DF Unit 1 My Notes

The document provides an overview of digital forensics, including defining digital forensics, standardizing processes, analyzing digital evidence for legal purposes, and the investigations triad framework of vulnerability assessment, incident response, and digital investigations. It also discusses setting up forensic workstations, acquiring evidence, and making bit-stream copies of storage media for analysis.

Uploaded by

Rachit Anand

Digital Forensics Unit 1

• Overview of digital forensics:


• Digital forensics is defined as "[t]he application of computer science and investigative
procedures for a legal purpose involving the analysis of digital evidence (information of
probative value that is stored or transmitted in binary form) after proper search authority,
chain of custody, validation with mathematics (hash function), use of validated tools,
repeatability, reporting and possible expert presentation" (Ken Zatyko, Forensic Magazine, 2007).

• The evolution of digital forensics has been driven by the need to secure and analyze digital
information for legal purposes.

• Zatyko's definition bundles the elements a court expects to see: proper search authority, a
documented chain of custody, hash values that validate copies against originals, validated
tools, a repeatable process, a written report, and, if needed, expert presentation.

• Digital forensics encompasses specialties like computer forensics, network forensics, and
video forensics.

• Incident response and research are also part of digital forensics, not necessarily concerned
with prosecution.

• Standardization of digital forensics processes is crucial due to the ubiquitous nature of
digital evidence.

• The International Organization for Standardization (ISO) ratified ISO/IEC 27037, which gives
guidelines for identifying, collecting, acquiring, and preserving digital evidence.

• The Federal Rules of Evidence (FRE) and various state laws govern the admissibility of
digital evidence in legal proceedings.

• The Fourth Amendment protects against unreasonable searches and seizures, impacting the
collection of digital evidence.

• Case law, like Commonwealth v. Copenhefer, establishes precedents regarding the
admissibility of digital evidence.

• Digital evidence laws vary between states, provinces, and countries.

• Digital forensics involves examining and analyzing data from computer storage media for
legal purposes.

• The National Institute of Standards and Technology (NIST) defines digital forensics as
applying science to identify, collect, examine, and analyze data while preserving the
integrity of the information and maintaining a strict chain of custody.

• Digital forensics investigates data on computer storage media, including retrieving hidden
or deleted information, and presenting it in court.

• It differs from data recovery, which focuses on retrieving accidentally deleted or lost data.

• Digital forensics often involves working as part of a team to secure an organization's
computers and networks.
• The Investigations Triad:

The investigations triad is a framework consisting of three key functions: vulnerability/threat
assessment and risk management, network intrusion detection and incident response, and digital
investigations. Each component in detail:

1. Vulnerability/Threat Assessment and Risk Management: This function involves assessing
and managing risks related to system vulnerabilities and potential threats. Professionals in this
domain, often referred to as penetration testers, test the integrity of standalone workstations and
network servers. They evaluate physical security measures as well as the security of operating
systems (OSs) and applications. Their tasks include identifying vulnerabilities in OSs and
applications used in the network and conducting authorized attacks to assess weaknesses. These
individuals typically have extensive experience in system administration and are adept at
uncovering weaknesses in networks to help organizations better prepare for real-world attacks.

2. Network Intrusion Detection and Incident Response: This function focuses on detecting
and responding to intrusions into the network. Automated tools are used to detect intruder
attacks, and network firewall logs are monitored to identify suspicious activity. When an
external attack is detected, the incident response team tracks, locates, and identifies the intrusion
method while preventing further access to the network. If an attack causes damage,
this team collects evidence for potential civil or criminal litigation against the intruder and
implements measures to prevent future intrusions. They may also help locate internal users
engaged in illegal acts or policy violations within the network.

3. Digital Investigations: This function entails conducting forensic analysis of systems
suspected of containing evidence related to an incident or crime. Digital investigators manage
investigations and perform detailed forensic analysis on digital devices, retrieving and analyzing
data to uncover evidence. In complex cases, they may collaborate with personnel from other
functions within the investigations triad. While vulnerability/threat assessment and incident
response focus on proactive and reactive measures to secure networks and respond to intrusions,
digital investigations concentrate on the detailed analysis of digital evidence to support legal
proceedings.

Overall, the investigations triad combines complementary functions to address various aspects of
digital technology investigation comprehensively. By integrating vulnerability assessment,
incident response, and digital forensic analysis, organizations can effectively manage risks, detect
and respond to security incidents, and gather evidence for potential litigation. This collaborative
approach ensures that all aspects of digital security and forensic investigation are covered,
enhancing the organization's ability to protect its assets and respond to security threats
effectively.

• Understanding Data Recovery Workstations and Software


• Digital forensics involves examining and analyzing data from computer storage media for
legal purposes, often conducted in a digital forensics lab.

• Data recovery differs from digital forensics: data recovery focuses on retrieving lost or
accidentally deleted data for its owner, while digital forensics retrieves hidden or deleted data
for legal purposes and must preserve its integrity along the way.

• A forensic workstation, specially configured with additional drive bays and forensics software, is
necessary for conducting investigations and analysis.

• The choice of operating system for a forensic workstation depends on the specific needs of the
investigation, ranging from MS-DOS to modern Windows, Linux, and macOS.

• Operating systems can alter evidence disks by writing data during startup (for example, when
they mount a volume), potentially compromising evidence integrity.

• Write-blockers, both hardware and software, are used to prevent writing data to evidence
drives during acquisition.

• Hardware write-blockers connect to USB or FireWire ports and are offered by various
vendors, while software write-blockers typically require a bootable DVD or USB flash drive.

• Windows products are available for disk forensics, but Linux is often preferred because it can
mount evidence read-only and works natively with raw (dd-style) images.

• Skills in using various tools and operating systems are necessary for effective digital
investigations, as no single tool or OS can recover everything.
• Setting up your workstation for digital forensics:

• Conducting an Investigation:
You have created a plan for the investigation, set up your forensic workstation, and installed the
forensic analysis software you need to examine the evidence. The software to install includes your
preferred analysis tool, such as ProDiscover, EnCase, FTK, or X-Ways Forensics; an office suite,
such as LibreOffice; and a graphics viewer, such as IrfanView. To begin conducting an
investigation, you start by copying the evidence, using a variety of methods. No single method
retrieves all data from a disk, so using several tools to retrieve and analyze data is a good idea.

Start by gathering the resources you identified in your investigation plan. You need the
following items:

• Original storage media

• Evidence custody form

• Evidence container for the storage media, such as an evidence bag

• Bit-stream imaging tool; in this case, the ProDiscover Basic acquisition utility
• Forensic workstation to copy and examine the evidence

• Secure evidence locker, cabinet, or safe

Steps:

Gathering the Evidence:


To acquire George Montgomery’s storage media from the IT Department and then secure the
evidence, you perform the following steps:

1. Arrange to meet the IT manager to interview him and pick up the storage media.

2. After interviewing the IT manager, fill out the evidence form, have him sign it, and then
sign it yourself.

3. Store the storage media in an evidence bag, and then transport it to your forensic facility.

4. Carry the evidence to a secure container, such as a locker, cabinet, or safe.

5. Complete the evidence custody form. As mentioned, if you're using a multi-evidence
form, you can store the form in the file folder for the case. If you're also using single-
evidence forms, store them in the secure container with the evidence. Reduce the risk of
tampering by limiting access to the forms.

6. Secure the evidence by locking the container.

Understanding Bit-Stream Copies:


• A bit-stream copy, also known as a forensic copy, is an exact duplicate of the original drive
or storage medium, created on a bit-by-bit basis.

• Acquiring a bit-stream copy is essential for preserving evidence on a disk, as it ensures the
highest chance of successfully retrieving necessary evidence.

• Unlike simple backup copies made by backup software, bit-stream copies include all data
on the disk, including deleted files, e-mails, and file fragments left in unallocated space.

• A bit-stream image refers to the file containing the bit-stream copy of the disk, often simply
referred to as an "image" or "image file."

• When creating an exact image of an evidence disk, it's preferable to copy the image to a
target disk that's identical to the original, including manufacturer, model, size in bytes, and
sectors.

• Some image acquisition tools can accommodate target disks of different sizes than the
original, but maintaining identical characteristics is preferable.
• Older digital forensics tools designed for MS-DOS work only on copied disks, while
current GUI tools can work on both disk drives and copied data sets known as "image
saves."

Acquiring an Image of Evidence Media:


After you retrieve and secure the evidence, you’re ready to copy the evidence media and
analyze the data. The rst rule of digital forensics is to preserve the original evidence.
Then con- duct your analysis only on a copy of the data—the image of the original
medium. Several vendors provide MS-DOS, Linux, and Windows acquisition tools.
Windows tools, however, require a write-blocking device (discussed in Chapter 3) when
acquiring data from FAT or NTFS le systems.
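The imaging and verification described in this section, and the hash comparison used to "test the design" later in these notes, as an added example in Python (not code from the textbook or from ProDiscover): it makes a bit-stream copy of a constructed sample medium, hashes the copied bytes, re-hashes the image to verify length and hash, and shows that a deleted-file remnant planted in the source survives in the image while any later change to the image breaks verification. The file paths, the sample medium and the remnant marker are assumptions made for the example.

```python
"""Bit-stream (forensic) copy with hash verification.

Added example, not code from the textbook or from ProDiscover. It shows what
an acquisition tool does underneath: read the source medium in fixed-size
blocks so every byte, including unallocated space and deleted-file remnants,
lands in the image; hash the very bytes that were written; then re-read the
image independently and compare length and hash. Paths are placeholders; on
a real acquisition the source would be a block device such as /dev/sdb,
opened read-only behind a write-blocker.
"""
import hashlib
import os
import tempfile
from pathlib import Path

BLOCK_SIZE = 1024 * 1024  # 1 MiB read/write unit; the final block may be shorter


def image_device(source: Path, image: Path, block_size: int = BLOCK_SIZE) -> dict:
    """Copy source to image bit for bit and return the acquisition record.

    MD5 and SHA-256 are both recorded, as most acquisition tools do, so the
    image can later be verified with whichever hash the receiving party uses.
    """
    sha256, md5, bytes_copied = hashlib.sha256(), hashlib.md5(), 0
    with source.open("rb") as src, image.open("wb") as dst:
        while True:
            chunk = src.read(block_size)
            if not chunk:            # EOF; a short final block is still written
                break
            sha256.update(chunk)
            md5.update(chunk)
            dst.write(chunk)
            bytes_copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())       # make sure the image really reached the target disk
    return {"source": str(source), "image": str(image), "bytes": bytes_copied,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def sha256_of(path: Path, block_size: int = BLOCK_SIZE) -> str:
    """Independent re-hash of a file, used for verification."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(record: dict) -> bool:
    """True only if the image still has the recorded length and SHA-256."""
    image = Path(record["image"])
    return image.stat().st_size == record["bytes"] and sha256_of(image) == record["sha256"]


def demo() -> tuple:
    """Constructed run: a fake 3 MiB + 517 byte 'USB drive' (deliberately not a
    multiple of the block size) with a deleted-file remnant planted in it.
    Returns (record, verified_before, remnant_in_image, verified_after_tamper)."""
    work = Path(tempfile.mkdtemp(prefix="df_unit1_"))
    source, image = work / "evidence_usb.raw", work / "evidence_usb.dd"
    payload = bytearray(os.urandom(3 * 1024 * 1024 + 517))
    remnant = b"DELETED: domain-reg-clients.csv"   # constructed marker, not real data
    payload[2_000_000:2_000_000 + len(remnant)] = remnant
    source.write_bytes(payload)

    record = image_device(source, image)
    verified = verify_image(record)
    remnant_present = remnant in image.read_bytes()   # the copy carries the remnant too
    with image.open("ab") as f:                       # simulate a post-acquisition change
        f.write(b"\x00")
    return record, verified, remnant_present, verify_image(record)


if __name__ == "__main__":
    rec, before, carried, after = demo()
    print(f"copied {rec['bytes']} bytes, sha256={rec['sha256']}")
    print("verified:", before, "remnant in image:", carried, "after tampering:", after)
```

The script only ever opens the source for reading; on Linux the same job is normally done with dd or dcfldd against a write-blocked device followed by sha256sum on both sides, and the hashes go straight onto the evidence custody form so the "test the design" step later can be repeated by anyone.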

Using ProDiscover Basic to Acquire a USB Drive:

Read the steps from the book (page 67).

Analyzing Your Digital Evidence:

Read the steps from the book (page 70).

Completing the Case:


• After analyzing the disk, deleted files, e-mails, and purposefully hidden items were retrieved
and analyzed (covered in Chapters 8, 9, and 11).

• Key questions to be answered for the final report include how George's manager acquired the
disk, whether George conducted work on a personal laptop, the timing of his use of non-
work-related files, relevant company policies, and any additional considerations.

• The final report will detail the steps taken and the findings, including the ProDiscover report
file that documents the investigation.

• Repeatable findings are crucial in computing investigations: another examiner following the
same steps on the same image should reach the same results, which is what makes the work
product valid as evidence.

• It's advised to maintain a written journal of all actions taken, as these notes can be used in
court.

• Basic report writing involves answering the six Ws: who, what, when, where, why, and how,
while also explaining computer and network processes at the reader's level of
understanding.

• Organizations may have templates for writing reports, and integrating digital forensics log
reports can enhance the final report's comprehensiveness.

• In the Montgomery 72015 case, evidence is sought to demonstrate George's involvement in a
side business registering domain names, including client names, income, and correspondence
during work hours.

• The evidence file will be presented to the supervisor or to Steve, George's manager, for a decision
on further action.

Critiquing the Case:

• Developing Digital Forensics Resources:


Diverse Platform Familiarity:

• A successful digital forensics investigator should be well-versed in various
computing platforms, including older systems like DOS, Windows 9x, and
Windows XP, as well as contemporary ones like Linux, Macintosh, and current
Windows platforms.

Networking and Collaboration:

• Collaboration and networking with professionals in computing, networking, and
investigative fields are essential for supplementing one's knowledge and expertise.

• Joining computer user groups, both public and private, provides opportunities to
discuss challenges and exchange knowledge. Organizations like the Computer
Technology Investigators Network (CTIN), IACIS, and the High Technology
Crime Investigation Association offer valuable resources and training.

• Building a network of digital forensics experts and maintaining communication
through email and social media can facilitate information sharing and
collaboration.

Benefit of User Groups:

• User groups can be particularly helpful for obtaining information about obscure
operating systems or technical details. An example is provided where a user group
assisted in convicting a child molester by providing necessary information about
an outdated OS.

Expert Assistance:

• Seeking assistance from outside experts, such as Macintosh engineers, can provide
detailed information necessary for retrieving digital evidence. A case example
illustrates how collaboration with a Macintosh engineer helped retrieve crucial
evidence from a compressed and erased hard drive, leading to a murder conviction.

• Preparing for Digital Investigations:


Public-sector investigations involve government agencies responsible for criminal
investigations and prosecution. Government agencies range from municipal, county, and
state or provincial police departments to federal law enforcement agencies. These
organizations must observe the legal guidelines of their jurisdictions.

Private-sector investigations focus more on policy violations, such as not adhering to
Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations.
However, criminal acts, such as corporate espionage, can also occur.

Following the Legal Process (public sector):

• A criminal case follows three stages: the complaint, the investigation, and the
prosecution.

• A criminal investigation generally begins when someone finds evidence of or witnesses
an illegal act. The witness or victim makes an allegation to the police, an accusation of
fact that a crime has been committed.

• A Digital Evidence First Responder (DEFR) has the skill and training to arrive on an
incident scene, assess the situation, and take precautions to acquire and preserve
evidence

• A Digital Evidence Specialist (DES) has the skill to analyze the data and determine when
another specialist should be called in to assist with the analysis.

• Start by assessing the scope of the case, which includes the device's OS, hardware, and
peripheral devices. You then determine whether resources are available to process all
the evidence. Determine whether you have the right tools to collect and analyze
evidence and whether you need to call on other specialists to assist in collecting and
processing evidence.

• In a criminal or public-sector case, if the police officer or investigator has sufficient
cause to support a search warrant, the prosecuting attorney might direct him or her
to submit an affidavit.

• After a judge approves and signs a search warrant, it's ready to be executed, meaning a
DEFR can collect evidence as defined by the warrant.

• The evidence can then be presented in court in a hearing or trial. A judge or an
administrative law judge then renders a judgment, or a jury hands down a verdict.

When preparing a case, you can apply standard systems analysis steps, explained in
the following list, to problem solving. Later in this chapter, you apply these steps to
cases.

• Make an initial assessment about the type of case you're investigating—To assess
the type of case you're handling, talk to others involved in the case and ask
questions about the incident. Have law enforcement or company security officers
already seized the computer, disks, peripherals, and other components? Do you
need to visit an office or another location? Was the computer used to commit a
crime, or does it contain evidence about another crime?

• Determine a preliminary design or approach to the case—Outline the general steps
you need to follow to investigate the case. If the suspect is an employee and you
need to acquire his or her system, determine whether you can seize the computer
during work hours or have to wait until evening or weekend hours. If you're
preparing a criminal case, determine what information law enforcement officers
have already gathered.

• Create a detailed checklist—Refine the general outline by creating a detailed
checklist of steps and an estimated amount of time for each step. This outline helps
you stay on track during the investigation.

• Determine the resources you need—Based on the OS of the computer you're
investigating, list the software you plan to use for the investigation, noting any
other software, tools, or expert assistance you might need.

• Obtain and copy an evidence drive—In some cases, you might be seizing multiple
computers along with CDs, DVDs, USB drives, mobile devices, and other
removable media. (For the examples in this chapter, you're using only USB
drives.) Make a forensic copy of the disk.

• Identify the risks—List the problems you normally expect in the type of case
you’re handling. This list is known as a standard risk assessment. For example, if
the suspect seems knowledgeable about computers, he or she might have set up a
logon scheme that shuts down the computer or overwrites data on the hard disk
when someone tries to change the logon password.

• Mitigate or minimize the risks—Identify how you can minimize the risks. For
example, if you’re working with a computer on which the suspect has likely
password-protected the hard drive, you can make multiple copies of the original
media before starting. Then if you destroy a copy during the process of retrieving
information from the disk, you have additional copies.

• Test the design—Review the decisions you’ve made and the steps you’ve
completed. If you have already copied the original media, a standard part of testing
the design involves comparing hash values (discussed in Chapters 3 and 4) to
ensure that you copied the original media correctly.

• Analyze and recover the digital evidence—Using the software tools and other
resources you've gathered, and making sure you've addressed any risks and
obstacles, examine the disk to find digital evidence.

• Investigate the data you recover—View the information recovered from the disk,
including existing files, deleted files, e-mail, and Web history, and organize the files
to help find information relevant to the case.

• Complete the case report—Write a complete report detailing what you did and
what you found.

• Critique the case—Self-evaluation and peer review are essential parts of
professional growth. After you complete a case, review it to identify successful
decisions and actions and determine how you could have improved your
performance.
• Evidence Custody Form:
An evidence custody form, also called a chain-of-evidence form, helps you document
what has and has not been done with the original evidence and forensic copies of
the evidence. Depending on whether you're working in law enforcement or private
security, you can create an evidence custody form to fit your environment. This form
should be easy to read and use. It can contain information for one or several pieces of
evidence. Consider creating a single-evidence form (which lists each piece of evidence on a
separate page) and a multi-evidence form (see Figure 1-9), depending on the administrative
needs of your investigation.

An evidence custody form usually contains the following information:

• Case number—The number your organization assigns when an investigation is
initiated.

• Investigating organization—The name of your organization. In large corporations
with global facilities, several organizations might be conducting investigations in
different geographic areas.

• Investigator—The name of the investigator assigned to the case. If many
investigators are assigned, specify the lead investigator's name.

• Nature of case—A short description of the case. For example, in the private- sector
environment, it might be “data recovery for corporate litigation” or “employee
policy violation case.”

• Location evidence was obtained—The exact location where the evidence was
collected. If you’re using multi-evidence forms, a new form should be created for
each location.

• Description of evidence—A list of the evidence items, such as “hard drive, 250
GB” or “one USB drive, 8 GB.” On a multi-evidence form, write a description for
each item of evidence you acquire and possibly include photos.

• Vendor name—The name of the manufacturer of the computer component. List a
250 GB hard drive, for example, as a "Maxtor 250 GB hard drive," or describe
a USB drive as a "SanDisk 8 GB USB drive." In later chapters, you see how
differences among manufacturers can affect data recovery.
• Model number or serial number—List the model number or serial number (if
available) of the computer component. Many computer components, including
hard drives, memory chips, and expansion slot cards, have model numbers but not
serial numbers.

• Evidence recovered by—The name of the investigator who recovered the evidence.
The chain of custody for evidence starts with this information. If you insert your
name, for example, you’re declaring that you have taken control of the evidence.
It’s now your responsibility to ensure that nothing damages the evidence and no
one tampers with it. The person placing his or her name on this line is responsible
for preserving, transporting, and securing the evidence.

• Date and time—The date and time the evidence was taken into custody. This
information establishes exactly when the chain of custody starts.

• Evidence placed in locker—Specifies which approved secure container is used to
store evidence and when the evidence was placed in the container.

• Item #/Evidence processed by/Disposition of evidence/Date/Time—When you or
another authorized investigator retrieves evidence from the evidence locker for
processing and analysis, list the item number and your name, and then describe
what was done to the evidence.

• Page—The forms used to catalog all evidence for each location should have page
numbers. List the page number, and indicate the total number of pages for this
group of evidence. For example, if you collected 15 pieces of evidence at one
location and your form has only 10 lines, you need to fill out two multi-evidence
forms. The first form is noted as "Page 1 of 2," and the second page is noted as
"Page 2 of 2."
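An evidence custody ledger covering the fields listed above, as an added example in Python (not the textbook's Figure 1-9 form or any vendor's tool): it records items and custody events with the fields the form calls for, checks that each item's chain of custody starts with the "evidence recovered by" entry and that every check-out from the locker is matched by a check-in from the same person, and computes the "Page x of y" labels for a multi-evidence form. The ten-lines-per-form limit, the names, the dates and the item details are assumptions made for the example.

```python
"""Evidence custody (chain-of-custody) ledger.

Added example, not the textbook's form or any vendor tool. Holds the fields
listed in the notes (case number, organization, investigator, nature of case,
item description, vendor, model or serial number, location, who recovered it
and when, locker and processing entries) and enforces two rules a paper form
only implies: custody starts with the "recovered" entry, and an item can only
be checked out while it is in the locker and must be checked back in by the
person who took it. Names, dates, items and the ten-line form are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime

LINES_PER_FORM = 10   # assumption: one multi-evidence form holds ten item lines
RECOVERED, IN_LOCKER, CHECKED_OUT, CHECKED_IN = (
    "recovered", "placed_in_locker", "checked_out", "checked_in")


@dataclass
class EvidenceItem:
    item_no: int
    description: str        # e.g. "one USB drive, 8 GB"
    vendor: str             # e.g. "SanDisk"
    model_or_serial: str    # model number, or serial number if the part has one
    location_obtained: str


@dataclass
class CustodyEvent:
    item_no: int
    when: datetime
    who: str
    action: str
    disposition: str = ""   # what was done to the evidence (processing entries)


@dataclass
class CustodyForm:
    case_number: str
    organization: str
    investigator: str
    nature_of_case: str
    items: list = field(default_factory=list)
    events: list = field(default_factory=list)

    def add_item(self, description, vendor, model_or_serial, location) -> int:
        item_no = len(self.items) + 1
        self.items.append(EvidenceItem(item_no, description, vendor, model_or_serial, location))
        return item_no

    def record(self, item_no, when, who, action, disposition=""):
        self.events.append(CustodyEvent(item_no, when, who, action, disposition))

    def custody_gaps(self) -> list:
        """Describe every break in the chain of custody, item by item."""
        problems = []
        for item in self.items:
            history = sorted((e for e in self.events if e.item_no == item.item_no),
                             key=lambda e: e.when)
            if not history or history[0].action != RECOVERED:
                problems.append(f"item {item.item_no}: custody does not start with '{RECOVERED}'")
                continue
            where, holder = "custodian", history[0].who   # recovering investigator holds it
            for e in history[1:]:
                stamp = e.when.isoformat(timespec="minutes")
                if e.action == IN_LOCKER and where == "custodian":
                    where = "locker"
                elif e.action == CHECKED_OUT and where == "locker":
                    where, holder = "custodian", e.who
                elif e.action == CHECKED_IN and where == "custodian":
                    if e.who != holder:
                        problems.append(f"item {item.item_no}: checked in by {e.who} at {stamp} "
                                        f"but checked out by {holder}")
                    where = "locker"
                else:
                    problems.append(f"item {item.item_no}: '{e.action}' by {e.who} at {stamp} is "
                                    f"out of sequence (item is with {where}, last custodian {holder})")
        return problems

    def pages(self) -> list:
        """Page labels for the multi-evidence form(s) needed to list every item."""
        total = max(1, -(-len(self.items) // LINES_PER_FORM))   # ceiling division
        return [f"Page {n} of {total}" for n in range(1, total + 1)]


def demo() -> tuple:
    """Constructed case: twelve items (so two form pages); item 2 is checked out
    a second time without ever being checked in, which custody_gaps must flag."""
    def t(hour, minute):
        return datetime(2015, 7, 20, hour, minute)   # assumed date
    form = CustodyForm("72015", "Example Corp Security", "Investigator One",
                       "employee policy violation case")
    usb = form.add_item("one USB drive, 8 GB", "SanDisk", "SN 0000-1111 (constructed)", "IT Department")
    hdd = form.add_item("hard drive, 250 GB", "Maxtor", "SN 2222-3333 (constructed)", "IT Department")
    for n in range(10):
        form.add_item(f"DVD-R #{n + 1}", "unknown", "n/a", "IT Department")
    for item_no in range(1, len(form.items) + 1):
        form.record(item_no, t(9, 0), "Investigator One", RECOVERED)
        form.record(item_no, t(10, 30), "Investigator One", IN_LOCKER)
    form.record(usb, t(13, 0), "Investigator One", CHECKED_OUT, "bit-stream imaging")
    form.record(usb, t(15, 0), "Investigator One", CHECKED_IN, "image hash verified")
    form.record(hdd, t(13, 5), "Investigator One", CHECKED_OUT, "bit-stream imaging")
    form.record(hdd, t(16, 0), "Investigator Two", CHECKED_OUT, "keyword search")  # never checked in
    return form.custody_gaps(), form.pages()
```

Running demo() reports one gap, for item 2, and two page labels. The point of custody_gaps is the same as the paper form's: anyone reviewing the case later must be able to see, for every item and every moment, who was responsible for it; a second check-out without a check-in is exactly the hole opposing counsel will look for.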
