ETI U-III Notes
Content:
3.1 Digital forensics
    Introduction to digital forensic
    History of forensic
    Rules of digital forensic
    Definition of digital forensic
    Digital forensics investigation and its goal
3.2 Models of Digital Forensic Investigation
    Digital Forensic Research Workshop Group (DFRWS) Investigative Model
    Abstract Digital Forensics Model (ADFM)
    Integrated Digital Investigation Process (IDIP)
    End to End digital investigation process (EEDIP)
    An extended model for cybercrime investigation
    UML modeling of digital forensic process model (UMDFPM)
3.3 Ethical issues in digital forensic
    General ethical norms for investigators
    Unethical norms for investigation
https://www.gunwantmankar.com 1
Unit-III Basics of Digital Forensic| ETI-22618
By Prof. Gunwant Mankar
Youtube: https://www.youtube.com/c/GunwantMankar
1. Handling and locating a certain amount of valid data among the large number of files stored in a computer system.
2. It is possible that the information has been deleted; in such a situation, searching inside the files is worthless.
3. If the files are secured by passwords, investigators must find a way to read the protected data in an unauthorized manner.
4. Data may be stored in a damaged device, but the investigator can only search for data in working devices.
5. A major obstacle is that each and every case is different, so identifying the techniques and tools will take a long time.
6. The digital data found should be protected from being modified. It is very tedious to prove that the data under examination is unaltered.
7. A common procedure for investigation and standard techniques for collecting and preserving digital evidence are desired.
Operations Readiness phase
Infrastructure Readiness phase
2. Deployment phase: The purpose is to provide a mechanism for an incident to be detected and confirmed. It includes two phases:
    Detection and Notification phase; where the incident is detected and then the appropriate people are notified.
    Confirmation and Authorization phase; which confirms the incident and obtains legal authorization to carry out a search warrant.
3. Physical Crime Investigation phase: The goal of this phase is to collect and analyze the physical evidence and reconstruct the actions that took place during the incident. It includes six phases:
    Preservation phase; which seeks to preserve the crime scene so that evidence can later be identified and collected by personnel trained in digital evidence identification.
    Survey phase; which requires an investigator to walk through the physical crime scene and identify pieces of physical evidence.
    Documentation phase; which involves taking photographs, sketches and videos of the crime scene and the physical evidence. The goal is to capture as much information as possible so that the layout and important details of the crime scene are preserved and recorded.
    Search and collection phase; in which an in-depth search and collection of the scene is performed so that additional physical evidence is identified, paving the way for a digital crime investigation to begin.
    Reconstruction phase; which involves organizing the results from the analysis done and using them to develop a theory for the incident.
    Presentation phase; which presents the physical and digital evidence to a court or to corporate management.
4. Digital Crime Investigation phase: The goal is to collect and analyze the digital evidence that was obtained from the physical investigation phase and through any other future means. It includes similar phases to the Physical Investigation phase, although the primary focus is on the digital evidence. The six phases are:
    Preservation phase; which preserves the digital crime scene so that evidence can later be synchronized and analyzed for further evidence.
    Survey phase; whereby the investigator transfers the relevant data from a venue outside the physical or administrative control of the investigator to a controlled location.
    Documentation phase; which involves properly documenting the digital evidence when it is found. This information is helpful in the presentation phase.
    Search and collection phase; whereby an in-depth analysis of the digital evidence is performed. Software tools are used to reveal hidden, deleted, swapped and corrupted files that were used, including the dates, duration, log files etc. Low-level timelining is performed to trace a user's activities and identity.
    Reconstruction phase; which includes putting the pieces of a digital puzzle together and developing investigative hypotheses.
    Presentation phase; which involves presenting the digital evidence that was found to the physical investigative team. It is noteworthy that this DFPM facilitates concurrent execution of the physical and digital investigations.
5. Review phase: This entails a review of the whole investigation and identifies areas of improvement. The IDIP model does well at illustrating the forensic process, and also conforms to the cyber terrorism capabilities, which require a digital investigation to address issues of data protection, data acquisition, imaging, extraction, interrogation, ingestion/normalization, analysis and reporting. It also highlights the reconstruction of the events that led to the incident and emphasizes reviewing the whole task, hence ultimately building a mechanism for quicker forensic examinations.
3. The collection phase includes documentation of the physical scene and replication of the digital evidence using an approved standard procedure.
4. The examination phase involves obtaining and studying the digital evidence. Methods of extraction are used for reconstructing data from the media.
5. In the analysis phase the validity of the documented evidence is explored and conclusions are drawn by integrating chunks of data.
6. The presentation phase involves summarizing the evidence found in the process of investigation.
Phases of EMCI: The EMCI follows a waterfall model, as every activity occurs in sequence. The sequence of examine, hypothesize, present and prove/defend is bound to be repeated as the evidence heap increases during the investigation.
1. Awareness is the phase during which the investigators are informed that a crime has taken place; the crime is reported to some authority. An intrusion detection system may also trigger such awareness.
2. Authorization is the stage where the nature of the investigation has been identified; unplanned authorization may be required to proceed, and the authorization is obtained internally or externally.
3. Planning is impacted by information from within and outside the organization that will affect the investigation. Internal factors are the organization's policies, procedures and former investigative knowledge, while outside factors consist of legal and other requirements not known by the investigators.
Phases of UMDFPM:
Kohn and Oliver made use of UML use case diagrams (Figure 2.6) to demonstrate all the phases and their interaction with all investigators. Two processes have been added to the activity diagram to align it with Kohn's framework. These are "prepare" in the preparation phase and "present" in the presentation phase.
1. The whole process is triggered by criminal activity, which constitutes the starting point. Prepare is the first step. The rest of the processes follow logically from prepare to collect, authenticate, examine and then analyze.
2. Authentication is introduced between the collection and examination phases to make sure that the integrity of the data is preserved before the examination is started.
3. Examination can alter the contents of data, such as in the case of compressed files, hidden files and other forms of data incomprehension.
The primary investigator will consider whether to analyze more data or to extract more data from the original source. After reaching this decision point, an evidence report is compiled as part of the report procedure. The whole document is compiled during the investigation phase. The evidence document is the output of the investigation phase.
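The authentication step that the UMDFPM places between collection and examination, and the difficulty noted among the challenges above of proving that data under examination is unaltered, are both normally addressed the same way: hash every item at collection, keep the hashes in a manifest held separately from the evidence, and recompute them before examination begins. The script below is an added example, not code from these notes or from Kohn and Oliver's work; the evidence files, their contents, the examiner identifier and the manifest layout are all constructed for the illustration.

```python
"""Record evidence hashes at collection and verify them before examination.

Added illustration; the evidence files are constructed in a temporary
directory and stand in for a disk image and an exported log file.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def make_manifest(evidence_dir, examiner):
    """Collection step: record hash, size and a custody note for every item."""
    items = {}
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            items[name] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return {
        "examiner": examiner,  # constructed identifier
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify_manifest(evidence_dir, manifest):
    """Authentication step: recompute every hash and report any deviation.

    Returns an empty list only when the evidence set is exactly as recorded:
    no item missing, none changed, and nothing added since collection.
    """
    problems = []
    for name, record in manifest["items"].items():
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing: {name}")
        elif sha256_file(path) != record["sha256"]:
            problems.append(f"hash mismatch: {name}")
    for name in sorted(os.listdir(evidence_dir)):
        if os.path.isfile(os.path.join(evidence_dir, name)) and name not in manifest["items"]:
            problems.append(f"unexpected item: {name}")
    return problems


def demo():
    """Run the collect -> authenticate cycle on constructed evidence files."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        # Constructed stand-ins for an acquired image and an exported log.
        with open(os.path.join(evidence_dir, "image.dd"), "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample image data")
        with open(os.path.join(evidence_dir, "auth.log"), "w") as f:
            f.write("Mar  1 09:11:58 host sshd[2211]: Accepted password for alice\n")

        manifest = make_manifest(evidence_dir, "examiner-01")
        # The manifest lives apart from the evidence; serialising it models that.
        stored = json.dumps(manifest, indent=2)

        before = verify_manifest(evidence_dir, json.loads(stored))

        # Simulate an unrecorded change to one item after collection.
        with open(os.path.join(evidence_dir, "auth.log"), "a") as f:
            f.write("Mar  1 09:12:00 host sshd[2211]: session opened\n")
        after = verify_manifest(evidence_dir, json.loads(stored))
        return before, after


if __name__ == "__main__":
    print(demo())
```

In practice the manifest (with the examiner's name, acquisition time and hashes) is what the chain-of-custody record points at, so that anyone, including opposing counsel, can repeat the verification against the same evidence set and obtain the same result.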