Category of Digital Evidence
• Hardware
• Software
• Data
• Programs
10/28/2020 1
Digital Evidence
• Definition
• Digital data that can establish that a crime has been committed or can provide a link between a crime and its victim or a crime and its perpetrator.
(Source: Casey, Eoghan, 2000, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, Academic Press.)
• Categories
• Text
• Audio
• Image
• Video
Where Evidence Resides
• Computer systems
• Logical file system
• File system
• Files, directories and folders, FAT, Clusters, Partitions, Sectors
• Random Access memory
• Physical storage media
• Magnetic force microscopy can be used to recover data from overwritten areas.
• Slack space
• Space allocated to a file but not actually used, due to internal fragmentation.
• Unallocated space
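The slack-space and unallocated-space points above are easiest to see on a toy volume. The following Python model is an added example and not part of the slides: it divides a byte array into fixed-size clusters the way a FAT-style file system does, writes a file, deletes it (directory entry only, as a normal delete does), and then writes a smaller file over part of the same clusters. The cluster size, volume size and file contents are constructed for illustration.

```python
"""Toy cluster-based volume showing slack space and unallocated space.

Added example (not from the lecture slides). The cluster size, the
volume size and the two file contents are constructed for illustration;
the layout is a simplified FAT-like model, not a real on-disk format.
"""


class Volume:
    """A flat byte array divided into fixed-size clusters plus a directory."""

    def __init__(self, cluster_size=16, num_clusters=8):
        self.cluster_size = cluster_size
        self.num_clusters = num_clusters
        self.data = bytearray(cluster_size * num_clusters)
        # name -> (logical size in bytes, list of cluster indexes)
        self.directory = {}

    def _free_clusters(self):
        used = {c for _, chain in self.directory.values() for c in chain}
        return [c for c in range(self.num_clusters) if c not in used]

    def _cluster(self, c):
        return slice(c * self.cluster_size, (c + 1) * self.cluster_size)

    def write_file(self, name, content):
        """Allocate whole clusters and copy the content in. Bytes between
        the logical end of file and the end of the last cluster are left
        untouched: that region is the file's slack space."""
        needed = -(-len(content) // self.cluster_size)  # ceiling division
        free = self._free_clusters()
        if needed > len(free):
            raise OSError("volume full")
        chain = free[:needed]
        for i, c in enumerate(chain):
            chunk = content[i * self.cluster_size:(i + 1) * self.cluster_size]
            start = c * self.cluster_size
            self.data[start:start + len(chunk)] = chunk
        self.directory[name] = (len(content), chain)

    def delete_file(self, name):
        """Like a normal delete: drop the directory entry, keep the bytes."""
        del self.directory[name]

    def slack_bytes(self, name):
        """Allocated minus used: the internal fragmentation of the file."""
        size, chain = self.directory[name]
        return len(chain) * self.cluster_size - size

    def read_slack(self, name):
        """Bytes in the last cluster beyond the logical end of file."""
        size, chain = self.directory[name]
        last = chain[-1]
        used_in_last = size - (len(chain) - 1) * self.cluster_size
        start = last * self.cluster_size + used_in_last
        return bytes(self.data[start:(last + 1) * self.cluster_size])

    def read_unallocated(self):
        """Concatenated contents of clusters no directory entry points to."""
        return b"".join(bytes(self.data[self._cluster(c)])
                        for c in self._free_clusters())


# Constructed sample data: an older file is written, deleted, and partly
# overwritten by a smaller one; residue of the old file survives in the
# new file's slack and in the unallocated clusters.
OLD_FILE = b"ledger entry: transfer 4,500 to acct 7781"   # 41 bytes -> 3 clusters
NEW_FILE = b"shopping list: milk"                         # 19 bytes -> 2 clusters


def run_demo():
    vol = Volume(cluster_size=16, num_clusters=8)
    vol.write_file("ledger.txt", OLD_FILE)
    vol.delete_file("ledger.txt")
    vol.write_file("list.txt", NEW_FILE)
    return {
        "slack_len": vol.slack_bytes("list.txt"),
        "slack": vol.read_slack("list.txt"),
        "unallocated": vol.read_unallocated(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

With a 16-byte cluster, the 19-byte file occupies two clusters and leaves 13 bytes of slack, which still hold the middle of the deleted ledger line; the rest of the old file sits in a cluster that no directory entry references, which is exactly what an examiner carves out of unallocated space. A logical copy of `list.txt` would never show either region, which is why forensic acquisition images the whole medium rather than copying files.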
Where Evidence Resides (continued)
• Computer networks.
• Application Layer
• Transport Layer
• Network Layer
• Data Link Layer
Evidence on Application Layer
• Web pages, Online documents.
• E-Mail messages.
• News group archives.
• Archive files.
• Chat room archives.
•…
Evidence on Transport and Network Layers
Evidence on the Data-link and Physical Layers
Challenges of Computer Forensics
• A microcomputer may have 60 GB or more of storage capacity.
• More than 2.2 billion messages are expected to be sent and received per day (in the US).
• There are more than 3 billion indexed Web pages worldwide.
• There are more than 550 billion documents online.
• Exabytes of data are stored on tape or hard drives.
(Source: Marcella, Albert, et al., 2002, Cyber Forensics.)
Challenges of Computer Forensics (continued)
• How to collect the specific, probative, and case-related information from very large groups of files?
• Link analysis
• Visualization
• Enabling techniques for lead discovery from very large groups of files:
• Text mining
• Data mining
• Intelligent information retrieval
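The list above names link analysis and information retrieval as the techniques for finding case-related material in a large file set. The Python below is an added example, not from the slides, showing the two in their simplest form: an inverted index for keyword triage, and a co-occurrence graph over e-mail addresses that turns one known identity into a list of files worth reading next. The four documents and all addresses in them are constructed.

```python
"""Keyword search and link analysis over a small constructed document set.

Added example, not from the lecture slides. The four documents and the
e-mail addresses in them are constructed; nothing here refers to a real
case or a real mailbox.
"""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample "seized" files: two messages, a note and one unrelated file.
DOCS = {
    "mail_001.eml": ("From: alice@example.org\nTo: bob@example.net\nSubject: ledger\n"
                     "Please review the ledger before Friday."),
    "mail_002.eml": ("From: bob@example.net\nTo: carol@example.com\nSubject: Fwd: ledger\n"
                     "Forwarding the ledger, spreadsheet attached."),
    "notes.txt": "Reminder: carol@example.com still needs the invoice numbers.",
    "readme.txt": "Installation notes for the accounting package.",
}

TOKEN = re.compile(r"[a-z0-9]+")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def build_index(docs):
    """Inverted index: term -> set of file names containing it."""
    index = defaultdict(set)
    for name, text in docs.items():
        for tok in TOKEN.findall(text.lower()):
            index[tok].add(name)
    return index


def search(index, query):
    """AND query: files that contain every term of the query."""
    terms = TOKEN.findall(query.lower())
    if not terms:
        return set()
    hits = set(index.get(terms[0], ()))
    for term in terms[1:]:
        hits &= index.get(term, set())
    return hits


def extract_identities(docs):
    """file name -> set of e-mail addresses found in it."""
    return {name: set(EMAIL.findall(text)) for name, text in docs.items()}


def link_graph(identities):
    """Co-occurrence graph: edge (a, b) -> number of files naming both."""
    edges = defaultdict(int)
    for addrs in identities.values():
        for a, b in combinations(sorted(addrs), 2):
            edges[(a, b)] += 1
    return dict(edges)


def neighbors(graph, node):
    """Identities that share at least one file with the given node."""
    return {b if a == node else a for (a, b) in graph if node in (a, b)}


def leads_for(seed, identities, graph):
    """Files that name the seed identity or any identity linked to it."""
    wanted = {seed} | neighbors(graph, seed)
    return sorted(name for name, addrs in identities.items() if addrs & wanted)


if __name__ == "__main__":
    index = build_index(DOCS)
    ids = extract_identities(DOCS)
    graph = link_graph(ids)
    print("files mentioning 'ledger':", sorted(search(index, "ledger")))
    print("links:", graph)
    print("leads from bob@example.net:", leads_for("bob@example.net", ids, graph))
```

On real evidence the index would be built over the extracted text of every file on the image (including carved and slack content), and the entity extractor would cover phone numbers, account numbers and file hashes as well as addresses; the graph and the lead list work the same way, and the visualization step on the slide is just this graph drawn for the investigator.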
Challenges of Computer Forensics (continued)
• Computer forensics must also adapt quickly to new products and innovations with valid and reliable examination and analysis techniques.
Ongoing Research Projects
• Search engine techniques for finding Web pages that contain illegal content.
• Malicious program feature extraction and detection using data mining techniques.
References
• Bickers, Charles, 2001, "Cyberwar: Combat on the Web", Far Eastern Economic Review.
• Casey, Eoghan, 2000, Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, Academic Press.
• Casey, Eoghan, 2002, Handbook of Computer Crime Investigation, Academic Press.
• Kovacich, G. L., and W. C. Boni, 2000, High-Technology Crime Investigator's Handbook, Butterworth Heinemann.
• Lane, C., 1997, Naked in Cyberspace: How to Find Personal Information Online, Wilton, CT: Pemberton Press.
• Marcella, A. J., and R. S. Greenfield, 2002, Cyber Forensics, Auerbach Publications.
• Rivest, R., 1992, "Request for Comments: 1321 (The MD5 Message-Digest Algorithm)", MIT Laboratory for Computer Science and RSA Data Security, Inc.
• Saferstein, Richard, 1981, Criminalistics: An Introduction to Forensic Science, 2nd edition, Prentice Hall.
• Kruse II, Warren G., and Jay G. Heiser, 2002, Computer Forensics: Incident Response Essentials, Addison Wesley.
Cybertrail and Crime Scene
[Figure: the cybertrail linking the crime scene, the network, and the evidence.]
Cyberwar or Information Warfare
• Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over military or business adversaries. (Ivan K. Goldberg)
Slack Space
Evidence Recovery from RAM on Modern Unix Systems