Digital Forensics: Computer Forensics Analysis and Validation

This document discusses topics related to computer forensics analysis and validation. It covers scope creep in investigations, basic investigation steps, situations requiring plan alterations, data validation importance and tools, and benefits of hashing. It also addresses dealing with hidden data through techniques like file encryption, steganography, and partition hiding. Recommended exercises include studying encryption algorithms, BitLocker, steganography, and validation tools.


Digital Forensics

Module 5
Computer Forensics Analysis and Validation

Dr. Nagaraj S V & Prof Seshu Babu Pulagara, VIT Chennai

Scope creep
• Scope creep happens when an investigation expands beyond its original description
• It occurs when unanticipated evidence is found
• It may also be caused by attorneys asking the investigators to explore further
• It increases the time and effort required
• In criminal cases a more detailed examination is often needed before trial

Exercise
• List the basic steps to be taken for all digital forensics investigations.
Hints:
Use formatted disks/media that are free of malware
Observe the state of the impounded computer
Make a list of the hardware on the suspect’s computer
Work on the drive’s contents in an orderly fashion, according to logical reasoning, etc.

• Give examples of situations where it may be necessary to alter and/or fine-tune an investigation plan
• Explain the importance of validating forensic data. Mention the tools that can be used for this purpose
• List the benefits of hashing for digital forensics

Dealing with hidden data
• Cyber criminals often try to hide data
• Common techniques include:
1. Altering file extensions
2. Setting up password protection for files
3. Using encryption
4. Using steganography
5. Setting file attributes to hidden
6. Hiding entire disk partitions
7. Shifting bits

• File header and footer information (the file signature) helps in determining a file’s actual type, and hence its correct extension, when the extension has been altered
• The Windows diskpart remove letter command can be used to hide disk partitions by removing their drive letter
• The diskpart assign letter command can reverse the above process
• There are many tools for partitioning disks, e.g. Partition Magic, Partition Master, and the Linux Grand Unified Bootloader (GRUB)
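As an added illustration (not part of these slides), the following Python script applies the header/footer idea: it compares each file’s claimed extension with the signature found in its first and last bytes, flags mismatches and truncated files, and records a SHA-256 hash of each file for later validation. The signature table and the sample files are constructed here; nothing is read from disk.

```python
import hashlib
from pathlib import Path
from typing import Optional

# Constructed signature table: header magic and footer (trailer) magic per type.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def identify(data: bytes) -> Optional[str]:
    """Return the type whose header matches; append '?' if the footer is absent."""
    for kind, (head, tail) in SIGNATURES.items():
        if data.startswith(head):
            if data.rstrip(b"\r\n").endswith(tail):
                return kind
            return kind + "?"   # header found but trailer missing: truncated or altered
    return None

def check_file(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the detected type and hash the content."""
    ext = Path(name).suffix.lower().lstrip(".")
    ext = {"jpeg": "jpg"}.get(ext, ext)          # normalise a common alias
    kind = identify(data)
    base = kind.rstrip("?") if kind else None
    return {
        "name": name,
        "claimed": ext,
        "detected": kind,
        "mismatch": base is not None and base != ext,
        "truncated": kind is not None and kind.endswith("?"),
        "sha256": hashlib.sha256(data).hexdigest(),  # recorded for later validation
    }

# Constructed sample "files": bytes only, built inline for the demonstration.
SAMPLES = {
    "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9",  # JPEG renamed to .txt
    "report.pdf": b"%PDF-1.4\n1 0 obj ... endobj\n%%EOF\n",
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,                # JPEG with no trailer
    "readme.txt": b"plain text with no known signature",
}

def scan(samples: dict) -> list:
    return [check_file(name, data) for name, data in samples.items()]

if __name__ == "__main__":
    for r in scan(SAMPLES):
        print(r["name"], r["claimed"], r["detected"], r["mismatch"], r["truncated"])
```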

• Accounting for all disk space when analyzing an evidence drive can help detect hidden partitions
• Analyzing disk areas containing space that is not reported by the operating system can also help detect hidden partitions
• A data-hiding technique used in FAT file systems is placing secret or incriminating data in the free or slack space of disk partition clusters
• Good clusters can be marked as bad clusters so that the file system treats them as unusable and leaves the data stored in them untouched

• Encrypted files are hard to work with unless passwords, passphrases or key escrows are available
• Key escrow is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.

Exercise
• Study some encryption algorithms
• Read about BitLocker, a full-volume encryption feature included with some editions of Microsoft Windows
https://en.wikipedia.org/wiki/BitLocker
• Study the Encrypting File System (EFS)
https://en.wikipedia.org/wiki/Encrypting_File_System
• Explore steganography https://en.wikipedia.org/wiki/Steganography

• Explore how tools such as OSForensics can be used to perform forensic analysis on various file systems
• Explore the use of hexadecimal editors for validation
https://en.wikipedia.org/wiki/Hex_editor
• Explore how tools can be used to perform validation
• Explore how to deal with data hidden using steganography

References
• Nelson, Amelia Phillips, Christopher Steuart, “Guide to Computer Forensics and Investigations”, Fifth Edition, 2015
• Wikipedia
