Module 2 - Part 2 (1)

The document outlines the fundamentals of digital forensics, focusing on digital evidence, its sources, types, and the rules governing its admissibility in court. It emphasizes the importance of proper handling and preservation of digital evidence, as well as the roles and responsibilities of a Computer Security Incident Response Team (CSIRT) in managing incidents. Key characteristics of digital evidence, challenges in evidence handling, and the principles guiding digital forensics are also discussed.

Uploaded by prem.patil22

Module 2

Digital Forensics Fundamentals

Part 2
By Oyendrila Samanta
Digital Evidence
 Digital evidence, also known as electronic evidence, is data or
information that exists in digital form, that "can prove" or "reveal the
truth" about a crime and can be relied upon and used in a
court of law.

 Digital evidence is any information or data of value to an
investigation that is stored on, received by, or transmitted by an
electronic device.

 This type of evidence encompasses a wide range of sources,
including but not limited to computers, mobile devices, servers,
social media, emails, digital images, videos, and more. Text
messages, emails, pictures and videos, and internet searches
are some of the most common types of digital evidence.
Digital Evidence
With the increasing reliance on digital technologies in various
aspects of our lives, digital evidence has become a crucial
component in investigations and court cases.

There are different types of digital evidence, each offering unique types
of information. They are broadly classified into two groups:

(1) Evidence from data at rest (obtained from any device that
stores digital information)

(2) Data intercepted while in transit (interception of data
transmissions and communications).
Sources of Digital Evidence
Some of the different sources of digital evidence are discussed below:

1. Internet:
 Evidence obtained from the internet includes information collected
from website communications, emails, message boards, chat rooms,
file-sharing networks etc.

 Message boards and chat rooms hold large amounts of information, both in
real time and in archived records. Though sources may often be traced and
identified easily, the internet today poses many further difficulties.

 The offenders may be outside the jurisdiction of the courts. Also, some
websites are designed for user anonymity, making identification of
offenders more difficult.
Sources of Digital Evidence
2. Computers:
 Computers are a source of information, with evidence obtained using
specialized extraction methods.

 Though the material may overlap with internet sources, computers
provide many unique and notable pieces of evidence, including
timestamps, IP addresses, information about VPNs and MAC addresses.

3. Portable Devices:
 These contain information sourced from smartphones, tablets
and other handheld devices or gadgets.

 Because of society's dependence on portable devices, these
have become the leading source of digital evidence in numerous
court cases.
Rules of Digital Evidence
 The rules of evidence are also called the law of evidence.

 They encompass the rules and legal principles that govern the
proof of facts.

 These rules help determine what evidence must or must not
be considered by a trier of fact.

 The rules of evidence are also concerned with the amount, quality
and type of proof needed to prove a matter in litigation.

 The rules may vary between criminal courts, civil courts etc.
Rules of Digital Evidence
The evidence must be:

1. Admissible:
This is the most basic rule and a measure of evidence validity
and importance. The evidence must be preserved and gathered in
such a way that it can be used in court or elsewhere. Many errors
can be made that could cause a judge to rule a piece of evidence
inadmissible. For example, evidence that is gathered using illegal
methods is commonly ruled inadmissible.

2. Authentic:
The evidence should be positively tied to the incident. The
forensic examiner must be able to account for the origin of the
evidence.
Rules of Digital Evidence
3. Complete:
When evidence is presented, it must be clear and
complete and should reflect the whole story. It is not enough to
collect evidence that just shows one perspective of the incident.
Presenting incomplete evidence is more dangerous than not
providing any evidence at all, as it could lead to a different
judgment.

4. Reliable:
Evidence collected from the device must be reliable.
This depends on the tools and methodology used. The
techniques used and evidence collected must not cast doubt on
the authenticity of the evidence. If the examiner used
techniques that cannot be reproduced, then the evidence is not
considered reliable unless the examiner was directed to use them. This
would include potentially destructive methods such as chip-off extraction.

5. Believable:
A forensic examiner must be able to explain, with clarity
and conciseness, what processes they used and how the
integrity of the evidence was preserved. The evidence presented
by the examiner must be clear, easy to understand, and
believable to a jury.
Types of Digital Evidence
There are many types of digital evidence, each with its own
specific or unique characteristics. Some of the major types of
evidence are as follows:

1. Illustrative Evidence / Demonstrative Evidence
2. Electronic Evidence / Digital Evidence
3. Documentary Evidence
4. Explainable Evidence / Exculpatory Evidence
5. Substantial Evidence / Physical Evidence
6. Testimonial Evidence
Types of Digital Evidence
1. Illustrative Evidence / Demonstrative Evidence:
An object is considered to be demonstrative evidence when
it directly demonstrates a fact. It’s a common and reliable kind of
evidence. Examples of this kind of evidence are photographs, video
and audio recordings, charts, x-rays, maps, drawing, graphics,
simulations, sculptures and models.

2. Electronic Evidence:
Electronic evidence is another name for digital evidence. It
is well known that the use of digital evidence in trials has greatly
increased. Evidence or proof that can be obtained from an
electronic source is called digital evidence. This includes emails,
text messages, instant message logs, files and documents extracted
from hard drives, word-processing documents, cell phone logs,
financial transactions, audio files, video files etc. Electronic
evidence can be found on any server or device that stores data,
including some lesser-known sources such as home video game
consoles, GPS sports watches and internet-enabled devices used in
home automation.

3. Documentary Evidence:
Documentary evidence is similar to demonstrative evidence.
However, in documentary evidence, the proof is presented in
writing (viz., contracts, letters, wills, invoices etc). It can also
include other types of media. Such documentation can be
recorded and stored (viz., photographs, recordings, films, printed
emails etc).
Types of Digital Evidence
4. Explainable Evidence / Exculpatory Evidence:
This type of evidence is typically used in criminal cases, where
it supports the defendant by partially or totally removing
their guilt in the case.

5. Substantial Evidence:
Proof that is introduced in the form of a physical object,
whether whole or in part, is referred to as substantial evidence.
Such evidence might consist of dried blood, fingerprints and DNA
samples, or casts of footprints or tyres at the scene of the crime.

6. Testimonial Evidence:
One of the most common forms of evidence, this is either
spoken or written evidence given by a witness under oath. It can be
gathered in court, at a deposition or through an affidavit.
Characteristics of Digital Evidence
Some key characteristics of digital evidence include:

1. Electronic Nature: Digital evidence is in electronic form, stored
as binary data on various devices or platforms. This electronic
nature makes it susceptible to easy replication, alteration, or
deletion, emphasizing the importance of maintaining its integrity.

2. Volatility: Digital evidence can be volatile, meaning it can be
easily modified or lost if not handled properly. Actions such as
turning off a computer or disconnecting a device can result in the
loss of volatile data, underscoring the need for prompt and careful
preservation.
Characteristics of Digital Evidence
3. Metadata: Digital evidence often comes with metadata, which is
additional information about the data itself. This metadata can
include details like creation dates, modification history, and
authorship, providing valuable context for analysis.

4. Timestamps: Many digital artifacts come with timestamps
indicating when the data was created, modified, or accessed.
Timestamps are crucial for establishing timelines and sequences of
events in investigations.

5. Ease of Replication: Digital data can be easily copied, making it
necessary to establish the authenticity of the original evidence.
Proper chain of custody procedures and forensic techniques are
employed to ensure that the presented evidence is reliable and has
not been tampered with.
Characteristics of Digital Evidence
6. Complexity: Digital evidence often involves complex technical
details and requires specialized knowledge in areas such as digital
forensics, cybersecurity, and information technology. This
complexity underscores the importance of involving experts in the
collection and analysis of digital evidence.

7. Encryption and Security Measures: Digital evidence may be
encrypted or protected by various security measures. Decryption or
overcoming security features may be necessary to access and
analyze the information, adding an additional layer of complexity to
digital forensic processes.
Principles of Digital Evidence
1. Locard’s Exchange Principle:-
According to Edmond Locard's principle, when two items
make contact, there will be an exchange. The Locard principle is
often cited in forensic sciences and is relevant in digital forensics
investigations.
When an incident takes place, a criminal will leave trace
evidence at the scene and take trace evidence away from the scene.
This exchange is known as the Locard Exchange Principle.
Many methods have been developed in conventional
forensic sciences to help prosecute criminals. Techniques used
include blood analysis, DNA matching and fingerprint verification.
These techniques are used to confirm the presence of a suspect
at a physical scene. Based on this principle, Culley suggests
that where there is interaction with a computer system, traces
will be left.
Principles of Digital Evidence
2. Digital Stream of bits:-
Cohen refers to digital evidence as a bag of bits, which in
turn can be arranged in arrays to display the information. A
continuous stream of bits will rarely make sense on its own, and tools
are needed to present these structures logically so that they are readable.
The context in which digital evidence is found also
helps the investigator during the examination. Metadata is
used to describe data more specifically and is helpful in
determining the background of digital evidence.
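As an added example (not from the original slides), the following Python code shows the two ideas above and the Metadata and Timestamps characteristics together: a raw stream of bytes is meaningless until a record layout is applied to it, and once the embedded timestamps are decoded the records can be ordered into a timeline and checked for sequences that need explaining. The 24-byte record layout, the event-type codes and the six sample records are all hypothetical, constructed for this illustration; real artifacts (filesystem metadata, log files, registry hives) each have their own documented layouts, but the steps are the same.

```python
"""Added example: reading a stream of bits as structured records and
building a timeline from their timestamps.

Everything here is constructed for illustration; the fixed 24-byte
record layout below is hypothetical, not a real artifact format:
    4 bytes  little-endian uint32  event-type code
    4 bytes  little-endian uint32  Unix timestamp (seconds, UTC)
    16 bytes ASCII, NUL-padded      object name
"""
import struct
from collections import defaultdict
from datetime import datetime, timezone

RECORD = struct.Struct("<II16s")          # "<" = little-endian
EVENT_TYPES = {1: "created", 2: "modified", 3: "accessed", 4: "deleted"}


def make_record(event_type, unix_time, name):
    """Pack one hypothetical record; used here only to build sample data."""
    return RECORD.pack(event_type, unix_time, name.encode("ascii"))


# Constructed sample: six records (144 bytes) in the order they might be
# carved from an image, i.e. not in chronological order.
SAMPLE = b"".join([
    make_record(2, 1700000500, "report.docx"),   # modified
    make_record(1, 1700000000, "report.docx"),   # created
    make_record(3, 1700000900, "report.docx"),   # accessed
    make_record(4, 1700000700, "notes.txt"),     # deleted
    make_record(2, 1699999000, "secret.xls"),    # modified ...
    make_record(1, 1699999500, "secret.xls"),    # ... before it was created
])


def parse_records(blob):
    """Slice the raw bytes into records and decode each field.

    Without the layout, 'blob' is just a bag of bits; applying RECORD
    turns it into typed fields a human can read."""
    if len(blob) % RECORD.size:
        raise ValueError(f"{len(blob)} bytes is not a whole number of "
                         f"{RECORD.size}-byte records")
    events = []
    for code, unix_time, raw_name in RECORD.iter_unpack(blob):
        events.append({
            "type": EVENT_TYPES.get(code, f"unknown({code})"),
            "time": datetime.fromtimestamp(unix_time, tz=timezone.utc),
            "name": raw_name.rstrip(b"\x00").decode("ascii", "replace"),
        })
    return events


def build_timeline(events):
    """Order events chronologically; ties keep their original (carved) order."""
    return sorted(events, key=lambda e: e["time"])


def find_ordering_anomalies(events):
    """Return object names that have an event earlier than their 'created' event.

    'Modified before created' is a classic signal the examiner must explain:
    it can mean the file was copied in from elsewhere (the copy keeps the
    old modification time) or that timestamps were manipulated. Either way
    it must be accounted for rather than assumed to be a simple sequence."""
    by_name = defaultdict(list)
    for e in events:
        by_name[e["name"]].append(e)
    flagged = []
    for name, evs in by_name.items():
        created = [e["time"] for e in evs if e["type"] == "created"]
        if created and any(e["time"] < min(created) for e in evs):
            flagged.append(name)
    return sorted(flagged)


def format_timeline(events):
    """Render the timeline as one line per event for a report."""
    return [f'{e["time"].isoformat()}  {e["type"]:<9} {e["name"]}'
            for e in build_timeline(events)]


if __name__ == "__main__":
    evs = parse_records(SAMPLE)
    print("\n".join(format_timeline(evs)))
    print("anomalies:", find_ordering_anomalies(evs))
```

Run as a script, it prints the six events in time order (all in UTC, so the timeline does not depend on the examiner's machine clock or time zone) and flags secret.xls, whose modification time precedes its creation time.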
Digital Evidence vs. Physical Evidence

Characteristic      Digital Evidence                                 Physical Evidence
Form                Electronic, stored as binary data                Tangible, touchable
Volatility          Volatile, easily modified or lost                Generally less volatile
Replicability       Easily replicated                                Not easily replicated
Location            Ubiquitous, found on various devices/platforms   Specific crime scenes or incident locations
Characteristics     Metadata, timestamps                             Material properties (texture, composition)
Complexity          Requires specialized technical knowledge         Varied, may require specialized expertise
Security Measures   Encryption, digital security measures            Physical safeguards (locks, controlled environments)
Challenges in Evidence Handling
The challenges faced in evidence handling must be properly
understood by all investigators. Investigators should also understand
how to meet these challenges.

1. Authentication of evidence:
The laws of many state jurisdictions define data as "written
words" and "record-keeping". Before being introduced as evidence,
documents and recorded material must be authenticated.
Evidence collected by any person or investigator should be
gathered using authenticated methods and techniques, because
during court proceedings it will become the principal evidence used
to prove the crime. The evidence collected must be accompanied by
internal documentation that records the manner in which the
information was collected.
Challenges in Evidence Handling
2. Chain of Custody:
The challenge of chain of custody requirements in any
organization is maintaining positive control of all the collected best
evidence until it is carried or shipped to the evidence
custodians for proper storage. As evidence should not be
accessible to anyone other than the appointed evidence custodian,
the organization's best evidence must be stored within a safe
or storage room; this storage area is called the "evidence safe".
The evidence custodians must control and record every "check-in"
and "check-out" of the evidence.
Challenges in Evidence Handling
3. Evidence Validation:
The challenge is to ensure that the data one has collected
is the same as the data produced in court. The time between the
collection of evidence and its production at a judicial proceeding
may be several years. To meet the challenge of validation, it is
necessary to ensure that the original media matches the forensic
duplicate by comparing MD5 hashes (MD5 is no longer collision
resistant, so current practice records a SHA-256 hash alongside it).
The verify function within the EnCase application can be used while
duplicating a hard drive with EnCase. To perform a forensic duplication
using dd, one must record an MD5 hash for both the original evidence
media and the binary file or files that make up the forensic duplicate.
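The validation and chain-of-custody steps above, as an added Python example that is not part of the original slides and is not EnCase or dd: it hashes the "original media" and a dd-style split duplicate with MD5 and SHA-256 in a single pass, shows that a one-bit change in the duplicate is detected, and keeps a check-in/check-out log that rehashes the item at every transfer so a mismatch against the acquisition hashes marks the chain as broken. The media, the segment size, the item identifier and the custodian names are constructed for the illustration; the code works on in-memory byte strings so it runs offline, whereas in practice the same hashing loop would read a device or image file in fixed-size blocks.

```python
"""Added example: validating a forensic duplicate against the original
media and recording evidence custody. Constructed for this page; it is
not EnCase or dd, and works on in-memory byte strings so it runs offline.
In practice the 'media' would be a device or image read in fixed-size
blocks, which is exactly what hash_stream() models."""
import hashlib
from datetime import datetime, timezone

# MD5 is what the slide names and what older reports contain, but it is no
# longer collision resistant, so a SHA-2 digest is recorded alongside it.
ALGORITHMS = ("md5", "sha256")


def hash_stream(chunks, algorithms=ALGORITHMS):
    """Hash an iterable of byte chunks in one pass; returns {algo: hexdigest}.

    Feeding the segments of a split image in order gives the same digest
    as hashing the whole device, so one function serves both cases."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def split_image(media, segment_size):
    """Model of a dd duplicate written as several fixed-size segment files."""
    return [media[i:i + segment_size] for i in range(0, len(media), segment_size)]


def verify_duplicate(original, segments):
    """Per-algorithm result of comparing the original media with its duplicate."""
    expected = hash_stream([original])
    actual = hash_stream(segments)
    return {algo: expected[algo] == actual[algo] for algo in expected}


class CustodyLog:
    """Check-in/check-out record for one evidence item.

    Every transfer rehashes the media; an entry whose digests differ
    from those recorded at acquisition marks the chain as broken."""

    def __init__(self, item_id, acquisition_hashes):
        self.item_id = item_id
        self.acquisition = dict(acquisition_hashes)
        self.entries = []

    def record(self, action, custodian, media, when=None):
        hashes = hash_stream([media])
        intact = hashes == self.acquisition
        self.entries.append({
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "action": action,
            "custodian": custodian,
            "sha256": hashes["sha256"],
            "intact": intact,
        })
        return intact

    def unbroken(self):
        return all(e["intact"] for e in self.entries)


# Constructed sample "media": 2560 bytes with a recognisable pattern.
MEDIA = bytes(range(256)) * 10


def tamper(media, offset=1000):
    """Flip one bit at 'offset' to simulate a modified duplicate."""
    buf = bytearray(media)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    segments = split_image(MEDIA, 1024)            # 1024, 1024, 512 bytes
    print("duplicate verified:", verify_duplicate(MEDIA, segments))
    print("tampered verified: ", verify_duplicate(MEDIA, split_image(tamper(MEDIA), 1024)))

    log = CustodyLog("EX-0001", hash_stream([MEDIA]))      # hypothetical item id
    log.record("check-in", "evidence custodian", MEDIA)
    log.record("check-out", "examiner", MEDIA)
    log.record("check-in", "evidence custodian", tamper(MEDIA))   # breaks the chain
    for e in log.entries:
        print(e["action"], e["custodian"], "intact" if e["intact"] else "MISMATCH")
    print("chain unbroken:", log.unbroken())
```

Two design points carry over to real acquisitions: hash the original and the duplicate with the same algorithms at the time of collection and write both values into the evidence record, since a hash computed years later cannot prove what the media looked like on the day; and treat any custody entry whose digests differ as a break in the chain to be explained, not as a value to be quietly updated.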
Incident Response
 Incident response is an organized approach to addressing and
managing the aftermath of a security breach or cyber attack, also
known as an IT incident, computer incident or security incident.

 The primary goal of incident response is to handle the
situation in a way that limits damage and reduces recovery
time and costs.

 Ideally, incident response activities are conducted by an
organization's computer security incident response team
(CSIRT), a group that has been selected in advance to include
information security and general IT staff as well as C-suite
level members.
Goals of Incident Response
The goals of incident response are as follows:

1. Prevents a disjointed, non-cohesive response.
2. Confirms or dispels whether an incident happened.
3. Promotes the gathering of accurate information.
4. Establishes controls for proper retrieval and handling of evidence.
5. Protects privacy rights established by law and policy.
6. Minimizes damage to business and network operations.
7. Allows for criminal and civil action against culprits.
8. Provides accurate reports and useful recommendations.
9. Provides quick detection and containment.
10. Minimizes exposure and compromise of proprietary data.
11. Protects your organization's reputation and assets.
12. Educates senior management.
13. Promotes quick detection and/or prevention of such incidents in
future.
Computer Security Incident Response Team (CSIRT)
 A Computer Security Incident Response Team (CSIRT) is an
interdisciplinary team whose members work together to resolve
an incident. The CSIRT has the appropriate legal, technical and other
expertise necessary.

 To properly prepare for and address incidents across the
organization, a centralized incident response team should be
formed.

 This team is responsible for analysing security breaches and
taking any necessary responsive measures, but it should not
be exclusively responsible for addressing security threats. Its
members decide whether to invoke incident response
based on the seriousness of the incident.
CSIRT Roles and Responsibilities

Role of the CSIRT:

The role of the CSIRT is to serve as the first responder to computer
security incidents within the Department and to perform vital
functions in identifying, mitigating, reviewing, documenting and
reporting findings to management. The CSIRT coordinates with the
Chief Technology Officer (CTO), but is accountable directly to the
Secretary.
CSIRT Roles and Responsibilities
Responsibilities of the CSIRT:

The CSIRT will be responsible for the following activities:

(1) Classifying Department security incidents

(2) Meeting upon notification of a reported computer security
incident, depending on the incident severity level

(3) Conducting a preliminary assessment to determine the root
cause, source, nature and extent of damage of the suspected
computer security incident, with recommended responses as
deemed appropriate

(4) Selecting additional support members and subject matter experts
as necessary for the reported incident

(5) Maintaining confidentiality and need-to-know of information
related to computer security incidents

(6) Assisting with recovery efforts and providing reports to
management

(7) Documenting all incidents and, as appropriate, including a root
cause analysis and lessons learned

(8) Reporting incidents to the Florida Digital Services and the
Cybercrime Office

(9) Maintaining awareness of, and implementing procedures for, an
effective response to computer security incidents
People involved in the Incident Response process
 The CSIRT team consists of:
1. Incident Response Manager/Team Leader:
The manager coordinates all team actions and ensures the
team focuses on minimizing damage and recovering quickly.
The manager prioritizes actions during the isolation, analysis and
containment of an incident, oversees all actions and guides the team
on the special requirements of high-severity incidents.

2. Security Analysts:
The manager is assisted by a team of security analysts who work
across departments to isolate and rectify flaws in the organization's
security systems, solutions and applications. They recommend
specific measures to improve the overall security posture.
People involved in the Incident Response process
3. Lead Investigator:
The lead investigator isolates the root cause, analyses all evidence,
manages the other security analysts and conducts rapid system and
service recovery.

4. Threat Researcher:
Threat researchers provide the context of an incident and threat
intelligence. They use this information and records of previous
incidents to build a database of internal intelligence.

5. Management:
Management buy-in is necessary for the provision of resources,
funding and time commitment for incident response planning and
execution.
People involved in the Incident Response process
6. Human Resources:
HR is called upon when an employee is discovered to be
involved in an incident.

7. Audit and Risk Management Specialists:
These specialists help to develop threat metrics and
vulnerability assessments while encouraging best practices across the
organization.

8. Communications Lead:
The communications lead communicates with all audiences inside and
outside the company, including management, internal stakeholders,
legal, press and customers.
People involved in the Incident Response process
9. Documentation and Timeline Lead:
Documents the team's investigation, discovery and recovery efforts
and creates a timeline for each stage of the incident. Next-generation
Security Information and Event Management (SIEM) systems are able
to generate documentation and incident timelines automatically.

10. General Counsel:
An attorney ensures that any evidence collected maintains
its forensic value in the event that the company chooses to take
legal action.
Methodology of Incident Response

Roles of the CSIRT in handling an Incident
The End
