
CHAPTER 12:

Digital forensics:

• Forensics is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting.
• Digital forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
• Like traditional forensics, it follows clear, well-defined methodologies, but still tends to be as much art as science. This means the natural curiosity and personal skill of the investigator play a key role in discovering potential evidentiary material.
• Evidentiary material (EM), also known as an item of potential evidentiary value, is any information that could potentially support the organization's legal or policy-based case against a suspect.

Digital forensics can be used for two key purposes:

1. To investigate allegations of digital malfeasance. A crime against or using digital media, computer technology, or related components (computer as source or object of crime) is referred to as digital malfeasance. To investigate digital malfeasance, you must use digital forensics to gather, analyze, and report the findings of an investigation. This is the primary mission of law enforcement in investigating crimes involving computer technologies or online information.

2. To perform root cause analysis. If an incident occurs and the organization suspects an attack was successful, digital forensics can be used to examine the path and methodology used to gain unauthorized access, as well as to determine how pervasive and successful the attack was. This is used primarily by IR teams to examine their equipment after an incident.

The organization must choose one of two approaches when employing digital forensics:

1. Protect and forget. This approach, also known as patch and proceed, focuses on the defense of the data and the systems that house, use, and transmit it. An investigation that takes this approach focuses on the detection and analysis of events to determine how they happened, and to prevent reoccurrence. Once the current event is over, who caused it or why is almost immaterial.

2. Apprehend and prosecute. This approach, also known as pursue and prosecute, focuses on the identification and apprehension of responsible individuals, with additional attention on the collection and preservation of potential EM that might support administrative or criminal prosecution. This approach requires much more attention to detail to prevent contamination of evidence that might hinder prosecution.

The Digital Forensics Team

• There should be people in the information security group trained to understand and manage the forensics process. Should a report of suspected misuse from an internal or external individual arise, this person or group must be familiar with digital forensics procedures in order to avoid contaminating potential EM.
• This expertise can be obtained by sending staff members to a regional or national information security conference with a digital forensics track or to dedicated digital forensics training.

Affidavits and Search Warrants

• Affidavit
  - Sworn testimony that certain facts are in the possession of the investigating officer; can be used to request a search warrant
  - The facts, the items, and the place must be specified.

• When an approving authority signs the affidavit, it becomes a search warrant, giving permission to:
  - Search for EM at a specified location
  - Seize specific items for official examination

Digital Forensics Methodology

In digital forensics, all investigations follow the same basic methodology:

1. Identify relevant items of evidentiary value (EM)

2. Acquire (seize) the evidence without alteration or damage

3. Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized

4. Analyze the data without risking modification or unauthorized access

5. Report the findings to the proper authority

The digital forensic process has the following five basic stages:

i. Identification – the first stage identifies potential sources of relevant evidence/information (devices) as well as key custodians and location of data.

ii. Preservation – the process of preserving relevant electronically stored information (ESI) by protecting the crime or incident scene, capturing visual images of the scene and documenting all relevant information about the evidence and how it was acquired.

iii. Collection – collecting digital information that may be relevant to the investigation. Collection may involve removing the electronic device(s) from the crime or incident scene and then imaging, copying or printing out its (their) content.

iv. Analysis – an in-depth systematic search of evidence relating to the incident being investigated. The outputs of examination are data objects found in the collected information; they may include system- and user-generated files. Analysis aims to draw conclusions based on the evidence found.

v. Reporting – firstly, reports are based on proven techniques and methodology and secondly, other competent forensic examiners should be able to duplicate and reproduce the same results.
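Step 3 of the methodology and the Preservation/Collection stages above both require that the evidence be verifiably unchanged from the moment of seizure. The following is an added example, not code from the textbook: it hashes an acquired image once at seizure and re-hashes it at every later handling step, so the chain-of-custody log itself shows whether any step observed an altered image. The item ids, examiner names and the "image" bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CustodyEntry:
    """One handling step in the chain of custody."""
    timestamp: str      # UTC ISO-8601 time of the step
    examiner: str       # person who handled the item
    action: str         # "acquired", "transferred", "analyzed", ...
    observed_hash: str  # SHA-256 of the image as seen at this step
    intact: bool        # observed_hash matches the acquisition hash


@dataclass
class EvidenceItem:
    """An acquired image plus its hash at seizure and its custody log."""
    item_id: str
    description: str
    acquisition_hash: str
    custody_log: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(item_id: str, description: str, image: bytes, examiner: str) -> EvidenceItem:
    """Seize the image; the hash taken here is the reference for every later step."""
    h = sha256_hex(image)
    item = EvidenceItem(item_id, description, h)
    item.custody_log.append(CustodyEntry(_now(), examiner, "acquired", h, True))
    return item


def handle(item: EvidenceItem, image: bytes, examiner: str, action: str) -> bool:
    """Record a handling step; return True if the image still matches acquisition."""
    h = sha256_hex(image)
    intact = h == item.acquisition_hash
    item.custody_log.append(CustodyEntry(_now(), examiner, action, h, intact))
    return intact


def chain_intact(item: EvidenceItem) -> bool:
    """True only if every recorded step observed the original acquisition hash."""
    return all(e.intact for e in item.custody_log)
```

Because every entry keeps the hash it observed, a mismatch pinpoints the step at which the evidence stopped being authentic, which is exactly what a reviewing examiner (stage v) needs to reproduce or challenge the findings.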

Evidentiary Procedures

• Strong procedures for handling potential evidentiary material can minimize the probability of an organization losing a legal challenge.
• Organizations should develop specific procedures, along with guidance for effective use.
• These procedures should be supported by a procedures manual.
