Forensics is the:
Collection and analysis of evidence
Using scientific tests or techniques to establish facts about a crime for presentation in a legal
proceeding.
Therefore forensic science is a scientific method of gathering and examining information about the past
which is then used in a court of law, for the purpose of facilitating or furthering the reconstruction of
events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to
planned operations.
Digital forensics, also known as digital forensic science is a branch of forensic science encompassing the
recovery and investigation of material found in digital devices, often in relation to computer crime. The
term digital forensics was originally used as a synonym for computer forensics but has expanded to cover
investigation of all devices capable of storing digital data. With roots in the personal computing revolution
of the late 1970s and early 1980s, the discipline evolved in a haphazard manner during the 1990s, and it
was not until the early 21st century that national policies emerged.
Digital forensics investigations have a variety of applications. The most common is to support or refute a
hypothesis before criminal or civil courts. Forensics may also feature in the private sector, such as during
internal corporate investigations or intrusion investigations.
The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital
devices involved: computer forensics, network forensics, forensic data analysis and mobile device
forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis
of digital media and the production of a report on the collected evidence.
As well as identifying direct evidence of a crime, digital forensics can be used to attribute evidence to
specific suspects, confirm alibis or statements, determine intent, identify sources (for example, in copyright
cases), or authenticate documents. Investigations are much broader in scope than other areas of forensic
analysis (where the usual aim is to provide answers to a series of simpler questions) often involving complex
time-lines or hypotheses.
Technically the term Computer Forensics refers to the investigation of computers. Digital
Forensics includes not only computers but also any digital device, such as digital networks, cell
phones, flash drives and digital cameras.
The purpose of Computer and Digital Forensics is to determine if a device was used for illegal
purposes, ranging from computer hacking to storing illegal pornography or records of other illegal
activity.
The names of the different branches speak to the different areas on which they focus. The typical forensic
process encompasses the seizure, forensic imaging and analysis of digital media and the production of a
report on the collected evidence.
Digital Evidence
Evidence is a piece of information that supports a conclusion. Digital evidence is any data that is recorded
or preserved on any medium in or by a computer system or other similar digital device, and that can be read
or written by any person or a computer.
Thus, Digital Evidence or electronic evidence is any probative information stored or transmitted in digital
form that a party to a court case may use at trial. Before accepting digital evidence a court will determine
if the evidence is relevant, whether it is authentic, if it is hearsay and whether a copy is acceptable or the
original is required.
Persistent Data
Data that remains intact when the digital device is turned off. E.g. hard drives,
disk drives and removable storage devices (such as USB drives or flash drives).
Volatile Data
Data that would be lost if the digital device is turned off. E.g. deleted files,
computer history, the computer's registry, temporary files and web browsing history.
Location of Evidence
Internet history files
Temporary Internet files
Slack / unallocated space
Buddy lists, personal chat room records, P2P, other saved areas
Newsgroups / club lists / postings
Settings, folder structure, file names
File storage dates
Software / hardware added
File sharing ability
Because digital forensics is a new discipline, there is little standardization and consistency across the courts
and industry.
Acquire Evidence → Authenticate Evidence → Analyze Data
Identification
This is the first step in the forensic process.
What evidence is present
Where it is stored
How it is stored
Electronic stores can be:
Personal computers
Mobile phones
PDAs
Smart cards
Key parameters in identification
Type of information
Format
Preservation
Isolate, secure and preserve the state of physical and digital evidence.
This includes preventing people from using the digital device or allowing other electromagnetic
devices to be used within an affected radius.
Analysis
Determine significance, reconstruct fragments of data and draw conclusions based on evidence
found.
It may take several iterations of examination and analysis to support a crime theory.
Documentation
A record of all visible data must be created, which helps in recreating the scene and reviewing it
any time.
Involves proper documentation of the crime scene along with photographing, sketching and crime-scene
mapping.
Presentation
Documentation is essential to the investigation. For evidence to be reliable in court, its integrity has
to be preserved. Safe storage and tamper protection are needed, as is the documentation of
handling, i.e. who has accessed the evidence while it was in custody.
The chain of custody prevents the accusation in court that the evidence has been tampered with.
Evidence needs to be identified and labelled as soon as it is collected.
All actions performed by the investigator should be documented, including the reasons for doing
so. In digital forensics, this means logging all actions and integrity checks.
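The integrity checks and action logging described above can be exercised in code. The following Python example is added here and is not part of the original notes or of any tool named on this page: it hashes a constructed stand-in for an acquired image (the "acquire" step), re-verifies that hash on a working copy ("authenticate"), and keeps a hash-chained chain-of-custody log in which every entry records who did what, why, and the evidence hash, so that a later edit to any earlier entry is detected. The image bytes, the item label ITEM-001 and the examiner names are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (a real case would hash the
# raw image file produced at seizure). Hypothetical bytes, not real evidence.
EVIDENCE_IMAGE = b"CONSTRUCTED-DISK-IMAGE: sector data\x00" * 16


def acquisition_hash(data: bytes) -> str:
    """Acquire: hash the image once, at acquisition time, and record the value."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, recorded_hash: str) -> bool:
    """Authenticate: re-hash the working copy and compare with the recorded hash."""
    return hashlib.sha256(data).hexdigest() == recorded_hash


class CustodyLog:
    """Append-only chain-of-custody log for one evidence item.

    Every entry stores the hash of the previous entry, so editing or deleting
    an earlier record breaks the chain and verify() reports it.
    """

    GENESIS = "0" * 64  # previous-hash value used by the first entry

    def __init__(self, item_id: str):
        self.item_id = item_id  # evidence label, e.g. the hypothetical "ITEM-001"
        self.entries = []

    def record(self, actor: str, action: str, reason: str, evidence_hash: str,
               when=None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "item": self.item_id,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "reason": reason,  # why the action was taken, as the notes require
            "evidence_sha256": evidence_hash,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)  # computed before the key exists
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON (sorted keys) so the hash is reproducible on re-verification.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_entry_hash"] != prev or self._digest(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> tuple:
    """Acquire, authenticate, log, then show that both kinds of tampering are caught."""
    image_hash = acquisition_hash(EVIDENCE_IMAGE)
    log = CustodyLog("ITEM-001")
    log.record("Examiner A", "acquired image", "seizure at scene", image_hash)
    log.record("Examiner B", "verified hash", "check before analysis", image_hash)
    untouched_ok = verify_integrity(EVIDENCE_IMAGE, image_hash)
    altered_ok = verify_integrity(EVIDENCE_IMAGE[:-1] + b"X", image_hash)  # one byte changed
    chain_before = log.verify()
    log.entries[0]["actor"] = "Someone Else"  # retroactive edit of a log entry
    chain_after = log.verify()
    return untouched_ok, altered_ok, chain_before, chain_after


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints (True, False, True, False): the untouched copy authenticates, the copy with one altered byte does not, and the log verifies until one of its entries is edited after the fact.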
Need of Digital Forensics
Financial Fraud
This pertains to anything that uses fraudulent solicitation of victims information to conduct
fraudulent transactions.
Criminal Prosecution
Child pornography
The increase in PCs and internet access has made the exchange of information quick and
inexpensive.
Easy availability of hacking tools.
Lack of physical evidence makes crime harder to prosecute.
The large amount of storage space available to suspects, up to over 10 terabytes.
Rapid technological changes require constant upgrades or changes to solutions.
Information lost or deleted from computers can be uncovered or restored and used as
evidence.
Digital forensics will allow the tracing of criminal activities and persons online.
Perpetrators can now be investigated and brought to justice regardless of their geographical
location.
Various measures can now be put into place so that crimes such as espionage can be recognized
easily and swift action taken.
There is an increasingly wide array of tools used to preserve and analyze digital evidence.
The approach of examining a single evidence item such as a hard drive on its own will change as
sizes grow to hundreds of gigabytes and terabytes.
Huge targets will require more sophisticated analysis techniques and equipment.
There will also be better collaborative functions to allow forensics investigators to perform
investigations a lot more efficiently than they do presently.
Criteria for selecting the best tools for digital forensics and cybersecurity.
Affordability: Price may not be an indicator of quality, but collaborative peer reviews can be.
Most of the tools below are open source, and all are free and maintained by a community of
dedicated developers.
Accessibility: Unlike some proprietary brands which only sell to law enforcement entities, all
of these are available to individuals.
Accountability: Either through open source projects or real world testimonials, these
technologies have been thoroughly vetted by experts.
Autopsy
Autopsy is a digital forensics platform and graphical interface that forensic investigators
use to understand what happened on a phone or computer. It aims to be an end-to-end,
modular solution that is intuitive out of the box. Select modules in Autopsy can do timeline
analysis, hash filtering, and keyword search. They can extract web artifacts, recover deleted
files from unallocated space, and find indicators of compromise. All of this can be done
relatively rapidly.
Autopsy runs background jobs in parallel so that even if a full search takes hours, a user
will know within minutes whether targeted keywords have been found. Investigators
working with multiple devices can create a central repository through Autopsy that will
flag phone numbers, email addresses, or other relevant data points.
Kali Linux
It is a Debian-derived Linux distribution designed for digital forensics and penetration
testing. It was developed as a rewrite of BackTrack 5, the project's previous forensics Linux
distribution.
Ophcrack
This tool is used to crack the password hashes stored in the SAM files of Windows. It
uses rainbow tables to crack the hashes.
Logicube
It was created in 1993. It is one of the leading digital forensic hard drive data recovery
technologies and is widely used by cybercrime experts and corporate security personnel. It
provides mainly hardware-based solutions but does have software solutions too.
AccessData
It has been a pioneer in digital investigations since 1987. It provides state-of-the-art cyber security,
password cracking, eDiscovery and decryption solutions.
Bulk Extractor
Bulk Extractor scans a file, directory, or disk image and extracts information without
parsing the file system or file system structures, allowing it to access different parts of the
disk in parallel, making it faster than the average tool.
The second advantage of Bulk Extractor is that it can be used to process practically any
form of digital media, e.g. hard drives, camera cards, smartphones, SSDs, and optical drives.
The most recent version of Bulk Extractor can perform social network forensics as well.
This software is available for free for Windows and Linux systems.
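To show what "extracts information without parsing the file system" means in practice, here is an added Python example (not Bulk Extractor's own code, which is C++) that runs byte-level scanners for e-mail addresses and URLs over a constructed raw image in fixed chunks, each extended by a margin, the chunk-plus-margin idea that lets a tool of this kind hand different parts of a disk to parallel workers; it also builds the kind of frequency histogram such tools report. The image contents, chunk size and margin are assumptions chosen for the example.

```python
import re

# Constructed raw "disk image": filler bytes, an HTML fragment, a mail header in
# what would be unallocated space, and a deleted text fragment. Hypothetical data.
RAW_IMAGE = (
    b"\x00" * 64
    + b'<a href="https://example.com/login?u=alice">portal</a>\x00\x00'
    + b"\xff" * 32
    + b"From: alice@example.com\r\nTo: bob@example.org\r\nSubject: invoice\r\n"
    + b"\x00" * 48
    + b"visit http://example.net/path/to/page.html soon"
    + b"\x90" * 16
    + b"duplicate alice@example.com mention"
)

# Feature scanners: (name, pattern, single-character class of the feature).
# They run over raw bytes, so no file system parsing is required.
SCANNERS = [
    ("email", re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
     re.compile(rb"[A-Za-z0-9._%+@-]")),
    ("url", re.compile(rb"https?://[A-Za-z0-9./?=_&%-]+"),
     re.compile(rb"[A-Za-z0-9./?=_&%:-]")),
]


def scan_image(data: bytes, chunk_size: int = 128, margin: int = 64):
    """Return sorted (offset, kind, value) features found anywhere in the image.

    The image is processed in fixed chunks (a real tool hands these to parallel
    workers), each extended by a margin so a feature that starts near the end of
    a chunk is still seen whole. Two rules keep the margin from producing
    duplicates or fragments: a match that starts inside the margin belongs to the
    next chunk, and a match at the very start of a chunk whose preceding byte is
    feature text is the tail of something the previous chunk already reported.
    The margin must be at least as long as the longest feature expected.
    """
    found = {}
    for pos in range(0, len(data), chunk_size):
        chunk = data[pos:pos + chunk_size + margin]
        for kind, pattern, charset in SCANNERS:
            for m in pattern.finditer(chunk):
                if m.start() >= chunk_size:
                    break  # inside the margin: the next chunk owns it
                if m.start() == 0 and pos > 0 and charset.match(data[pos - 1:pos]):
                    continue  # tail of a feature the previous chunk reported
                found[(pos + m.start(), kind)] = m.group().decode("ascii", "replace")
    return sorted((off, kind, val) for (off, kind), val in found.items())


def histogram(features):
    """Count repeated feature values, most frequent first (like *_histogram.txt)."""
    counts = {}
    for _, kind, val in features:
        counts[(kind, val)] = counts.get((kind, val), 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    feats = scan_image(RAW_IMAGE)
    for off, kind, val in feats:
        print(f"{off:8d} {kind:6s} {val}")  # byte offset lets an analyst go back to the image
    for (kind, val), n in histogram(feats):
        print(f"{n:3d} {kind} {val}")
```

The byte offset is the important output: it is what lets an examiner return to the image and look at the context around a hit, whether or not any file system still references those sectors. Changing the chunk size does not change the result as long as the margin covers the longest feature.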
DumpZilla
Dumpzilla performs browser analysis, specifically of Firefox, Iceweasel, and Seamonkey
clients. It allows for the visualization and customized search and extraction of cookies,
downloads, history, bookmarks, cache, add-ons, saved passwords, and session data.
Developed in Python, it works under Linux and Windows 32/64 bit systems, and it is
available for free from the developer's website. While this was created as a standalone tool,
its specific nature and lean packaging make it a strong component of future digital forensics
suites.
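As an added example of the browser history analysis Dumpzilla performs (this is not Dumpzilla's code), the Python below builds an in-memory SQLite stand-in for Firefox's places.sqlite with a subset of the moz_places and moz_historyvisits columns, then reconstructs a visit timeline, runs a keyword search and walks the referrer chain of a visit. The column names, the visit_type codes and the microsecond (PRTime) timestamps follow the real schema; the rows themselves are constructed sample data.

```python
import sqlite3
from datetime import datetime, timezone


def prtime_to_iso(microseconds: int) -> str:
    """Firefox stores visit times as PRTime: microseconds since the Unix epoch."""
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc).isoformat()


# moz_historyvisits.visit_type codes (Firefox transition types).
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed", 5: "redirect_permanent",
               6: "redirect_temporary", 7: "download", 8: "framed_link", 9: "reload"}


def build_sample_places_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for places.sqlite (subset of the real columns)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER);
    """)
    t0 = 1_700_000_000_000_000  # 2023-11-14T22:13:20Z, hypothetical case time
    con.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 2, t0 + 120_000_000),
        (2, "https://example.org/download/tool.zip", "Download", 1, t0 + 60_000_000),
    ])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, t0, 2),                # URL typed into the address bar
        (2, 1, 2, t0 + 60_000_000, 1),   # link followed from visit 1
        (3, 0, 1, t0 + 120_000_000, 9),  # same page reloaded later
    ])
    con.commit()
    return con


def history_timeline(con) -> list:
    """Every visit in chronological order, with its referrer visit and transition type."""
    rows = con.execute("""
        SELECT v.id, v.visit_date, v.visit_type, v.from_visit, p.url, p.title
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date, v.id
    """)
    return [
        {"visit_id": vid, "time": prtime_to_iso(when),
         "type": VISIT_TYPES.get(vtype, str(vtype)),
         "from_visit": from_visit, "url": url, "title": title}
        for vid, when, vtype, from_visit, url, title in rows
    ]


def search_history(con, keyword: str) -> list:
    """URLs whose address or title contains the keyword (SQLite LIKE is case-insensitive)."""
    like = f"%{keyword}%"
    return [url for (url,) in con.execute(
        "SELECT url FROM moz_places WHERE url LIKE ? OR title LIKE ? ORDER BY id",
        (like, like))]


def referrer_chain(con, visit_id: int) -> list:
    """Follow from_visit links back to the origin: how did the user reach this page?"""
    chain = []
    while visit_id:
        row = con.execute("""
            SELECT v.from_visit, p.url FROM moz_historyvisits v
            JOIN moz_places p ON p.id = v.place_id WHERE v.id = ?""", (visit_id,)).fetchone()
        if row is None:
            break
        visit_id, url = row
        chain.append(url)
    return chain[::-1]


if __name__ == "__main__":
    db = build_sample_places_db()
    for visit in history_timeline(db):
        print(visit["time"], visit["type"], visit["url"])
    print(referrer_chain(db, 2))
```

Against a real profile, the same queries run on a copy of places.sqlite opened read-only (always work on a copy, never on the live profile), and the from_visit chain is what turns a bare list of URLs into the sequence of clicks that led to a download.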
Wireshark
Wireshark is the world's most used network protocol analysis tool, employed by
governments, private corporations, and academic institutions across the world. As the
continuation of a project that began in 1998, Wireshark lets a user see what is happening
on a network at the microscopic level. By capturing network traffic, users can then scan
for malicious activity.
Captured network data can be viewed in a graphical user interface on Windows, Linux,
OS X, and several other operating systems. The data can be read from Ethernet, Bluetooth,
USB, and several other interfaces, while the output can be exported to XML, PostScript, CSV, or
plain text.
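Wireshark itself is a large C application; as an added example (not Wireshark's code) of the decode-then-look-for-anomalies workflow the paragraph describes, the Python below builds a small pcap capture from constructed Ethernet/IPv4/TCP packets between hypothetical hosts 10.0.0.x, parses the pcap file format Wireshark reads, summarises flows and flags a source that sent bare SYNs to several ports of one host. The handshake and probe traffic are assumptions constructed for the example; only little-endian pcap with the Ethernet link type is handled.

```python
import struct
from collections import Counter, defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits

# --- building a capture from constructed packets (hypothetical 10.0.0.x hosts) ---

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload  # checksum left zero: test data, not a wire packet

def tcp(sport: int, dport: int, flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def ethernet(payload: bytes) -> bytes:
    return b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00" + payload

def build_pcap(frames) -> bytes:
    """pcap file: 24-byte global header (little-endian, linktype 1 = Ethernet) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([
    ethernet(ipv4("10.0.0.7", "10.0.0.9", 6, tcp(50000, 443, SYN))),        # normal handshake
    ethernet(ipv4("10.0.0.9", "10.0.0.7", 6, tcp(443, 50000, SYN | ACK))),
    ethernet(ipv4("10.0.0.7", "10.0.0.9", 6, tcp(50000, 443, ACK))),
    ethernet(ipv4("10.0.0.5", "10.0.0.9", 6, tcp(40001, 22, SYN))),         # one source probing
    ethernet(ipv4("10.0.0.5", "10.0.0.9", 6, tcp(40002, 80, SYN))),         # several ports
    ethernet(ipv4("10.0.0.5", "10.0.0.9", 6, tcp(40003, 3389, SYN))),
])

# --- parsing ---

def parse_pcap(data: bytes) -> list:
    """Decode the Ethernet/IPv4/TCP fields of every record; other packets are skipped."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("only little-endian pcap with the Ethernet link type is handled")
    packets, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, pos)
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        pkt = parse_frame(frame)
        if pkt is not None:
            pkt["ts"] = ts_sec + ts_usec / 1_000_000
            packets.append(pkt)
    return packets

def parse_frame(frame: bytes):
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # need Ethernet + IPv4 headers
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "proto": ip[9]}
    if pkt["proto"] == 6 and len(ip) >= ihl + 14:  # TCP: ports and the flags byte
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", ip, ihl)
        flags = ip[ihl + 13]
        pkt["syn"], pkt["ack"] = bool(flags & SYN), bool(flags & ACK)
    return pkt

# --- "scan for malicious activity": two views an analyst builds from the decode ---

def conversations(packets) -> Counter:
    """Packet counts per (src, dst, dport) flow, the usual first overview."""
    return Counter((p["src"], p["dst"], p.get("dport")) for p in packets)

def syn_probe_sources(packets, min_ports: int = 3) -> dict:
    """Sources that sent bare SYNs (SYN set, ACK clear) to many distinct ports of one host."""
    ports = defaultdict(set)
    for p in packets:
        if p.get("syn") and not p.get("ack"):
            ports[(p["src"], p["dst"])].add(p["dport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    for flow, n in conversations(pkts).items():
        print(flow, n)
    print(syn_probe_sources(pkts))
```

The constructed file opens in Wireshark as well, which is a useful way to check a hand-written decoder against the reference tool; the probe-source rule is a deliberately simple illustration of the kind of filter an analyst writes once the fields are decoded.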
ExifTool
ExifTool is a platform-independent system for reading, writing, and editing metadata across
a wide range of file types. Of particular interest to the digital investigator is the reading of
metadata, which can be achieved through command line processes or a simple GUI.
Investigators can drag and drop different files, such as a PDF or a JPEG, and learn when
and where the file was created, a crucial component in establishing a chain of evidence.
The software itself is lightweight, quick and easy to use, making it an ideal inclusion in future
forensics suites. ExifTool is available for both Windows and OS X and can be downloaded
from the developer's website.
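To make concrete what ExifTool reads when it reports when a photo was taken, here is an added Python example (not ExifTool's code, which is Perl) that builds a minimal constructed JPEG carrying an APP1/Exif segment, then parses the JPEG marker structure and the TIFF-style IFD entries inside it, following the pointer into the Exif sub-IFD to recover Make, Model, DateTime and DateTimeOriginal. The camera name, model and timestamps are invented sample values; the tag numbers, data types and layout are those of the EXIF/TIFF specifications.

```python
import struct
from datetime import datetime

# Tags handled here; real EXIF defines hundreds (ExifTool's tag tables list them).
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x8769: "ExifIFDPointer", 0x9003: "DateTimeOriginal"}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}  # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED


def build_sample_jpeg(byte_order: bytes = b"MM") -> bytes:
    """Constructed minimal JPEG: SOI, one APP1/Exif segment, EOI (no image data)."""
    E = ">" if byte_order == b"MM" else "<"
    ifd0_off = 8
    exif_off = ifd0_off + 2 + 4 * 12 + 4   # IFD0 holds 4 entries
    blob_base = exif_off + 2 + 1 * 12 + 4  # Exif IFD holds 1 entry; long values follow it
    blob = bytearray()

    def ascii_entry(tag: int, text: str) -> bytes:
        raw = text.encode("ascii") + b"\x00"  # ASCII values are NUL-terminated
        entry = struct.pack(E + "HHII", tag, 2, len(raw), blob_base + len(blob))
        blob.extend(raw)
        return entry

    ifd0 = (struct.pack(E + "H", 4)
            + ascii_entry(0x010F, "ExampleCam") + ascii_entry(0x0110, "Model-1")
            + ascii_entry(0x0132, "2024:05:01 10:30:00")
            + struct.pack(E + "HHII", 0x8769, 4, 1, exif_off)  # LONG pointer to the Exif sub-IFD
            + struct.pack(E + "I", 0))                          # no next IFD
    exif_ifd = (struct.pack(E + "H", 1)
                + ascii_entry(0x9003, "2024:05:01 10:29:58")
                + struct.pack(E + "I", 0))
    tiff = byte_order + struct.pack(E + "HI", 42, ifd0_off) + ifd0 + exif_ifd + bytes(blob)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def find_exif_tiff(jpeg: bytes):
    """Walk the JPEG marker segments and return the TIFF block inside APP1/Exif, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + length]
        if marker in (0xFFDA, 0xFFD9):  # start of scan / end of image: no more metadata
            return None
        pos += 2 + length
    return None


def read_ifd(tiff: bytes, offset: int, E: str, tags: dict) -> None:
    (count,) = struct.unpack_from(E + "H", tiff, offset)
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(E + "HHI4s", tiff, offset + 2 + 12 * i)
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:
            value_bytes = raw[:size]                 # small values live inline in the entry
        else:
            (off,) = struct.unpack(E + "I", raw)     # larger ones sit at an offset from TIFF start
            value_bytes = tiff[off:off + size]
        if typ == 2:
            value = value_bytes.rstrip(b"\x00").decode("ascii", "replace")
        elif typ in (3, 4):
            value = struct.unpack(E + ("H" if typ == 3 else "I") * n, value_bytes)
            value = value[0] if n == 1 else value
        else:
            value = value_bytes
        tags[TAG_NAMES.get(tag, f"0x{tag:04X}")] = value
        if tag == 0x8769:                            # descend into the Exif sub-IFD
            read_ifd(tiff, value, E, tags)


def extract_exif(jpeg: bytes) -> dict:
    tiff = find_exif_tiff(jpeg)
    if tiff is None:
        return {}
    E = ">" if tiff[:2] == b"MM" else "<"            # byte order declared by the TIFF header
    magic, ifd0_off = struct.unpack_from(E + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header in Exif segment")
    tags = {}
    read_ifd(tiff, ifd0_off, E, tags)
    return tags


def exif_datetime(value: str) -> datetime:
    """EXIF timestamps are 'YYYY:MM:DD HH:MM:SS' in local camera time, with no zone."""
    return datetime.strptime(value, "%Y:%m:%d %H:%M:%S")


if __name__ == "__main__":
    for name, value in extract_exif(build_sample_jpeg()).items():
        print(f"{name}: {value}")
```

The absence of a time zone in EXIF timestamps is the usual caveat when such a value is used to place a photograph in a timeline: it is the camera's clock, not UTC, and the clock may be wrong.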
CONCLUSIONS
Digital forensics is important for solving crimes committed with digital devices, against digital devices, or
against people, where evidence may reside in a device.
Several sound tools and techniques exist to search and analyze digital data.
Regardless of the existing tools, the evolving digital age and the development of technology require
more intensive research in digital forensics.