Tools & Technologies - Digital Forensics

Digital forensics is the process of preserving, identifying, extracting and documenting digital evidence from devices like computers, phones, servers and networks. This evidence can be used in a court of law. It involves analyzing digital evidence found on devices to solve cybercrimes. The key steps are identification and preservation of evidence, documentation of the process, analysis of evidence to draw conclusions, and presentation of findings. Different types of digital forensics include disk, network, email, mobile and malware forensics. Tools are used to recover various types of digital artifacts from different sources.

Uploaded by

Glowing Star

TOOLS & TECHNOLOGIES FOR

What is DIGITAL FORENSICS ?


Digital Forensics is defined as the process of preservation, identification, extraction, and documentation
of computer evidence which can be used in a court of law.

It is the science of finding evidence from digital media like a computer, mobile phone, server, or
network. It provides the forensic team with the best techniques and tools to solve complicated
digital-related cases.

Digital Forensics helps the forensic team to analyze, inspect, identify, and preserve the digital
evidence residing on various types of electronic devices.
What is DIGITAL EVIDENCE ?
- Digital evidence is information stored or transmitted in binary form that may be relied on in
court. It can be found on a computer hard drive or a mobile phone, among other places.
- Digital evidence or electronic evidence is defined as information and data of value to an
investigation that is stored on, received or transmitted by an electronic device. This evidence can
be acquired when electronic devices are seized and secured for examination.
- Digital evidence is commonly associated with electronic crime, or e-crime, such as child
pornography or credit card fraud. However, all crimes have digital evidence today.
Sources of DIGITAL EVIDENCE
- Storage media
- Computing Devices
- Applications
- Cloud
- Mobile Devices
- Digital/Video Camera
- Internet of Things (IoT)
Examples of Digital Evidence
- E-Mails
- Digital Photographs
- ATM Transaction Logs
- Word Processing Documents
- Instant Message Histories
- Files saved from accounting programs
- Spreadsheets
- Internet browser histories
- Databases
- The contents of computer memory
OBJECTIVES
- To recover, analyze, and preserve computer and related materials in such a manner that the
investigation agency can present them as evidence in a court of law.
- To postulate the motive behind the crime and the identity of the culprit(s).
- To design procedures at a suspected crime scene that help ensure the digital evidence
obtained is not corrupted.
- Data acquisition and duplication: recovering deleted files and deleted partitions from digital media to
extract the evidence and validate it.
- To identify the evidence quickly and to estimate the potential impact of the malicious
activity on the victim.
- To produce a computer forensic report that documents the complete investigation process.
- To preserve the evidence by following the chain of custody.
Process of DIGITAL FORENSICS

1. Identification
It is the first step in the forensic process. The identification process mainly includes things like
what evidence is present, where it is stored, and lastly, how it is stored (in which format).
Electronic storage media can be personal computers, Mobile phones, PDAs, etc.

2. Preservation
In this phase, data is isolated, secured, and preserved. It includes preventing people from using the
digital device so that digital evidence is not tampered with.

3. Documentation
In this process, a record of all the visible data must be created. It helps in recreating the crime
scene and reviewing it. It involves proper documentation of the crime scene along with
photographing, sketching, and crime-scene mapping.

4. Analysis
In this step, investigation agents reconstruct fragments of data and draw conclusions based on
evidence found. However, it might take numerous iterations of examination to support a specific
crime theory.

5. Presentation
In this last step, the process of summarization and explanation of conclusions is done.

However, it should be written in a layperson's terms using abstracted terminologies. All abstracted
terminologies should reference the specific details.
Types of Crime
Email bombing - Email bombing is a form of abuse consisting of sending huge volumes of email to a
single address or recipient in an attempt to overflow the mailbox.

Spamming - Spamming is sending an unsolicited message, especially to promote a product or service,
as well as sending messages repeatedly through a communication medium.

Spear phishing - Spear phishing is an email-spoofing attack that targets a specific organization or
individual, seeking unauthorized access to sensitive information.

Job Frauds - It involves deceiving people seeking employment by giving them the false hope of
earning high salaries or extra income.

Digital stalking - Digital stalking is a criminal practice in which an attacker uses the internet and
other electronic devices to persistently harass victims.

Software piracy - Software piracy is the unauthorised use and distribution of computer software.

Digital pornography - Digital pornography is defined as the act of using cyberspace to create, view,
distribute, import, or publish pornography or obscene materials.

Digital extortion - Digital extortion is the act of cyber-criminals demanding payment through the use of or
threat of some form of malicious activity against a victim, such as data compromise or denial of service
attack.

Domain name hijacking - Domain hijacking or domain theft is the act of changing the registration of a
domain name without the permission of its original registrant.

Digital bullying - It is a form of offense committed by using virtual communication medium like e-mail,
social media, SMS, messengers, forums etc., to harass, threaten, embarrass, and humiliate victims.
Classification of DIGITAL FORENSICS
DISK FORENSICS:
Disk forensics is the science of extracting forensic information from digital storage media like hard disks,
USB devices, FireWire devices, CDs, DVDs, flash drives, floppy disks, etc.
We carry out disk forensics across operating systems, hardware and storage devices, including recovery of
data from physically or logically damaged devices. In the examination of disk forensics we are capable of
collecting forensic artifacts in the form of:
1. Disk imaging
2. Metadata
3. Data files and folders
4. Deleted files and folders
5. Hidden files and folders
6. Registry logs, etc.
NETWORK FORENSICS:
Network forensics analyzes the network traffic and monitors data packets transferred over the internet for
intrusion and malware detection. It involves collecting and recording data, analyzing the issue, determining
the best troubleshooting response, and implementing it.
Network forensics experts collect data from different websites and network equipment, including intrusion
detection systems (IDS) and firewalls, to analyze network traffic data. Moreover, network forensics can
also be used for monitoring, preventing, and analyzing potential attacks.
EMAIL FORENSICS:

It is used to study the source and content of an email message as evidence, identifying the actual sender,
recipient, and the date and time it was sent, or to collect credible evidence to take action against a criminal.
Technique used for email investigation:

Header Analysis:
Email headers are lines of metadata (data about data) attached to each email that contain lots of
useful information for a forensic investigator about the sender or the path along which the message
has traversed. Some of these may be spoofed to conceal the identity of the sender. A detailed
analysis of these headers and their correlation is performed in header analysis.
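
The header correlation described above, as an added example that is not part of the original presentation: a Python script that walks the `Received` chain oldest-first and cross-checks the sender-controlled headers against each other. The function names, finding codes and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not from a real case); hosts and IPs use reserved example ranges.
SAMPLE = """\
Received: from mx.victim.example (mx.victim.example [192.0.2.10])
    by mailstore.victim.example with ESMTP id A3; Mon, 04 Mar 2024 10:15:09 +0000
Received: from relay.bulkhost.example (relay.bulkhost.example [198.51.100.7])
    by mx.victim.example with ESMTP id A2; Mon, 04 Mar 2024 10:15:05 +0000
Received: from localhost (unknown [203.0.113.50])
    by relay.bulkhost.example with SMTP id A1; Mon, 04 Mar 2024 10:19:40 +0000
Return-Path: <bounce@bulkhost.example>
From: "Accounts Team" <accounts@bank.example>
Reply-To: refunds@freemail.example
To: user@victim.example
Subject: Action required
Date: Mon, 04 Mar 2024 10:14:58 +0000
Message-ID: <20240304.1@relay.bulkhost.example>

Body omitted.
"""


def _domain(value):
    """Lower-cased domain of an address header value, or '' when absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()


def _same_org(a, b):
    """True when one domain equals the other or is a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def received_hops(msg):
    """Parse Received headers into hops, oldest first (each relay prepends its own)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        flat = " ".join(raw.split())                  # unfold continuation lines
        route, sep, stamp = flat.rpartition(";")
        if not sep:                                   # header without a date part
            route, stamp = flat, ""
        hosts = re.search(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", route)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", route)
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None                               # missing or malformed date
        hops.append({"from_host": hosts.group(1) if hosts else None,
                     "by_host": hosts.group(2) if hosts else None,
                     "ip": ip.group(1) if ip else None,
                     "time": when})
    return hops


def analyse(raw_message):
    """Return the hop list, the first recorded client IP and a list of findings."""
    msg = message_from_string(raw_message)
    hops = received_hops(msg)
    from_dom = _domain(msg.get("From"))
    findings = []
    # Headers the sender controls should agree with the visible From domain.
    for header, code in (("Return-Path", "return-path-mismatch"),
                         ("Reply-To", "reply-to-mismatch")):
        dom = _domain(msg.get(header))
        if from_dom and dom and not _same_org(dom, from_dom):
            findings.append((code, f"{header} domain {dom} vs From domain {from_dom}"))
    mid_dom = msg.get("Message-ID", "").strip().strip("<>").rpartition("@")[2].lower()
    if from_dom and mid_dom and not _same_org(mid_dom, from_dom):
        findings.append(("message-id-mismatch", f"Message-ID issued by {mid_dom}"))
    # Timestamps should not run backwards along the path; a regression points to a
    # forged header or a badly skewed clock on a relay outside the recipient's control.
    for i in range(1, len(hops)):
        earlier, later = hops[i - 1]["time"], hops[i]["time"]
        if (earlier and later and (earlier.tzinfo is None) == (later.tzinfo is None)
                and later < earlier):
            findings.append(("time-regression", f"hop {i + 1} predates hop {i}"))
    return {"hops": hops, "origin_ip": hops[0]["ip"] if hops else None,
            "findings": findings}


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE)["findings"]:
        print(code, "-", detail)
```

Only the `Received` lines added by the recipient's own servers can be trusted as written; the earlier ones are supplied by upstream hosts and are treated here as claims to be correlated, not facts.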
MOBILE FORENSICS:

It mainly deals with the examination and analysis of mobile devices. Crimes do not happen in isolation from
technological tendencies; therefore, mobile device forensics has become a significant part of digital
forensics. It helps us to retrieve:

- Incoming, outgoing, missed call history
- Phonebook or contact lists
- Internet browsing history, content, cookies, search history, analytics information
- Pictures, videos, and audio files and sometimes voicemail messages
- SMS text, application based, and multimedia messaging content
- System files, usage logs, error messages
- To-do lists, notes, calendar entries, ringtones
- User dictionary content
- Deleted data from all of the above
Malware Forensics:
This branch deals with the identification of malicious code, to study their payload, viruses, worms, etc.

It is a way of finding, analyzing and investigating various properties of malware to seek out the culprits and
the reason for the attack. The method also includes tasks like checking out the malicious code and determining
its entry, method of propagation, impact on the system, ports it tries to use, etc. Investigators conduct
forensic investigation using different techniques and tools.

Type of Malware:

- Backdoor
- Botnet
- Worm
- Trojan
- Ransomware
- Spyware
CLOUD FORENSICS:

Cloud forensics is the application of digital forensics in cloud computing as a subset of network forensics to gather
and preserve evidence in a way that is suitable for presentation in a court of law.

A criminal can also keep secret files such as child pornography, terrorist documents, etc. in cloud storage to remain
clean. To investigate such crimes involving the cloud, investigators have to carry out forensic investigations in the
cloud environment. This gives rise to the need for cloud forensics, which is a subset of network forensics.

Cloud forensics is an application of scientific principles, practices, and methods to reorganize the events through
identification, collection, preservation, examination, and reporting of digital evidence. Evidence can reside anywhere
in the cloud and it is more complex to identify the traces located in the cloud server.
Digital Forensic Tools
- Field Forensic Kit
- Cell Site Analyzer Tool
- CDR/TDR/IPDR/ISD/SDR and Gateway Analysis Tool
- Write Blockers
- Disk Imaging Hardware Tool
- Forensic Workstation
- Mobile Forensic Tools
- Disk Forensics Tools
- Social Media Analysis Tool
- GPS Forensic Tool
- Password Recovery Tool
- DVR Extractor Tool
- Image & Video Forensic Tool
- Image Authentication Tool
- Face Forensic Software
Field Forensic Kit
Digital Evidence Seizure Kit (D.E.S.K)

- This is a portable kit that can be carried to the incident location and can help in
documenting digital evidence seizures as per Indian Law and producing appropriate
seizure memos.
- It also supports seizing, authenticating, documenting & transporting the evidence in a
tamper proof manner.
- The toolkit includes:
○ Write Blocker
○ Camera
○ Laptop
○ Screwdriver Kit
○ Cables
D.E.S.K is a first responder evidence collection kit allowing the Investigating Officer to seize
electronic evidence, produce seizure memos as per Indian Law, and document, acquire, photograph
and transport digital evidence seized at the scene of the crime/incident.
Cell Site Analyzer Tool
The Cell Site Analyzer (CSA) is a hardware device that can be vehicle
mounted or physically carried to the crime scene to simultaneously
map the cellular coverage of multiple 2G/3G/4G/LTE networks.

The CSA is a force multiplier that is used to map cell tower coverage
along escape or getaway routes as well as determining coverage and
signal strength at the crime scene. This helps law enforcement request
relevant data from service providers to determine who was present at
the scene and time of the crime.
- It allows investigators to identify the Cell Tower IDs covering an incident area or the route
travelled by a suspect or target.
- It allows investigators to record various parameters like Cell-ID, LAC and signal strength for up to 6
neighbouring cell IDs, along with the position of the investigator via a built-in GPS.
- It helps investigators to collect these parameters from various sources of interest like a crime scene,
prison area, international border, etc.
CDR/TDR/IPDR/ISD/SDR and
Gateway Analysis Tool

“Finding Needles in a Billion haystacks”


Big Data – Telecom Log Analytics
Call Detail Analysis and Management System (CDAMS)

CDAMS is a powerful tool to search for leads in telecom logs from both a post-incident and a prevention
perspective. It handles massive data effectively and efficiently. It has a bunch of preset queries but also
allows the investigator to ask his/her own questions to convert information into actionable intelligence.

Different modules of CDAMS are:


1. CDR Analysis
2. TDR Analysis
3. IPDR Analysis
4. ISD Analysis
5. Gateway CDR Analysis
6. Forensics Extraction
7. SDR Import
CDR Analysis
INTELLIGENT ANALYTICS…

Locations
- Presence at crime scene?
- Places he usually visits?
- Places common with other criminals?
- Travel route?
- Local/National/International?

Associations
- Friends he might hide with?
- Family he is usually in touch with?
- Girl friends / wives?
- Gang members?

Behavior
- Where does he sleep at night?
- Type of phone devices he carries?
- Changes SIMs?
- Communicates with calls / text messages?
- Etc.
CDR Analysis Challenges
- Huge Volumes of data – requiring too much time and effort to parse through manually/
IPDRs etc
- Multiple Service Providers
- Use of “throw away” phones
- Each provider has multiple formats
- Large Volume Subscriber data records for cross verification
- Inter Circle Roaming
- Cell No. Portability
How does it work?

[Figure: CDAMS workflow. Input data types: individual call/billing data, IMEI scan, tower/mast dump,
ISD dumps, subscriber data, mobile forensic extraction. Other labels: telecom data formats; tabular
reports; graphical reports; IBM i2 Analyst Notebook; identified suspect.]
Different Data Inputs that the CDAMS Tool Uses

[Figure: data inputs. Labels: tower (antenna), landline phone and cell phone call detail (call records
and billing records); IPDR/GPRS call details; SIM card extraction details; telephone interception
records / IMSI, TMSI, location, etc.; cellphone forensic tools (XRY, UFED, Tarantula); subscriber
details (national phonebook records); ILD/gateway data details.]
Geo-fencing – Identifying Calls To &
From Sensitive Locations
Social Network Analytics
Write Blockers

[Figures: WriteProtect-DESKTOP; Tableau Forensic SATA/IDE Bridge (T35u)]
What are write blockers?
A write blocker is any tool (Hardware or Software) that permits read-only access to data
storage devices without compromising the integrity of the data. A write blocker, when
used properly, can guarantee the protection of the data chain of custody.

Write blocking requirements hold that:


- The tool shall not allow a protected drive to be changed.
- The tool shall not prevent obtaining any information from or about any drive.
- The tool shall not prevent any operations to a drive that is not protected.
The WriteProtect-DESKTOP provides digital forensic professionals with fast, secure, read-only
write-blocking of suspect hard drives. The only portable write-blocker that provides support for 6 different
interfaces in one device, the WriteProtect is the ideal write-block solution for lab or field acquisitions.

- Fast Superspeed USB3.0 host connection


- Supports SAS, SATA, FireWire, USB3.0, IDE source drives
- Supports PCIe SSDs (M.2 SATA/AHCI/NVMe), PCIe and mini-PCIe express cards with optional
adapters
- Browser-based user interface for drive preview, software updates, HPA/DCO management
- Connect and image multiple source drives simultaneously with your forensic imaging software
Tableau Forensic SATA/IDE Bridge

The Tableau Forensic SATA/IDE Bridge is a portable write-blocker that enables forensic
acquisition of SATA and IDE solid-state-drives.

FEATURES

- Suitable for both the field and lab


- USB 3.0 host computer connection
- Seven LEDs provide status on power, IDE media detection, SATA media detection, host
connection, write-block status, and activity
- Read/write mode capability via internal DIP switch
- Free Tableau firmware updates
Disk Imaging Hardware Tool

Tableau Forensic Imager Forensic Imager


What is Disk Imaging ?
A disk image, in computing, is a computer file containing the contents and structure of a disk volume
or of an entire data storage device, such as a hard disk drive, tape drive, floppy disk, optical disc, or
USB flash drive. A disk image is usually made by creating a sector-by-sector copy of the source
medium, thereby perfectly replicating the structure and contents of a storage device independent of the
file system.
The file format may be an open standard, such as the ISO image format for optical disc images, or a
disk image may be unique to a particular software application.
The size of a disk image can be large because it contains the contents of an entire disk.
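
The sector-by-sector copy described above, with the hash verification that imaging tools perform, as an added example that is not part of the original presentation. It goes slightly beyond the text by also handling unreadable sectors (zero-filled and logged so that offsets in the image stay aligned). `FlakySource`, `acquire`, `verify` and the in-memory "drive" are assumptions constructed for illustration; on a real case the source would be opened read-only behind a write blocker.

```python
import hashlib
import io

SECTOR = 512
BLOCK = SECTOR * 128            # read 64 KiB at a time


class FlakySource(io.BytesIO):
    """Constructed stand-in for a source drive with unreadable sectors."""

    def __init__(self, data, bad_offsets=()):
        super().__init__(data)
        self.bad_offsets = set(bad_offsets)

    def read(self, n=-1):
        start = self.tell()
        end = len(self.getvalue()) if n is None or n < 0 else start + n
        # Fail the whole read if it touches any bad sector, like a real device.
        if any(b < end and start < b + SECTOR for b in self.bad_offsets):
            raise OSError(5, "Input/output error")
        return super().read(n)


def read_block(src, offset, size, bad):
    """Read one block; on an I/O error retry per sector and zero-fill failures."""
    try:
        src.seek(offset)
        return src.read(size)
    except OSError:
        out = bytearray()
        for off in range(offset, offset + size, SECTOR):
            want = min(SECTOR, offset + size - off)
            try:
                src.seek(off)
                out += src.read(want)
            except OSError:
                out += bytes(want)      # keep every later offset aligned
                bad.append(off)         # record it for the acquisition report
        return bytes(out)


def acquire(src, dst, algorithms=("md5", "sha256")):
    """Copy src to dst block by block, hashing the stream exactly as written."""
    size = src.seek(0, io.SEEK_END)
    hashers = {name: hashlib.new(name) for name in algorithms}
    bad = []
    for offset in range(0, size, BLOCK):
        chunk = read_block(src, offset, min(BLOCK, size - offset), bad)
        for h in hashers.values():
            h.update(chunk)
        dst.write(chunk)
    return {"bytes": size, "bad_sectors": bad,
            "hashes": {name: h.hexdigest() for name, h in hashers.items()}}


def verify(image, record):
    """Re-read the finished image and require every recorded digest to match."""
    image.seek(0)
    hashers = {name: hashlib.new(name) for name in record["hashes"]}
    while chunk := image.read(BLOCK):
        for h in hashers.values():
            h.update(chunk)
    return all(h.hexdigest() == record["hashes"][n] for n, h in hashers.items())


def run_demo():
    """Image a constructed 'drive' with one bad sector, then verify and tamper."""
    data = bytes(range(256)) * 800 + b"tail"         # constructed drive contents
    src = FlakySource(data, bad_offsets=[70 * SECTOR])
    image = io.BytesIO()
    record = acquire(src, image)
    intact = verify(image, record)
    tampered = io.BytesIO(image.getvalue())
    tampered.seek(1000)
    tampered.write(b"\xff")                           # simulate a one-byte alteration
    return record, image.getvalue(), intact, verify(tampered, record)


if __name__ == "__main__":
    print(run_demo()[0])
```

The acquisition record (size, bad-sector offsets, both digests) is what goes into the chain-of-custody documentation; any later copy of the image can be checked against it with `verify`.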
Falcon®-NEO
- Extreme speed, imaging at speeds surpassing 50GB/min*. Clone
PCIe to PCIe at speeds over 90GB/min.
- Image & verify from up to 5 source to up to 9 destination
drives for ultra-efficient imaging.
- Concurrent Image+Verify feature. It supports MD5, SHA1,
SHA256 and dual-hash authentication.
- Recognize source drives and partitions that are possibly
encrypted.
- Cloud storage acquisition software renewable option
provides convenient capture of OneDrive, Google Drive, and
Dropbox files.
- Capture from mobile devices including Apple® iPhones,
iPads, Android phones and tablets with an optional renewable
software package.
- Multi-task. Perform image, wipe, hash tasks simultaneously.
Little or no speed degradation when imaging from three
sources to three destinations
- The Forensic Imager TX1, with a color touchscreen interface, provides forensic write blocking for
IDE, SATA, SAS, USB3, and Firewire devices.
- Images SATA, USB 3, PCIe, SAS, FireWire 800, IDE (with optional IDE Adapter), and network
shares.
- Outputs to SATA, USB 3, SAS, and network shares supports up to two active "forensic" jobs at a
time (simultaneous imaging).
- Up to four destinations per source with the ability to mix clone/image duplication and local/network
destinations
- Status LED provides device status information
- Job queuing option for efficiency.
ACE Forensic Workstation
Ace Computers is a leader in the forensic workstation market. Our
experts build highly customized versions that take advantage of the
many hardware and software features available.

ACE is ISO 9001-2015 certified.

ACE is registered in the EPEAT (Electronic product Environmental Tool) Standard.
FEATURES
- Custom configuration with components that are exclusively high end, powerful, and energy efficient.
- Multiple write-blocked tray/trayless docks for target drive imaging.
- Designed for maximum I/O throughput and fastest data imaging speed.
- Write protection data bridge for safe imaging of SAS/SATA/IDE, PCI Express SSDs, and flash media
- Integrated Forensic Media Card Reader - read-only.
- Choice of internal data drive setup or internal RAID configuration.
- Trusted platform module and SMARTcard reader standard.
- Built in gigabit LAN and wireless LAN (wireless is removable).
- Anti-vibration and acoustically dampened low noise output
Mobile Forensic Tools

MD-NEXT is forensic software for data extraction from diverse mobile and digital devices. It supports
physical and logical extraction methods for Android, iOS, Windows OS, Tizen OS, and other mobile OS.

MD-NEXT supports data extraction from MD-READER (chip-off memory), MD-BOX (JTAG board),
USIM reader, SD memory reader, OS backup protocol, agent app, and new cutting-edge extraction methods.

MD-RED is forensic software for recovery, decryption, visualization, analytic data mining, and
reporting of evidence data extracted via MD-NEXT or other tools.

All the results of the analysis can be exported as forensic reports for the investigation of crimes
and accidents. Also, the analysis module for the latest mobile apps is quickly updated by
continuous research.

MD-LIVE is a mobile live data forensics product with an easy-to-use user interface, logical
extraction and quick data analysis. It also supports automatic smartphone detection, smartphone
display mirroring and capturing with a camera to capture the evidence image or to record video in
the field. This is best for Mobile Triage in the field environment.

MD-BOX is the forensic hardware for extracting data directly from the mainboard using the JTAG
interface. When the mobile device has damage on the external parts but the mainboard still works,
the examiner can connect the mainboard to MD-BOX through the JTAG interface. Then, the data can be
extracted from the JTAG Extraction menu in the MD-NEXT program.

Product Highlights
• Physical extraction for the mainboard with JTAG
• Applicable to the damaged mobile devices
• Write protection and evidence integrity

MD-READER is the forensic hardware for extracting data from chip-off memory. After detaching the
memory chip from the board by manual work or rework machine, the examiner can mount it into one of
the memory sockets included. Then, the data extraction can be done from the Chip-Off menu in the
MD-NEXT program.

Product Highlights
• Applicable to the heavily damaged phones
• Data extraction for chip-off memory
• Data image file save with MD-NEXT
• Excellent extraction performance
• Write protection and evidence integrity

UFED 4PC
UFED is a new generation solution that empowers law enforcement, military, and intelligence personnel to
capture critical forensic evidence from Android and iOS mobile devices.

UFED enables you to:

- Perform physical, file system, and logical extraction of device
data and passwords.
- Extract vital data such as call logs, phonebook entries, text
messages (SMS), pictures, videos, audio files, ESN IMEI,
ICCID and IMSI information and more, from a wide range of
mobile devices.
- Extract data from the widest selection of operating systems,
such as Apple iOS, Blackberry, Android, Symbian, Microsoft
Mobile, and Palm OS.
Disk Forensics Tools
EnCase is a product of OpenText, a brand known worldwide for digital forensic
investigation. OpenText was established in early 1998.

OpenText provides several products designed for forensic, cyber security, security analytics and
e-discovery use.

EnCase Forensic Across Your Investigation Lifecycle


Encase Product Portfolio
EnCase Forensic (EnCase) provides examiners/investigators with a single tool for conducting large-scale
and complex examinations/investigations from beginning to end. It features superior analytics, enhanced
email/Internet support, and a powerful scripting engine.

With EnCase you can:


- Acquire data in a forensically sound manner using software with an unparalleled record
in courts worldwide
- Investigate and analyze data from multiple platforms—Windows, Linux, AIX, OS X, Solaris, and
more—using a single tool.
- Find information despite efforts to hide, cloak, or delete.
- Easily manage large volumes of computer evidence, viewing all relevant files, including
deleted files, file slack, and unallocated space.
- Transfer evidence files (files representing data on media to be examined) directly to
colleagues, attorneys, or supervisors as necessary.
- Review options that allow non-technical individuals to review evidence with ease.
- Use reporting options for quick report preparation
Best features provided by EnCase Forensic
- Network Preview
- Disk View
- Enscript
- Pathways
- Carving Hashing & Hashset Library
- Signature Analysis
- Entropy
- Bookmark & Tagging
- Keyword Searching (RAW Searching & INDEX Searching)
- Inbuilt Write-Blocker (FastBloc SC)
Encase Interface
Disk Forensics Tools

Belkasoft Evidence Center X


All-in-one digital forensic and incident response software from Belkasoft:-

• Covers major digital forensic branches


- Mobile Forensics
- Computer Forensics
- Memory Forensics
- Cloud Forensics
• For corporate customers:
- Incident Investigations
• Acquires, examines, analyzes, and presents digital evidence in a forensically sound manner
• Especially great in iOS and Windows forensics, in-depth SQLite analysis, automatic artifact recovery
• Combines low level forensics (Hex, SQLite, registry) with high level examinations (artifacts, Connection
Graph, Timeline)
• Visually beautiful
• Simplified yet powerful workflow
• Quick and smart
Interface of Belkasoft Evidence Center X
Social Media Analysis Tool

X1 SOCIAL DISCOVERY
- X1 Social Discovery is the industry-leading solution for anyone who needs to collect and search data
from social networks and the internet.
- X1 Social Discovery saves customers vast amounts of time and money through the automated – and
simultaneous – collection of data from multiple social media accounts.
- X1 Social Discovery is designed to effectively address social media content from the leading social
media networking sites, websites and email including:
● Facebook
● Twitter
● Instagram
● YouTube
● Tumblr
● Web pages & websites
● Gmail
● Yahoo Mail
● Outlook.com
Interface of X1
GPS Forensic Tool
Blackthorn is the leading GPS Forensics tool used by forensic examiners and investigators
for acquiring, examining and analyzing data from aviation, maritime, portable automotive, and
hand held GPS devices.
Features
- Supports over 3500 different device profiles
- Acquisition via logical, physical, file import, and flash memory decodes
- Create custom reports in html, xml, Word, Excel, or PDF formats
- Online/Offline mapping with annotation tools
- Native Hex, Strings, xml, and SQLite data viewers
- Export data in common formats: csv, txt, xlsx, xml, kml, kmz, or gdb
- Built-in analytical reports for geo locations, common activity location and time
- Robust search function: key words, hash value, file type and geo location
- User based and global watch list capabilities
Password Recovery Tool

Passware Kit Forensic discovers all password-protected items on a computer and decrypts them.
The software recognizes 280+ file types and works in batch mode to recover their passwords.
Many types of files are decrypted instantly, while other passwords are recovered through Dictionary
and Brute-force methods using GPU acceleration and distributed computing (for Windows, Linux, and
Amazon EC2).
Passware Kit Forensic Overview
What PASSWARE can do ?

- Detect encrypted files and containers


- Recover a file password
- Extract passwords from a memory image
- Decrypt a Keychain
- Decrypt a VeraCrypt container
- Use a custom dictionary
- Customize password recovery settings
DVR Extractor Tool

It supports CCTV, black-box and media storage, and supports many kinds of known file systems and
DVR vendors' file systems. MPEG-4, H.264, H.265 and smartphone-specific codecs. Replay
of all video and reassembly of the recovered frames.

Product Highlights
• Recovery and analysis of video data
• Enhanced performance of recovery speed
• Intuitive user interface
• Data retrieval and report generation
Image & Video Forensic Tool
A Forensic Video Enhancement Software
AMPED FIVE provides a complete and unique solution to process and analyze digital images and video
data in a simple, fast and precise way through processing and analyzing both still and video images,
then utilizing a clear workflow to present evidence. It can help to dramatically reduce the time
required to process data and improves the success rate of various cases, from the restoration of
low-quality CCTV video to fingerprint analysis.
Image and Video Enhancement

Enhancement of image
and video from CCTV and
other sources
Image Authentication Tool
Amped Authenticate
It is a software package for forensic image authentication and tamper detection on digital photos.
Authenticate provides a suite of different tools to,
○ Determine the authenticity of an image
○ Discover tampered areas of a photo
○ Image ballistics tools to verify the camera used to shoot the image

Identification of tampered areas Detection of cloned objects


Face Forensic Software

Face Forensics Image Recognition Suite


Face Forensics’ f2 is a highly advanced face recognition system which provides both one-to-many and
one-to-one matching, as a complete application, an SDK, or as a web service. It will:

● Search a database to identify an unknown face


● Check an entire database, or multiple databases, for multiple records of the same person using different
names
● Detect and recognize faces in a video stream in a controlled environment
● Verify that an individual is who they claim to be
● Identify an individual from part of their face in a forensics or investigations environment
Let's take an example

Partial Face Recognition


Tattoo Recognition
For a copy of the presentation, use the link below:

https://bit.ly/ppt-request
Thank You

Samir Datt
Founder & CEO, ForensicsGuru
www.linkedin.com/in/samirdatt
9811818000

www.ForensicsGuru.com
