Computer Forensics and Cyber Security - Lesson - 1

Uploaded by jumba.rebecca

COMPUTER FORENSICS AND CYBER SECURITY
MSC DCT Course Outline

Course outline
• Forensic artifacts created in modern digital life (AMK):
– web browsing,
– email and other activities;
• Digital Evidence (EA)
– Requirements for digital evidence
– Admissibility of electronic evidence
– Preparing for collection of digital evidence
– Forensic examination of computers and digital electronic media
Computer Forensics
• Computer forensics:
– Definition: the application of scientific methods and techniques in order to recover data from electronic / digital media.
– Involves the preservation, identification, extraction, documentation and interpretation of computer media for evidence and/or root cause analysis in a legally acceptable manner.
Computer Forensics
• Computer forensics:
– Is a science.
– Evidence is preserved, identified, documented and presented in the same way as in the “other” forensic sciences:
• DNA, entomology (insects), serology (body fluids), etc.
– Best conducted in a controlled environment.
– The expansion of network/cloud storage is forcing the evolution of digital evidence collection (dead-box vs. live acquisition).
Computer Forensics
• Expertise
Issues with Computer Forensics
• Computer forensics is relatively new, hence laws dictating the validity of evidence are sketchy and not widely known.
• Evidence is needed to fully prosecute the attacker.
• This evidence has to come from the information security administrator, who must ensure the validity of the evidence.
• The information security administrator must know the rules that govern the admissibility of evidence in the territory of jurisdiction (Kenya).
Evidence
• Definition:
– (Simple) Proof of a fact about what did or did not happen.
– Is presented to a judge for use to support or refute the allegations of a crime or civil wrong.
– Is presented to persuade belief in a claim or to refute it.
– Must be reliable and relevant to the case in order to be legally admissible.
Digital Investigators
• Role:
– To present supporting facts and probabilities.
– Present objective, unbiased truth.
– Not to be an advocate.
– Not to take sides with the person who pays.
– Keep bias, emotion and greed out as much as possible.
– The court depends on the trustworthiness of investigators.
– Be accurate, clear, factual and objective.
Digital Evidence (DA)
• Is technical information found in a bunch of 1s and 0s.
Digital Evidence (DA)
• Definition:
– Encompasses any and all digital data that can establish that a crime has been committed, or can provide a link between a crime and its victim or a crime and its perpetrator.
– Evidence must pass the tests of admissibility and weight.
Admissibility of Evidence
• A measure of whether the evidence is safe to be put before a jury to be used as a foundation for making a decision.
– Is a set of legal rules applied by a judge to assess the item of evidence.
– For instance, unauthenticated emails could not be admitted, as anyone could create a false email.
– These rules are extensive:
• Relevance, authenticity, not hearsay, best evidence, not unduly prejudicial.
Admissibility of evidence
• Improper handling and illegal search can prevent evidence from being admissible.
• Digital evidence must be gathered with search warrants. Warrants have an expiry time.
• To obtain a warrant, probable cause must be established:
– A crime has been committed.
– Evidence of the crime is in existence.
– The evidence is likely to exist at the place to be searched.
• If the suspect consented to the search, no search warrant is needed, provided that the consent can be substantiated.
Admissibility of evidence
• Evidence collected outside of the warrant’s time limit is not admissible.
• Evidence collected outside of the scope of the warrant is not admissible.
Weight of Digital Evidence
• Weight is a measure of the validity and importance of the evidence.
– Essentially, whether the judge or jury believes the evidence.
– There are few guidelines except what is convincing and well presented.
– Evidence must be authentic, accurate, and complete for it to pass any standard of weight.
Challenges with forensics
• Technical Challenges
• Legal Issues
Technical challenges
• Expansion of data storage systems:
– 1994: a 540 MB hard drive = 385 floppy disks
– 1996: a 2 GB hard drive = 1,463 floppy disks
– 1998: a 4 GB hard drive = 2,926 floppy disks
– 2001: a 40 GB hard drive = 29,269 floppy disks
– 2002: an 80 GB hard drive = 58,538 floppy disks
– 2003: a 160 GB hard drive = 117,077 floppy disks
– A terabyte (TB) of hard drive space = 731,734 floppy disks.
Technical challenges
• The growth of “cloud” computing/storage: iCloud, Box (50GB free), Carbonite, etc.
Legal Issues
• In the law enforcement world, forensic examiners will be called to testify in court.
• At a minimum, you must know:
1. The law (clauses and statute)
2. “Best Practices”
3. Your policies and procedures
4. Evolving technology
Requirement of Digital Evidence
• Computer evidence is just like any other evidence in the sense that it must be:
– Authentic
– Accurate
– Complete
– Convincing to juries
– In conformity with common law and legislative rules (admissible)
Authenticity
• Answers the question:
– Does the evidence (material) come from where it purports to?
• To demonstrate that digital evidence is authentic:
– We must show that it was acquired from a specific computer and/or location,
– That a complete and accurate copy of the digital evidence was acquired, and
– That it has remained unchanged since it was collected.
– Chain of custody and integrity documentation (showing that the evidence has not been altered) are important.
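The three authenticity requirements above (a known source, a complete copy, and no change since collection) are usually backed by a message digest taken at acquisition and re-checked at every hand-over. The following is an added illustration, not code from the lesson: it models an acquisition record and a chain-of-custody log in which each custodian re-hashes the copy and the record shows at which transfer, if any, the digest stopped matching. The image bytes, names and timestamps are constructed for the example.

```python
import hashlib

# Constructed sample image: stands in for the bytes read from a seized drive.
ACQUIRED_IMAGE = b"\x00" * 512 + b"constructed evidence image for this example\n" + b"\xff" * 512


def digest(data: bytes) -> str:
    """SHA-256 of the evidence bytes, hex-encoded: the message digest recorded at acquisition."""
    return hashlib.sha256(data).hexdigest()


def acquire(data: bytes, source: str, examiner: str, when: str) -> dict:
    """Start the record: where the copy came from, who made it, when, and its digest.
    Every later integrity check compares against this acquisition digest."""
    return {
        "source": source,
        "acquired_by": examiner,
        "acquired_at": when,
        "acquisition_sha256": digest(data),
        "custody": [],
    }


def hand_over(record: dict, data: bytes, giver: str, receiver: str, when: str) -> dict:
    """Append one chain-of-custody entry, re-hashing the copy at the moment of transfer.
    A digest that differs from the acquisition digest is recorded, not silently dropped:
    the record has to show when the copy stopped matching."""
    entry = {"from": giver, "to": receiver, "at": when, "sha256": digest(data)}
    entry["matches_acquisition"] = entry["sha256"] == record["acquisition_sha256"]
    record["custody"].append(entry)
    return record


def integrity_intact(record: dict) -> bool:
    """True only if every custodian verified the same digest as at acquisition."""
    return all(e["matches_acquisition"] for e in record["custody"])


def first_break(record: dict):
    """Index of the first hand-over whose digest no longer matched, or None."""
    for i, e in enumerate(record["custody"]):
        if not e["matches_acquisition"]:
            return i
    return None


if __name__ == "__main__":
    rec = acquire(ACQUIRED_IMAGE, "seized laptop, internal SSD (constructed)", "examiner A",
                  "2023-01-02T09:00:00Z")
    hand_over(rec, ACQUIRED_IMAGE, "examiner A", "evidence clerk", "2023-01-02T11:00:00Z")
    # Constructed alteration: one byte flipped in the copy before the next hand-over.
    altered = bytearray(ACQUIRED_IMAGE)
    altered[600] ^= 0x01
    hand_over(rec, bytes(altered), "evidence clerk", "examiner B", "2023-01-03T08:00:00Z")
    print("intact:", integrity_intact(rec), "first break at entry:", first_break(rec))
```

The point of keeping the failed entry rather than rejecting it is auditability: an independent expert reading the log can see exactly where custody of an unchanged copy ended, which is what the weight of the evidence will turn on.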
Reliability
• Answers the questions:
– Can the substance of the story the material tells be believed, and is it consistent?
– Are there reasons for doubting the correct working of the computer?
Completeness
• Is the story that the material purports to tell complete? Are there other stories that the material also tells that might have a bearing on the legal dispute or hearing?
Crime reconstruction
• Is the determination of the actions or events surrounding the commission of a crime.
• Depends on the evidence recovered from the crime scene, a suspect or a victim, “collected” as part of the investigation.
• The quality of that evidence and the method of evidence collection play an important role.
• Evidence can be: artifact, inculpatory or exculpatory.
Artifact Evidence
• Is any change in crime scene evidence, or addition to crime scene evidence, that could potentially cause the investigator to infer incorrectly that the “evidence” is related to a crime.
Inculpatory evidence
• Evidence that either provides leads to other evidence or corroborates other evidence.
• Usually this type of evidence supports or helps confirm a given theory.
Exculpatory evidence
• Opposite of inculpatory.
• Contradicts a given theory.
Direct Vs. Circumstantial evidence
• Direct evidence establishes a fact; circumstantial evidence suggests one.
– A computer log is direct evidence that a given account was used to log into a system.
– It is only circumstantial evidence that the account’s owner used the computer to gain access.
Classification of Digital Evidence
• Digital evidence can be classified based on:
– Contents. Example:
• Investigators use the contents of an e-mail message to classify it and to determine which computer it came from.
• Swap files and slack space contain a random assortment of fragments of digital data that can often be classified and individualized.
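Classifying by contents in practice means recognising the fragments in unallocated or slack space and recording where each one lies, because the byte offset is what later ties a fragment to a particular file or cluster. The example below is added here and is not code from the lesson: it scans a constructed buffer of junk bytes with two e-mail header fragments embedded in it, records every recognisable header with its offset, groups the senders by domain and pulls the relaying host out of a Received: line. The addresses and host names are reserved example values.

```python
import re

# Constructed sample of "unallocated" space: binary junk with two e-mail header
# fragments embedded in it (addresses and host are reserved example names).
UNALLOCATED = (
    b"\x00\x11\x22" * 20
    + b"From: alice@example.test\r\nTo: bob@example.test\r\n"
    + b"Date: Mon, 02 Jan 2023 10:15:00 +0000\r\nSubject: invoice\r\n"
    + b"\xff\xfe" * 30
    + b"Received: from mail.example.test ([198.51.100.7])\r\nFrom: carol@example.test\r\n"
    + b"\x90" * 16
)

# Header lines treated as recognisable e-mail content; the value is capped so a
# long run of non-newline junk cannot swallow the rest of the buffer.
HEADER_RE = re.compile(rb"(From|To|Date|Subject|Received): ([^\r\n]{1,200})")


def carve_headers(blob: bytes) -> list:
    """Every recognisable header line in the blob, with the byte offset it was found at.
    The offset is what later individualises the fragment (which cluster, whose slack)."""
    return [
        {
            "offset": m.start(),
            "field": m.group(1).decode("ascii"),
            "value": m.group(2).decode("ascii", errors="replace"),
        }
        for m in HEADER_RE.finditer(blob)
    ]


def group_by_sender_domain(headers: list) -> dict:
    """Classify 'From:' fragments by sender domain: a coarse content class, keyed to offsets."""
    out = {}
    for h in headers:
        if h["field"] == "From":
            domain = h["value"].rsplit("@", 1)[-1].strip().lower()
            out.setdefault(domain, []).append(h["offset"])
    return out


def originating_hosts(headers: list) -> list:
    """'Received:' fragments name the relaying machine, which is how the contents of a
    message point back at the computer it came from."""
    hosts = []
    for h in headers:
        if h["field"] == "Received":
            m = re.match(r"from\s+(\S+)", h["value"])
            if m:
                hosts.append(m.group(1))
    return hosts


if __name__ == "__main__":
    found = carve_headers(UNALLOCATED)
    for h in found:
        print(f"@{h['offset']:5d} {h['field']}: {h['value']}")
    print(group_by_sender_domain(found))
    print(originating_hosts(found))
```

A fragment carved this way classifies the data (it is e-mail, from this domain, via this relay) but does not by itself prove who typed it; that is the direct-versus-circumstantial distinction from the previous slides applied to contents.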
Classification of Digital Evidence
• Function:
– Investigators examine how a program functions to classify it and sometimes individualize it.
– A program that appears to do something amusing or useful but actually does something else is classified as a Trojan horse program.
Classification of Digital Evidence
• Characteristics: file names, message digests, and date stamps can be helpful in classifying and individualizing digital evidence.
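The three characteristics named here carry different weight: a file name only classifies, a message digest individualizes (two files with the same digest are the same file for practical purposes), and a date stamp places the file in time. The following added example, which is not from the lesson, triages a constructed set of found files against a constructed known-good reference set of name-plus-digest pairs and an incident window, flagging a file that reuses a known name with a different digest and any unrecognised file modified inside the window. The file contents, the reference set and the window are all made up for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample: files found on an examined volume as (name, last-modified, contents).
# Contents are made up; no real binaries or published hash sets are involved.
FOUND_FILES = [
    ("notes.txt", "2023-01-02T09:00:00+00:00", b"meeting at noon\n"),
    ("calc.exe", "2022-06-01T12:00:00+00:00", b"MZ constructed stand-in for a known-good program"),
    ("calc.exe", "2023-01-03T03:12:00+00:00", b"MZ constructed stand-in for something else entirely"),
]

# A "known good" reference set of the kind hash-set tools distribute, constructed here
# from the one sample file we declare trustworthy: name -> digest.
KNOWN_GOOD = {"calc.exe": hashlib.sha256(FOUND_FILES[1][2]).hexdigest()}

# Constructed incident window used for the date-stamp characteristic.
WINDOW_START = datetime(2023, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 5, tzinfo=timezone.utc)


def characterize(name: str, mtime_iso: str, content: bytes) -> dict:
    """The three characteristics the slide names: file name, message digest, date stamp."""
    return {
        "name": name,
        "mtime": datetime.fromisoformat(mtime_iso),
        "sha256": hashlib.sha256(content).hexdigest(),
    }


def triage(files, known_good: dict, window_start: datetime, window_end: datetime) -> dict:
    """Bucket each file by its characteristics:
    - known_good: digest is in the reference set (the name alone proves nothing);
    - masquerading: name matches a known-good file but the digest does not;
    - unknown_in_window: not in the reference set and modified inside the incident window."""
    known_digests = set(known_good.values())
    out = {"known_good": [], "masquerading": [], "unknown_in_window": []}
    for name, mtime_iso, content in files:
        c = characterize(name, mtime_iso, content)
        if c["sha256"] in known_digests:
            out["known_good"].append(c)
            continue
        if name in known_good and known_good[name] != c["sha256"]:
            out["masquerading"].append(c)
        if window_start <= c["mtime"] <= window_end:
            out["unknown_in_window"].append(c)
    return out


def names(bucket: list) -> list:
    """Just the file names of a triage bucket, for reporting."""
    return [c["name"] for c in bucket]


if __name__ == "__main__":
    result = triage(FOUND_FILES, KNOWN_GOOD, WINDOW_START, WINDOW_END)
    for bucket, items in result.items():
        print(bucket, names(items))
```

A file is only ever excluded on its digest, never on its name, because the name is the one characteristic a user can set freely; the date stamp narrows the candidate set but is also user-controllable and is therefore a lead to follow rather than proof on its own.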
Rules of Evidence
• Useful evidence must have the following properties:
– Admissible
– Authentic
– Complete
– Reliable
– Believable
Rules of Evidence
• Admissible:
– Evidence must be able to be used in a court of law.
– Inadmissibility of evidence is the equivalent of a lack of evidence, except the cost is higher.
Rules of Evidence
• Authentic:
– Evidence must be tied to the incident in order to prove something.
– The evidence must be shown to relate to the incident in a relevant way.
Rules of Evidence
• Complete:
– Not only should you collect evidence that can prove the attacker’s actions, but also evidence that could prove their innocence.
– Hence it is not enough to collect evidence that just shows one perspective of the incident.
– This is called “exculpatory evidence” and it is important in proving a case.
Rules of Evidence
• Reliable:
– Evidence collection and analysis procedures must not cast doubt on the evidence’s authenticity and veracity.
Rules of Evidence
• Believable:
– The evidence should be clearly understood and easy to believe by the judges.
– A binary dump of process memory??
A general procedure of collecting evidence
• Evidence collection generally involves:
– Identification of evidence
– Preservation of evidence
– Analysis of evidence
– Presentation of evidence
A general procedure of collecting evidence
• Identification of evidence:
– It must be possible to distinguish between evidence and junk data.
– The evidence collector should know what the data is, where it is located, and how it is stored.
A general procedure of collecting evidence
• Preservation of evidence:
– Evidence found must be preserved as close as possible to its original state.
– Any changes made during this phase must be documented and justified.
– All procedures used in the examination should be auditable, i.e. a suitably qualified independent expert appointed by the other side of a case should be able to track all the investigations carried out by the prosecution’s experts.
A general procedure of collecting evidence
• Analysis of evidence:
– The stored evidence must then be analyzed to extract the relevant information and recreate the chain of events.
A general procedure of collecting evidence
• Presentation of evidence:
– Refers to communicating the meaning of evidence.
– You can’t do anything with your evidence unless you can communicate what it means in a manner that is understandable to a non-domain expert.
– Through every step of the procedure, it is crucial to record and document everything that is done and everything that is used.
– This ensures that the procedure is repeatable.