Analysis of Digital Evidences

Unit 8
 Imaging of Digital Evidence
• Imaging is the process of creating a bit-for-bit copy of digital
evidence, such as a hard disk or USB drive, for investigation
purposes. This ensures that the original evidence is
preserved and not altered during the examination.
• Imaging captures all data, including deleted files, hidden
files, and unallocated space.To create a forensic image, the
original evidence is connected to a write blocker, which
allows read-only access and prevents any changes to the
data. A destination disk is also connected to the write
blocker, and the imaging software is used to create the
image. Multiple images are typically created for redundancy
 Hashing of Digital Evidence
• Hashing is the process of applying a mathematical algorithm to digital
evidence to generate a unique alphanumeric value called a hash value. The
same input will always produce the same hash value, but any change to the
original evidence will result in a different hash value
• Common hashing algorithms used in digital forensics include MD5 (Message
Digest) and SHA-1 (Secure Hashing Algorithm). The generated hash value
serves as a digital fingerprint or electronic signature of the evidence.Hashing
is crucial for verifying the integrity of digital evidence, as it ensures that the
evidence has not been altered during the investigation process. The hash
value is recorded and compared at various stages, such as when the evidence
is seized, imaged, and presented in court.
• imaging creates a forensic copy of digital evidence, while hashing generates a
unique identifier to verify the integrity of the evidence. Both techniques are
essential in digital forensics to preserve and authenticate evidence for legal
proceedings
 Duplication and preservation of digital
evidence

1. Duplication: Duplication involves creating a copy of digital evidence for analysis,

examination, or presentation purposes. This process ensures that investigators can
work with the evidence without altering or compromising the original data.
Duplication can be achieved through imaging, as mentioned earlier, where a bit-for-
bit copy of the storage device is created using specialized forensic software. It's
crucial that duplication is done forensically soundly, meaning it preserves all
relevant metadata and maintains the integrity of the original evidence.

2. Preservation: Preservation involves safeguarding digital evidence to prevent tampering,

loss, or unauthorized access. Preservation starts with the initial identification of
evidence and continues throughout the entire investigation process, including
analysis, reporting, and potential legal proceedings. Proper preservation techniques
ensure that the evidence remains authentic, admissible, and reliable in court. This
includes maintaining a secure chain of custody, documenting all actions taken with
the evidence, and protecting it from physical and digital threats.
• Both duplication and preservation are essential for
the integrity of digital evidence and maintaining the
credibility of forensic investigations. They ensure that
the evidence remains unchanged and verifiable,
allowing investigators to draw accurate conclusions
and present compelling findings in legal proceedings.
Without proper duplication and preservation
measures, digital evidence may be susceptible to
challenges regarding its authenticity and
admissibility, potentially undermining the
investigative process and the outcomes of legal cases.
Understanding Storage Formats
for Digital Evidences
• The sources provided offer detailed information on the storage formats
for digital evidence in the field of digital forensics. Here are key points
extracted from the sources regarding the understanding of storage
formats for digital evidence:

• - Raw Format: This format enables writing bit-stream data to files,

allowing for fast data transfers and the ability to ignore minor data read
errors on the source drive. However, it requires as much storage as the
original disk or data and may not collect marginal (bad) sectors.

• - Proprietary Formats: Most forensic tools have their own formats with
features like the option to compress image files, split images into
smaller segments, and integrate metadata. However, these formats
have limitations, such as the inability to share images between different
tools and file size restrictions for segmented volumes.
 cont
• - Advanced Forensics Format (AFF): Developed to address the need for a standard
format for storing and transmitting digital evidence, AFF aims to facilitate
interoperability between different organizations and analysis tools. It provides benefits
like easy import into multiple analysis tools, storage of metadata with evidence, and
increased reliability of evidence.

