S2-Digital Forensics Life Cycle

The document outlines the principles and procedures of digital forensics, emphasizing the importance of handling digital evidence carefully to avoid contamination and ensure admissibility in court. It details the stages of a digital forensic investigation, including collection, examination, analysis, and reporting, while also addressing the challenges faced in enterprise networks and the need for proper evidence handling and documentation. Additionally, it highlights the significance of adhering to established guidelines and rules of digital evidence to maintain the integrity and reliability of forensic investigations.

Uploaded by

Dr. VASAVI BANDE
Copyright
© All Rights Reserved

Agenda

• Introduction to Digital Forensics
• Rules of Digital Evidence
• Guidelines for Digital Forensics
• Digital Forensics Life Cycle
• Scope of Digital Forensics in Enterprise Networks
• Challenges in Digital Forensics
Locard’s principle of transference

The second reason this principle is important is that it highlights why you should only work with a copy of the suspect storage media, not the original, and why you should write-protect media. As a forensic investigator you are interacting with the evidence, and you could inadvertently introduce trace evidence.

When an investigator inadvertently introduces trace evidence, this is referred to as contamination. In any forensic investigation, you must be very careful to avoid contamination.
Branches of Digital Forensics

Ref: Books for Digital Forensics https://www.group-ib.com/blog/bookshelf


Stages of Digital Forensic Investigation

Ref: NIST SP 800-86


 Collection: The first step in the forensic process is to identify potential sources of data and acquire data from them.
 Examination: After data has been collected, the next phase is to examine the data, which involves assessing and extracting the relevant pieces of information from the collected data. This phase may also involve bypassing or mitigating OS or application features that obscure data and code, such as data compression, encryption, and access control mechanisms.
 Analysis: Once the relevant information has been extracted, the analyst should study and analyze the data to draw conclusions from it. The foundation of forensics is using a methodical approach to reach appropriate conclusions based on the available data or determine that no conclusion can yet be drawn.
 Reporting: The process of preparing and presenting the information resulting from the analysis phase. Many factors affect reporting, including the following:

NIST SP 800-86 contd..

Alternative Explanations. When the information regarding an event is incomplete, it may not be possible to arrive at a definitive explanation of what happened. When an event has two or more plausible explanations, each should be given due consideration in the reporting process. Analysts should use a methodical approach to attempt to prove or disprove each possible explanation that is proposed.
Audience Consideration. Knowing the audience to which the data or information will be shown is important.
Actionable Information. Reporting also includes identifying actionable information gained from data that may allow an analyst to collect new sources of information.
Rules of Digital Evidence

1. Admissible: Admissible is the most basic rule (the evidence must be able to be used) in court or otherwise. Failure to comply with this rule is equivalent to not collecting the evidence in the first place, except the cost is higher.
2. Authentic: If you can’t tie the evidence positively with the incident, you can’t use it to prove anything. You must be able to show that the evidence relates to the incident in a relevant way.
3. Complete: It’s not enough to collect evidence that just shows one perspective of the incident. Not only should you collect evidence that can prove the attacker’s actions, but also evidence that could prove their innocence. For instance, if you can show the attacker was logged in at the time of the incident, you also need to show who else was logged in, and why you think they didn’t do it. This is called exculpatory evidence and is an important part of proving a case.
4. Reliable: The evidence you collect must be reliable. Your evidence collection and analysis procedures must not cast doubt on the evidence authenticity and veracity.
5. Believable: The evidence you present should be clearly understandable and believable by a jury. There’s no point presenting a binary dump of process memory if the jury has no idea what it all means. Similarly, if you present them with a formatted, human-understandable version, you must be able to show the relationship to the original binary, otherwise there’s no way for the jury to know whether you’ve faked it.
Do’s and Don’ts

• Minimize handling/corruption of original data
• Account for any changes and keep detailed logs of your actions.
• Comply with the five rules of evidence.
• Do not exceed your knowledge
• Follow your local security policy
• Capture as accurate an image of the system as possible
• Be prepared to testify
• Ensure your actions are repeatable
• Work fast
• Proceed from volatile to persistent evidence
• Don’t shut down before collecting evidence
• Don’t run any programs on the affected system
NIJ guidelines
• Create policies and procedures for the establishment and/or operation of a computer forensics unit.
Mission statement – Define the objective/purpose.
Personnel – Identify people participating in the mission and define criteria for selection. Define prerequisites.
Administrative considerations:
Software licensing – Be cautious with trial/open-source applications
Resource commitment – Define clear accountability
Training – Professional certifications / continuous learning in digital forensics / periodic knowledge sharing among team members / proofs of concept / use cases
Service request and intake – Always comply with the organization-defined process
Case management – Plan for relevant storage resources to preserve evidence.
Evidence handling and retention – Make sure to comply with regulatory guidelines
Case processing – Make sure the evidence was processed fully and processing errors are addressed.
Evidence Acquisition

Principle: Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination. For these reasons special precautions should be taken to preserve this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion.
Procedure: Acquire the original digital evidence in a manner that protects and preserves the evidence. The following bullets outline the basic steps:
 Secure digital evidence in accordance with departmental guidelines. In the absence of such guidelines, useful information can be found in Electronic Crime Scene Investigation: A Guide for First Responders (http://www.ojp.usdoj.gov/nij/pubs-sum/187736.htm).
 Document hardware and software configuration of the examiner’s system.
 Verify operation of the examiner’s computer system, including hardware and software.
 Disassemble the case of the computer to be examined to permit physical access to the storage devices. Take care to ensure equipment is protected from static electricity and magnetic fields.
 Identify storage devices that need to be acquired. These devices can be internal, external, or both.
 Document internal storage devices and hardware configuration: drive condition (e.g., make, model, geometry, size, jumper settings, location, drive interface).
 Disconnect storage devices (using the power connector or data cable from the back of the drive or from the motherboard) to prevent the destruction, damage, or alteration of data.
Chain of Custody

The term chain of custody refers to the process of maintaining and documenting the handling of evidence. It involves keeping a detailed log showing who collected, handled, transferred, or analyzed evidence during an investigation.
A forensics investigator carefully studies the scene and takes photographs and detailed notes for each piece of evidence found. These notes should include:
• Location of evidence
• Time and date of evidence recovery
• Description of item
• Condition of item
• Unique markings on items
To maintain an accurate and complete record, these chain of evidence elements must be met:
• Limit the number of people handling evidence
• Confirm all names, identification numbers, and dates on the chain of evidence documents
• Seal the package
• Double check markings before submission
• Obtain signed receipts upon transfer

Sample Chain of Custody Form
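The chain of custody elements above (names, identification numbers, dates, receipts on transfer) can be kept as a tamper-evident log. The following Python is an added example, not the page's sample form: each record carries the SHA-256 of the evidence image and the hash of the previous record, so a later edit to any entry, or a substituted image, fails verification. The handler names, badge ids and image bytes are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for the acquired image; in practice hash the real image file.
EVIDENCE_IMAGE = b"constructed sample image bytes for illustration only"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_entry(prev_hash, handler, badge_id, action, evidence_hash, when) -> dict:
    """One custody record; entry_hash covers every field plus the previous entry's
    hash, so altering any earlier record breaks the chain."""
    body = {"prev_hash": prev_hash,
            "handler": handler,            # name on the chain-of-evidence form
            "badge_id": badge_id,          # identification number
            "action": action,              # collected / transferred / analyzed
            "evidence_sha256": evidence_hash,
            "timestamp_utc": when.isoformat()}
    body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    return body


def append_entry(log: list, handler, badge_id, action, image: bytes, when) -> dict:
    prev = log[-1]["entry_hash"] if log else "0" * 64   # genesis link
    entry = make_entry(prev, handler, badge_id, action, sha256_hex(image), when)
    log.append(entry)
    return entry


def verify_log(log: list, image: bytes) -> bool:
    """Re-derive each entry hash, check the link to its predecessor, and confirm the
    evidence hash recorded at every step still matches the image being presented."""
    prev, expected = "0" * 64, sha256_hex(image)
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or entry["evidence_sha256"] != expected:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def build_sample_log() -> list:
    """Constructed custody history: collection, transfer with signed receipt, analysis."""
    log, t = [], datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    append_entry(log, "A. Examiner", "EX-001", "collected", EVIDENCE_IMAGE, t)
    append_entry(log, "B. Analyst", "AN-002", "transferred (receipt signed)", EVIDENCE_IMAGE, t)
    append_entry(log, "B. Analyst", "AN-002", "analyzed", EVIDENCE_IMAGE, t)
    return log
```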
Types of Forensic Imaging
1. Physical Image
2. Logical Image
3. Targeted Collection

Different methods for collecting a Forensic Image

1. Dead Box Imaging (turn off the device safely; remove the storage media; connect it to a forensic workstation via a write blocker)
2. Live Imaging from the target device (be cautious): run live forensic imaging software such as Encase Forensic Imager, FTK Imager Lite etc.
3. Remote acquisition (Encase Endpoint Investigator; F-Response; AD Enterprise etc.)
Devices used in Dead Box imaging

• Write Blockers (Hardware)
• Software Write Blockers: disable the USB mount key in the Registry; Encase FastBloc SE; Disk Arbitrator for Mac OS

Network based Acquisition using TD3

Live Imaging using a Forensic boot CD

Live Imaging using FTK Imager
Evidence Extraction

file slack, and unallocated file space. Steps may include:
 Extraction of the file system information to reveal characteristics such as directory structure, file attributes, file names, date and time stamps, file size, and file location.
 Data reduction to identify and eliminate known files through the comparison of calculated hash values to authenticated hash values.
 Extraction of files pertinent to the examination. Methods to accomplish this may be based on file name and extension, file header, file content, and location on the drive.
 Recovery of deleted files.
 Extraction of password-protected, encrypted, and compressed data.
 Extraction of file slack.
 Extraction of the unallocated space.
Analysis of extracted data

Analysis is the process of interpreting the extracted data to determine their significance to the case.
 Timeline analysis: reviewing the time and date stamps contained in the file system metadata
 Reviewing system and application logs that may be present. These may include error logs, installation logs, connection logs, security logs, etc.
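An added Python example, not from the slides, of the timeline analysis described above: constructed file-system stamps and two constructed log lines in different formats are normalized to UTC, using the documented system time zone (assumed here to be UTC+05:30) for stamps that carry no zone, and merged into one ordered timeline.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed documented time zone of the imaged system: the examiner recorded UTC+05:30
# at imaging time, so stamps that carry no zone are interpreted in that offset.
SYSTEM_TZ = timezone(timedelta(hours=5, minutes=30))

# Constructed file-system metadata: (path, stamp kind, local time as recorded).
FS_METADATA = [
    ("/home/user/report.docx", "modified", "2024-01-15 15:02:10"),
    ("/home/user/.bash_history", "modified", "2024-01-15 15:05:44"),
    ("/tmp/.x/tool", "created", "2024-01-15 14:58:03"),
]

# Constructed log lines: an application log with an explicit offset, and a
# syslog-style line with neither year nor zone (assumed local time, year 2024).
LOG_LINES = [
    "2024-01-15T09:27:30+00:00 sshd[812]: Accepted password for user from 10.0.0.5",
    "Jan 15 15:01:59 host kernel: usb 1-1: new high-speed USB device",
]

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def to_utc(local: str, fmt: str = "%Y-%m-%d %H:%M:%S") -> datetime:
    """Interpret a zone-less local stamp in SYSTEM_TZ and convert it to UTC."""
    return datetime.strptime(local, fmt).replace(tzinfo=SYSTEM_TZ).astimezone(timezone.utc)


def parse_log_line(line: str, assumed_year: int = 2024) -> tuple:
    """Return (utc_datetime, source, message) for either supported log format."""
    m = SYSLOG_RE.match(line)
    if m:
        return to_utc(f"{assumed_year} {m.group(1)}", "%Y %b %d %H:%M:%S"), "syslog", m.group(3)
    head, _, rest = line.partition(" ")
    return datetime.fromisoformat(head).astimezone(timezone.utc), "app-log", rest


def build_timeline() -> list:
    """Merge file-system stamps and log events into one UTC-ordered list of
    (utc_datetime, source, detail) tuples."""
    events = [(to_utc(ts), "fs:" + kind, path) for path, kind, ts in FS_METADATA]
    events += [parse_log_line(line) for line in LOG_LINES]
    return sorted(events, key=lambda e: e[0])
```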
Hidden Data Analysis

Renaming of file extensions
Hidden partitions
Encrypted containers (TrueCrypt, DiskCryptor, VeraCrypt etc.)
Password protected archives (zip, rar etc.)
Steganography
HPA (Host Protected Area)
Disk Configuration Overlay (DCO)
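An added Python example, not from the slides, serving both the data-reduction and file-header steps of the evidence extraction slide and the renamed-extension item of hidden data analysis: files whose hash appears in an authenticated known-file set are dropped, and files whose magic bytes disagree with their extension are flagged for closer examination. The hash set, magic-byte table and sample files are constructed.

```python
import hashlib
import os
import tempfile

# Constructed "authenticated" hash set (in practice an NSRL-style set from a trusted
# source); the value is computed from constructed content used in build_sample_tree().
KNOWN_GOOD_SHA256 = {hashlib.sha256(b"standard library file, unchanged").hexdigest()}

# Magic bytes for a few formats, compared against the file extension.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"%PDF-": "pdf", b"MZ": "exe"}


def identify_by_header(head: bytes) -> str:
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"


def examine_tree(root: str) -> dict:
    """Drop known files by hash, flag header/extension mismatches, queue the rest."""
    result = {"known": [], "mismatched": [], "review": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if hashlib.sha256(data).hexdigest() in KNOWN_GOOD_SHA256:
                result["known"].append(rel)
                continue
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            kind = identify_by_header(data[:8])
            if kind != "unknown" and ext != kind:
                result["mismatched"].append((rel, ext, kind))   # renamed extension
            else:
                result["review"].append(rel)
    return result


def build_sample_tree() -> str:
    """Constructed extraction: a known library file, an executable renamed to .pdf,
    a genuine PNG and a text note."""
    root = tempfile.mkdtemp()
    files = {"lib/common.dll": b"standard library file, unchanged",
             "docs/invoice.pdf": b"MZ\x90\x00constructed-pe-stub",
             "pics/logo.png": b"\x89PNG\r\n\x1a\nconstructed",
             "notes.txt": b"meeting notes"}
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root
```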


Documenting and Reporting

Procedure: All documentation should be complete, accurate, and comprehensive. The resulting report should be written for the intended audience.
■ Take notes when consulting with the case investigator and/or prosecutor.
■ Maintain a copy of the search authority with the case notes.
■ Maintain the initial request for assistance with the case file.
■ Maintain a copy of chain of custody documentation.
■ Take notes detailed enough to allow complete duplication of actions.
■ Include in the notes dates, times, and descriptions and results of actions taken.
■ Document irregularities encountered, and any actions taken regarding the irregularities during the examination.
■ Include additional information, such as network topology, list of authorized users, user agreements, and/or passwords.
■ Document changes made to the system or network by or at the direction of law enforcement or the examiner.
■ Document the operating system and relevant software version and current, installed patches.
■ Document information obtained at the scene regarding remote storage, remote user access, and offsite backups.
NIST Recommendations for forensic process

Organizations should perform forensics using a consistent process (process to initiate a forensic investigation).
Analysts should be aware of the range of possible data sources (potential sources).
Organizations should be proactive in collecting useful data (archival & retention policies).
Analysts should perform data collection using a standard process (SOP for evidence collection).
Analysts should use a methodical approach to studying the data.
Analysts should review their processes and practices (periodic review of SOPs & run books).
Preparation steps for forensic imaging

 Assess the situation and, based on feasibility, proceed with forensic imaging
 Select the suitable method of imaging
 Always store the evidence on an encrypted storage device
 Define criteria for identifying/labelling forensic images
 Make sure the necessary power settings and the automatic updates scheduler are disabled prior to forensic imaging
 Make sure the forensic imaging application is not flagged as malicious by the EDR/AV solution
 Document the time zone in which forensic imaging is done
 Verify the evidence report carefully and document any bad sectors/disk read errors
 Be patient while doing forensic imaging
 Always keep a duplicate copy of the forensic image
 Make sure the chain of custody document has captured information accurately, including any challenges that were encountered during forensic imaging.
Potential sources of Digital Evidence

Common practices of Digital Forensics in Enterprise Network

Potential sources of evidence from storage media

Potential sources of evidence from Corporate Infrastructure
 End user devices: laptops / MacBooks
 Cloud storage locations: OneDrive
 Mailbox: O365 Security & Compliance console
 Code42: cloud backup
 Network shares (project / team specific)
 AWS Cloud
 Azure Cloud
Popular Forensic Tools
Challenges for Digital Forensics
 Increase in physical memory and secondary storage
 Decryption support for forensic tools
 Limited tool support for forensically sound extraction of data from mobile devices and IoT devices
 Ensuring the integrity of evidence while collecting evidence in an enterprise/corporate network (requires setting up an isolated VLAN and secure inbound/outbound connections)
 Forensically sound collection and analysis of data from legacy systems
 Anonymity of IP addresses
 Missing logs
 Delay in detection of an incident and in collecting and preserving relevant evidence for investigation
Challenges for Digital Forensics Continued..
• Easy availability of hacking tools
• Lack of physical evidence makes prosecution difficult.
• Any technological changes require an upgrade or changes to solutions.
• Lack of transparency from commercial forensic software

Challenges for Digital Forensics Investigations Contd..
Data recovery restrictions on Solid State Drives (SSDs) (limitation of SSD technology)
Cloud forensics in multi-tenant environments
Bandwidth considerations while acquiring evidence over the network
Workforce / skills gap in cyber forensics
Technical Challenges – Anti forensics
Encryption
Steganography
Covert channel
Data hiding in storage space
Residual data wiping
Attacking the tools
Attacking the investigators
Questions
Thank you
