
Unit-1-1. Foundations of Digital Forensics

The document outlines the foundations of digital forensics, including definitions, processes, and the importance of digital evidence in legal contexts. It discusses various branches of digital forensics, the characteristics and types of digital evidence, and the steps involved in the forensic process. Additionally, it highlights the need for digital forensics, its applications, benefits, challenges faced, and the skills required for professionals in the field.

Uploaded by

devasandeep0

Foundations of Digital Forensics

Outline
• Forensic and Digital Forensic Definitions
• Digital Evidence
• Digital Forensic Model
• Digital Forensic Process
• Need and Benefits of Digital Forensic
• Applications of Digital Forensic
• Skills required and Challenges faced by Digital Forensic

What is forensic?
• Collection and analysis of evidence
• Using scientific test or techniques
• To establish facts against crime
• For presenting in a legal proceeding
• Therefore forensic science is a scientific method of gathering and examining information about the past which is then used in a court of law

What is digital forensic?
• Digital Forensics is the use of scientifically derived and proven methods toward:
  - the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital devices
  - for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.

Branches of Digital Forensics
• The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved:
  - Computer forensics, Firewall Forensics, Database Forensics, Network forensics, Forensic data analysis and Mobile device forensics.
• The typical forensic process encompasses the seizure, forensic imaging and analysis of digital media and the production of a report into collected evidence.

Examples of Digital Forensic Devices

Digital Evidence
• Evidence
  - A piece of information that supports a conclusion
• Digital evidence
  - Any data that is recorded or preserved on any medium in or by a computer system or other similar digital device, that can be read or understood by a person or a computer system or other similar device.

Characteristics of Digital Evidence
• Evidence must be:
  - Admissible: conformity with the common law and legislative rules
  - Authentic: in linking data to specific individuals and events
  - Fragile: easily altered, damaged, or destroyed
  - Accurate
  – To proving

Examples of Digital Evidence
• e-mails,
• digital photographs,
• ATM transaction logs,
• word processing documents,
• instant message histories,
• files saved from accounting program,
• spreadsheets,
• internet browser histories,
• databases,
• the contents of computer memory,
• computer backups, computer printouts,
• Global Positioning System tracks,
• logs from a hotel's electronic door locks, and
• digital video or audio files

Types of Digital Evidence
• Persistent data
  - Data that remains intact when the digital device is turned off, e.g. hard drives, disk drives and removable storage devices (such as USB drives or flash drives).
• Volatile data
  - Data that would be lost if the digital device is turned off, e.g. deleted files, computer history, the computer's registry, temporary files and web browsing history.

Location for Evidence
• Internet History Files
• Temporary Internet Files
• Slack/Unallocated Space
• Buddy lists, personal chat room records, P2P, other saved areas
• News groups/club lists/posting
• Settings, folder structure, file names
• File Storage Dates
• Software/Hardware added
• File Sharing ability

Digital Forensic Model
• Because digital forensics is a new discipline:
  - there is little standardization and consistency
  - across the courts and industry

Different Digital Forensic Models Published

| No. | Digital Forensic Model or framework | No. of phases |
|-----|-------------------------------------|---------------|
| 1 | Computer forensic process (M. Pollitt, 1995) | 4 Processes |
| 2 | Generic Investigative Process (Palmer, 2001) | 7 Classes |
| 3 | Abstract model of Digital forensic procedure (Reith, Carr, & Gunsch, 2002) | 9 Processes |
| 4 | An integrated digital investigation process (Carrier & Spafford, 2003) | 17 Processes |
| 5 | End to End Digital Investigation (Stephenson, 2003) | 9 Steps |
| 6 | Enhanced Integrated Digital Investigation Process (Baryamureeba & Tushabe, 2004) | 21 Phases |

Different Digital Forensic Models Published…

| No. | Digital Forensic Model or framework | No. of phases |
|-----|-------------------------------------|---------------|
| 7 | Extended Model of Cybercrime investigation (Ciardhuain, 2004) | 13 Activities |
| 8 | Hierarchical, Objectives-based Framework (Beebe & Clark, 2004) | 6 Phases |
| 9 | Event based Digital Forensic Investigation framework (Carrier and Spafford, 2004) | 16 Phases |
| 10 | Forensic Process (Kent K, Chevalier, Grance & Dang, 2006) | 4 Processes |
| 11 | Investigation framework (Kohn, Eloff, & Olivier, 2006) | 3 Stages |
| 12 | Computer forensic field Triage Process Model (K. Rogers, Goldman, Mislan, Wedge, & Debrota, 2006) | 4 Phases |
| 13 | Investigative Process Model (Freiling & Schwittay, 2007) | 4 Phases |

Digital Forensic Basic Model

Digital Forensic Process
• Broad process steps:
  - Identification
  - Preservation
  - Analysis
  - Documentation

Identification
• The first step in the forensic process:
  - What evidence is present
  - Where it is stored and
  - How it is stored
• Electronic stores can be:
  - Personal computers
  - Mobile phones
  - PDAs
  - Smart cards
• Key parameters in identification:
  - Type of information
  - Format

Preservation
• Isolate, secure and preserve the state of physical and digital evidence.
• This includes preventing people from using the digital device or allowing other electromagnetic devices to be used within an affected radius.

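One way to support the preservation step, as an added example that is not part of the original slides: record a cryptographic hash of an acquired image at collection time and re-check it before analysis, so that any alteration of the fragile evidence is detected. The use of SHA-256, the custody log fields, the file name and the examiner ID are assumptions chosen for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record_acquisition(path, examiner, log):
    """Append a custody entry holding the hash and size taken at acquisition time."""
    entry = {
        "item": os.path.basename(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "examiner": examiner,
        "utc": datetime.now(timezone.utc).isoformat(),
    }
    log.append(entry)
    return entry

def verify_item(path, log):
    """Return True only if the file still matches its recorded size and hash."""
    name = os.path.basename(path)
    for entry in log:
        if entry["item"] == name:
            return (os.path.getsize(path) == entry["size"]
                    and sha256_file(path) == entry["sha256"])
    raise KeyError(f"no custody entry for {name}")

def demo():
    """Constructed sample: a small stand-in image that is later altered by one byte."""
    log = []
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "usb_drive.img")  # hypothetical file name
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample evidence")
        record_acquisition(image, "examiner-01", log)  # hypothetical examiner ID
        before = verify_item(image, log)
        with open(image, "r+b") as fh:  # simulate an accidental write to the evidence
            fh.seek(10)
            fh.write(b"\x01")
        after = verify_item(image, log)
    return before, after, log[0]
```

The size check alone would miss the one-byte change here, which is why the hash comparison is what flags the altered copy.
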
Analysis
• Determine significance, reconstruct fragments of data and draw conclusions based on evidence found.
• It may take several iterations of examination and analysis to support a crime theory.

Documentation
• A record of all visible data must be created, which helps in recreating the scene and reviewing it any time
• Involves proper documentation of the crime scene along with photographing, sketching and crime-scene mapping.

Presentation
• Summarize and provide explanation of conclusions.
  - This should be written in a layperson's terms using abstracted terminologies.
  - All abstracted terminologies should reference the specific details.

Need for Digital Forensics
• To ensure the integrity of digital system.
• To focus on the response to hi-tech offenses that have started to intervene in the system.
• Digital forensics has been efficiently used to track down the terrorists from the various parts of the world.
• To produce evidence in the court that can lead to the

The Benefits of Digital Forensics
Digital Forensics helps to protect from and solve cases involving:
• Theft of intellectual property
  - This pertains to any act that allows access to patents, trade secrets, customer data, and any confidential information.
• Financial Fraud
  - This pertains to anything that uses fraudulent solicitation of victims' information to conduct fraudulent transactions.

The benefits of digital forensics ...
• Hacker system penetration
  - Taking advantage of vulnerabilities of systems or software using tools such as rootkits and sniffers.
• Distribution and execution of viruses and worms
  - These are the most common forms of cyber crime and often cause the most damage.

Applications of Digital Forensics
• Financial Fraud Detection
• Criminal Prosecution
  - Child pornography (Michael Jackson case)
• Civil Litigation (evidence in court cases and proceedings)
  - Perjury (false swearing) (Clinton - Lewinsky case)
• Corporate Security Policy and Acceptable Use Violations
  - Embezzlement (misuse, fraud, cheating etc.)
  - Email threats, data theft, industrial espionage (spying, intelligence units)

Challenges faced by Digital Forensics
• The increase of PCs and internet access has made the exchange of information quick and inexpensive.
  - Easy availability of hacking tools.
  - Lack of physical evidence makes crimes harder to prosecute.
• The large amount of storage space available to suspects
  - The rapid technological changes require constant upgrade

Skills required for Digital Forensics
• Application of Programming or computer-related experience
• Broad understanding of operating systems and applications
• Strong analytical skills
• Strong computer science fundamentals
• Strong system administrative skills
• Knowledge of the latest intruder tools
• Knowledge of cryptography and steganography
• Strong understanding of the rules of evidence and evidence

Digital Forensic Software Tools
• BACKTRACK 5R3 (Linux operating system): This OS has many forensic tools to analyze any compromised system or find security holes
  - A large number of bundled open source packages are installed in this OS.
• Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing
  - It was developed through the rewrite of Backtrack 5,

Conclusion
• Digital forensics is important for solving crimes
  - with digital devices
  - against digital devices
  - against people where evidence may reside in a device
• Several sound tools and techniques exist to search and analyse digital data
• Regardless of existing tools, evolving digital age and development of technology requires heavier research in digital forensics

END OF THE PRESENTATION

Thank You
