
MODULE 5

UNDERSTANDING COMPUTER FORENSICS

Computer forensics is the application of investigation and analysis techniques to gather
and preserve evidence.
Forensic examiners typically analyse data from personal computers, laptops, personal
digital assistants, cell phones, servers, tapes, and any other type of media. This process
can involve anything from breaking encryption, to executing search warrants with a law
enforcement team, to recovering and analysing files from hard drives that will be critical
evidence in the most serious civil and criminal cases.

The forensic examination of computers, and data storage media, is a complicated and
highly specialized process. The results of forensic examinations are compiled and
included in reports. In many cases, examiners testify to their findings, where their skills
and abilities are put to ultimate scrutiny.

Historical Background of Cyberforensics

A computer is either the subject or the object of a cybercrime, or it is used as a tool to commit
one. Computer intrusion and fraud committed with the help of computers were the
first crimes to be widely recognized as a new type of crime.

 The application of computers to investigating computer-based crime has led to the
development of a new field called computer forensics. Sometimes, computer forensics is
also referred to as "digital forensics." Computer forensics/digital forensics has existed for
as long as people have stored data inside computers.

 Computer forensics experts need digital evidence in cases involving data acquisition,
preservation, recovery, analysis and reporting, intellectual property theft, computer
misuse, corporate policy violation, mobile device (PDA, cell phone) data acquisition
and analysis, malicious software/applications, system intrusion and compromise,
encrypted, deleted and hidden file recovery, pornography, confidential information
leakage, etc.

 Computer forensics is still a relatively new discipline in the domain of computer security.
It is a rapidly growing discipline and a fast growing profession as well as business. The
focus of computer forensics is to find digital evidence, that is, the evidence required to
establish whether or not a fraud or a crime has been committed.
 There is a difference between computer security and computer forensics. Although
"computer forensics" is often associated with "computer security," the two are different.

Prof. Likhitha, Dept of CSE Page 1


 Computer forensics is primarily concerned with the systematic "identification,"
"acquisition," "preservation" and "analysis" of digital evidence, typically after
unauthorized access to or unauthorized use of a computer has taken place.
 Computer security is the prevention of unauthorized access to computer systems as well
as maintaining "confidentiality," "integrity" and "availability" of computer systems.
 There are two categories of computer crime: one is the criminal activity that involves
using a computer to commit a crime, and the other is a criminal activity that has a
computer as a target.
 Forensics means a "characteristic of evidence" that satisfies its suitability for admission
as fact and its ability to persuade based upon proof (or high statistical confidence level).
 An alternative definition for digital forensics science is: the use of scientifically derived
and proven methods toward the preservation, collection, validation, identification,
analysis, interpretation, documentation and presentation of digital evidence derived from
digital sources for the purpose of facilitating or furthering the reconstruction of events
found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive
to planned operations.

Digital Forensics Science

Digital forensics is the application of analysis techniques to the reliable and unbiased
collection, analysis, interpretation and presentation of digital evidence.
The objective of "cyber forensics" is to provide digital evidence of a specific or general
activity. Following are two more definitions worth considering:

1. Computer forensics: It is the lawful and ethical seizure, acquisition, analysis, reporting and
safeguarding of data and metadata derived from digital devices which may contain
information.
In other words, it is the collection of techniques and tools used to find evidence in a computer.

2. Digital forensics: It is the use of scientifically derived and proven methods toward the
preservation, collection, validation, identification, analysis, interpretation, documentation and
presentation of digital evidence.

The role of digital forensics is to:

1. Uncover and document evidence and leads.
2. Corroborate evidence discovered in other ways.
3. Assist in showing a pattern of events.
4. Connect attack and victim computers.
5. Reveal an end-to-end path of events leading to a compromise attempt, successful or not.
6. Extract data that may be hidden, deleted or otherwise not directly available.

Using digital forensics techniques, one can:



1. Corroborate and clarify evidence otherwise discovered.
2. Generate investigative leads for follow-up and verification in other ways.
3. Provide help to verify an intrusion hypothesis.
4. Eliminate incorrect assumptions.

The Need for Computer Forensics

The media, on which clues related to cybercrime reside, would vary from case to case. There
are many challenges for the forensics investigator because storage devices are getting
miniaturized due to advances in electronic technology; for example, external storage devices
such as mini hard disks (pen drives) are available in amazing shapes.

Looking for digital forensics evidence (DFE) is like looking for a needle in a haystack.
Here is a way to illustrate why there is always a need for forensics software on suspect
media. The capacity of a typical regular hard disk is 500 GB (gigabytes). An A4 size page
holds approximately 4,160 bytes (52 lines × 80 characters = 4,160 bytes, assuming 1 byte
per character), which is roughly 4 KB (kilobytes). An A4 sheet of paper has a thickness
of 0.004 inches. Data of 4 MB (megabytes; 1,000 times 4 KB), when printed on A4 paper,
would be 4 inches thick. Data of 4 GB (1,000 times 4 MB), if printed on A4 sheets, would be
4,000 inches thick. The printout of 500 GB would be 500,000 inches! It would be virtually
impossible to "retrieve" relevant forensics data from this heap!! This is where forensics
software helps: it sieves relevant data from the irrelevant mass.

Cyberforensics and Digital Evidence

Cyber forensics can be divided into two domains:
1. Computer Forensics
2. Network Forensics

As compared to "physical" evidence, "digital evidence" is different in nature because it
has some unique characteristics.
First of all, digital evidence is much easier to change/manipulate.
Second, perfect digital copies can be made without harming the original.

There are many forms of cybercrimes: sexual harassment cases - memos, letters, E-Mails;
obscene chats or embezzlement cases - spreadsheets, memos, letters, E-Mails, online banking
information; corporate espionage by way of memos, letters, E-Mails and chats; and frauds
through memos, letters, spreadsheets and E-Mails. In the case of computer crimes/cybercrimes,
computer forensics helps.
Computer forensics experts know the techniques to retrieve data from files listed in a
standard directory search, hidden files, deleted files, deleted E-Mail and passwords, login
IDs, encrypted files, hidden partitions, etc. Typically, the evidence resides on computer
systems, user created files, user protected files, computer created files and on computer
networks.

Computer systems have the following:

1. Logical file system that consists of
 File system: It includes files, volumes, directories and folders, file allocation tables
(FAT) as in older versions of the Windows operating system, clusters, partitions and
sectors.
 Random access memory.
 Physical storage media: Magnetic force microscopy can be used to recover data from
overwritten areas. Of particular interest are
(a) Slack space: It is space allocated to a file but not actually used, due to
internal fragmentation, and
(b) unallocated space.
2. User created files: It consists of address books, audio/video files, calendars, database files,
spreadsheets, E-Mails, Internet bookmarks, documents and text files.
3. Computer created files: It consists of backups, cookies, configuration files, history files,
log files, swap files, system files, temporary files, etc.
4. Computer networks: It consists of the Application Layer, the Transport Layer, the
Network Layer, and the Data Link Layer.
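To make slack space and unallocated space concrete, here is an added example (not from the original notes) that simulates a tiny cluster-based file system in Python; the cluster size, the disk and the file contents are constructed assumptions. It writes a file, deletes it, writes a shorter file in the same place, and then shows that both the new file's slack space and the freed cluster still hold the old content, which a keyword search over unallocated space can find:

```python
"""Toy cluster-based storage used to illustrate slack space and unallocated space.

Added example for these notes; it is not code from the original document. The
disk, the 512-byte cluster size and the file contents are constructed assumptions.
"""

CLUSTER_SIZE = 512  # assumed allocation unit for the toy file system


def clusters_needed(size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Whole clusters the file system must allocate for a file of `size` bytes."""
    return (size + cluster_size - 1) // cluster_size


def slack_bytes(size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes in the last allocated cluster that the file does not use."""
    return clusters_needed(size, cluster_size) * cluster_size - size


class ToyDisk:
    """A flat cluster-addressed medium plus a minimal allocation table (a FAT stand-in)."""

    def __init__(self, n_clusters: int, cluster_size: int = CLUSTER_SIZE):
        self.cluster_size = cluster_size
        self.media = bytearray(n_clusters * cluster_size)
        self.table = {}  # file name -> (first cluster, size in bytes)

    def write(self, name: str, data: bytes, first_cluster: int) -> None:
        """Store a file contiguously from `first_cluster`. Only the file's own bytes are
        written; the rest of the last cluster keeps whatever was there (slack space)."""
        start = first_cluster * self.cluster_size
        self.media[start:start + len(data)] = data
        self.table[name] = (first_cluster, len(data))

    def delete(self, name: str) -> None:
        """Deletion removes only the table entry; the clusters keep their content."""
        del self.table[name]

    def read_file(self, name: str) -> bytes:
        first, size = self.table[name]
        start = first * self.cluster_size
        return bytes(self.media[start:start + size])

    def read_slack(self, name: str) -> bytes:
        """Bytes between the end of the file and the end of its last cluster."""
        first, size = self.table[name]
        start = first * self.cluster_size + size
        end = (first + clusters_needed(size, self.cluster_size)) * self.cluster_size
        return bytes(self.media[start:end])

    def unallocated_clusters(self) -> list:
        """Cluster numbers not referenced by any table entry."""
        used = set()
        for first, size in self.table.values():
            used.update(range(first, first + clusters_needed(size, self.cluster_size)))
        return [c for c in range(len(self.media) // self.cluster_size) if c not in used]

    def carve(self, needle: bytes) -> list:
        """Keyword search over unallocated clusters only (checked one cluster at a time),
        the way a carving tool looks for content the file system no longer points to."""
        hits = []
        for c in self.unallocated_clusters():
            chunk = self.media[c * self.cluster_size:(c + 1) * self.cluster_size]
            if needle in chunk:
                hits.append(c)
        return hits


def demo() -> dict:
    """Constructed scenario: a 925-byte memo is written, deleted, then a 5-byte note is
    written at the same location. The note's slack and the freed cluster keep memo text."""
    disk = ToyDisk(n_clusters=8)
    memo = b"CONFIDENTIAL MEMO: transfer approved " * 25  # 37 * 25 = 925 bytes -> 2 clusters
    disk.write("memo.txt", memo, first_cluster=2)
    disk.delete("memo.txt")
    disk.write("note.txt", b"hello", first_cluster=2)
    return {
        "note_content": disk.read_file("note.txt"),
        "slack_len": len(disk.read_slack("note.txt")),
        "memo_in_slack": b"CONFIDENTIAL MEMO" in disk.read_slack("note.txt"),
        "carved_clusters": disk.carve(b"transfer approved"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the second half: after `note.txt` is written, a normal directory listing shows only the five-byte note, yet 507 bytes of the deleted memo remain in the note's slack and the whole of cluster 3 is still readable as unallocated space. This is why an examiner works from a bit-level image rather than from a logical file copy.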

The Rules of Evidence


According to the "Indian Evidence Act 1872", "Evidence" means and includes:
1. All statements which the court permits or requires to be made before it by witnesses, in
relation to matters of fact under inquiry; these are called oral evidence.
2. All documents that are produced for the inspection of the court; these are called documentary
evidence.



It is only logical that the process used in the case of digital evidence mimics the process that is
used for paper evidence. As each step requires the use of tools or knowledge, the process
must be documented, reliable and repeatable. The process itself must be understandable to the
members of the court. Acquisition of digital evidence is both a legal and a technical problem.
The law specifies what can be seized, under what conditions, from whom and from where. It
is necessary to determine which particular piece of digital evidence is required for examination,
that is, is it a particular file, a word processing document, an executable program, etc. It
may also require examination to determine where a particular piece of evidence is physically
located: is the file on a local hard drive, or is it on a server located in another place?

There are a number of contexts involved in actually identifying a piece of digital evidence:
1. Physical context: It must be definable in its physical form, that is, it should reside on a
specific piece of media.
2. Logical context: It must be identifiable as to its logical position, that is, where does it
reside relative to the file system.
3. Legal context: We must place the evidence in the correct context to read its meaning. This
may require looking at the evidence as machine language, for example, American Standard
Code for Information Interchange (ASCII).

Following are some guidelines for the (digital) evidence collection phase:
1. Adhere to your site's security policy and engage the appropriate incident handling and law
enforcement personnel.
2. Capture a picture of the system as accurately as possible.
3. Keep detailed notes with dates and times; notes and printouts should be signed and dated.
4. Note the difference between the system clock and Coordinated Universal Time.
5. Be prepared to testify (perhaps years later) outlining all actions you took and at what times.
Detailed notes will be vital.



6. Minimize changes to the data as you are collecting it. This is not limited to content
changes; avoid updating file or directory access times.
7. Remove external avenues for change.
8. When confronted with a choice between collection and analysis, you should do collection
first and analysis later.
9. Your procedures should be implementable. As with any aspect of an incident response
policy, procedures should be tested to ensure feasibility, particularly in a crisis. If possible,
procedures should be automated for reasons of speed and accuracy.
10. For each device, a systematic approach should be adopted to follow the guidelines laid
down in your collection procedure. Speed will often be critical; therefore, where there are a
number of devices requiring examination, it may be appropriate to spread the work among
your team to collect the evidence in parallel. However, on a single given system, collection
should be done step by step.
11. Proceed from the volatile to the less volatile; the order of volatility is as follows:
 Registers, cache (most volatile, i.e., contents lost as soon as the power is turned OFF).
 Routing table, Address Resolution Protocol (ARP) cache, process table, kernel
statistics, memory.
 Temporary file systems.
 Disk.
 Remote logging and monitoring data that is relevant to the system in question.
 Physical configuration and network topology.
 Archival media (least volatile, i.e., holds data even after power is turned OFF).
12. You should make a bit-level copy of the system's media. If you wish to do forensics
analysis, you should make a bit-level copy of your evidence copy for that purpose, as your
analysis will almost certainly alter file access times. Try to avoid doing forensics on the
evidence copy.

Digital Forensics Life Cycle

Digital evidence is present in nearly every crime scene. That is why law enforcement must
know how to recognize, seize, transport and store original digital evidence to preserve it for
forensics examination.
The cardinal rules to remember are that evidence
1. is admissible;
2. is authentic;
3. is complete;
4. is reliable;
5. is understandable and believable.

The Digital Forensics Process



The digital forensics process needs to be understood in the legal context starting from
preparation of the evidence to testifying.
 Digital forensics evidence consists of exhibits, each consisting of a sequence of bits,
presented by witnesses in a legal matter to help jurors establish the facts of the case
and support or refute legal theories of the case. The tie between technical issues
associated with the digital forensics evidence and the legal theories is the job of
"expert witnesses."
 Testimony is presented to establish the process to identify, collect, preserve, transport,
store, analyze, interpret, attribute, and/ or reconstruct the information contained in the
exhibits and to establish, to the standard of proof required by the matter at hand, that
the evidence reflects a sequence of events that is asserted to have produced it.
 People involved in the "chain of custody" need to testify to a number of aspects relating
to the evidence. The testimony would typically include the processes used for
creating, handling and introducing the evidence, the method used for collecting the
exhibit (i.e. the evidence artifacts) as well as the manner in which the exhibit is
brought to court.
 Non-experts can make statements about evidence to the extent that they can clarify
non-scientific issues by stating what they observed. Digital forensics evidence can be
challenged by establishing that, by intent or accident, content, context, meaning,
process, relationships, ordering, timing, location, corroboration and/or consistency are
made or missed by the other side, and that this produced false positives or false
negatives in the results presented by the other side.
 Once the forensics experts know the landscape of the computers and other artifacts
involved, they formulate a cost proposal governing all needed activities in the
forensics search and analysis. The data acquisition, also known as "imaging," of the
subject computers must be flawless and defensible in substance and technique.
Forensics examiners are trained to follow a carefully developed set of protocols for
acquisition of electronic evidence designed to ensure authenticity and a diligent chain
of custody.

The Phases in Computer Forensics/Digital Forensics

The investigator must be properly trained to perform the specific kind of investigation that is
at hand. Tools that are used to generate reports for court should be validated. There are many
tools to be used in the process.
One should determine the proper tool to be used based on the case. Broadly speaking, the
forensics life cycle involves the following phases:
1. Preparation and identification;
2. Collection and recording;
3. Storing and transporting;
4. Examination/investigation;
5. Analysis, interpretation and attribution;
6. Reporting;
7. Testifying.

To mention very briefly, the process involves the following activities:

1. Prepare: Case briefings, engagement terms, interrogatories, spoliation prevention,
disclosure and discovery planning, discovery requests.
2. Record: Drive imaging, indexing, profiling, search plans, cost estimates, risk analysis.
3. Investigate: Triage images, data recovery, keyword searches, hidden data review,
communicate, iterate.
4. Report: Oral vs. written, relevant document production, search statistic reports, chain of
custody reporting, case log reporting.
5. Testify: Testimony preparation, presentation preparation, testimony.



Preparing for the Evidence and Identifying the Evidence

In order to be processed and applied, evidence must first be identified as evidence. It can
happen that there is an enormous amount of potential evidence available for a legal matter,
and it is also possible that the vast majority of the potential evidence may never get
identified.
Evidence of an activity that caused digital forensics evidence to come into being might be
contained in a time stamp associated with a different program in a different computer on the
other side of the world that was offset from its usual pattern of behaviour by a few
microseconds.
If the evidence cannot be identified as relevant evidence, it may never be collected or
processed at all, and it may not even continue to exist in digital form by the time it is
discovered to have relevance.

Collecting and Recording Digital Evidence

Digital evidence can be collected from many sources.
 Obvious sources include computers, cell phones, digital cameras, hard drives, CD-
ROMs, USB memory devices and so on.
 Non-obvious sources include settings of digital thermometers, black boxes inside
automobiles, RFID tags and webpages.
Special care must be taken when handling computer evidence: most digital information is
easily changed, and once changed it is usually impossible to detect that a change has taken
place (or to revert the data back to its original state) unless other measures have been taken.
For this reason, it is common practice to calculate a cryptographic hash of an evidence file
and to record that hash elsewhere, usually in an investigator's notebook, so that one can
establish at a later point in time that the evidence has not been modified since the hash was
calculated.
Figures 7.6 and 7.7 show the media that typically holds digital evidence.



Collecting volatile data requires special technical skills. If the machine is still active, any
intelligence that can be gained by examining the applications currently open is recorded. If
the machine is suspected of being used for illegal communications, such as terrorist traffic, not
all of this information may be stored on the hard drive. If information stored solely in random
access memory (RAM) is not recovered before powering down, it may be lost.
Embedded flash memory falls under the family of solid state non-volatile memory; it is used
in thumb drives (USB sticks), cell phones, game consoles, secure digital cards (SD cards) and
multimedia cards (MMC).

Storing and Transporting Digital Evidence


The following are specific practices that have been adopted in the handling of digital
evidence:
1. Image computer media using a write-blocking tool to ensure that no data is
added to the suspect device.
2. Establish and maintain the chain of custody.
3. Document everything that has been done.
4. Only use tools and methods that have been tested and evaluated to validate their
accuracy and reliability.
In storage, digital media must be properly maintained for the period of time required for the
purposes of trial.
Many things can go wrong in storage, including decay over time; environmental changes
resulting in the presence or absence of a necessary condition for preservation; direct
environmental assault on the media; fires, floods and other external events reaching the
evidence; loss of power to batteries and other media-preserving mechanisms; and decay over
time from other natural and artificial sources.
Sometimes evidence must be transported from place to place, and it is often copied and sent
electronically. The original copies are normally kept in a secure location, as they are what
the legal proceedings rely on.



Examining/Investigating Digital Evidence
In an investigation in which the owner of the digital evidence has not given consent to have
his or her media examined (as in some criminal cases) special care must be taken to ensure
that the forensics specialist has the legal authority to seize, copy and examine the data.
Sometimes authority stems from a search warrant.
One reason is that many current attacks against computer systems leave no trace on the
computer's hard drive; the attacker only exploits information in the computer's memory.
Another reason is the growing use of cryptographic storage.
The process of creating an exact duplicate of the original evidentiary media is often called
"imaging." Computer forensics software packages make this possible by converting an entire
hard drive into a single searchable file; this file is called an "image." Using a stand-alone
hard drive duplicator or software imaging tools such as DCFLdd, IXimager or Guymager, the
entire hard drive is completely duplicated.
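The hash-then-verify practice from the collection section above and the bit-level imaging described in this paragraph can be put together in one small acquisition routine. The following is an added example written for these notes; it is not code from the original document, nor from dcfldd, IXimager or Guymager, and it images an ordinary file with constructed contents standing in for a block device:

```python
"""Bit-level acquisition of a storage medium with hash verification.

Added example for these notes, not code from the document or from the imaging
tools it names. A regular file stands in for the block device; its contents are
constructed. BLOCK_SIZE and the file names are assumptions.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 1 << 16  # 64 KiB read/write unit


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in fixed blocks so an image of any size fits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source: str, image_path: str) -> str:
    """Copy every byte of `source` to `image_path`, hashing the data as it is read.
    Returns the acquisition hash, the value to be recorded in the examiner's notes."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(chunk)
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, image_path: str) -> dict:
    """Image the source and cross-check three hashes: the data as read during
    acquisition, the written image re-read from disk, and the source re-read."""
    acquisition_hash = image_device(source, image_path)
    image_hash = hash_file(image_path)
    source_hash = hash_file(source)
    return {
        "acquisition_hash": acquisition_hash,
        "verified": acquisition_hash == image_hash == source_hash,
        "size": os.path.getsize(image_path),
    }


def verify_later(image_path: str, recorded_hash: str) -> bool:
    """Re-hash an image (before analysis, or in court) against the recorded value."""
    return hash_file(image_path) == recorded_hash


def demo() -> dict:
    """Constructed scenario in a temporary directory: image a fake device of
    1 MiB + 1 byte (deliberately not a block multiple), verify, then flip one byte
    in a working copy and show that verification against the recorded hash fails."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "suspect_device.bin")
        image = os.path.join(tmp, "evidence.img")
        with open(device, "wb") as f:  # constructed device contents
            f.write(bytes(range(256)) * 4096 + b"\x00")
        result = acquire(device, image)

        working_copy = os.path.join(tmp, "working.img")
        image_device(image, working_copy)  # analysis copy made from the evidence copy
        with open(working_copy, "r+b") as f:  # simulate an accidental modification
            f.seek(1000)
            f.write(b"\xff")

        sample = os.path.join(tmp, "abc.bin")  # known-answer check for the hash routine
        with open(sample, "wb") as f:
            f.write(b"abc")
        return {
            "verified": result["verified"],
            "size": result["size"],
            "working_copy_ok": verify_later(working_copy, result["acquisition_hash"]),
            "abc_sha256": hash_file(sample),
        }


if __name__ == "__main__":
    print(demo())
```

The hash is computed over the bytes as they are read, and the written image and the source are each re-hashed afterwards, so a short read, a write error or a later modification all surface as a mismatch rather than going unnoticed. The demo makes its working copy from the image rather than from the device, matching guideline 12 above: analysis is done on a copy of the evidence copy, never on the evidence copy itself.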

Analysis, Interpretation and Attribution


Analysis, interpretation and attribution of evidence are the most difficult aspects encountered
by most Forensic analysts. In the digital forensics arena, there are usually only a finite
number of possible event sequences that could have produced evidence.
The common digital analysis types include:
1. Media analysis: It is analysis of the data from a storage device. This analysis does not
consider any partitions or other operating system (OS)-specific data structures. If the storage
device uses a fixed-size unit, such as a sector, then it can be used in this analysis.
2. Media management analysis: It is analysis of the management system used to organize
media.
3. File system analysis: It is the analysis of the file system data inside a partition or disk. This
typically involves processing the data to extract the contents of a file or to recover the
contents of a deleted file.
4. Application analysis: It is the analysis of the data inside a file. Files are created by users
and applications. The format of the contents is application-specific.
5. Network analysis: It is the analysis of data on a communications network. Network packets
can be examined using the OSI Model to interpret the raw data into an application-level
stream.
Some of the most common ones are as follows:
 OS analysis: An OS is an application, although it is a special application because it is
the first one that is run when a computer starts. This analysis examines the
configuration files and output data of the OS to determine what events may have
occurred.
 Executable analysis: Executables are digital objects that can cause events to occur and
they are frequently examined during intrusion investigations because the investigator
needs to determine what events the executable could cause.
6. Image analysis: It was mentioned that the "image" is a single searchable file. Digital
images are the target of many digital investigations because some are contraband. This type
of analysis looks for information about where the picture was taken and who or what is in the
picture.
7. Video analysis: Digital video is used in security cameras and in personal video cameras
and webcams.

Reporting
Once the analysis is complete, a report is generated. The report may be in a written form or
an oral testimony or it may be a combination of the two. Finally, evidence, analysis,
interpretation and attribution must ultimately be presented in the form of expert reports,
depositions and testimony.
The following are the broad-level elements of the report:
1. Identity of the reporting agency;
2. Case identifier or submission number;
3. Case investigator;
4. Identity of the submitter;
5. Date of receipt;
6. Date of report;
7. Descriptive list of items submitted for examination, including serial number, make and
model;
8. Identity and signature of the examiner;
9. Brief description of steps taken during examination, such as string searches, graphics
image searches and recovering erased files;
10. Results/conclusions.

Testifying
This phase involves presentation and cross-examination of expert witnesses. Depending on
the country and legal frameworks in which a cybercrime case is registered, certain standards
may apply with regard to the issues of expert witnesses. Digital forensics evidence is
normally introduced by expert witnesses except in cases where non-experts can bring clarity
to non-scientific issues by stating what they observed or did.
A witness qualified as an expert by knowledge, skill, experience, training or education may
testify in the form of an opinion or otherwise if
(a) The testimony is based on sufficient facts or data,
(b) The testimony is the product of reliable principles and methods,
(c) The witness has applied the principles and methods reliably to the facts of the case.

Precautions to be Taken when Collecting Electronic Evidence


So far we have established how important the digital/computer evidence is for cyber
forensics. Therefore, collection of the evidence must happen with due care. Special measures
should be taken while conducting a forensics investigation if it is desired for the results to be
used in a court of law.



One of the most important measures is to ensure that the evidence has been accurately
collected and that there is a clear chain of custody right from the scene of the crime to the
investigator and ultimately to the court.
To maintain the integrity of digital evidence, certain rules must be followed.
In general, the following principles are applicable:
1. Principle 1: No action taken by law enforcement agencies or their agents should change
data held on a computer or storage media, which may subsequently be relied upon in court.
2. Principle 2: In exceptional circumstances, where a person finds it necessary to access
original data held on a computer or on storage media that person must be competent to do so
and be able to give evidence explaining the relevance and the implications of his/her actions.
3. Principle 3: An audit trail or other record of all processes applied to computer-based
electronic evidence should be created and preserved. An independent third party should be
able to examine those processes and achieve the same result.
4. Principle 4: The person in charge of the investigation (the case officer) has overall
responsibility for ensuring that the law and these principles are adhered to.

Chain of Custody Concept


Chain of custody is the central concept in cyber forensics/digital forensics investigation.
 A chain of custody is the process of validating how all kinds of evidence have
been gathered, tracked and protected on the way to a court of law. It is essential to get
in the habit of protecting all evidence equally so that it will hold up in court.
 The purpose of the chain of custody is that the proponent of a piece of evidence must
demonstrate that it is what it purports to be.
 The chain of custody is a chronological written record of those individuals who have
had custody of the evidence from its initial acquisition until its final disposition.
 A chain of custody begins when an item of relevant evidence is collected, and the
chain is maintained until the evidence is disposed of. The chain of custody assumes
continuous accountability.
 This accountability is important because, if not properly maintained, an item (of
evidence) may be inadmissible in court.
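Chain of custody is a documentation discipline rather than a piece of software, but the properties it demands (chronological, complete, continuous accountability) map naturally onto a hash-chained log in which each entry commits to the one before it. The following is an added Python example written for these notes, not a procedure from the original document; the entry fields, the case identifier, the custodian names and the timestamps are constructed assumptions:

```python
"""Hash-chained chain-of-custody log for one evidence item.

Added example for these notes; it is not the document's own procedure. Entry
fields, the constructed case data and SHA-256 over canonical JSON are assumptions.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def _digest(entry: dict) -> str:
    """Canonical JSON (sorted keys) so every party recomputes the same hash."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Chronological record of who handled an item. Each entry carries the hash of
    the previous entry, so an altered, removed or reordered entry breaks verification."""

    def __init__(self, evidence_id: str, evidence_hash: str):
        self.evidence_id = evidence_id
        self.evidence_hash = evidence_hash  # acquisition hash of the item itself
        self.entries = []

    def record(self, action: str, custodian: str, when: str, note: str = "") -> str:
        """Append one hand-off; `when` is an ISO 8601 UTC timestamp supplied by the caller."""
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "evidence_hash": self.evidence_hash,
            "action": action,  # collected / transferred / imaged / stored ...
            "custodian": custodian,
            "when": when,
            "note": note,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self, current_evidence_hash: str = None):
        """Return (ok, problem). Checks sequence numbers, the hash chain and each entry's
        own digest; optionally also that the item still hashes as originally recorded."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False, f"entry {i} broken"
            prev = e["entry_hash"]
        if current_evidence_hash is not None and current_evidence_hash != self.evidence_hash:
            return False, "evidence hash mismatch"
        return True, None


def demo() -> dict:
    """Constructed case: three hand-offs, then two kinds of tampering with the record."""
    item_hash = hashlib.sha256(b"constructed image bytes").hexdigest()
    log = CustodyLog("CASE-0001/EX-01", item_hash)
    log.record("collected", "Officer A", "2024-01-10T09:00:00Z", "seized from desk, bagged")
    log.record("transferred", "Examiner B", "2024-01-10T11:30:00Z", "signed over at lab")
    log.record("imaged", "Examiner B", "2024-01-10T12:15:00Z", "write blocker used")
    intact = log.verify(item_hash)

    edited = copy.deepcopy(log)
    edited.entries[1]["custodian"] = "Someone Else"  # rewriting who held the item
    removed = copy.deepcopy(log)
    del removed.entries[1]  # hiding a hand-off entirely
    return {"intact": intact, "edited": edited.verify(), "removed": removed.verify()}


if __name__ == "__main__":
    print(demo())
```

The log does not make the paper record redundant: signatures, dates and the physical handling still have to be documented as Principle 3 above requires. What the chain adds is that an independent party can recompute every digest and confirm that the record presented in court is the same unbroken sequence that was written at the time, and that the item's recorded hash matches what is being examined.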

Network Forensics
Network forensics is the study of network traffic to search for truth in civil, criminal and
administrative matters to protect users and resources from exploitation, invasion of privacy
and any other crime fostered by the continual expansion of network connectivity.
