Computer Forensics and Investigations As A Profession

This document provides an overview of computer forensics and investigations as a profession. It defines digital forensics and describes how to prepare for computer investigations, differentiating between law enforcement and corporate investigations. The roles of a digital forensics investigator are also listed. Key sources of digital evidence include computers, servers, and various storage media. Both public law enforcement investigations and private corporate investigations follow defined processes and are governed by relevant laws and policies.

COMPUTER FORENSICS AND INVESTIGATIONS AS A PROFESSION

Lecture 1a – 1b

Objectives
• Define digital forensics
• Describe how to prepare for computer investigations and explain the difference between law enforcement agency and corporate investigations
• List the roles of a digital forensics investigator

Expected
• Attend labs
• Ask if you do not know
• Read the lecture notes (e-lecture) and the reference book before coming to labs
• Do the review questions at the end of each lecture
• Get interested in this subject

Assumptions:
• Basic computer background
• Basic knowledge of the Windows and Linux operating systems
• Binary and hexadecimal number systems

Please take mobile calls outside the lab / lecture.


Points to note
• You are expected to be independent and resourceful.
• What you learn and gain from the subject is more important than your grade.
http://www.youtube.com/watch?v=D1R-jKKp3NA Duration: 00:50 – 05:18
• Please do not ask:
• Do I have to remember X for the exam?
• Can you give a model answer to X?
• If I submit it like this, will I get an A grade / a pass?
• Good to ask:
• Why does NTFS use a B-tree for its indexes rather than a simpler sorted structure?

Academic - plagiarism issue
• No "Certified Copying And Paste (CCNP)" from the Internet or Google, or among students

Teaching Team
• Mr. Jason Ng (Subject Leader)
  [email protected]
  6780 6913
• Mr. Lim Chee Yong
  [email protected]
  6780 5275


Professional digital examiner or extractor
• So you have the desire to explore the green pastures of digital forensics. Generally, there are two distinct breeds of professional in the digital forensics arena.
• Professional digital forensics examiner
• Good knowledge of the commercial digital forensics tools: FTK, EnCase and Nuix
• Able to explain the process of a forensic examination, and even to manually reproduce or locate artifacts
• Able to produce and submit a forensic report for court proceedings
• Professional digital forensics extractor, aka button pusher
• Only fluent in the usage of the commercial tools (FTK, EnCase and Nuix); commonly known as a Professional Button Pusher (PBP)
• Might not be able to explain the process of the forensic examination
• Able to produce and submit a forensic report for court proceedings; good for volume and surface-level examinations

Understanding Digital Forensics
• Digital forensics
• Involves obtaining and analyzing digital information as evidence in civil, criminal, or other cases
• Computer forensics
• Investigates data that can be retrieved from a computer's hard disk or other storage media
• Mobile forensics
• Investigates data that can be retrieved from a mobile handset's storage media
• Multimedia forensics
• Investigates data that can be retrieved from multimedia sources such as closed-circuit television (CCTV)

Understanding Digital Forensics
• Network forensics
• Information about how a perpetrator or an attacker gained access to a network
• Data recovery
• Recovering information that was deleted by mistake, or lost during a power surge or server crash
• Typically you know what you're looking for
• Investigator team: investigators often work as a team (computer, mobile, multimedia), each bringing a distinct discipline, across multiple platforms (e.g. operating system, file system)

Understanding Digital Forensics
• E-discovery
• Discovery in investigations that deals with the exchange of information in electronic format (email, invoices)
• Vulnerability assessment and risk management group
• Tests and verifies the integrity of standalone workstations and network servers
• Professionals in this group have skills in network intrusion detection and incident response

Digital Forensics Future Trends - A Survey
• 450 participants completed the Digital Forensics Survey sponsored by Guidance Software.

Source: http://tinyurl.com/ndr4jff
Virtual systems and networks
• Virtual machine providers
• VMware, Citrix, Huawei and Microsoft
• Methods of VM forensics
• Through the host machine (e.g. .lnk files that point at the VM's files)
• Through the native application's own files (e.g. the .vmem memory file)
• Normal viewing by mounting the virtual disk in forensics software

Source: http://www.forensicfocus.com/downloads/virtual-machines-forensics-analysis.pdf
http://www.fedtechmagazine.com/article/2011/02/digital-forensics-virtualized-environment
Business applications in the cloud (mobile)
• The total market for cloud-based applications in the mobile space was predicted to grow from $400 million in 2009 to an estimated $9.5 billion by 2014 (and nearly $39 billion by 2016)
• Constantly changing landscape for mobile devices
• Both iOS and Android apps mostly use remote resources
• A proper forensic understanding of platform apps is needed
• Mobile platforms, or Mobile Enterprise Application Platforms (MEAP)
• Logical or physical extraction

Source: The Juniper Research Blog at juniperresearch.com
The eForensics_Open_01_2013_P32_Cloud based Mobile at eForensics.com
Cloud-based data sharing / infrastructure
• Cloud-based data sharing: Dropbox, Google Docs, SkyDrive
• A proper forensic understanding of platform apps is needed
• Cloud-based infrastructure: Amazon EC2
• Contact the cloud provider, capture screens, or use customized tools

Source: Trends in Digital Forensics Cloud Computing at JADsoftware
http://tinyurl.com/ndr4jff
How about eDiscovery?
• Yes, due to the exponential growth of electronically stored information (ESI)

Gartner Magic Quadrant for eDiscovery

Source: http://www.accessdata.com/gartner-2013/#.Us-On7TwglQ
From an academic point of view on DF

97 articles from 31 journals (2008 to 2013)

Source: Digital Forensic Trends and Future. International Journal of Cyber-Security and Digital Forensics (IJCSDF) 2(2): 48-76

Public and private investigation
• Computer investigations and forensics fall into two distinct categories
• Public investigations
• Private or corporate investigations
• Public investigations
• Involve government agencies responsible for criminal investigations and prosecution
• Private or corporate investigations
• Involve a person or a corporate entity acting on a possible violation of corporate regulations or of personal interests
• Admissibility of expert evidence (Section 47, Evidence Act)
Opinions of experts
• 47.—(1) Subject to subsection (4), when the court is likely to derive assistance from an opinion upon a point of scientific, technical or other specialised knowledge, the opinions of experts upon that point are relevant facts.
• (2) An expert is a person with such scientific, technical or other specialised knowledge based on training, study or experience.

Preparing for Computer Investigations (continued)
• Private or corporate investigations
• Deal with private companies, non-law-enforcement government agencies, and lawyers
• Governed by internal policies that define expected employee behavior and conduct in the workplace
• Private corporate investigations also involve litigation disputes
• Investigations are usually conducted in civil cases

Understanding Law Enforcement Agency Investigations
• In a criminal case, a suspect is tried for a criminal offense
• Such as murder
• Computers and networks are often just the tools used to commit traditional crimes. For example: "Cheating involving E-Commerce" and scams such as "Credit-for-Sex" and "Internet Love". Read "Singapore Police Force - MID-YEAR CRIME BRIEF FOR JANUARY TO JUNE 2015".
• Singapore law: Computer Misuse and Cybersecurity Act, Chapter 50A. Read "Computer Misuse and Cybersecurity Act".
• What happens if the victims were in Singapore while the perpetrators were in other countries?

Understanding Law Enforcement Agency Investigations (continued)
• Following the legal process: a criminal case follows three broad stages
• The complaint, the investigation, and the prosecution

Roles of a forensics investigator
• Enhance your professional conduct by continuing your training
• Record your fact-finding methods in a journal
• Attend workshops, conferences, and vendor courses
• Membership in professional organizations adds to your credentials
• Achieve a high public and private standing and maintain honesty and integrity

Digital forensics sources
• Computers: desktop computer, laptop, server, datacenter server
• Other storage media: digital camera, thumb drive, SD card, DVD or CD
• There is a lot of digital evidence at a crime scene.
• Do we recover every single item of digital evidence?
• Scope of search
• Read pages 1 to 12 of "A Guide for First Responders"

Digital forensics sources
• CCTV
• Closed-Circuit Television
• Video format:
• Resolution:
• Encode/Decode:
• Singapore standard for CCTV
• Read "VIDEO SURVEILLANCE SYSTEM (VSS) STANDARD FOR BUILDINGS"
• Social media
• Facebook, WeChat, Twitter
• Challenge: how to forensically collect artifacts from the local device or from the server?
• Email
• Gmail, Hotmail, corporate Exchange
• Challenge: how to forensically collect email (PST, EML) from the local device or from the server?
• Cloud
• iCloud, Google Drive
• Challenge: how to forensically collect artifacts from the local device or from the server?

Question: Could the forensics examiner access the web data across the national border without the user's consent?
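For the email challenge above, collection usually means preserving the raw .eml file and then documenting what it contains. The following is an added example (not from the lecture) that parses one message with Python's standard email library and extracts the facts an examiner records first: the Received hop chain in chronological order with a consistency check between hops, the sender identity headers, and the name, size, leading bytes and SHA-256 of each attachment. The sample message, its hostnames, addresses, Message-ID and attachment are all constructed for the demo.

```python
"""Extract collection-relevant facts from an .eml message.

Added example, not from the lecture. Standard library only.
The sample message (hosts, addresses, Message-ID, attachment) is constructed.
"""
import email
import hashlib
import re
from email import policy

SAMPLE_EML = b"""Received: from mx.corp.example (mx.corp.example [192.0.2.10])
    by mail.corp.example with ESMTP id abc123
    for <alice@corp.example>; Mon, 01 Jun 2015 10:15:02 +0800
Received: from attacker-relay.example (unknown [198.51.100.7])
    by mx.corp.example with SMTP; Mon, 01 Jun 2015 10:14:58 +0800
From: "Finance" <finance@corp.example>
To: alice@corp.example
Subject: Invoice 4471
Date: Mon, 01 Jun 2015 10:14:50 +0800
Message-ID: <20150601021450.4471@attacker-relay.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# "from <host> ... by <host>" as MTAs write it into Received headers
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_hops(msg):
    """Each MTA prepends its Received header, so header order is newest first;
    reverse it to recover the path the message actually travelled."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # unfold and normalise whitespace
        m = HOP_RE.search(text)
        hops.append({
            "from": m.group(1) if m else None,
            "by": m.group(2) if m else None,
            "when": text.rsplit(";", 1)[1].strip() if ";" in text else None,
        })
    return hops


def analyze_eml(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = parse_hops(msg)
    # The host that received hop i should be the host that sent hop i+1;
    # a break in that chain is where a header may have been forged or stripped.
    consistent = all(hops[i]["by"] == hops[i + 1]["from"] for i in range(len(hops) - 1))
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "magic": data[:2],  # b"MZ" in the sample: a PE executable named as an invoice
            "sha256": sha256_hex(data),
        })
    return {
        "message_id": str(msg["Message-ID"]),
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "hops": hops,
        "chain_consistent": consistent,
        "attachments": attachments,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_eml(SAMPLE_EML), indent=2, default=repr))
```

Hash the attachment bytes as decoded from the message, not the .eml file as a whole, so the value can be matched against the executable later found on a host or in a sandbox report; keep the original .eml unmodified and hash it separately as the evidence item.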

Process of extracting and preserving digital evidence
• Tools and materials for collecting digital evidence
• Securing the scene
• Documenting the scene
• Evidence collection
• Situations when the computer is powered on or powered off
• Packaging, transportation, and storage of digital evidence
• Read pages 19 to 34 of "A Guide for First Responders"
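Evidence collection from a powered-off machine comes down to a verified bit-stream copy of the storage. The following is an added example (not from the lecture, and not the code of any tool it names) of that acquisition step: it reads the source in fixed-size blocks as dd does, zero-fills and records any block that fails to read instead of aborting (the behaviour of dc3dd and ddrescue), writes the image together with a JSON acquisition log, and returns the MD5 and SHA-256 of what was written so the image can be re-verified later. The read_block callable, the simulated bad sector and the file names are constructed for the demo.

```python
"""Block-wise evidence imaging with hash verification and bad-block handling.

Added example, not code from the lecture or from any forensic tool it names.
Assumptions (constructed for the demo): the source device is exposed as a
read_block(offset, size) callable, and the failing sector and the evidence
file names are made up.
"""
import hashlib
import json
import os
import tempfile
import time

BLOCK_SIZE = 512  # sector size used by the read loop


def image_device(read_block, total_size, image_path, block_size=BLOCK_SIZE):
    """Copy total_size bytes from read_block() into image_path.

    A block that raises OSError or returns a short read is replaced by zeros
    and recorded, so the image keeps its geometry and the run still completes.
    Returns an acquisition record containing the hashes of the bytes written.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_blocks = []
    with open(image_path, "wb") as out:
        for offset in range(0, total_size, block_size):
            want = min(block_size, total_size - offset)
            try:
                chunk = read_block(offset, want)
                if len(chunk) != want:
                    raise OSError("short read")
            except OSError as exc:
                bad_blocks.append({"offset": offset, "length": want, "error": str(exc)})
                chunk = b"\x00" * want  # zero-fill the unreadable region
            out.write(chunk)
            md5.update(chunk)
            sha256.update(chunk)
    record = {
        "image": os.path.basename(image_path),
        "size": total_size,
        "block_size": block_size,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "bad_blocks": bad_blocks,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    # Sidecar log: the acquisition hashes and the unreadable regions belong in
    # the chain-of-custody record, not only in the examiner's notes.
    with open(image_path + ".json", "w") as log:
        json.dump(record, log, indent=2)
    return record


def sha256_of_file(path):
    """Re-hash an image file; compare against the acquisition record to verify it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def demo():
    """Image a constructed 2 KiB 'disk' whose third sector is unreadable."""
    data = bytes(range(256)) * 8  # 2048 bytes = four 512-byte sectors (constructed)

    def flaky_read(offset, size):
        if offset == 1024:
            raise OSError("Input/output error")  # simulated bad sector
        return data[offset:offset + size]

    # What a correct run must produce: the bad sector zero-filled in place.
    expected = data[:1024] + b"\x00" * 512 + data[1536:]
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        record = image_device(flaky_read, len(data), image)
        verified = sha256_of_file(image) == record["sha256"]
    return (record, verified,
            hashlib.sha256(expected).hexdigest(), hashlib.md5(expected).hexdigest())


if __name__ == "__main__":
    rec, ok, _, _ = demo()
    print(json.dumps(rec, indent=2))
    print("image verifies:", ok)
```

The hash recorded is of the image as written, including any zero-filled regions; that is the value a later examiner re-computes to show the image has not changed since acquisition, and the bad-block list is what explains why it does not match a hash of the original device.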

Common mobile operating systems in the South-East Asia market
• Worldwide Smartphone Sales to End Users by Vendor in 4Q14

Company    4Q14 Units (thousands)    4Q14 Market Share (%)
Apple      74,832                    20.4
Samsung    73,032                    19.9
Lenovo     24,300                    6.6
Huawei     21,038                    5.7
Xiaomi     18,582                    5.1
Others     155,701.6                 42.4
Total      367,484.5                 100.0

Source: http://www.gartner.com/newsroom/id/2996817

Common mobile operating systems in the South-East Asia market
Worldwide Smartphone Sales to End Users by Operating System in 2014

Operating System    2014 Units (thousands)    2014 Market Share (%)    2013 Units (thousands)    2013 Market Share (%)
Android             1,004,675                 80.7                     761,288                   78.5
iOS                 191,426                   15.4                     150,786                   15.5
Windows             35,133                    2.8                      30,714                    3.2
BlackBerry          7,911                     0.6                      18,606                    1.9
Other OS            5,745                     0.5                      8,327                     0.9
Total               1,244,890                 100.0                    969,721                   100.0

Source: http://www.gartner.com/newsroom/id/2996817,
http://fortune.com/2014/03/13/a-mobile-os-war-looms-in-asia

Forensics for models from the China market

Smartphone market in China: detailed analysis of leading domestic handset OEMs, original design manufacturers (ODMs), and handset independent design houses (IDHs)

Vendor     Million units    Percent (%)
Xiaomi     60.8             14.98
Samsung    58.4             14.38
Lenovo     47.3             11.65
Apple      46.6             11.48
Huawei     41.3             10.17
Coolpad    40.1             9.88
vivo       27.3             6.72
OPPO       25.5             6.28
ZTE        18.2             4.48
Others     40.5             9.98
Total      406              100.00

Source: https://technology.ihs.com/458951/mobile-phones-electronics-report-china-h2-2014

Introduction to mobile devices forensics
Mobile devices landscape (figure: cell phones)

Introduction to mobile devices forensics
Mobile device components
1) Subscriber Identity Module (SIM) card
   Micro-SIM, Nano-SIM
   Last numbers called
   Call duration
   SMS messages, possibly with the full message content
   International Mobile Subscriber Identity (IMSI)
   Integrated Circuit Card ID (ICCID): unique serial number of the card
2) External memory card
   Secure Digital card (SD), miniSD, microSD
   Not available on iPhone or iPad (no card slot)
   Image it as you would a hard disk
   Examine the image file with a forensics tool such as EnCase
   Pictures, videos and chats, including deleted data
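The two SIM identifiers listed under item 1 are not stored as printable strings on the card. Below is an added example (not from the lecture) of decoding them from the raw elementary files, following the 3GPP TS 31.102 layouts: EF_ICCID is ten bytes of swapped-nibble BCD padded with 0xF and ends in a Luhn check digit, and EF_IMSI is a length byte followed by digits whose first nibble carries the identity-type and odd/even bits. The sample file contents, and so the ICCID and IMSI they decode to, are constructed and belong to no real card or subscriber.

```python
"""Decode EF_ICCID and EF_IMSI from raw SIM elementary-file bytes.

Added example, not from the lecture. Layouts per 3GPP TS 31.102 / 24.008:
  EF_ICCID: 10 bytes, swapped-nibble BCD (digit 1 in the low nibble),
            unused trailing nibble = 0xF; the last digit is a Luhn check digit.
  EF_IMSI:  byte 0 = number of following bytes; byte 1 low nibble holds the
            identity type (001 = IMSI) in bits 1-3 and the odd/even flag in
            bit 4, high nibble = first digit; remaining bytes are swapped BCD.
The sample contents below are constructed for the demo.
"""

SAMPLE_EF_ICCID = bytes.fromhex("981300000000000000F8")  # constructed
SAMPLE_EF_IMSI = bytes.fromhex("080910101032547698")     # constructed


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a digit string; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def swapped_bcd_to_digits(data: bytes) -> str:
    """Read nibbles low-first from each byte; stop at the 0xF filler nibble."""
    out = []
    for b in data:
        for nibble in (b & 0x0F, b >> 4):
            if nibble == 0x0F:
                return "".join(out)
            if nibble > 9:
                raise ValueError(f"non-BCD nibble {nibble:#x}")
            out.append(str(nibble))
    return "".join(out)


def decode_iccid(ef_iccid: bytes) -> str:
    if len(ef_iccid) != 10:
        raise ValueError("EF_ICCID must be 10 bytes")
    iccid = swapped_bcd_to_digits(ef_iccid)
    # A failed Luhn check means a misread card, wrong file, or tampered dump.
    if not 18 <= len(iccid) <= 20 or not luhn_valid(iccid):
        raise ValueError("ICCID length or Luhn check digit is wrong")
    return iccid


def decode_imsi(ef_imsi: bytes) -> str:
    length = ef_imsi[0]
    body = ef_imsi[1:1 + length]
    if not 1 <= length <= 8 or len(body) != length:
        raise ValueError("bad EF_IMSI length byte")
    first = body[0]
    if first & 0x07 != 0x01:
        raise ValueError("identity type is not IMSI")
    odd_flag = bool(first & 0x08)
    if first >> 4 > 9:
        raise ValueError("non-BCD first digit")
    imsi = str(first >> 4) + swapped_bcd_to_digits(body[1:])
    if len(imsi) > 15:
        raise ValueError("IMSI longer than 15 digits")
    if odd_flag != (len(imsi) % 2 == 1):
        raise ValueError("odd/even flag disagrees with the digit count")
    return imsi


def split_imsi(imsi: str) -> dict:
    """MCC is always 3 digits; the MNC is 2 or 3 digits depending on the country,
    so both readings are returned for the examiner to resolve against the MCC table."""
    return {"mcc": imsi[:3], "mnc_if_2_digits": imsi[3:5], "mnc_if_3_digits": imsi[3:6]}


if __name__ == "__main__":
    print("ICCID:", decode_iccid(SAMPLE_EF_ICCID))
    imsi = decode_imsi(SAMPLE_EF_IMSI)
    print("IMSI: ", imsi, split_imsi(imsi))
```

A decoder that validates the Luhn digit and the odd/even flag catches the two common mistakes when a card is read by hand: nibbles read in the wrong order, and the length or parity header byte mistaken for a digit.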

Introduction to mobile devices forensics
3. Mobile phone handset with internal memory storage
iPhone / iPad
   iPhone 4: can perform physical extraction, and parsing of the data with third-party software such as Internet Evidence Finder
   iPhone 4S and above: logical extraction of contacts, call logs, SMS, iMessage and pictures

Introduction to mobile devices forensics
4. Mobile phone handset with internal memory storage
Android mobile devices
   Logical extraction: call logs, pictures, contacts, chats, email
   Physical extraction: call logs, pictures, contacts, chats, email, including deleted data
   Further examination can be performed with forensics tools such as EnCase

Introduction to mobile devices forensics
• So what is mobile devices forensics?
• Mobile forensics: mobile devices are always updating themselves
• Difficult to obtain a bit-for-bit image
• An agent may need to be uploaded onto the device, which itself changes the device
• Risk of a remote wipe while the device is still on a network (isolate it from the network first)
• Is the process repeatable? Not always:
• Nokia mobile phone: date and time settings and call logs lost
• BlackBerry: kept emails only for the past number of days
• Password / passcode protected
• How is computer forensics different from mobile forensics?

Summary
• Computer forensics applies forensic procedures to digital evidence
• To be a successful computer forensics investigator, you must know more than one computing platform
• Public and private computer investigations are different
