ANALYSIS AND VALIDATION

Validating Forensics Data

Integrity Checks: Ensuring the data has not been altered. Techniques like hashing (e.g., MD5,
SHA1) are used to generate a unique value for the data at the time of acquisition. If the data
changes, the hash value will differ, indicating potential tampering.

Chain of Custody: Proper documentation is maintained from the time the evidence is collected
until it is presented in court. It ensures that evidence is securely handled and remains unaltered.

Data Provenance: Tracing the origin and history of the data, ensuring that it came from a
legitimate source and is complete.

Bitstream Copy: Creating a bit-by-bit copy of the data, also known as a forensic image, ensures
the exact replica of the original data is preserved, which is essential for the integrity of digital
evidence.
Data Hiding Techniques
Data hiding refers to techniques used to conceal or hide data within digital systems. Common
techniques include:
•Steganography: Concealing data within other non-suspicious data (e.g., hiding text in images or
audio files).
•File System Slack Space: Storing hidden data in the unused portions of a disk.
•Encrypted Files: Using encryption to obscure the content of files, making it harder for
investigators to access data.
•Alternate Data Streams (ADS): Used in NTFS file systems, where additional data can be hidden
in a file’s alternate data stream.
•Tunneling: Encapsulating data in a way that makes it look like legitimate communication (e.g.,
HTTP tunnels).
Detection of hidden data often involves:
•File Signature Analysis
•Hash Verification
•Deep Analysis of Metadata
Performing Remote Acquisition
Remote acquisition refers to the process of collecting digital evidence from a remote location or
device over a network. Key aspects include:
•Remote Access Tools: Using specialized software or protocols to acquire evidence remotely.
Tools like FTK Imager, X1 Social Discovery, or even command-line interfaces (CLI) might be used
for acquisition.
•Network Forensics: Examining network traffic between devices to collect digital evidence from
remote systems. Network forensics tools can capture and analyze traffic, such as Wireshark or
tcpdump.
•Considerations: Ensuring no data alteration during remote acquisition and maintaining the
integrity of the evidence through proper documentation and hashing.
Network Forensics
Network forensics involves the monitoring and analysis of network traffic to uncover digital
evidence. It deals with:
•Traffic Capture: Using packet sniffers or analyzers (Wireshark, tcpdump) to capture live network
traffic.
•Traffic Analysis: Investigating traffic patterns to identify malicious activity, unauthorized access,
or data exfiltration.
•Log Analysis: Reviewing firewall, router, server, and intrusion detection system (IDS) logs to
track activity and uncover evidence of cybercrimes.
•Incident Response: Involves identifying, responding to, and analyzing security incidents like
data breaches, DoS attacks, or malware infections.
Network forensics focuses on:
•Analyzing Protocols: TCP/IP, HTTP, FTP, DNS, etc.
•Packet Analysis: Examining packets for hidden commands, payloads, or information leakage.
•Session Reconstruction: Rebuilding the full communication session from packets.
Email Investigations
Email forensics involves the examination of email data to identify criminal activity or understand
events. Key tasks include:
•Header Analysis: Examining email headers for metadata, including the sender's and receiver's
IP addresses, timestamps, and mail servers involved.
•Content Analysis: Analyzing the message body, attachments, and any embedded links or files
for potential evidence.
•Tracking Email Trajectories: Mapping the route an email takes from sender to recipient by
examining relay servers and email metadata.
•Spoofing Detection: Identifying fake email addresses or manipulated headers to track
cybercriminal activities.
•Legal Aspects: Email content can be used as evidence in court, so it must be properly validated
to ensure authenticity and prevent tampering.
Cell Phone and Mobile Devices Forensics
Mobile device forensics focuses on extracting, preserving, and analyzing data from
smartphones, tablets, or other mobile devices. The process involves:
•Acquiring Data: Mobile devices often store vast amounts of data (SMS, calls, apps, media files,
etc.). Extraction can be done through physical (direct hardware access) or logical (via software)
methods.
•Types of Data: SMS and chat logs, emails, location data (GPS), multimedia files, app data
(WhatsApp, social media), and contacts.
•Data Decryption: Extracting encrypted data, especially from apps or locked devices, may
require specialized tools like Cellebrite, Oxygen Forensics, or XRY.
•SIM Card Analysis: Investigating the SIM card for messages, contacts, and call history.
•Mobile Malware and App Analysis: Identifying malicious apps, malware, or tracking tools used
for spying.
•Challenges: Mobile forensics faces issues with data encryption, evolving operating systems, and
cloud storage access.
Analysis of Digital Evidence
The analysis of digital evidence involves evaluating the data collected from various sources. The
steps include:
•Data Recovery: Retrieving data from damaged or corrupted storage media using specialized
tools (e.g., EnCase, FTK).
•File Carving: Extracting deleted files or parts of files by searching for file signatures or patterns.
•Log Analysis: Reviewing system and application logs for traces of events, user activity, and
potential criminal behavior.
•Timeline Analysis: Constructing a timeline of events based on file timestamps, system logs, or
email messages.
•Pattern Recognition: Identifying patterns in data that indicate malicious activity or criminal
behavior, such as unusual file access or network traffic.
Admissibility of Evidence
In any criminal investigation, the evidence gathered must be admissible in court. The following
criteria ensure that digital evidence can be admitted:
•Relevance: Evidence must be relevant to the case.
•Authenticity: Evidence must be shown to be genuine and not tampered with, typically proven
through hashing and chain of custody.
•Reliability: The methods used to collect and analyze the evidence must be reliable and
accepted in the forensic community.
•Proper Documentation: Clear and thorough documentation of how the evidence was obtained,
preserved, and analyzed.
•Expert Testimony: Digital forensics experts may need to testify about the methods and findings
during investigations.