
UNDERSTANDING DIGITAL FORENSICS

Cybercrime Awareness Seminar


PCI Eric Burdeos
PNP-Anti-Cybercrime Group
SEQUENCE OF PRESENTATION

o The PNP Anti-Cybercrime Group (ACG)

o Defining Digital Forensics

o Who Uses Digital Forensics

o Why Digital Forensics

o Best Practices Guide (ACPO Principles)

o Steps of Digital Forensics Process

o Evidence Processing Guidelines

o Digital Forensic Software

o Common Evidence Recovered


THE PNP ANTI-CYBERCRIME GROUP

TECHNICAL CAPABILITIES
THE PNP ANTI-CYBERCRIME GROUP
o PNP-ACG was activated on March 20, 2013.

Organizational origin (figure): Criminal Investigation and Detection Group (CIDG), ATCCD

Authority:
NAPOLCOM RESOLUTION NO. 2013-220 dated February 27, 2013; and
GENERAL ORDER NO. DPL-12-09 dated February 27, 2013.
THE PNP ANTI-CYBERCRIME GROUP

o Functions:

o Investigate all cybercrimes and other crimes in which Information and Communications Technology (ICT) is used in the commission of criminal acts or is the object of attack;

o Conduct data recovery and forensic analysis on all computers, computer peripherals and storage devices, and other digital evidence seized by PNP units and any other law enforcement agencies within the country;

o Provide operational support to investigating units within the PNP;

o Formulate guidelines for cybercrime investigation, forensic evidence recovery and forensic data analysis;
THE PNP ANTI-CYBERCRIME GROUP

o Functions:

o Conduct vulnerability assessment of security in both public and private IT infrastructures;

o Establish and maintain a modern digital forensic laboratory;

o Conduct specialized training and seminars (in coordination with the PNP Training Service) on anti-cybercrime operations; and

o Maintain linkages with different PNP offices, local government agencies and other government agencies on matters pertaining to anti-cybercrime operations.
PNP-ACG CAPABILITIES

o Cybercrime Incident Response
o Cybercrime Investigations
o Computer Network Log Analysis
o Computer Forensic Examination
o Cellphone/Mobile Forensic Examination
o Audio/Video Forensic Examination
PNP-ACG DIGITAL FORENSIC LABORATORIES

o Regional Digital Forensic Laboratories (map): DFL, HQ; RDFL 3; RDFL 4a; RDFL 7; RDFL 9; RDFL 10; RDFL 11; RDFL 12; San Fernando City
PNP-ACG DIGITAL FORENSIC EQUIPMENT
o Digital Forensic Equipment
PNP-ACG CYBER TRAINING FACILITY
o Training Facility and Equipment:

December 09, 2011 - Donated by the US Diplomatic Security Anti-Terrorism Assistance Program (ATAP). Currently located at the 3rd floor, PNP Training Service.
PNP-ACG CYBER TRAINING FACILITY
o Mobile Training Equipment:
PNP-ACG Digital Forensic Software

o EnCase v.6 and v.7 (Guidance Software Inc)

o Forensic Tool Kit (FTK) v.4.2 and v.5 (AccessData)

PNP-ACG Cellular Phone Forensic Tool

o CelleBrite UFED Ultimate and UFED for PC

o MicroSystemation (XRY/XACT)
PNP-ACG DIGITAL FORENSIC COMPETENCY
o International Standard Trainings and Certification
DIGITAL FORENSICS

- Digital Evidence
DEFINITION
o What is a Computer?
o Refers to an electronic, magnetic, optical, electrochemical, or
other data processing or communications device, or grouping
of such devices, capable of performing logical, arithmetic,
routing, or storage functions and which includes any storage
facility or equipment or communications facility or equipment
directly related to or operating in conjunction with such
device. It covers any type of computer device including devices
with data processing capabilities like mobile phones, smart
phones, computer networks and other devices connected to
the internet. (R.A. 10175)

o What is Computer Data?
o Refers to any representation of facts, information, or concepts
in a form suitable for processing in a computer system,
including a program suitable to cause a computer system to
perform a function, and includes electronic documents and/or
electronic data messages whether stored in local computer
systems or online.
DEFINITION

o What is an Electronic Document?

o Refers to information generated, sent, received or stored by electronic, optical or similar means.
o The term "electronic document" may be used interchangeably with "electronic data message". (Rules on Electronic Evidence A.M. No. 01-7-01-SC)

o What is Digital Forensics?

o The scientific examination and analysis of data held on or retrieved from computer storage media and its presentation in a manner legally acceptable to a Court.

o What Constitutes Digital Evidence?

o Any information, whether subject to human intervention or not, that can be extracted from a computer.
o Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.
DIGITAL FORENSICS EXAMPLES

o Recovering deleted emails, chat messages, and Internet history files

o Recovering deleted text messages and call logs

o Recovering evidence from a formatted hard drive

o Recovering deleted files and analysing their metadata
WHO USES DIGITAL FORENSICS ?

o Prosecutors
o Rely on evidence obtained from a computer to
prosecute suspects and use as evidence.

o Civil Litigations
o Personal and business data discovered on a
computer can be used in fraud, divorce,
harassment, or discrimination cases.

o Insurance Companies
o Evidence discovered on a computer can be used to
mitigate costs (fraud, worker's compensation, etc.)
WHO USES DIGITAL FORENSICS ?

o Private Corporations
o Evidence obtained from employee computers can
be used as evidence in harassment, fraud, and
theft cases.

o Law Enforcement Officers

o Rely on computer forensics to support search
warrants and post-seizure handling.

o Individual/Private Citizens
o Obtain the services of professional computer
forensic specialists to support claims of
harassment, abuse, or wrongful termination from
employment.
REASONS FOR EVIDENCE

o Law enforcement authorities collect evidence for computer-related crimes and traditional crimes such as:

o Fraud
o Possession of pornography
o Hacking
o Virus/Trojan distribution
o Homicide investigations
o Access device investigation
o Forgery
o Theft of or destruction of intellectual property
o Trafficking in persons
o Illegal drugs investigation
o Sexual harassment
o Software piracy
WHY DIGITAL FORENSICS ?

Any person can gather information from a computer

"BUT"

The forensic element means it has to be gathered in a manner which makes it reliable to a Court or other body, and the information has to become

"EVIDENCE"
MANY TYPE OF EVIDENTIAL DATA
Graphics; Internet; Correspondence; Database & data files; web mail; Communications; e-mail; Home accounts etc.; Reports; Finance; Life Style?; Diary; Faxes; Address book; Organizer
BUT NO MATTER WHAT TYPE OF DATA, IT IS JUST….

1010101110101010110101010101010101010 (row repeated to fill the slide)
WHY CAN’T I JUST TURN IT ON ?

Windows XP alters over 1,000 files on start up!!!
TYPE OF COMPUTER DATA

o Volatile Data

o This data is temporarily stored in the memory (RAM) of the computer system.
o This data will be deleted once power is removed from the computer.
TYPE OF COMPUTER DATA

o Non-Volatile Data

o This data is stored in non-volatile storage media (hard disk drive, USB flash drive, optical storage media) and it will remain saved regardless of whether the power of the computer is on or off.
ORDER OF VOLATILITY

o Collect the data that is most susceptible to change (volatile) first

o If the computer is off, no volatile data exists

Scale (figure): Less Volatile to More Volatile


WHERE ARE THE FILES LOCATED?

The nature of data storage on a computer system often allows recovery of data from:

FILE SLACK

The hard disk is split into clusters; in this example each one is 8K in size.

LETTER.DOC (5K) is written into an 8K cluster, so 3K of the cluster stays unused. LETTER.DOC is then deleted and its directory entry becomes ?ETTER.DOC.

BUT... the data remains there until overwritten.
FILE SLACK

Remains of the file can be viewed.

INVOICE.DOC (3K) is written into the same cluster. Behind it lie 5K of file slack: 2K remains of letter.doc, followed by the 3K that was never used.
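The cluster arithmetic above, as an added example in Python that is not part of the original deck: one 8K cluster, LETTER.DOC written and deleted, INVOICE.DOC written over the front of it, and a small strings-style scan showing that the 2K remnant behind INVOICE.DOC is still readable. File names, sizes and contents are constructed.

```python
"""Toy cluster model reproducing the slide's LETTER.DOC / INVOICE.DOC
scenario. Added example; file names, sizes and contents are constructed."""

CLUSTER_SIZE = 8 * 1024   # 8K clusters, as on the slide


class ToyCluster:
    """A single disk cluster plus a one-entry directory.

    Deleting a file only drops the directory entry; the bytes stay on the
    medium until a later write overwrites them. That leftover data is what
    an examiner finds in file slack and unallocated space."""

    def __init__(self):
        self.raw = bytearray(CLUSTER_SIZE)   # never-written space reads as zeros
        self.live = None                     # (name, size) of the allocated file
        self.deleted = []                    # directory entries of deleted files

    def write_file(self, name, data):
        if len(data) > CLUSTER_SIZE:
            raise ValueError("toy model holds one cluster only")
        self.raw[:len(data)] = data          # only the file's own bytes change
        self.live = (name, len(data))

    def delete_file(self):
        name, _ = self.live
        self.live = None
        # Mirrors the slide: the first character of the name becomes '?'
        self.deleted.append("?" + name[1:])

    def file_slack(self):
        """Bytes between the live file's end and the end of its cluster."""
        if self.live is None:
            return b""                       # whole cluster is unallocated space
        _, size = self.live
        return bytes(self.raw[size:])

    def unallocated(self):
        return b"" if self.live else bytes(self.raw)


def printable_runs(data, min_len=8):
    """Like the 'strings' utility: printable ASCII runs of at least min_len."""
    runs, current = [], bytearray()
    for b in data + b"\x00":               # sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            current.append(b)
        else:
            if len(current) >= min_len:
                runs.append(current.decode("ascii"))
            current = bytearray()
    return runs


def slack_scenario():
    """LETTER.DOC (5K) written, deleted, then INVOICE.DOC (3K) written."""
    vol = ToyCluster()
    # Constructed content: 3K of body text, then 2K of closing text.
    letter = (b"Dear Sir, please find the agreed amount enclosed. ".ljust(3 * 1024, b".")
              + b"Regards, the sender of LETTER.DOC ".ljust(2 * 1024, b"#"))
    vol.write_file("LETTER.DOC", letter)
    vol.delete_file()
    invoice = b"INVOICE 0001 ".ljust(3 * 1024, b"-")
    vol.write_file("INVOICE.DOC", invoice)

    slack = vol.file_slack()
    return {
        "deleted_entries": vol.deleted,                        # ['?ETTER.DOC']
        "slack_size": len(slack),                              # 5K behind INVOICE.DOC
        "letter_remnant": len(slack) - slack.count(b"\x00"),   # 2K of LETTER.DOC
        "never_used": slack.count(b"\x00"),                    # 3K never written
        "recovered_text": printable_runs(slack),
    }


if __name__ == "__main__":
    for key, value in slack_scenario().items():
        print(key, value if key != "recovered_text" else value[0][:40] + "...")
```

On a real volume the same reasoning applies per cluster, which is why slack and unallocated space are searched separately from live files in the processing steps later in the deck.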
A BEST PRACTICES GUIDE

Not law, but non-compliance will often make evidence inadmissible.

http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf
ACPO PRINCIPLES OF DIGITAL EVIDENCE

Principle 1: The Primary Rule

o No action taken by the law enforcement agencies or their agents should change the data held on a computer or other media which may subsequently be relied upon in Court.
o Where possible computer data must be 'imaged' and that version be examined.
WHAT IS A FORENSIC IMAGE?

o A forensic image refers to a verifiable and unaltered complete copy of the contents of the original storage device.

o Creating a forensic image ensures:

o The integrity of the evidence
o No unintentional changes or damage to the original data
WHY OBTAIN A FORENSIC IMAGE?

o Provides access to additional (non-volatile) data:

o Log files
o Temporary files
o Compromised applications
o Page and swap files
o Information in the registry
o Defeats log-on requests and passwords

o Can be distributed to forensic specialists

ACPO PRINCIPLES OF DIGITAL EVIDENCE

Principle 2

o In exceptional circumstances it may be necessary to access the original data held on a target computer.

o However, it is imperative that the person doing so is competent and can account for their actions.
ACPO PRINCIPLES OF DIGITAL EVIDENCE

Principle 3

o An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine these processes and achieve the same result.
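What Principle 3 asks for can be made mechanical. The following is an added example, not the PNP-ACG's own working-notes format or any vendor tool: every process applied to the evidence is recorded with its parameters and the SHA-256 of its input and output, and a replay function lets an independent party re-run the recorded steps against the original evidence and check that the same digests come out. Evidence bytes, step names and the tool name are constructed.

```python
"""Audit trail with replay. Added example; evidence, steps and tool name
are constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Registry of processes an examiner may apply. Each is deterministic
# (same input + same params -> same output), which is what makes an
# independent replay meaningful.
PROCESSES = {
    "acquire": lambda data, p: bytes(data),
    "extract_range": lambda data, p: bytes(data[p["start"]:p["end"]]),
    "keyword_search": lambda data, p: json.dumps(
        {kw: [i for i in range(len(data)) if data.startswith(kw.encode(), i)]
         for kw in p["keywords"]}, sort_keys=True).encode(),
}


class AuditTrail:
    def __init__(self, examiner, tool):
        self.examiner, self.tool = examiner, tool
        self.entries = []

    def apply(self, step, data, params=None):
        """Run one process and log who, what, with which parameters, on
        which input (by digest) and producing which output (by digest)."""
        params = params or {}
        output = PROCESSES[step](data, params)
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "examiner": self.examiner, "tool": self.tool, "step": step,
            "params": params, "input_sha256": sha256(data),
            "output_sha256": sha256(output),
        })
        return output

    def to_json(self):
        return json.dumps(self.entries, indent=2, sort_keys=True)


def replay(trail_json, evidence):
    """Independent check: re-run every recorded step, locating each step's
    input by digest among the original evidence and earlier outputs, and
    compare output digests. Returns (all_match, per-step results)."""
    artifacts = {sha256(evidence): evidence}
    results = []
    for e in json.loads(trail_json):
        data = artifacts.get(e["input_sha256"])
        if data is None:                     # input never produced: cannot reproduce
            results.append((e["step"], False))
            continue
        output = PROCESSES[e["step"]](data, e["params"])
        ok = sha256(output) == e["output_sha256"]
        artifacts[sha256(output)] = output
        results.append((e["step"], ok))
    return all(ok for _, ok in results), results


def demo():
    # Constructed evidence: a short note padded to 256 bytes.
    evidence = b"Dear Sir, the invoice for the transfer is attached. invoice #42".ljust(256, b"\x00")
    trail = AuditTrail("Examiner A", "toy-forensic-tool 0.1")
    image = trail.apply("acquire", evidence)
    region = trail.apply("extract_range", image, {"start": 0, "end": 64})
    hits = trail.apply("keyword_search", region, {"keywords": ["invoice", "transfer"]})
    record = trail.to_json()

    ok, _ = replay(record, evidence)
    # If the evidence handed to the third party differs by one byte, the
    # first step's input digest no longer matches and replay fails.
    altered = bytearray(evidence)
    altered[5] ^= 0x01
    bad, _ = replay(record, bytes(altered))
    return {"steps": len(trail.entries), "replay_ok": ok,
            "replay_on_altered_evidence": bad, "hits": json.loads(hits)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Timestamps and the examiner's name are kept in the record but deliberately play no part in replay; only the step, its parameters and the digests do.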
DIGITAL FORENSIC REPORT AND WORKING NOTES

Digital Evidence Examination Report

Working Notes
ACPO PRINCIPLES OF DIGITAL EVIDENCE

Principle 4

o The person in charge of the case has overall responsibility for ensuring that a computer has been correctly examined in accordance with the law and these principles.
STEPS OF DIGITAL FORENSICS

Identification, Acquisition/Imaging, Analysis, Reporting, Court Presentation (process flow)

o Digital Forensics involves the following:

o Identification,
o Acquisition/Imaging,
o Analysis,
o Reporting, and
o Court Presentation
STEPS OF COMPUTER FORENSICS

Identification, Acquisition/Imaging, Analysis, Reporting, Court Presentation (process flow)

o Identification
o This step involves identifying what type of storage
media and what data or information could be
recovered relative to the investigation or case.
STEPS OF DIGITAL FORENSICS

Identification, Acquisition/Imaging, Analysis, Reporting, Court Presentation (process flow)

o Acquisition/Imaging
o Physically or remotely obtaining possession of the computer data from the original digital storage media through the digital forensic imaging process.

o Imaging is the second phase and requires forensically sound procedures and validated tools.

o This should be processed by trained technicians using validated hardware and software tools.
STEPS OF DIGITAL FORENSICS

o Hardware-based Imaging Tools:

o Write blocker (physical bridge)

o Stand-alone imaging device (multifunction tool with dedicated forensic capabilities)

Protecting data integrity is the top priority!
STEPS OF DIGITAL FORENSICS

o Software-based Imaging Tools:

o Write blocker: specialized application

o Forensic imager: multi-function tools that assist with hard drive preparation and duplication, forensic imaging, and verification
STEPS OF DIGITAL FORENSICS

PHYSICAL VERSUS LOGICAL

Figure: a 750 GB hard disk drive. Sector[0] to Sector[Z] span the whole physical drive; partition C:\ occupies Sector[A] to Sector[B] and partition E:\ occupies Sector[X] to Sector[Y], separated by partition boundaries.
STEPS OF DIGITAL FORENSICS

PHYSICAL VERSUS LOGICAL

Physical image (Sector[0] to Sector[Z]): a forensic copy of every addressable sector from the source media.

Logical image (Sector[A] to Sector[B]): a forensic copy of every addressable sector between two partition boundaries.
STEPS OF DIGITAL FORENSICS

VERIFICATION OF FORENSIC IMAGE

o A Hash:

o Is a mathematical algorithm
o Produces a unique digital fingerprint
o Verifies that the binary content of an acquired forensic image is exactly the same as the source media

Source: MD5 = ABC123; Image: MD5 = ABC123

STEPS OF DIGITAL FORENSICS

PREPARATION OF DESTINATION STORAGE MEDIA

o Verify size requirements of the original evidence
o Select storage media that meets or exceeds the capacity of the source
o Sterilize the destination media through a wiping process
o Format the storage media
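An added example, not the PNP-ACG's procedure or any vendor tool, that puts the physical/logical distinction, hash verification and destination-media preparation from the preceding slides together in Python on a constructed in-memory "drive". The sector numbers A, B, X, Y, Z, the partition contents and the sector size are constructed; MD5 is recorded as on the slide and SHA-256 alongside it, since MD5 alone is no longer collision resistant.

```python
"""Physical vs logical acquisition with hash verification. Added example;
drive layout and contents are constructed."""
import hashlib

SECTOR = 512
# Constructed layout (sector numbers): Sector[0] is the boot sector, C:\ spans
# Sector[A]=8 .. Sector[B]=31, E:\ spans Sector[X]=40 .. Sector[Y]=55, and
# Sector[Z]=63 is the last addressable sector of the drive.
A, B, X, Y, Z = 8, 31, 40, 55, 63
PARTITIONS = {"C:\\": (A, B), "E:\\": (X, Y)}


def make_source_drive():
    """Constructed 64-sector 'drive' with two partitions and a gap between them."""
    drive = bytearray((Z + 1) * SECTOR)
    drive[0:SECTOR] = b"BOOT".ljust(SECTOR, b"\x00")
    drive[A * SECTOR:(B + 1) * SECTOR] = b"C: documents ".ljust((B - A + 1) * SECTOR, b"c")
    drive[X * SECTOR:(Y + 1) * SECTOR] = b"E: backups ".ljust((Y - X + 1) * SECTOR, b"e")
    # Leftover data outside any partition boundary (e.g. from a deleted partition).
    drive[34 * SECTOR:35 * SECTOR] = b"fragment in unpartitioned space".ljust(SECTOR, b"\x00")
    return bytes(drive)


def fingerprint(data):
    """MD5 (as on the slide) plus SHA-256; record both in the notes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def physical_image(source):
    """A forensic copy of every addressable sector, Sector[0]..Sector[Z]."""
    return bytes(source)


def logical_image(source, first, last):
    """A forensic copy of every sector between two partition boundaries."""
    return bytes(source[first * SECTOR:(last + 1) * SECTOR])


def prepare_destination(source_size, capacity):
    """Destination must meet or exceed the source size; then wipe it (sterilize)."""
    if capacity < source_size:
        raise ValueError(f"destination {capacity} bytes < source {source_size} bytes")
    return bytearray(capacity)   # zero-filled, i.e. wiped


def acquire_and_verify(source_region, destination):
    """Write the acquired region to the destination media and verify by hash."""
    destination[:len(source_region)] = source_region
    acquired = bytes(destination[:len(source_region)])
    src_hash, img_hash = fingerprint(source_region), fingerprint(acquired)
    return {"source": src_hash, "image": img_hash, "verified": src_hash == img_hash}


def demo():
    drive = make_source_drive()
    dest = prepare_destination(len(drive), capacity=len(drive) + 4 * SECTOR)
    phys = acquire_and_verify(physical_image(drive), dest)

    c_logical = logical_image(drive, *PARTITIONS["C:\\"])
    logi = acquire_and_verify(c_logical, prepare_destination(len(c_logical), len(c_logical)))

    # A single changed byte in the image must make verification fail.
    tampered = bytearray(dest[:len(drive)])
    tampered[SECTOR * 3] ^= 0x01
    return {
        "physical_verified": phys["verified"],
        "logical_verified": logi["verified"],
        "fragment_in_physical": b"fragment in unpartitioned" in physical_image(drive),
        "fragment_in_logical_C": b"fragment in unpartitioned" in c_logical,
        "tampered_verified": fingerprint(bytes(tampered)) == phys["source"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fragment outside the partition boundaries is the practical difference between the two acquisitions: it is present in the physical image and absent from the logical image of C:\, which is why the physical image is preferred when the examiner expects to recover deleted or hidden data.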

Hard Drive Interfaces

STEPS OF DIGITAL FORENSICS

Identification, Acquisition/Imaging, Analysis, Reporting, Court Presentation (process flow)

o Analysis
o Evaluating the information or data recovered from the storage media evidence to determine if and how it could be used against the suspect.

Identification, Acquisition/Imaging, Analysis, Reporting, Court Presentation (process flow)

o Reporting
o Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.

Identification, Acquisition/Imaging, Analysis, Reporting, Court Presentation (process flow)

o Court Presentation
o This step involves the presentation of the evidence discovered, in a manner which is understood by lawyers and non-technical staff/management, and which is suitable as evidence as determined by the rules on electronic evidence or any related law.
STEPS OF DIGITAL FORENSICS

Identification, Acquisition/Imaging, Analysis, Reporting, Court Presentation (process flow)

Source: MD5 = ABC123; Image: MD5 = ABC123

EVIDENCE PROCESSING GUIDELINES

o Recommended 16 steps in processing computer-based evidence:
o Step 1: Shut down the computer
o Consideration must be given to volatile information
o Prevents remote access to the machine and destruction of evidence (manual or anti-forensic software)

o Step 2: Document the Hardware Configuration of the System
o Note everything about the computer configuration prior to relocating it
COMPUTER BASE EVIDENCE PROCESSING GUIDELINES

o Step 3: Transport the Computer System to a Secure Location
o Do not leave the computer unattended unless it is locked in a secure location

o Step 4: Make Bit Stream Backups of Hard Disks and any Storage Media

o Step 5: Mathematically Authenticate Data on All Storage Devices
o Must be able to prove that you did not alter any of the evidence after the computer came into your possession

o Step 6: Document the System Date and Time

o Step 7: Make a List of Key Search Words
o Step 8: Evaluate the Windows Swap File
EVIDENCE PROCESSING GUIDELINES

o Step 9: Evaluate File Slack
o File slack is a data storage area of which most computer users are unaware; a source of significant information.

o Step 10: Evaluate Unallocated Space (Erased Files)

o Step 11: Search Files, File Slack and Unallocated Space for Key Words
o Step 12: Document File Names, Dates and Times
o Step 13: Identify File, Program and Storage Anomalies
o Step 14: Evaluate Program Functionality
o Step 15: Document Your Findings
o Step 16: Retain Copies of Software Used
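Three of the steps above (6, 12 and 13) can be illustrated together. The following is an added example in Python, not taken from the deck and not any vendor tool: the offset between the suspect system's clock and a trusted reference is recorded (Step 6), every file is listed with its name, size and clock-corrected timestamp (Step 12), and files whose extension disagrees with their header signature are flagged as anomalies (Step 13). The files, timestamps and the clock values are constructed; the signature table holds real header bytes but covers only the handful of formats listed, so unknown headers are reported as such rather than judged.

```python
"""Clock offset, file inventory and signature anomalies. Added example;
files, timestamps and clock readings are constructed."""
from datetime import datetime, timezone

# Minimal signature table: real header bytes for a few common formats.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},
    b"MZ": {"exe", "dll"},
}


def clock_offset(system_clock, reference_clock):
    """Step 6: offset = time shown by the suspect system - trusted reference time.
    Subtracting this offset from timestamps read off the system gives true time."""
    return system_clock - reference_clock


def detect_anomaly(name, header):
    """Step 13: compare the extension with the header signature.
    Returns a note for a mismatch, None when consistent or when the
    header is not in the table (no basis to judge)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            if ext in exts:
                return None
            return f"header matches {'/'.join(sorted(exts))}, extension is .{ext or '(none)'}"
    return None


def inventory(files, offset):
    """Step 12: one row per file, sorted by corrected time."""
    rows = []
    for f in files:
        corrected = (f["mtime"] - offset).astimezone(timezone.utc)
        rows.append({
            "name": f["name"],
            "size": len(f["data"]),
            "mtime_as_recorded": f["mtime"].isoformat(),
            "mtime_corrected_utc": corrected.isoformat(),
            "anomaly": detect_anomaly(f["name"], f["data"][:16]),
        })
    return sorted(rows, key=lambda r: r["mtime_corrected_utc"])


def demo():
    utc = timezone.utc
    # Constructed readings: the suspect PC showed 10:00 when the trusted source read 09:45.
    system_clock = datetime(2024, 3, 1, 10, 0, tzinfo=utc)
    reference_clock = datetime(2024, 3, 1, 9, 45, tzinfo=utc)
    offset = clock_offset(system_clock, reference_clock)   # +15 minutes

    files = [   # constructed files; mtimes are as the suspect system recorded them
        {"name": "holiday.jpg", "mtime": datetime(2024, 2, 28, 18, 30, tzinfo=utc),
         "data": b"\xff\xd8\xff\xe0" + b"\x00" * 60},
        {"name": "report.pdf", "mtime": datetime(2024, 2, 29, 9, 0, tzinfo=utc),
         "data": b"%PDF-1.7\n" + b"%" * 40},
        {"name": "photo.jpg", "mtime": datetime(2024, 3, 1, 8, 10, tzinfo=utc),
         "data": b"MZ\x90\x00" + b"\x00" * 60},        # an executable renamed to .jpg
        {"name": "notes.txt", "mtime": datetime(2024, 2, 27, 12, 0, tzinfo=utc),
         "data": b"plain text, no signature"},
    ]
    rows = inventory(files, offset)
    return {
        "offset_seconds": offset.total_seconds(),
        "rows": rows,
        "anomalies": [r["name"] for r in rows if r["anomaly"]],
    }


if __name__ == "__main__":
    result = demo()
    print("clock offset (s):", result["offset_seconds"])
    for row in result["rows"]:
        print(row)
```

The corrected timestamps are what go into the working notes; the recorded values are kept beside them so a reviewer can see exactly what adjustment was applied and why.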
DIGITAL FORENSICS SOFTWARE
ENCASE V.7
FORENSIC TOOL KIT (FTK) V.4
COMMON EVIDENCE RECOVERED
DOCUMENTS (CONTRACTS, IDS, ETC)
PICTURES AND VIDEOS
WEB-MAIL CACHE
INSTANT MESSAGING CHAT CONVERSATION
TEMPORARY INTERNET FILES
QUESTIONS

?
END

Thank you
and
Good day …
ISSUES AND CHALLENGES
o 1. Equipment and training of personnel.
o 2. Rapid evolution of computer technology.
o 3. Updating of forensic hardware and software and CPE of forensic examiners.
o 4. Limited number of trained digital forensic examiners.
o 5. Limited number of field police officers who are trained in the seizure of digital evidence.
o 6. Only a few prosecutors and judges are inclined toward digital forensics.
o 7. Storage media encryption technology.
o 8. The 30-day extension period for digital forensic examination based on R.A. 10175, Sec. 15.
o 9. Sec. 18, Exclusionary Rule: Any evidence procured without a valid warrant or beyond the authority of the same shall be inadmissible for any proceeding before any court or tribunal.
o a. How about electronic evidence recovered through a warrantless arrest, such as an entrapment operation?
o b. Evidence recovered from the crime scene such as cellular phones and other forms of portable storage media (SD, Micro SD).
