
Digital Forensics - An Intro

Electronic evidence is a component of almost all criminal activities and digital forensics support is crucial for law enforcement investigations.

Uploaded by Bodhe Abhijit

Course Objectives

1. To emphasize the fundamentals and importance of digital forensics.
2. To learn different techniques and procedures that enable students to perform a digital investigation.
3. To conduct a digital investigation in an organized and systematic way.
4. To learn open-source forensics tools to perform digital investigation and understand the underlying theory behind these tools.
5. To emphasize theoretical and practical knowledge, as well as current research on digital forensics.
6. To learn programming for computer forensics.

DEPARTMENT OF COMPUTER ENGINEERING, Sanjivani COE, Kopargaon 1


Course Outcomes
On completion of the course, students will be able to:
1. Understand basic software and hardware requirements for digital forensics.
2. Describe the representation and organization of data and metadata within modern computer systems.
3. Understand the trade-offs and differences between various forensic tools.
4. Analyze network-based evidence and mobile network forensics.
5. Investigate software reverse engineering.
6. Demonstrate forensics of handheld devices.



Books to Refer
• 1. Digital Forensics with Open Source Tools. Cory Altheide and Harlan Carvey, ISBN: 978-1-59749-586-8, Elsevier, April 2011.
• 2. Guide to Computer Forensics and Investigations (4th edition). B. Nelson, A. Phillips, F. Enfinger, C. Steuart. ISBN 0-619-21706-5, Thomson, 2009.
• 3. Computer Forensics and Cyber Crime: An Introduction (3rd edition). Marjie T. Britz, 2013.
• 4. File System Forensic Analysis. Brian Carrier. Addison-Wesley Professional, March 27, 2005.
• 5. NIST Computer Forensic Tool Testing Program (www.cftt.nist.gov/)
• 6. Computer Forensics: Investigating Data and Image Files (EC-Council Press Series: Computer Forensics).



Roadmap
Unit 1: Introduction to Digital Forensics
Unit 2: Data Recovery and Digital Evidence Controls
Unit 3: Computer Forensics Analysis and Validation
Unit 4: Network Forensics
Unit 5: Software Reverse Engineering
Unit 6: Computer Crime and Legal Issues



Unit 1: Introduction to Digital Forensics

• Digital Forensics: Definition, Process
• Locard’s Principle of Exchange
• Branches of Digital Forensics
• Handling Digital Crime Scene
• Important Documents and Electronic Evidence
• Introduction to Evidence Acquisition: Identification, Acquisition, Labeling and Packaging, Transportation, Chain of Custody
• Structure of storage media/devices: Windows/Macintosh/Linux -- registry, boot process, file systems, file metadata



Unit 2: Data Recovery and Digital Evidence Controls
• Data recovery: identifying hidden data, encryption/decryption, steganography, recovering deleted files.
• Digital evidence controls: uncovering attacks that evade detection by Event Viewer, Task Manager, and other Windows GUI tools.
• Data acquisition, disk imaging, recovering swap files, temporary and cache files.
• Data privacy, data privacy usages, data privacy usage tools.



Unit 3: Computer Forensics Analysis and Validation
• Computer forensics analysis and validation: determining what data to collect and analyze, validating forensic data, addressing data-hiding techniques.
• Network forensics: network forensics overview, performing live acquisitions, developing standard procedures for network forensics, using network tools, examining the Honeynet Project.
• Computer forensic tools (case study): EnCase, Helix, FTK, Autopsy, Sleuth Kit Forensic Browser, FIRE, Foundstone Forensic Toolkit, WinHex, Linux dd and other open-source tools.



Unit 4: Network Forensics
• Network forensics: collecting and analyzing network-based evidence, reconstructing web browsing, e-mail activity, and Windows registry changes, intrusion detection, tracking offenders.
• Mobile network forensics: introduction, mobile network technology, investigations, collecting evidence, where to seek digital data for further investigations, interpretation of digital evidence on mobile networks.



Unit 5: Software Reverse Engineering
• Software reverse engineering: defending against software targets for viruses, worms and other malware; improving third-party software libraries; identifying hostile code (buffer overflow); provision of unexpected inputs.



Unit 6: Computer Crime and Legal Issues
• Computer crime and legal issues: intellectual property, privacy issues.
• Criminal justice system for forensics: audit/investigative situations and digital crime procedures/standards for extraction, preservation, and deposition of legal evidence in a court of law.





Sanjivani Rural Education Society’s
Sanjivani College of Engineering, Kopargaon-423 603
(An Autonomous Institute, Affiliated to Savitribai Phule Pune University, Pune)
NAAC ‘A’ Grade Accredited, ISO 9001:2015 Certified

Department of Computer Engineering (NBA Accredited)

Subject: Digital Forensics (DF) [CO 315A]

Unit 1: Introduction to Digital Forensics

Prof. Abhijit S. Bodhe
Assistant Professor, Department of Computer Engineering
E-mail: [email protected]
Contact No: 7709 340 570


Digital Forensics: Definition
• Digital forensics is defined as the process of preservation, identification, extraction, and documentation of computer evidence which can be used by a court of law.
• It is the science of finding evidence from digital media such as a computer, mobile phone, server, or network.
• Digital forensics helps the forensic team analyze, inspect, identify, and preserve the digital evidence residing on various types of electronic devices.

• https://www.guru99.com/digital-forensics.html



Digital Forensics: A Process
• Digital forensics entails the following steps:
1. Identification
2. Preservation
3. Analysis
4. Documentation
5. Presentation



Locard’s Principle of Exchange
• Locard's Exchange Principle in forensic science holds that the “perpetrator of a crime will bring something to the crime scene and will leave with something from it.”
• Perpetrator: a person who commits a crime.
• This principle is one of the founding concepts in forensics.
• The basic principle is that “every contact leaves a trace”. Thus no perpetrator can leave the scene without leaving a trace. Fingerprints, gunshot residue or any other relevant material, including digital media, can be the main evidence, left behind involuntarily or by mistake at the crime scene.



Branches of Digital Forensics
• Digital forensics is concerned with data from computers and also from other digital devices such as tablets, smartphones, flash drives, and even cloud computing.
• We can break digital forensics into five branches:
1. Computer forensics
2. Mobile device forensics
3. Network forensics
4. Forensic data analysis
5. Database forensics

• https://www.upguard.com/blog/digital-forensics
Computer Forensics
• It is a branch of digital forensics concerned with evidence found in
computers and digital storage media.
• The goal of computer forensics is to examine digital data with the aim
of identifying, preserving, recovering, analyzing and presenting facts
and opinions about the digital information.
• It is used in both computer crime and civil proceedings.
• The discipline has similar techniques and principles to data recovery,
with additional guidelines and practices designed to create a legal
audit trail with a clear chain of custody.
• Evidence from computer forensics investigations is subjected to the
same guidelines and practices as other digital evidence.
Mobile Device Forensics
• Mobile device forensics is a branch of digital forensics focused on the recovery of digital evidence from mobile devices using forensically sound methods.
• It can relate to any device that has internal memory and communication ability, including PDA devices, GPS devices, and tablets.
• The growing need for mobile device forensics is driven by the use of mobile phones to store and transmit personal and corporate information, and the use of mobiles in online financial transactions.
• Mobile device forensics is particularly challenging due to storage capacity growth and rapid changes/updates in mobile phone operating systems, data storage, services, peripherals, and even pin connectors and cables.



Network Forensics
• Focused on monitoring and analyzing computer network traffic for information gathering, legal evidence, or intrusion detection.
• Unlike other branches of digital forensics, network data is volatile and dynamic. Once transmitted, it is gone, so network forensics is often a proactive investigation.
• Network forensics has two general uses/aims:
1. Monitoring a network for anomalous traffic and identifying intrusions.
2. Law enforcement may analyze captured network traffic as part of criminal investigations.



Forensic Data Analysis
• Forensic data analysis (FDA) is a branch of digital forensics that examines structured data in regard to incidents of financial crime.
• The aim is to discover and analyze patterns of fraudulent activities. Structured data is data from application systems or their databases.
• This can be contrasted with unstructured data, which is taken from communication, office applications, and mobile devices.
• Unstructured data has no overarching structure; analysis therefore means applying keywords or mapping patterns.
• Analysis of unstructured data is usually done at a higher level by advanced computer forensics or mobile device forensics experts.



Database Forensics
• Database forensics is a branch of digital forensics related to databases and
their related metadata.
• The cached information may also exist in a server's RAM requiring live
analysis techniques.
• A forensic examination of a database may relate to timestamps that apply
to the update time of a row in a relational database that is being inspected
and tested for validity to verify the actions of a database user.
• Alternatively, it may focus on identifying transactions within a database
or application that indicate evidence of wrongdoing, such as fraud.



Jobs Available in Digital Forensics
• Jobs in digital forensics have titles like investigator, technician, or analyst depending on specialization and seniority, with the majority of jobs in the public sector such as law enforcement, state or national agencies, or crime labs.
• Prevent and identify the causes of cyber attacks like malware, ransomware like WannaCry, or social engineering attacks like social media phishing.
• Help with vendor risk management and third-party risk management, including third-party risk and even extended fourth-party risk.



Handling Digital Crime Scene / Collecting Digital Evidence (5 points)

1. Maintain a well-documented chain of custody. The chain of custody verifies that evidence is authentic and was seized at the crime scene. Every point of movement and location of the evidence must be recorded, from the moment of discovery and recovery to analysis. Each investigator or person responsible for collecting evidence must complete the labels of the sample container/bags and the chain of custody forms to enable tracking of the sample.
2. Understand how to preserve evidence from different devices. Procedures for evidence collection from digital devices may vary. The steps you take to preserve data on a mobile device will be different from those on a computer or other data storage devices.



3. Do not alter the original data collected. Obtaining copies of the original data ensures that you are preserving any valuable metadata. Metadata includes information such as author, file size, the date data was created, and keywords. Other valuable metadata may include how files were accessed, shutdowns or commands, and whether copies were created.
4. Select an extraction method. The choice of extraction method may vary with the amount of time that you have to retrieve the data or what data you are trying to retrieve. Logical extraction involves communication between the extraction tool and the device using its own program. Live data can be acquired, such as messages, call logs, contacts, passwords to social media, photos and videos, and data from apps. Physical extraction involves making a bit-by-bit copy of the data contained on a device, including any files that were hidden or deleted.



5. Be equipped with the right digital forensic software tools. Time is of the essence for many cases. Abilities such as previewing and screenshotting will give you a better idea of which devices to focus on or possibly submit to a lab for further analysis. Know the strengths and limitations of your software to get the most out of it when you arrive on the scene.



Important Documents and Electronic Evidence
• Important documents in digital forensics: Documentation is a continuous process throughout the investigation. It is important to precisely record the location and status of computers, storage media, other electronic devices, and traditional evidence, although there are overlaps and similarities between digital and physical forensic investigation.
• Electronic evidence: The various categories of electronic evidence, such as CD, DVD, hard disk/memory card data, website data, social network communication, e-mail, instant chat messages, SMS/MMS and computer-generated documents, pose unique problems and challenges for proper authentication and are subject to a different set of views.
Introduction to Evidence Acquisition
• Evidence acquisition is concerned with the collection of evidence from digital devices for subsequent analysis and presentation.
• It is extremely important that the digital evidence is collected in a forensically sound manner using acquisition tools that do not affect the integrity of the evidence.
• The steps involved are: 1. Identification, 2. Acquisition, 3. Labelling and Packaging, 4. Transportation, 5. Chain of Custody of evidence.



1.Identification
• In the identification phase, preliminary information is obtained about
the cybercrime case prior to collecting digital evidence.
• The investigator seeks to answer the following basic questions:
• Who was involved?
• What happened?
• When did the cybercrime occur?
• Where did the cybercrime occur?
• How did the cybercrime occur?



2.Acquisition
• Different approaches to performing acquisition exist. The approach
taken depends on the type of digital device.
• For example, the procedure for acquiring evidence from a computer
hard drive is different from the procedure required to obtain digital
evidence from mobile devices, such as smartphones.
• The seized digital devices are considered as the primary source of
evidence.
• SWGDE (Scientific Working Group on Digital Evidence) set Best
Practices for Computer Forensic Acquisitions



3. Labelling and Packaging (Preservation)
• Evidence preservation seeks to protect digital evidence from modification.
• The integrity of digital evidence should be maintained in each phase of the handling of digital evidence (ISO/IEC 27037 process: ISO/IEC 27037 is an international standard providing guidelines).
• Digital devices should be placed in antistatic packaging such as paper bags or envelopes and cardboard boxes. Plastic should be avoided as it can convey static electricity or allow a buildup of condensation or humidity.
• Place the CSI's (crime scene investigator's) or investigator's initials, date, case name and number on the evidence container.



4. Transportation
• Improper handling/transportation of digital evidence can call into question investigators' credibility in a case.
• Computers and other devices should be handled with gloved hands and placed in anti-static packaging.
• While being transported, exposure to elements harmful to evidence should be avoided.
• The chain of custody should also be documented so it can be traced throughout the investigation.
• Mobile devices, like smartphones, are typically shut off as soon as possible to preserve the data present. If left on, remote commands to wipe a device clean could eliminate evidence from the device before you ever have a chance to examine it.



5. Chain of Custody of Evidence

• The chain of custody is "the process by which investigators preserve the crime (or incident) scene and evidence throughout the life cycle of a case."
• It includes information about who collected the evidence, where and how the evidence was collected, which individuals took possession of the evidence, and when they took possession of it.
• In the chain of custody, the names, titles, and contact information of the individuals who identified, collected, and acquired the evidence should be documented.

• https://www.unodc.org/e4j/zh/cybercrime/module-6/key-issues/handling-of-digital-evidence.html
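The two requirements above, a bit-for-bit copy that leaves the original untouched (point 3 and physical extraction in the crime-scene steps) and a chain-of-custody record of who handled which item and when, are usually tied together by hashing. The following is an added example, not code from the slides or any of the tools they name: it images a source the way dd would, hashes the source stream during the copy, independently re-hashes the image, and writes both hashes into custody records. The "drive" is a constructed byte string in a temporary file, and the case number and examiner name are placeholders.

```python
"""Constructed demo of forensically sound acquisition: copy, hash while
reading, re-hash the copy, and log the result as chain-of-custody entries."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB blocks, comparable to dd bs=1M


def file_hash(path):
    """SHA-256 of a file read in blocks (verification hash of an image)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_hash(src, dst):
    """Bit-for-bit copy of src to dst, opened read-only so the source is
    never modified. The acquisition hash is computed from the same stream
    that is written, so the source is read only once; the verification hash
    is then computed from dst independently. Returns (acq_hash, ver_hash)."""
    h_src = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h_src.update(block)
            fout.write(block)
    return h_src.hexdigest(), file_hash(dst)


def custody_entry(examiner, action, item, sha256, case_id):
    """One chain-of-custody record: who, what action, which item, when (UTC), hash."""
    return {"case": case_id, "item": item, "action": action, "examiner": examiner,
            "sha256": sha256,
            "utc": datetime.now(timezone.utc).isoformat(timespec="seconds")}


def acquire(src, dst, examiner, case_id, item, log):
    """Image src to dst and append acquisition + verification records to log."""
    acq, ver = image_and_hash(src, dst)
    ok = acq == ver
    log.append(custody_entry(examiner, "acquired", item, acq, case_id))
    log.append(custody_entry(examiner, "verified" if ok else "VERIFY FAILED",
                             item, ver, case_id))
    return ok


def verify_later(dst, log, item):
    """Re-verify an image against the hash recorded at acquisition time,
    e.g. after transport or before analysis."""
    recorded = next(e["sha256"] for e in log
                    if e["item"] == item and e["action"] == "acquired")
    return file_hash(dst) == recorded


def demo():
    """Acquire a constructed 'drive', verify it, then flip one byte of the
    image to show that re-verification catches tampering or bit rot."""
    log = []
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sdb_source.bin")          # constructed evidence
        dst = os.path.join(d, "CASE-PLACEHOLDER_item1.dd")
        with open(src, "wb") as f:
            f.write(b"MBR\x55\xAA" + bytes(range(256)) * 8192)
        ok_first = acquire(src, dst, "Examiner (placeholder)",
                           "CASE-PLACEHOLDER", "item1", log)
        ok_before = verify_later(dst, log, "item1")
        with open(dst, "r+b") as f:                      # simulate tampering
            f.seek(100)
            f.write(b"\x00")
        ok_after = verify_later(dst, log, "item1")
    return ok_first, ok_before, ok_after, log
```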



Structure of Storage Media/Devices
• Windows/Macintosh/Linux: registry, boot process, file systems, file metadata
• https://www.kernel.org/doc/html/next/filesystems/vfs.html
• https://www.baeldung.com/linux/metadata-fsck-process
• https://www.javatpoint.com/linux-file-system



Linux: Registry
• A registry, according to the Merriam-Webster dictionary, is defined as a place where official records are kept, or a book or system for keeping an official record of items. Registry data items can be people, e.g. volunteers, on-call nurses, people with access and functional needs.
• In Linux you have system-wide configuration files in the /etc directory, and each user has local configuration files in their home directory. These directories and config files usually begin with a '.' so they are not normally displayed when you ask the system to list your files and directories.



Linux: Registry (Docker)
• A registry is also a service for storing and accessing Docker images. Docker Hub and Docker Store are the best-known hosted registries, which you can use to store public and private images. You can also run your own registry using the open-source Docker Registry, which is a Go application in an Alpine Linux container.



Linux: Boot Process

• https://www.youtube.com/watch?app=desktop&v=XpFsMB6FoOs
Linux: File Systems
• Linux uses a hierarchical file system that is organized in a tree-like structure. The topmost directory in any Linux file system is the root directory.
• There are different types of files in a Linux file system: regular file, directory file, link file, character special file, block special file, socket file, and named pipe file.
• Linux offers many file systems such as Ext, Ext2, Ext3, Ext4, JFS, ReiserFS, XFS, btrfs, and swap.



Linux: Metadata
• Metadata summarizes basic information about data, making it easier to find, use and reuse or recreate that particular instance of data. It can be information about data or objects, including images, sounds, databases, and computer files.
• Examples of metadata in Linux:
1. Its file type, e.g., directory, link, data file
2. Timestamps like the date it was created, last accessed, and modified
3. Location on the file system
4. Size (in bytes)
5. Its physical location (i.e., the addresses of the blocks of storage containing the file’s data on a disk)
6. Ownership, including user and group IDs
7. Access permissions (i.e., read, write, and execute) and file type
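Every item in the list above except the block addresses can be read straight from the inode with a single lstat() call; the example below, added here and not taken from the slides or the linked references, collects them for a directory, a regular file and a symbolic link constructed in a temporary directory. lstat() is used rather than stat() so that a link is described as a link instead of as its target, and the only assumption is a POSIX host (the symlink step fails on a filesystem without symlink support).

```python
"""Read Linux inode metadata (the seven items listed on the slide) with os.lstat.
Constructed demo: the files examined are created in a temporary directory."""
import os
import stat
import tempfile
from datetime import datetime, timezone


def file_type(mode):
    """Map the mode's type bits to the file types named on the slides."""
    checks = [(stat.S_ISDIR, "directory"), (stat.S_ISLNK, "symbolic link"),
              (stat.S_ISREG, "regular file"), (stat.S_ISCHR, "character special"),
              (stat.S_ISBLK, "block special"), (stat.S_ISSOCK, "socket"),
              (stat.S_ISFIFO, "named pipe")]
    return next((name for test, name in checks if test(mode)), "unknown")


def ts(epoch):
    """Epoch seconds to an ISO-8601 UTC string, the form a report should use."""
    return datetime.fromtimestamp(epoch, timezone.utc).isoformat(timespec="seconds")


def inode_metadata(path):
    """Collect the slide's metadata items for one path without following links."""
    st = os.lstat(path)
    return {
        "path": path,                                   # location in the tree
        "type": file_type(st.st_mode),                  # 1. file type
        "permissions": stat.filemode(st.st_mode),       # 7. e.g. -rw-r-----
        "mode_octal": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid, "gid": st.st_gid,             # 6. ownership
        "size_bytes": st.st_size,                       # 4. size
        "inode": st.st_ino, "device": st.st_dev,        # where on disk it lives
        "links": st.st_nlink,
        # 5. physical location: stat only exposes the allocation (512-byte
        # block count); the actual block addresses need a file-system tool
        "blocks_512B": st.st_blocks,
        # 2. timestamps; on Linux st_ctime is the inode *change* time, not
        # creation time, which standard stat() does not expose
        "atime": ts(st.st_atime), "mtime": ts(st.st_mtime), "ctime": ts(st.st_ctime),
    }


def demo():
    """Build a directory, a regular file and a symlink, then describe each."""
    with tempfile.TemporaryDirectory() as d:
        f = os.path.join(d, "notes.txt")
        with open(f, "wb") as fh:
            fh.write(b"constructed sample\n")   # 19 bytes
        os.chmod(f, 0o640)
        link = os.path.join(d, "notes.lnk")
        os.symlink(f, link)
        return [inode_metadata(p) for p in (d, f, link)]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```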



Windows/Macintosh
• Windows/Macintosh:
1. Registry
2. Boot process
3. File systems
4. File metadata

Individual case studies: to be discussed in class as CIA 1 problem solving.
