Cyber Security: Week 13: Digital Forensic Investigation Methods - Report Writing - Management of Evidence

This document provides an overview of digital forensic investigation methods, report writing, and evidence management. It outlines the objectives, which include explaining the digital forensic investigation process and models, common computer forensic tools, the importance of report writing, and how to properly obtain, preserve, and store forensic evidence. The document then provides brief descriptions of the topics to be covered, such as the different phases of a digital investigation, characteristics of an effective report, and tips for evidence collection.


Cyber Security

Week 13: Digital Forensic Investigation Methods - Report Writing - Management of Evidence

Course Co-Ordinator: Dr. Padmavathi Ganapathi, Professor, Department of Computer Science, Avinashilingam Institute for Home Science and Higher Education for Women (Deemed-to-be-University), Coimbatore. padmavathi.avinashilingam@gmail.com, 9486772744

Content Reviewer: Dr. Senthil Kumar T, Associate Professor, Computer Science, School of Engineering, Amrita Viswa VidyaPeetham, Coimbatore. [email protected], +919842977522

Content Writer: Dr. Digvijaysinh M. Rathod, Assistant Professor (Senior Scale), Institute of Forensic Science, Gujarat Forensic Sciences University, Sector - 9, Gandhinagar, Gujarat (India) 382007. [email protected], +919723619183, +917069077503

Objectives
• Provide learners with the need to perform digital forensic investigation and the prerequisites it requires
• Explain the investigation process and the various process models available, along with computer forensic tools
• Present the importance of report writing, the characteristics of a good report and the guidelines for preparing one
• Introduce the ways of obtaining, preserving and managing forensic evidence

Learning Outcomes
• Analyze the importance of conducting a digital forensic investigation.
• Explain the digital forensics process models.
• Recognize the various computer forensic tools currently available.
• Define the need for writing reports.
• Examine the characteristics of a good report and the key points to be considered while writing one.
• Illustrate the various ways of obtaining forensic evidence and tips for collecting it.
• Elucidate the process of digital evidence examination.
• Delineate the ways of preserving and storing digital forensic evidence.

Brief Outline and Structure

S.No Topic
13.1 Digital Forensic Investigation
13.1.1 Why investigate?
13.1.2 Prerequisites for an Effective Investigation
13.1.3 The digital forensic process
13.1.4 Process Models of Computer Forensics Investigation
13.1.5 Digital Forensic Investigation Model
13.1.6 Phases involved in Carrying out Computer Forensics Investigations
13.1.7 Maintaining Professional Conduct
13.1.8 Computer Forensic Tools
13.2 Report Writing
13.2.1 Introduction to Report Writing
13.2.2 Characteristics of a good report
13.2.3 Key points in writing a Report
13.2.4 Report Writing for High-Tech Investigations
13.3 Management of Evidence
13.3.1 Ways to Obtain Evidence Forensically
13.3.2 What we need to know while maintaining Evidence?
13.3.3 Tips for Evidence Collection
13.3.4 Evidence storage
13.3.5 Preservation of digital evidence
13.3.6 Digital Evidence Examination
13.3.7 Other analysis techniques for acquiring Evidence
13.4 Conclusion

Introduction to Digital Forensics Investigation
• As digital technologies keep emerging, crimes involving computers have increased
• Law enforcement agencies and corporate security officers have come to realize the value of the digital evidence stored on the many kinds of digital device
• Digital forensic investigation processes are therefore carried out to obtain that evidence in a legally defensible way

Digital Forensics Investigation

• Definition

Digital forensics is described as “The practice of scientifically derived and proven methods towards the identification, analysis, collection, interpretation, validation, preservation, documentation and presentation of digital evidence, to facilitate or further the reconstruction of criminal events, or to anticipate unauthorized actions that would be disruptive to planned operations”.

Why investigate?
• The purpose of an investigation varies with the organisation and with the type of civil or criminal case encountered
• Matters that typically warrant an investigation being authorised are:
• Exceeding the maximum Internet usage limit
• Inappropriate use of e-mail
• Unofficial use of the Internet, e-mail or a PC
• Information theft
• Security policy or procedure violation
• Intellectual property infringement
• Tampering with electronic documents

Prerequisites for an Effective Investigation
• Before the examination begins, the investigator establishes the level of expertise of the officials involved in the case
• For this purpose the examiner should have undergone the Department of Enterprise Services (DES) training
• Sufficient case information must be available to carry out an effective inquiry covering all facets of computer forensics
• The resources and tools to be used for acquiring and analysing evidence during the investigation must be checked in advance

Process Models of Computer Forensics Investigation
• Investigations are conducted, and evidence is stored, in a secure place known as the computer forensics lab
• The lab is physically secured to prevent evidence from being destroyed or corrupted
• Forensic investigators have made many attempts to develop a universally accepted process model
• These models have not gained universal acceptance because none applies across the whole forensics field
• The existing models cover only particular areas of computer forensics, such as law enforcement, cloud forensics or mobile forensics

Process Models of Computer Forensics Investigation
• The Systematic Digital Forensics Investigation Model
• Framework for Digital Investigations
• The Enhanced Digital Investigations Process Model
• An Extended Model of Cybercrime Investigations

Digital Forensic Investigation Model
• A digital forensic investigation model generally involves five steps:
• Investigation Preparation,
• Seizure and Isolation,
• Acquisition,
• Examination and Analysis, and
• Reporting
• Of these, the most basic steps found in every computer forensic model are search and seizure, acquisition, analysis and reporting.

Digital Forensic Investigation Model

Investigation Preparation -> Seizure and Isolation -> Acquisition -> Examination and Analysis -> Reporting

Investigation Preparation
• This phase begins once a request is received from the person(s) or law enforcement agency concerned
• It involves the paperwork and forms required to document the chain of custody, and the documents related to the case together with probable keywords
• The keywords help the investigator find evidence after the acquisition phase
• In this phase the investigating officer also collects documents about the ownership of the electronic devices, the device models, their purpose and the information the requester is seeking.

Seizure and Isolation
• Once the investigating officer reaches the crime scene, they must ensure that their actions do not accidentally modify the evidence
• Seized devices are isolated from the network so that remote access or incoming traffic cannot alter their contents
• The investigating officer applies various techniques to collect or recover evidence from
• Computers or laptops
• Various network devices, and
• Mobile devices involved in the cybercrime

Acquisition
• Refers to the extraction and imaging of data from electronic devices
• This phase deals with acquiring bitwise copies (images) of all media suspected to contain evidence
• The media include, but are not limited to, hard drives, USB devices, physical RAM, CDs/DVDs and SD cards

Acquisition
• Images can be created using two different techniques:
• Physical imaging / bit-stream imaging
• Creates a bit-for-bit image of the suspect media
• Includes deleted files and folders, data present in slack space and any other content on the media
• Also referred to as disk cloning or disk imaging
• Logical imaging / backup
• Copies the files and folders from the logical volume only
• Does not capture data that was deleted or that lies in slack space

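The two acquisition types above, shown as an added example that is not part of the original slides. The "device", its one-sector directory, the file slack residue and the unreadable sector are all constructed inside the script so it runs offline; physical_image mimics what dd does with conv=noerror,sync (zero-fill the bad sector, keep going, record it), and a real acquisition would target a write-blocked drive with dd, dc3dd or an imaging tool rather than in-memory bytes.

```python
"""Added example (not from the slides): physical bit-stream vs logical acquisition.

Everything here is constructed so the script runs offline: a toy block device with
a one-sector directory, three files (one deleted), slack residue and one bad sector.
"""
import hashlib

SECTOR = 512


class ToyDevice:
    """Simulated block device: `raw` is the whole media, `bad` the unreadable sectors."""

    def __init__(self, raw: bytes, bad=()):
        self.raw = raw
        self.bad = set(bad)

    @property
    def sectors(self) -> int:
        return len(self.raw) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(f"I/O error reading sector {n}")
        return self.raw[n * SECTOR:(n + 1) * SECTOR]


def build_device() -> ToyDevice:
    """Constructed media. Sector 0 holds 'name:start:length:live' directory entries,
    sectors 1-3 hold file data, sector 4 is unreadable. secret.txt was 'deleted'
    (live=0) but its data was never overwritten."""
    files = {
        "notes.txt": (1, b"meeting with supplier at 10am", 1),
        "secret.txt": (2, b"transfer the funds via account 4471", 0),
        "report.doc": (3, b"Q3 report draft", 1),
    }
    data = bytearray(SECTOR * 5)
    entries = []
    for name, (start, content, live) in files.items():
        data[start * SECTOR:start * SECTOR + len(content)] = content
        entries.append(f"{name}:{start}:{len(content)}:{live}")
    directory = ";".join(entries).encode()
    data[0:len(directory)] = directory
    # File slack: residue of an older, longer file in the tail of notes.txt's sector.
    data[SECTOR + 200:SECTOR + 220] = b"OLD PASSWORD hunter2"
    return ToyDevice(bytes(data), bad={4})


def physical_image(dev: ToyDevice):
    """dd-style bit-stream copy of every sector in order. An unreadable sector is
    zero-filled so later offsets stay aligned (dd conv=noerror,sync) and is recorded."""
    image = bytearray()
    bad = []
    for n in range(dev.sectors):
        try:
            image += dev.read_sector(n)
        except OSError:
            image += b"\x00" * SECTOR
            bad.append(n)
    return bytes(image), bad


def logical_copy(dev: ToyDevice) -> dict:
    """Backup-style copy: follows the directory and copies only live files, and only
    their allocated length, so deleted data and slack are never read."""
    directory = dev.read_sector(0).rstrip(b"\x00").decode()
    out = {}
    for entry in directory.split(";"):
        name, start, length, live = entry.split(":")
        if live == "1":
            out[name] = dev.read_sector(int(start))[:int(length)]
    return out


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(dev: ToyDevice) -> dict:
    """Run both acquisitions and record what the report needs: the image hash, the bad
    sector list, and whether deleted data and slack survived in each copy."""
    image, bad = physical_image(dev)
    logical = logical_copy(dev)
    logical_blob = b"".join(logical.values())
    return {
        "image_sha256": sha256_hex(image),
        "bad_sectors": bad,
        "logical_files": sorted(logical),
        "deleted_in_physical": b"transfer the funds" in image,
        "slack_in_physical": b"hunter2" in image,
        "deleted_in_logical": b"transfer the funds" in logical_blob,
        "slack_in_logical": b"hunter2" in logical_blob,
    }


if __name__ == "__main__":
    for key, value in acquire(build_device()).items():
        print(f"{key}: {value}")
```

The deleted note and the slack residue show up only in the bit-stream image; the logical copy never reads them because it follows the directory. The image hash and the bad-sector list are what go into the acquisition record, since a later re-hash of the image can only be compared against a hash taken over the same zero-filled view.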
Examination and Analysis
• Examines the evidence collected or recovered in the acquisition phase
• The investigator uses various tools and techniques to find potential evidence as the case requires
• For example, for a hard drive the investigator has to examine the file system, operating system, partitions and files
• Tools such as Autopsy, Forensic Toolkit (FTK) and EnCase are used for this purpose

Examination and Analysis
• Two methodologies are used to find digital evidence:
• Keyword search
• Evidence is searched for in processed volatile or non-volatile memory on the basis of keywords
• The keywords relate to the cybercrime case: names, mobile numbers, e-mail IDs, addresses and so on
• They may be recorded by the investigating officer on the basis of the nature of the crime
• File carving
• Extracts files from a raw image of volatile or non-volatile memory without the help of the file system
• Records are reassembled or recreated by scanning the original disk bits for known file signatures (headers and footers)
• A forensic expert uses a hex editor to analyse the raw data bit by bit

Reporting
• A collection of the findings of each phase and the final outcome of the investigation forms the report. It records:
• The starting date and time of the examination with a brief case description
• Images of the device and other specific components
• The physical condition of the device
• The condition of the device when received, such as whether it was on or off
• The specification of the device
• The procedures, tools and technology used on the device
• The data documented during the examination
• The outcome and a statement of opinion

Phases involved in Carrying out Computer Forensics Investigations
• Policy and procedure development
• Evidence assessment
• Evidence acquisition
• Evidence examination
• Documenting and reporting

Policy and Procedure Development
• Investigators must create and follow firm policies and procedures for preserving digital evidence, which is not easy to do
• Some of the procedures are:
• When computer forensic investigators have authorised access to recover digital evidence,
• How to prepare systems for retrieving evidence,
• Which storage area is to be used after the evidence is retrieved, and
• How activities are documented so that the authenticity of the data can be shown

Evidence Assessment
• This is a significant step in the cybercrime investigation process
• The classification of the cybercrime and the details of the case are obtained through effective evidence processing
• The same method applies to identity-related crimes
• The investigator uses appropriate methods to preserve the evidence retrieved from specific platforms in particular data formats
• The source and integrity of the data are determined before it is treated as evidence

Evidence Acquisition
• This is the most critical phase of a computer forensic investigation
• Extensive documentation is required before, during and after the evidence acquisition procedure
• It records the hardware and software specifications, the type of system involved in the inquiry and the system under investigation
• The integrity of the potential evidence is preserved in this stage by following established policies
• Both deliberate and lawful actions are required when acquiring digital evidence

Guidelines for Preserving Evidence
• Removing physical storage devices from the suspect system
• Using forensic boot discs to recover sensitive information without altering the original
• Using forensically sound methods, such as a write blocker, when copying and transferring digital evidence to the investigator's system

Evidence Examination
• Recovering, replicating and storing evidence in designated databases is essential for the effective investigation of potential evidence
• Investigators apply various methods and approaches to analyse and examine data from these archives
• The examining process includes searching huge data archives
• With the help of time-stamped data, investigators can identify suspicious programs or files that are hidden or encrypted

Evidence Examination
• By analysing file names and metadata one can identify details such as the date of creation, download or upload, along with the location
• Digital evidence is validated by matching online file names with the directories on a suspect's storage drive
• This stage also involves working with criminal detectives, attorneys and other senior officials
• This helps them understand the case and the types of evidence, so that permissible investigative actions can be taken

Documenting and Reporting
• Computer forensic investigators maintain a precise record of all activities in the investigation process
• The complete record of the entire investigation must be kept in computerised form
• This documentation helps to ensure the legitimacy of any verdict
• It also lets cybersecurity professionals know exactly when, where and how the evidence was retrieved
• The evidence can then be validated by comparing it against the digitally recorded documentation prepared by the investigator

Maintaining Professional Conduct
• The integrity of a computer forensics investigator is judged by their professional conduct
• It encompasses the ethical conduct and legal principles of the investigator
• The investigator must adhere to legal principles to achieve the highest level of ethical behaviour during the investigation

Guidelines for Maintaining Professional Conduct
• Maintain the confidentiality of information gathered during an investigation
• Keep the ultimate objective of the investigation in view throughout
• Continuously expand technical knowledge
• Maintain the integrity of the investigation process and of the facts
• Consider all the available facts thoroughly before reaching conclusions
• Stay aware of the latest investigation practices and mechanisms

Computer Forensic Tools
• Criminal investigators use comprehensive forensic software tools to collect, index and analyse evidence.
• Some of the commonly used forensic software tools are:
• EnCase Forensic Edition
• X-Ways Forensics
• Linux dd
• Paraben
• Forensic Toolkit (FTK)

Computer Forensic Tools
• Network forensic analysis often begins with the capture of traffic using a packet analyzer (sniffer) such as Wireshark
• Such tools gather the forensic information from the network
• Network traffic can be intercepted and logged for later analysis with a packet analyzer
• An alternative to Wireshark is NetworkMiner, a Network Forensic Analysis Tool (NFAT)
• It extracts or recovers whole files from traffic and provides forensic capabilities such as analysis of stored (captured) network traffic

Computer Forensic Tools
• Snort is a valuable tool that detects network intruders in real time
• Files deleted during an incident can be identified and recovered with Forensic Toolkit (FTK)
• EnCase is a tool suited to forensic, cyber-security and e-discovery use

Introduction to Report Writing
• A crucial activity that accompanies the first four steps of the investigation process is contemporaneous note-taking
• It documents all the essential details of the crime and the suspect
• It plays a vital role in digital forensic cases
• A sound report helps the judge deliver proper justice to the victim

Report Writing
• The report documents the evidence that supports each assertion
• It should be written in an organised manner and include all necessary log files and pictures
• It may be presented as expert witness evidence, together with a statement of the expert's service charges
• It must be in PDF format and presented as one contiguous document
• It should not rely on unstated conventions or assumptions

Report Writing
• The report should be brief, with
• No grammar or spelling mistakes,
• No word repetition, and no difficult or slang words
• A list of supporting resources should be included with the report, such as
• Printouts of the specific evidence objects,
• Their digital replicas, and
• Chain of custody references

Characteristics of a Good Report
• The name of, and details about, the reporting agency
• The case identifier or submission number
• The identity of both the submitter and the investigator involved in the case, along with their signatures
• The dates of receipt and of reporting
• A prescribed explanation of the collection and examination actions taken
• A clear description of the items submitted for inspection, with serial number and model

Characteristics of a Good Report
• A brief explanation of the examination methods and stages used
• An uncertainty and error analysis
• An explanation of the results
• All log files generated by the forensic tools
• A detailed summary of the findings

Characteristics of a Good Report
• The details of the findings should describe the outcomes of the investigation, including:
• Specific documents relating to the findings
• The type of search used, such as string search, keyword search or text string search
• Network-related evidence
• Analysis of explicit images
• Ownership indicators
• Data and program analysis of the examined items
• Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions and file name anomalies

Key Points in Writing a Report
• Report writing offers a way to address cyber security threats grounded in risk management
• It identifies the values and actual practices to be considered by the organisation
• It recognises that there is no one-size-fits-all approach to cybersecurity

Key Points in Writing a Report
• Include a sound governance basis with robust guidance
• A good report must document the phases of the risk assessment mechanisms
• It should cover the technical controls that serve as a central component of the organisation's cybersecurity program in the relevant situations
• Every organisation must develop, apply and test incident response strategies
• Every organisation must maintain a report that sets out the cybersecurity risk measures taken throughout the investigation process
• Well-trained staff are needed to produce an effective and successful report

Report Writing for High-Tech Investigations
• A well-organised and structured report enables readers to understand the information in it clearly
• This information includes the type of investigation carried out and the related data
• The report's supporting material should follow a regular numbering scheme, with labels for every table and figure
• Vague wording, slang and idioms should not be used

Ways to Obtain Evidence Forensically
• The traditional method used in computer forensic investigations is the examination of data at rest on hard drives
• Two methods are employed to obtain evidence:
• Dead analysis - used when the computer system is powered off or otherwise at rest
• Also termed dead forensic acquisition or static acquisition
• Live analysis - gathers data, including volatile data, from the running system before it is shut down
• Provides quick, up-front evidence at the crime scene, allowing the investigation to start immediately

Questions Raised while Maintaining Evidence
• Where is the evidence?
• What does the evidence mean?
• How to put it all together?
• How - determine how the system break-in happened
• What - determine what damage was done to the system
• Who - determine the suspect
• When - determine the time of the system break-in
• Where - determine the suspect's entry point
• Why was the attacker able to attack the target successfully?

Tips for Evidence Collection
• Acquire the evidence as early as possible through lawful practices
• Protect the evidence with cryptographic methods: hash it to prove integrity, and encrypt copies where confidentiality is needed
• Seize the originals and keep them under strict protection
• Seize the latest copy of the evidence when the originals are not available
• Analyse only the duplicates
• Use trustworthy and reliable tools
• Document every task carried out

Evidence Collection Form (the form images are not reproduced here)

Evidence Storage
• Storing the evidence is governed by the 2 + 1 rule
• Keeping the evidence safe is best accomplished by using the 2 + 1 rule
• This calls for 2 physical locks and 1 electronic lock on all evidence
• Locked in the forensic lab = 1 physical lock
• Locked in an evidence safe = 1 physical lock
• Password-protected evidence = 1 electronic lock

Planning for a Successful Investigation of Digital Evidence
• Acquire the evidence from the suspect or crime scene
• Complete an evidence form and establish a chain of custody
• Transport the evidence to the computer forensics lab
• Place the evidence in an approved secure container
• Prepare a forensic workstation
• Retrieve the evidence from the secure container
• Make a forensic copy of the evidence drive
• Return the evidence drive to the secure container
• Process the copied evidence drive with computer forensics tools

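The evidence form, chain of custody and hash verification from the steps above, as an added example that is not part of the slides. It makes the custody log tamper-evident by hashing each entry together with the previous entry's hash, an added design choice rather than something the slides prescribe; the case, the people, the times and the evidence bytes (standing in for an acquired image) are constructed.

```python
"""Added example (not from the slides): evidence form and tamper-evident chain of custody.

The case, people, times and evidence bytes are constructed. Each custody entry is
hashed with the previous entry's hash, so editing, reordering or dropping an earlier
entry breaks verification.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceRecord:
    """Evidence form fields plus the acquisition hash, followed by a custody log."""

    def __init__(self, case_id, item_id, description, seized_from, seized_by,
                 seized_at, evidence: bytes):
        self.form = {
            "case_id": case_id, "item_id": item_id, "description": description,
            "seized_from": seized_from, "seized_by": seized_by, "seized_at": seized_at,
            "acquisition_sha256": sha256_hex(evidence),
        }
        self.custody = []

    @staticmethod
    def _link_hash(entry: dict, prev_hash: str) -> str:
        # Canonical JSON so key order cannot change the hash.
        payload = json.dumps(entry, sort_keys=True).encode() + prev_hash.encode()
        return sha256_hex(payload)

    def transfer(self, from_person, to_person, when, purpose) -> str:
        """Append a custody event whose hash covers the event and the previous link."""
        prev = self.custody[-1]["hash"] if self.custody else self.form["acquisition_sha256"]
        entry = {"from": from_person, "to": to_person, "when": when, "purpose": purpose}
        entry["hash"] = self._link_hash(entry, prev)
        self.custody.append(entry)
        return entry["hash"]

    def verify_chain(self) -> bool:
        """Recompute every link; False if any entry was altered, reordered or removed."""
        prev = self.form["acquisition_sha256"]
        for entry in self.custody:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if self._link_hash(body, prev) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def verify_evidence(self, data: bytes) -> bool:
        """Before processing a working copy, confirm it still matches the acquisition hash."""
        return sha256_hex(data) == self.form["acquisition_sha256"]


def demo_case():
    """Walk the planning steps: acquire, form + custody, transport, safe, copy, process."""
    image = b"\x00" * 512 + b"evidence payload" + b"\x00" * 496  # constructed image bytes
    rec = EvidenceRecord("CASE-2024-017", "ITEM-01", "Laptop HDD, 500 GB",
                         "Suspect desk, room 4", "Investigator A",
                         "2024-03-02T22:10:00Z", image)
    rec.transfer("Investigator A", "Transport officer B", "2024-03-02T23:00:00Z", "transport to lab")
    rec.transfer("Transport officer B", "Evidence custodian C", "2024-03-03T08:30:00Z", "evidence safe")
    rec.transfer("Evidence custodian C", "Examiner D", "2024-03-03T09:15:00Z", "retrieve for imaging")
    rec.transfer("Examiner D", "Evidence custodian C", "2024-03-03T11:40:00Z", "return after copying")
    working_copy = bytes(image)  # the forensic copy that gets processed
    return rec, working_copy


if __name__ == "__main__":
    rec, copy = demo_case()
    print("chain intact:", rec.verify_chain())
    print("copy matches acquisition:", rec.verify_evidence(copy))
    rec.custody[1]["to"] = "Someone else"  # a later edit to an earlier entry
    print("chain intact after tampering:", rec.verify_chain())
```

Verifying the working copy against the acquisition hash before processing is what links the analysis back to the seized original; the chained custody log shows that the record of who held the item, and when, has not been rewritten since.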
Preservation of Digital Evidence
• Preserving critical electronic evidence during on-site investigation and threat eradication paves the way for successful incident analysis
• Certified and trained forensic experts protect every piece of related data captured during on-site investigations from damage
• This is done by following the relevant standards and rules
• Forensically sound methods are used to get a clear idea of the type of incident encountered and to carry out the necessary response

Types of Data Preserved as Digital Evidence
• Data held on e-mail servers
• Data captured from network shares
• Data on desktop or laptop computers, handheld and portable devices
• Data held on backup media

Digital Evidence Examination
• The crime scene is reconstructed through digital evidence examination: locating, extracting and analysing the evidence
• Extraction - the process of recovering data from its source
• Analysis - the interpretation of the recovered data into a logical and useful form
• Evidence examination uses techniques to find and interpret the significant data
• Doing this properly preserves the integrity of the evidence and the chain of custody for submission in court
• The examination process varies with the type of case

Steps in Digital Evidence Examination

Preparation -> Locating Evidence -> Extracting Evidence -> Reconstruction of Extracted Data

Preparation
• A separate working directory must be created for storing the extracted and recovered evidentiary files and data
• A lab evidence log is then prepared from the case management system
• It records the examination details and the state of the evidence on arrival

Locating Evidence
• Making a checklist of all the evidence details helps the examination process
• Evidence is located on the basis of the case and of the type of operating system used
• Depending on the type of case, evidence is searched for and gathered from specific areas and files
• Evidence can be located on various operating systems, such as
• Windows operating systems
• Linux/Unix operating systems

Locating Evidence - Windows Operating System
• Files and file system
• Hidden files
• Detect unusual or hidden files
• Slack space
• Windows registry
• Windows print spooler and enhanced metafiles

Locating Evidence - Linux/Unix Operating System
• Mount the restored image (working copy) read-only
• Contents of the disk
• List all files along with their access times
• List unknown file extensions and files whose appearance has changed
• Syslog
• File access times
• Detect unusual or hidden files, compressed files, misnamed files, encrypted files and password-protected files

Locating Evidence - Both Windows and Linux/Unix Operating Systems
• Temporary internet files, cookies and batch files
• Memory
• Swap files
• Unallocated clusters, unused partitions, hidden partitions, HPA and DCO
• Destroyed or deleted partitions, files and data
• E-mail evidence
• Scan for backdoors and network sniffers
• Locate rootkits or viruses

Extracting Evidence
• Physical extraction - extraction of data from the drive at the physical level, regardless of the file systems present on the drive
• Logical extraction - extraction of data from the drive based on the file system(s) present on the drive

Physical Extraction Methods
• Keyword searching (prepare a list of keywords to search for)
• File carving
• Extraction of the partition table and of the unused space on the physical drive
• Examination of the partition structure to identify the file systems present and to determine whether the entire physical size of the hard drive is accounted for

Logical Extraction Methods
• Extraction of the file system information
• Data reduction to identify and eliminate known files
• Extraction of files pertinent to the examination
• Recovery of deleted files and partitions
• Extraction of password-protected, encrypted and compressed data, as well as file slack and unallocated space
• Extraction of information from startup and configuration files
• Determination of data relevance
• Extraction of IDS, router, firewall, application and authentication log files
• Extraction of e-mails and deleted e-mails

Reconstruction of Extracted Data
• Used to reconstruct the crime so as to produce a clear picture of it and identify the missing links
• There are three fundamental forms of reconstruction for investigating crimes:
• Temporal analysis - establishes when events happened and in what order
• Relational analysis - facilitates reconstruction by correlating the actions of the suspect, the victim and others involved
• Functional analysis - discovers how the activities or actions actually happened and which factors were responsible

Other Analysis Techniques for Acquiring Evidence
• Timeframe analysis
• Data hiding analysis
• Application and file analysis
• Log file analysis
• Analysis of e-mail messages
• Network analysis

Timeframe Analysis
• It determines when events occurred on the computer system and links them to the usage of an individual
• Two methods are used in this analysis:
• Reviewing the date and time stamps in the file system metadata
• Includes last modified, last accessed, created and change-of-status times
• Links files of interest to the timeframes relevant to the investigation
• Reviewing system logs and application logs
• Includes error logs, installation logs, connection logs, security logs and so on

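The two timeframe methods above, as an added example that is not part of the slides. It merges file system timestamps and log lines into one timeline, filters the window of interest, and flags files whose modified time precedes their created time, the pattern left by files copied in from elsewhere or timestomped. The file metadata, paths and log lines are constructed.

```python
"""Added example (not from the slides): timeframe analysis from file system timestamps
and system logs. The file metadata, paths and log lines are constructed; times are UTC.
"""
from datetime import datetime, timezone

FILES = [  # constructed metadata: modified, accessed, created, changed (status change)
    {"name": "C:/Users/bob/Downloads/invoice.exe",
     "modified": "2024-03-02T21:14:05", "accessed": "2024-03-02T21:14:20",
     "created": "2024-03-02T21:14:05", "changed": "2024-03-02T21:14:05"},
    {"name": "C:/Windows/System32/svch0st.exe",
     "modified": "2019-01-10T08:00:00", "accessed": "2024-03-02T21:16:40",
     "created": "2024-03-02T21:16:40", "changed": "2024-03-02T21:16:40"},
    {"name": "C:/Users/bob/Documents/Q3.xlsx",
     "modified": "2024-01-15T10:02:00", "accessed": "2024-03-02T21:18:11",
     "created": "2024-01-15T10:02:00", "changed": "2024-01-15T10:02:00"},
]

LOGS = [  # constructed "timestamp source message" lines
    "2024-03-02T21:13:58 security Logon success user=bob src=10.0.0.7",
    "2024-03-02T21:16:38 application Service 'Updater' installed path=C:/Windows/System32/svch0st.exe",
    "2024-03-02T21:19:02 connection Outbound 203.0.113.9:443 pid=4120",
]

TIMESTAMP_FIELDS = ("modified", "accessed", "created", "changed")


def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def build_timeline(files=FILES, logs=LOGS):
    """One event per file timestamp plus one per log line, sorted by time.
    Each event is (time, source, description)."""
    events = []
    for f in files:
        for field in TIMESTAMP_FIELDS:
            events.append((parse_ts(f[field]), "filesystem", f"{field}: {f['name']}"))
    for line in logs:
        ts, source, message = line.split(" ", 2)
        events.append((parse_ts(ts), source, message))
    return sorted(events, key=lambda e: e[0])


def in_window(timeline, start: str, end: str):
    """Events inside the timeframe relevant to the investigation (inclusive)."""
    lo, hi = parse_ts(start), parse_ts(end)
    return [ev for ev in timeline if lo <= ev[0] <= hi]


def timestamp_anomalies(files=FILES):
    """A modified time earlier than the created time means the content predates the
    file's appearance on this volume: typical of a file copied in from elsewhere,
    and also of timestomping. Such files deserve a closer look."""
    flagged = []
    for f in files:
        if parse_ts(f["modified"]) < parse_ts(f["created"]):
            flagged.append((f["name"], "modified before created"))
    return flagged


if __name__ == "__main__":
    tl = build_timeline()
    for when, source, what in in_window(tl, "2024-03-02T21:13:00", "2024-03-02T21:20:00"):
        print(when.isoformat(), source, what)
    print(timestamp_anomalies())
```

Read in order, the window shows the logon, the download, the service installation two seconds before the svch0st.exe creation time, and the outbound connection; the anomaly check singles out svch0st.exe, whose 2019 modified time does not fit a file created on the volume in 2024.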
Data Hiding Analysis
• Helps to recover sensitive information bearing on knowledge or ownership
• The methods used in data hiding analysis are:
• Comparing each file's header (signature) with its file extension
• Examining every encrypted, compressed and password-protected file
• Gaining access to the Host Protected Area, which may have been used to conceal user-created data

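The header-versus-extension check above, as an added example that is not part of the slides, together with a Shannon entropy screen for spotting encrypted or compressed content; the entropy test and its 7.5 bits-per-byte threshold are an added heuristic, not something the slide names. The signature table is short and the sample files are constructed.

```python
"""Added example (not from the slides): header-vs-extension mismatch and an entropy
screen for encrypted or compressed files. The signature table is short and the
sample files are constructed; the 7.5 bits/byte threshold is an added heuristic.
"""
import math

MAGIC = {  # leading bytes -> extensions that legitimately carry them (first is canonical)
    b"\xff\xd8\xff": ("jpg", "jpeg"),
    b"\x89PNG\r\n\x1a\n": ("png",),
    b"PK\x03\x04": ("zip", "docx", "xlsx", "pptx", "jar"),
    b"%PDF-": ("pdf",),
    b"MZ": ("exe", "dll", "sys"),
}


def magic_extensions(data: bytes):
    """Return the extensions implied by the file's leading bytes, or None if unknown."""
    for signature, exts in MAGIC.items():
        if data.startswith(signature):
            return exts
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally common (ciphertext-like)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def examine(name: str, data: bytes, entropy_threshold: float = 7.5):
    """Findings for one file: an extension the content does not match, and/or
    high entropy suggesting encryption or compression."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    findings = []
    implied = magic_extensions(data)
    if implied is not None and ext not in implied:
        findings.append(f"extension .{ext} but content looks like {implied[0]}")
    if shannon_entropy(data) >= entropy_threshold:
        findings.append("high entropy: likely encrypted or compressed")
    return findings


SAMPLES = {  # constructed files
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"JFIF" + b"\x00" * 64,
    "readme.txt": b"MZ\x90\x00" + b"\x00" * 60,              # executable hiding as text
    "report.docx": b"PK\x03\x04" + b"word/document.xml",     # zip container, legitimate
    "vault.dat": bytes(range(256)) * 16,                     # stands in for ciphertext
    "notes.txt": b"meeting with supplier at 10am, bring the Q3 report\n" * 4,
}


def examine_all(samples=SAMPLES):
    return {name: examine(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in examine_all().items():
        print(name, findings or "ok")
```

Container formats such as .docx share the ZIP signature, so the table maps one signature to several legitimate extensions; without that, every Office document would be reported as a mismatch.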
Application and File Analysis
• The files identified by the examiner contain information relevant to the investigation
• The name of a file often relates to its contents, which makes it a useful lead
• The file contents are examined to determine whether they contain evidence or to determine the file's owner
• Linking files with the applications installed
• Examining the relationships that exist between different files
• Analysing the default storage locations of the user's applications and the other drive file structures
• Examining user configuration settings, file metadata and user-created file contents

Log File Analysis
• Analysing network traffic and packets on each network
• Analysing IDS logs and monitoring security events
• Performing protocol analysis and content searching or matching for each network packet
• Investigating and analysing router, firewall and switch logs
• Investigating and analysing application server logs
• Correlating log files to get an overview of network attacks

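Log correlation as an added example that is not part of the slides. The firewall, IDS and authentication lines are constructed in a simplified "timestamp source message" form; events are grouped by IP address across the three sources, and a failed-then-successful login pattern is used to answer the who, when, where and how questions from the earlier slide.

```python
"""Added example (not from the slides): correlating firewall, IDS and authentication
logs by IP address. The lines are constructed in a simplified 'timestamp source
message' form; real logs need per-format parsers, but the correlation is the same.
"""
import re
from collections import defaultdict

LOG_LINES = [
    "2024-03-02T21:10:00 firewall ACCEPT src=10.0.0.7 dst=10.0.0.5 dport=445",
    "2024-03-02T21:10:41 firewall ACCEPT src=198.51.100.23 dst=10.0.0.5 dport=22",
    "2024-03-02T21:10:42 auth Failed password for admin from 198.51.100.23 port 51022 ssh2",
    "2024-03-02T21:10:50 auth Failed password for admin from 198.51.100.23 port 51031 ssh2",
    "2024-03-02T21:10:58 auth Failed password for admin from 198.51.100.23 port 51035 ssh2",
    "2024-03-02T21:11:05 ids ET SCAN SSH brute force attempt src=198.51.100.23 dst=10.0.0.5",
    "2024-03-02T21:11:30 auth Accepted password for admin from 198.51.100.23 port 51040 ssh2",
    "2024-03-02T21:12:02 firewall ACCEPT src=10.0.0.5 dst=203.0.113.9 dport=443",
    "2024-03-02T21:12:03 ids ET MALWARE known C2 beacon src=10.0.0.5 dst=203.0.113.9",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse(line: str) -> dict:
    ts, source, message = line.split(" ", 2)
    return {"ts": ts, "source": source, "msg": message, "ips": IP_RE.findall(message)}


def correlate(lines=LOG_LINES):
    """Group every event under each IP it mentions, across all sources, in time order."""
    by_ip = defaultdict(list)
    for ev in map(parse, lines):
        for ip in ev["ips"]:
            by_ip[ip].append(ev)
    for events in by_ip.values():
        events.sort(key=lambda e: e["ts"])
    return dict(by_ip)


def brute_force_logins(lines=LOG_LINES, threshold=3):
    """Who/how: at least `threshold` failed logins from one IP followed by a success."""
    failures = defaultdict(int)
    hits = []
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        if ev["source"] != "auth" or not ev["ips"]:
            continue
        ip = ev["ips"][0]
        if "Failed password" in ev["msg"]:
            failures[ip] += 1
        elif "Accepted password" in ev["msg"] and failures[ip] >= threshold:
            account = re.search(r"for (\S+) from", ev["msg"]).group(1)
            hits.append({"who": ip, "when": ev["ts"], "account": account,
                         "failures_before": failures[ip]})
    return hits


def summarize(lines=LOG_LINES):
    """Answer where (entry point), when (first contact) and what followed for each attacker IP."""
    by_ip = correlate(lines)
    out = []
    for hit in brute_force_logins(lines):
        events = by_ip[hit["who"]]
        out.append({
            "who": hit["who"],
            "when": events[0]["ts"],
            "where": next((e["msg"] for e in events if e["source"] == "firewall"), None),
            "how": hit,
            "ids_alerts": [e["msg"] for e in events if e["source"] == "ids"],
        })
    return out


if __name__ == "__main__":
    for s in summarize():
        print(s)
```

No single source tells the story: the firewall shows the entry point and time of first contact, the auth log shows the guessed account, and the IDS alerts tie the brute force to the later beacon from the compromised host. Pulling them together on the attacker's address is what the slide's final bullet means by correlating log files.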
Analysis of E-mail Messages
• Viewing the e-mail header for the origin of the e-mail, the sender's address and the mechanisms used to deliver it
• Tracing the e-mail to obtain the Internet domain and the source IP address recorded in the header
• Verifying the e-mail path by checking the router and firewall logs
• Analysing logs from the e-mail server
• Contacting the e-mail provider in the case of web-based e-mail to obtain the suspect's information

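Header analysis as an added example that is not part of the slides. The message is constructed with documentation-range addresses; the script reads the Received headers bottom-up to recover the origin-to-destination path, picks out the originating IP to trace and to check against router and firewall logs, and reports two simple spoofing indicators: a From domain whose mail was injected through an unrelated relay, and a Message-ID domain that does not match the From domain.

```python
"""Added example (not from the slides): tracing an e-mail's path from its Received
headers. The message is constructed with documentation-range addresses.
"""
import email
import re
from email import policy
from email.utils import parseaddr

RAW_MESSAGE = """\
Received: from mail.victim.example (mail.victim.example [192.0.2.10])
\tby mx.victim.example with ESMTP id abc123; Sat, 2 Mar 2024 21:20:05 +0000
Received: from relay.freemail.example (relay.freemail.example [198.51.100.5])
\tby mail.victim.example with ESMTPS; Sat, 2 Mar 2024 21:20:03 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby relay.freemail.example with ESMTPA; Sat, 2 Mar 2024 21:19:58 +0000
From: "CEO" <ceo@victim.example>
To: finance@victim.example
Subject: urgent transfer
Message-ID: <20240302211958.1234@freemail.example>
Date: Sat, 2 Mar 2024 21:19:58 +0000

Please wire the funds today.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$")
IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def trace_path(raw: str = RAW_MESSAGE):
    """Return (message, hops). Each relay prepends its own Received header, so the
    top one is the last hop; reversing gives origin -> destination order."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for header in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", str(header)).strip()  # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        ip = IP_RE.search(m.group("info"))
        hops.append({"from": m.group("from"), "ip": ip.group(0) if ip else None,
                     "by": m.group("by"), "date": m.group("date")})
    hops.reverse()
    return msg, hops


def origin_ip(hops):
    """The source IP in the earliest Received header: the one to trace and to check
    against router/firewall logs."""
    return hops[0]["ip"] if hops else None


def spoof_indicators(msg, hops):
    """Cheap checks of the claimed sender against the path the headers show."""
    from_domain = parseaddr(str(msg["From"]))[1].split("@")[-1].lower()
    msgid_domain = str(msg["Message-ID"]).strip("<>").split("@")[-1].lower()
    findings = []
    if hops and not hops[0]["by"].endswith(from_domain):
        findings.append(f"first relay {hops[0]['by']} is not under the From domain {from_domain}")
    if msgid_domain != from_domain:
        findings.append(f"Message-ID domain {msgid_domain} differs from From domain {from_domain}")
    return findings


if __name__ == "__main__":
    message, path = trace_path()
    for hop in path:
        print(f"{hop['from']} ({hop['ip']}) -> {hop['by']} at {hop['date']}")
    print("origin:", origin_ip(path))
    print("indicators:", spoof_indicators(message, path))
```

Only the Received header written by the victim's own server can be trusted as-is; earlier hops were written by other parties and may be forged, which is why the slide pairs header reading with checks against the organisation's router and firewall logs and with a request to the provider for the originating account.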
Network Analysis
• Analysing abnormal system processes, open ports and services using system commands or third-party network analysis tools
• Analysing the startup files to identify unauthorised system modifications and unusual ports listening for connections from other hosts
• Inspecting network configurations for unauthorised entries
• Identifying the initiating IP address, source port, service, date and time
• Identifying unauthorised network trusts

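The listening-port check above, as an added example that is not part of the slides. The ss -tlnp output and the baseline allowlist for the host are constructed; listeners bound only to loopback are skipped, and anything reachable from other hosts on a port not in the baseline, or served by a different process than expected, is reported with its PID for follow-up.

```python
"""Added example (not from the slides): comparing listening sockets with a baseline.
The `ss -tlnp` output and the baseline for this host are constructed.
"""
import re

BASELINE = {22: "sshd", 80: "nginx", 443: "nginx"}  # assumed allowlist: port -> process

SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=1021,fd=6))
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=640,fd=7))
LISTEN  0       10      0.0.0.0:4444        0.0.0.0:*          users:(("nc",pid=5123,fd=3))
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*          users:(("python3",pid=5200,fd=3))
"""

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def parse_listeners(output: str = SS_OUTPUT):
    """One dict per LISTEN line: bound address, port, owning process and PID."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append({"addr": m.group(1), "port": int(m.group(2)),
                              "process": m.group(3), "pid": int(m.group(4))})
    return listeners


def unexpected_listeners(listeners, baseline=BASELINE,
                         loopback=("127.0.0.1", "::1", "[::1]")):
    """Ports reachable from other hosts that are not in the baseline, or that are
    served by a different process than the baseline expects."""
    findings = []
    for l in listeners:
        if l["addr"] in loopback:
            continue  # loopback-only services cannot accept remote connections
        expected = baseline.get(l["port"])
        if expected is None:
            findings.append((l["port"], l["process"], l["pid"], "port not in baseline"))
        elif expected != l["process"]:
            findings.append((l["port"], l["process"], l["pid"], f"expected {expected}"))
    return findings


if __name__ == "__main__":
    for finding in unexpected_listeners(parse_listeners()):
        print(finding)
```

The second kind of finding matters as much as the first: port 80 is in the baseline, but it is being served by python3 rather than nginx, which is how a replaced or hijacked service shows up when the port list alone looks normal.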
Conclusion
• The emergence of digital technologies is the main reason behind cybercrimes and crimes associated with computers
• This has led law enforcement agencies and security officers to take charge of conducting digital forensic investigations
• The importance of the forensic investigation process, the prerequisites for conducting it, the different investigation process models available, the phases involved and the tools used in these processes have been elaborated

Conclusion
• Report writing is one of the best practices followed by forensic investigators in the process of identifying the criminal
• Since digital forensic evidence plays a major role, the following were presented this week:
• The various ways of obtaining the evidence,
• The importance of maintaining it,
• Tips for collecting and storing it,
• The digital examination process, and
• Other related techniques

Thank you
