules that a privilege applies;
• (2) refuses to testify about the subject matter despite a court order to do so;
• (3) testifies to not remembering the subject matter;
• (4) cannot be present or testify at the trial or hearing because of death or a then-existing infirmity, physical illness, or mental illness; or
• (5) is absent from the trial or hearing and the statement’s proponent has not been able, by process or other reasonable means
Forensic Readiness
Forensic Readiness

• The ability of an organization to make the best use of digital evidence within a limited time and at minimum cost
• Can be developed with good Incident Response Planning
• Define processes to:
  • Identify potential evidence
  • Identify its source
  • Define a policy to extract evidence
  • Check investigation requirements
  • Train staff to handle evidence
  • Define a documentation process
  • Form a legal advisor board or jury
Legal Issues In Computer Forensics
Privacy Issues In Computer Forensics

• When acquiring evidence from an electronic device, the investigator must be cautious to avoid charges of unlawful search and seizure, i.e. they need to comply with the Fourth Amendment of the US Constitution.
• The Fourth Amendment states that government agents may not search or seize areas or things in which a person has a reasonable expectation of privacy without a search warrant.
• When dealing with evidence from all sources, the investigator needs to preserve other users’ anonymity.
Other Rules

Forensics Tools

Computer Forensics Hardware:
• Specialized cables
• Write-blockers
• Drive duplicators

Computer Forensics Software:
• Operating system
• Acquisition tools
• Image analyzers
• Recovery tools
• Hashing tools
• Password breaking tools
• Image, audio and video viewers
• Security tools
Forensics Hardware (image: Tableau Forensic Duplicator)

Forensics Software (images)
Evidence Acquisition

• Static Acquisition
  • Copying a hard drive from a powered-off system
  • Does not alter the data, so it is repeatable
• Live Acquisition
  • Copying data from a running system
  • Cannot be repeated exactly; it alters the data
  • RAM data has no timestamp but may reveal very useful information
Preserving Digital Evidence (Handheld Devices)

Handheld devices such as mobile phones, tablets, and cameras:
• If the device is off, do not turn it on.
• If the device is on, leave it on and take a picture of its screen with another device/camera.
• Label and collect all devices and cables.
• Transport the devices to the forensic lab.
Chain of custody

• A legal document that demonstrates the possession of evidence as it travels from the original evidence location to the forensics laboratory.
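The chain-of-custody document described above is usually a paper form, but the same record can be kept as a tamper-evident log. The Python below is an added example, not the lecture's material or any tool's output; the case and item identifiers, handler names, timestamps and evidence bytes are constructed for illustration. Each entry records who released and who received the item and why, re-hashes the evidence at every hand-off, and links to the previous entry's hash, so that an edited entry, a removed entry, or a changed evidence item is reported by `verify()`.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Tuple

# Constructed stand-in for a seized item (in a real case this would be the
# drive image produced in the lab, hashed at seizure).
EVIDENCE_BYTES = b"constructed forensic image contents for the example"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str            # ISO-8601 time of the hand-off (constructed in the demo)
    released_by: str
    received_by: str
    purpose: str              # e.g. "seizure at scene", "transport to lab"
    evidence_sha256: str      # hash of the item as received at this hand-off
    previous_entry_hash: str  # links this entry to the one before it
    entry_hash: str = ""      # hash over all fields above, set when recorded

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class ChainOfCustody:
    """Tamper-evident custody log for one evidence item in one case."""

    def __init__(self, case_id: str, item_id: str, evidence: bytes):
        self.case_id = case_id
        self.item_id = item_id
        self.seizure_sha256 = sha256_hex(evidence)  # reference hash taken at seizure
        self.entries: List[CustodyEntry] = []

    def record_transfer(self, timestamp: str, released_by: str, received_by: str,
                        purpose: str, evidence: bytes) -> CustodyEntry:
        # The receiver re-hashes the item on receipt, so a change in the
        # evidence is tied to a specific hand-off rather than noticed at trial.
        previous = self.entries[-1].entry_hash if self.entries else "GENESIS"
        entry = CustodyEntry(timestamp, released_by, received_by, purpose,
                             sha256_hex(evidence), previous)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, str]:
        """Walk the log: every entry must link to its predecessor, hash to
        its recorded value, and carry the same evidence hash as at seizure."""
        previous = "GENESIS"
        for index, entry in enumerate(self.entries):
            if entry.previous_entry_hash != previous:
                return False, f"entry {index}: link to previous entry broken"
            if entry.entry_hash != entry.compute_hash():
                return False, f"entry {index}: record altered after it was written"
            if entry.evidence_sha256 != self.seizure_sha256:
                return False, f"entry {index}: evidence hash differs from seizure hash"
            previous = entry.entry_hash
        return True, "chain intact"


def demo_chain() -> ChainOfCustody:
    """Build the two hand-offs from the slides: scene to investigator, then to the lab."""
    chain = ChainOfCustody("CASE-0001", "ITEM-01", EVIDENCE_BYTES)  # constructed ids
    chain.record_transfer("2021-03-01T09:00:00Z", "First responder", "Investigator",
                          "seizure at crime scene", EVIDENCE_BYTES)
    chain.record_transfer("2021-03-01T13:30:00Z", "Investigator", "Lab intake",
                          "transport to forensic lab", EVIDENCE_BYTES)
    return chain


if __name__ == "__main__":
    chain = demo_chain()
    print(chain.verify())                          # (True, 'chain intact')
    chain.entries[0].received_by = "Someone else"  # back-dated edit to the record
    print(chain.verify())                          # (False, 'entry 0: record altered after it was written')
```

The hash link between entries is what makes the log useful in court: a handler can only append, and any later "correction" of who held the item, or any gap in the hand-offs, shows up as a broken link when the log is verified.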
Packaging Electronic Evidence

Original evidence should NEVER be used for analysis.

WHY?

Duplicate the data, aka IMAGING.
Verify Image Integrity

• Calculate the hash value of the original data and of the forensic image generated.
• If there is a match, it means the image is an exact replica of the original data.
• Tools for calculating hash values:
  • HashCalc
  • MD5Calculator
  • HashMyFiles
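Steps 5 and 6 of the case walk-through and the slide above describe the same check: image the seized media sector by sector, hash both the original and the image, and compare. The Python below is an added example, not the lecture's code or the output of any of the listed tools (HashCalc, MD5Calculator, HashMyFiles); the drive contents, the 512-byte sector size and the function names are constructed for illustration. It computes MD5 as the slides do and SHA-256 alongside it, and shows that a single flipped bit in the image breaks the match. The same property is why a static acquisition is repeatable: imaging the same powered-off media twice yields the same hash.

```python
import hashlib
import io

# Constructed sample "drive": 4 KiB of deterministic pseudo-random bytes standing
# in for the seized disk. Real tools read the block device through a write-blocker.
SEIZED_DRIVE = bytes((i * 7919 + 13) % 256 for i in range(4096))

SECTOR_SIZE = 512  # hypothetical sector size for the example


def bit_stream_image(source: bytes, sector_size: int = SECTOR_SIZE) -> bytes:
    """Copy every sector of the source into an image buffer.
    A bit-stream image is a sector-for-sector copy rather than a file-level
    copy, so unallocated space, slack space and deleted data are preserved."""
    src = io.BytesIO(source)
    dst = io.BytesIO()
    while True:
        sector = src.read(sector_size)
        if not sector:
            break
        dst.write(sector)
    return dst.getvalue()


def hash_data(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of data, fed sector by sector so large images need not be
    held in memory twice. The slides use MD5; SHA-256 is offered as well
    because MD5 collisions are practical and many labs record both."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), SECTOR_SIZE):
        h.update(data[offset:offset + SECTOR_SIZE])
    return h.hexdigest()


def verify_image(original: bytes, image: bytes) -> dict:
    """Hash original and image with both algorithms and report each pair.
    A match on every algorithm means the image is an exact replica."""
    report = {}
    for algorithm in ("md5", "sha256"):
        h_orig = hash_data(original, algorithm)
        h_img = hash_data(image, algorithm)
        report[algorithm] = {"original": h_orig, "image": h_img,
                             "match": h_orig == h_img}
    return report


def image_is_verified(report: dict) -> bool:
    return all(entry["match"] for entry in report.values())


if __name__ == "__main__":
    image = bit_stream_image(SEIZED_DRIVE)
    report = verify_image(SEIZED_DRIVE, image)
    for algorithm, entry in report.items():
        print(f"{algorithm}: original={entry['original']}")
        print(f"{algorithm}: image   ={entry['image']}  match={entry['match']}")
    # Flip one bit in the image to show that any alteration breaks verification.
    tampered = bytearray(image)
    tampered[100] ^= 0x01
    print("verified after 1-bit change:",
          image_is_verified(verify_image(SEIZED_DRIVE, bytes(tampered))))  # False
```

Record the hashes in the case notes at acquisition time; the same comparison is repeated whenever the image is copied or handed over, so a later mismatch can be traced to the step at which it appeared.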
(Screenshots: HashCalc, MD5 Calculator, HashMyFiles)
Recovery Tools

• Used to recover lost or deleted data.
• Criminals usually try to delete their footprints and relevant data after committing a crime.

Examples:
• RecoverMyFiles
• Recuva
• EASEUS Data Recovery
• UndeletePlus
• Advanced Disk Recovery
• Forecover
Reading Task

• https://www.nist.gov/news-events/news/2020/06/nist-digital-forensics-experts-show-us-what-you-got
• Cwalker: Computer Forensics: Bringing the Evidence to Court
• Martin Noval: New Approaches to Digital Evidence Acquisition and Analysis

ANY QUESTIONS