• - Best Acquisition Methods: The sources discuss various acquisition methods,

including static acquisitions and live acquisitions, and detail techniques like bit-stream
disk-to-image file, bit-stream disk-to-disk, and logical disk-to-disk data. These methods
vary based on factors like the size of the source disk, compression needs, and
verification through digital signatures.

• Understanding storage formats for digital evidence involves considerations of raw

formats, proprietary formats, and advanced forensic formats, each with its advantages
and limitations. Choosing the best acquisition method depends on factors like data
volume, time constraints, and the need for data integrity and interoperability.
Data Recovery Tools and
Procedures
 Data Recovery Tools
• Forensic Imaging Tools: These tools create bit-by-bit copies (forensic images) of
storage devices without altering the original data. Examples include FTK Imager,
EnCase, and dd (command-line tool).
• File Carving Tools: These tools search for and extract files from unallocated space,
fragmented data, or damaged filesystems based on file signatures or patterns.
Examples include PhotoRec, Scalpel, and Foremost.
• Disk Partitioning and Repair Tools: These tools help repair damaged or corrupted
disk partitions and filesystem structures. Examples include TestDisk, EaseUS
Partition Master, and GParted.
• Data Backup and Restore Tools: These tools automate the backup and restoration
of data to prevent loss and facilitate recovery in case of data loss. Examples include
Acronis True Image, Backup Exec, and Time Machine.
• Remote Data Recovery Tools: These tools allow for data recovery from remote or
inaccessible storage devices over a network connection. Examples include Remote
Desktop Software with file transfer capabilities, cloud-based data recovery services,
and remote backup solutions.
 Data Recovery Procedures
– Assessment and Planning: Evaluate the nature and extent of data loss, identify the
affected storage devices, and determine the appropriate recovery approach.
– Isolation and Preservation: Isolate the affected storage devices to prevent further data
loss or damage. Ensure proper preservation of evidence if the recovery is part of a
forensic investigation.
– Imaging and Analysis: Create forensic images of the storage devices using imaging tools.
Analyze the images to identify recoverable data and assess the integrity of the recovered
files.
– Recovery Execution: Use appropriate data recovery tools and techniques to recover lost
or deleted data. Follow best practices to minimize the risk of further data loss or damage
during the recovery process.
– Verification and Validation: Verify the integrity and completeness of the recovered data.
Validate the recovered files to ensure they are accessible, intact, and unaltered.
– Documentation and Reporting: Document all actions taken during the data recovery
process, including the tools used, procedures followed, and results obtained. Prepare a
detailed report summarizing the findings and recovery outcomes.
Importance of Log Analysis in
Forensic Analysis
• Log analysis plays a crucial role in forensic analysis by providing investigators with valuable insights into
security incidents and breaches. Here are the key points extracted from the provided sources regarding the
importance of log analysis in forensic analysis:

• - Chronological Record: Log analysis provides a chronological record of events, aiding investigators in
reconstructing what happened, how it happened, and who was involved in security incidents.
•
• - Root Cause Investigation: Log forensics allows security teams to drill down deep into security breaches,
enabling them to identify the root cause of cyberattacks. It provides essential information on the who,
when, where, and how of security incidents, empowering security teams to conduct digital forensic
investigations effectively[2].

• - Detection and Mitigation: Logs act as a vital source for detecting threats, mitigating attacks, and
conducting post-attack analysis. Log management, including log forensics, is essential for collecting, storing,
analyzing, and archiving log data to identify security incidents, attack patterns, and impacted data.

• - Insights and Analysis: Log analysis helps in understanding access logs, identifying attacks, and investigating
suspicious activities. By analyzing logs from various sources like web servers, application servers, and
network devices, investigators can gain insights into potential threats, insider attacks, and vulnerabilities
within the network.

• - Forensic Investigation: Log forensics is a combination of log analytics and computer forensics, aiding digital
forensic experts in untangling incidents and digital crimes. It helps in tracing hackers, detecting
vulnerabilities, and supporting disaster recovery efforts through detailed analysis of log data.