Unit I to V
Syllabus:
Forensic Science – Digital Forensics – Digital Evidence – The Digital Forensics Process –
Introduction – The Identification Phase – The Collection Phase – The Examination Phase – The
Analysis Phase – The Presentation Phase
1. Forensic Science:
● Forensic science emerged as a distinct discipline during the 19th and early 20th centuries.
● Pioneers like Mathieu Orfila, Alphonse Bertillon, Francis Galton, Hans Gross, Albert S.
Osborn, Leone Lattes, and Edmond Locard made significant contributions to its
development.
● Their work in toxicology, anthropometry, fingerprinting, document examination, blood
analysis, and crime scene investigation laid the foundation for modern forensic
techniques.
● Edmond Locard's exchange principle asserts that whenever someone or something comes
into contact with another person or object, there is an exchange of materials between
them.
● This principle underpins much of forensic science, as it suggests that evidence can be
transferred between individuals, objects, or locations during a criminal act, providing
valuable clues for investigators.
Crime Reconstruction:
● By analyzing physical evidence, witness statements, and other relevant information,
investigators can reconstruct the actions and events leading up to and following the
commission of a crime.
● Crime scene reconstruction helps investigators understand how and why a crime
occurred, aiding in the identification of suspects and the presentation of evidence in
court.
Investigations:
Evidence Dynamics:
● Evidence dynamics refers to the changes and interactions that occur with physical or
digital evidence over time.
● These dynamics can include additions, alterations, relocations, contamination, or
destruction of evidence, whether intentional or unintentional.
● Understanding evidence dynamics is essential for preserving the integrity of evidence and
accurately interpreting its significance in an investigation or legal proceeding.
2. Digital Forensics:
● Digital forensics involves the use of scientifically derived methods for the preservation,
collection, analysis, and interpretation of digital evidence from various sources. Its
primary aim is to reconstruct criminal events or anticipate unauthorized actions that
disrupt planned operations.
● Terms like network forensics, device forensics, and Internet forensics are used to denote
specialized areas within digital forensics, reflecting the diverse range of digital sources
and technologies involved.
● The ubiquity of digital technology in society has elevated the importance of digital
forensics, as evidenced by its increasing relevance in legal cases involving mobile
devices, financial transactions, emails, Internet activities, and GPS systems.
● Digital archaeology refers to traces of human behavior in computer systems, while digital
geology pertains to traces generated by the inherent processes of computer systems
themselves.
● Understanding both digital archaeology and digital geology is crucial for interpreting
digital evidence accurately and comprehensively.
● Forensic scientists play a vital role in establishing factual answers to legal problems
through the rigorous processing and analysis of digital evidence.
● This responsibility necessitates adherence to strict standards and procedures to ensure the
integrity of the investigation and the reliability of its conclusions.
● Digital forensics is applicable in both criminal law and private law contexts, serving as a
crucial tool for law enforcement agencies investigating crimes and organizations
addressing incidents such as policy violations.
● Incidents in digital forensics encompass digital events or sequences of events, with the
scene of the incident analogous to a traditional crime scene.
● Crime reconstruction in digital forensics involves a five-step process for event-based
reconstruction, including evidence examination, role classification, event construction
and testing, event sequencing, and hypothesis testing.
● This method can be applied using physical or virtual testbeds to simulate experiments and
validate hypotheses in digital forensic investigations.
3. Digital Evidence:
● Digital evidence encompasses any digital data containing reliable information that can
either support or refute hypotheses regarding an incident or crime.
Layers of Abstraction:
● Digital evidence analysis often involves navigating through layers of abstraction, where
higher layers conceal implementation details to reduce complexity.
● Forensic analysts must be capable of analyzing data at various layers of abstraction to
extract relevant evidence effectively.
Metadata:
● Understanding and addressing error, uncertainty, and loss are essential for forensic
scientists, as they can significantly impact the interpretation of digital evidence.
● Factors like timestamp inaccuracies, geographical location uncertainties, and data
ownership complexities must be carefully considered to avoid misinterpretation.
● The SpyEye case serves as a comprehensive real-world example of online bank fraud,
illustrating the complexity and scale of such cybercrimes.
● The case involved the creation and distribution of malware infecting millions of
computers worldwide, compromising numerous bank accounts and causing substantial
financial losses.
● It highlights the multi-layered nature of cybercrime investigations, involving
collaboration between law enforcement agencies and cybersecurity experts to combat
sophisticated criminal operations.
4. The Digital Forensics Process:
The digital forensic process outlined in this textbook provides a normative framework for
conducting digital forensics investigations. It draws upon the structure of traditional physical
forensics investigations while encompassing all necessary phases. These phases span from the
initial notification of an incident through the reporting stage to the final presentation of findings.
Adherence to a defined process is crucial for identifying digital objects that reflect relevant facts,
whether in criminal or civil courts of law, or in corporate and private investigations. This process
functions as a component of a quality assurance system for digital forensics.
The process is delineated into five consecutive but iterative phases, each serving a distinct
purpose: identification, collection, examination, analysis, and presentation.
5. Introduction:
Evolution of Cybercrime:
● Over the past decade, cybercrime has undergone significant evolution driven by factors
such as technologically adept attackers, advanced technology, and strong incentives.
● Cybercriminals now execute sophisticated attacks exploiting extensive digital networks
and numerous endpoints simultaneously, leading to data breaches and disclosures.
● The prevalence of cybercrime underscores the necessity for well-defined forensic
investigation processes and appropriate tools to investigate incidents effectively.
● The uncertainties associated with digital evidence, stemming from both accidental and
deliberate factors, must be addressed in forensic investigations.
● Example 2.1 illustrates the complexities involved in determining the origin and
authenticity of digital evidence, highlighting the challenges investigators face.
● The dynamic nature of the digital landscape necessitates continual adaptation of digital
forensics practices.
● While cybercrimes may evolve in complexity, the tools available to investigators also
advance, aiding in the investigation process.
Principles of a Forensics Process:
● Digital evidence, defined in alignment with Carrier and Spafford (2004a, 2004c),
encompasses any digital data supporting or refuting hypotheses about incidents or crimes.
● The digital forensics process involves identifying potential evidence sources, collecting
digital raw data, examining and analyzing the data, and presenting findings to courts or
relevant entities.
● The digital forensics process is iterative, often requiring multiple iterations for different
potential evidence sources.
● Each source undergoes collection, examination, and analysis phases, with simultaneous
analysis of data from multiple sources to establish correlations and form conclusive
evidence.
Incidents come to light through various means such as complaints, alerts, or other indicators. The
identification phase, as defined in Definition 2.1, serves as the cornerstone for all subsequent
phases or activities during a digital investigation. It helps determine which evidence or objects to
focus on, leading to the formation of a hypothesis about the event or crime.
Preparations and Deployment of Tools and Resources
Effective planning is essential to ensure the efficiency and success of an investigation,
regardless of its nature. This section emphasizes the importance of proper preparation before an
incident occurs. It highlights the need for a well-trained investigative team and access to
necessary resources and tools. Additionally, guidelines for establishing a forensics laboratory
and evaluating forensic tools' integrity and compliance with evidence standards are discussed.
The First Responder
The first responder, typically a police officer in criminal cases, plays a crucial role in
handling potential evidence, including digital devices, at the scene of an incident. Standard
operating procedures (SOPs) are essential to guide evidence identification activities and
maintain evidence integrity. Example 2.2 underscores the importance of adhering to proper
procedures to avoid compromising evidence, as demonstrated by a real-life case.
At the Scene of the Incident
Understanding the characteristics of a digital crime scene and ensuring proper preservation of
evidence are key aspects discussed in this section. Whether in a private home or a corporate
setting, identifying and securing potential evidence sources is crucial. The section also
emphasizes the need for meticulous documentation throughout the investigation process.
Dealing with Live and Dead Systems
Differentiating between live and dead systems is vital in digital forensics investigations.
Special precautions must be taken to prevent data loss or alteration, whether a system is
powered on or off. Considerations for preserving evidence integrity and minimizing the risk of
unintended changes are discussed.
Chain of Custody
Maintaining the chain of custody is paramount for ensuring the admissibility of evidence in
legal proceedings. Proper documentation of handling procedures, including who handled the
evidence, when and how it was acquired, and any changes made, is essential. The section
stresses the importance of integrity checks and timestamps to support the chain of custody and
mitigate the risk of evidence exclusion from a case.
6. The Collection Phase:
Introduction
The collection phase in digital forensics involves acquiring relevant data from electronic devices
using forensically sound methods. This phase is crucial for obtaining evidence for a forensic
investigation.
Key Points
1. Purpose of Collection Phase: The collection phase involves making a digital copy of
data using approved methods to ensure forensic soundness.
2. Metadata: Metadata about the case should be tied to potential evidence, including case
details, timestamps, and location information.
3. Example Case: The SpyEye online banking fraud case illustrates the variety of potential
evidence sources, including victim computers, bank records, malware evidence, server
logs, and network monitoring data.
4. Sources of Digital Evidence: Digital evidence can be found in various sources such as
hard drives, flash drives, memory, smartphones, computer networks, and the Internet.
5. Physical Location of Systems: In cases where systems cannot be moved, data must be
collected at their physical location.
6. Multiple Evidence Sources: Digital evidence is often distributed across multiple devices
and locations.
7. Evidence Reconstruction: Media storing data may be damaged intentionally or
unintentionally, requiring data recovery techniques.
8. Evidence Integrity: Maintaining evidence integrity is critical, achieved through
measures like write blockers and cryptographic hashes.
9. Order of Volatility: Prioritizing data collection based on the volatility of data sources
helps preserve critical evidence.
10. Dual-Tool Verification: Using multiple forensic tools to verify results enhances
confidence in the integrity of collected evidence.
11. Remote Acquisition: Remote forensic acquisition allows for faster investigation but
presents challenges such as data transmission over networks and reduced trust.
12. Global Cooperation: In multinational cases, collaboration between forensic units from
different countries is essential for successful investigations.
Conclusion
The collection phase is a fundamental step in digital forensics, involving the acquisition of data
from various sources using approved methods. Ensuring evidence integrity, prioritizing data
collection, and leveraging global cooperation are essential for successful investigations.
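The integrity checks and timestamps called for under Chain of Custody above, together with the cryptographic hashes and dual-tool verification listed for the collection phase, as an added example that is not code from the textbook these notes summarise. The ledger layout (field names, the back-link from each entry to the previous one) and the case identifier are my own constructed choices; the image bytes are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a bit-for-bit image acquired through a write
# blocker. Any bytes serve; the example is about hashing and the ledger.
SAMPLE_IMAGE = b"boot sector placeholder " + bytes(range(256)) * 4


def hash_evidence(data: bytes) -> dict:
    """Two independent digests (MD5 and SHA-256) of the evidence bytes.

    Recording both is the hashing counterpart of dual-tool verification:
    a copy is accepted only when both values match the acquisition record.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


class ChainOfCustody:
    """Append-only custody ledger for one evidence item.

    Every entry records who held the item, when (UTC), what happened, and
    the hashes re-computed at that moment. Each entry also carries the
    SHA-256 of the previous entry, so that a later edit to any entry
    breaks the chain and is detected by ledger_intact().
    """

    def __init__(self, case_id: str, item_id: str, data: bytes, custodian: str):
        self.case_id = case_id
        self.item_id = item_id
        self.acquisition_hashes = hash_evidence(data)  # reference values
        self.entries = []
        self._append(custodian, "acquired", data)

    def _append(self, custodian: str, action: str, data: bytes, note: str = ""):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        hashes = hash_evidence(data)
        entry = {
            "case_id": self.case_id,
            "item_id": self.item_id,
            "custodian": custodian,
            "action": action,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "hashes": hashes,
            "verified": hashes == self.acquisition_hashes,
            "note": note,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def transfer(self, to_custodian: str, data: bytes, note: str = "") -> dict:
        """Record a hand-over; the receiver re-hashes the item on receipt."""
        return self._append(to_custodian, "received", data, note)

    def ledger_intact(self) -> bool:
        """Re-derive every entry hash and every back-link."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev_entry_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            expected = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if expected != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo_custody() -> ChainOfCustody:
    """Walk one item from the scene to the lab; the third hand-over carries
    a copy with a single flipped byte and fails verification."""
    coc = ChainOfCustody("CASE-0000 (constructed)", "HDD-01", SAMPLE_IMAGE,
                         "first responder")
    coc.transfer("forensic lab", SAMPLE_IMAGE, "sealed evidence bag")
    altered = bytearray(SAMPLE_IMAGE)
    altered[100] ^= 0x01  # one flipped byte in the working copy
    coc.transfer("analyst", bytes(altered), "working copy on analysis host")
    return coc
```

A failed `verified` flag on receipt is exactly the event the chain-of-custody record must make visible; the back-linked entry hashes keep the record itself from being quietly rewritten afterwards.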
7. The Examination Phase:
The Examination Phase in digital forensics is a critical step in the process, where collected data
is carefully examined and prepared for analysis. Let's break down some key points from the text:
1. Purpose: The examination phase aims to retrieve relevant potential digital evidence from
collected data sources.
2. Preparation and Extraction: This phase involves preparing and extracting potential
digital evidence from the collected data sources. Digital forensics tools are often used to
automate these tasks, but manual examination is also important for experienced forensic
investigators.
3. Triage: Triage is crucial when dealing with large volumes of data, helping to identify the
most relevant data quickly based on the severity of the case and available resources.
4. Data Examination Techniques: Various techniques such as file hashing, keyword
searches, and metadata extraction are employed to structure and organize data for
analysis.
5. Forensic File Formats: Different file formats are used to store collected data, each with
its own impact on forensic analysis effectiveness. Formats like EnCase, SMART, AFF,
and Prodiscover add more information and flexibility to extracted data.
6. Data Recovery: Even deleted files can often be recovered from storage areas,
highlighting the importance of documenting actions to maintain evidence integrity.
7. Data Reduction and Filtering: Techniques like hash lookup and known file databases help
filter out irrelevant files, reducing the total amount of data for analysis.
8. Timestamps: Recording correct timestamps aids in correlating data across multiple
sources, though adjustments may be needed for time zone differences.
9. Compression, Encryption, and Obfuscation: Compressed and encrypted files must be
handled appropriately during examination, which may involve decompression or
decryption. Obfuscation techniques like steganography add complexity to forensic
analysis.
10. Data and File Carving: Tools and techniques are used to parse and carve unstructured and
raw binary data, helping to recover potentially valuable evidence from collected data sources.
11. Automation: Automation plays a significant role in the examination phase, reducing the
manual workload and improving efficiency through tasks such as file parsing and string
searches.
By following these steps and employing various techniques and tools, forensic investigators can
effectively examine and prepare digital evidence for further analysis and investigation.
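Data and file carving (item 10) combined with hash-lookup filtering against a known-file database (item 7), as an added example that is not code from the textbook these notes summarise. The signature table, the sample files, the "unallocated space" buffer and the known-good hash set are all constructed for the example.

```python
import hashlib

# Header/footer signatures for carving. Constructed minimal set; a real
# examination tool ships hundreds of these.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

# Constructed sample files and a constructed "unallocated space" buffer
# that contains them between runs of filler bytes.
PNG_BLOB = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
            + b"IEND\xaeB`\x82")
JPG_BLOB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
FILLER = b"\x00" * 64 + b"UNALLOCATED " * 4
SAMPLE_UNALLOCATED = (FILLER + PNG_BLOB + FILLER + JPG_BLOB + FILLER
                      + PNG_BLOB + FILLER)

# Constructed known-file hash set (NSRL-style): the PNG stands in for a
# stock icon that ships with the OS, so every copy of it can be filtered out.
KNOWN_GOOD = {hashlib.sha256(PNG_BLOB).hexdigest()}


def carve(raw: bytes, signatures=SIGNATURES, max_size: int = 10_000_000):
    """Header/footer carving over unstructured bytes.

    Returns a list of (file_type, offset, data) sorted by offset. Files
    that are fragmented on disk, or whose footer is missing, are not
    recovered by this simple method; that is a known limit of carving.
    """
    found = []
    for ftype, (head, foot) in signatures.items():
        pos = 0
        while True:
            start = raw.find(head, pos)
            if start == -1:
                break
            end = raw.find(foot, start + len(head))
            if end == -1 or end - start > max_size:
                # No plausible footer: skip this header and keep scanning.
                pos = start + 1
                continue
            end += len(foot)
            found.append((ftype, start, raw[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def filter_known(carved, known_hashes):
    """Hash lookup: split carved files into (to_review, ignored).

    Each tuple is (file_type, offset, sha256). Files whose digest is in
    the known set are dropped from review, reducing the analyst's workload.
    """
    review, ignored = [], []
    for ftype, offset, data in carved:
        digest = hashlib.sha256(data).hexdigest()
        target = ignored if digest in known_hashes else review
        target.append((ftype, offset, digest))
    return review, ignored


def examine(raw: bytes = SAMPLE_UNALLOCATED):
    """Carve, then filter; returns only the items left for manual review."""
    review, _ignored = filter_known(carve(raw), KNOWN_GOOD)
    return review
```

Both the carved offsets and the digests belong in the examination notes, since they are what lets a second tool (or a second examiner) reproduce the result.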
8. The Analysis Phase:
The Analysis Phase in digital forensics is where forensic investigators delve deep into the
collected data to determine the digital evidence that supports or refutes a hypothesis regarding a
crime, incident, or event. Here's a breakdown of key points from the text:
1. Purpose: The analysis phase involves processing information to determine the facts
about an event, the significance of the evidence, and the person(s) responsible.
2. Techniques Used: Techniques such as statistical methods, manual analysis, data format
understanding, data mining, and timelining are employed during analysis. Computational
methods and machine learning are also applied for automating analysis tasks and
recognizing patterns.
3. Iterative Process: The analysis phase is iterative, with investigators forming and testing
hypotheses about the case, often requiring the collection of additional data objects until
the results are sufficient for the investigation's purpose.
4. Layers of Abstraction: Different layers of data interpretation exist, such as what
end-user applications see, what the operating system sees, and what is stored in bits and
bytes on the storage device. Understanding these layers is crucial for accurate analysis.
5. Evidence Types: The type of evidence depends on the nature of the crime. Examples
include email communications, malicious applications, and data related to cybercrimes or
physical crimes.
6. String and Keyword Searches: String and keyword searches simplify analysis, allowing
investigators to search for specific information relevant to the case, such as names,
addresses, or sensitive data like Social Security or credit card numbers.
7. Anti-Forensics: Anti-forensics techniques are used to make forensic analysis more
challenging. Examples include computer media wiping, encryption, obfuscation, and
steganography.
8. Automated Analysis: Automation plays a significant role in analyzing large data
volumes and obfuscated malware. Computational forensics methods, data mining, and
forensic analytics are employed to identify and analyze relevant evidence.
9. Timelining of Events: Timelining helps in understanding the sequence of events,
especially useful in criminal investigations. File and system logs, along with physical and
digital events, contribute to creating timelines.
10. Graphs and Visual Representations: Graphs and visual representations help in
understanding relationships between data objects, individuals, and network interactions,
aiding in investigative analysis.
11. Link Analysis: Link analysis is used to identify and visualize relationships among
interconnected objects, providing insights into complex networks of data. It's valuable in
various domains, including digital forensics, law enforcement, and intelligence.
By employing these techniques and tools, forensic investigators can effectively analyze digital
evidence to uncover crucial insights and facts about a case, helping to support or refute
hypotheses and identify responsible parties.
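Timelining of events (item 9), including the time-zone and clock-skew adjustments that the examination phase notes call for when timestamps are correlated across sources, as an added example that is not code from the textbook these notes summarise. The three log sources, their formats, the UTC-5 workstation zone and the 37-second skew are all constructed values.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed events from three sources; each records time differently.
FIREWALL_LOG = [  # ISO 8601, already in UTC
    "2024-03-10T08:02:17Z DENY src=10.0.5.23 dst=203.0.113.9:4444",
    "2024-03-10T08:05:40Z ALLOW src=10.0.5.23 dst=203.0.113.9:443",
]
WEB_ACCESS_LOG = [  # Apache combined style, local time with numeric offset
    '198.51.100.7 - - [10/Mar/2024:10:01:55 +0200] "GET /login HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2024:10:04:12 +0200] "POST /upload HTTP/1.1" 201 88',
]
# Workstation file-system times are naive local time (UTC-5). During
# collection the examiner noted the host clock was 37 s slow, so that
# skew is added back when the times are normalised.
WORKSTATION_MTIMES = [
    ("C:\\Users\\jdoe\\Downloads\\invoice.exe", "2024-03-10 03:05:01"),
]
WORKSTATION_TZ = timezone(timedelta(hours=-5))
WORKSTATION_SKEW = timedelta(seconds=37)

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]+)" (\d{3})')


def parse_firewall(line: str):
    """'2024-03-10T08:02:17Z ...' -> (aware UTC datetime, source, text)."""
    ts, rest = line.split(" ", 1)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return (when.astimezone(timezone.utc), "firewall", rest)


def parse_web(line: str):
    """Apache-style line; the %z directive consumes the '+0200' offset."""
    m = WEB_RE.match(line)
    if not m:
        raise ValueError(f"unparsed web log line: {line!r}")
    when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    desc = f"{m.group(1)} {m.group(3)} -> {m.group(4)}"
    return (when.astimezone(timezone.utc), "web", desc)


def parse_mtime(path: str, local_ts: str, tz=WORKSTATION_TZ, skew=WORKSTATION_SKEW):
    """Naive local time -> UTC, then correct the recorded clock skew."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    when = naive.replace(tzinfo=tz).astimezone(timezone.utc) + skew
    return (when, "workstation", f"mtime {path}")


def build_timeline():
    """Merge all sources into one list ordered by UTC time."""
    events = [parse_firewall(line) for line in FIREWALL_LOG]
    events += [parse_web(line) for line in WEB_ACCESS_LOG]
    events += [parse_mtime(path, ts) for path, ts in WORKSTATION_MTIMES]
    return sorted(events, key=lambda e: e[0])


def render(timeline):
    """One line per event, all stamps shown in UTC so they can be compared."""
    return [f"{t:%Y-%m-%dT%H:%M:%SZ} [{src}] {desc}" for t, src, desc in timeline]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
```

Without the zone and skew corrections the workstation write would appear hours before the web upload; with them it falls between the upload and the allowed outbound connection, which is the ordering the analyst actually has to reason about.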
9. The Presentation Phase:
The Presentation Phase in digital forensics involves sharing the results of the analysis phase
through reports with interested parties, such as a court of law or corporate management. Here's a
breakdown of key points from the text:
1. Purpose: The presentation phase is about documenting and presenting the results of the
investigation, based on objective findings with a sufficient level of certainty. It involves
summarizing findings and describing all actions taken during the investigation in a clear
and understandable manner.
2. Final Reports: The final report should include relevant case management information,
such as roles and tasks assigned, executive summaries of information sources and
evidence, forensic acquisition and analysis details reflecting chain of custody and
evidence integrity, visualizations, tools used, and findings. While digital forensics tools
have reporting functionality, the investigator must ensure that the report is understandable
to a third party and sufficiently documents reproducibility.
3. Presentation of Evidence: Visual aids such as diagrams, graphics, and timelines are
valuable for presenting complex information in an accessible way. Visualizations help
identify patterns and information that may not be immediately obvious from text alone.
4. Chain of Custody: Documenting the chain of custody is crucial for maintaining the
integrity of the evidence presented in court. It ensures that all activities conducted during
the investigation are documented and can be verified. Failure to document the chain of
custody could compromise the trust in the authenticity and integrity of the evidence in
court.
5. Final Presentation: The documented evidence, methods used, and expert testimony form
the basis of the final presentation to a court of law or corporate audience, depending on
the context of the investigation.
UNIT II
DIGITAL CRIME AND INVESTIGATION
Syllabus:
Digital Crime – Substantive Criminal Law – General Conditions – Offenses – Investigation
Methods for Collecting Digital Evidence – International Cooperation to Collect Digital Evidence
The Cybercrime Convention categorizes criminal offenses into four main groups:
Additionally, the Convention addresses aiding, abetting, and attempt to commit offenses (Article
11) and corporate liability (Article 12), holding legal entities accountable for committing
offenses.
Article 13 mandates that crimes must be punishable by effective, proportionate, and dissuasive
sanctions, including deprivation of liberty. The national legal provisions prescribe maximum
penalties for each offense, ensuring consistency in sentencing practices. However, actual
punishment may vary between jurisdictions due to differences in legal principles, social and
cultural traditions. To address disparities, some jurisdictions develop sentencing guidelines or
appoint advisory bodies to suggest standard rates for certain offenses.
3. General Conditions:
To secure a conviction for a criminal offense, certain conditions must be met, encompassing both
objective and subjective elements:
1. Objective Conditions of the Offense:
○ The act must be defined as criminal by law, specifying its scope and parameters.
○ This includes the "When, Where, and How" aspects of the offense.
2. Subjective Conditions of Intent:
○ The individual must have acted with intent (dolus), signifying awareness and
volition.
○ Intent is inferred from words like knowingly, intentionally, or forsett.
○ It must cover all objective conditions and pertains to the "Why" aspect of the
offense.
3. Criminal Capability:
○ The individual must meet age and mental capacity requirements determined by
law.
○ Primarily addresses the "Who" aspect of the offense.
4. Absence of Legal Justifications:
○ No circumstances should render an otherwise criminal act lawful, such as
emergency situations.
○ Concerns the "When, Where, How, and Why" of the offense.
5. Moment of Committing the Act:
○ All conditions must be fulfilled by the perpetrator at the time of committing the
crime.
○ Time frame ranges from split-second actions to prolonged behaviors.
6. Subjective Condition and Interpretations:
○ Unintentional actions do not lead to criminal liability.
○ Good intentions do not negate criminal intent.
○ Error regarding relevant facts negates intent.
○ Proof of intent is crucial for establishing liability.
7. Attempt, Aiding, and Abetting:
○ Attempt requires action with intent to complete the crime.
○ Aiding and abetting involve intentionally assisting or encouraging the main
perpetrator.
○ Organized crime liability can extend beyond direct involvement.
8. Individual Judgment and Punishment:
○ Each suspect is judged based on their actions and intent.
○ Punishment is individually determined but tends to be uniform for similar
offenses.
9. Legal Application and Jurisdictional Variations:
○ Legal provisions vary across jurisdictions, impacting the elements required for
conviction.
○ Evidence must align with the specific legal requirements of the jurisdiction trying
the case.
Understanding and applying these conditions systematically is essential for building a case and
ensuring the proper adjudication of criminal offenses.
4. Offenses:
The Cybercrime Convention aims to address offenses against the confidentiality, integrity, and
availability of computer data and systems. Here's a summary of key points regarding these
offenses:
1. Focus on Data Protection: The convention prioritizes the protection of computer data
rather than physical equipment. Computer data is broadly defined to include any
representation of facts, information, or concepts processed by a computer system.
2. Definition of Computer Data and System: Computer data encompasses user-generated
content and program files, while a computer system includes any device or group of
interconnected devices that automatically process data.
3. Illegal Access and Interception: Offenses such as illegal access and interception are
addressed by the convention. Illegal access refers to gaining unauthorized access to a
computer system, often by circumventing security measures. Illegal interception involves
capturing non-public transmissions of computer data without authorization.
4. Security Measures: National legislation may require offenses to involve the
infringement of security measures for them to be considered illegal access.
Circumvention of security measures can occur through password intrusion or exploiting
system vulnerabilities.
5. Protection of Communication: Illegal interception protects private communications,
whether they occur between different systems or within a computer system itself. This
includes safeguarding against keystroke loggers and other methods used to intercept
sensitive information.
6. Protection Levels: Articles 2 and 3 of the convention provide different levels of
protection. Article 2 protects against illegal access to computer systems, while Article 3
protects against the interception of non-public data during transmission.
7. Completion of Offenses: An offense under Article 2 is completed once access has been
gained, whereas an offense under Article 3 is completed when interception succeeds.
Both articles may apply to successive steps of criminal activity, along with Article 5,
which covers system interference.
8. Information Fencing: While Articles 2 and 3 do not directly protect property rights to
data, the concept of information fencing has developed in national legal systems.
Information fencing involves dealing unlawfully with stolen or copied data, especially if
it has economic value.
9. Password Intrusion vs. Identity Theft: Password intrusion differs from identity theft, as
it involves breaching computer security rather than interfering with the right to private
life. The immediate victim of password intrusion is the owner of the password, not a third
party defrauded by identity theft.
10. Interference with Security Measures: There is debate over whether automatic
circumvention of security measures, such as CAPTCHA, constitutes illegal access. The
interpretation may depend on technical hindrances, contractual conditions, and social
norms within national legal rules.
11. Definition of Access: "Access" is interpreted to imply control over a computer system or
user account. Sending emails or files to a system is not considered access unless it is done
without right, such as through a Trojan attachment.
12. Data and System Interference: Articles 4 and 5 of the convention address damaging,
deletion, alteration, or suppression of computer data (Article 4) and serious hindrance to
the functioning of a computer system (Article 5). These offenses supplement traditional
vandalism provisions and cover actions such as DDoS attacks and insertion of malware.
● Article 4 covers any interference with computer data, but if the interference affects the
computer system itself, it might be considered vandalism under traditional provisions or
serious hindrance under Article 5.
● Examples of actions covered by Article 4 include deleting a user registry on a cloud
service, changing passwords, replacing files with defacing web pages, or encrypting files
for extortion.
● If the hindrance to the system's functioning is not serious, traditional vandalism
provisions may apply instead of Article 5.
● Article 4 primarily deals with interference with user-generated content, such as Word
files and PowerPoint presentations.
● The difference between physical and informational items affects the interpretation of
dealing with passwords or similar data. Technical assistance for password cracking or
sharing passwords with others falls under the provision.
In the context of criminal procedure and digital forensic investigations, several key points are
worth noting:
● The main aim of a criminal investigation is to collect evidence to identify suspects and
prove or disprove alleged crimes.
● Each investigative step must be justified based on the nature of the crime and specific
circumstances, preventing arbitrary interference and waste of resources.
● The principle of relevancy applies to every investigative method, including digital
evidence collection.
● Digital investigations should adhere to the digital forensic process to ensure forensic
soundness, evidence integrity, and chain of custody.
● The digital forensic process must fit into the framework of procedural criminal law,
considering relevancy, legality, and the right to a fair trial.
● Search involves looking for evidence, while seizure means taking control over it.
● In the digital forensic process, the distinction between search and seizure might not be
apparent; legal definitions are determined by conditions in procedural law.
● In a scenario where police seize a suspect's laptop, the crucial point in time determines
whether the data is seized or not.
● Seizure triggers the suspect's legal right to challenge it, potentially leading to the return of
the seized material if a court deems it irrelevant.
● Tension can arise between the digital forensic process and legal rules, especially
regarding when data is considered seized and subject to challenge.
● Terms like "securing data" may have different meanings in multidisciplinary teams,
leading to misunderstandings, especially regarding breaches of procedure.
● Whether a deviation from the digital forensic process affects the admissibility of evidence
depends on national legal rules and principles of fair trial.
● According to the Cybercrime Convention's Article 32(a), a party can access publicly
available stored computer data without authorization from another party, regardless of its
geographical location.
● "Publicly available (open source) stored computer data" refers to data accessible to the
public, such as information on websites or services that anyone can access without
restrictions.
● Law enforcement officials can subscribe to or register for services available to the public
to access data for investigative purposes.
● The term "stored" excludes real-time methods like interception, and the data must be
publicly available.
● There might be ambiguity in interpreting the term "stored" in the context of dynamic
technical developments, but it should be understood in light of the convention's purpose
and national legal rules.
● The convention neither authorizes nor prohibits the use of fake identities for undercover
operations, but international cooperation procedures can be utilized to organize and
coordinate such operations.
● Article 19 of the Cybercrime Convention regulates search and seizure, emphasizing the
need to confine these methods within the territory.
● The provision outlines the authority to search computer systems, storage media, and seize
computer data, including the power to make copies, maintain data integrity, and render
data inaccessible or remove it from accessed systems.
● Distinctions are made between physical equipment and computer data, with both subject
to search and seizure.
● Digital devices and storage media may be seized during a house search and must be
documented to maintain the chain of custody.
● Once data relevant to the investigation is secured, seizure of equipment must be lifted,
unless other reasons justify its retention.
● Legal provisions must permit the securing of computer data as evidence independent of
the digital equipment.
● Questions arise regarding when data is seized, the obligation to seize data through
copying, routine application of hash analysis, and the need for separate permissions for
searching digital devices seized for evidentiary purposes.
● The Convention obligates parties to empower criminal investigators to order individuals
with knowledge of computer systems to provide login information, but the extent of this
obligation regarding decryption is unclear.
● Physical coercion to obtain access data requires a separate legal basis and is not currently
provided for in Norwegian procedural law.
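The routine hash analysis and chain-of-custody documentation described above, as an added example that is not part of the course notes: the seized data below is constructed in memory, and the record format is an assumption made for the example.

```python
"""Added example (not from the course notes): routine hash analysis for seized data.

Article 19 lets investigators copy computer data and requires the data's integrity
to be maintained; the notes also mention routine hash analysis and chain-of-custody
documentation. This script models that workflow: hash the data at acquisition,
record it in a custody log, and later verify any working copy against that digest.
All data below is constructed; there is no real evidence here.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "disk image" standing in for seized data.
SEIZED_IMAGE = b"constructed sample image contents \x00\x01\x02" * 1000


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the data; sha256 is a common choice for evidence verification."""
    return hashlib.new(algorithm, data).hexdigest()


def custody_record(item_id: str, data: bytes, examiner: str, action: str) -> dict:
    """One chain-of-custody entry: who did what to which item, when, and the hash observed.

    The field names are an assumption for this example, not a standard format.
    """
    return {
        "item_id": item_id,
        "action": action,
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": digest(data),
        "size_bytes": len(data),
    }


def verify_copy(record: dict, copy_data: bytes) -> bool:
    """True only if the copy hashes to the value recorded at acquisition."""
    return digest(copy_data) == record["sha256"] and len(copy_data) == record["size_bytes"]


def custody_log_json(records: list) -> str:
    """Serialize the custody log so it can be attached to the case file."""
    return json.dumps(records, indent=2)


if __name__ == "__main__":
    log = [custody_record("ITEM-001", SEIZED_IMAGE, "examiner A", "acquired copy")]
    working_copy = bytes(SEIZED_IMAGE)
    # A copy with even one altered byte fails verification.
    altered_copy = SEIZED_IMAGE[:-1] + b"\xff"
    print("working copy intact:", verify_copy(log[0], working_copy))   # True
    print("altered copy intact:", verify_copy(log[0], altered_copy))   # False
    print(custody_log_json(log))
```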
Production Order:
● Article 18 of the Cybercrime Convention allows for the use of production orders to
access digital evidence held by third parties cooperating with law enforcement agencies.
● These orders apply to both historical and future data.
● Production orders may be necessary even if the third party is cooperative due to legal
duties of confidentiality, data protection rules, or commercial preferences.
● The suitability of a production order depends on the accessibility of the data; if data is
readily accessible, seizure may be more practical.
● Subscriber data, such as identity data about subscribers to e-commerce services, can be
subject to production orders.
● National legislation determines the procedures for production orders and the grounds for
issuing them.
● Expedited preservation orders (Articles 16 and 17) are used to preserve stored data or
traffic data when immediate seizure is not possible.
● Real-time investigation methods (Articles 20 and 21) allow for the collection or recording
of traffic data or content data of specified communications in real-time, subject to
suspicion-based limitations and specific communication addresses.
● These methods may involve technical means such as IMSI catching, silent SMS, or bulk
data collection from mobile base stations.
● Nations may cooperate in joint investigations, allowing for the direct transfer of real-time
data streams between states.
Principle of Sovereignty:
● Requesting assistance from the state where evidence is located is necessary to avoid
sovereignty violations.
Narrowing Focus:
● Mutual legal assistance procedures are used when obtaining evidence through coercive
measures.
● Police cooperation is useful in preparing for such requests.
● The procedure involves a requesting state (seeking assistance) and a requested state
(receiving the request).
● Global communication networks and cloud services make digital evidence technically
accessible globally.
● Criteria for international cooperation may shift from territorial localization to
controllability of computer data.
● The Convention also allows a party to access stored computer data located in another party
when lawful and voluntary consent is obtained.
● Challenges exist in determining the exact location of stored data and obtaining lawful and
voluntary consent.
● No obligation for a nation state to provide assistance in securing digital evidence without
a cooperation treaty.
● Requesting state must demonstrate reciprocity and legal basis for the requested
assistance.
● Formal request must describe the crime, cite relevant legal provisions, and demonstrate
legal permission.
EU's Role:
● EU conventions and agreements with non-member states enhance mutual legal assistance
and cooperation in criminal matters.
● Eurojust system facilitates practical cooperation procedures among prosecutors and
courts within the EU.
Nordic Cooperation:
● Nordic countries have a history of close cooperation, reducing bureaucracy and
increasing efficiency.
● Different procedures apply once a non-Nordic state is involved in cooperation efforts.
Informal Cooperation:
● Formal procedures of mutual legal assistance are necessary to support requests for
coercive methods.
● Informal assistance from foreign police officers may help explore options before formal
requests.
● Within the EU, the SIS enables rapid assistance and information transfer, managed by
National Central Bureaus of Schengen member states.
● Meetings (consultations) are held to identify practical steps for lawfully obtaining
evidence abroad.
● Europol and Eurojust support the setup of JITs in Europe, consisting of law enforcement
representatives from at least two states.
● JITs receive support from Europol and Eurojust in terms of tactical, technical, and legal
advice, as well as practical assistance.
UNIT III
DIGITAL FORENSIC READINESS
Syllabus:
Introduction – Law Enforcement versus Enterprise Digital Forensic Readiness – Rationale for
Digital Forensic Readiness – Frameworks, Standards and Methodologies – Enterprise Digital
Forensic Readiness – Challenges in Digital Forensics
1. Introduction:
Introduction: Television series often glamorize digital forensics, portraying it as exciting and
straightforward. However, real-life digital investigations are much more complex and require
substantial preparation. This chapter explores the concept of digital forensic readiness, which
involves preparing for efficient and effective digital investigations.
Definition: Digital forensic readiness involves being prepared to conduct digital investigations
and present evidence effectively, whether to auditors, legal advisors, or in court. It aims to
reconstruct incidents and find evidence that supports or refutes claims.
Key Points:
1. Efficient Investigations: Ideally, all digital devices would be seized, and all data
analyzed to quickly draw conclusions. However, limited resources and time necessitate
focusing on the most valuable artifacts for the specific incident.
2. Objectives: J. Tan outlines two primary objectives:
○ Maximizing the usefulness of incident evidence data.
○ Minimizing the cost of forensics during an incident response.
Definition Summary: Digital forensic readiness is defined as the ability to perform digital
investigations with minimal cost while maximizing the usefulness of evidence.
Law Enforcement:
Enterprise:
● The ability to conduct digital investigations in an enterprise with minimal cost and
disruption to business operations while maximizing the usefulness of evidence.
Key Points:
This distinction highlights the need for both law enforcement and enterprises to be prepared for
digital investigations, though their approaches and priorities may differ.
Digital forensic readiness ensures efficient and effective digital investigations by minimizing
costs and maximizing the usefulness of collected digital evidence.
4.4.1 Cost
● Minimizing Costs: Digital forensic readiness aims to reduce the costs associated
with investigations, including time, effort, equipment, and other direct expenses.
● Resource Management: Unlike TV portrayals, real-life investigations often involve
multiple concurrent cases, requiring efficient resource management.
● Cost Components: Costs include the hours spent on investigation, fees, equipment, and
other related expenses. For example, a two-hour intrusion can lead to 40 hours of forensic
analysis.
● Case Examples:
○ New Zealand hacker: 417 hours of investigation costing $27,800.
○ Russian hacker: 9 months of investigation costing $100,000.
● Indirect Costs: Disruption to business operations and the need for legal counseling also
add to the costs.
● Cost-Benefit Analysis: Enterprises often use cost-benefit analysis to decide whether to
pursue legal action or involve law enforcement based on the cost versus the potential
benefits or compensation.
Digital forensic readiness lacks a universally accepted approach. Various standards, frameworks,
and methodologies have been proposed by standardization bodies, organizations, and
researchers, reflecting the evolving nature of this discipline.
4.5.1 Standards
ISO/IEC 27037
● Defines digital evidence and its governance principles: relevance, reliability, and
sufficiency.
● Outlines general requirements for handling digital evidence, emphasizing auditability,
justifiability, and either repeatability or reproducibility.
● Details initial processes for handling digital evidence: identification, collection,
acquisition, and preservation.
ISO/IEC 17025
● Sets requirements for forensic laboratories, focusing on both management and technical
aspects.
● Emphasizes technical requirements related to methodology, equipment handling,
sampling, and quality assurance.
NIST SP 800-86
● Discusses phases of the digital forensic process: collection, examination, analysis, and
reporting.
● Provides general recommendations and detailed technical guidelines for evidence
collection and examination from various sources.
4.5.2 Guidelines
IOCE Guidelines
SWGDE Guidelines
ENFSI Guidelines
4.5.3 Research
Enterprises are complex entities that need to maintain smooth operations. When an incident
occurs, swift action is crucial, making prior planning and preparation essential for digital
forensic readiness.
● Jurisdictional Compliance: Enterprises must adhere to local laws and regulations for
collecting, analyzing, and presenting digital evidence. This is particularly challenging for
international organizations.
● Cybercrime Types: Identifying relevant cybercrime types helps determine when digital
evidence is required.
● Key Legal Questions: Enterprises should address scenarios for due diligence,
admissibility of digital evidence, permissible data collection, and requirements for
evidence handling.
● Incident Scenario: Involves crimes such as computer intrusion and unlawful dealings.
● Data Retention vs. Privacy: Conflicting requirements (e.g., 90-day data retention vs.
30-day privacy regulation) highlight the need for careful compliance management.
Guidance from Standards: Standards like ISO/IEC 27037 can help define policies, procedures,
and routines for digital forensic readiness.
Key Challenge:
● Handling vast amounts of unstructured data with inherent uncertainties and errors.
● Each phase of the digital forensics process is time and resource-intensive, often
exceeding available resources.
Solutions:
Computational Forensics
Definition:
● Application of computational methods to forensics, involving modeling, simulation, and
computer-based analysis and recognition.
Objectives:
1. Large-Scale Investigations:
● Managing large data volumes from diverse sources using computational methods.
● Example: Automatic identification of malware traces and network traffic analysis using
link-mining techniques and Neuro-Fuzzy (NF) algorithms.
2. Automation:
3. Analysis:
Evolving Field: Digital forensics is constantly evolving due to the increasing complexity of
technologies. The Testimon Forensics Group outlines several key research areas to address
current challenges.
1. Large-Scale Investigations:
○ Focus: Automatic searching through vast amounts of electronic storage both
within closed systems and on the Internet (including the dark net).
○ Challenge: Efficiently managing and analyzing terabytes of data.
2. Internet and Cloud Forensics:
○ Focus: Rapid acquisition, correlation, and analysis of evidence from the Internet
and cloud services.
○ Challenge: Developing new tools and methods, and educating law enforcement
and practitioners.
3. Embedded Systems and IoT:
○ Focus: Forensic analysis of mobile devices and other embedded systems,
including both hardware and software.
○ Challenge: Proprietary technology, device-specific hardware, customized data
acquisition, and decoding binary data.
4. Cross-Media Search and Data Integration:
○ Focus: Accessing and integrating data from diverse sources, with an emphasis on
data enrichment from Internet sources.
○ Challenge: Effective cross-media search technologies.
5. Encrypted Evidence:
○ Focus: Developing algorithms to analyze encrypted evidence and cryptographic
credentials.
○ Challenge: Overcoming encryption barriers to access and interpret evidence.
6. Computational Intelligence:
○ Focus: Advanced computing technologies for more objective evidence analysis
and decision-making.
○ Challenge: Implementing computational intelligence to enhance accuracy and
efficiency.
7. Attribution and Profiling:
○ Focus: Methods and tools for digital perpetrator attribution and profiling,
visualizing criminal relationships, and geographical mapping of evidence.
○ Challenge: Accurate identification and profiling of digital criminals.
Summary
UNIT IV
iOS FORENSICS
Syllabus:
Mobile Hardware and Operating Systems - iOS Fundamentals – Jailbreaking – File System –
Hardware – iPhone Security – iOS Forensics – Procedures and Processes – Tools – Oxygen
Forensics – MobilEdit – iCloud
• Vital for cellular communication, used to radiate and receive electromagnetic (EM)
waves.
• Types of Antennas:
• Omnidirectional: Radiates EM waves in all directions.
• Directional: Radiates EM waves in a specific direction.
• Dipole Antenna:
• Consists of two conductors with a feedline in between.
• Variations include short dipole antennas, which are shorter than half the
wavelength of the transmission.
5. Antenna Characteristics:
• Radiation Pattern: The plot showing radio wave strengths at different angles.
• Radiating Near-Field (Fresnel Region): Intermediate region where the radiation starts
to spread out.
• Far Field (Fraunhofer Region): Farther from the antenna, where radiated power
decreases with distance squared.
Importance for Forensic Examiners
• Understanding Limits of Tools:
• Tools like Cellebrite, Mobile Edit, Oxygen, etc., have limitations.
• A thorough knowledge of mobile hardware and operating systems helps in
understanding these limits and when to go beyond the tools for manual evidence
collection.
• Knowledge Application:
• Forensic examiners must understand all aspects of the device being examined,
including hardware (SoC, CPU, DSP, antennas) and software (operating systems).
• This foundational knowledge is crucial for accurate and thorough forensic
analysis.
Free-Space Path Loss
1. Free-Space Path Loss:
• Definition: The loss of signal strength that occurs even without interference, proportional
to the square of the distance and the square of the frequency of the radio signal.
• Simplified Formula: $\text{Free space path loss} = \left(\frac{\lambda}{4\pi d}\right)^2$, where:
• d = distance between transmitter and receiver (meters)
• λ = signal wavelength (meters), with λ = c/f
• f = signal frequency (hertz)
• c = speed of light in a vacuum (meters/second)
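Carrying the simplified formula through to the decibel form used in link budgets, as an added worked equation that is not from the notes; it uses the page's symbols with $\lambda = c/f$ and $c \approx 3\times10^{8}$ m/s:

$$
\left(\frac{\lambda}{4\pi d}\right)^2 = \left(\frac{c}{4\pi d f}\right)^2
\qquad\Longrightarrow\qquad
L_{\text{FSPL}} = \left(\frac{4\pi d f}{c}\right)^2
$$

$$
L_{\text{FSPL}}[\text{dB}] = 20\log_{10} d + 20\log_{10} f + 20\log_{10}\frac{4\pi}{c}
\approx 20\log_{10} d + 20\log_{10} f - 147.55
$$

The ratio on the page is received-to-transmitted power (a number below 1); its reciprocal $L_{\text{FSPL}}$ is the loss, which grows with $d^2$ and $f^2$ as the definition states. For $d = 1000$ m and $f = 900$ MHz: $20\log_{10} 1000 + 20\log_{10}(9\times10^{8}) - 147.55 \approx 60 + 179.08 - 147.55 \approx 91.5$ dB.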
2. Friis Transmission Formula:
Fast Fourier Transform (FFT):
• Definition: A fast algorithm to compute the Fourier transform, used in DSP to convert
signals between time and frequency domains efficiently.
• Importance: Facilitates the processing of digital signals in mobile devices.
• Definition: A SIM (Subscriber Identity Module) card is a circuit that stores the
International Mobile Subscriber Identity (IMSI), which identifies the phone.
• Key Functions:
• Stores unique serial number (ICCID)
• Contains IMSI
• Holds security authentication and ciphering information
• Includes network information, accessible services, and two passwords (PIN and
PUK)
2. Historical Background:
• Origin: First SIM cards were specified by the European Telecommunications Standards
Institute and manufactured by Giesecke & Devrient.
• First Use: Sold to Radiolinja, a Finnish network operator, in 1991.
3. Pre-SIM Era:
• NAM (Number Assignment Module): Used before SIM cards, stored telephone
number, IMSI, and Electronic Serial Number, and was a permanent chip in the device.
4. SIM Card Components:
• Reset Signal: C2
• Ground: C5
• Programming Voltage: C6
• Part 10: Electronic signals and answer to reset for synchronous cards
• Arithmetic Logic Unit (ALU): Performs mathematical operations using binary logic.
• Registers: Small, fast memory locations within the CPU for temporary data storage.
• ARM (Advanced RISC Machine): A specific architecture for CPUs, based on RISC
(Reduced Instruction Set Computer) principles.
• CPU's Role: Acts as the "brains" of the device, performing data processing.
• Components: Include control units, ALUs, MMUs, and various types of registers.
• Mobile CPU Architecture: Often uses ARM, a type of RISC architecture, optimized for
efficient instruction execution.
• ARM v8-A Features: 64-bit addressing, numerous general-purpose registers,
double-precision floating point support, and cryptographic acceleration.
Jammers
• US Law: Violations of 47 USC 301, 302(a), and 333 can lead to fines up to $11,000 per
offense, imprisonment up to one year, and equipment seizure.
• Exceptions: Some countries allow law enforcement use or legal ownership but illegal
use.
IMSI Catchers
• Example: StingRay.
Tier | Name | Description
2 | Software Defined Radio (SDR) | narrow-band operation, security functions, etc.
3 | Ideal Software Radio (ISR) | Programmability extends to the entire system with analog conversion only at the antenna.
4 | Ultimate Software Radio (USR) | Defined for comparison purposes only.
2. iOS Fundamentals:
Operating System Fundamentals
• Purpose: Controls, manages, and communicates with system hardware and software.
• Abstraction: Allows programmers to write apps for iOS without dealing with hardware
specifics.
• Framework: Provides essential functions for applications, like file access and memory
allocation.
Key Concepts
• Kernel: The core of the operating system, loaded early in the boot process.
• Access: Few forensic tools can access data in kernel space. JTAG is an exception
but rarely holds significant evidence.
• File System: Organizes raw data into files and directories.
iOS Characteristics
iOS Basics for Mobile Forensics
• Kernel: XNU kernel of Darwin, with versions evolving from iPhone OS 1.0 to iOS 14.
• Security: Uses 256-bit encryption and Address Space Layout Randomization (ASLR).
Security Enhancements
iOS Architecture
• Four Layers:
1. Core OS Layer: Contains essential low-level processes like Bluetooth
framework, security services, and local authentication.
2. Core Services Layer: Includes services like Address Book, Core Location, CloudKit,
Core Motion, and HealthKit. Apps frequently interact with this layer.
3. Media Layer: Manages multimedia functionalities, graphics, images, animation,
and 3D graphics (Metal API). Includes AVKit and AVFoundation.
4. Cocoa Touch Layer: Handles user gestures and system commands, EventKit, and
MapKit. Widely used by app developers.
3. Jailbreaking :
Jailbreaking Utilities
Several utilities have been developed to aid in jailbreaking iOS devices. Notable examples
include:
● Redsn0w
● unc0ver
● Absinthe
● Pangu
Conclusion
While jailbreaking can provide additional functionality and flexibility, it comes with substantial
risks, including security vulnerabilities and the possibility of damaging the device. Therefore,
users should carefully weigh these risks before deciding to jailbreak their iOS devices.
4. File System:
Introduction to APFS
Since macOS High Sierra (10.13), tvOS 10.2, and iOS 10.3, Apple has utilized the Apple File
System (APFS) for its products. Before APFS, Apple employed the HFS+ file system, which
itself replaced the older HFS (Hierarchical File System). APFS is designed to optimize
performance and reliability on solid-state drives (SSDs) and flash storage.
Key Features of APFS
Figure 3.3 illustrates 3uTools, a comprehensive utility for iOS devices. This tool can aid in
various aspects of iOS management and forensic analysis, including data backup, firmware
management, and jailbreaking, providing a practical interface for interacting with iOS devices.
Conclusion
APFS represents a significant advancement in Apple's file system technology, providing robust
features optimized for modern storage while introducing new challenges and opportunities for
digital forensics. Understanding APFS's structure and capabilities is essential for forensic
examiners dealing with Apple devices.
5. Hardware :
Early Touchscreens:
Transition to OLED:
1. Introduction of OLED:
○ The iPhone X was the first model to feature an Organic Light Emitting Diode
(OLED) display, which offers superior image quality compared to LCDs.
2. Types of OLED:
○ PMOLED (Passive Matrix OLED): Controls each row sequentially.
○ AMOLED (Active Matrix OLED): Controls each individual pixel, resulting in
better resolution and image quality.
3. OLED Variations:
○ Bottom vs. Top-Oriented: Refers to the direction light exits the device.
Bottom-oriented OLEDs pass light through the bottom electrode and substrate,
while top-oriented OLEDs emit light through the lid added during manufacturing.
○ Stacked OLEDs: Feature red, green, and blue subpixels stacked vertically instead
of side by side, enhancing color accuracy and brightness.
1. 3D Touch:
○ Introduced with the iPhone 6s, 3D Touch could recognize different levels of
pressure applied to the screen, enabling varied haptic feedback and interaction.
2. Haptic Touch:
○ Replacing 3D Touch with the iPhone 11, Haptic Touch does not detect pressure
differences but rather the duration of touch. This provides tactile feedback based
on how long the screen is pressed.
Security Enhancements:
1. Secure Enclave:
○ iPhones have incorporated a coprocessor named Secure Enclave, dedicated to
handling cryptographic keys and biometric information, like fingerprints and
facial recognition data. This coprocessor operates with its own secure boot
process, ensuring enhanced security for sensitive operations.
Summary:
The iPhone's touchscreen has evolved from a simple 3.5-inch LCD to advanced OLED displays
with varying sizes and superior resolution. Each iteration has brought improvements in visual
quality and interactivity, including innovations like 3D Touch and Haptic Touch. Additionally,
security features like the Secure Enclave coprocessor have enhanced the protection of biometric
data, making the iPhone both a powerful and secure device.
6. Phone Security :
● iPhones feature a dedicated cryptographic processor where encryption keys are stored.
● iPhones use AES (Advanced Encryption Standard) with a 256-bit key for encryption,
providing robust security. This encryption is enforced and cannot be disabled.
● The FBI's inability to access the iPhone of the San Bernardino shooter in 2015
underscores the strength of iPhone encryption. Despite legal pressure, Apple could not or
would not unlock the device.
GrayKey Tool:
● While iPhone encryption is strong, tools like GrayKey have been developed to potentially
bypass some security measures. More details on such tools are discussed in Chapter 10.
Passcodes:
Facial Recognition:
● Introduced with the iPhone X, Face ID leverages the Secure Neural Engine, which is
integrated into the Secure Enclave. It uses an infrared sensor, dot projector, and
illuminator to create a detailed 3D map of the user's face. Face ID adapts to changes in
the user's appearance, such as glasses or facial hair.
Secure Enclave
Key Features:
● Unique Cryptographic Key: Each device has a unique root cryptographic key
embedded during manufacturing.
● User ID (UID) and Group ID (GID): A randomly generated UID is fused into the SoC,
and a GID is common to all devices using the same SoC.
● Dedicated Memory Protection: Operations are executed in a protected memory region.
Data written to this region is encrypted using AES and a Cipher-Based Message
Authentication Code (CMAC) for integrity.
● Secure Boot Monitor: Starting with the A13 chip, the Secure Enclave includes a boot
monitor to ensure the integrity of the OS being booted.
● System Coprocessor Integrity Protection (SCIP): Ensures that only legitimate Secure
Enclave Boot ROM is executed.
Conclusion
The iPhone's comprehensive security framework, including strong encryption, biometric security,
and the Secure Enclave, poses significant challenges for forensic examiners. Understanding these
features is essential for devising strategies to access and analyze data on locked or encrypted
iPhones. As technologies evolve, so do the methods for securing and potentially bypassing these
security measures, which are further explored in specialized chapters such as Chapter 10 on
countermeasures and tools like GrayKey.
7. iOS Forensics :
Forensic analysis of iOS devices incorporates standard mobile forensics practices and general
forensics principles but also requires specialized techniques and tools. This section provides a
foundational understanding of iOS forensics, emphasizing the importance of both traditional and
advanced methodologies.
Importance of Mobile Device Forensics
Mobile devices, including iPhones, are ubiquitous and central to modern life. They store vast
amounts of personal data, making them crucial in various types of investigations. The pervasive
nature of these devices means they often contain valuable evidence, such as:
● Call history
● Emails, texts, and other messages
● Photos and videos
● Phone information
● Global positioning system (GPS) data
● Network information
Call History:
● Provides information about who the user has communicated with and for how long.
● Can offer supporting evidence and general intelligence about the suspect's activities.
● Critical in cases like cyberstalking, where patterns of contact can be crucial.
Messages:
● Includes text messages, emails, and data from various chat apps (e.g., Snapchat,
WhatsApp, Signal).
● Forensic tools may retrieve data from many, but not all, of these apps. Advanced
techniques, such as SQLite forensics, may be necessary for extracting data from app
databases.
Photos and Videos:
● Can provide direct evidence of crimes (e.g., child pornography, illegal activities).
● Criminals often have incriminating photos or videos on their devices, which can be
crucial for investigations.
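The SQLite forensics mentioned above for app databases, as an added example that is not part of the course notes: the chat database, its schema and its 2001-based timestamp column are constructed assumptions for the example, not the layout of any real app. It opens the file read-only and hashes it before and after, so the extraction itself alters nothing.

```python
"""Added example (not from the course notes): pulling chat messages out of an
app's SQLite database while altering nothing.

Forensic suites do not parse every app, so examiners fall back to querying the
app's SQLite store directly. This script builds a constructed, hypothetical chat
database, opens it read-only, hashes the file before and after, and extracts the
messages with human-readable timestamps.
"""
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumption for the constructed schema: timestamps are seconds since
# 2001-01-01 UTC, the "Cocoa" epoch many Apple frameworks use.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def build_constructed_db(path: str) -> None:
    """Create a small hypothetical chat database standing in for an app's store."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE contact(id INTEGER PRIMARY KEY, handle TEXT);
        CREATE TABLE message(id INTEGER PRIMARY KEY, contact_id INTEGER,
                             sent_at REAL, is_from_me INTEGER, body TEXT);
        INSERT INTO contact VALUES (1, '+15550100'), (2, 'alice@example.invalid');
        INSERT INTO message VALUES
          (1, 1, 700000000.0, 0, 'are you home?'),
          (2, 1, 700000042.0, 1, 'on my way'),
          (3, 2, 700003600.0, 0, 'meeting moved to 3');
    """)
    con.commit()
    con.close()


def sha256_file(path: str) -> str:
    """Hash of the evidence file, taken before and after examination."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def apple_time(seconds: float) -> str:
    """Convert a 2001-based timestamp to an ISO 8601 UTC string."""
    return (APPLE_EPOCH + timedelta(seconds=seconds)).isoformat()


def extract_messages(path: str) -> list:
    """Read messages through a read-only URI so the evidence file is never written."""
    uri = f"{Path(path).resolve().as_uri()}?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    rows = con.execute("""
        SELECT m.id, c.handle, m.sent_at, m.is_from_me, m.body
        FROM message m JOIN contact c ON c.id = m.contact_id
        ORDER BY m.sent_at
    """).fetchall()
    con.close()
    return [
        {"id": i, "handle": h, "sent_at_utc": apple_time(t),
         "direction": "outgoing" if me else "incoming", "body": b}
        for i, h, t, me, b in rows
    ]


def examine(path: str) -> tuple:
    """Return (messages, file_unchanged) to show the extraction altered nothing."""
    before = sha256_file(path)
    messages = extract_messages(path)
    return messages, sha256_file(path) == before


def make_demo_db() -> str:
    """Write the constructed database to a temp directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "chat.sqlite")
    build_constructed_db(path)
    return path


if __name__ == "__main__":
    msgs, intact = examine(make_demo_db())
    for m in msgs:
        print(m)
    print("evidence file unchanged:", intact)  # True
```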
Phone Information:
GPS Information:
● Includes data on Wi-Fi hotspots the phone has connected to, which can indicate the
phone’s location over time.
● Useful in cases like stalking, where frequent connections to Wi-Fi networks near a
victim’s location can be significant.
Specialized Techniques and Tools NIST Standards:
● National Institute of Standards and Technology (NIST) provides guidelines and standards
for mobile device forensics.
● Adhering to these standards ensures the reliability and validity of forensic methods and
results.
Forensic Tools:
● Several tools are essential for iOS forensics, including GrayKey, which may help bypass
certain security measures.
● Understanding the capabilities and limitations of each tool is crucial for effective forensic
analysis.
Encryption:
● iPhones use AES 256-bit encryption, which is robust and difficult to breach.
● Encryption is enforced when the phone is locked, making data extraction challenging
without the passcode or biometric access.
Secure Enclave:
● A dedicated security subsystem integrated into Apple’s SoC since the iPhone 6s.
● Isolates sensitive data from the main processor, using a unique cryptographic key and
AES encryption to protect data integrity and confidentiality.
● Secure Boot Monitor and System Coprocessor Integrity Protection (SCIP) ensure only
legitimate code is executed during boot, enhancing the security of the device’s operating
system.
8. Procedures and Processes :
Forensic examination of mobile devices, including iOS devices, requires adherence to strict
standards and procedures to ensure the integrity of the evidence. The following outlines key
forensic procedures, standards, and techniques specific to mobile forensics, with a focus on iOS
devices.
Network Isolation:
● Purpose: Prevent remote access and changes to the device during examination.
● Procedure: Enable airplane mode immediately to isolate the device from all networks.
Minimal Alteration:
● Objective: Make as few changes as possible to the device during the forensic process to
maintain the integrity of the evidence.
● Levels of Extraction:
1. Manual: Direct interaction with the device.
2. Logical: Extraction of a portion of the file system.
3. File System: Full file system access.
4. Physical (Non-Invasive): Physical data acquisition without opening the device.
5. Physical (Invasive): Physical data acquisition requiring device disassembly.
6. Chip-Off: Removal and analysis of the memory chip.
7. MicroRead: High-power microscope analysis of memory cells.
● CFTT Program: Computer Forensics Tool Testing Program to validate forensic tools.
● Website: CFTT
Reporting Standards:
● Auto-Sync Prevention: Ensure the iPhone does not synchronize with the
forensic workstation.
● Documentation: Thoroughly document all interactions with the device to maintain a
clear chain of custody.
Windows PC Precautions:
Summary
Adhering to established forensic procedures and guidelines is crucial for maintaining the
integrity of the evidence extracted from mobile devices, particularly iOS devices. This involves
using standardized methods for data extraction, ensuring minimal alteration to the device, and
thoroughly documenting the forensic process. By following these procedures, forensic examiners
can ensure that their findings are accurate, reliable, and admissible in court.
9. Tools :
In the realm of iOS forensics, various tools are used to extract and analyze data from iPhones and
other iOS devices. Each tool has its unique features, strengths, and limitations. Here are some of
the most notable tools used in iOS forensics:
Cellebrite Overview:
Key Products:
Pros:
Cons:
● High cost.
● Requires extensive training and expertise.
iMazing
Overview:
● Purpose: Initially designed as an iOS device manager, not specifically for forensics.
● Cost: $49.99 for a lifetime license for up to 3 devices, or $59.99 per year for unlimited
devices.
● Accessibility: User-friendly interface, suitable for basic forensic investigations.
Capabilities:
● Data Retrieval: Gathers call logs, messages, photos, and more.
● Export Options: Can export data to PDF, Excel, CSV, or text files.
Pros:
Cons:
Capabilities:
● Data Recovery: Recovers deleted data and supports data extraction from iTunes and
iCloud backups.
● User Interface: Intuitive and easy to navigate.
Pros:
Cons:
Capabilities:
Pros:
● Inexpensive and supports both iOS and Android devices.
● User-friendly interface with essential forensic capabilities.
Cons:
Summary
When choosing tools for iOS forensics, it's essential to consider the specific needs of your
investigation, the budget available, and the level of expertise required to operate the tools. While
Cellebrite offers a comprehensive and robust toolset suitable for advanced investigations, tools
like iMazing, iMyFone D-Back, and Dr. Fone provide affordable and user-friendly alternatives
for basic forensic tasks. Each tool has its own set of features and limitations, making it crucial to
evaluate them based on the forensic requirements of each case.
10. Oxygen Forensics :
Overview:
Key Features:
1. User-Friendly Interface:
○ Ease of Use: The initial connection with a mobile device is facilitated via a
wizard, making the tool accessible even for those with less technical expertise.
○ Extraction Process: The wizard guides the user through the extraction process
step-by-step, ensuring a smooth and efficient workflow.
2. Comprehensive Data Extraction:
○ Data Types: Oxygen Forensics can extract a wide range of data, including call
logs, messages, contacts, and app data.
○ User Interface: The extracted data is presented in a clear and easily navigable
interface, allowing forensic examiners to quickly locate and analyze the
information they need.
3. Geolocation Mapping:
○ Timeline Events: One of the standout features is the ability to place timeline
events on a map, aiding in the visualization of movements and activities over
time.
○ Figure 5.13: This feature enhances the forensic analysis by providing a
geographical context to the data.
Pros:
● Ease of Use: The wizard-based setup and intuitive interface reduce the learning curve.
● Comprehensive Features: Offers more capabilities than basic tools like Dr. Fone,
though not as extensive as Cellebrite.
● Geolocation Mapping: Provides valuable insights through its mapping feature.
Cons:
● Cost: At $7,000 per license, it is a significant investment, though still less expensive than
Cellebrite.
● Feature Set: While it has many features, it lacks some of the advanced capabilities found
in more expensive tools like Cellebrite.
Summary
Oxygen Forensics offers a balanced solution for digital forensics professionals, combining ease
of use with a robust feature set. It stands out for its user-friendly interface, guided setup process,
and the ability to map timeline events geographically. While it is a more affordable option than
Cellebrite, it still requires a substantial investment. Given the high cost of forensic tools, it is
advisable to seek recommendations from colleagues and industry experts to ensure the best fit for
your forensic lab's needs.
11. MobilEdit :
Overview:
Key Features:
1. Case Management:
○ Case Details: Allows the examiner to enter case-specific details, helping manage
complex caseloads.
○ Figure 5.15: The case information screen assists in organizing and documenting
case details efficiently.
2. Reporting Formats:
○ Multiple Formats: Offers various report formats including HTML and PDF.
○ User-Friendly Reports: HTML reports are easy to navigate, while PDF reports
are suitable for submission to third parties, such as attorneys.
○ Figure 5.17: Shows an example of an HTML report with navigable links on the
left.
3. Device Compatibility:
○ Cross-Platform: Compatible with both Apple and Android devices, making it
versatile for different types of mobile devices.
Pros:
Cons:
● Feature Limitations: May lack some advanced features found in higher-priced tools.
Key Features:
1. Versatility:
○ Multi-Platform Support: Can be used to forensically examine both mobile
devices and PCs, making it highly versatile.
○ Cloud Solution: Offers a cloud-based solution, expanding its capabilities.
2. User Interface:
○ Case Information Management: Provides a detailed case information screen to
keep track of investigations.
○ Figure 5.18: Shows the basic case information screen.
3. Data Extraction:
○ Wide Range of Data: Capable of extracting a vast array of data from mobile
devices, including information from numerous apps.
○ Figure 5.20: Demonstrates the extensive data retrieval capabilities.
Pros:
Cons:
Reincubate
Overview:
Key Features:
Pros:
● Low Priced: Affordable options for extracting data from iOS backups.
● Useful for Backup Analysis: Effective when phone security prevents direct data access.
Cons:
UltData
Overview:
● Reputation: Known for its ability to recover data from iTunes backups and live devices.
● Website: UltData
Key Features:
1. Data Recovery:
○ Multiple Sources: Can recover data from local iTunes backups, iCloud, and live
devices.
○ Figure 5.22: Shows the interface for selecting the data recovery source.
2. Comprehensive Data Retrieval:
○ Diverse Data Types: Retrieves messages, call history, contacts, Safari history,
voicemail, and data from apps like WhatsApp, WeChat, and Line.
○ Figure 5.23: Displays the data retrieved from an iTunes backup.
3. Voicemail Recovery:
○ Old Voicemails: Capable of recovering old voicemails even from a phone with
transferred SIM cards.
○ Figure 5.24: Demonstrates recovery of a voicemail from 3 years ago.
Pros:
Cons:
● Limited Advanced Features: May not offer the full range of features required for
comprehensive forensic investigations.
12. iCloud :
iCloud Forensics
Overview:
● Relevance: iCloud is a critical source of data for forensic investigations, especially when
physical access to an iPhone is not possible.
● User Base: As of 2018, 850 million customers back up their data to iCloud.
Key Features:
1. Data Accessibility:
○ Remote Access: Data stored in iCloud can be retrieved remotely without physical
access to the iPhone.
○ Account Credentials: Access requires the Apple ID and password. These
credentials can sometimes be extracted from the user's computer.
2. Types of Data Stored in iCloud:
○ Backups: Comprehensive device backups that include app data, settings,
messages, and more.
○ Photos and Videos: Media files uploaded to iCloud Photos.
○ Documents: Files stored in iCloud Drive.
○ Messages: iMessages and SMS/MMS backed up or stored in iCloud.
○ Contacts and Calendars: Synced contacts and calendar events.
○ Notes and Reminders: Synced notes and reminders.
3. Forensic Tools and Techniques:
○ Credential Recovery: Tools and techniques to recover or crack Apple ID
credentials from a suspect's computer.
○ Data Extraction: Specialized software to access and download data from iCloud
once credentials are obtained.
1. Cellebrite: Known for its comprehensive forensic capabilities, including iCloud data
extraction.
2. Elcomsoft Phone Breaker: Specifically designed for extracting data from iCloud
backups and accounts.
3. Oxygen Forensics: Includes features for iCloud data extraction and analysis.
4. Dr. Fone: Can also extract data from iCloud, though it is more limited compared to
dedicated forensic tools.
5. iMyPhone D-Back: Useful for recovering data from iCloud, including backups.
Pros:
● Remote Access: Ability to access data without physical access to the device.
● Comprehensive Data: iCloud backups can include a wide range of data types.
● Widespread Use: High likelihood of finding relevant data due to the large user base.
Cons:
UNIT V
ANDROID FORENSICS
Syllabus:
Android basics – Key Codes – ADB – Rooting Android – Boot Process – File Systems –
Security – Tools – Android Forensics – Forensic Procedures – ADB – Android Only Tools –
Dual Use Tools – Oxygen Forensics – MobilEdit – Android App Decompiling.
1. Android basics :
Android is a very common operating system. It is obviously found on Android phones, but it is also
found in smart TVs, automobiles, and some IoT devices. It is clearly quite important to understand the
Android operating system in some depth.
The Android operating system is a Linux-based operating system, and it is completely open source. If
you have a programming and operating systems background, you may find it useful to examine the
Android source code from
Android was first released in 2003 and is the creation of Rich Miner, Andy Rubin, and Nick Sears. Google acquired Android in 2005, but still keeps the code open source. The versions of Android have been named after sweets:
● Version 1.5 Cupcake
● Version 1.6 Donut, etc…
The differences between Android versions typically involve new features rather than radical
changes, allowing familiarity with version 7.0 (Nougat) to suffice for forensic examination on
version 9.0 (Pie). Android's open-source nature means vendors may modify the OS, including
partition layouts, but common partitions are usually present across devices.
Key Partitions:
1. Boot Loader: Necessary for hardware initialization and loading the kernel, not
usually forensically relevant.
2. Boot: Contains bootup information, generally not forensically important.
3. Recovery: Boots the phone into a recovery console; rarely holds forensically relevant
data but useful for recovery mode.
4. Userdata: Most relevant for forensic investigations, containing user data and app data,
including many SQLite databases.
5. Cache: Stores frequently accessed data and recovery logs, can contain important
forensic data that users might be unaware of.
6. System: Not typically important for forensics.
Key Directories:
include:
2. Key Codes:
Android phones have numerous keycodes that can be used to retrieve useful information or
perform specific functions. While some codes are universal across all Android models, others
may be specific to particular devices. These codes are valuable for diagnostics and forensic
investigations.
Universal Diagnostic and Forensic Key Codes:
These codes can be highly useful for performing diagnostics or extracting information during forensic
examinations. For model-specific codes, a search for "Secret codes for [model name] phones" can
provide additional insights.
3. ADB:
Starting ADB:
The client checks for an existing server process; if none exists, it starts one. To list connected
devices, use adb devices.
If a device does not show as attached, ensure developer mode (USB debugging) is enabled on the
phone and troubleshoot by restarting the ADB server with adb kill-server followed by adb start-server.
ADB Shell:
● The adb shell command opens a shell on the Android device, allowing the use
of Linux commands like pstree, ps, ls, netstat, and lsof.
● To exit the shell, type exit.
4. Rooting Android:
Rooting an Android phone allows you to gain complete root access, similar to an administrator
in Linux. However, it voids the phone's warranty and has become more challenging with newer
models.
1. Carrier Unlock:
○ Contact your carrier to unlock the phone if the contract is paid off.
2. OEM Unlock:
○ Enable OEM Unlock in the developer settings.
○ Use ADB (Android Debug Bridge) to reboot into the bootloader by typing adb reboot bootloader.
○ Attempt OEM unlock with fastboot oem unlock.
○ If this fails, request an unlock code from the phone's manufacturer.
3. Check OEM Unlock Status:
○ In the bootloader mode, check the status with fastboot oem device-info.
4. Rooting with Magisk:
○ After OEM unlock, use tools like Magisk to install a rooted image.
○ Push the new image to the system using adb push.
5. Install TWRP Recovery:
○ Download the TWRP image from TWRP.
○ Place the TWRP image in the "ADB and Fastboot" folder.
○ Check device connection with adb devices.
○ Reboot into the bootloader with adb reboot bootloader.
○ Use the phone screen to select "Apply Update from ADB Sideload."
○ Flash the recovery image with fastboot flash recovery twrp.img.
Key Points:
Remember, the specific steps and success rates depend on the phone's model and Android version.
Boot Process:
The Android boot process involves several key steps from powering on the device to loading
the operating system.
1. Initial Power-On:
○ Pre-Power State: The CPU is in a state with no initializations.
○ Power On: Execution starts with the boot ROM code, specific to the device's CPU.
2. Boot ROM Code Execution:
○ Step A: Initializes device hardware and detects boot media.
○ Step B: Copies the initial boot loader to internal RAM and transfers execution to it.
3. Bootloader Execution:
○ Initial Program Load (IPL):
■ Step A: Detects and sets up external RAM.
○ Second Program Load (SPL):
■ Step B: Copies SPL to RAM and shifts execution to it.
■ Step C: SPL loads the Linux kernel from boot media to RAM.
4. Kernel Initialization:
○ The Linux kernel is central to the Android OS, handling process and
memory management and enforcing security.
○ Version Variations: Different Android versions use different Linux kernel
versions, which manufacturers may alter.
5. Root Filesystem Mounting:
○ Step A: With memory management units and caches initialized, the system uses
virtual memory and launches user space processes.
○ Step B: The kernel looks for and launches the init process from the root
filesystem (rootfs), the initial user space process.
6. Initramfs Handling:
○ Basic Initramfs: A compressed archive used for booting the kernel,
unpacked into a RAM-based disk.
○ Mounting: The RAM-based disk serves as the initial root filesystem.
This process ensures that the device transitions from a powered-off state to a fully functional
operating system, ready for user interaction.
File Systems:
Android uses various file systems to organize files on storage devices. The major file systems
include F2FS, JFFS2, and YAFFS.
F2FS (Flash-Friendly File System)
● Node Structure:
○ Inode: Contains 923 data block indices, 2 direct node pointers, 2 indirect node
pointers, and 1 double indirect node pointer.
○ Direct Node: Contains 1018 data block indices.
○ Indirect Node: Contains 1018 node block indices.
● Volume Division:
○ Superblock (SB): At the beginning of the partition, with a backup copy.
○ Checkpoint (CP): Contains system information, active segments, and orphaned inodes.
○ Segment Information Table (SIT): Block count and bitmap of main area blocks.
○ Node Address Table (NAT): Addresses for nodes.
○ Segment Summary Area (SSA): Information about node block ownership.
○ Main Area: File and directory data.
● Nodes:
○ Inodes
○ Dirent Nodes (directory entries)
● Features:
○ Journaling: Logs changes to the file system to enable rollback or recreation in
case of failure.
○ Garbage Collection: Frees up blocks that were not released properly, similar to
memory garbage collection in programming.
● Data Writing: Written as an entire page (chunk) including file metadata and data.
● Object ID: Each new file gets a unique object ID.
● Data Structure: Uses a tree structure for physical location of chunks/pages.
● Version 2: Default AOSP flash file system for kernel version 2.6.32. Not supported
in newer kernel versions, though some vendors may still use YAFFS2.
These file systems ensure efficient organization and management of files on Android devices,
each with unique features catering to different needs of the operating system.
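A reader for the F2FS superblock described above, as an added example (not code from these notes): it decodes the leading fields of struct f2fs_super_block as laid out in the Linux header include/linux/f2fs_fs.h (that layout is an assumption beyond what the notes state), finds the primary copy at byte 1024 and the backup copy in block 1, and reports where the main area, the part that holds file and directory data, begins. The partition image it parses is constructed inline, not a capture from a device.

```python
"""F2FS superblock reader (added example; not from the course notes).

Field order follows struct f2fs_super_block in include/linux/f2fs_fs.h
(packed, little-endian).  The primary superblock sits 1024 bytes into the
partition and its backup copy 1024 bytes into block 1.  The sample image
built below is constructed, not a capture.
"""
import struct

F2FS_MAGIC = 0xF2F52010
F2FS_SUPER_OFFSET = 1024
F2FS_BLKSIZE = 4096
# magic, major, minor, log_sectorsize, log_sectors_per_block, log_blocksize,
# log_blocks_per_seg, segs_per_sec, secs_per_zone, checksum_offset,
# block_count, section_count, segment_count, segment_count_{ckpt,sit,nat,ssa,main},
# segment0_blkaddr, {cp,sit,nat,ssa,main}_blkaddr, root/node/meta inode numbers,
# uuid[16], volume_name[512] (UTF-16LE)
_SB_FMT = "<I2H7IQ16I16s1024s"
_SB_LEN = struct.calcsize(_SB_FMT)


def parse_f2fs_superblock(image, offset=F2FS_SUPER_OFFSET):
    """Decode the fixed leading fields of the superblock found at `offset`."""
    raw = image[offset:offset + _SB_LEN]
    if len(raw) < _SB_LEN:
        raise ValueError("image too short for an F2FS superblock")
    f = struct.unpack(_SB_FMT, raw)
    if f[0] != F2FS_MAGIC:
        raise ValueError("no F2FS magic at offset %d" % offset)
    block_size = 1 << f[5]
    return {
        "version": "%d.%d" % (f[1], f[2]),
        "block_size": block_size,
        "blocks_per_segment": 1 << f[6],
        "block_count": f[10],
        "size_bytes": f[10] * block_size,
        "segment_count": f[12],
        # how many segments each metadata area and the main (file data) area occupy
        "segments": {"cp": f[13], "sit": f[14], "nat": f[15], "ssa": f[16], "main": f[17]},
        # starting block address of each area; the main area is where a carver looks for file data
        "areas": {"cp": f[19], "sit": f[20], "nat": f[21], "ssa": f[22], "main": f[23]},
        "root_ino": f[24],
        "uuid": f[27].hex(),
        "volume_name": f[28].decode("utf-16-le").split("\x00", 1)[0],
    }


def main_area_byte_offset(sb):
    """Byte offset at which file and directory blocks begin."""
    return sb["areas"]["main"] * sb["block_size"]


def locate_superblocks(image):
    """Return offsets of every superblock copy whose magic checks out (primary, then backup)."""
    found = []
    for off in (F2FS_SUPER_OFFSET, F2FS_BLKSIZE + F2FS_SUPER_OFFSET):
        try:
            parse_f2fs_superblock(image, off)
            found.append(off)
        except ValueError:
            pass
    return found


def build_sample_image():
    """Construct a two-block image carrying a 1 GiB 'userdata' superblock and its backup."""
    sb = struct.pack(_SB_FMT, F2FS_MAGIC, 1, 10, 9, 3, 12, 9, 1, 1, 0,
                     262144,                      # block_count: 262144 * 4 KiB = 1 GiB
                     512, 512,                    # section_count, segment_count (512 blocks each)
                     2, 2, 4, 2, 500,             # segments used by CP, SIT, NAT, SSA, main
                     512,                         # segment0_blkaddr
                     512, 1536, 2560, 4608, 5632, # CP, SIT, NAT, SSA, main block addresses
                     3, 1, 2,                     # root, node, meta inode numbers
                     bytes(range(16)), "userdata".encode("utf-16-le"))
    block0 = b"\x00" * F2FS_SUPER_OFFSET + sb
    block0 += b"\x00" * (F2FS_BLKSIZE - len(block0))
    return block0 + block0   # the backup copy lives in block 1
```

On a real image the main-area offset tells the examiner where to point a carver, and a readable backup copy is what makes a partition with a damaged primary superblock still mountable for analysis.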
Security:
Android Security :
Android's security features vary across different manufacturers and models but include robust
cryptographic and application isolation measures.
Cryptography
● Adiantum:
● Salsa Cipher:
○ Proven robust, with studies such as the 2013 Mouha and Preneel proof
indicating 15 rounds of Salsa20 offer 128-bit security against differential
cryptanalysis.
Application Security
Tools:
Various tools are available for managing and modifying Android phones, some specific to
manufacturers and others more general. These tools range from flashing firmware to deep code
inspection.
Manufacturer-Specific Tools
1. Odin3:
○ Usage: Flash images onto Samsung phones, including stock/custom firmware
and root packages.
○ Download: Samsung Odin
○ Purpose: Created for Samsung's internal use in service centers and factories.
○ Note: Always use the latest version.
2. SamFirm:
○ Usage: Flash different images onto Samsung devices.
○ Download: SamFirm Tool
○ Purpose: Another Samsung-specific flashing tool.
General Tools
● These tools can be used to recover bricked phones or bypass phone security.
● They vary in efficacy depending on the phone model and Android version.
● There is a risk of permanently bricking your phone when using these tools.
Understanding and utilizing these tools requires careful consideration and a solid understanding
of their functions and potential risks.
Android Forensics:
Android forensics encompasses approaches, techniques, and tools to extract valuable evidence
from Android devices. Key points include:
Understanding and effectively utilizing these forensic techniques and tools are essential for
extracting pertinent evidence from Android devices in various investigative scenarios.
Forensic Procedures:
Forensic procedures in mobile device forensics adhere to standards and guidelines set by
organizations like the Scientific Working Group on Digital Evidence (SWGDE) and the United
States National Institute of Standards and Technology (NIST). Key points include:
1. Airplane Mode:
○ Essential to prevent remote access during examinations and minimize
changes to the device.
2. Mobile Forensics Pyramid:
○ Defines levels of forensic examination, ranging from manual to chip-off
methods, with each level requiring specific skills and providing varying
degrees of data access.
3. Tool Selection:
○ Choose tools and methods based on forensic needs, ensuring adequacy
for the investigation.
○ NIST-sponsored CFTT provides guidance on selecting validated tools.
4. Report Writing Guidelines:
○ Include descriptive list of submitted items, examiner identity, equipment used,
steps taken during examination, findings, supporting materials, details of relevant
programs, and techniques used to hide or mask data.
○ Reports should be detailed, providing a roadmap of the investigation for
verification by other forensic examiners.
○ Guidelines from organizations like the Department of Justice and the SANS
Institute emphasize accuracy, completeness, and adherence to legal
standards.
5. Documentation:
○ Maintain accurate records throughout the examination process.
○ Detailed documentation is crucial for transparency, verification, and
admissibility of evidence in legal proceedings.
Following standardized procedures and guidelines ensures the integrity and reliability of forensic
examinations, facilitating thorough analysis and interpretation of digital evidence.
ADB :
Android Debug Bridge (ADB) serves as a crucial tool for conducting forensic examinations
on Android devices. Here is a summary of its key functionalities and commands:
1. Server Initialization:
○ ADB client checks for an existing server process. If none exists, it initiates one,
binding to TCP port 5037 to listen for commands.
2. Device Listing:
○ Initial step involves listing all connected devices to the computer with ADB installed.
3. Backup Creation:
○ adb backup -all -f backup: Command to create a backup of all user-accessible
data on the device.
○ Backup file serves as a safeguard against accidental alterations to the device
during investigation.
4. Forensic Examination Commands:
○ adb shell: Enter the device's Linux shell for examination.
○ ls: List contents of directories on the device.
○ su: On a rooted device, switch to root first so that protected system directories can be listed with ls.
○ Specific directories to explore:
■ /data: Contains user data, including contacts, SMS, and installed applications.
■ /cache: Stores frequently accessed data and app components.
■ /misc: Holds miscellaneous system settings.
■ /mnt: Displays information about SD card(s).
5. Information Retrieval Commands:
○ Retrieve device-specific information with getprop.
○ Example properties include ro.product.model and ro.build.version.release (for instance getprop ro.product.model).
6. Additional Shell Commands:
○ Utilize variations of ls command for detailed exploration.
○ Explore processes using ps command, with options like -A, -E, etc.
○ Check network status using netstat command.
7. Package Listing Commands:
○ pm list packages: Lists installed packages, with variations like -f, -d, -e, etc.
8. Data Extraction:
○ Explore /sdcard/ directory for images, videos, and other data.
○ Use adb pull command to extract desired files or directories to the forensic machine.
Utilizing ADB for forensic examinations provides investigators with access to crucial data stored
on Android devices, aiding in the analysis and interpretation of digital evidence.
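The ADB workflow in the list above, as an added Python example that is not part of the course notes: helpers that parse the output of the commands named there (adb devices -l, adb shell getprop, pm list packages -f), unpack an unencrypted adb backup file so its app databases can be examined, and hash extracted data for the examination record. Only the live run_adb() wrapper assumes an adb binary on PATH; the sample command output and the .ab file are constructed inside the block, and the .ab header layout (magic line, format version, compression flag, encryption line) is taken from the adb backup file format rather than from the notes.

```python
"""ADB triage helpers (added example; not from the course notes).

The parsing functions work on captured text, so they run offline;
run_adb() shells out to a real `adb` binary assumed to be on PATH.
"""
import hashlib
import io
import subprocess
import tarfile
import zlib

# Constructed sample output, in the shape the real commands print.
SAMPLE_DEVICES = """List of devices attached
ZY22XXXXXX             device usb:1-2 product:blueline model:Pixel_3 device:blueline
0123456789ABCDEF       unauthorized usb:1-3
"""
SAMPLE_GETPROP = """[ro.build.version.release]: [9]
[ro.product.model]: [Pixel 3]
[ro.serialno]: [ZY22XXXXXX]
"""
SAMPLE_PM = """package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
package:/system/priv-app/Contacts/Contacts.apk=com.android.contacts
"""


def run_adb(args, serial=None):
    """Run one adb command (optionally pinned to a device serial) and return its stdout."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + list(args)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_adb_devices(output):
    """Map `adb devices -l` output to {serial: state}; only 'device' is usable,
    'unauthorized' means the USB-debugging prompt was not accepted on the phone."""
    devices = {}
    for line in output.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices


def parse_getprop(output):
    """Turn '[ro.product.model]: [Pixel 3]' lines from `adb shell getprop` into a dict."""
    props = {}
    for line in output.splitlines():
        if line.startswith("[") and "]: [" in line and line.endswith("]"):
            key, _, value = line[1:-1].partition("]: [")
            props[key] = value
    return props


def parse_pm_list(output):
    """Map `pm list packages -f` lines ('package:<apk path>=<name>') to {name: apk path}."""
    apks = {}
    for line in output.splitlines():
        if line.startswith("package:"):
            path, _, name = line[len("package:"):].rpartition("=")
            apks[name] = path
    return apks


def parse_ab_header(data):
    """Read the text header of an `adb backup` (.ab) file: 'ANDROID BACKUP', format
    version, '1' if zlib-compressed, encryption ('none' or 'AES-256'), then the payload."""
    fields = data.split(b"\n", 4)
    if len(fields) < 5 or fields[0] != b"ANDROID BACKUP":
        raise ValueError("not an Android backup file")
    return {"version": int(fields[1]), "compressed": fields[2] == b"1",
            "encryption": fields[3].decode(), "payload_offset": len(data) - len(fields[4])}


def ab_to_tar(data):
    """Return the tar archive inside an unencrypted .ab file, inflating it if needed."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        raise ValueError("backup is password-protected; decrypt it before unpacking")
    payload = data[hdr["payload_offset"]:]
    return zlib.decompress(payload) if hdr["compressed"] else payload


def backup_members(data):
    """List the paths inside an .ab backup, e.g. apps/<package>/db/<sqlite file>."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data))) as tar:
        return tar.getnames()


def build_sample_backup():
    """Construct a tiny compressed, unencrypted .ab file holding one app database entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"SQLite format 3\x00" + b"\x00" * 84   # constructed placeholder, not a real DB
        info = tarfile.TarInfo("apps/com.example.chat/db/messages.db")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return b"ANDROID BACKUP\n5\n1\nnone\n" + zlib.compress(buf.getvalue())


def sha256_hex(data):
    """Hash pulled data so the report can show it was not altered after extraction."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    devices = parse_adb_devices(run_adb(["devices", "-l"]))
    ready = [s for s, state in devices.items() if state == "device"]
    if len(ready) != 1:
        raise SystemExit("expected exactly one authorized device, found: %r" % devices)
    props = parse_getprop(run_adb(["shell", "getprop"], ready[0]))
    print(props.get("ro.product.model"), props.get("ro.build.version.release"))
    for name, path in parse_pm_list(run_adb(["shell", "pm", "list", "packages", "-f"], ready[0])).items():
        print(name, path)
```

The device check refuses to continue unless exactly one authorized device is attached, which prevents an examination from silently running against the wrong phone, and the .ab header check makes the encrypted case explicit instead of handing a decompressor ciphertext.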
Here's a summary of the Android forensics tools covered in this section, along with their features
and download links:
1. All-In-One Tool:
○ Available at: AndroidFileHost
○ Features a user-friendly GUI for ADB functionalities.
○ Allows for easy access to ADB commands without memorization.
○ Supports functions like bootloader unlock, fastboot mode, etc.
2. Android Tools:
○ Available at: SourceForge
○ Offers a versatile GUI for ADB commands.
○ Allows launching a shell console for Linux commands.
○ Includes tabs for ADB commands, fastboot commands, and advanced
features like working with ADB backup files.
3. Autopsy:
○ Available at: Autopsy
○ Primarily designed for PC forensics but can analyze mobile phone images.
○ Extracts information from Android phone images.
○ Provides analysis of call logs, contacts, messages, GPS track points, etc.
4. BitPim:
○ Available at: SourceForge
○ Limited in the phones it can recognize.
○ Offers a user-friendly interface with a comprehensive help file.
○ Useful for extracting data from compatible phones.
5. OSAF (Open-Source Android Forensics):
○ Available at: SourceForge
○ Ubuntu Linux-based virtual machine pre-loaded with various Android forensics tools.
○ Provides easy access to a range of forensic analysis tools.
○ Default password: forensics.
These tools offer a range of functionalities for Android forensics, from basic ADB commands to
comprehensive analysis and extraction of data from Android devices. They are essential for
conducting forensic examinations effectively and efficiently.
1. Cellebrite:
○ Widely used in law enforcement and well-respected in the industry.
○ Offers a range of tools including UFED, Physical Analyzer, UFED Cloud,
Premium, Blacklight, and Commander.
○ Known for its robustness and effectiveness, but comes with a high cost.
○ Requires formal training and extensive knowledge to use effectively.
2. Dr. Fone:
○ A tool for mobile device recovery and data transfer.
○ Works with both iPhone and Android devices.
○ Affordable, with a full version priced at $139.95.
○ Provides features for viewing SMS messages, accessing the file system, and
copying data to a forensics workstation.
These tools offer varying levels of functionality and cost, catering to different needs and
budgets in the realm of mobile device forensics. While Cellebrite is known for its
comprehensive capabilities and professional-grade features, Dr. Fone provides a more
accessible option for those with limited resources.
Oxygen Forensics:
Oxygen Forensics is recognized for its user-friendly interface, making it accessible for forensic
investigators. Here's a summary of its key features:
● Ease of Use: Oxygen Forensics employs a wizard for initial device connection,
simplifying the extraction process.
● Variants: Previously, Oxygen offered both Detective and Analyst versions, but now
only the Detective version is available.
● Interface: The wizard facilitates smooth navigation through extraction steps, ensuring
logical access for Android devices to avoid rooting issues.
● Results Presentation: Extracted data is neatly organized, offering easy access to
events, phone books, messages, and other relevant information.
● Compatibility: While it may not boast all the features of tools like Cellebrite, Oxygen
Forensics still provides comprehensive data extraction and analysis capabilities.
● Cost: Priced at approximately $7000 per license, Oxygen Forensics offers a reasonable
option for professional forensic labs.
● Recommendations: When choosing forensic tools, it's advised to seek
recommendations from colleagues rather than relying solely on vendor marketing
information.
Overall, Oxygen Forensics stands as a robust tool with an intuitive interface, making it a valuable
addition to forensic labs.
MobilEdit:
Overall, MobilEdit Forensic Express presents a user-friendly and cost-effective solution for
forensic investigations across a wide range of mobile devices.
Online Decompilers:
Android Studio:
● Decompilation with Android Studio: Android Studio, a popular IDE for Android
development, provides built-in tools for decompiling and debugging apps. Users can
initiate the decompilation process from the main screen, guiding them through selecting
the APK file for decompilation.
Other Decompilers:
● Alternative Options: Various other online decompilers are available, such as
decompileandroid.com and apkdecompilers.com. While the specific decompiler used
may vary, the primary focus lies in analyzing the decompiled code.
Analysis:
By utilizing Android app decompilation tools and understanding the decompiled code, forensic
examiners can gain insights into app functionalities and potentially uncover evidence relevant to
investigations.
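Before an APK goes to any of the decompilers named above, an examiner normally hashes it and confirms that its bytecode is intact; the following Python block is an added example, not code from these notes or from any decompiler project. It treats the APK as the ZIP archive it is, flags the manifest and the META-INF signature files, and validates each classes*.dex header (magic, Adler-32 checksum, SHA-1 signature, file size) using the header layout from the Android DEX format specification. The sample APK and DEX it works on are constructed inline.

```python
"""APK pre-decompilation triage (added example; not from the course notes).

An APK is a ZIP archive; the bytecode a decompiler turns back into Java
lives in classes*.dex.  Hash the package, note whether it carries v1
signature files under META-INF/, and verify each DEX header so a truncated
or edited file is noticed before analysis.  Sample data is constructed.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_LEN = 0x70


def verify_dex(dex):
    """Check a DEX header: magic 'dex\\n<ver>\\0', Adler-32 over bytes 12..end,
    SHA-1 over bytes 32..end, and the recorded file_size/header_size."""
    if len(dex) < DEX_HEADER_LEN or dex[:4] != b"dex\n" or dex[7] != 0:
        return {"valid": False, "reason": "missing DEX magic or truncated header"}
    checksum, = struct.unpack_from("<I", dex, 8)
    file_size, header_size = struct.unpack_from("<II", dex, 32)
    result = {
        "version": dex[4:7].decode("ascii", "replace"),
        "file_size_ok": file_size == len(dex),
        "header_size_ok": header_size == DEX_HEADER_LEN,
        "checksum_ok": checksum == zlib.adler32(dex[12:]) & 0xFFFFFFFF,
        "signature_ok": dex[12:32] == hashlib.sha1(dex[32:]).digest(),
    }
    result["valid"] = all(v for k, v in result.items() if k.endswith("_ok"))
    return result


def triage_apk(apk_bytes):
    """Hash the APK, list its entries, flag the manifest and v1 signature files,
    and validate every classes*.dex member."""
    report = {"sha256": hashlib.sha256(apk_bytes).hexdigest(),
              "entries": [], "dex": {}, "v1_signed": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            report["entries"].append(name)
            if name.startswith("META-INF/") and name.endswith((".RSA", ".DSA", ".EC")):
                report["v1_signed"] = True
            if name.startswith("classes") and name.endswith(".dex"):
                report["dex"][name] = verify_dex(zf.read(info))
    report["has_manifest"] = "AndroidManifest.xml" in report["entries"]
    report["all_dex_valid"] = bool(report["dex"]) and all(d["valid"] for d in report["dex"].values())
    return report


def build_sample_dex(body=b"\x00" * 64):
    """Construct a DEX blob with a self-consistent header (no real bytecode inside)."""
    size = DEX_HEADER_LEN + len(body)
    # fields after the signature: file_size, header_size, endian_tag, then unused header words
    tail = struct.pack("<III", size, DEX_HEADER_LEN, 0x12345678)
    tail += b"\x00" * (DEX_HEADER_LEN - 32 - len(tail)) + body
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + tail


def build_sample_apk(dex=None):
    """Construct a minimal APK-shaped ZIP: manifest placeholder, one DEX, one v1 signature file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary-XML header bytes only
        zf.writestr("classes.dex", dex if dex is not None else build_sample_dex())
        zf.writestr("META-INF/CERT.RSA", b"constructed-signature-placeholder")
    return buf.getvalue()


def flip_byte(data, index):
    """Return a copy with one byte changed, to show how an edit surfaces in verify_dex()."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)
```

A DEX whose checksum or signature fails is either damaged in transit or was edited after it was built, and either way the decompiled output should not be relied on until the discrepancy is explained; the APK hash recorded here is what ties that output back to the exact package taken from the device.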