
CHAPTER ONE

INTRODUCTION

With the proliferation of computers in our everyday lives, the need to include computer contents
or traces as part of formal evidence has become inevitable. Computerized devices are part of our
world in the form of laptops, desktop computers, servers, etc., but there are also many other storage
devices that may contain forensic evidence. Devices such as memory cards, personal digital
assistants, and video gaming systems, are among a myriad of devices that have the ability to accept
input, provide output, and also store data. It is this data or the usage of these devices that is at the
center of computer forensics. According to Marcella and Menendez, cyber forensics, e-discovery,
digital forensics and computer forensics mean relatively the same thing, yet none has
emerged as a de facto standard (Marcella, Menendez 2008). They further present a working
definition of computer forensics as "the science of locating, extracting, and analyzing types of
data from different devices, which specialists then interpret to serve as legal evidence" (p5). They
further state that computer forensics can also be defined as the discipline that combines elements
of law and computer science to collect and analyze data from computer systems, networks, wireless
communications, and storage devices in a way that is admissible as evidence in a court of law
(Marcella, Menendez 2008). Computer forensics aims to attain as much information from
electronic devices or media by utilizing sound forensic techniques that may be admissible in court.
This includes concise and sound forensic techniques including a clear chain of custody and
documentation. There are two different areas that must be considered when collecting digital
forensic evidence. The first is the process of collecting the evidence without altering its contents
and ensuring it is admissible in court. The second area is the actual use of law enforcement grade
sound forensic practices that result in the collection being admissible in court. It is not the intent
of this document to address the latter. As the authors are computer science professionals, it is the
intent of this document to provide a concise overview of the process of collecting forensic evidence
and review different methods, tools, and challenges during forensic analysis and collection. The
field of digital forensics has become commonplace due to the increasing prevalence of technology
since the late 20th century, and the inevitable relevance of this technology in the conducting of
criminal activity. In traditional forensics, the evidence is generally something tangible that could
identify the criminal, such as hair, blood or fingerprints. In contrast, digital forensics deals with
files and data in digital form extracted from digital devices.

1.1 Background of Digital Forensic
As mentioned by Adelstein (2006), information can be obtained from a live system, which consists of
running processes, network connections, process memory, and system load. This information can be
captured using live analysis techniques. However, a live system is not static: files and processes
change continuously, which can prevent them from being taken as evidence. For instance, even though
system log files change frequently and new mail continuously arrives, this activity would not disturb
email messages already sent by the suspect. The evolution of technology devices requires digital
investigators to obtain knowledge of digital device architecture (Marcella & Greenfield, 2002). Due to
current technologies, digital evidence can be of different types and can be specific to different types
of device (Turner, 2005). Other issues that have been listed include the increasing usage of encryption
applications (Kaplan, 2007), the growing size of storage devices and the usage of cloud remote
processing applications (Garfinkel, 2010). Current digital forensic operations (computing cryptographic
hashes, thumbnail generation, file carving and string searches) result in the low performance of
digital forensic tools for investigation. There are several types of digital forensics tools available in
this field. Enhancement of high technology devices has impacted the functionality of the tools. The
increasing number of computer devices and their storage size results in an increase in the time needed
to search for evidence. It will be quite challenging since there is no specific tool for acquiring digital
evidence from high end technology. Law enforcement faces numerous significant challenges in
developing and mastering the skills, tools and techniques of digital forensics. It is not easy to find
qualified forensics personnel, either in the private sector or the government sector. This is due to the
limitations placed on civilian access to training programs. In law enforcement, difficulties arise due to
structural and cultural factors in certain communities. Even though personnel in some cases are well
trained, there are still limitations in achieving successful prosecution. These include the lack of
suitable equipment and facilities to process digital evidence and the unfamiliarity of prosecutors with
the issues surrounding the seizure and processing of the evidence (Yasinsac et al., 2001).
1.2 Aim of Digital Forensic

Regardless of their scientific specialty, all forensic scientists have the same goal: examining
evidence from a crime scene using strictly scientific knowledge and principles in order to find facts
about a criminal case. Because the outcomes are objective facts, forensic science can be useful
both to the prosecution and the defense. Any discipline of forensic science can prove whether and
how suspects and victims are linked to each other or to the crime scene itself. Forensic science has
become one of the most important parts of any criminal case. Experts who study evidence collected
at a crime scene and who explain their scientific findings to a jury make it possible for juries, in
turn, to make good decisions about guilt or innocence. Courtroom verdicts are based not on
circumstantial evidence or eyewitness accounts but on solid, scientific fact. The more advanced
different fields of science become, the more important forensic science will be in court cases and
in the role of the justice system to convict the guilty and acquit the innocent. Forensic scientists
must concern themselves with science itself, not the crime. To be useful in a court of law, their
testimony must be objective, reliable and based only on scientific fact. If the facts show that no
clear conclusion can be drawn, they must state this as their finding. Forensic scientists are not on
the side of the law. They are on the side of scientific truth and fact and must stand behind whatever
outcome their findings show.

1.3 Significance of Digital Forensic

Since computers, mobile phones, and the internet represent the largest growing resource for
criminal perpetrators, digital forensics has assumed a key role in the law enforcement sector. With
cyber-crimes offering a high-yield and relatively low risk opportunity that doesn’t require physical
violence, law enforcement agencies are now continually engaged in digital forensic activities to
curb the exploits of fraudsters, identity thieves, ransomware distributors, and others in the cyber-
criminal ecosystem. As with the gathering of evidence in physical investigations, care must be
exercised in digital forensic collection to ensure that the data being collected for analysis is as pure
and undisturbed as possible. Bearing in mind that files on a computer are altered in some way even
if you just open them in their related application without saving them, a system that’s suspected to
hold forensic evidence which might be relevant to a case should remain untouched until that
information can be extracted in a non-disruptive manner. This also holds true for incidents where
the authentication of certain files, the ways in which they’ve been accessed or used, and the
timelines of critical events have to be established. Where evidence must be extracted from a running
system, this involves running a small diagnostic program on the target system, which copies
information over to the forensic examiner's hard drive.
For legal purposes, such a live acquisition may still produce digital forensic evidence that’s
admissible in court – so long as the examiner can adequately prove that their intrusive intervention
was absolutely necessary. In the commercial sector, business organizations routinely use digital
forensics in the resolution of cases involving industrial espionage, intellectual property theft, fraud,
forgery, employment disputes, bankruptcy investigations, the inappropriate usage of digital
resources such as email and messaging services in the workplace, and issues relating to regulatory
compliance. Returning to the “double-edged sword” analogy, those looking to counteract the
activities of digital forensic investigators may engage in the practice of “anti-forensics.” This
involves a number of techniques, including the use of encryption, modifying a file’s metadata, or
otherwise disguising files and documents (file obfuscation). It’s a risky strategy, as the tools of
anti-forensics themselves also leave traces of what they’ve done on the perpetrator’s own system,
or other systems to which they have access.

1.4 Overview of the Study

Forensic psychology is the application of the science and profession of psychology to questions
and issues relating to law and the legal system. The word "forensic" comes from the Latin word
"forensis," meaning "of the forum," where the law courts of ancient Rome were held. Today
forensic refers to the application of scientific principles and practices to the adversary process
where special knowledgeable scientists play a role. Forensic psychology is a specialized branch
that deals with issues that connect psychology and the law. Interest in forensic psychology has
grown significantly in recent years. Increasing numbers of graduate programs offer dual degrees
in psychology and law, with others providing specialization in forensic psychology. While forensic
psychology is considered a rather new specialty area within psychology, the field dates back to the
earliest days in psychology's history. Philosophers and scientists have long sought to understand
what makes people commit crimes, behave aggressively, or engage in antisocial behaviors.
Forensic psychology is a relatively new specialty area. In fact, forensic psychology was just
officially recognized as a specialty area by the American Psychological Association in 2001.
Despite this, the field of forensic psychology has roots that date back to Wilhelm Wundt's first
psychology lab in Leipzig, Germany. Today, forensic psychologists are not only interested in
understanding why such behaviors occur, but also in helping minimize and prevent such actions.
The field has experienced dramatic growth in recent years as more and more students become
interested in this applied branch of psychology. Popular movies, television programs and books
have helped popularize the field, often depicting brilliant heroes who solve vicious crimes or track
down killers using psychology. While depictions of forensic psychology in popular media are
certainly dramatic and attention-grabbing, these portrayals are not necessarily accurate. Forensic
psychologists definitely play an important role in the criminal justice system, however, and this
can be an exciting career for students interested in applying psychological principles to the legal
system. The examination of digital media is covered by national and international legislation. For
civil investigations, in particular, laws may restrict the abilities of analysts to undertake
examinations. Restrictions against network monitoring, or reading of personal communications
often exist. During criminal investigation, national laws restrict how much information can be
seized. For example, in the United Kingdom seizure of evidence by law enforcement is governed
by the PACE Act. During its existence early in the field, the "International Organization on
Computer Evidence" (IOCE) was one agency that worked to establish compatible international
standards for the seizure of evidence. In the UK the same laws covering computer crime can also
affect forensic investigators. The 1990 Computer Misuse Act legislates against unauthorized access
to computer material; this is a particular concern for civil investigators who have more limitations
than law enforcement. An individual's right to privacy is one area of digital forensics which is still
largely undecided by courts. The US Electronic Communications Privacy Act places limitations
on the ability of law enforcement or civil investigators to intercept and access evidence. The act
makes a distinction between stored communication (e.g. email archives) and transmitted
communication (such as VoIP). The latter, being considered more of a privacy invasion, is harder
to obtain a warrant for. The ECPA also affects the ability of companies to investigate the computers
and communications of their employees, an aspect that is still under debate as to the extent to
which a company can perform such monitoring. Article 5 of the European Convention on Human
Rights asserts similar privacy limitations to the ECPA and limits the processing and sharing of
personal data both within the EU and with external countries. The ability of UK law enforcement
to conduct digital forensics investigations is legislated by the Regulation of Investigatory Powers
Act.

CHAPTER TWO

LITERATURE REVIEW

2.1 Historical Background

Prior to the 1970s crimes involving computers were dealt with using existing laws. The
first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included
legislation against the unauthorized modification or deletion of data on a computer system. Over
the next few years the range of computer crimes being committed increased, and laws were passed
to deal with issues of copyright, privacy/harassment (e.g., cyber bullying, cyber stalking,
and online predators) and child pornography. It was not until the 1980s that federal laws began to
incorporate computer offences. Canada was the first country to pass legislation in 1983. This was
followed by the US Federal Computer Fraud and Abuse Act in 1986, Australian amendments to
their crimes acts in 1989 and the British Computer Misuse Act in 1990. The growth in computer
crime during the 1980s and 1990s caused law enforcement agencies to begin establishing
specialized groups, usually at the national level, to handle the technical aspects of investigations.
For example, in 1984 the FBI launched a Computer Analysis and Response Team and the
following year a computer crime department was set up within the British Metropolitan
Police fraud squad. As well as being law enforcement professionals, many of the early members
of these groups were also computer hobbyists and became responsible for the field's initial research
and direction. One of the first practical (or at least publicized) examples of digital forensics
was Cliff Stoll's pursuit of hacker Markus Hess in 1986. Stoll, whose investigation made use of
computer and network forensic techniques, was not a specialized examiner. Many of the earliest
forensic examinations followed the same profile. Throughout the 1990s there was high demand
for these new, and basic, investigative resources. The strain on central units led to the creation of
regional, and even local, level groups to help handle the load. For example, the British National
Hi-Tech Crime Unit was set up in 2001 to provide a national infrastructure for computer crime;
with personnel located both centrally in London and with the various regional police forces (the
unit was folded into the Serious Organized Crime Agency (SOCA) in 2006). During this period
the science of digital forensics grew from the ad-hoc tools and techniques developed by these
hobbyist practitioners. This is in contrast to other forensics disciplines which developed from work
by the scientific community. It was not until 1992 that the term "computer forensics" was used
in academic literature (although prior to this it had been in informal use); a paper by Collier and
Spaul attempted to justify this new discipline to the forensic science world. This swift development
resulted in a lack of standardization and training. In his 1995 book, "High-Technology Crime:
Investigating Cases Involving Computers", K. Rosenblatt wrote: "Seizing, preserving, and
analyzing evidence stored on a computer is the greatest forensic challenge facing law enforcement
in the 1990s. Although most forensic tests, such as fingerprinting and DNA testing, are performed
by specially trained experts the task of collecting and analyzing computer evidence is often
assigned to patrol officers and detectives." Since 2000, in response to the need for standardization,
various bodies and agencies have published guidelines for digital forensics. The Scientific
Working Group on Digital Evidence (SWGDE) produced a 2002 paper, "Best practices for
Computer Forensics", this was followed, in 2005, by the publication of an ISO standard (ISO
17025, General requirements for the competence of testing and calibration laboratories). A
European-led international treaty, the Convention on Cybercrime, came into force in 2004 with
the aim of reconciling national computer crime laws, investigative techniques and international
co-operation. The treaty has been signed by 43 nations (including the US, Canada, Japan, South
Africa, UK and other European nations) and ratified by 16 nations. The issue of training also
received attention. Commercial companies (often forensic software developers) began to offer
certification programs and digital forensic analysis was included as a topic at the UK specialist
investigator training facility, Centrex. Since the late 1990s mobile devices have become more
widely available, advancing beyond simple communication devices, and have been found to be
rich forms of information, even for crimes not traditionally associated with digital
forensics. Despite this, digital analysis of phones has lagged behind traditional computer media,
largely due to problems over the proprietary nature of devices. Focus has also shifted onto internet
crime, particularly the risk of cyber warfare and cyberterrorism. A February 2010 report by
the United States Joint Forces Command concluded: "Through cyberspace, enemies will target
industry, academia, government, as well as the military in the air, land, maritime, and space
domains. In much the same way that airpower transformed the battlefield of World War II,
cyberspace has fractured the physical barriers that shield a nation from attacks on its commerce
and communication." The field of digital forensics still faces unresolved issues. A 2009 paper,
"Digital Forensic Research: The Good, the Bad and the Unaddressed", by Peterson and Shenoi
identified a bias towards Windows operating systems in digital forensics research. In 2010 Simson
Garfinkel identified issues facing digital investigations in the future, including the increasing size
of digital media, the wide availability of encryption to consumers, a growing variety of operating
systems and file formats, an increasing number of individuals owning multiple devices, and legal
limitations on investigators. The paper also identified continued training issues, as well as the
prohibitively high cost of entering the field.

2.2 The Development Of Forensic Tools

During the 1980s very few specialized digital forensic tools existed, and consequently
investigators often performed live analysis on media, examining computers from within the
operating system using existing sysadmin tools to extract evidence. This practice carried the risk
of modifying data on the disk, either inadvertently or otherwise, which led to claims of evidence
tampering. A number of tools were created during the early 1990s to address the problem. The
need for such software was first recognized in 1989 at the Federal Law Enforcement Training
Center, resulting in the creation of IMDUMP (by Michael White) and in 1990, SafeBack
(developed by Sydex). Similar software was developed in other countries; DIBS (a hardware and
software solution) was released commercially in the UK in 1991, and Rob McKemmish
released Fixed Disk Image free to Australian law enforcement. These tools allowed examiners to
create an exact copy of a piece of digital media to work on, leaving the original disk intact for
verification. By the end of the 1990s, as demand for digital evidence grew, more advanced
commercial tools such as EnCase and FTK were developed, allowing analysts to examine copies
of media without using any live forensics. More recently, a trend towards "live memory forensics"
has grown, resulting in the availability of tools such as WindowsSCOPE. The same
progression of tool development has occurred for mobile devices; initially investigators accessed
data directly on the device, but soon specialist tools such as XRY or Radio Tactics Aceso appeared.

2.3 Forensic Process

A digital forensic investigation commonly consists of 3 stages: acquisition or imaging of exhibits,
analysis, and reporting. Ideally acquisition involves capturing an image of the computer's volatile
memory (RAM) and creating an exact sector level duplicate (or "forensic duplicate") of the media,
often using a write blocking device to prevent modification of the original. However, the growth
in size of storage media and developments such as cloud computing have led to more use of 'live'
acquisitions whereby a 'logical' copy of the data is acquired rather than a complete image of the
physical storage device. Both acquired image (or logical copy) and original media/data
are hashed (using an algorithm such as SHA-1 or MD5) and the values compared to verify the
copy is accurate. An alternative (and patented) approach (that has been dubbed 'hybrid forensics' or
'distributed forensics') combines digital forensics and discovery processes. This approach has been
embodied in a commercial tool called ISEEK that was presented together with test results at a
conference in 2017.
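The hash comparison described above, as an added example that is not part of this report or of any tool it names: both the original media and the acquired image are read in fixed-size chunks, MD5, SHA-1 and SHA-256 are computed in a single pass, and agreement is reported per algorithm. The file paths and the synthetic "disk" contents are constructed for the demonstration.

```python
# Added example (not from the report): verify that a forensic duplicate
# matches the original media by comparing cryptographic hashes (section 2.3).
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so multi-gigabyte images fit in memory
DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream, algorithms=DEFAULT_ALGORITHMS):
    """Return {algorithm: hexdigest} for a binary stream, reading it once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=DEFAULT_ALGORITHMS):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=DEFAULT_ALGORITHMS):
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_duplicate(original_path, image_path, algorithms=DEFAULT_ALGORITHMS):
    """Compare original media and acquired image.

    Returns (ok, report); report maps each algorithm to
    (original_digest, image_digest, match).
    """
    orig = hash_file(original_path, algorithms)
    img = hash_file(image_path, algorithms)
    report = {a: (orig[a], img[a], orig[a] == img[a]) for a in algorithms}
    return all(match for _, _, match in report.values()), report


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed data: a synthetic 1 MiB 'disk', an exact copy and a copy
    with a single flipped bit. Returns (exact_ok, tampered_ok, tampered_report)."""
    media = bytes(range(256)) * 4096
    tampered = bytearray(media)
    tampered[500_000] ^= 0x01  # one bit changed somewhere in the copy
    with tempfile.TemporaryDirectory() as d:
        orig = os.path.join(d, "original.dd")
        good = os.path.join(d, "good.dd")
        bad = os.path.join(d, "bad.dd")
        _write(orig, media)
        _write(good, media)
        _write(bad, bytes(tampered))
        ok_good, _ = verify_duplicate(orig, good)
        ok_bad, report_bad = verify_duplicate(orig, bad)
    return ok_good, ok_bad, report_bad


if __name__ == "__main__":
    exact_ok, tampered_ok, report = demo()
    print("exact copy verified:", exact_ok)
    print("tampered copy verified:", tampered_ok)
    for alg, (o, i, match) in report.items():
        print(f"{alg}: original={o[:16]}... image={i[:16]}... match={match}")
```

A single flipped bit changes every digest, which is the property the comparison relies on. The report names MD5 and SHA-1; recording a SHA-256 value alongside them costs nothing extra (the data is read once) and avoids later argument about the known collision weaknesses of the older algorithms.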

Figure 2.1 A portable tableau write-blocker attached to the hard drive

During the analysis phase an investigator recovers evidence material using a number of different
methodologies and tools. In 2002, an article in the International Journal of Digital
Evidence referred to this step as "an in-depth systematic search of evidence related to the suspected
crime." In 2006, forensics researcher Brian Carrier described an "intuitive procedure" in which
obvious evidence is first identified and then "exhaustive searches are conducted to start filling in
the holes." The actual process of analysis can vary between investigations, but common
methodologies include conducting keyword searches across the digital media (within files as well
as unallocated and slack space), recovering deleted files and extraction of registry information (for
example to list user accounts, or attached USB devices). The evidence recovered is analyzed to
reconstruct events or actions and to reach conclusions, work that can often be performed by less
specialized staff. When an investigation is complete the data is presented, usually in the form of a
written report, in lay persons' terms.

9
2.4 Applications Of Digital Forensic

Digital forensics is commonly used in both criminal law and private investigation. Traditionally it
has been associated with criminal law, where evidence is collected to support or oppose a
hypothesis before the courts. As with other areas of forensics this is often as part of a wider
investigation spanning a number of disciplines. In some cases the collected evidence is used as a
form of intelligence gathering, used for other purposes than court proceedings (for example to
locate, identify or halt other crimes). As a result, intelligence gathering is sometimes held to a less
strict forensic standard. In civil litigation or corporate matters digital forensics forms part of
the electronic discovery (or eDiscovery) process. Forensic procedures are similar to those used in
criminal investigations, often with different legal requirements and limitations. Outside of the
courts digital forensics can form a part of internal corporate investigations.

Figure 2.2 An example of an image's Exif metadata that might be used to prove its origin

A common example might be following unauthorized network intrusion. A specialist forensic
examination into the nature and extent of the attack is performed as a damage limitation exercise,
both to establish the extent of any intrusion and in an attempt to identify the attacker. Such attacks
were commonly conducted over phone lines during the 1980s, but in the modern era are usually
propagated over the Internet. The main focus of digital forensics investigations is to recover
objective evidence of a criminal activity (termed actus reus in legal parlance). However, the
diverse range of data held in digital devices can help with other areas of inquiry.

- Attribution

Metadata and other logs can be used to attribute actions to an individual. For example,
personal documents on a computer drive might identify its owner.

- Alibis and statements

Information provided by those involved can be cross checked with digital evidence. For
example, during the investigation into the Soham murders the offender's alibi was
disproved when mobile phone records of the person he claimed to be with showed she was
out of town at the time.

- Intent

As well as finding objective evidence of a crime being committed, investigations can also
be used to prove the intent (known by the legal term mens rea). For example, the Internet
history of convicted killer Neil Entwistle included references to a site discussing "How to
kill people."

- Evaluation of source

File artifacts and meta-data can be used to identify the origin of a particular piece of data;
for example, older versions of Microsoft Word embedded a Global Unique Identifier into
files which identified the computer it had been created on. Proving whether a file was
produced on the digital device being examined or obtained from elsewhere (e.g., the
Internet) can be very important.

- Document authentication

Related to "Evaluation of source," metadata associated with digital documents can be
easily modified (for example, by changing the computer clock you can affect the creation
date of a file). Document authentication relates to detecting and identifying falsification of
such details.
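The timestamp checks that document authentication and evaluation of source rely on, as an added example rather than code from the report: each file record carries file-system and (optionally) embedded timestamps, and the checks flag a creation time later than the last modification (typical of a file copied onto the volume rather than authored on it), any timestamp later than the acquisition time (clock manipulation), and embedded metadata claiming a later edit than the file system recorded. The records, names and times are constructed; the findings are indicators that need explaining, not proof of falsification.

```python
# Added example (not from the report): consistency checks on file-system and
# embedded (Exif / document) timestamps, as used in document authentication.
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
TIMESTAMP_KEYS = ("fs_created", "fs_modified", "fs_accessed",
                  "embedded_created", "embedded_modified")


def check_timestamps(record, acquired_at, slack=timedelta(minutes=5)):
    """Return a list of (code, explanation) findings for one file record.

    record keys: name, fs_created, fs_modified, fs_accessed (required) and
    embedded_created, embedded_modified (optional); all UTC datetimes.
    'slack' absorbs ordinary clock drift and write latency.
    """
    findings = []
    for key in TIMESTAMP_KEYS:
        ts = record.get(key)
        if ts is not None and ts > acquired_at + slack:
            findings.append(("future_timestamp",
                             f"{key} {ts.isoformat()} is after acquisition "
                             f"{acquired_at.isoformat()}"))
    if record["fs_created"] > record["fs_modified"] + slack:
        findings.append(("created_after_modified",
                         "file-system creation is later than last modification: "
                         "typical of a file copied onto this volume rather than "
                         "authored on it"))
    emb_mod = record.get("embedded_modified")
    if emb_mod is not None and emb_mod > record["fs_modified"] + slack:
        findings.append(("embedded_after_fs_modified",
                         "embedded metadata claims an edit later than the file "
                         "system recorded; writing that field should itself have "
                         "updated the file"))
    emb_created = record.get("embedded_created")
    if emb_created is not None and emb_mod is not None and emb_created > emb_mod:
        findings.append(("embedded_created_after_modified",
                         "embedded creation time is later than embedded "
                         "modification time"))
    return findings


def run_checks(records, acquired_at):
    """Map file name -> list of finding codes."""
    return {r["name"]: [code for code, _ in check_timestamps(r, acquired_at)]
            for r in records}


def demo_records():
    """Constructed records: one consistent file, one copied in from elsewhere,
    one whose timestamps post-date the acquisition."""
    t0 = datetime(2021, 3, 1, 9, 0, tzinfo=UTC)
    acquired = datetime(2021, 3, 10, 12, 0, tzinfo=UTC)
    records = [
        {"name": "report.docx", "fs_created": t0,
         "fs_modified": t0 + timedelta(hours=2),
         "fs_accessed": t0 + timedelta(days=1),
         "embedded_created": t0, "embedded_modified": t0 + timedelta(hours=2)},
        {"name": "photo.jpg", "fs_created": t0 + timedelta(days=5),
         "fs_modified": t0, "fs_accessed": t0 + timedelta(days=5)},
        {"name": "invoice.pdf", "fs_created": t0,
         "fs_modified": t0 + timedelta(days=30),
         "fs_accessed": t0 + timedelta(days=30),
         "embedded_modified": t0 + timedelta(days=40)},
    ]
    return acquired, records


if __name__ == "__main__":
    acquired, records = demo_records()
    for rec in records:
        for code, why in check_timestamps(rec, acquired):
            print(f"{rec['name']}: {code}: {why}")
```

The acquisition time is the anchor for every "future" check, so it should be taken from the examiner's own clock and recorded in the chain-of-custody notes, not from the target system.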

CHAPTER THREE

DISCUSSION

3.1 Techniques in Digital Forensic

Live incident response collects all of the relevant data from the system that will be used to confirm
whether an incident occurred. Live incident response includes collecting volatile and nonvolatile
data. Volatile data is information we would lose if we walked up to a device and disconnected the
power cord. Nonvolatile data includes data that would be very useful to collect during digital
forensic collection such as system event logs, user logons, and patch levels, among many others.
Live incident response further includes the collection of information such as current network
connections, running processes, and information about open files. Live incident response is
typically collected by running a series of commands that produces data that would normally be
sent to the console but is sent to a different storage device or a forensic workstation. A forensic
workstation is a machine that the forensic investigator considers trusted and is used to collect data
from a suspected host computer. There are various ways to transmit the data to the forensic
workstation during forensic collection. Some of the most common tools to collect data include
commercial software such as EnCase and FTK (forensic toolkit from accessdata.com) but there
are many other open source and commercial tools that can be part of our arsenal during collection.
Some of the most common tools include Netcat and Cryptcat. Netcat is considered by many
as the Swiss army knife of live incident response collections. Netcat creates TCP channels and can be
executed in listening mode like a telnet server, or in connection mode like a telnet client. Netcat
also includes MD5 checksum capability which, as we will cover later, is an essential part of any
sound digital collection in order to prove the data was not altered during collection. Netcat works by
booting to a shell and "listening" on a particular TCP port in verbose or listening mode. Once
the forensic workstation is in "listening" mode via Netcat, the data is sent from the target host to
the particular port the forensic workstation is listening to. Cryptcat is a variant of Netcat that is
worth mentioning in this document as it encrypts all of the data across the TCP channel. It uses
all of the same commands and command-line switches as Netcat but enhances Netcat by providing
secrecy and authentication, which are now very important in the age of eavesdropping and wire
tapping.
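The listener/sender pattern described above, as an added example reproduced with plain sockets rather than Netcat itself (this is not the report's code): the forensic workstation side binds a TCP port and writes whatever arrives to a buffer until the connection closes, the target side connects and streams the output of a collection command, and both sides compute an MD5 so the examiner can show the data was not altered in transit. The loopback address, the OS-chosen port and the sample process listing are constructed for the demonstration; like Netcat, the channel is unencrypted.

```python
# Added example (not from the report): the Netcat collection pattern of 3.1
# with plain sockets. Workstation side = 'nc -l -p PORT > evidence.txt';
# target side = 'command | nc WORKSTATION PORT'. Loopback stands in for the
# two hosts; the 'command output' is a constructed stand-in.
import hashlib
import io
import socket
import threading


def workstation_listener(server_sock, sink):
    """Accept one client and copy everything it sends to sink until EOF."""
    conn, _ = server_sock.accept()
    with conn:
        while True:
            block = conn.recv(65536)
            if not block:
                break
            sink.write(block)


def target_send(host, port, payload):
    """Stream payload to the workstation, then half-close so it sees EOF.
    Returns the MD5 computed on the target side before sending."""
    with socket.create_connection((host, port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
    return hashlib.md5(payload).hexdigest()


def collect_over_tcp(payload, host="127.0.0.1"):
    """Run both halves; return (received_bytes, md5_sent, md5_received)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))            # port 0: let the OS choose a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    sink = io.BytesIO()
    listener = threading.Thread(target=workstation_listener, args=(srv, sink))
    listener.start()
    md5_sent = target_send(host, port, payload)
    listener.join(timeout=10)
    srv.close()
    received = sink.getvalue()
    return received, md5_sent, hashlib.md5(received).hexdigest()


SAMPLE_OUTPUT = (  # constructed stand-in for a process listing from the target
    b"Name        Pid  Pri Thd  Hnd  Priv\n"
    b"System        4    8  97  513   28\n"
    b"svchost     812    8  19  402 2512\n"
)


def demo():
    """Return (integrity_ok, md5_of_received_data)."""
    received, sent_md5, recv_md5 = collect_over_tcp(SAMPLE_OUTPUT)
    return received == SAMPLE_OUTPUT and sent_md5 == recv_md5, recv_md5


if __name__ == "__main__":
    ok, digest = demo()
    print("transfer intact:", ok, "md5:", digest)
```

Hashing on both ends is what makes the transfer defensible: the digest written into the collection notes on the target side can be checked against the evidence file on the workstation at any later time.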

3.2 Volatile vs. Nonvolatile data

Some of the volatile data that should be collected includes system date and time, current network
connections, open TCP and UDP ports, which executables are opening UDP and TCP ports, cached
NETBIOS name table, users currently logged on, the internal routing table, running processes,
scheduled jobs, open files, and process memory dumps. This list is not all inclusive as a forensic
investigator must consider any and all possible variables during collection. However, one thing
that all these have in common is that they would be lost if the power were removed from your
target machine. While there are various methods of collecting volatile data, some of the most
common and noncommercial methods will be presented:

- System date and time – can be collected by using the time and date commands at the
prompt.
- Current network connections – can be collected by using the netstat command with the
-an flags to retrieve all of the network connections and see the raw IP addresses instead of
the FQDN.
- Open TCP and UDP ports – use netstat -an. Also use the FPort tool (www.foundstone.com)
in order to link the open ports to the executables that opened them.
- Users currently logged on – run PsLoggedOn from www.sysinternals.com. This tool will
return the users that are currently logged onto the system or accessing the resource shares.
PsExec can also be used.
- Internal routing table – netstat with the -rn switch.
- Running processes – it is important to identify running processes as they could contain
backdoors. Use PsList from the PsTools suite.
- Running services – use PsService from the PsTools suite.
- Scheduled jobs – run the at command at the command prompt.
- Open files – run PsFile from PsTools.
- Process memory dumps – process memory dumps may provide critical investigative
material of a volatile nature. These include the command line utilized by the intruder and
remotely executed console commands and their resultant output. Memory dumps can be
captured using userdump.exe provided by Windows.

Nonvolatile data includes information we would like to acquire including system version
and patch level, file system time and date stamps, registry data, the auditing policy, a history of
logins, system event logs, user accounts, IIS logs, and any suspicious files. These can be acquired
using the following methods:

- System version and patch level – knowing which patches have been applied to a server or
workstation will enable us to narrow our initial investigation to areas of high probability.
Use PsInfo from PsTools to query system information. Switches include -h to show
installed hotfixes, -s to show installed software, and -d to show disk volume information.
- File system time and date stamps (pg 31) – UnxUtils from http://sourceforge.net
- Registry data – leads we want to capture include programs executed on bootup and
entries created by the intruder's tools. We use RegDmp to capture the complete registry.
http://www.softpanorama.org/unixification/registry/microsoft_registry_tools.shtm#RegDmp
- The auditing policy – Windows has auditing disabled by default. Use auditpol, included in
the Microsoft resource kits.
- System event logs – PsLogList from Sysinternals.
- User accounts – use the pwdump utility to dump user accounts
(http://foofus.net/fizzgig/pwdump).
- IIS logs – most attacks happen over port 80, and you cannot block what you must allow in.
IIS logs are located in C:\winnt\system32\logfiles.

3.3 Network Based Evidence (NBE)

Investigators collect four types of network based evidence: full content data, session data, alert data, and statistical data.

- Full content data – involves collecting all data transmitted over a wire. It consists of the actual packets, typically including headers and application information, seen on the wire or in the airwaves, and it records every bit present in a data packet. When looking at headers, analysts can identify subtle aspects of packets: the presence of certain options or the values of certain fields can be used to identify operating systems. Full content data presents the greatest opportunity for analysis, but it also requires the greatest amount of work.
- Session data – includes data that was created or modified during a particular user's session.
- Alert data – created by analyzing NBE for predefined items of interest. Example: a client using IP address 192.168.0.42 has queried the remote procedure call (RPC) port mapper on a server, 192.168.0.40. This could be the precursor to an attack, because an intruder could use the information to identify vulnerable RPC services on the server. The alert is a judgment made by the network intrusion detection system (IDS) that the packet it saw is a query of the port mapper service.
- Statistical data – provides a big-picture perspective. In the data world, statistical data has traditionally been used to measure the health and performance of a network.
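As an added example (not part of the original text), the following Python derives the three other kinds of NBE from a constructed full content capture: session data by merging both directions of each conversation, alert data by applying one predefined item of interest (a client querying the RPC port mapper, as in the example above), and statistical data as big-picture counters. The packet records and the port mapper rule are constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

RPC_PORTMAPPER_PORT = 111  # sunrpc portmapper, the service queried in the text's example

@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload_len: int

# Constructed full content data: every header field and the payload size of each packet.
PACKETS = [
    Packet(1.00, "192.168.0.42", 51000, "192.168.0.40", 111, "tcp", 0),
    Packet(1.01, "192.168.0.40", 111, "192.168.0.42", 51000, "tcp", 0),
    Packet(1.02, "192.168.0.42", 51000, "192.168.0.40", 111, "tcp", 56),
    Packet(1.03, "192.168.0.40", 111, "192.168.0.42", 51000, "tcp", 28),
    Packet(2.00, "192.168.0.17", 52000, "192.168.0.40", 80, "tcp", 310),
    Packet(2.05, "192.168.0.40", 80, "192.168.0.17", 52000, "tcp", 1420),
]

def session_data(packets):
    """Session data: one summary per conversation, with both directions merged."""
    sessions = defaultdict(lambda: {"packets": 0, "bytes": 0, "start": None, "end": None})
    for p in packets:
        a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])  # same key for both directions
        s = sessions[(p.proto, a, b)]
        s["packets"] += 1
        s["bytes"] += p.payload_len
        s["start"] = p.ts if s["start"] is None else min(s["start"], p.ts)
        s["end"] = p.ts if s["end"] is None else max(s["end"], p.ts)
    return dict(sessions)

def alert_data(packets):
    """Alert data: a judgment emitted when a predefined item of interest is matched,
    here a client querying the RPC port mapper (reported once per client/server pair)."""
    alerts, seen = [], set()
    for p in packets:
        if p.dport == RPC_PORTMAPPER_PORT and (p.src, p.dst) not in seen:
            seen.add((p.src, p.dst))
            alerts.append(f"{p.src} queried the RPC portmapper on {p.dst}")
    return alerts

def statistical_data(packets):
    """Statistical data: big-picture counters used to gauge network health and top talkers."""
    return {"packets": len(packets), "bytes": sum(p.payload_len for p in packets),
            "talkers": Counter(p.src for p in packets), "ports": Counter(p.dport for p in packets)}
```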

3.4 Common Forensic Analysis Techniques

When you conduct forensic analysis, a few steps must be executed in nearly every type of investigation to prepare the data for analysis. For instance, it is usually recommended to recover any deleted files and add them to the analysis. It is also advantageous to reduce the collected data set to the smallest number of files for efficient review. Another step that should be incorporated into the analysis is string searching to identify relevant files and fragments of relevant files. Recovering deleted files is of crucial importance, particularly in cases where the target computer has been used by a savvy computer user or a suspect who may have wanted to delete traces of their digital footprint. To avoid doing work twice, recovering deleted files should be done first. Several different options and solutions provide similar results; they are listed below. It is worth mentioning that, at the time of this writing, the authors of this document tested all of the solutions presented here and discovered a fact that should be of great importance during collection, particularly when collected and recovered data is to be presented as legal evidence: although commercial software was the easiest to use, it was unable to recover all deleted files. In some instances, open source tools recovered additional deleted files after a first pass with a commercial product. During our forensic tests it was also found that, in every instance, commercial software recovered most of the deleted files when compared to open source tools. It is therefore concluded that the best way to undelete the most data from a target host is to use a combination of commercial and open source tools. The tools tested at the time of this writing are the following:

- EnCase and FTK

Windows-based commercial products that seem to dominate the forensic market at the time of this writing. The main advantage of recovering deleted files with these tools is that they do not have to be installed on the target host: they can search for and undelete files based on a forensic duplication (a clone of the target host's hard drive).

- Linux kernel

An open source tool that enables us to take a forensic duplication and make it act like a real hard drive under Linux (ftp://ftp.hp.nasa.gov/pub/ig/ccd/enhanced_loopback). Once the Linux kernel has been loaded and recognizes our forensic duplication as a mounted volume, we need to recover the deleted files. The most used tool used to be The Coroner's Toolkit (http://www.fish.com/tct), but the limitation that it only recovers files from Windows made it less popular. The most popular at the time of this writing is TASK and The Sleuth Kit at http://www.sleuthkit.org.

- Production of time stamps and other metadata for files

After undeleting files, the next step in forensic analysis is obtaining the metadata and time stamps of files. Metadata includes full file names, file sizes, and MD5 hashes, among others. Commercial solutions such as EnCase and FTK produce metadata by default. In lieu of commercial solutions, open source tools such as GNU find produce the same information. After obtaining metadata, our next chore is obtaining the MD5 checksum, a 128-bit digest of a file's contents that changes if any byte of the file changes. As in the case of metadata, commercial solutions produce the MD5 checksum by default with little or no intervention from the forensic analyst. There are also open source solutions, one of which is the fls command included in The Sleuth Kit.

- Removing known files

All of the aforementioned steps may leave thousands of files that we need to investigate. There are usually thousands of files associated with operating systems and application programs that, after an integrity check by the forensic analyst, can be removed from the review set to lighten the analyst's load. Since during collection we don't know whether the files we collect from alleged application programs and operating systems are of trusted origin, we must compare the MD5 hash of every file against a known good installation (usually part of a forensic analyst's arsenal) and a known good set of hashes. If malicious code or an altered file exists masquerading as a legitimate operating system file, comparing the suspect file against the legitimate file's MD5 checksum will raise a red flag. To obtain a reputable source of files, we can either install the operating system ourselves in a controlled environment or use somebody else's work. Installing the operating systems ourselves may be a great task because of the increasingly large number of operating systems; an alternative is to use a list of MD5 hashes that may be available for this purpose.
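As an added example covering the two preceding steps (not code from the text or from any tool it names), this Python produces per-file metadata in the spirit of GNU find plus an MD5 checksum, then reduces the review set against a known-good hash set: files whose hash matches the trusted installation are set aside, files with a known name but a different hash are red-flagged as possible masquerading, and everything else stays for review. The evidence tree and the known-good hashes are constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_of(path: Path) -> str:
    """MD5 of the file contents, read in chunks so large files need not fit in RAM."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect_metadata(root: Path) -> list[dict]:
    """Walk the tree (like `find -type f`) and record path, size, MAC times and MD5."""
    records = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        records.append({"path": path.relative_to(root).as_posix(), "size": st.st_size,
                        "mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime,
                        "md5": md5_of(path)})
    return records

def triage(records: list[dict], known_good: dict[str, str]) -> dict[str, list[str]]:
    """known_good maps a relative path to the MD5 of the trusted installation.
    Match -> remove from review; known name with a different hash -> red flag;
    path not in the set -> stays in the review set."""
    out = {"remove": [], "red_flag": [], "review": []}
    for r in records:
        expected = known_good.get(r["path"])
        if expected is None:
            out["review"].append(r["path"])
        elif expected == r["md5"]:
            out["remove"].append(r["path"])
        else:
            out["red_flag"].append(r["path"])
    return out

def demo() -> dict[str, list[str]]:
    """Constructed evidence tree: a pristine system file, a file masquerading under a
    system file name, and a user document that no known-good set covers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "Documents").mkdir()
        (root / "system32" / "good.dll").write_bytes(b"original library bytes")
        (root / "system32" / "tampered.dll").write_bytes(b"backdoored library bytes")
        (root / "Documents" / "notes.txt").write_bytes(b"suspect's notes")
        trusted = hashlib.md5(b"original library bytes").hexdigest()  # constructed known-good hash
        known_good = {"system32/good.dll": trusted, "system32/tampered.dll": trusted}
        return triage(collect_metadata(root), known_good)
```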

- Web browsing activity reconstruction

The last piece of forensic analysis covered here is the collection of web browsing activity and its reconstruction. In this area, nothing beats commercial solutions: EnCase, FTK and IE History (http://www.pillipsponder.com) provide the necessary tools to collect and reconstruct web browsing activity.

CHAPTER FOUR

CONCLUSION

Although still considered in its infancy, computer forensics has been at the forefront of many recent legal investigations. As more and more content, from video to live television, is digitized, digital forensics will not only inevitably become increasingly important to legal investigations, but may soon become a science with legislated methods. There are clear benefits to investigators if they can access the data relevant to their case faster and see all the relevant data in one common format rather than in separate reports or platforms for data from different sources. If investigators can be enabled to conduct their own searching of digital information, then the technical staff also benefit by having more time available to focus on the technical issues that will continue to emerge as technology progresses. Other benefits accrue from the ability to direct reviewing towards the relevant investigators and from the visualizations available (albeit currently limited) to help investigators identify key patterns in the data. The most important conclusion of this document should be that no tool is infallible. It is the job of a computer forensics scientist to use different tools in order to recover and capture digital evidence in a forensically sound manner. Digital forensics, which is an introduction to computer forensics and investigation, has given you a taster for the full course, which is M812. It has given you a broad view of the scope of digital forensics, including topics which are covered in greater depth in M812. As you have seen, both forensics (in general) and digital forensics (in particular) encompass a wide range of distinct disciplines. A clear distinction has been made between scientific investigations for research purposes and forensic investigations using scientific methods. It is vital to remember this distinction: scientific research is always subject to revision, whereas forensic investigations should result in a clear-cut result, with any limitations on that result made clear to a court.