Digital Forensics
Course Logistics / Contents Preview

1. Course Logistics
2. Contents Primer
3. Cyber Threat Reports
4. Autopsy

All rights reserved
Digital Forensics- Riphah International University 2

Basics Concepts
• Forensic - a Latin term
  – refers to a set of scientific techniques for the investigation of crimes
  – The words 'forensic' and 'legal' are synonyms
• Forensic science
  – the application of science to criminal and civil laws, mainly on the criminal side, during criminal investigation, as governed by the legal standards of admissible evidence and criminal procedure

Basics Concepts
• Forensic science has been in practice for more than a century
  – William Herschel advocated the use of fingerprints for criminal identification in 1858
  – Use of DNA in forensic science was first introduced, by Alec Jeffreys, in 1984
  – The 21st century was revolutionary in terms of forensic science
  – https://www.softschools.com/timelines/forensic_science_timeline/99/
  – https://en.wikipedia.org/wiki/Digital_forensics

Basics Concepts
• Forensic science has several sub-divisions
  – Bloodstain pattern analysis – (watch Dexter – TV show)
  – Computational forensics – forensic algorithms and software
  – Digital forensics – the focus of this course
  – Forensic accounting – study/interpretation of accounting evidence
  – Forensic aerial photography – study and interpretation of aerial photographic evidence
  – Forensic archaeology – combination of archaeological techniques and forensic science
  – The list goes on!

https://en.wikipedia.org/wiki/Forensic_science
https://ifflab.org/branches-of-forensic-science/
https://aafs.org/Home/Resources/Students/Types.aspx

Course Logistics
• Reference Books
  – Text Book 1: Guide to Computer Forensics and Investigations, Digital Evidence Processing, 6th Edition
    • Bill Nelson et al., 2019
  – Supporting Book: Learn Computer Forensics
    • Packt Publishing, 2020
  – Text Book 2: File System Forensic Analysis
    • Brian Carrier, Addison Wesley Professional, 2008
  – Supporting Book: Practical Windows Forensics
    • Packt Publishing, 2016
  – Text Book 3: Digital Evidence and Computer Crime, Elsevier, Eoghan Casey et al.
  – Lab Work: Text Book 1 and CHFI
  – Instructor's email: tariq.khan@riu.edu.pk
  – Course TA: Mr. Shehab

Marking Scheme - Tentative
• Marks Distribution
  – Attendance (5%)
  – Assignments (20%)
  – Quiz (10%)
  – Course Project (15%)
  – Midterm (20%)
  – Final exam (30%)

Note: subject to change

Course Preview

What I expect? Pre-requisites
• Basic concepts of Operating Systems, File Systems, and basics of the digital world (bits, bytes, number systems, etc.)
• No programming experience is required
  – But programming skills will help you in understanding different concepts
• Cybersecurity concepts are helpful
• . . . brain and curiosity ;-)

Contents Primer – Lecture 2
• Introduction
  – Digital Forensics: history, definition and background
  – Uses of digital forensics – potential areas of application
    • From cybercrimes to social & administrative conflicts
  – The basic elements of a Digital Forensic Process
    • Search Authority / warrant, Chain of Custody, Imaging/Hashing, Validated Tools, Analysis, Repeatability (Quality Assurance), Reporting, Possible Expert Presentation

Contents Primer – Lecture 3
• Evidence Collection
  – Data Image Formats
    • Raw format, Proprietary formats, Advanced Forensic Formats
    • Proprietary formats for commercial tools
  – Data Acquisition Methods
    • Static vs Live Acquisitions
  – Validating the evidence
  – Understanding RAID & data acquisition from RAID drives

Contents Primer – Lecture 4
• Crime Scene Processing
  – Evidence – definition and types
    • Testimonial, documentary, demonstrative, physical evidence, etc.
  – Rules of evidence
    • Best evidence rule and FRE (USA)
  – Corporate and criminal scenes
  – Securing and processing a crime scene
  – Digital evidence searching

Contents Primer – Lecture 5
• System Boot Sequence
  – BIOS vs UEFI
• Hard Disk Geometry & Other Storage Devices
• Understanding Windows Partitions
  – Partitions & Partition Tables

Contents Primer – Lecture 6
• Windows Filesystem Analysis - FAT
  – FAT Boot Sector configuration
  – Understanding the FAT Area & Data Area
  – FAT disk allocation units & Directory Entries
  – Anatomy of file creation / deletion on a FAT disk

Contents Primer – Lecture 7 & 8
• NTFS File System Analysis
  – NTFS History
  – NTFS Disks – Boot Sector Analysis
  – Master File Table (MFT) – the heart of NTFS
    • MFT Entry Layout
    • File attributes
    • MFT structures and file data
    • Metadata files

Contents Primer – Lecture 9
• Windows Registry Forensics
  – Registry terminology
    • Keys, sub-keys, values, etc.
  – Registry key hierarchy
  – Forensic value of the Windows Registry

Contents Primer – Lecture 10/11
• Network Forensics
  – Introduction and challenges
  – Network devices
  – Network evidence collection
    • Passive & Active techniques
  – Network Evidence Analysis

Contents Primer – Lecture 12
• Email & Social Media Forensics
  – Importance of Email Artifacts
  – Understanding email headers
  – Email clients & servers
  – Social Media forensics

