Experiences?
Does anyone in this room have any experiences in Digital Forensics?
Patrick Linton – DET/Insp – JCF/MOCA Director Cyber Forensics / Cyber Security - MOCA
Created the first Cybercrimes Investigation and Research Unit in 2006 at JCF/OCID
Trained by the US Secret Service in Miami in Cyber Security and Cybercrimes Investigation – 2007
Certified Trainer in Information and Communication Technology Crimes, Digital Evidence Seizure and Digital Forensics Investigations in Nicosia, Cyprus by Interpol and The University College of Dublin – 2009
Conducted Cyber Forensics training course for Interpol at the Criminal Scientific Police Department in Damascus, Syria for over 32 Law Enforcement Officers, Military and Civilians from around the world – 2010
© 2020 Patjan Inc. May not be copied, scanned, or duplicated, in whole or in part, without the expressed permission of Patrick Linton
Conducted several training courses at the Jamaica Constabulary Force’s
Criminal Investigation Training Institute (CITI) in Cybercrimes Awareness and
Digital Evidence Seizure.
Training Course in Legal System Building of International Police, Gendarmerie and Internal Troops (China 2015).
AccessData Mobile Examiner – AME
Cyber Intelligence and Cyber Security (OSINT, SIGINT, HUMINT, COMMINT, ELINT, CYBINT/DNINT) – Israel 2018
Digital Investigators don't have to try and read people's minds anymore because people's interests, hidden secrets, financial information, and even their love life are all on their computer.
© Patjan Inc. 2021
Introduction
After finishing this course, I'll leave it up to you to decide which field you'll choose to become an expert in.
Background: Digital Forensics Uses
For instance:
• Did the suspect send an email from where s/he is claiming to have sent it?
• Or, has the suspect visited and used his/her computer at a site which s/he claims to have visited?
Break Story
In 2000, in the murder case of Marty Theer, 77,000 emails were used
as incriminating evidence.
The emails between his wife and John Diamond proved that they
planned to murder Marty.
Break Story:
After the murder of William McGuire in 2004, the digital investigation team found incriminating evidence on William's wife's computer.
Background
That's why you should be aware of how digital media and applications work, because digital evidence can be easily altered or lost during its life cycle.
If any procedure was conducted incorrectly, then the evidence might become inadmissible in court.
Also, be aware that your knowledge and expertise in handling the evidence determine the evidence's quality and importance in court, which affects the jurors' decision.
Fundamentals: Scientific Method
#1 - Observing
#2 - Collecting data and facts
#3 - Finally, building a hypothesis based on data collected
The next step for the investigator is to start making predictions based on the hypothesis she/he formulated. Such prediction must be testable and provable; otherwise, it is meaningless.
Proving or disproving is done through collecting specific data, which supports the investigator's prediction.
To minimise the chances of having any errors, s/he has to consider alternative hypotheses and disprove them.
The digital evidence life cycle includes three main phases: Acquisition, Analysis and Presentation.
It is advised to follow these phases to guarantee evidence admissibility, regardless of evidence type or the incident you investigate.
Digital Evidence Life Cycle: Acquisition
For example, if the investigator opens the file (just for reading), this
action will affect the temporal property of the file “time,” which will
change the last access time of the file.
Also, the first responder might need to create a live image of the RAM,
because this may help to determine what exactly was the last thing that
the suspect did or what happened last on his/her computer.
If the device is running, you need to ensure the continuity of the power supply until the image has been created, as cutting off the power might cause loss of valuable artefacts.
If the device was off then acquisition will be easier; all the investigator
has to do is:
NOTE: Writing on the tape allows you to quickly notice if someone has
tried opening the evidence prior to its delivery to the investigation lab.
Digital Evidence Life Cycle: Acquisition
#1 - Acquisition
Concealment Steps
I will ensure that you have the right knowledge and skills to interpret
both the digital and physical (i.e. - a report) forms of evidence that
can be presented in court.
Over the next few slides, I’ll go through the common tasks done
within any analysis step.
#3 - Presentation
TIP: The amount and types of digital evidence that you will have
to analyse will differ from case to case and depends on different
criteria such as:
TIP: The analysis steps, tools and types of valid evidence may depend on your jurisdiction.
So let’s start with data types, why they are used and how
you could benefit from them.
Active Data
This type includes all data and files that are created by
the operating system or by a word processor, web
browser, mail client, or a scanner such as documents,
cached files, emails, and images.
Archive and Backup Data
The mentioned types of data are apparent and accessible for all
users, but their opposite is hidden [latent] data types.
During your analysis, hidden data will mostly be more important and
essential to examine, especially if the suspect in your case has a
good knowledge of using the computer.
Metadata
Residual data
Why did we say “might?” Because if the storage location was overwritten
with new data (example: a new file), it will be hard to get back the old
data that used to be there.
With that said, it is not hard to retrieve residual data, all you need is the
right tool. It is important for you to understand how to deal with this type
of data because deleting files is the first thing any suspect might do; after
all, he/she wants to hide his incriminating actions, right?
Replicant data
Files created by Replicant data may help to discover the last actions
that the suspect has done, like the last printed documents.
• Data blocks resulting from a move
• Temporary directories
• Web cache
• Memory
Volatility
The last issue to consider about data types is the volatile nature of data.
Non-volatile data
Volatile Data
Devices
Computer Systems
Storage Devices
These devices differ in size and the way they process and store data. These
devices may contain valuable artefacts for analysis.
Removable media
• Thumb drives
• Memory cards
Handheld Devices
Peripheral Devices
With the help of the DF team, they were able to determine the
time the letter was printed. Comparing this time with the rigor
mortis estimation of death time revealed that the letter was printed
after the woman died and this was the proof that this was a
murder case, not suicide.
Computer Networks
Hidden Storage
You should also know exactly how this device works, how data is
stored and processed in it and, most importantly, be sure that the
tool you use will give you the results you look for.
To get ready for the analysis, the following are the base requirements before starting:
• A workstation running an operating system
• A write-blocker device
• Digital forensics acquisition tool(s)
• Digital forensics analysis tool(s)
• Target drive to receive the source or suspect disk data
• Spare PATA or SATA ports
• USB ports
The Corcoran Group sold a building that was flooded with water
during a storm. The company claimed that it had no idea about
the flood. When the case started, a forensic expert conducted an
analysis on the company computers. The interesting thing was the
missing files and emails that should exist. The court judged the
company based on misleading the investigation by deleting that
evidence.
2. Image verifying:
3. Evidence Preservation:
5. Analysis Validation:
You also need to ensure that your analysis results are repeatable and reproducible, which means that the same result will be produced when the evidence is tested again in the same or a different lab using the same or different tools and equipment.
Not all cases are the same, which means different types of cases will require different types of investigations.
Internal Investigation:
Civil Investigation:
Thus, the tools that are used within such types of investigations are
usually more sophisticated and expensive.
Crime Reconstruction
Note that same origin isn’t the only type of relationship that an
investigator has to prove.
#1 - Legal Challenges
You then need to maintain and keep updating the CoC without any
discontinuity, from the moment that the evidence was acquired until the
case has been brought to the court.
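As an added illustration (mine, not from the original deck) of the image verifying, evidence preservation and chain of custody (CoC) points: the image hash recorded at acquisition is re-checked before analysis, and each CoC entry commits to the hash of the previous entry, so any gap, edit or removal in the record from acquisition to court is detectable. The function names and the JSON entry layout are my own choices.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value used by the first custody entry

def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a disk image in 1 MiB chunks so large images never need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(path, acquisition_hash):
    """Image verifying: the copy about to be analysed must still match the acquisition hash."""
    return hash_file(path) == acquisition_hash

def _digest(entry):
    """Canonical SHA-256 of an entry's fields, excluding its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_entry(chain, handler, action, image_hash):
    """Append one chain-of-custody entry. Each entry carries the hash of the previous
    entry, so altering or dropping any earlier entry breaks every later link."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "image_sha256": image_hash,
        "prev_entry_hash": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    chain.append(entry)
    return entry

def verify_chain(chain):
    """True only if every entry still hashes correctly and links to its predecessor."""
    prev = GENESIS
    for entry in chain:
        if entry["prev_entry_hash"] != prev or _digest(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True
```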
Challenges of Digital Evidence
#1 - Legal Challenges
Another problem you may encounter is privacy issues; in some cases, you cannot examine or expose all data because it contains sensitive information.
Challenges of Digital Evidence
People are now protecting their data using various hiding techniques, such as
encryption or steganography.
This adds another challenge for the analyst to retrieve digital artefacts.
In some cases, it may be easy to decrypt the data, but in other cases it may take a very long time, depending on the encryption technique the suspect has used.
Fortunately, sometimes live forensics (if permitted) may help in revealing passwords.
Challenges of Digital Evidence
Size and distribution of digital evidence may be the biggest challenge for DF analysts, who have to analyse a huge amount of data within a limited time frame and with limited resources!
In some cases, you may encounter a large amount of data to analyse, and it is impossible to create a forensic image of this evidence; in such cases, the solution is to define the most relevant parts of the evidence to be collected, or at least the parts that help to incriminate or exonerate the suspect. This comes with a trade-off: you might not acquire the relevant data to be analysed.
Challenges of Digital Evidence
#4 – Evidence Dynamic
Alteration – Intention or not
One reason for evidence dynamic is the suspect. People are now aware of digital investigation tools, and by surfing the Internet, anyone can learn how to hide their traces and disrupt forensic techniques or even destroy the evidence! And there is plenty of malware developed by criminals to disguise their activities; for example, using a wiping tool will prevent any artefact examination.
#4 – Evidence Dynamic
Alteration – Intention or not
In some cases, the victim may change the evidence; the victim may disrupt the evidence unintentionally (as an administrator who is trying to protect his network), or even a victim may fake evidence to incriminate a suspect!
• Botnets
• Covert Channels
• Targeted Attacks
• Steganography
• Organised Crime
• Mobile Encryption
• Malware
Commingling or Contamination:
Copying new data to a hard disk that already contains other data may
cause the old data to be analysed as part of the new data, even if old
data was erased.
Forensic soundness
https://link.springer.com/content/pdf/10.1007%2F978-0-387-84927-0_1.pdf
Major Concepts
Grissom once said that, “To get to the evidence, we may destroy
the evidence.”
If the investigator opens the file (just for reading), this action will
affect the temporal property of the file “time,” as this will change
the last access time of the file.
The next slides cover those factors and what it means for
evidence to be admissible.
From a technical point of view, the most crucial point for evidence admissibility is authenticity.
Chain of custody
When reading digital evidence, the tool tells us what artefact it has; we never see the real data firsthand, what we see is the tool's representation of the data!
The evidence never lies, and that's true, but do you trust the tool you have to tell you the right story?
Are you sure that the tool you have has no bugs and works correctly in every case?
Abstraction layer
On the disk, the file is a series of zeros and ones, and by applying
ASCII abstraction layer each group of consecutive bits is
translated to its corresponding character, and the text file is
viewed as a series of letters, numbers, and symbols.
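An added example (mine, not from the deck) of the abstraction layer point: the same constructed bytes rendered at three layers, raw hex, ASCII characters and a parsed record, plus the wrong story a tool tells when it applies the wrong layer (reading a little-endian timestamp as big-endian). The record layout (magic, length, timestamp, text) is invented for the illustration.

```python
import struct
from datetime import datetime, timezone

# Constructed 25-byte "file" (not from any real image): 4-byte magic, little-endian
# 4-byte payload length, little-endian 4-byte Unix timestamp, then the payload text.
RAW = b"NOTE" + struct.pack("<I", 13) + struct.pack("<I", 1609459200) + b"Hello, world!"

def hex_layer(data):
    """Lowest layer: the bytes themselves, shown as hex pairs."""
    return data.hex(" ")

def ascii_layer(data):
    """ASCII layer: each byte becomes a character; non-printable bytes are shown as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)

def timestamp_layer(data, offset, byte_order="<"):
    """Interpret 4 bytes at offset as a Unix time. '<' = little-endian, '>' = big-endian.
    Picking the wrong byte order yields a confident but wrong date."""
    (ts,) = struct.unpack_from(byte_order + "I", data, offset)
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def record_layer(data):
    """Highest layer: parse the record, refusing to present it if its own length field
    disagrees with the bytes actually present (a tool that silently 'fixed' this
    would be telling its own story, not the evidence's)."""
    magic, length = data[:4], struct.unpack_from("<I", data, 4)[0]
    if magic != b"NOTE":
        raise ValueError("not a NOTE record")
    if length != len(data) - 12:
        raise ValueError(f"length field {length} does not match {len(data) - 12} payload bytes")
    return {
        "magic": magic.decode("ascii"),
        "length": length,
        "written": timestamp_layer(data, 8),
        "text": data[12:12 + length].decode("ascii"),
    }
```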
However, this is not the case everywhere; you should be familiar with your country's law or, at least, check with an attorney.
You can’t use the same solution for a digital investigation for every
single case. Each case presents and will require different steps to
go through and will depend on your suspect’s mentality, and
his/her computer skills.
This is just the end of the beginning. By now, you should have
sufficient knowledge about DF analysis, can identify relevant types
and sources of digital evidence, realise to only count on facts and
to conduct scientific procedures during DF analysis, what problems
you may encounter and how to benefit from analysis tools!