
MAJOR ORGANISED CRIME & ANTI-CORRUPTION AGENCY

2 OXFORD ROAD, NCB (SOUTH) TOWER


7TH & 8TH FLOOR, KINGSTON 5
MOB: 425-5414, PHONE: 822-6222
EMAIL: PATRICK.LINTON@MOCA.GOV.JM, PATJANS@GMAIL.COM
Course outline:
• Course Introduction
• Background
• Fundamentals
• Digital Evidence
• Analysis Steps
• Investigation scope
• Reconstructing the crime
• Challenges of Digital evidence
• Major Concepts

Experiences?

Does anyone in this room have any experience in Digital Forensics?

© 2020 Patjan Inc. May not be copied, scanned, or duplicated, in whole or in part, without the expressed permission of Patrick Linton
WHO AM I

Patrick Linton – DET/Insp – JCF/MOCA Director Cyber Forensics /Cyber Security - MOCA

Cybercrime Investigation – Korean National Police University - 2006

Created the first Cybercrimes Investigation and Research Unit in 2006 at JCF/OCID

Trained by the US Secret Service in Miami in CyberSecurity and Cybercrimes Investigation – 2007

Certified Trainer in Information and Communication Technology Crimes, Digital Evidence Seizure and Digital Forensics Investigations in Nicosia, Cyprus by Interpol and The University College of Dublin - 2009

Conducted CyberForensics training course for Interpol at the Criminal Scientific Police Department in Damascus, Syria for over 32 Law Enforcement Officers, Military and Civilians from around the world – 2010
Conducted several training courses at the Jamaica Constabulary Force’s Criminal Investigation Training Institute (CITI) in Cybercrimes Awareness and Digital Evidence Seizure.

Conducted several training courses at the Regional Drug Enforcement Training Centre in Cybercrimes Investigation, Digital Forensics, Mobile Phones Forensics and Internet Investigations (Part of the International Cybercrimes Training Course Development Team - REDTRAC)

Conducted several other lectures in cybercrimes awareness at various Institutions Island-wide to include Financial Institutions on behalf of Jamaica Banker’s Association

Conducted several lectures in cybercrimes awareness at Northern Caribbean University and numerous other Institutions and Corporate entities.

EnCase Certified Examiner – EnCE

Certified Cyber Security Crisis Management Responder, Washington DC, USA.

AccessData Certified Examiner (Computer Forensics) ACE

Certified Ethical Hacker – (EC-COUNCIL) C|EH

Computer Hacking Forensic Investigator (EC-COUNCIL) C|HFI

Training Course in Legal System Building of International Police, Gendarmerie and Internal Troops (China 2015).
AccessData Mobile Examiner – AME

Lecture at Caribbean Maritime University – Cybercrimes Investigation, ICT

Cloud Computing, Big Data and Artificial Intelligence (China 2018).

Cyber Intelligence and Cyber Security (OSINT, SIGINT, HUMINT, COMMINT, ELINT, CYBINT/DNINT) – Israel 2018
Digital Investigators don't have to try and read people’s minds anymore because people’s interests, hidden secrets, financial information, and even their love life are all on their computer.
© Patjan Inc. 2021
Introduction

Welcome to Forensic Computing, an introductory course for beginners in the digital forensics field.

This course is also for you if your goal is to become a digital investigator, as this course is your first and most important step in meeting your goal.
Introduction

The primary focus in this course is on the analysis phase of Digital Forensics; this course will cover the major concepts and provides an extremely hands-on experience.

After taking this course, you will be:

✓ Capable of conducting a complete DF Analysis and presenting it in court.

✓ Able to reconstruct data structures and events from the mass of information available.

✓ Able to locate artefacts, which are used as compelling evidence.
Introduction

This Introduction module lays out the basic concepts, fundamentals and techniques of Digital Forensics that are needed for the rest of the course.
Introduction

The world of Digital Forensics is extensive, with many fields in forensic analysis. However, this course has the responsibility to guide you through the following modules:
1. Introduction to Digital Forensics
2. Data Acquisition
3. Documents and File Metadata
4. Disks and File-systems
5. Windows Forensics
6. Network Forensics
7. Log Analysis and Correlation
8. Finally, Timeline Analysis and Reporting.
Introduction

In my opinion, the subjects discussed in this course are the most important and basic information you need to know during your Digital Forensics journey.

After finishing this course, I’ll leave it up to you to decide which field you’ll choose to become an expert in.
Introduction: Out of Scope

Before I jump into the content of this module, I want to clarify what will not be covered in the course:
• Legal side of an investigation
• Types of Search Warrants
• Expert Witnesses
• Privacy Issues

Background

People don’t realise the artefacts, or secrets, they leave behind when they use/log off a computer.

Such artefacts and secrets we call “evidence.”

Hence, the saying “I know what you did last summer” is most appropriate.
Background

Computer users think that by simply deleting traces of their activity everything is gone. What they don’t realise is that by using the right Digital Forensics (DF) tool, we can locate, extract, and analyse what was once there and get it back.

You’d be amazed by the number of artefacts that can be recovered and extracted, even from the tiniest of devices.
Background

What is Digital Forensics?

Digital forensics (or digital forensic science) is a discipline of forensic science, which is the recovery and investigation of artefacts found in digital devices, often in relation to computer crime.
Background: Digital Forensics Uses

With technology entering every aspect of our lives, the applications of digital forensics are growing rapidly.

In general, the main goal of digital forensics is to answer the big five W’s regarding any digital incident:

What, Where, When, Who, and How
Background: Digital Forensics Uses

Digital Forensics can also be used to support non-digital civil and criminal cases such as proving intent.

For example, finding “how to make bombs” in someone's browsing history could be used as an indicator linking that person to terrorism.
Background: Digital Forensics Uses

Another example of using Digital Forensics is alibis and claims.

For instance:
• Did the suspect send an email from where s/he is claiming to have sent it?
• Or, has the suspect visited and used his/her computer at a site which s/he claims to have visited?
Background: Digital Forensics Uses

Break Story
In 2000, in the murder case of Marty Theer, 77,000 emails were used
as incriminating evidence.

The emails between his wife and John Diamond proved that they
planned to murder Marty.

Background

Imagine a case where an individual accused of robbery or murder claims that they were at a coffee shop during the time that the crime happened.

In such a case, with the help of network forensics, it is possible to gather logs and other types of network-related evidence to verify whether the suspect used their laptop on that network during the crime.
Background

Break Story:
After the murder of William McGuire in 2004, the digital investigation team found incriminating evidence on William’s wife’s computer.

The evidence consisted of Google searches on: ‘Untraceable Poisons,’ ‘How to Commit a Murder,’ and ‘Where to buy a gun in Pennsylvania.’
Background

In comparison with conventional crimes, digital crimes impose new challenges to investigators.

Example: Larcenous Crimes

• A conventional crime might be something like stealing a cashier’s wallet.
• While a digital crime could be done by using different hacking techniques, such as phishing, skimming, etc.
Background

Other conventional crimes that could involve digital investigations are, but not limited to:

1. Child exploitation
2. Fraud
3. Drug trafficking
4. Terrorism
5. Homicide
Fundamentals

This section goes through the fundamentals of most common digital investigations, which include:

• Digital Evidence
• Digital Forensics Tools
• Scientific Method
Fundamentals: Digital Evidence

In any criminal investigation, the foundation is the evidence; for instance, a fingerprint in a homicide case.

In the digital world, evidence is defined as any digital information that is stored, transmitted or produced from electronic devices and/or software.
Fundamentals: Digital Evidence

Examples of digital evidence are:
• Pictures produced by cameras
• Print logs saved on printers
• Temporary files produced by a web browser
• Downloaded files
• Email messages
• Deleted files

One should always carefully collect evidence, but in crime scenes with digital media involved, it’s an even more critical issue.
Fundamentals: Digital Evidence

That’s why you should be aware of how digital media and applications work, because digital evidence can be easily altered or lost during its life cycle.

If any procedure was conducted incorrectly, then the evidence might become inadmissible in court.
Fundamentals: Digital Evidence

Also, be aware that your knowledge and expertise in handling the evidence determine the evidence quality and importance in court, which affects the jurors’ decision.
Fundamentals: Digital Forensics Tools

Tools have an important role in the forensic investigation process.

But, Digital Forensics isn’t about just using tools.

An investigator is expected to have a deep understanding of the underlying technology he/she is dealing with.
Fundamentals: Digital Forensics Tools

Knowing how the tool works is important, but digital investigators should also know how data is acquired, processed, interpreted and displayed by the tool s/he is using.

We don’t want to be “click monkeys.”
Fundamentals: Digital Forensics Tools

There are different types of DF tools available for you to use:

• Proprietary
• Open source
• Your own

You need to choose the best tool for your investigation.

Fundamentals: Scientific Method

An investigator is also expected to be able to:

• Apply the Scientific Method during the investigation.
• Analyse data and compare samples.
• Notice any abbreviation, abnormalities, and characteristics.

This is not possible if the investigator is not aware of the regular characteristics of data and technology.
Fundamentals: Scientific Method

The Scientific Method is a body of techniques for:

• Investigating phenomena,
• Acquiring new knowledge, or
• Correcting and integrating previous knowledge [1].

The Scientific Method is the investigator’s most useful ally in his/her mission to present reliable evidence.
Fundamentals: Scientific Method

The methodology is simple:

#1 - Observing
#2 - Collecting data and facts
#3 - Finally, building a hypothesis based on data collected
Fundamentals: Scientific Method

The next step for the investigator is to start making predictions based on the hypothesis she/he formulated. Such a prediction must be testable and provable; otherwise, it is meaningless.

To minimise the chances of having any errors, s/he has to consider alternative hypotheses and disprove them.

Proving or disproving is done through collecting specific data, which supports the investigator’s prediction.
Fundamentals: Scientific Method

The reason we follow scientific procedures in extracting artefacts and building the hypothesis is that you need a scientific base to verify and explain the results you reached.

If there is no scientific reason to explain any procedure you have done, this will undermine the credibility of the forensic analysis and the evidence will be considered too unreliable to be accepted in court.
Digital Evidence Life Cycle

The digital evidence life cycle includes three main phases: Acquisition, Analysis and Presentation.

It is advised to follow these phases to guarantee evidence admissibility, regardless of evidence type or the incident you investigate.
Digital Evidence Life Cycle: Acquisition

Digital Evidence Life Cycle

#1 - Acquisition

Acquisition is the process of obtaining a forensically sound image (physically or remotely) of the evidence to be analysed.

It is an important phase, as the evidence validity depends on it.
Digital Evidence Life Cycle: Acquisition

Evidence acquisition is important because the validity of other steps depends on the validity of this phase, which means that evidence collection done incorrectly or illegally will result in evidence being unacceptable in other steps.
Digital Evidence Life Cycle: Acquisition

In the CSI series Grissom says, “To get to the evidence, we might destroy the evidence.”

This is a critical issue in digital evidence acquisition because the evidence is susceptible to change even from trivial actions.
Digital Evidence Life Cycle: Acquisition

Digital evidence is fragile by nature, and such fragility is what creates challenges during the investigation process.

Because of its fast-changing nature, it’s easy to induce changes or alterations to the evidence either intentionally or unintentionally.
Digital Evidence Life Cycle: Acquisition

These changes can happen at any phase, starting from the acquisition and transfer phases all the way to the admission phase, when the evidence is presented at court.

Changes can be caused by anyone from the attacker to system admins, victims, and even a junior level digital investigator.
Digital Evidence Life Cycle: Acquisition

Investigators should have the basic experience to deal with digital evidence in order to avoid destroying it.

The investigators should also guarantee that:

• The delivery of the evidence is as it was found.
• The evidence will not be exposed to alteration.
Digital Evidence Life Cycle: Acquisition

Acquisition steps should be done carefully because any wrong action will ruin the evidence and could lead to completely different results.

For example, if the investigator opens the file (just for reading), this action will affect the temporal property of the file (“time”), which will change the last access time of the file.
Digital Evidence Life Cycle: Acquisition

One important thing done by the investigator (first responder) is securing the incident scene by moving people away from evidence to ensure that no one is in contact with evidence.

Additionally, if there is a running device then they may start by taking photos and writing down what appears on the screen.
Digital Evidence Life Cycle: Acquisition

Also, the first responder might need to create a live image of the RAM, because this may help to determine what exactly was the last thing that the suspect did or what happened last on his/her computer.

If the device is running, you need to ensure the continuity of the power supply until creating the image, as cutting off the power might cause loss of valuable artefacts.
Digital Evidence Life Cycle: Acquisition

Be careful of any destructive program(s) running (i.e. performing a wipe operation). In such a situation, the right thing to do may be to switch off the power immediately to save the remaining artefacts.
Digital Evidence Life Cycle: Acquisition

If the device was off then acquisition will be easier; all the investigator has to do is:

1. Leave the device off
2. Put the evidence in a container
3. Seal the container with tape
4. Write on the tape

NOTE: Writing on the tape allows you to quickly notice if someone has tried opening the evidence prior to its delivery to the investigation lab.
Digital Evidence Life Cycle: Acquisition

Finally, in the case of a running or turned-off device, seal the evidence in a container for later analysis. Make sure to use proper and secure containers to secure evidence.
Digital Evidence Life Cycle: Acquisition

Concealment Steps

• Use digitally safe containers for evidence keeping, such as antistatic bags and antistatic pads.
• Make sure that those containers are well padded.
• Write notes on the tape to prevent tampering with the evidence.
• Ensure that temperature and humidity ranges are adequate for all evidence.
Digital Evidence Life Cycle: Acquisition

The investigator should document all steps of acquisition, to indicate its soundness; before moving on, the investigator may inspect the scene to search for a password or any other important note.

All mentioned steps will guarantee the authenticity and soundness of the evidence.
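The soundness the slide describes is something an examiner can check rather than merely assert: hash the image at acquisition, log who took it and when, and re-hash before every later step. The following Python script is an added example and not part of the course material. It writes a constructed 4 KiB sample that stands in for an acquired image (the file name suspect_laptop.dd, the examiner name and the source description are placeholders), records SHA-256 and MD5 hashes in a chain-of-custody log, and then shows that flipping a single byte of the image makes later verification fail.

```python
"""Acquisition hashing and a chain-of-custody log for a forensic image (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def make_sample_image(size: int = 4096, seed: int = 7) -> bytes:
    """Constructed stand-in for an acquired disk image: deterministic pseudo-random bytes."""
    buf = bytearray()
    x = seed
    while len(buf) < size:
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF   # simple LCG, reproducible
        buf.append(x & 0xFF)
    return bytes(buf)


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream the image through SHA-256 and MD5 (a pairing many imaging tools report)."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def record_acquisition(image_path: str, examiner: str, source: str, log_path: str) -> dict:
    """Append one custody entry: who, what, when, size and the hashes at acquisition time."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        **hash_file(image_path),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path: str, entry: dict) -> dict:
    """Recompute the hashes and compare with the logged ones. Any False means the image
    is no longer the one that was acquired and must not be relied on for analysis."""
    current = hash_file(image_path)
    return {k: current[k] == entry[k] for k in ("sha256", "md5")}


def demo():
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "suspect_laptop.dd")   # placeholder file name
    log = os.path.join(workdir, "custody.log")
    with open(image, "wb") as f:
        f.write(make_sample_image())
    entry = record_acquisition(image, "Examiner (placeholder)", "constructed 4 KiB sample", log)
    intact = verify_image(image, entry)
    # Simulate an accidental write to the working copy: flip one bit of one byte.
    with open(image, "r+b") as f:
        f.seek(100)
        original = f.read(1)
        f.seek(100)
        f.write(bytes([original[0] ^ 0x01]))
    tampered = verify_image(image, entry)
    return intact, tampered


if __name__ == "__main__":
    intact, tampered = demo()
    print("before change:", intact)
    print("after one-bit change:", tampered)
```

In practice the analysis runs on a verified working copy while the original image stays sealed; the log line gives the court the examiner, time and hash that tie the copy back to what was seized.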

Digital Evidence Life Cycle: Analysis

Digital Evidence Life Cycle

#2 - Analysis

As mentioned earlier, the primary focus in this course will be on the analysis phase, which we’ll explore in the next modules.

I will ensure that you have the right knowledge and skills to interpret both the digital and physical (i.e. a report) forms of evidence that can be presented in court.
Digital Evidence Life Cycle: Analysis

Over the next few slides, I’ll go through the common tasks done within any analysis step.

#1 - The most important thing to consider is preserving the original evidence without alteration, which is why it’s very important that before starting your analysis, you should create a forensic image of the evidence and perform your analysis on this image (sometimes it is not possible).
Digital Evidence Life Cycle: Analysis

#2 - It is very important to validate all your analysis steps to ensure your results later, and to leave no holes for questioning by a defence attorney.

Just like the acquisition phase, documentation is paramount in the analysis phase; you need to document all tools that are used during analysis and the procedures that you followed.
Digital Evidence Life Cycle: Analysis

TIP: Remember, the DF field is rapidly changing and evolving.

• Learn and Grow: You need to constantly promote and grow your skills, as there will always be new software or devices in the field.
• Ask for Help: If you have no experience with a software or device, the right thing to do is to ask an expert to help you.
Digital Evidence Life Cycle: Analysis

According to your hypothesis, the forensic analysis is conducted to generate one of the following:

• Inculpatory Evidence: Supports a hypothesis
• Exculpatory Evidence: Contradicts a hypothesis
• Tampering Evidence: Indicates system tampering with the aim of deception
Digital Evidence Life Cycle: Presentation

Digital Evidence Life Cycle

#3 - Presentation

The last investigation phase is presentation, where you should provide:
• A report of your analysis results, by mentioning the artefacts you found,
• Steps you followed to reveal these artefacts, and
• The tools used for your analysis.

Depending on your experience, you should provide a reasonable explanation for these artefacts and how they will help in the current investigation.
Digital Evidence Life Cycle: Presentation

What your report should specifically include mostly depends on the party that asked for the investigation: court, police, company, or even individuals. Regardless of whoever requested the investigation, when you present in court, your task will require more effort for the proper presentation of evidence.

Juries (especially when they don’t have any technical background) are usually convinced when they see the physical evidence; therefore, it is your job to present the digital evidence in its best physical form.
Digital Evidence Life Cycle: Presentation

TIP: The amount and types of digital evidence that you will have to analyse will differ from case to case and depend on different criteria such as:

• What evidence you have,
• If the evidence you found leads you to other clues,
• In situations where there is a large amount of data, you will only need to extract enough artefacts to incriminate the suspect or explain the incident that occurred.
Digital Evidence Life Cycle: Presentation

TIP: The analysis steps, tools and types of valid evidence may depend on your jurisdiction.

Unfortunately, legal practices are not generalised among countries and will not be covered in this course.

You should be aware of your country’s forensic legal practices to build your case and form your analysis steps, or ask a local attorney’s office.
Types & Sources of Digital Evidence

As a result of the fast growth in technology, there is an infinite list of types and sources for digital evidence, and in each case you’re involved in, there will be different kinds of evidence.
Types and Sources of Digital Evidence

We need to explore the types and sources of digital evidence because they will determine the tool you will use or build to analyse your evidence.

For example, to analyse Windows operating system artefacts you will need tools that are sometimes completely different from Linux or MacOS tools.
Types and Sources of Digital Evidence

Also, tools that are used to extract data from memory vary in their implementation in reference to tools used to analyse hard disk drives!
Active Data

So let’s start with data types, why they are used and how you could benefit from them.

Active Data
This type includes all data and files that are created by the operating system or by a word processor, web browser, mail client, or a scanner, such as documents, cached files, emails, and images.
Archive and Backup Data

Archive and Backup Data

This is all data that is organised and preserved for long-term storage to avoid data loss due to attacks or disasters. Backup data is created by making an identical copy of original files and folders. Almost everyone has a CD; its content is an example of archived or backup data, as is data stored on network storage (SAN device).
Hidden Data Types

The mentioned types of data are apparent and accessible for all users, but their opposite is hidden [latent] data types.

During your analysis, hidden data will mostly be more important and essential to examine, especially if the suspect in your case has a good knowledge of using the computer.
Hidden Data Types

Hidden data types encompass the following:

• Metadata
• Residual data
• Replicant data
Hidden Data Types

Metadata

• Defined as “data about data”, which is used to provide context or additional information about data and files, such as date of file creation, or information about the file structure.

• Metadata is considered one of the most valuable pieces of evidence as it contains a lot of information about a file such as the name of the file owner, and file last access and modification time.
Hidden Data Types

You could benefit from metadata information in your analysis to prove that a document was created on the suspect’s device, provided the metadata was not altered or modified.
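The owner, size and access/modification/change times named on the metadata slides are exactly what the filesystem keeps per file, and the acquisition slide's warning that merely opening a file moves its last access time is a change an examiner should be able to detect. The following Python script is an added example, not part of the course material: it records a file's filesystem metadata as a small dictionary, then takes a second snapshot and lists which fields moved. The file name letter.docx is constructed, the timestamps are pinned with os.utime so the output is reproducible, and the "access" is simulated with os.utime rather than a real read because noatime/relatime mount options would otherwise hide it.

```python
"""Recording filesystem metadata for a file and spotting later changes (added example)."""
import os
import stat
import tempfile
from datetime import datetime, timezone

try:
    import pwd  # Unix only: maps a numeric uid to the owner's user name
except ImportError:
    pwd = None


def _iso_utc(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def file_metadata(path: str) -> dict:
    """Snapshot of the 'data about data' the filesystem keeps for one file."""
    st = os.stat(path)
    owner = str(st.st_uid)
    if pwd is not None:
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            pass   # uid with no passwd entry: keep the number
    return {
        "name": os.path.basename(path),
        "size": st.st_size,
        "owner": owner,
        "mode": stat.filemode(st.st_mode),
        "atime": _iso_utc(st.st_atime),   # last access
        "mtime": _iso_utc(st.st_mtime),   # last content modification
        "ctime": _iso_utc(st.st_ctime),   # last inode/metadata change on Unix
    }


def diff_metadata(before: dict, after: dict) -> list:
    """Names of the fields that differ between two snapshots of the same file."""
    return sorted(k for k in before if before[k] != after[k])


def demo():
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "letter.docx")       # constructed file name
    with open(path, "wb") as f:
        f.write(b"constructed document body")
    # Pin both timestamps to 2021-03-01T12:00:00Z so the record is reproducible.
    known = 1614600000
    os.utime(path, (known, known))
    before = file_metadata(path)
    # What "opening the file just for reading" can do: the access time moves on
    # while the content and its modification time stay the same.
    os.utime(path, (known + 3600, known))
    after = file_metadata(path)
    return before, after, diff_metadata(before, after)


if __name__ == "__main__":
    before, after, changed = demo()
    print("before:", before)
    print("after: ", after)
    print("changed fields:", changed)
```

Note that ctime also appears in the changed list: on Unix any inode update, including a timestamp change, bumps it, which is itself a useful tamper indicator when a suspect has back-dated mtime by hand.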

Hidden Data Types – Break Story

Here is the famous story of Dennis Rader, who’s known as BTK (Bind, Torture, Kill). The serial killer, Dennis, murdered 10 people within 30 years. Regular investigations revealed nothing, but when Dennis sent the police a floppy disk that contained a letter in the form of a Word document file from him, analysing the Word document metadata revealed the identity of Dennis and resulted in his arrest.
Hidden Data Types

Residual data

• This is deleted data on the disk.

• An important issue to know is that even after data deletion occurs the data “might” still be there, but you just cannot see it, for example in the directory list of your Windows Explorer.
Hidden Data Types

Why did we say “might?” Because if the storage location was overwritten with new data (example: a new file), it will be hard to get back the old data that used to be there.

With that said, it is not hard to retrieve residual data; all you need is the right tool. It is important for you to understand how to deal with this type of data because deleting files is the first thing any suspect might do; after all, he/she wants to hide his incriminating actions, right?
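The "might" above is the whole story of residual data, and the simplest recovery technique behind "the right tool" is signature carving: ignore the filesystem and scan every block for known file headers and footers. The following Python script is an added example, not a tool from the course: it builds a constructed 8 KiB "disk" with a live text file at the start and a JPEG-like blob at offset 4096 whose directory entry we imagine has been deleted, carves the blob back by its SOI/EOI markers, and then shows both failure modes the slide warns about, a partial overwrite that destroys the header and a full overwrite that zeroes the region.

```python
"""Signature carving of deleted (residual) data from unallocated space (added example)."""

# (header, footer) byte patterns for two common picture formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024   # give up on a header if no footer shows within 10 MiB


def carve(image: bytes, signatures=SIGNATURES) -> list:
    """Scan the whole image, allocated or not, for header/footer pairs.

    The filesystem is ignored on purpose: after deletion the directory entry is
    gone, but the file's blocks keep their content until something reuses them.
    """
    found = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head), start + MAX_CARVE)
            if end < 0:                  # header with no footer in range: skip it
                pos = start + 1
                continue
            end += len(tail)
            found.append({"type": kind, "offset": start,
                          "length": end - start, "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda hit: hit["offset"])


def build_sample_image():
    """Constructed 8 KiB disk: a live text file at offset 0 and a deleted
    JPEG-like blob left behind in unallocated space at offset 4096."""
    disk = bytearray(8192)
    live_file = b"notes.txt: meeting at 3pm"
    disk[:len(live_file)] = live_file
    deleted_jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"   # SOI + APP0 marker
                    + bytes(range(64))                    # stand-in image data
                    + b"\xff\xd9")                        # EOI
    disk[4096:4096 + len(deleted_jpeg)] = deleted_jpeg
    return bytes(disk), deleted_jpeg


def overwrite(disk: bytes, offset: int, new_data: bytes) -> bytes:
    """Simulate the filesystem handing the blocks to a new file."""
    return disk[:offset] + new_data + disk[offset + len(new_data):]


def demo():
    disk, blob = build_sample_image()
    recovered = carve(disk)                                      # still carvable
    partial = carve(overwrite(disk, 4096, b"new file header"))   # header clobbered
    full = carve(overwrite(disk, 4096, bytes(len(blob))))        # region zeroed
    return recovered, partial, full


if __name__ == "__main__":
    recovered, partial, full = demo()
    for hit in recovered:
        print(f"{hit['type']} at offset {hit['offset']}, {hit['length']} bytes")
    print("hits after partial overwrite:", len(partial), "after full overwrite:", len(full))
```

The partial-overwrite case is why "might" is the honest word: the tail of the picture is still on disk, but with the header gone a signature scan cannot tell where it starts, and recovering it would need a format-aware tool rather than this generic scan.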

Hidden Data Types

Replicant data

• This type of data is generated when a program like a word processor creates a temporary copy of an opened file; this is needed as a backup to avoid data loss in case an error occurs and the file is forced to close without saving the changes.
Hidden Data Types

Files created as replicant data may help to discover the last actions that the suspect has done, like the last printed documents.

The importance of these files is that they could be retrieved even after the document file was deleted.
Hidden Data Types

Examples of residual data include:

• Temporary directories
• Web cache
• Memory
• Data blocks resulting from a move
Hidden Data Types – Break Story

Edward Ray Barton was sentenced for having pictures of a young model in his “temporary internet files folder”. The defence of the suspect was that he typed the wrong website URL, and when he realised what it was, he closed it immediately. The fact that the pictures were stored only in the temporary internet files supported his claims and exonerated him.
Volatility

The last issue to consider about data types is the volatile nature of data.

This is essential to consider before starting a DF investigation because it determines which data you should collect first to avoid losing digital artefacts. These types are:

• Non-volatile data
• Volatile data
Volatility

Non-volatile data

• All previously mentioned types are considered non-volatile data, and could be retrieved even if the computer has been turned off.
Volatility

Volatile Data

• The data that resides in RAM and is acquired only when the device is running. Collecting volatile data is a perilous task, because of its changing nature (example: running your forensic tool will change part of the memory), and if the power is disconnected we’ll lose all of this data.
Devices

You can find all mentioned types of data in a number of different devices, so we could say that your investigation may involve any device that is able to store digital data, and these could be categorised in, but not limited to:

• Image files
• Hidden files
• Keyword search
• Software applications
• Encrypted files
• Known remote access tools
• Deleted files
• Hidden partitions
Devices

Computer Systems

Desktops, laptops, etc.

These are the richest source of artefacts and contain valuable
information about the suspect and what they were doing. You may
find various types of artefacts, such as email, chat logs and financial
information.

Devices

Storage Devices

Hard drives and external hard drives

These devices differ in size and in the way they process and store
data, and they may contain valuable artefacts for analysis.

Devices

Removable media

• Any type of storage device that can be removed while the system
is running, such as a CD. People use these devices to store
information or applications they use.

Devices

Thumb drives

• These small storage devices can easily be hidden and transported,
so a suspect may use them to hide important files.

Devices

Memory cards

• These cards can be found in many devices, such as digital cameras
and mobile phones. Despite their small size, you may find a large
amount of data on these cards, such as pictures and other files.

Devices

Handheld Devices

• These devices are a close companion for most people; they can tell
you a great deal about your suspect, as they store data, images,
global positioning system (GPS) information and other valuable
information.

Devices

Peripheral Devices

• These devices may help you find the last thing the suspect did.

• For example, if you find a printer you could learn which documents
have been printed recently, and the same applies to other devices,
including scanners, fax machines, etc.

Devices – Break Story

In a case where a woman was found dead, the first examination of
the scene indicated suicide, especially when the investigators found a
printed letter signed with the woman's name stating the reason for
her suicide.

Devices – Break Story

With the help of the DF team, they were able to determine the time
the letter was printed. Comparing this time with the rigor mortis
estimate of the time of death revealed that the letter was printed
after the woman died; this was the proof that this was a murder
case, not a suicide.

Devices

Computer Networks

• The network contains the largest amount of data you could ever
analyse. When your case involves a company or a large organisation,
your investigation may include network devices. These devices, such
as an authoritative name server, will provide valuable information
such as IP addresses, which could be used to relate an incident to a
suspect's device.

Devices

Hidden Storage

• Examples of these devices are a chip hidden inside a USB cable, or
an A/C power pack that contains a hidden camera. These types of
evidence are difficult to notice unless you are aware of their
existence, and they are sure to contain important artefacts.

Devices

You may find unexpected evidence inside digital devices; for
example, even though iPod devices are normally only used to play
music, you may find document files stored on them.

Devices

As you may already know, each case will involve different devices,
but whatever the device involved in the case you investigate, you
should be familiar with how to handle this type of evidence and the
data it contains.

You should also know exactly how the device works, how data is
stored and processed on it and, most importantly, be sure that the
tool you use will give you the results you are looking for.

TIP

In cases where you encounter evidence you are not familiar with, you
should call an expert to help you complete the analysis, to avoid
wrong procedures that cause data loss or dismissal of the evidence
in court.

Devices

Digital evidence should have the following characteristics:

• Admissibility - accepted in a court
• Authenticity - relevant to the case
• Complete - no missing information

Analysis Steps

DF analysis is defined as a scientific method, which starts by
gathering facts from the evidence you have, building a hypothesis to
explain an incident, and extracting artefacts to prove or refute this
hypothesis.

Analysis Steps

The scientific method is a generic approach used in most fields and
is not restricted to digital forensics.

In this section, we are going to go through best practices and key
points that investigators have to take into consideration when
conducting their investigation and applying the scientific method.

Analysis Steps

Prepare for your DF analysis

In every case you should prepare a new, dedicated storage device for
your analysis; if this is impossible to achieve, you should perform a
forensic wipe on the disk to remove old data before copying the new
evidence onto it.

Analysis Steps

Prepare for your DF analysis

• Some digital devices will need special treatment.

• For example, if you need to analyse a wireless device, it should be
isolated from the surrounding environment to prevent new
connections, which would alter the evidence as new data packets
flowing in and out of the device overwrite the old ones.

Analysis Steps

In physical cases, investigators collect observations from the
evidence they have, such as a victim's wounds, to help determine
how the crime happened, when and by whom.

Analysis Steps

Digital analysis works the same way as physical cases: it starts by
gathering observations from the evidence you have, then building a
hypothesis that explains what caused the evidence, and by whom, to
gain an understanding of the whole case.

Analysis Steps

Your analysis may encompass recovering deleted files, establishing
their time of creation and linking them to a suspect.

Also, the evidence you find could lead you to further evidence from
different sources.

Analysis Steps

For example, reading a suspect's email may indicate the existence of
important information that was sent to the suspect on CD, or the
analyst may have to search the internet for evidence such as chats
between the suspect and the victim.

Analysis Steps: Break Story

The Corey Beantee Melton child pornography case, 2004.

Possession of child pornography.

Circumstances: Corey Beantee Melton brought his malfunctioning
home computer to Best Buy's Geek Squad for virus removal.

Incriminating evidence: After locating several viruses, the store
found them re-attaching to movies. The videos were soon identified
as child pornography and the police were contacted.

Verdict: Melton was sentenced to 10 years in prison.

Analysis Steps

To get ready for the analysis, the following are the base
requirements before starting:
• A workstation running an operating system
• A write-blocker device
• Digital forensics acquisition tool(s)
• Digital forensics analysis tool(s)
• Target drive to receive the source or suspect disk data
• Spare PATA or SATA ports
• USB ports

Analysis Steps

The common analysis steps within most cases are the following
(even though they are not the same in every case, and you might
use other steps and techniques):

Analysis Steps

1. Creating a Forensic Image:

• First start by creating a forensic image, which should be a
duplicate of the evidence; a duplicate means a bit-by-bit copy.

• Allocated, unallocated and free sectors on the source evidence
should be copied to the storage device.

Analysis Steps

Before attaching the evidence to be copied, you should ensure that
the evidence is connected to a write blocker (a device that blocks all
write operations on the acquired media); if such a device is not
available (for example, because it is too expensive) you should use
appropriate software that allows only reading and viewing of the
data and prevents alteration of the evidence (for example, a forensic
bootable disk).

Analysis Steps

It is not always about finding the evidence; in some cases the lack of
evidence is the basis for our hypothesis (or our case).

Analysis Steps: Break Story

The hypothesis in the Corcoran Group case was built on evidence
that was missing.

The Corcoran Group sold a building that had been flooded with water
during a storm. The company claimed that it had no idea about the
flood. When the case started, a forensic expert conducted an
analysis of the company's computers. The interesting thing was the
missing files and emails that should have existed. The court ruled
against the company for misleading the investigation by deleting
that evidence.

Analysis Steps

2. Image verifying:

• After finishing the copy, you should compute a hash signature for
both the original evidence and its copy, and then compare the two
hashes to ensure that the copy is an accurate duplicate of the
evidence.

• You can also (which is better) create another image and keep it as
an archive for further analysis; this will help in case you are asked
to provide more artefacts.

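The preparation, imaging and verification steps above, as an added example that is not part of the course material: a Python script that refuses to image onto a target that has not been wiped, copies every sector while hashing the source, and then re-hashes the image to confirm a bit-for-bit duplicate. The "source device" and "target disk" are constructed in-memory byte strings standing in for a raw block device behind a write blocker and the analyst's destination disk; the sector size and file names are assumptions made for the example.

```python
"""Added example (not course code): acquisition with hash verification,
run over in-memory byte strings so it works offline.

Assumptions: `source` stands in for a raw block device opened read-only
through a write blocker; `target` stands in for the analyst's destination
disk; SECTOR is the copy granularity.
"""
import hashlib

SECTOR = 512  # bytes per sector; real tools read much larger blocks


def is_wiped(target) -> bool:
    """Preparation step: the destination must be new or forensically
    wiped (all zero) so residue from another case cannot commingle with
    this image."""
    return not any(target)


def sha256_of(data: bytes) -> str:
    """Hash the original evidence (or the image) end to end."""
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes, target: bytearray) -> str:
    """Step 1: copy every sector (allocated, unallocated and free alike)
    from source into target, hashing the source bytes as they are read.
    Returns the SHA-256 of the source as seen during acquisition."""
    if len(target) < len(source):
        raise ValueError("target disk is smaller than the source evidence")
    if not is_wiped(target):
        raise ValueError("target disk is not wiped: refusing to acquire")
    h = hashlib.sha256()
    for off in range(0, len(source), SECTOR):
        chunk = source[off:off + SECTOR]
        h.update(chunk)
        target[off:off + len(chunk)] = chunk
    return h.hexdigest()


def verify_image(image: bytes, source_hash: str) -> bool:
    """Step 2: independently re-hash the image and compare with the hash
    of the original evidence. A single changed bit fails the check."""
    return sha256_of(image) == source_hash


if __name__ == "__main__":
    # Constructed 4-sector "evidence": a live file, a deleted-file remnant
    # in unallocated space, some slack bytes and one zeroed free sector.
    evidence = (b"LIVE: accounts.xlsx".ljust(SECTOR, b"\x00")
                + b"deleted: draft_letter.docx".ljust(SECTOR, b"\x00")
                + bytes(range(256)) * 2
                + bytes(SECTOR))
    target = bytearray(len(evidence))
    h_src = acquire(evidence, target)
    print("image verified:", verify_image(bytes(target), h_src))
    target[600] ^= 0x01  # simulate a one-bit alteration after acquisition
    print("after alteration:", verify_image(bytes(target), h_src))
```

The hash taken during acquisition and the hash of the finished image are computed by two separate code paths on purpose: if they agree, the copy is the duplicate the court will be told it is, and the recorded digest is what a second lab would later recompute to show the result is reproducible.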
Analysis Steps

3. Evidence Preservation:

• You should then put the original evidence back in its container, in
a safe place away from humidity, temperature extremes and other
harmful effects.

• In order to reduce the time of the analysis, you should reduce the
large amount of data to be analysed: try to remove irrelevant data,
such as OS data, events that are outside the time frame of interest,
etc.

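The data-reduction step just described, as an added example that is not from the course: a short Python routine that drops files whose hash matches a known-OS-file hash set and items outside the time frame of interest, recording why each item was dropped so the reduction is reproducible. The hash set, file paths, digests and timestamps are constructed for this example; a real hash set would come from a reference collection such as the NSRL.

```python
"""Added example (not course code): reducing the data set before analysis.

Known-file filtering and time-frame filtering, with every dropped item
recorded together with the reason, so the reduction is reproducible.
The hash set, paths and timestamps below are constructed for this example.
"""
from datetime import datetime, timezone

# Constructed hash set of known operating-system files (a real set such as
# the NSRL holds millions of entries; only membership testing matters).
KNOWN_OS_HASHES = {
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752",
}

# Constructed artefact listing: (path, sha256, last-modified time in UTC)
ARTEFACTS = [
    ("C:/Windows/System32/kernel32.dll",
     "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
     datetime(2019, 3, 1, 10, 0, tzinfo=timezone.utc)),
    ("C:/Users/suspect/Documents/accounts.xlsx",
     "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
     datetime(2021, 6, 14, 9, 15, tzinfo=timezone.utc)),
    ("C:/Users/suspect/Documents/old_notes.txt",
     "aa0bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
     datetime(2020, 1, 2, 8, 0, tzinfo=timezone.utc)),
    ("C:/Users/suspect/AppData/Local/Temp/chat.log",
     "bb0bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
     datetime(2021, 6, 15, 23, 59, tzinfo=timezone.utc)),
]

# Assumed time frame of interest for the case.
FRAME_START = datetime(2021, 6, 1, tzinfo=timezone.utc)
FRAME_END = datetime(2021, 6, 30, 23, 59, 59, tzinfo=timezone.utc)


def reduce_artefacts(artefacts, known_hashes, start, end):
    """Keep items that are neither known OS files nor outside [start, end].
    Returns (kept_paths, {dropped_path: reason})."""
    kept, dropped = [], {}
    for path, digest, mtime in artefacts:
        if digest in known_hashes:
            dropped[path] = "known OS file"
        elif not (start <= mtime <= end):
            dropped[path] = "outside time frame"
        else:
            kept.append(path)
    return kept, dropped


def run_reduction():
    """Apply the reduction to the constructed listing."""
    return reduce_artefacts(ARTEFACTS, KNOWN_OS_HASHES, FRAME_START, FRAME_END)


if __name__ == "__main__":
    kept, dropped = run_reduction()
    print("to analyse:", kept)
    for path, reason in dropped.items():
        print("dropped:", path, "->", reason)
```

Filtering by time frame relies on the file timestamps being trustworthy, which is exactly what the validation step later has to confirm; keeping the dropped list with the case notes means the reduction can be revisited if the system clock turns out to have been altered.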
Analysis Steps

4. Analysis:

• This step includes several techniques that depend on the type of
case the investigator is handling.

Analysis Steps

5. Analysis Validation:

• Any artefact you extract during the analysis should be validated to
ensure its soundness; for example, if you managed to retrieve a
deleted file you need to be sure that it is accurate and that no
commingling has happened.

Analysis Steps

Also, you need to be sure that it was not tampered with intentionally;
for example, before relying on a file's associated time and date to
determine the time of the incident, you need to be sure that the
suspect has not altered the system date!

Analysis Steps

It is not hard, even for a non-technical person, to program a
computer to send an email from a home desktop at a specific time
while they are somewhere else; so this should be verified before
using it as an artefact to determine the suspect's location.

You also need to ensure that your analysis results are repeatable
and reproducible, which means that the same result will be produced
when the evidence is tested again in the same or a different lab,
using the same or different tools and equipment.

Investigation Scope

Not all cases are the same, which means different types of cases
will require different types of investigations.

Different types of investigations have different rules and levels of
strictness too.

Investigation Scope

Internal Investigation:

• An investigation that is carried out inside an organisation,
investigating insider threats or incidents; it could also be an
employee policy violation.

• An investigator usually has to follow the organisation's guidelines
and policies during all steps of the investigation.

Investigation Scope

Examples of cases that require internal investigations are fraud, data
exfiltration and sexual harassment within the workplace.

If the investigator uncovers more dangerous problems, such as
terrorism, they have to immediately inform official law enforcement
agencies.

Investigation Scope

Civil Investigation:

• An investigation carried out to collect data regarding a case
concerning the safety of the organisation's assets, such as its
internal network, copyrights and other resources.

• It is preferable for an investigator carrying out such investigations
to have a background in law.

Investigation Scope

Here are examples of what civil investigations attempt to solve:

• Illegal access and breaches
• DoS attacks
• Malware attacks

Investigation Scope

Civil investigations are usually harder to conduct, especially within
large organisations, due to their size and complexity.

For example, in many situations the whole case might depend on the
investigator's ability to prove that a certain user was logged into the
system at a certain time.

Thus, the tools that are used within such types of investigations are
usually more sophisticated and expensive.

Crime Reconstruction

Crime Reconstruction

• Is the forensic science discipline in which one gains "explicit
knowledge of the series of events that surround the commission of
a crime using deductive and inductive reasoning, physical evidence,
scientific methods, and their interrelationships".

Crime Reconstruction

In crime reconstruction, the investigator pieces together all the
evidence and facts that were collected in order to get the full picture
of what happened.

A "full picture" includes locations, devices and events, as well as
how, when and why they were used, and the relationship between
them and the crime.

Crime Reconstruction

Inferring the existence of a relationship between two pieces of
evidence, or between a piece of digital evidence and a place or a
machine, is referred to as "relational analysis".

Knowing how a piece of evidence was used or works is referred to as
"functional analysis".

Crime Reconstruction

Finally, linking events together to get the timeline of the events that
happened is what we refer to as temporal analysis.

Another technique used by investigators when proving or disproving
a hypothesis is the Same Origin Comparison.

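Temporal analysis, as an added example that is not from the course: constructed records from a file system (naive local time), a web server log (with its own timezone offset) and a chat export (Unix epoch) are normalised to UTC and merged into one ordered timeline, the same kind of comparison the printed-letter case above depended on. The workstation timezone (UTC-5), the sources and the events are all assumptions made for the example.

```python
"""Added example (not course code): temporal analysis.

Constructed records from three sources, each with its own time format,
are normalised to UTC and merged into one ordered timeline. The
workstation timezone (UTC-5) is an assumption for the example.
"""
from datetime import datetime, timezone, timedelta

LOCAL_TZ = timezone(timedelta(hours=-5))  # assumed workstation setting

# Constructed raw records.
FS_EVENTS = [("letter.docx", "modified", "2021-06-14 09:15:00")]  # naive local time
WEB_LOG = ['10.0.0.5 - - [14/Jun/2021:14:20:31 +0000] "GET /print HTTP/1.1" 200']
CHAT_EXPORT = [{"ts": 1623680700, "from": "suspect", "text": "done"}]  # epoch, UTC


def parse_fs(rec):
    """File system MAC time: naive local time, so attach the workstation
    timezone before converting to UTC."""
    name, action, stamp = rec
    t = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    return t.astimezone(timezone.utc), "filesystem", f"{name} {action}"


def parse_web(line):
    """Common log format: the offset is carried inside the brackets."""
    stamp = line.split("[", 1)[1].split("]", 1)[0]
    t = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    request = line.split('"')[1]
    return t.astimezone(timezone.utc), "webserver", request


def parse_chat(msg):
    """Epoch seconds are UTC by definition."""
    t = datetime.fromtimestamp(msg["ts"], tz=timezone.utc)
    return t, "chat", f'{msg["from"]}: {msg["text"]}'


def build_timeline():
    """Merge all sources and sort on the normalised UTC timestamp."""
    events = [parse_fs(r) for r in FS_EVENTS]
    events += [parse_web(line) for line in WEB_LOG]
    events += [parse_chat(m) for m in CHAT_EXPORT]
    events.sort(key=lambda e: e[0])
    return [(t.isoformat(), source, desc) for t, source, desc in events]


if __name__ == "__main__":
    for when, source, desc in build_timeline():
        print(when, source.ljust(10), desc)
```

The file system record is the one to be careful with: it carries no timezone of its own, so the ordering of the whole timeline changes if the workstation's clock or timezone setting was wrong or altered, which is why the validation step checks the system date before times are relied on.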
Crime Reconstruction: Same Origin Comparison

This is where investigators try to prove or disprove that two pieces
of evidence came from the same origin.

These pieces of evidence could be images that we want to investigate
to determine whether or not they were taken by the same mobile or
digital camera, or documents that we want to know whether or not
they were created using the same computer.

Crime Reconstruction

Note that same origin is not the only type of relationship that an
investigator has to prove.

Sometimes the case requires examining whether two pieces were
altered or modified using the same tool, for example.

Crime Reconstruction - Tip

For each case, you need to follow reasonable steps in order to solve
the case:
1. Determine the type of the case that you are investigating.
• Follow a scientific approach for case solving.
• Write a detailed checklist of needed resources.
• This one is extremely important, believe me ☺
• Obtain, copy and maintain the evidence.

Challenges of Digital Evidence

The following slides mention some challenges that you may encounter
during a DF investigation.

Unfortunately, there will always be other challenges in different DF
cases.

Challenges of Digital Evidence

#1 - Legal Challenges

The first challenge that you may encounter is guaranteeing evidence
admissibility, which means acceptance of the evidence for use in
court. Start by determining the relevant evidence in order to obtain
an adequate warrant, and once you have the warrant you should
stick to what is mentioned in it, as any variation is not accepted!

Challenges of Digital Evidence

#1 - Legal Challenges

You then need to maintain and keep updating the chain of custody
(CoC) without any discontinuity, from the moment the evidence was
acquired until the case has been brought to court.

A naive practitioner may not properly label and document the
evidence found, or may not do this at all; this will cause a
discontinuity in the CoC of the evidence and thus a loss of
reliability.

Challenges of Digital Evidence

#1 - Legal Challenges

Another problem you may encounter is privacy issues; in some cases,
you cannot examine or expose all data because it contains sensitive
information.

Challenges of Digital Evidence

#1 - Legal Challenges

Acquiring the evidence sometimes isn't just a matter of plugging in
your acquisition device and starting to copy data from the target.

Sometimes you might face unsupported hardware interfaces,
unsupported operating systems, a huge storage size required, the
need to sustain the system's productivity, the installation of new
network devices, the need for remote acquisition, etc.

Challenges of Digital Evidence

#2 – Type of Digital Evidence

• Digital devices are evolving on a yearly (some even faster than
that) basis, with different operating systems.

• With that comes a huge variety of applications and file formats
used within these operating systems. Analysing each application may
require a different tool!

Challenges of Digital Evidence

#2 – Type of Digital Evidence

• Due to the diversity of technology changes, a tool or technique
used in one investigation may not work in another.

• Also, since technology is changing so rapidly, the tools used and/or
implemented for a current forensic investigation may not last or be
usable for future forensic investigations.

Challenges of Digital Evidence

#2 – Type of Digital Evidence

• Investigators are now challenged by multiple different devices
owned by the same suspect.

• Memory-only malware is another factor that makes forensic
analysis more challenging; these malicious programs load themselves
into RAM, leaving no evidence of their existence on the hard disk,
and the only solution is live analysis of the evidence. However, you
cannot always perform live analysis, as you need to sustain the
device's productivity.

Challenges of Digital Evidence

#2 – Type of Digital Evidence

People are now protecting their data using various hiding techniques,
such as encryption or steganography.

This adds another challenge for the analyst in retrieving digital
artefacts.

In some cases it may be easy to decrypt the data, but in other cases
it may take a very long time, depending on the encryption technique
the suspect has used. Fortunately, live forensics (if permitted) may
sometimes help in revealing passwords.

Challenges of Digital Evidence

#3 – Size & Distribution

The size and distribution of digital evidence may be the biggest
challenge for DF analysts, who have to analyse a huge amount of
data within a limited time frame and with limited resources!

In some cases, you may encounter such a large amount of data to
analyse that it is impossible to create a forensic image of the
evidence; in such cases, the solution is to define the most relevant
parts of the evidence to be collected, or at least the parts that help
to incriminate or exonerate the suspect. This comes with a trade-off:
you might not acquire the relevant data to be analysed.

Challenges of Digital Evidence

#3 – Size & Distribution

When speaking about devices such as RAID storage, where data is
distributed among many disks, the analysis cannot be performed
unless the RAID array is rebuilt.

Challenges of Digital Evidence

#3 – Size & Distribution

Among digital forensic challenges, Big Data comes in second place.
This environment imposes a huge volume of data, a variety of data
structures and high velocity. It also requires different acquisition,
analysis and presentation of evidence from such an environment.

Challenges of Digital Evidence

#4 – Evidence Dynamic
Alteration – Intentional or not

Evidence dynamic is defined as any effect that may change the
validity of the evidence during its life cycle.

One reason for evidence dynamic is the suspect. People are now
aware of digital investigation tools, and by surfing the Internet
anyone can learn how to hide their traces and disrupt forensic
techniques, or even destroy the evidence! Also, there is a lot of
malware developed by criminals to disguise their activities; for
example, using a wiping tool will prevent any artefact examination.

Challenges of Digital Evidence

#4 – Evidence Dynamic
Alteration – Intentional or not

Also, the devices themselves are easy to conceal.

For example, some MicroSD cards (which may hold two gigabytes of
data) are as small as a fingernail and can be hidden easily.

Challenges of Digital Evidence

#4 – Evidence Dynamic
Alteration – Intentional or not

In some cases, the victim may change the evidence; the victim may
disrupt the evidence unintentionally (as an administrator who is
trying to protect his network), or a victim may even fake evidence
to incriminate a suspect!

Even though it is rare, it is possible to encounter hardware or
software failures that result in altering the evidence, or even natural
effects such as water, fire, or ordinary corruption such as decay with
time.

A practitioner may conduct a wrong procedure, which results in
changing the evidence and losing its soundness.

Challenges of Digital Evidence

Other challenges result from new trends in malware attacks and data
hiding techniques, including:

• Botnets
• Covert channels
• Targeted attacks
• Steganography
• Organised crime
• Mobile malware
• Encryption

Major Concepts

This section covers major concepts related to digital forensics that
every investigator must understand.

Major Concepts

Commingling or Contamination:

• In a physical laboratory, putting chemical material in a vessel with
residue of other material will result in the materials mixing together,
thus becoming corrupted and invalid as evidence.

Major Concepts

The same could happen with digital evidence; while creating an
image of the evidence, make sure that the storage device you use to
copy the evidence is new or wiped, to avoid commingling evidence
from different cases together, just like what happens with chemical
materials.

Major Concepts

Copying new data to a hard disk that already contains other data may
cause the old data to be analysed as part of the new data, even if the
old data was erased.

Major Concepts

Commingling may also result from improper documentation of the
evidence; in a case where data has been collected from similar
devices, wrong documentation makes it hard to relate the evidence
to the device.

Major Concepts

Forensic soundness

• Is a term used extensively in the digital forensics community to
qualify and, in some cases, to justify the use of a particular forensic
technology or methodology.

• Many practitioners use the term when describing the capabilities of
a particular piece of software or when describing a particular
forensic analysis approach. Such a wide application of the term can
only lead to confusion.

Major Concepts

Using this common theme, in Advances in Digital Forensics,
McKemmish explores how the term "forensically sound" has been
used and examines the drivers for using such a term.

Finally, a definition of "forensically sound" is proposed and four
criteria are provided for determining whether or not a digital
forensic process may be considered to be "forensically sound".

https://link.springer.com/content/pdf/10.1007%2F978-0-387-84927-0_1.pdf

Major Concepts

Even though CSI is not a reference, some of their sayings are
applicable here.

Grissom once said, "To get to the evidence, we may destroy the
evidence."

This is because evidence is susceptible to change even from trivial
actions.

Major Concepts

For example, double-clicking on a file will ruin your evidence!!!

If the investigator opens the file (just for reading), this action will
affect the temporal property of the file, as it changes the file's last
access time.

Major Concepts

The admissibility of evidence is another term for "court acceptance".

When evidence is presented in court, it is first examined by all
parties in the court before being accepted.

Major Concepts

There are a number of factors an investigator has to take into
consideration when searching for, finding, storing, examining and
presenting the evidence; otherwise, the court won't consider the
evidence or the claim it is supporting.

The next slides cover those factors and what it means for evidence
to be admissible.

Major Concepts

In order for evidence to be admissible, it has to be relevant, reliable
and competent.

For evidence to be relevant, it has to prove or disprove a hypothesis
related to the case at hand.

Major Concepts

And, for it to be reliable, the party presenting the evidence has to
prove its authenticity and its objectivity.

Authenticity of digital evidence is usually proven by presenting the
chain of custody from the first person who collected the evidence to
the person presenting it.

Major Concepts

And, for the evidence to be objective, it has to be a proven fact, as
personal opinions and claims that can't be proved or disproved do
not constitute evidence.

Major Concepts

For the evidence to be competent, it must have been acquired
through legal means.

It also must not violate the confidentiality of information protected
by law or the constitution.

Major Concepts

Most of the points mentioned before are legal issues.

From a technical point of view, the most crucial point for evidence
admissibility is authenticity.

Major Concepts

Evidence acceptance in court depends on:

• Credibility of the scientific method used in the analysis
• Qualifications/expertise of the investigator
• Reproducibility: repeating the analysis gives the same result

Major Concepts

Chain of custody

• It is a form that is used to keep track of the evidence from the time
it was acquired until the completion of the analysis (the case is
closed or the evidence is presented in court).

Major Concepts

The chain of custody contains information such as:

• What is the evidence?
• How was the evidence acquired?
• When was the evidence acquired?
• Who acquired the evidence?
• Where was the evidence stored?
• And any other action that was performed on the evidence.

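The chain-of-custody form just described, as an added example that is not from the course: a Python record that stores the what/how/when/who/where for every transfer and checks the chain for the discontinuities the legal-challenges slides warned about, such as a custodian releasing an exhibit they never signed for, or the exhibit hash changing between entries. The exhibit, the names, the places and the timestamps are all constructed.

```python
"""Added example (not course code): a chain-of-custody (CoC) record with a
continuity check. Exhibit, names, places and times are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed: hash of the exhibit image as recorded at seizure.
EXHIBIT_HASH = hashlib.sha256(b"constructed exhibit image bytes").hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    exhibit_id: str             # what
    action: str                 # how: seized / transferred / imaged / ...
    when: str                   # when, ISO 8601 in UTC
    released_by: Optional[str]  # who handed it over (None at seizure)
    received_by: str            # who took custody
    location: str               # where
    exhibit_sha256: str         # hash of the exhibit at this point


def check_chain(entries: List[CustodyEntry]) -> List[str]:
    """Return the discontinuities found; an empty list means the chain
    is unbroken. Entries are expected in chronological order."""
    problems = []
    holder = None      # current custodian
    digest = None      # hash recorded at the previous entry
    last_when = ""
    for i, e in enumerate(entries):
        if e.when < last_when:
            problems.append(f"entry {i}: out of chronological order")
        last_when = e.when
        if i == 0:
            if e.released_by is not None:
                problems.append("entry 0: first entry must be the seizure")
        elif e.released_by != holder:
            problems.append(f"entry {i}: released by {e.released_by!r} "
                            f"but current custodian is {holder!r}")
        if digest is not None and e.exhibit_sha256 != digest:
            problems.append(f"entry {i}: exhibit hash changed")
        holder = e.received_by
        digest = e.exhibit_sha256
    return problems


def sample_chain() -> List[CustodyEntry]:
    """A continuous, constructed chain from seizure to the lab."""
    return [
        CustodyEntry("EX-01", "seized", "2021-06-15T08:00:00Z", None,
                     "Det. A", "suspect residence", EXHIBIT_HASH),
        CustodyEntry("EX-01", "transferred", "2021-06-15T11:30:00Z", "Det. A",
                     "Lab intake", "evidence store", EXHIBIT_HASH),
        CustodyEntry("EX-01", "imaged", "2021-06-16T09:00:00Z", "Lab intake",
                     "Analyst B", "forensic lab", EXHIBIT_HASH),
    ]


def broken_chain() -> List[CustodyEntry]:
    """The same chain plus an entry in which Analyst C, who never signed
    for the exhibit, hands it to the court, and the hash no longer
    matches the one recorded at seizure."""
    return sample_chain() + [
        CustodyEntry("EX-01", "presented", "2021-06-20T10:00:00Z", "Analyst C",
                     "Court clerk", "courtroom", "0" * 64),
    ]


if __name__ == "__main__":
    print("intact chain:", check_chain(sample_chain()) or "no problems")
    for problem in check_chain(broken_chain()):
        print("broken chain:", problem)
```

Carrying the exhibit hash on every entry ties the paper trail to the bit-for-bit image: a gap in custodians shows who cannot account for the evidence, and a changed hash shows that what is being presented is no longer what was seized.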
Major Concepts

When reading digital evidence, the tool tells us what artefacts it has
found; we never see the real data first-hand, what we see is the
tool's representation of the data!

The evidence never lies, and that's true, but do you trust the tool
you have to tell you the right story?

Are you sure that the tool you have has no bugs and works correctly
in every case?

Major Concepts

Right answer: tools will not always tell us the truth!

This is not because of wrong procedures, but because of the
abstraction layer issue.

Major Concepts

Misunderstanding computer functionality, or how tools apply an
abstraction layer to process data, will make it difficult for you to
understand the results of your analysis and the artefacts you have;
this will make it hard to explain the results in court, or lead to an
incorrect interpretation of the evidence.

Major Concepts

Abstraction layer

• Abstraction layer issues arise from the fact that the actual data is
stored in digital devices in its raw format (bits), which is very
difficult for humans to read; that is why we use tools to interpret
this raw data into a structure that is easily read by humans.

Major Concepts

To avoid this problem, when you choose or are going to build a tool,
you should understand the input, the output and the rule set
employed in the layer of abstraction used by this tool.

Major Concepts

An example of a tool that uses an abstraction layer to represent data is
the packet analyser.

At the raw level, packets travel as a sequence of bits. The packet
analyser applies the rule set defined by the network protocol standards
(the RFCs) as its abstraction layer and translates those bits back into
the value of each protocol field, reassembling the packets.
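To make the input/rules/output model concrete, here is an added example (not code from the original slides) of the smallest possible packet analyser: twenty raw bytes go in, the RFC 791 IPv4 header layout is the rule set, and named fields come out. The header bytes are constructed for the example (the checksum field was computed for exactly these bytes). The same function can be told to apply the wrong rule set (little-endian instead of network byte order), which shows how a layer with wrong rules still produces a confident, plausible-looking, wrong answer, while a one-byte corruption of the raw data is caught by recomputing the checksum over the physical bytes.

```python
"""Added example, not from the original slides: a tiny packet analyser that
applies the RFC 791 rule set to 20 raw bytes and turns them into named IPv4
header fields. The header bytes are constructed for the example; the checksum
field was computed for exactly these bytes.
"""
import struct
from typing import Dict

# Constructed 20-byte IPv4 header, no options:
# version 4, IHL 5, TOS 0, total length 40, ID 0x1c46, DF set, offset 0,
# TTL 64, protocol 6 (TCP), checksum 0x9c71, 192.168.0.1 -> 192.168.0.199
RAW_IPV4_HEADER = bytes.fromhex(
    "4500 0028 1c46 4000 4006 9c71 c0a8 0001 c0a8 00c7"
)
# Same header with the TTL byte (offset 8) changed from 0x40 to 0x3f.
CORRUPTED_HEADER = RAW_IPV4_HEADER[:8] + b"\x3f" + RAW_IPV4_HEADER[9:]


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. Over a header whose
    checksum field is correct the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(raw: bytes, byte_order: str = "!") -> Dict[str, object]:
    """Apply the IPv4 rule set to raw bytes. byte_order "!" is the correct
    network (big-endian) order from RFC 791; "<" deliberately applies the
    wrong rule set so the distortion can be seen."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _checksum,
     src, dst) = struct.unpack(byte_order + "BBHHHBBH4s4s", raw[:20])
    ihl_bytes = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "header_length": ihl_bytes,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        # Check on the physical layer: recompute the checksum over the raw
        # header bytes, independent of how the fields above were interpreted.
        "checksum_ok": ihl_bytes <= len(raw) and internet_checksum(raw[:ihl_bytes]) == 0,
    }


if __name__ == "__main__":
    correct = parse_ipv4_header(RAW_IPV4_HEADER)
    wrong = parse_ipv4_header(RAW_IPV4_HEADER, byte_order="<")
    damaged = parse_ipv4_header(CORRUPTED_HEADER)
    for key in ("total_length", "identification", "dont_fragment", "checksum_ok"):
        print(f"{key:15} RFC 791: {correct[key]!r:8} wrong rules: {wrong[key]!r}")
    print("corrupted raw bytes -> checksum_ok =", damaged["checksum_ok"])
```

Note what each check can and cannot see: the wrong-rule-set parse reports a total length of 10240 bytes, which no link would carry, and that implausibility is the only hint that the layer is lying, because the checksum over the raw bytes is still valid. Conversely, a damaged byte is invisible at the field level (TTL simply reads 63) but fails the physical-layer checksum. That is why the evidence is examined on both layers.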

Major Concepts

Usually, computer users don't deal with the physical data. Meaning, they
don't look at the electric pulses on the cables or examine physical bits
on the hard disk platter directly.

Instead, they deal with the presentation layer provided by the operating
system.

Major Concepts

Forensic investigations are a different story, however.

Investigators have to deal with both the data representation presented by
the tools they are using, which is based on the presentation layer
provided by the OS, and the physical layer, which the OS usually hides
from users.

Major Concepts

The input of an abstraction layer is the raw data plus translation rules
which describe the structure of the data or how to process it.

Major Concepts

The abstraction layer uses the given translation rules to interpret the
data into another form. The output of one abstraction layer can become
the input of another layer of abstraction, or be the final result,
depending on the type of data being processed.

Also, each abstraction layer introduces its own margin of error or
distortion.

Major Concepts

Another example of an abstraction layer is the text editor, such as
Notepad.

On the disk, the file is a series of zeros and ones. By applying the
ASCII abstraction layer, each group of eight consecutive bits (one byte)
is translated to its corresponding character, and the text file is viewed
as a series of letters, numbers and symbols.

Major Concepts

If the output of the ASCII layer is an HTML document, then the ASCII
layer is the first layer, and the HTML document can be fed to a second
layer, such as a web browser, which uses the document and the HTML
specification to produce a formatted page.

Major Concepts

Problems with abstraction layer translation may result from programming
errors or from using the wrong rule set.

For example, if the analyst is searching for JPG files using a tool that
works by looking at file extensions, searching by extension alone will
not be sufficient, because it is easy for the suspect to change the
extension of a file.

Major Concepts

To mitigate errors resulting from abstraction layer translation, you
either need to use multiple tools to verify analysis results, or analyse
the data both before and after the abstraction layer is applied, which
is harder.

In the image example, you should validate your analysis by using a tool
that finds image files by their file signature rather than their
extension.

Major Concepts

For many reasons, such as software bugs or the developers' misunderstanding
of the underlying technology, tools might suffer from defects which affect
the accuracy of the results they present.

This is why it is always recommended to examine the evidence on both
layers and to run multiple tools to verify that their output is consistent.

Major Concepts

An example of presentation layer vs physical layer would be file
examination.

Say we are looking for pictures on a machine. The traditional way is to
look for files with JPEG, JPG or any other image extension.

Major Concepts

However, what if the picture we're looking for has been renamed with
another extension (e.g. MP9)?

Looking at the presentation layer won't help us, and we need to look at
a lower level (the file's header and magic number) to be able to find
our target file.
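The renamed-picture case above, and the earlier advice to validate an extension search with a signature-based tool, are both served by this added example (not code from the original slides). It answers the "what is this file?" question twice, once from the name (presentation layer) and once from the first bytes (physical layer), flags every file where the two answers disagree, and, going one step further than the slide, carves JPEG candidates out of a raw byte blob such as unallocated space, where there is no file name to consult at all. The signatures are the published ones for JPEG, PNG and GIF; the file names and contents are constructed for the example (the JPEG bytes carry valid markers but are not a decodable picture).

```python
"""Added example, not from the original slides: compare what the presentation
layer says about a file (its extension) with what the physical layer says (the
signature, or magic number, in its first bytes), and carve JPEG candidates out
of a raw byte blob where no file name exists. File names and contents below are
constructed for the example.
"""
import os
from typing import Dict, List, Optional

# (offset, magic bytes) per type; a type may have several accepted signatures.
SIGNATURES = {
    "jpeg": [(0, b"\xff\xd8\xff")],
    "png":  [(0, b"\x89PNG\r\n\x1a\n")],
    "gif":  [(0, b"GIF87a"), (0, b"GIF89a")],
}
EXTENSION_MAP = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}

JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def type_by_extension(name: str) -> Optional[str]:
    """Presentation layer: trust the name the suspect chose."""
    return EXTENSION_MAP.get(os.path.splitext(name)[1].lower())


def type_by_signature(data: bytes) -> Optional[str]:
    """Physical layer: look at the bytes themselves."""
    for kind, entries in SIGNATURES.items():
        for offset, magic in entries:
            if data[offset:offset + len(magic)] == magic:
                return kind
    return None


def triage(files: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Run both layers over every file and flag where they disagree."""
    report = []
    for name, data in files.items():
        by_ext, by_sig = type_by_extension(name), type_by_signature(data)
        report.append({"name": name, "by_extension": by_ext,
                       "by_signature": by_sig, "mismatch": by_ext != by_sig})
    return report


def carve_jpegs(blob: bytes) -> List[bytes]:
    """Find SOI..EOI spans in a blob (e.g. unallocated space) with no file
    system metadata to rely on. Naive: embedded thumbnails are not handled."""
    found, pos = [], 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append(blob[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


# Constructed sample contents.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 16 + b"\xff\xd9"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
SAMPLE_FILES = {
    "holiday.jpg": JPEG_SAMPLE,        # extension and bytes agree
    "report.mp9": JPEG_SAMPLE,         # picture renamed to a bogus extension
    "logo.png": PNG_SAMPLE,
    "fake.jpg": b"just some text\n",   # image extension, not an image
    "notes.txt": b"meeting at 10\n",
}

if __name__ == "__main__":
    for row in triage(SAMPLE_FILES):
        flag = "MISMATCH" if row["mismatch"] else "ok"
        print(f"{row['name']:12} ext={row['by_extension']!s:5} "
              f"sig={row['by_signature']!s:5} {flag}")
    blob = b"\x00" * 32 + JPEG_SAMPLE + b"\xde\xad" * 8 + JPEG_SAMPLE
    print("carved", len(carve_jpegs(blob)), "JPEG candidate(s) from raw blob")
```

A mismatch is a finding in both directions: an image with a bogus extension is the renamed picture from the slide, and a ".jpg" whose bytes are not an image is a file the extension-based tool would have reported as a picture and a viewer would have refused to open. Running the two layers side by side is exactly the "multiple tools" cross-check recommended earlier.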

Major Concepts - Tips

Artefacts resulting from analysis, even incriminating evidence, may be
ruled inadmissible if gathered without a warrant that covers this type of
evidence.

However, this does not hold in all cases; you should be familiar with
your country's law or, at the least, check with an attorney.

Major Concepts – Break Story

In one case, upon searching the suspect's computer, the investigator
found a video file that incriminated the suspect.

In court this evidence was dismissed: the defence attorney argued that
the warrant used by the investigator covered only text files on the
suspect's computer! [US LAW]

Major Concepts

You can't use the same solution for every digital investigation. Each
case will require different steps, depending on your suspect's mentality
and his or her computer skills.

You need to be aware of new techniques and methods suspects may use.

Conclusion

This is just the end of the beginning. By now, you should have sufficient
knowledge about DF analysis: you can identify relevant types and sources
of digital evidence, you know to rely only on facts and to follow
scientific procedures during DF analysis, and you know what problems you
may encounter and how to benefit from analysis tools!
