Unit 1

The document provides an overview of digital forensics, detailing its processes, phases, and principles, including the importance of evidence integrity and chain of custody. It outlines the steps involved in digital investigations, from identification to presentation, emphasizing the challenges posed by the volatile nature of digital evidence. Additionally, it discusses the significance of metadata and the use of standardized forensic tools to ensure reliable evidence handling.

DIGITAL AND MOBILE FORENSICS
UNIT I
INTRODUCTION TO DIGITAL FORENSICS
Forensic Science – Digital Forensics – Digital Evidence – The Digital Forensics Process – Introduction – The Identification Phase – The Collection Phase – The Examination Phase – The Analysis Phase – The Presentation Phase – Forensics and social networking sites.
Introduction
There were almost 5.18 billion Internet users in the world as of April 2023.
The Internet is a network of networks consisting of competing and concurrent technologies with users from different organizations and countries.
Unfortunately for the investigator, the Internet was designed
for robustness and redundancy, rather than security and
traceability. This increases the complexity and uncertainty of
digital investigations and represents a formidable challenge for
digital forensics practitioners.
Forensic Science: The application of scientific methods to establish factual answers to legal
problems.
Locard’s Exchange Principle: “when a person or object comes in contact with another person or
object, a cross-transfer of materials occurs”
“Whenever two objects come into contact with one another, there is an exchange of materials
between them”
Crime Reconstruction: Crime reconstruction is the determination of the actions and events
surrounding the commission of a crime.
Investigations: An investigation is a systematic examination, typically with the purpose of
identifying or verifying facts.
Evidence dynamics: It refers to any influence that adds, changes, relocates, obscures,
contaminates, or obliterates evidence, regardless of intent.
5WH
5WH defines the objectives of an investigation as who, where, what, when, why, and how.
The 5WH formula sets the following objectives (Stelfox, 2013):
Who: Persons involved in the investigation, including suspects, witnesses, and victims
Where: The location of the crime and other relevant locations
What: Description of the facts of the crime in question
When: The time of the crime and other related events
Why: The motivation for the crime and why it happened at a given time
How: How the crime was committed.
Digital Forensics
The use of scientifically derived and proven methods toward the
preservation, collection, validation, identification, analysis,
interpretation, documentation, and presentation of digital evidence
derived from digital sources for the purpose of facilitating or furthering
the reconstruction of events found to be criminal, or helping to anticipate
unauthorized actions shown to be disruptive to planned operations.
Most legal cases today have an aspect of digital forensics, involving for
example mobile phones, credit card transactions, email systems, Internet
logs, and GPS systems.
As many types of digital evidence can be volatile and easily manipulated,
the trusted preservation of evidence through the use of standardized
forensic tools and methods has become essential.
Digital Devices, Media and Objects
A digital device is a physical object, such as a laptop,
a smartphone, or a car. A digital device necessarily
contains one or more storage media, such as a hard
drive or memory, referred to as digital media.
The digital media contain data, stored in binary
format, referred to as digital data.
Forensic analysts often work with discrete collections of digital data, referred to as digital objects.
Forensically Sound
An investigation is forensically sound if it adheres to established digital forensics principles, standards, and processes.
Two fundamental principles –
Evidence integrity and chain of custody
Evidence integrity refers to the preservation of evidence in a
complete form without any intentional or unintentional changes.
While evidence integrity is an ideal in digital forensics, it is
often not achievable, as data inevitably changes in live
computer systems and networks during investigations.
Due to this, documentation of all steps in the investigation is an important objective. This is referred to as the chain of custody.
Chain of custody refers to the documentation of acquisition,
control, analysis, and disposition of physical and electronic
evidence.
Crime Reconstruction in Digital Forensics
Crime reconstruction can help test hypotheses about a possible chain of events.
It leverages the five-step process for event-based crime scene reconstruction as
proposed by Carrier and Spafford.
1) Evidence examination: Identify and characterize evidence relevant to an
incident.
2) Role classification: Examine the role of the evidence as a cause or effect of
an event.
3) Event construction and testing: Identify events and assess whether they are
possible.
4) Event sequencing: Combine events into event chains.
5) Hypothesis testing: The hypothesis is tested using the scientific method.
Digital Evidence
Digital evidence is defined as any digital data that contains reliable information that can support or refute a hypothesis of an incident or crime.
In digital forensics, we aim to process and store digital evidence in a way that is consistent with the principles of evidence integrity and chain of custody. A number of digital evidence storage and exchange formats have been developed to support this.
Layers of Abstraction
It refers to the practice, used in all areas of computing, of hiding
implementation details of higher layers of abstraction in order to
reduce complexity.
A forensic analyst has to analyze and reconstruct data at all layers of
abstraction to be able to extract and explain relevant digital
evidence.
For example, a forensic analyst may have to analyze data at the
binary level of a disk drive to reconstruct a text file that contains an
email with content relevant to the investigated case.
A well-known example from computer networks is the Open Systems
Interconnection (OSI) reference model, which divides network
protocols into seven layers of abstraction.
Metadata
• Metadata is a valuable source of
evidence in digital forensics that will
be thoroughly discussed in this
textbook. Metadata, or data about
data, contains information about data
objects.
• For example, the metadata
associated with a digital photograph
can contain the time of taking the
photo, the geographical location, and
the camera used.
• The analysis of metadata is an
important activity throughout the
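The two slides above (layers of abstraction, and metadata such as the capture time and camera stored in a photograph) are illustrated by the following added example, which is not part of the original slides. It builds a constructed, minimal TIFF-structured EXIF blob (the container real cameras use for the DateTimeOriginal and Make/Model tags) and then parses it back from raw bytes, so the same data is seen at the binary layer and at the metadata layer. Tag numbers 0x010F, 0x0110 and 0x9003 are the standard TIFF/EXIF ones; the camera name, model and date are invented sample values.

```python
import struct

# Standard TIFF/EXIF tag numbers for the three ASCII tags handled here.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x9003: "DateTimeOriginal"}
ASCII_TYPE = 2  # TIFF field type 2 = NUL-terminated ASCII


def build_sample_exif() -> bytes:
    """Construct a little-endian TIFF header plus one IFD (sample data, not a real camera file)."""
    values = (
        (0x010F, b"ExampleCam\x00"),          # Make (constructed)
        (0x0110, b"X-1\x00"),                 # Model, 4 bytes so it fits inline
        (0x9003, b"2023:04:15 10:32:07\x00"),  # DateTimeOriginal (constructed)
    )
    header = b"II" + struct.pack("<H", 42) + struct.pack("<I", 8)  # IFD0 starts at offset 8
    n = len(values)
    data_off = 8 + 2 + n * 12 + 4  # where out-of-line values start
    entries, payload = b"", b""
    for tag, val in values:
        if len(val) <= 4:
            # Values of 4 bytes or less are stored inside the 12-byte entry itself
            entries += struct.pack("<HHI4s", tag, ASCII_TYPE, len(val), val.ljust(4, b"\x00"))
        else:
            # Longer values are stored after the IFD; the entry holds their offset
            entries += struct.pack("<HHII", tag, ASCII_TYPE, len(val), data_off + len(payload))
            payload += val
    ifd = struct.pack("<H", n) + entries + struct.pack("<I", 0)  # 0 = no next IFD
    return header + ifd + payload


def parse_exif(blob: bytes) -> dict:
    """Read the ASCII tags of IFD0 from a TIFF-structured blob, with bounds checks."""
    if len(blob) < 8:
        raise ValueError("truncated TIFF header")
    endian = {b"II": "<", b"MM": ">"}.get(blob[:2])
    if endian is None:
        raise ValueError("not a TIFF header")
    magic, ifd_off = struct.unpack(endian + "HI", blob[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    if ifd_off + 2 > len(blob):
        raise ValueError("IFD offset out of bounds")
    (count,) = struct.unpack(endian + "H", blob[ifd_off:ifd_off + 2])
    if ifd_off + 2 + count * 12 > len(blob):
        raise ValueError("IFD truncated")
    result = {}
    for i in range(count):
        off = ifd_off + 2 + i * 12
        tag, ftype, cnt = struct.unpack(endian + "HHI", blob[off:off + 8])
        value_field = blob[off + 8:off + 12]
        if ftype != ASCII_TYPE:
            continue  # only ASCII tags are decoded in this example
        if cnt <= 4:
            raw = value_field[:cnt]
        else:
            (data_off,) = struct.unpack(endian + "I", value_field)
            if data_off + cnt > len(blob):
                raise ValueError("value pointer out of bounds")  # malformed or damaged evidence
            raw = blob[data_off:data_off + cnt]
        name = TAG_NAMES.get(tag, "0x%04X" % tag)
        result[name] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return result


if __name__ == "__main__":
    blob = build_sample_exif()
    print(blob.hex())          # the binary layer
    print(parse_exif(blob))    # the metadata layer
```

The bounds checks matter in practice: evidence recovered by carving is frequently truncated or partly overwritten, and a parser that trusts offsets blindly will either crash or report values from unrelated data.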
Online Bank Fraud – A Real-World Example
The Identification Phase
Incidents can be identified based on complaints,
alerts, or other indications.
The identification of an incident or a crime leads to
the formation of a hypothesis about what might have
happened.
The questions defined by the 5WH model should
always be raised during the identification phase.
The task of detecting, recognizing, and determining
the incident or crime to investigate.
The Identification Phase
Preparations and Deployment of Tools and
Resources
The First Responder
Scene of an incident – Preservation Tasks
Dealing with Live and Dead Systems – Post
mortem analysis
Chain of Custody
The Collection Phase
In a digital forensics investigation, the collection phase refers
to the acquisition or copying of the data.
This is when a forensic investigator gains access to the
electronic device(s) containing raw data that has been identified
as relevant for the specific case.
The collection phase of the digital forensics process is common
to most literature and scientific research in digital forensics.
The majority of literature that discusses the forensics process
uses the term collection, whereas more technically oriented
literature refers to an acquisition and/or extraction.
The Collection Phase
Sources of Digital Evidence
Systems Physically Tied to a Location
Multiple Evidence Sources
Reconstruction
Evidence Integrity and Cryptographic Hashes
Order of Volatility
Dual-Tool Verification
Remote Acquisition
External Competency and Forensics Cooperation
Cryptographic Hash
A cryptographic hash function is a nonreversible mathematical function that takes an arbitrary amount of data as input and returns a fixed-size string as output. The result is a hash value, and it is computationally infeasible to find two different files that produce the same hash.
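The following added example (not from the original slides) ties together the evidence-integrity and chain-of-custody principles from earlier and the cryptographic-hash and dual-tool-verification items listed for the collection phase. Each custody entry records the image's hashes under two independent algorithms, and a later verification reports which algorithms disagree with the acquisition baseline. The evidence bytes, case identifier and custodian names are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (4 KiB of repeating bytes).
EVIDENCE_IMAGE = bytes(range(256)) * 16

# Two independent algorithms: a mismatch in either one flags a change.
HASH_ALGOS = ("md5", "sha256")


def hash_evidence(data: bytes) -> dict:
    """Hash the evidence with every configured algorithm."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


class ChainOfCustody:
    """Append-only log of who handled an evidence item, when, and what its hashes were."""

    def __init__(self, case_id: str, evidence_id: str):
        self.case_id = case_id
        self.evidence_id = evidence_id
        self.entries = []

    def record(self, action: str, custodian: str, data: bytes, when: datetime = None) -> dict:
        """Add an entry; the first entry becomes the integrity baseline."""
        ts = (when or datetime.now(timezone.utc)).isoformat()
        entry = {"timestamp": ts, "action": action, "custodian": custodian,
                 "hashes": hash_evidence(data)}
        self.entries.append(entry)
        return entry

    def verify(self, data: bytes) -> list:
        """Return the algorithms whose current digest differs from the acquisition baseline."""
        if not self.entries:
            raise RuntimeError("no acquisition entry recorded")
        baseline = self.entries[0]["hashes"]
        current = hash_evidence(data)
        return [algo for algo in HASH_ALGOS if current[algo] != baseline[algo]]

    def export(self) -> str:
        """Serialize the log for inclusion in the final report."""
        return json.dumps({"case_id": self.case_id, "evidence_id": self.evidence_id,
                           "entries": self.entries}, indent=2)


if __name__ == "__main__":
    coc = ChainOfCustody("CASE-0001", "HDD-01")  # constructed identifiers
    coc.record("acquired", "examiner A", EVIDENCE_IMAGE)
    coc.record("transferred to lab", "examiner B", EVIDENCE_IMAGE)
    print("mismatches on untouched image:", coc.verify(EVIDENCE_IMAGE))
    tampered = bytearray(EVIDENCE_IMAGE)
    tampered[100] ^= 0x01  # flip a single bit
    print("mismatches after one-bit change:", coc.verify(bytes(tampered)))
    print(coc.export())
```

A single flipped bit changes every digest, which is exactly why the acquisition hash is recorded before any examination begins and re-checked at each hand-over.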
Order of Volatility (OOV)
Collect the most volatile data first; this increases the possibility of capturing data about the incident in question.
But as you capture data in one part of the computer, you are changing data in another.
The Heisenberg Principle of data gathering and system analysis: it is not simply difficult to gather all the information on a computer, it is essentially impossible.
Prioritization of the potential evidence sources to be collected according to the volatility of the data.
Examples of OOV
The Examination Phase
Preparation and extraction of potential digital evidence from
collected data sources.
All data collected must be examined and prepared for later
analysis as part of the examination phase.
As with all phases in the digital forensics process, it is important
to document your actions and handling of the data to support the
chain of custody.
The examination often requires restructuring, parsing, and
preprocessing of raw data to make it understandable for a forensic
investigator in the upcoming analysis.
To facilitate this phase, an analyst typically uses forensic tools and
techniques appropriate for extracting relevant information.
The Examination Phase
Initial Data Source Examination and Preprocessing
Forensic File Formats and Structures
Data Recovery
Data Reduction and Filtering
Timestamps
Compression, Encryption and Obfuscation
Data and File Carving
Automation
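The two examination-phase items "Data Reduction and Filtering" and "Data and File Carving" are illustrated together in this added example, which is not part of the original slides. It carves JPEG and PNG objects out of a constructed disk image by scanning for their standard header and footer signatures, then filters the carved results against a known-good hash set (the approach used with reference datasets such as NIST's NSRL). The image contents and the hash set are constructed for the example.

```python
import hashlib

# Standard file signatures: (type, header bytes, footer bytes)
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]

# Constructed sample files: one "known good" JPEG, one unknown JPEG, one PNG.
KNOWN_GOOD_JPEG = b"\xff\xd8\xff\xe0" + b"KNOWN-SYSTEM-ICON" + b"\xff\xd9"
SUSPECT_JPEG = b"\xff\xd8\xff\xe0" + b"SUSPECT-PHOTO" + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR-and-IDAT-chunks" + b"IEND\xaeB`\x82"

# Constructed known-good hash set (stands in for a reference dataset).
KNOWN_GOOD_HASHES = {hashlib.sha256(KNOWN_GOOD_JPEG).hexdigest()}


def build_sample_image() -> bytes:
    """Lay the sample files into an 8 KiB zero-filled 'disk image' at fixed offsets."""
    image = bytearray(8192)
    for offset, blob in ((512, KNOWN_GOOD_JPEG), (2048, SUSPECT_JPEG), (4096, SAMPLE_PNG)):
        image[offset:offset + len(blob)] = blob
    return bytes(image)


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Header/footer carving: return carved objects sorted by offset."""
    found = []
    for name, head, foot in SIGNATURES:
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(foot, start + len(head))
            if end < 0 or end - start > max_size:
                pos = start + 1  # no plausible footer: treat as a false header hit
                continue
            end += len(foot)
            found.append({"type": name, "offset": start, "size": end - start,
                          "data": image[start:end]})
            pos = end
    found.sort(key=lambda f: f["offset"])
    return found


def filter_known_good(carved: list, known_hashes: set) -> list:
    """Data reduction: drop carved objects whose hash is in the known-good set."""
    return [f for f in carved if hashlib.sha256(f["data"]).hexdigest() not in known_hashes]


if __name__ == "__main__":
    image = build_sample_image()
    carved = carve(image)
    for f in carved:
        print(f["type"], "at", f["offset"], "size", f["size"])
    remaining = filter_known_good(carved, KNOWN_GOOD_HASHES)
    print(len(carved), "carved,", len(remaining), "left after known-good filtering")
```

Real images need more care than this: JPEG footers can appear inside embedded thumbnails and fragmented files will not carve cleanly, which is why the max_size guard and the hash check on each result are kept separate.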
[Figure: Illustration of filtering using known good file datasets]
[Figure: File carving with database read and search in a digital device for relevant files]
The Analysis Phase
In the analysis phase, forensic investigators determine the
digital objects to be used as digital evidence to support or refute
a hypothesis of a crime, incident, or event.
The processing of information that addresses the objective of
the investigation with the purpose of determining the facts
about an event, the significance of the evidence, and the
person(s) responsible.
Statistical methods, manual analysis, techniques for understanding protocols and data formats, linking of multiple data objects (e.g., through the use of data mining), and timelining are some of the techniques that are used for analysis.
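The timelining technique mentioned above is shown in this added example, which is not part of the original slides. It takes constructed events from three sources that record time differently (an authentication log in local time with an offset, a web server log in UTC, and a file system modification time as a Unix epoch), normalizes them all to UTC and produces a single ordered timeline. Host names, addresses and paths in the sample lines are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample inputs from three sources with different timestamp conventions.
AUTH_LOG = [
    "2023-04-15T10:32:07+02:00 ws01 sshd[1234]: Accepted password for alice from 10.0.0.5 port 51022",
]
WEB_LOG = [
    '10.0.0.5 - - [15/Apr/2023:08:31:55 +0000] "GET /invoice.pdf HTTP/1.1" 200 48213',
]
FS_ENTRIES = [
    ("C:/Users/alice/Downloads/invoice.pdf", 1681547550),  # (path, mtime as Unix epoch)
]


def parse_auth(line: str):
    """ISO-8601 timestamp with a UTC offset, followed by host and message."""
    m = re.match(r"(\S+) (\S+) (.*)", line)
    ts = datetime.fromisoformat(m.group(1)).astimezone(timezone.utc)
    return ts, "auth", m.group(3)


def parse_web(line: str):
    """Common Log Format: the timestamp sits in square brackets with a numeric zone."""
    m = re.match(r'(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"', line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return ts, "web", "%s %s" % (m.group(1), m.group(3))


def parse_fs(entry):
    """File system timestamps are epoch seconds and are interpreted as UTC."""
    path, epoch = entry
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return ts, "fs", "modified %s" % path


def build_timeline(auth=AUTH_LOG, web=WEB_LOG, fs=FS_ENTRIES) -> list:
    """Merge all sources into one list of events ordered by normalized UTC time."""
    events = [parse_auth(l) for l in auth] + [parse_web(l) for l in web] + [parse_fs(e) for e in fs]
    events.sort(key=lambda e: e[0])
    return [{"utc": ts.isoformat(), "source": src, "event": desc} for ts, src, desc in events]


if __name__ == "__main__":
    for e in build_timeline():
        print(e["utc"], e["source"].ljust(5), e["event"])
```

Note that the authentication entry, which reads 10:32 in the log, lands between the 08:31 download request and the 08:32 file modification once its +02:00 offset is applied; timelines built without zone normalization silently reorder events like this.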
The Analysis Phase
Layers of Abstraction
Evidence Types
String and Keyword Searches
Anti-Forensics
- Computer Media Wiping
- Analysis of Encrypted and Obfuscated Data
Automated Analysis
Timelining of Events
Graphs and Visual Representations
Link Analysis
[Figure: Image as seen by users, by the operating system, and in hardware]
[Figure: Graphical representation of connected entities in digital evidence with Maltego]
The Presentation Phase
The process by which the examiner shares results from the analysis
phase in the form of reports to the interested party or parties.
The presentation phase involves the final documentation and
presentation of the results of the investigation to a court of law or
other applicable audiences, such as a corporation’s top management
or crisis management team.
The presentation is based on objective findings with a sufficient level
of certainty, based on the analysis of digital evidence.
It is important that the findings are summarized and that all actions
performed during the investigation are accounted for and described
in a fashion understandable by the audience.
The Presentation Phase
The Final Reports
Presentation of Evidence and Work Conducted
The Chain of Custody Circle Closes
