
SCI 4201

Digital Forensics
Lecture 1: Introduction to
Forensics

07 July 2021

Dr. Phil Nyoni


Cell: 0779457249
philnyoni@gmail.com
Module Outcomes

This module provides students with an introduction to Digital Forensic Science and the systematic process of acquiring, identifying, analysing and reporting digital evidence. Additionally, the topics of eDiscovery, Data Retention, Data Disposal, Litigation, Internal Investigations and Incident Response will be discussed within the context of Digital Forensics.

Digital Forensics and Incident Response


Course Outline
The module covers a variety of topics:
• Introduction to basic concepts of digital forensic
science
• Exploration of mobile, network and memory
forensics
• Examining the role of digital forensics in public and
private investigations
• Examining the potential benefits, limitations and
risks of digital forensics
• Increasing awareness of managerial issues raised
by the use of digital forensics
• Introduction to commercial and open-source forensic
tools
Course Assessment
Assignments:
There are two assignments designed to help
reinforce the material that has been covered in
the lecture.

Exams:
There will be an exam.



Course Materials
Suggested books for reference:

• Nelson, B., Phillips, A., Enfinger, F., Steuart, C. (2010) Guide to Computer Forensics and Investigations. 4th Edition. Boston, USA: Thomson Course Technology.
• Casey, E. (2011) Digital Evidence and Computer Crime. 3rd Edition. London, UK: Academic Press.
• Carrier, B. (2005) File System Forensic Analysis. Addison-Wesley Professional.



Online Resources
• Forensics Wiki
http://www.forensicswiki.org
• Digital Forensic Research Workshop (DFRWS)
http://www.dfrws.org
• Journal - Digital Investigation
http://www.sciencedirect.com
• Free Forensics Software
https://forensiccontrol.com/resources/free-software/



Session Objectives

• Provide an overview of incident response and digital forensics
• Describe how to prepare for computer investigations
• Explain the difference between computer, mobile,
network and digital forensics
• Examine the link between digital forensics and
incident response



Information Security Principles

The “CIA” Principle:

• Confidentiality
◦ Only authorized users can view information.
• Integrity
◦ Internally consistent.
◦ Freedom from unauthorized changes.
• Availability
◦ Resource is available for use when needed.



Defining Incidents
• Event
An observable occurrence on a system or network.
• Adverse event
An event with negative consequences.
• Computer security incident
Any unlawful, unauthorized or unacceptable action that involves a computer system or a computer network.
– Also defined as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.



Examples of Incidents
• Malicious code
– Viruses, worms, logic bombs, Trojans
• Denial of Service
– Overwhelming network services with tidal waves of
packets.
• Unauthorized access
– Accessing information or systems which a user is not
authorized to use.
• Inappropriate usage
– Installing and using peer-to-peer (P2P) applications for
file sharing.
– Installing a Wi-Fi router to bypass company monitoring.



Incident Response Methodology

• Pre-incident preparation
• Detection of incidents
• Initial response
• Formulate response strategy
• Investigate the incident
• Reporting
• Resolution (and Improvement)
Pre-Incident Preparation

• For the organization
– This is where proactive measures can be implemented.
• For the Computer Security Incident Response Team (CSIRT)
– Hardware and software needs.
– Forms and checklists for documenting incidents.
– Staff training.



Who Is Involved?

• Human resource personnel, legal counsel, technical experts, security professionals, corporate security officers, business managers, end users, help desk workers, and other employees.
• Computer Security Incident Response Team (CSIRT)
– A dynamic team assembled when an organization requires its capabilities.



Detection of Incidents

• One of the most important aspects of incident response.
• Items which should be recorded:
– Current date and time
– Who/what reported the incident
– Nature of the incident
– When the incident occurred
– Hardware/software involved
– Points of contact for involved personnel



Initial Response
• Involves assembling the CSIRT, collecting
network-based and other data, determining the
type of incident that has occurred, and
assessing the impact of the incident.

• Document steps that must be taken.

• The team must verify that an incident has actually occurred, which systems are directly or indirectly affected, which users are involved, and the potential business impact.
Formulate a Response Strategy
• Goal is to determine the most appropriate response strategy
given the circumstances of the incident.
• Factors to consider:
– How critical are the affected systems?
– How sensitive is the compromised or stolen information?
– Who are the potential perpetrators?
– Is the incident known to the public?
– What is the level of unauthorized access attained by the
attacker?
– What is the apparent skill of the attacker?
– How much system and user downtime is involved?
– What is the overall dollar loss?



Taking Action

• Legal
– File a civil complaint and/or notify
law enforcement.
• Administrative
– Usually has to deal with internal
employees who have violated
workplace policies.



Investigating the Incident
• Data Collection
◦ Host-based information, network-based information, and other information.
◦ Collected from a live running system or one that is turned off.
◦ Must be collected in a forensically sound manner.
◦ Collect in a manner that protects its integrity (evidence handling).
• Forensic Analysis
◦ Reviewing items such as log files, system configuration files, items left behind on a system, files modified, installed applications (possible hacker tools), etc.
◦ Could involve many types of tools and techniques.
◦ May lead to additional data collection.



Reporting

• Keys to making this phase successful:
– Document immediately.
– Write concisely and clearly. Don’t use shorthand.
– Use a standard format.
– Have someone else review to ensure accuracy and completeness.



Resolution

• Three steps:
– Contain the problem.
– Solve the problem.
– Take steps to prevent the
problem from occurring again.



Outcomes
• Better security means fewer incidents.
• Be proactive to provide security services:
– Physical
– Network
– Workstation
– User training
• Be prepared
– Have a plan.
– An incident response plan is vital. It is the blueprint for
dealing with incidents.
– A well-executed response can uncover the true extent
of a compromise and prevent future occurrences.
Defining Forensics
Forensic:
• “…a characteristic of evidence that satisfies its suitability for admission as fact.”

The aim of forensic science is:
• “…to demonstrate how digital evidence can be used to reconstruct a crime or incident, identify suspects, apprehend the guilty, defend the innocent, and understand criminal motivations.”

Source: Casey, “Digital Evidence and Computer Crime”



Computer Forensics vs Digital Forensics

Computer forensics (Judd, 2011):
“Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud.”

Digital forensics (Digital Forensics Research Workshop, 2012):
“The use of scientifically derived and proven methods towards the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from the digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”



Computer Forensics & Other Related
Disciplines
• Computer forensics
– Investigates data that can be retrieved from a
computer’s hard disk or other storage media
• Network forensics
– Yields information about how a perpetrator or an
attacker gained access to a network
• Mobile forensics
– Task of recovering digital evidence or data from
mobile devices
– Evidence can be inculpatory (“incriminating”) or
exculpatory
Computer Forensics & Other Related
Disciplines (continued)
• Data recovery
– Recovering information that was deleted by mistake, or lost during a power surge or server crash
– Typically you know what you’re looking for

• Disaster recovery
– Uses computer forensics techniques to retrieve information that its clients have lost
• Investigators often work as a team to make computers and networks secure in an organization





Computer Forensics & Other Related
Disciplines (continued)

• Vulnerability Assessment group
– Tests and verifies the integrity of standalone workstations and network servers
– Professionals in this group have skills in network intrusion detection and incident response
• Intrusion Response group
– Actions taken in response to a computer security
incident. These include identifying, containing and
remediating the cause of the incidents.



Computer Forensics & Other Related
Disciplines (continued)
• Computer investigations group
– Manages investigations and conducts forensic
analysis of systems suspected of containing evidence
related to an incident or a crime



History of Computer/Digital Forensics
1970s
Electronic crimes were increasing, especially in the financial
sector.
Most law enforcement officers didn’t know enough about
computers to ask the right questions or to preserve evidence
for trial.

1980s
PCs gained popularity and different OSs emerged.
Disk Operating System (DOS) was available.
Forensics tools were simple, and most were generated by
government agencies.



History of Computer/Digital Forensics
1990s
Tools for computer forensics became available.
The International Association of Computer Investigative Specialists (IACIS) offered training on software for forensics investigations.
The first commercial GUI software for computer forensics was created by ASR Data; it recovers deleted files and fragments of deleted files.

2000s
The FBI, CIA and NSA each have their own full cyber crime divisions, full digital forensics labs, and dedicated onsite and field agents.
Digital Investigation
A digital investigation is a process where we develop and test hypotheses that answer questions about digital events. This is done using the scientific method: we develop a hypothesis using evidence that we find and then test the hypothesis by looking for additional evidence that shows the hypothesis is impossible.

Digital Evidence is a digital object that contains reliable information that supports or refutes a hypothesis.

B. Carrier, 2006, File System Forensic Analysis



Characteristics of Evidence

i. Data can be viewed at different levels of abstraction
ii. Data requires interpretation
iii. Data is fragile
iv. Data is voluminous



Investigation Process
According to many professionals, Computer Forensics is a four-step process:



Investigation Process
Acquisition
Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices.
Example: An investigator obtains computers, hard drives or other equipment under investigation.

Identification
This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites.
Example: An investigator has pinpointed a suspicious IP address belonging to a laptop in Ohio. The digital forensics investigator may have a co-worker send them the suspected laptop for analysis.
Investigation Process
Analysis/Evaluation
This is the investigative portion of the process, where a forensics practitioner begins looking into the acquired asset or media's data to find evidence of the suspected crime.
Example: The investigator may look through documents, email and chat conversations, browser website history, hard drives, and other user activities.

Reporting/Presentation
This step involves the presentation of the evidence discovered in a manner which is understood by lawyers and staff/management, and which is suitable as evidence.
Example: A digital forensics investigator may debrief a company's technical leaders in detail and then give a high-level summary to the general manager.
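The forensically sound collection described under Data Collection above and the Acquisition step of the four-step process share one requirement: the examiner must be able to show later that the data analysed is the data acquired. The Python below is an added example (not code from the lecture or from any of the cited books) that hashes a constructed stand-in disk image at acquisition, keeps a chain-of-custody record, and verifies a working copy before analysis; the examiner names, source label and record layout are assumptions.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (not a real drive): a fake
# boot sector followed by one sector of "user data". A real image would be
# read from a raw/E01 file in chunks rather than held in memory.
EVIDENCE_IMAGE = (b"FAKE-BOOT-SECTOR".ljust(512, b"\x00")
                  + b"browser history: example.test/login".ljust(512, b"\x00"))


def hash_image(data: bytes, chunk_size: int = 512) -> str:
    """SHA-256 of the image, fed in sector-sized chunks as with a large file."""
    h = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def acquire(image: bytes, examiner: str, source: str) -> dict:
    """Acquisition: hash the original and open the chain-of-custody record."""
    return {
        "source": source,
        "size_bytes": len(image),
        "sha256": hash_image(image),
        "custody": [{"action": "acquired", "by": examiner,
                     "at": datetime.now(timezone.utc).isoformat()}],
    }


def transfer(record: dict, from_examiner: str, to_examiner: str) -> dict:
    """Log a hand-over (e.g. the suspected laptop shipped to a co-worker)."""
    record["custody"].append({"action": "transferred", "from": from_examiner,
                              "to": to_examiner,
                              "at": datetime.now(timezone.utc).isoformat()})
    return record


def verify(record: dict, working_copy: bytes) -> bool:
    """Before analysis: the working copy must match the acquisition hash and size."""
    return (len(working_copy) == record["size_bytes"]
            and hash_image(working_copy) == record["sha256"])


if __name__ == "__main__":
    rec = acquire(EVIDENCE_IMAGE, "examiner-1", "laptop-ohio (constructed)")
    transfer(rec, "examiner-1", "examiner-2")
    print("intact copy verifies:", verify(rec, EVIDENCE_IMAGE))
    tampered = EVIDENCE_IMAGE[:-1] + b"\x01"          # single-byte change
    print("tampered copy verifies:", verify(rec, tampered))
```

A single changed byte anywhere in the copy fails verification, which is why the acquisition hash is recorded in the report alongside the custody entries.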



Role of a Forensic Investigator
• Understanding of relevant laws
• Knowledge of file systems, OS, and applications
– Where are the logs, what is logged?
– What are possible obfuscation techniques?
– What programs and libraries are present on the system and
how are they used?
• Know what tools exist and how to use them
• Be able to explain things in simple terms



Challenges to Forensics
• Size of storage devices
• Proliferation of operating systems and file formats
• Multi-device analysis
• Pervasive Encryption
• Cloud computing
• RAM-only Malware
• Legal Challenges decreasing the scope of forensic
investigations



Summary
• Usage of computers and other electronic data storage devices leaves the footprints and data trails of their users.
• A security incident is any unlawful, unauthorised action that involves a computer system or a computer network.
• Computer forensics applies forensic procedures to digital evidence.
• An investigation typically follows a four-step process of acquisition, identification, analysis and reporting.
• Forensic analysis requires a knowledgeable and skilled investigator.
Quick Quiz

Question:
Describe the role of the Acquisition process in a Computer Forensic Investigation.

Question:
List and describe at least two challenges facing Digital Forensics in the next 10 years.



Additional Readings
https://subscription.packtpub.com/book/networking_and_servers/9781788625005/1/ch01lvl1sec10/a-brief-history-of-digital-forensics

https://blog.veriato.com/the-evolution-of-digital-forensics

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
