
DIGITAL FORENSICS

CERTIFICATE COURSE ON FORENSIC ACCOUNTING AND FRAUD DETECTION BATCH
AT KOLKATA.
Outline

 Forensic and Digital Forensic Definitions.
 Difference between Digital Forensic and Computer Forensic.
 Branches of Digital Forensics.
 Digital Evidence.
 Characteristics of Digital Evidence.
 Examples of Digital Evidence
 Types of Digital Evidence.
 Locations for Evidence.
 Digital Forensic Model.
 Digital Forensic Process.
 Chain-of-custody and Documentation.
 Need of Digital Forensic.
 Benefits of Digital Forensic.
 Applications of Digital Forensic.
 Challenges faced by Digital Forensic.
 Skills required for Digital Forensics.
 Computer Forensics Methodology
 Computer crime fighting with Digital Forensics.
 Future for Digital Forensics.
 Criteria for selecting Best tools for Digital Forensics and Cybersecurity.
 Digital Forensic Software Tools.
 Conclusion.
What is Forensics?

Forensics is the:-
 Collection and analysis of evidence
 Use of scientific tests or techniques to establish facts about a crime, for presentation in a legal
proceeding.

Therefore forensic science is a scientific method of gathering and examining information about the past
which is then used in a court of law.

What is Digital Forensics?

Digital Forensics (in the DFRWS 2001 definition) is the use of scientifically derived and proven methods
toward:-

 the preservation, collection, validation, identification, analysis, interpretation, documentation, and
presentation of digital evidence derived from digital sources
 for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or
helping to anticipate unauthorized actions shown to be disruptive to planned operations.

Digital forensics, also known as digital forensic science is a branch of forensic science encompassing the
recovery and investigation of material found in digital devices, often in relation to computer crime. The
term digital forensics was originally used as a synonym for computer forensics but has expanded to cover
investigation of all devices capable of storing digital data. With roots in the personal computing revolution
of the late 1970s and early 1980s, the discipline evolved in a haphazard manner during the 1990s, and it
was not until the early 21st century that national policies emerged.

Digital forensics investigations have a variety of applications. The most common is to support or refute a
hypothesis before criminal or civil courts. Forensics may also feature in the private sector; such as during
internal corporate investigations or intrusion investigation.

The technical aspect of an investigation is divided into several sub-branches, according to the type of digital
device involved: computer forensics, network forensics, forensic data analysis and mobile device
forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis
of digital media and the production of a report on the collected evidence.
As well as identifying direct evidence of a crime, digital forensics can be used to attribute evidence to
specific suspects, confirm alibis or statements, determine intent, identify sources (for example, in copyright
cases), or authenticate documents. Investigations are much broader in scope than other areas of forensic
analysis (where the usual aim is to provide answers to a series of simpler questions) often involving complex
time-lines or hypotheses.

Difference between Digital Forensic and Computer Forensic.

 Technically the term Computer Forensics refers to the investigation of computers. Digital
Forensics covers not only computers but any device that stores or carries digital data, such as
networks, cell phones, flash drives and digital cameras.
 The purpose of both is to determine whether a device was used for illegal purposes, ranging from
computer hacking to storing illegal pornography or records of other illegal activity, and to
recover the evidence of that use in a form a court will accept.

Branches of Digital Forensics

Branches of Digital Forensics include:-

 Computer Forensics
 Firewall Forensics
 Database Forensics
 Network Forensics
 Forensic Data Analysis
 Mobile Device Forensics.

The names of the branches speak to the different areas on which they focus. In every branch the typical
forensic process encompasses the seizure, forensic imaging and analysis of digital media and the production
of a report on the collected evidence.

Digital Evidence

Evidence is a piece of information that supports a conclusion. Digital evidence is any data that is recorded
or preserved on any medium in or by a computer system or other similar digital device, and that can be read or
written by a person or a computer.
Thus, digital evidence or electronic evidence is any probative information stored or transmitted in digital
form that a party to a court case may use at trial. Before accepting digital evidence a court will determine
whether the evidence is relevant, whether it is authentic, whether it is hearsay, and whether a copy is acceptable
or the original is required.

Characteristics of Digital Evidence

Evidence must be:-

 Admissible
 In conformity with the common law and legislative rules of evidence.
 Authentic
 Linking the data to specific individuals and events, with the link demonstrable.
 Fragile
 Easily altered, damaged or destroyed, so it must be handled and preserved accordingly.
 Accurate
 Believable and internally consistent.
 Complete
 Telling the full story of the particular circumstances, not a selected part of it.
 Convincing to juries
 Having probative value; this is a subjective and practical test of presentation.
 Proving the point beyond doubt.

Examples of Digital Evidence

Many courts have allowed the use of:-

 E-mails
 Digital photographs
 ATM transaction logs
 Word processing documents
 Instant message histories
 Files saved from accounting programs
 Spreadsheets
 Internet browser histories
 Databases
 The contents of computer memory
 Computer backups
 Computer printouts
 Global positioning system tracks
 Logs from a hotel’s electronic door locks, and
 Digital video or audio files

Types of Digital Evidence

 Persistent Data
 Data that remains intact when the digital device is turned off. It lives on non-volatile
storage: hard drives, solid-state drives and removable storage (such as USB or flash drives).
Deleted files, temporary files, the Windows registry and web browsing history are all
persistent data; they survive power-off even though the user may believe them gone.
 Volatile Data
 Data that is lost if the digital device is turned off or rebooted: the contents of RAM,
running processes, open files and network connections, logged-in users, the clipboard and
unsaved documents. It must be captured from the live system before power is removed, and
the order of collection matters (most volatile first).

Location of Evidence
 Internet history files
 Temporary Internet files
 Slack/ Unallocated space
 Buddy lists, personal chat room records, P2P, others saved areas
 News groups/ club lists/ posting
 Settings, folder structure, file names
 File storage Dates
 Software/ Hardware added
 File sharing ability

Digital Forensic Model

Because digital forensics is a new discipline, there is little standardization and consistency across the courts
and industry. A minimal model has three stages:

Acquire Evidence -> Authenticate Evidence -> Analyze Data

Digital Forensic Process

Broad process steps are:-


 Identification
 Preservation
 Analysis
 Documentation
 Presentation

Identification
This is the first step in the forensic process: establish
 What evidence is present
 Where it is stored
 How it is stored
Electronic stores of evidence include:-
 Personal computers
 Mobile phones
 PDAs
 Smart cards
Key parameters in identification
 Type of information
 Format
Preservation

 Isolate, secure and preserve the state of physical and digital evidence.
 This includes preventing anyone from using the device, and isolating mobile devices from all
networks (airplane mode or a Faraday bag) so that they cannot be remotely wiped or altered.

Analysis

 Determine significance, reconstruct fragments of data and draw conclusions based on evidence
found.
 It may take several iterations of examination and analysis to support a crime theory.

Documentation

 A record of all visible data must be created, which helps in recreating the scene and reviewing it
any time.
 Involves proper documentation of the crime scene along with photographing, sketching and crime-
scene mapping.

Presentation

 Summarize and explain the conclusions.
 This should be written in layperson's terms, using abstracted terminology.
 All abstracted terminology should reference the specific underlying details, so that a technical
reader can trace every conclusion back to the evidence.

Chain-of-custody and Documentation

 Documentation is essential to the investigation. For evidence to be reliable in court, its integrity has
to be preserved. Safe storage and tamper protection are needed, and so is documentation of
handling, i.e. who has accessed the evidence, when, and why, for the whole time it was in custody.
 The chain of custody prevents the accusation in court that the evidence has been tampered with.
 Evidence needs to be identified and labelled as soon as it is collected.
 All actions performed by the investigator should be documented, including the reasons for doing
so. In digital forensics this means logging every action and every integrity check (the hash of the
original and of each copy, and when and by whom it was computed).
Need of Digital Forensics

 To ensure the integrity of digital systems.
 To respond to hi-tech offences committed against, or through, computer systems.
 Digital forensics has been used to track down terrorists in various parts of the
world.
 To produce evidence in court that can lead to the punishment of the criminal.

Benefits of Digital Forensics

Digital Forensics helps to protect against and solve cases involving:-

 Theft of intellectual property
 This pertains to any act that allows unauthorized access to patents, trade secrets, customer data, and any
other confidential information.

 Financial Fraud
 This pertains to anything that uses fraudulent solicitation of victims' information to conduct
fraudulent transactions.

 Hacker system penetration
 Taking advantage of vulnerabilities in systems or software, using tools such as rootkits and
sniffers.

 Distribution and execution of viruses and worms
 These are the most common forms of cybercrime and often cause the most damage.

Applications of Digital Forensics

 Financial Fraud Detection
 Criminal Prosecution
 Child pornography
 Civil Litigation (evidence in court cases and proceedings)
 Perjury (false swearing)
 Corporate Security Policy and Acceptable Use violations
 Embezzlement (misuse, fraud, cheating, etc.)
 Email threats, data theft, industrial espionage (spying, intelligence units)

Challenges faced by Digital Forensics

 The spread of PCs and internet access has made the exchange of information quick and
inexpensive.
 Easy availability of hacking tools.
 Lack of physical evidence makes crimes harder to prosecute.
 The large amount of storage space available to suspects, now many terabytes per device, which
makes full imaging and keyword searching slow.
 Rapid technological change requires constant upgrades or changes to tools and procedures.

Skills required for Digital Forensics

 Programming or related computer experience.
 Broad understanding of operating systems and applications.
 Strong analytical skills.
 Strong computer science fundamentals.
 Strong system administration skills.
 Knowledge of the latest intruder tools.
 Knowledge of cryptography and steganography.
 Strong understanding of the rules of evidence and evidence handling.
 Ability to act as an expert witness in a court of law.
Computer Forensics Methodology
 Shut down the computer. (This is the classic dead-box order. If volatile data such as RAM, running
processes or network connections may matter to the case, capture it first, because shutting down
destroys it.)
 Document the hardware configuration of the system.
 Transport the computer system to a secure location.
 Make bit-stream backups of hard disks, floppy disks and other removable media.
 Mathematically verify the data on all storage devices: hash the original and the copy and compare
the digests. All later analysis is done on the verified copy, never on the original.
 Document the system date and time.
 Make a list of key search words.
 Evaluate the Windows swap file.
 Evaluate file slack.
 Evaluate unallocated space (erased files).
 Search files, file slack and unallocated space for key words.
 Document file names, dates and times.
 Identify file, program and storage anomalies.
 Evaluate program functionality.
 Document your findings.
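The three-stage model (acquire, authenticate, analyze), the chain-of-custody section and the first steps of the methodology above all rest on the same mechanics: a bit-stream copy of the original, hashes of original and copy, and a log of who did what and when. The following is an added example, not code from the original notes or from any forensic product. It assumes a constructed sample file standing in for a seized USB stick (in practice the source would be a block device opened through a hardware write blocker), 4 KiB copy blocks, MD5 plus SHA-256 as the verification digests, and a JSON-lines custody log; the file and directory names are made up for the example.

```python
"""Acquire -> Authenticate -> Log: a bit-stream image with hash verification
and a chain-of-custody record (added example; not part of the original notes)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # assumption: copy in 4 KiB blocks, like dd bs=4096
# Constructed sample content standing in for a seized USB stick.
SAMPLE = b"INVOICE 2019-03 transfer to offshore account\n" * 300


def hash_stream(path, algorithms=("md5", "sha256")):
    """Hash a file block by block, so images larger than RAM are fine."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def bitstream_copy(source, image):
    """Copy every byte of source to image; the source is only ever opened read-only."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    return os.path.getsize(image)


def acquire(source, image, examiner, log_path):
    """Acquire and authenticate; append one JSON line to the custody log."""
    source_hashes = hash_stream(source)  # hash the original before anything else
    size = bitstream_copy(source, image)
    image_hashes = hash_stream(image)    # hash the copy; both must agree
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": "acquire bit-stream image",
        "examiner": examiner,
        "source": source,
        "image": image,
        "bytes": size,
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise RuntimeError("image hash does not match source; acquisition failed")
    return record


def reverify(image, expected_hashes):
    """Integrity check at any later point in the chain of custody."""
    return hash_stream(image, tuple(expected_hashes)) == expected_hashes


def demo():
    """Run the whole procedure on constructed data, then simulate tampering."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_usb.bin")
    image = os.path.join(workdir, "suspect_usb.dd")
    log_path = os.path.join(workdir, "custody.log")
    with open(source, "wb") as f:
        f.write(SAMPLE)
    record = acquire(source, image, "examiner-01", log_path)
    # Someone changes a single byte of the image: the re-check must fail.
    with open(image, "r+b") as f:
        f.seek(10)
        f.write(b"X")
    return record, reverify(image, record["image_hashes"])


if __name__ == "__main__":
    rec, still_intact = demo()
    print(json.dumps(rec, indent=2))
    print("image still intact:", still_intact)
```

Two choices matter here. Hashing the original before copying, and the copy afterwards, gives the two digests that every later integrity check is compared against; a single changed byte, as simulated at the end of `demo()`, makes `reverify()` return False. Appending the record to a log rather than overwriting it is what turns a pile of hashes into a chain: each handling event is a new line, and the file is never rewritten.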

Computer Crime Fighting with Digital Forensics

 Information lost or deleted from computers can often be recovered or restored and used as
evidence.
 Digital forensics allows the tracing of criminal activities and of the people behind them online.
 Perpetrators can be investigated and brought to justice regardless of their geographical
location.
 Measures can be put in place so that crimes such as espionage are recognized early and
acted on swiftly.

Future for Digital Forensics

 There is an increasingly wide array of tools used to preserve and analyze digital evidence.
 The single-evidence approach, where one hard drive is imaged and examined in full, will change as
sizes grow from hundreds of gigabytes into terabytes.
 Huge targets will require more sophisticated analysis techniques and equipment.
 There will also be better collaborative functions, allowing forensic investigators to perform
investigations far more efficiently than they do at present.
Criteria for selecting Best tools for Digital Forensics and Cybersecurity.

 Affordability: - Price is not an indicator of quality, but collaborative peer review can be.
Most of the software tools below are open source and free, maintained by a community of
dedicated developers; the hardware and commercial vendors listed (Logicube, DIBS, AccessData)
are the exceptions.

 Accessibility: - Unlike some proprietary brands which only sell to law enforcement entities, the
open source tools are available to individuals.

 Accountability: - Either through open source projects or real-world testimonials, these
technologies have been thoroughly vetted by experts.

Digital Forensics Software Tools

 BACKTRACK 5R3 (Linux Operating System)
 This operating system bundled a large number of open source forensic and security tools for
analyzing a compromised system or finding security holes. BackTrack is discontinued; its
successor since 2013 is Kali Linux (below), which keeps a forensics boot mode that neither
mounts the host's disks nor uses their swap space.

 Autopsy
 Autopsy is a digital forensics platform and graphical interface that forensic investigators
use to understand what happened on a phone or computer. It aims to be an end-to-end,
modular solution that is intuitive out of the box. Modules in Autopsy can do timeline
analysis, hash filtering, and keyword search. They can extract web artifacts, recover deleted
files from unallocated space, and find indicators of compromise. All of this can be done
relatively rapidly.
 Autopsy runs background jobs in parallel, so that even if a full search takes hours, a user
will know within minutes whether targeted keywords have been found. Investigators
working with multiple devices can create a central repository through Autopsy that will
flag phone numbers, email addresses, or other relevant data points seen on more than one device.
 Kali Linux
 A Debian-derived Linux distribution designed for digital forensics and penetration
testing. It was developed by Offensive Security as a rewrite of BackTrack 5, their previous
forensics and penetration-testing distribution.

 OPHCRACK
 Ophcrack cracks Windows password hashes (LM and NTLM hashes extracted from the SAM
database) using rainbow tables: precomputed hash chains that trade disk space for cracking time.

 Logicube
 Founded in 1993, Logicube is one of the leading vendors of forensic hard drive imaging and data
recovery hardware and is widely used by cybercrime experts and corporate security personnel. It
provides mainly hardware-based solutions (write-blocking imagers) but also offers software.

 DIBS®RAID- Rapid Action Imaging Device


 It was initiated in the early nineties. It has hardware and software, specifically designed to
copy, analyze and present computer data in a forensically sound manner.

 AccessData
 A pioneer in digital investigations since 1987, best known for FTK (Forensic Toolkit). It
provides cyber security, password cracking, eDiscovery and decryption solutions.

 Bulk Extractor
 Bulk Extractor scans a file, directory, or disk image and extracts information (e-mail
addresses, URLs, credit card numbers, and other patterns) without parsing the file system or
its structures. This lets it process different parts of the disk in parallel, making it faster
than the average tool, and it finds artefacts in file slack and unallocated space that a
file-system-aware tool would never open.
 The second advantage of Bulk Extractor is that it can be used to process practically any
form of digital media, i.e. hard drives, camera cards, smartphones, SSDs, and optical drives.
 The most recent version of Bulk Extractor can perform social network forensics as well.
This software is available for free for Windows and Linux systems.
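The method Bulk Extractor is built on, and the methodology step "search files, file slack and unallocated space for key words", is a raw byte scan that ignores the file system entirely. The following is an added example that is not Bulk Extractor's code or any code from the original notes; it shows the technique on a constructed three-sector image. The patterns, the constructed allocation map used to label where each hit sits, the window size and the overlap are all assumptions of the example; the overlap handling is the one detail that an ad-hoc `grep` over an image gets wrong, since a match that straddles a read boundary would otherwise be missed or reported twice.

```python
"""Pattern and keyword scan of a raw image, file system not parsed
(added example; not part of the original notes or of bulk_extractor)."""
import io
import re

# Patterns run over raw bytes, so they hit artefacts in file slack and
# unallocated space just as readily as in allocated files.
PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def scan_raw(stream, keywords=(), chunk=1 << 20, overlap=256):
    """Scan a file-like object of raw bytes; returns sorted (offset, kind, value).

    Each block is scanned with `overlap` bytes of context on both sides, and only
    matches that START inside the block itself are reported. A match straddling a
    block boundary is therefore found exactly once, provided it is no longer than
    `overlap` bytes.
    """
    patterns = dict(PATTERNS)
    for kw in keywords:
        patterns["keyword:" + kw.decode()] = re.compile(re.escape(kw), re.IGNORECASE)
    hits = []
    base = 0                    # absolute offset of the current block
    prev = b""                  # trailing bytes of the previous block (left context)
    block = stream.read(chunk)
    nxt = stream.read(chunk)    # read ahead to provide the right-hand context
    while block:
        window = prev + block + nxt[:overlap]
        lo, hi = len(prev), len(prev) + len(block)
        for kind, pat in patterns.items():
            for m in pat.finditer(window):
                if lo <= m.start() < hi:
                    hits.append((base + m.start() - lo, kind, m.group(0)))
        base += len(block)
        prev = block[-overlap:]
        block, nxt = nxt, stream.read(chunk)
    return sorted(hits)


def classify(offset, alloc_map):
    """Map an absolute offset to a region of a (here constructed) allocation map."""
    for start, end, region in alloc_map:
        if start <= offset < end:
            return region
    return "unknown"


def build_sample_image():
    """Constructed 3-sector image: a live file with slack, a wiped sector, a deleted mail."""
    sector = 512
    file_data = b"Quarterly report\nContact: finance@example.com\n"
    slack = b"\x00" * 8 + b"old draft: contact boss@example.org re: Offshore transfer"
    sector1 = (file_data + slack).ljust(sector, b"\x00")      # allocated file + its slack
    sector2 = b"\x00" * sector                                # unallocated, wiped
    sector3 = b"deleted mail from shell@example.net, server 10.0.0.5, offshore".ljust(sector, b"\x00")
    alloc_map = [
        (0, len(file_data), "allocated:report.txt"),
        (len(file_data), sector, "slack:report.txt"),
        (sector, 3 * sector, "unallocated"),
    ]
    return sector1 + sector2 + sector3, alloc_map


def report(image, alloc_map, keywords=(), chunk=1 << 20, overlap=256):
    """Scan an in-memory image and tag every hit with the region it came from."""
    hits = scan_raw(io.BytesIO(image), keywords, chunk, overlap)
    return [{"offset": off, "kind": kind, "value": val.decode("latin-1"),
             "region": classify(off, alloc_map)} for off, kind, val in hits]


if __name__ == "__main__":
    img, amap = build_sample_image()
    for hit in report(img, amap, keywords=(b"offshore",)):
        print(hit)
```

The region labels come from a constructed allocation map only so the output shows what the scan recovers: the e-mail address and the keyword in the file slack of `report.txt` and the deleted mail in unallocated space are invisible to any tool that walks the file system. Run with a small `chunk` (the test uses 100 bytes with a 32-byte overlap) the keyword "Offshore", which sits across a block boundary, is still reported exactly once.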

 DumpZilla
 Dumpzilla performs browser analysis, specifically of Firefox, Iceweasel, and SeaMonkey
clients. It allows the visualization, customized search and extraction of cookies,
downloads, history, bookmarks, cache, add-ons, saved passwords, and session data.
 Developed in Python, it works under Linux and Windows 32/64-bit systems, and it is
available for free from the developer's website. While it was created as a standalone tool,
its specific nature and lean packaging make it a strong component of future digital forensics
suites.
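The "Internet history files" listed under Location of Evidence are, for Firefox, an SQLite database (places.sqlite), and what Dumpzilla does for history is essentially a query over it plus a timestamp conversion. The following is an added example, not Dumpzilla's code or code from the original notes. It assumes a minimal subset of the real schema (two tables, a handful of columns), Firefox's PRTime convention of microseconds since the Unix epoch in UTC, and a constructed sample database with three visits; the URLs and titles are made up.

```python
"""Reconstruct Firefox browsing history from places.sqlite
(added example; not Dumpzilla's code). The schema below is a minimal subset."""
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Firefox "transition" codes for moz_historyvisits.visit_type (subset).
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 7: "download"}


def prtime_to_utc(prtime):
    """Firefox stores PRTime: microseconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)


def load_history(db_path):
    """Return visits as (iso_utc, url, title, visit_type), oldest first.

    The database is opened read-only through a URI so the evidence file is not
    modified; in a real case you work on a verified copy of the image anyway."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            "SELECT v.visit_date, p.url, p.title, v.visit_type "
            "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
            "ORDER BY v.visit_date"
        ).fetchall()
    finally:
        conn.close()
    return [(prtime_to_utc(d).isoformat(), url, title, VISIT_TYPES.get(t, f"type{t}"))
            for d, url, title, t in rows]


def build_sample_db():
    """Constructed places.sqlite with three visits; returns its path."""
    path = os.path.join(tempfile.mkdtemp(), "places.sqlite")
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER,
                                        visit_type INTEGER);
    """)
    t0 = 1_560_000_000_000_000  # 2019-06-08 13:20:00 UTC, in microseconds
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://example.com/", "Example Domain", 1, t0),
        (2, "https://example.com/invoices.xlsx", "invoices.xlsx", 1, t0 + 150_000_000),
        (3, "https://mail.example.net/", "Webmail", 1, t0 + 90_000_000),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, t0, 2),                # typed the address
        (2, 1, 3, t0 + 90_000_000, 1),   # followed a link 90 s later
        (3, 2, 2, t0 + 150_000_000, 7),  # download 60 s after that
    ])
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    for row in load_history(build_sample_db()):
        print(*row, sep="\t")
```

Two caveats a practitioner would add. Firefox keeps places.sqlite in write-ahead-log mode, so the `places.sqlite-wal` file next to it (when present) holds the most recent visits and must be collected with the database. And a query like this only returns live rows; history the user cleared may survive in the database's free pages until they are reused, which is a carving job over the raw file, not a query.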

 Wireshark
 Wireshark is the world's most used network protocol analyzer, used by governments, private
corporations, and academic institutions across the world. As the continuation of a project that
began in 1998 (Ethereal), Wireshark lets a user see what is happening on a network at the
packet level. By capturing network traffic, users can then examine it for malicious activity.
 Captured network data can be viewed in a graphical user interface on Windows, Linux,
macOS, and several other operating systems. Data can be read from Ethernet, Bluetooth,
USB, and several other interfaces, while the output can be exported to XML, PostScript, CSV, or
plain text.

 ExifTool
 ExifTool is a platform-independent Perl library and command-line tool for reading, writing, and
editing metadata across a wide range of file types. Of particular interest to the digital
investigator is the reading of metadata, which can be done from the command line or a simple GUI.
Investigators can point it at a PDF or a JPEG and learn when, where and with what device the
file was created, as recorded in its metadata. Because the same tool can also write those fields,
they are easily altered, and should be corroborated with file system timestamps and other sources
before being relied upon.
 The software itself is lightweight, quick and easy to use, making it an ideal inclusion in
forensics suites. ExifTool is available for Windows, macOS and Linux from the developer's website.

CONCLUSIONS

 Digital forensics is important for solving crimes committed with digital devices, against digital
devices, or against people, wherever evidence may reside in a device.
 Several sound tools and techniques exist to search and analyze digital data.
 Regardless of the existing tools, the evolving digital age and the development of technology require
continued research in digital forensics.
