
Dr. Zunera Jalil
Email: zunera.jalil@mail.au.edu.pk
Your Previous Home Task

• https://www.journals.elsevier.com/forensic-science-international-digital-investigation
• https://link.springer.com/chapter/10.1007/978-981-15-1480-7_20
• https://www.nist.gov/news-events/news/2020/06/nist-digital-forensics-experts-show-us-what-you-got
• https://www.computer.org/publications/tech-news/research/digital-forensics-security-challenges-cybercrime
• www.nr3c.gov.pk
• www.fbi.gov
Digital Forensics

Preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis using well-defined methodologies and procedures.

Methodology:
 Acquire the evidence without altering or damaging the original.
 Authenticate that the recovered evidence is the same as the original seized.
 Analyze the data without modifying it.
Cyber Attacks in Top 10 Risks (WEF Report 2020)

Cyberattacks are one of the top 10 global risks of highest concern in the next decade, according to a new report from the World Economic Forum (WEF), with an estimated price tag of $90 trillion if cyber security efforts do not keep pace with technological change.

Cyberattacks rank No. 1 in dangers of digital innovation

https://guardian.ng/technology/cfin-seeks-partnership-in-implementation-of-cybercrime-act/
https://reports.weforum.org/global-risks-report-2020/wild-wide-web/
90% of All Criminal Cases Have One Form of Electronic Evidence or the Other

https://guardian.ng/technology/cfin-seeks-partnership-in-implementation-of-cybercrime-act/
Digital Forensics Market to Hit 4.8 Billion USD in Revenues by 2020

Source(s): http://www.arma.org/r1/news/newswire/2016/03/22/digital-forensics-to-grow-to-$4.8-billion-by-2020


Definition

• The growth of the Internet and the worldwide proliferation of computers have increased the need for digital investigations.
• Computers can be used to commit crimes, and crimes can be
recorded on computers, including company policy violations,
embezzlement, e-mail harassment, murder, leaks of
proprietary information, and even terrorism.
• Law enforcement, network administrators, attorneys, and
private investigators now rely on the skills of professional digital
forensics experts to investigate criminal and civil cases.
Definition (continued)

 The definition of digital forensics has also evolved over the years from simply involving “securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases”
 to the “application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence (that is stored or transmitted in binary form) after proper search authority, chain of custody, validation with mathematics (hash function), use of validated tools, repeatability, reporting and possible expert presentation”

(“Commentary: Defining Digital Forensics,” Forensic Magazine, 2007).


Digital Forensics (NIST)
In the National Institute of Standards and Technology (NIST) document “Guide to Integrating Forensic Techniques into Incident Response” (http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf, 2006) digital forensics is defined as:

“the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.”
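The methodology slide (acquire without altering, authenticate against the original, analyze without modifying) and the “validation with mathematics (hash function)” and chain-of-custody requirements in the definitions above come down to one check in practice. The following is an added example, not code from the lecture: it hashes a constructed stand-in for a disk image at seizure, re-hashes each working copy, and logs every hand-over; the item id and examiner names are made up.

```python
"""Authenticating an acquired image against the hash taken at seizure, with a
chain-of-custody log. Added example, not from the lecture: the evidence bytes,
item id and examiner names are constructed."""
import hashlib
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large image need not fit in memory

def hash_image(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of an evidence image."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for start in range(0, len(view), CHUNK):
        h.update(view[start:start + CHUNK])
    return h.hexdigest()

def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def seize(data: bytes, item_id: str, examiner: str) -> dict:
    """Hash the original at seizure; every later step is checked against this value."""
    return {"item": item_id, "algorithm": "sha256", "seizure_hash": hash_image(data),
            "custody": [{"action": "seized", "by": examiner, "at": _now()}]}

def verify(data: bytes, record: dict, examiner: str, action: str) -> bool:
    """Re-hash the copy in hand, append a custody entry, and report whether it
    still matches the original. A mismatch means the copy cannot be presented
    as the seized evidence, whatever the cause."""
    current = hash_image(data, record["algorithm"])
    ok = current == record["seizure_hash"]
    record["custody"].append({"action": action, "by": examiner, "at": _now(),
                              "hash": current, "verified": ok})
    return ok

# Constructed stand-in for a raw disk image (a few KiB instead of gigabytes).
ORIGINAL = b"\x00" * 4096 + b"constructed file system data" + b"\xff" * 4096

if __name__ == "__main__":
    record = seize(ORIGINAL, "ITEM-001", "examiner A")
    print("working copy intact:", verify(bytes(ORIGINAL), record, "examiner B", "imaged"))
    altered = bytearray(ORIGINAL)
    altered[4100] ^= 0x01                      # one flipped bit in the working copy
    print("altered copy intact:", verify(bytes(altered), record, "examiner B", "analysed"))
    for entry in record["custody"]:
        print(entry)
```

The custody list is the record an examiner would produce alongside the image; the final entry shows the altered copy failing verification while the intact copy passes.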
Definition (continued)

 Digital Forensics is a branch of Forensic Science about the Recovery, Reconstruction and Investigation of Material found in Digital Devices
 Procedures for a legal purpose involving the analysis of digital evidence with Validated Tools after proper Search Authority, Chain of Custody, Reporting, and possible Expert Presentation
 The field of digital forensics can also encompass items such as research and incident response. With incident response, most organizations are concerned with protecting their assets and containing the situation.
Digital Forensics Domains
Areas of Analysis
Why Use Computer Forensics?

 Criminal Prosecutors
 Rely on evidence obtained from a computer to prosecute suspects and use as evidence
 Civil Litigations
 Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases
 Insurance Companies
 Evidence discovered on a computer can be used to reduce costs (fraud, worker’s compensation, arson, etc.)
Why Use Computer Forensics? (continued)

 Private Corporations
 Evidence obtained from employee computers can be used as evidence in harassment, fraud, and embezzlement cases
 Law Enforcement Officials
 Rely on computer forensics to back up search warrants and post-seizure handling
 Individual/Private Citizens
 Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment
Types of Forensics Requests

INTRUSION ANALYSIS
• Who gained entry?
• What did they do?
• When did this happen?
• How did they do this?

DAMAGE ASSESSMENT
• What was available for the intruder to see?
• What did he take?
Types of Forensics Requests (continued)

TOOL ANALYSIS
• What tools were used?
• How were they executed?

LOG FILE ANALYSIS
• What events were monitored?
• Firewall / router / server log files?

EVIDENCE SEARCH
• Deleted files
• Hidden files, encrypted files
• Known remote access tools
• Hidden partitions
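The intrusion-analysis and log-file-analysis questions above can be worked from ordinary server logs. The following is an added example, not from the lecture: it parses constructed syslog-style SSH and sudo lines (documentation addresses, made-up host and user names) and answers who gained entry, when, how, and what they did afterwards; attributing sudo commands to the most recent open SSH session is an assumption of the example, not something the log itself guarantees.

```python
"""Working the intrusion-analysis questions (who, when, how, what) from server
log lines. Added example, not from the lecture: the log lines are constructed
and sudo commands are attributed to the most recent open session (assumption)."""
import re

SAMPLE_LOG = """\
Mar 10 02:14:07 srv1 sshd[4021]: Failed password for root from 203.0.113.5 port 51422 ssh2
Mar 10 02:14:09 srv1 sshd[4021]: Failed password for root from 203.0.113.5 port 51422 ssh2
Mar 10 02:14:12 srv1 sshd[4021]: Accepted password for root from 203.0.113.5 port 51422 ssh2
Mar 10 02:15:40 srv1 sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/data.tgz /srv/customers
Mar 10 02:16:02 srv1 sshd[4021]: Received disconnect from 203.0.113.5 port 51422:11: disconnected by user
Mar 10 08:30:15 srv1 sshd[5100]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
SUDO = re.compile(r"COMMAND=(?P<cmd>.*)$")

def parse(log_text: str) -> list:
    """Turn syslog-style lines into event dicts; lines that do not parse are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        auth, sudo = AUTH.match(ev["msg"]), SUDO.search(ev["msg"])
        if auth:
            ev.update(auth.groupdict())
        elif sudo:
            ev["cmd"] = sudo.group("cmd")
        events.append(ev)
    return events

def intrusion_summary(events: list) -> dict:
    """Per source address: who logged in, when, by what method, how many failures
    preceded the success (the 'how'), and which privileged commands followed (the 'what')."""
    failures, summary, session = {}, {}, None
    for ev in events:
        if ev.get("result") == "Failed":
            failures[ev["ip"]] = failures.get(ev["ip"], 0) + 1
        elif ev.get("result") == "Accepted":
            session = ev["ip"]
            summary[session] = {"user": ev["user"], "when": ev["ts"], "how": ev["method"],
                                "failures_before": failures.get(ev["ip"], 0), "actions": []}
        elif "cmd" in ev and session:
            summary[session]["actions"].append(ev["cmd"])
        elif "disconnect" in ev["msg"]:
            session = None
    return summary
```

Run `intrusion_summary(parse(SAMPLE_LOG))` to get one entry per source address; the failed attempts counted before the accepted login and the sudo command that follows it are what answer “how did they do this” and “what did they do”.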
Types of Digital Investigations

Two categories:

• Public-sector investigations involve government agencies responsible for criminal investigations and prosecution.
• The law protects the rights of people, including people suspected of crimes; as a digital forensics examiner, you must follow these laws.

• Private-sector investigations focus more on policy violations, such as not adhering to Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. However, criminal acts, such as corporate espionage, can also occur.
• Private-sector investigations often start as civil cases but can develop into criminal cases; likewise, a criminal case can have implications leading to a civil case.
Computer Crimes
Following Legal Process

• When conducting a computer investigation for potential criminal violations of the law, the legal processes you follow depend on local custom, legislative standards, and rules of evidence.
• A criminal case follows three stages: the complaint, the investigation, and the prosecution.
• Someone files a complaint, and then a specialist investigates the complaint and, with the help of a prosecutor, collects evidence and builds a case. If the evidence is sufficient, the case might proceed to trial.
• A criminal investigation generally begins when someone finds evidence of or witnesses an illegal act. The witness or victim makes an allegation to the police, an accusation of fact that a crime has been committed.
Private Sector Investigations

• Private-sector investigations involve private companies and lawyers who address company policy violations and litigation disputes, such as wrongful termination.

• When conducting an investigation for a private company, the business must continue with minimal interruption from the investigation. Businesses also strive to minimize or eliminate litigation, which is an expensive way to address criminal or civil issues.

• Private-sector computer crimes can involve e-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage, which involves selling sensitive or confidential company information to a competitor. Anyone with access to a computer can commit these crimes.
How to Avoid Violations?

• One way that businesses can reduce the risk of litigation is to publish and maintain policies that employees find easy to read and follow. In addition, these policies can make internal investigations go more smoothly.

• The most important policies are those defining rules for using the company’s computers and networks; this type of policy is commonly known as an “acceptable use policy.” Organizations should have all employees sign this acceptable use agreement.

• Published company policies also provide a line of authority for conducting internal investigations; they state who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.
Digital Investigation Process
Identification

• The first step is identifying evidence and potential containers of evidence

• More difficult than it sounds
 Small scale devices
 Non-traditional storage media
 Multiple possible crime scenes
Sources of Evidence???
Sources of Evidence
Device Identification
Evidence Collection

• Care must be taken to minimize contamination
• Collect or seize the system(s)
• Create forensic image
Live or static?
Do you own the system?
What does your policy say?
Evidence Collection

• Take detailed photos and notes of the computer / monitor
 If the computer is “on”, take photos of what is displayed on the monitor – DO NOT ALTER THE SCENE
 Make sure to take photos and notes of all connections to the computer/other devices
Digital Forensics 4-Step Process
1. Acquisition
Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices

2. Identification
This step involves identifying what data could be recovered and electronically retrieving it by running various computer forensic tools and software suites

3. Evaluation
Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court

4. Presentation
This step involves the presentation of evidence discovered in a manner which is understood by lawyers and non-technical staff/management, and suitable as evidence as determined by United States and internal laws
Digital Investigation Process
Cybercrimes
Definition

Cybercrime is criminal activity that either targets or uses a computer, a computer network or a networked device.
[Kaspersky]

Most cybercrime falls under two main categories:

• Criminal activity that targets computers
• Criminal activity that uses computers to commit other crimes
Examples of Cyber crimes
• Email and internet fraud.
• Identity fraud (where personal information is stolen and used).
• Theft of financial or card payment data.
• Theft and sale of corporate data.
• Cyberextortion (demanding money to prevent a threatened
attack).
• Ransomware attacks (a type of cyberextortion).
• Cryptojacking (where hackers mine cryptocurrency using
resources they do not own).
• Cyberespionage (where hackers access government or
company data).
Challenges in Cybercrime Investigations

• Speed: crime rate vs. investigation rate
• Anonymity (new forms of attacks and ways emerging)
• Volatile nature of evidence (logs, radio signals, etc.)
• Evidence size and complexity (data on servers, distributed, formats)
• Difference in laws (domestic vs. international/organized crimes)
• Legal/technical understanding
Home Task

Learn Python
Home Task (continued)

Reading Handouts: Guide to Integrating Forensic… Approx. 15 pages

- Install Python 3.7 on your laptops.
- Go through the tutorial at https://www.youtube.com/playlist?list=PLBZBJbE_rGRWeh5mIBhD-hhDwSEDxogDg
- Learn about and explore:
• PyCharm (a Python IDE)
• IPython (a better interactive shell for Python than the default interpreter)
• Jupyter (a browser-based interactive programming environment for Python and many other languages)
• PyDev (an Eclipse plugin for Python development)
ANY QUESTIONS
