Lecture 01 - Fundamentals of Digital Forensics

The document discusses the fundamentals of digital forensics. It defines computer forensics as the preservation, identification, extraction, and documentation of digital evidence from computing devices according to standard procedures that ensure the evidence is acceptable in a court of law. The document provides a brief history of the field from the 1970s to the early 1990s and the development of early forensic tools. It also outlines the key steps involved in a forensic investigation, from initial response to seizing evidence to analyzing, reporting, and potentially testifying in court.

IE4062 - Cyber Forensic and Incident Response

Lecture – 01
Fundamentals of Digital Forensics
Mr. Amila Senarathne
Forensic Science
“Application of physical sciences to law in the search for truth in civil, criminal and social
behavioral matters to the end that injustice shall not be done to any member of society.”

(Source: Handbook of Forensic Pathology, College of American Pathologists, 1990)

• Why Forensic Science?
  – To determine the evidential value of a crime scene and related evidence.

IE4062 | Cyber Forensic and Incident Response | Lecture 01 | Amila Senarathne 2


Definition of Computer Forensics
“A methodical series of techniques and procedures for
gathering evidence, from computing equipment and various
storage devices and digital media, that can be presented in a
court of law in a coherent and meaningful format.”
- Dr. H.B. Wolfe



Definition of Computer Forensics
“The preservation, identification, extraction, interpretation, and
documentation of computer evidence, to include the rules of
evidence, legal processes, integrity of evidence, factual
reporting of the information found, and providing expert
opinion in a court of law or other legal and/or administrative
proceeding as to what was found.”
- CSI



Definition of Computer Forensics
• "Forensic Computing is the science of capturing, processing
and investigating data from computers using a methodology
whereby any evidence discovered is acceptable in a Court of
Law."



Who needs Computer Forensics?
• The Victim
• Law Enforcement
• Insurance Carriers
• Ultimately the Legal System



Victims
• Private Business
• Government
• Private Individuals



Reasons for a Forensic Analysis
• Identify the perpetrator.
• Identify the method or vulnerability in the network that allowed the
perpetrator to gain access to the system.
• Conduct a damage assessment of the victimized network.
• Preserve the evidence for judicial action.



A Brief History of Computer Forensics
• By the 1970s, electronic crimes were increasing, especially in the
financial sector
  – Most law enforcement officers didn't know enough about computers to ask the
right questions, or to preserve evidence for trial
• 1980s
  – PCs gained popularity and different OSs emerged
  – Disk Operating System (DOS) was available
  – Forensics tools were simple, and most were generated by government
agencies



A Brief History of Computer Forensics
• Mid-1980s
  – Xtree Gold appeared on the market
    • Recognized file types and retrieved lost or deleted files
  – Norton DiskEdit soon followed
    • And became the best tool for finding deleted files
• 1987
  – Apple produced the Mac SE
    • A Macintosh with an external EasyDrive hard disk with 60 MB of storage




A Brief History of Computer Forensics
• Early 1990s
  – Tools for computer forensics were available
  – International Association of Computer Investigative
Specialists (IACIS)
    • Training on software for forensics investigations
  – IRS created search-warrant programs
  – ExpertWitness for the Macintosh
    • First commercial GUI software for computer forensics
    • Created by ASR Data



A Brief History of Computer Forensics
• Early 1990s (continued)
  – ExpertWitness for the Macintosh
    • Recovers deleted files and fragments of deleted files
  – Large hard disks posed problems for investigators
  – Other software
    • iLook
    • AccessData Forensic Toolkit (FTK)



Preparing for Computer Investigations
• Computer investigations and forensics fall into two distinct categories
  – Public investigations
  – Private or corporate investigations

• Public investigations
  – Involve government agencies responsible for criminal investigations and
prosecution
  – Organizations must observe legal guidelines
    • Law of search and seizure
      – Protects the rights of all people, including suspects



Preparing for Computer Investigations (continued)
• Private or corporate investigations
  – Deal with private companies, non-law-enforcement government
agencies, and lawyers
  – Aren't governed directly by criminal law
  – Governed by internal policies that define expected employee
behavior and conduct in the workplace
• Private corporate investigations also involve litigation
disputes
• Investigations are usually conducted in civil cases



Digital Forensics
The use of scientifically derived and proven methods towards
• Preserving
• Collecting
• Confirming
• Identifying
• Analyzing
• Recording
• Presenting
digital evidence extracted from digital sources.

(Source: adapted from the DFRWS 2001 definition of digital forensic science)



Key Steps in Forensic Investigations
Step 1: Computer crime is suspected
Step 2: Collect preliminary evidence
Step 3: Obtain a court warrant for seizure (if required)
Step 4: Perform first-responder procedures
Step 5: Seize evidence at the crime scene
Step 6: Transport it to the forensic laboratory
Step 7: Create two bit-stream copies of the evidence
Step 8: Generate an MD5 checksum of each image (in current practice a
SHA-256 digest is recorded alongside it, since MD5 collisions are practical)



Key Steps in Forensic Investigations
Step 9: Prepare the chain of custody
Step 10: Store the original evidence in a secure location
Step 11: Analyze the image copy for evidence
Step 12: Prepare a forensic report
Step 13: Submit the report to the client
Step 14: If required, attend court and testify as an expert witness
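Steps 7 to 11 above (two bit-stream copies, checksums, chain of custody, original set aside, analysis on the copies) as one runnable shell routine. This is an added example and not part of the lecture: it assumes a Linux host with coreutils (dd, md5sum, sha256sum, mktemp, date) and that the source device has already been attached behind a hardware write blocker; the case-directory layout, the function names and the custody-record format are this example's own assumptions, not any standard. MD5 is kept because the lecture names it, and SHA-256 is recorded next to it because MD5 collisions are practical and opposing counsel can be expected to ask about it.

```shell
#!/bin/sh
# Added example, not from the lecture: acquisition with verification and a
# chain-of-custody log. Assumed layout: CASEDIR/image-1.dd, CASEDIR/image-2.dd,
# CASEDIR/custody.log.
set -u

# hash_file FILE ALGO  -> prints only the digest (ALGO is md5 or sha256)
hash_file() {
    "${2}sum" < "$1" | cut -d' ' -f1
}

# image_source SOURCE IMAGE  -> bit-stream copy in 512-byte sector blocks.
# conv=noerror,sync keeps reading past an unreadable sector and pads it with
# NULs, so every later offset in the image still lines up with the device;
# without it one bad sector aborts the copy or shifts everything after it.
# conv=sync also pads a final partial block, so SOURCE must be a whole number
# of sectors (true for real devices; the demo below constructs one).
image_source() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# verify_image IMAGE EXPECTED_MD5 EXPECTED_SHA256  -> exit 0 only if both match
verify_image() {
    [ "$(hash_file "$1" md5)" = "$2" ] && [ "$(hash_file "$1" sha256)" = "$3" ]
}

# acquire SOURCE CASEDIR EXAMINER
# Digests SOURCE before any copy is made, writes two images, verifies each
# against the source digests and appends one custody record per event to
# CASEDIR/custody.log. Returns non-zero if any image fails verification.
acquire() {
    src="$1"; casedir="$2"; examiner="$3"
    mkdir -p "$casedir"
    # The source digest is taken first; every later comparison refers to it.
    src_md5=$(hash_file "$src" md5)
    src_sha=$(hash_file "$src" sha256)
    printf '%s ACQUIRED source=%s md5=%s sha256=%s by=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$src_md5" "$src_sha" "$examiner" \
        >> "$casedir/custody.log"
    rc=0
    for n in 1 2; do
        img="$casedir/image-$n.dd"
        image_source "$src" "$img"
        if verify_image "$img" "$src_md5" "$src_sha"; then
            status=VERIFIED
        else
            status=MISMATCH
            rc=1
        fi
        printf '%s %s image=%s md5=%s by=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            "$status" "$img" "$(hash_file "$img" md5)" "$examiner" \
            >> "$casedir/custody.log"
    done
    # From here the original goes to secure storage (step 10) and all analysis
    # is done on the verified images (step 11).
    return $rc
}

# demo: a constructed 4-sector "device" (sample data, not real evidence) is
# acquired into a temporary case directory and the custody log is printed.
demo() {
    work=$(mktemp -d)
    yes "constructed evidence sector" | head -c 2048 > "$work/disk.img"
    acquire "$work/disk.img" "$work/case" "examiner-01"
    cat "$work/case/custody.log"
}

demo
```

Run it as `sh acquire.sh`; the log shows one ACQUIRED record with the source digests followed by one VERIFIED record per image. If any image line reads MISMATCH the routine exits non-zero, and that image must not be analysed: re-image rather than proceed, because a copy whose digest differs from the original cannot be defended as a faithful copy later.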

