Lecture 1 Introduction to Digital Forensics

This document outlines a course on Digital Forensics, covering fundamental concepts, types of computer crimes, and the forensic investigation process. It emphasizes the importance of digital evidence collection, analysis, and legal considerations, as well as the various forensic types including computer, mobile, and network forensics. Additionally, it discusses the challenges faced in digital forensics and the techniques used to recover and analyze data.

Digital Forensics

Lecture 1
Introduction to Digital Forensics
COURSE INFORMATION
This module provides students with an
introduction to Digital Forensic Science and the
systematic process of acquiring, identifying,
analysing and reporting digital evidence.
Additionally, the topics of eDiscovery, Data
Retention, Data Disposal, Litigation, Internal
Investigations and Incident Response will be
discussed within the context of Digital Forensics.
COURSE INFORMATION
The module covers a variety of topics:
• Introduction to basic concepts of digital forensic
science
• Exploration of mobile, network and memory
forensics
• Examining the role of digital forensics in public
and private investigations
• Examining the potential benefits, limitations and
risks of digital forensics
• Increasing awareness of managerial issues
raised by the use of digital forensics
• Introduction to commercial and open-source
forensic tools
COURSE INFORMATION
• Textbook:
Guide to Computer Forensics and Investigations:
Processing Digital Evidence, 5th Ed, Cengage, B.
Nelson, A. Phillips, and C. Steuart, 2019
• Assignments:
There are two assignments designed to help reinforce
the material that has been covered in the lecture.
• Exams:
There will be an exam.
Objectives
• Define computer crime
• Define digital forensics and describe the
phases of a forensic investigation
• Describe ways in which corporations use
digital forensics
Introduction
• Computers are involved in crime in two
ways
– As the targets of misdeeds
– As weapons or tools of misdeeds
• Computer crimes can be committed
– Inside the organization
– Outside the organization
Overview of a Computer Crime
• Computer crime – a crime in which a computer,
or computers, play a significant part in the
execution of the crime.
• Computers can contain information that helps
law enforcement determine:
– Chain of events leading to a crime
– Evidence that can lead to a conviction
Overview of a Computer Crime
• Law enforcement officers should follow proper
procedure when acquiring the evidence
– Digital evidence can be easily altered by an
overeager investigator
• A potential challenge: information on hard disks
might be password protected, so forensic tools
may need to be used in your investigation
Examples of Computer Crimes
Types of Computer Crime
• Identity Theft
– Phishing
– Spyware
– Discarded information
• Hacking
– SQL injection
– Password cracking (e.g., Ophcrack)
• Cyberstalking and Harassment
Types of Computer Crime
(Cont.)
• Fraud
– Investment offer
– Privacy and intellectual property
• Non-Access Computer Crime
– DoS and DDoS
– Viruses
– Logic bombs
• Cyberterrorism
Crimes in Which Computers
Usually Play a Part
Types of Malware
• Malware – software designed to harm your
computer or computer security
– Viruses
– Worms
– Misleading e-mail
• Types of Malware
– Denial-of-service attacks
– Web defacing
– Malware bots
Viruses
• Computer virus (virus) – software that
was written with malicious intent to cause
annoyance or damage
• Worm – a computer virus that replicates
and spreads itself from computer to
computer
The Love Bug Worm
Stand-Alone Viruses
• Spoofing – forging of the return address on
e-mail so that it appears to come from
someone other than the sender of record
• Klez family of worms
– Introduced spoofing of sender and recipient
Trojan Horse Viruses
• Trojan horse virus – hides inside other
software, usually an attachment or
download
• Examples:
– Key logger (key trapper) software –
program that, when installed on a computer,
records every keystroke and mouse click
– Ping-of-Death DoS attack designed to crash
Web sites
Malware Bots
• Bot – a computer program that runs
automatically.
• Malware bots – bots that are used for
fraud, sabotage, denial-of-service attacks,
or some other malicious purpose
• Zombies (or drones) –
malware-bot-infected computers
Botnets and Rootkits
• Botnet – a network of malware-bot-infected
computers
• Rootkit – software that gives you
administrator rights to a computer or
network and whose purpose is to allow you
to conceal processes, files, or system data
from the operating system
Web Defacing
• Web defacing – maliciously changing
another’s Web site
• Electronic equivalent of graffiti
Cyber Criminals
• Hackers – knowledgeable computer users who
use their knowledge to invade other people’s
computers
• Thrill-seeker hackers – break into computer
systems for entertainment
• White-hat (ethical) hackers – computer security
professionals who are hired by a company to
uncover vulnerabilities in a network
• Black hat hackers – cyber vandals. They’re the
people who exploit or destroy information
Cyber Criminals
• Crackers – hackers for hire, are the people who
engage in electronic corporate espionage
– Social engineering – acquiring information
that you have no right to by means of
deception
• Hacktivists – politically motivated hackers who
use the Internet to send a political message
• Cyberterrorists – those who seek to cause harm
to people or destroy critical systems or
information
Protecting Cyberspace
• Targets of outside-in threats
• Possible threats
– Invalid access
– Malicious software
• Means of protection
– Build fences and walls
– Guard the gates
– Enforce identity and access management
– Hide the information
Digital Forensics
• Digital forensics – the scientific examination and
analysis of evidence held on or retrieved from
computer storage media for the purposes of
presentation in a court of law.
• The objective is to analyse the contents of a
computer in such a way that any information
obtained is suitable and acceptable for use as
evidence in a court of law
Digital Forensics
Forensic Computing
• Gathering and analysing data in a manner that is
totally free from distortion or bias and as
transparent as possible to reconstruct data or
obtain information on what has happened in the
past on a particular system.
• The use of an established and accepted process
to identify, preserve, and recover digital
information critical to an investigator.
Digital Forensics
Forensic Computing
• Certain legal considerations must be made when
performing a digital forensic analysis to ensure
that
– No laws are broken that would subject the investigator
to criminal or economic liability
– The evidence obtained is admissible in court
Forensic Investigation Process
Digital Forensic Research Workshop
(DFRWS, 2001)
• Identification
• Collection/Acquisition
• Preservation
• Examination & Analysis
• Presentation
Forensic Investigation Process
Forensic Types –
Computer Forensics
• Computer forensics is the process of acquiring
and analysing data stored on some form of
physical storage media.
– Includes the recovery of hidden and deleted data.
– Includes file identification, which is the process
used to identify who created a particular file or
message, when it was created, modified and
accessed.
Forensic Types –
Mobile Forensics
• Mobile forensics is the science of
recovering digital evidence from mobile
devices under forensically sound
conditions using accepted methods.
Network Forensics
• Network forensics is the process of
examining network traffic and data.
– Analysis of transaction logs
– More on incident response
– Real-time analysis via network
monitoring
• Compromise systems
• Sniffers
• Real-time tracing

Forensic Types –
Email Forensics
• E-mail forensics is the study of source and
content of electronic mail as evidence.
– It includes the process of identifying the actual
sender and recipient of a message, the date and time
it was sent, and where it was sent from.
– E.g. Outlook Express 4 – *.mbx
Outlook Express 5 & 6 – *.dbx
Microsoft Outlook – *.pst
Netscape – check inbox
Eudora Mail – *.mbx

Forensic Types –
Internet/Social Media Forensics
• Internet or Web Forensics is the process of
piecing together where and when a user
has been on the Internet.
– For example, it is used to determine whether
the download of pornography was accidental
or not.
– The information can be obtained from web
browser cache and history
• Index.dat

Digital Evidence
• Digital evidence is any information stored
or transmitted in binary form that may be
relied on in court.
• Real: HD, USB, etc.
• Documentary: Word files, emails, etc.
• Testimonial: System log files, history, etc.
• Demonstrative: Charts, pictures, etc.
• ISO 27037 Information technology -- Security
techniques -- Guidelines for identification,
collection, acquisition and preservation of digital
evidence
Volatility of Digital Evidence
Evidence that is only present while the computer is
running is called volatile evidence and must be
collected using live forensic methods.
This includes evidence that is in the system's RAM
(Random Access Memory), such as a program that
only is present in the computer's memory.
• Registers and cache
• Routing table
• ARP (Address Resolution Protocol) cache
• Process table
• Kernel statistics and modules
• Main memory
• Temporary file systems
• Secondary memory
• Router configuration
• Network topology
Information Security Principles
The “CIA” Principle:
⚫ Confidentiality
◦ Only authorized users can view information.
⚫ Integrity
◦ Internally consistent.
◦ Freedom from unauthorized changes.
⚫ Availability
◦ Resource is available for use when needed.
Computer Forensics Principles
Investigative Philosophy
Treat every incident as if it will end up in a criminal
prosecution.
• Maintaining Chain of Custody
– Make sure evidence is properly preserved
• Integrity of findings
– Documentation and report of the findings.

Computer Forensics Principles
• Evidential Integrity
– What is examined must be an exact copy of
the original.
– Use disk imaging techniques.
• Continuity of Evidence
– Requires that all actions taken during an
investigation be recorded.

Computer Forensics Principles
• Ability to reproduce evidence.
– Any copy created must be identical to the
original evidence.
– Use a Cyclic Redundancy Check (CRC) or
Message Digest (MD) hash to confirm.

©2004 NISER Computer Forensics
Rules of Digital Evidence
• Authenticity: Does the material come from where
it purports to come from?
• Reliability:
– Is it believable
– Is it consistent
• Completeness: Is the story complete?
• Freedom from interference and contamination:
Are the levels of interference and contamination
acceptable?
Daubert Standard
The “Daubert Standard” provides a systematic
framework for a trial court judge to assess the
reliability and relevance of expert witness
testimony before it is presented to a jury.
1. Empirical testing: the theory or technique must
be falsifiable, refutable, and testable.
2. Subjected to peer review and publication.
3. Known or potential error rate and the existence
4. The existence and maintenance of standards
and controls concerning its operation.
5. Degree to which the theory and technique is
generally accepted by a relevant scientific
community.
Daubert and Digital Forensics
Selection of your forensic analysis tools and techniques
should be made with the Daubert factors in mind:

• Testing:
– Has this software tool/procedure been tested?
• Error Rate:
– Is there a known error rate of the procedure?
• Tool Implementation Error is from bugs in the code or from
using the wrong specification.
• Publication:
– Has the tool/procedure been published and subject to peer
review?
– Is this a commercially offered tool/technique or something
developed in house?
– Open source vs. proprietary software
• Acceptance:
– Is this tool/technique used by experts in the field?
Digital Forensics and Other
Related Disciplines
• Investigating digital devices includes:
– Collecting data securely
– Examining suspect data to determine details such as
origin and content
– Presenting digital information to courts
– Applying laws to digital device practices
• Digital forensics is different from data
recovery
– Which involves retrieving information that was deleted
by mistake or lost during a power surge or server
crash
Digital Forensics and Other
Related Disciplines
• Forensics investigators often work as part
of a team, known as the investigations
triad
Investigations Triad
• Vulnerability/threat assessment and risk
management
– Tests and verifies the integrity of stand-alone workstations and
network servers
• Network intrusion detection and incident
response
– Detects intruder attacks by using automated tools and
monitoring network firewall logs
• Digital investigations
– Manages investigations and conducts forensics analysis of
systems suspected of containing evidence
Who needs Digital Forensics
Investigators?
• Digital forensics is used in
– The military for national and international
investigations
– Law enforcement, to gather electronic
evidence in criminal investigations
– Corporations and not-for-profits for internal
investigations
– Consulting firms that specialise in forensics
Organisations Use Digital
Forensics in Two Ways
1. Proactive education to educate
employees
2. Reactive digital forensics for incident
response
Proactive Education to Educate
Employees
• Proactive Education for Problem
Prevention
– What to do and not to do with computer
resources such as
• The purposes for which e-mail should be used
• How long it may be saved
• What Internet sites may be visited
Reactive Digital forensics for
Incident Response
• What to do if wrong-doing is suspected
and how to investigate it
– Encouraged by the Cyber and Data Protection
Act (2021), which expressly requires
implementation of policies to prevent illegal
activity and to investigate allegations promptly
Challenges to Digital
Forensics
• System complexity
HW, SW, OS, mobile, etc.
• Large volumes of data
Pictures, A/V, documents, etc.
• Distributed crime scenes
The Internet
• Law and Policy
International cooperation
• Limited resources
Digital forensics specialists
Techniques used
• Recovering data
Undeleting
Rescuing damaged media
• Uncovering hiding and scrambling
information
Steganography
Cryptography
• Email forensics
Email files
Tracing Email
Techniques used
• Computer forensics
Logs, directories, and Windows registry
Windows/Shell commands
• Mobile forensics
SIM/micro-SD cloning
• Network forensics
Sniffer: Wireshark
Port scanning: Nmap
Web proxy analysis: Splunk
Anti-Forensics
• Data destruction: Tools and defragment
• Data hiding: Dark data stored in hidden
partition
• Data transformation: Encryption or
steganography
• Data contraception: Data
stored in virtual memory
• Data fabrication
• File system alteration
• Anonymity surfing
Anti-Forensics
• Anti-forensics – destroying anything that may be
potential evidence
• Hackers may use specialized malware for defeating
evidence collection
• Additional methods for anti-forensics:
– Inserting malware programs in other files
– Using encryption to obfuscate malware programs
activated through other malware programs
– Using data-hiding utilities that append malware to
existing files
Anti-Forensics
• Other techniques affect file metadata by changing
the modify and last access times
• Changing timestamps can make it difficult to
develop a timeline of a hacker’s activities
• Calculating hash values of files and comparing the
results with known good files’ hash values can help
identify files that might have been altered
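The hash comparison described in the bullet above, and the CRC/Message Digest check in the "Ability to reproduce evidence" principle earlier in the lecture, as an added Python example (not part of the lecture): it streams a file through a hash, confirms a working copy is bit-identical to the original, and flags files whose digest differs from a known-good baseline. The image bytes, file names and baseline contents are constructed for the demo.

```python
# Added example (not from the lecture): hash-based evidential integrity checks.
import hashlib
import tempfile
import zlib
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB blocks so multi-GB images do not fill memory

def hash_file(path, algorithm="sha256"):
    """Hex digest of a file's contents, streamed block by block."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def crc32_file(path):
    """CRC32 as mentioned in the lecture; catches accidental damage, not deliberate edits."""
    crc = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            crc = zlib.crc32(block, crc)
    return f"{crc & 0xFFFFFFFF:08x}"

def verify_copy(original, copy, algorithm="sha256"):
    """Evidential integrity: the copy examined must hash identically to the original."""
    return hash_file(original, algorithm) == hash_file(copy, algorithm)

def find_altered(directory, known_good):
    """Return {name: digest} for files whose hash differs from, or is absent in, the baseline."""
    altered = {}
    for p in sorted(Path(directory).iterdir()):
        if p.is_file():
            digest = hash_file(p)
            if known_good.get(p.name) != digest:
                altered[p.name] = digest
    return altered

def demo():
    """Constructed sample: a tiny image, a faithful copy, a corrupted copy, one changed file."""
    tmp = Path(tempfile.mkdtemp())
    original = tmp / "evidence.dd"
    original.write_bytes(b"\x00" * 4096 + b"SAMPLE-BOOT-SECTOR" + b"\xff" * 4096)
    good_copy = tmp / "evidence_copy.dd"
    good_copy.write_bytes(original.read_bytes())
    bad_copy = tmp / "evidence_bad.dd"
    bad_copy.write_bytes(original.read_bytes().replace(b"BOOT", b"B00T"))
    sysdir = tmp / "system"
    sysdir.mkdir()
    (sysdir / "hosts").write_bytes(b"127.0.0.1 localhost\n")
    (sysdir / "config.ini").write_bytes(b"logging=on\n")
    known_good = {p.name: hash_file(p) for p in sysdir.iterdir()}  # baseline hashes
    (sysdir / "config.ini").write_bytes(b"logging=off\n")  # change made after the baseline
    return {
        "copy_ok": verify_copy(original, good_copy),
        "bad_copy_ok": verify_copy(original, bad_copy, "md5"),
        "crc_ok": crc32_file(original) == crc32_file(good_copy),
        "altered_files": sorted(find_altered(sysdir, known_good)),
    }
```

Record the digest of the original image in the chain-of-custody documentation at acquisition time, since a later match is only meaningful against a value written down before the copy was examined.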
Trends and Future
Directions
• Hardware
Mobile devices, cameras, Copiers, Network
Equipment, GPS, Vehicle recorder, etc.
• Software
File formats, SaaS, big data, software-defined
networking, etc.
• Technology evolution
Cloud computing, drones, etc.
• Legal environment
Regulation, location, ownership, etc.
Understanding Case Law
• Existing laws can’t keep up with the rate of
technological change
• When statutes don’t exist, case law is used
– Allows legal counsel to apply previous similar cases
to current one in an effort to address ambiguity in
laws
• Examiners must be familiar with recent court
rulings on search and seizure in the electronic
environment
Preparing for Digital
Investigations
• Digital investigations fall into two categories:
– Public-sector investigations
– Private-sector investigations
Understanding Law Enforcement
Agency Investigations
• When conducting public-sector
investigations, you must understand laws
on computer-related crimes including:
– Standard legal processes
– Guidelines on search and seizure
– How to build a criminal case
Understanding Private-Sector
Investigations
• Private-sector investigations involve private
companies and lawyers who address company
policy violations and litigation disputes
– Example: wrongful termination
• Businesses strive to minimize or eliminate litigation
• Private-sector crimes can involve:
– E-mail harassment, falsification of data, gender and
age discrimination, embezzlement, sabotage, and
industrial espionage
• Line of authority - states who has the legal right to
initiate an investigation, who can take possession of
evidence, and who can have access to evidence
Understanding Private-Sector
Investigations (Cont.)
• During private investigations, you search
for evidence to support allegations of
violations of a company’s rules or an
attack on its assets
• Three types of situations are common:
– Abuse or misuse of computing assets
– E-mail abuse
– Internet abuse
• A private-sector investigator’s job is to
minimize risk to the company
Preparing a Digital Forensics
Investigation
• The role of digital forensics professional is to
gather evidence to prove that a suspect
committed a crime or violated a company policy
• Collect evidence that can be offered in court or
at a corporate inquiry
– Investigate the suspect’s computer
– Preserve the evidence on a different computer
• Chain of custody
– Route the evidence takes from the time you find it
until the case is closed or goes to court
Procedures for Private-Sector
High-Tech Investigations
• As an investigator, you need to develop
formal procedures and informal checklists
• Cases of investigation
– Employee termination
– Internet abuse
– Email abuse
– Attorney-client privilege
– Industrial espionage
– Interview and interrogations in hi-tech
Data Recovery Workstations
and Software Guidelines
• Investigations are conducted on a computer
forensics lab (or data-recovery lab)
– In data recovery, the customer or your company just
wants the data back
• Computer forensics workstation
– A specially configured PC
– Loaded with additional bays and forensics software
• To avoid altering the evidence:
– When you start any OS while you are examining a
hard disk, the OS alters the evidence disk
– Use write-blocker devices
• These enable you to boot to Windows without writing data to the
evidence drive
Thank you!