Contents Primer – Lecture 13
• Smartphone Forensics
  – Types of artifacts in smartphones
  – Challenges in smartphone forensics
  – Smartphone memory basics
    • SIM card
    • Phone memory
  – Evidence collection & analysis

Contents Primer – Lecture 14 / 15
• Memory Forensics
  – Process and Memory Management
  – Memory data structures
  – Windows Memory Forensics
    • Processes, handles and tokens
    • Process memory internals
    • Hunting malware in process memory

Contents Primer – Lecture 16
• Anti-Forensics
  – Throw-away Bootable Drives
  – Disk Wiping
  – Packing & Encryption
  – TOR, Anonymous Browsing

Skills of a Digital Forensic Analyst

Skills of a Digital Forensics Expert
• Analytical talent – the most important skill
• Anyone in an investigative role must have the analytical skills
  – to piece together information and solve the case
  – High speed of analytical thinking and precise observation skills
  – The ability to find patterns and make correlations is crucial in the investigation process

Skills of a Digital Forensics Expert
• Computer science / tech skills
• A deep understanding of the technology is compulsory
  – It all boils down to the hardware / software internals
• Having experience in the computer science area is a pre-requisite for transitioning to the area of digital forensics

Skills of a Digital Forensics Expert
• Understanding of cybersecurity
  – The field of digital forensics is all about solving cybercrimes
  – It's impossible to guard against data breaches without knowing the techniques being used to target systems
  – It also helps in preventing crimes
    • Many of the famous forensics examiners come from the cybersecurity area

Skills of a Digital Forensics Expert
• Self-Organization
  – Being extremely organized and thorough is a must
    • Documentation of your findings is necessary, as they might be presented to attorneys and judges

Skills of a Digital Forensics Expert
• Communication skills
  – The team and the people you work with need to know the proceedings
    • You must be able to communicate
  – Must have strong speaking and writing skills

Any Questions?

High Profile Forensic Cases

Case 1 – Kidnapping of Alicia
• 2002 Scott Tyree
  – On January 1st, 2002, Scott Tyree kidnapped and imprisoned a 13-year-old girl, Alicia Kozakiewicz
  – Tyree aired the video via Yahoo IM, which was noticed by a man who informed the FBI
    • He provided the Yahoo screen name of the person who had sent the IM: "masterforteenslavegirls"
  – FBI investigators contacted Yahoo to obtain the IP address and recovered the girl – Tyree was arrested

http://www.aliciaproject.org/about-alicia-kozakiewicz.html

Case 2 – BTK
• 2005 Dennis Rader --- the "BTK" serial killer
  – Played with police for more than 30 years
  – Used to send messages to the police via newspapers
    • He asked whether it would be safe if he put everything on a floppy disk; the police replied positively
  – The file's metadata contained the name "Dennis" as the last person to modify the deleted file, and a link to the Lutheran Church

https://en.wikipedia.org/wiki/Dennis_Rader

Case 3 – Murder of Wife
• Matt Baker
  – Kari Baker, wife of Matt, died of a sleeping pill overdose
    • The court determined that her death was a suicide
    • Kari's family suspected that her husband, Matt, was really responsible for her death
  – Computer forensics analysis of Matt's computer revealed his browsing history
    • He had searched online for information about sleeping pills
  – A witness testified that Matt Baker had, in fact, murdered his wife
• https://en.wikipedia.org/wiki/Deadly_Little_Secrets
• https://www.iigpi.com/5-cases-cracked-with-digital-forensics/46/2821/
• https://blog.eccouncil.org/5-cases-solved-using-extensive-digital-forensic-evidence/
• https://www.fbi.gov/investigate/cyber/news

Threat Reports on Cyber Crimes

Retargeting – FIREEYE 2019

Tools, Tips & Procedures – FIREEYE 2019

China APT Actors Stats – FIREEYE 2019

https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html

Iran APT Actors Stats – FIREEYE 2019

Legal services abused by C2 – CISCO 2018

Statistics - CISCO Annual Threat Report 2018

Digital Investigation Articles
• Forensic exploration on Windows File History, March 2021
  Jisung Choi | Jungheum Park | Sangjin Lee
• Forensic analysis of open-source XMPP multi-client social networking apps on iOS devices, March 2021
  Alex Akinbi | Ehizojie Ojie
• Dark web in the dark: Investigating when transactions take place on cryptomarkets, March 2021
  Yoichi Tsuchiya | Naoki Hiramoto

https://www.journals.elsevier.com/forensic-science-international-digital-investigation/recent-articles

Forensic Investigation

AUTOPSY (4.8.0)

Autopsy
• A GUI for a set of digital forensic tools – The Sleuth Kit
  – Maintained by Basis Technology Corp
• Autopsy Design Principles
  – Extensible – can be extended with new functionality
  – Centralized – offers a standard mechanism for accessing all the available features & modules
  – Ease of Use – offers standard GUI features like wizards and history tools, so users avoid any unnecessary reconfiguration
  – Multiple Users – can work in both single-user and multi-user mode

Autopsy
• For creating a new case, click "New Case"
• Creating a new case – Step 2
• Creating a new case – Step 3
• Creating a new case – Step 4
• Creating a new case – Step 5
• Creating a new case – Step 6

Autopsy – Ingest Modules
• Module 01 – Recent Activity

Autopsy – Ingest Modules
• Module 02 – Hash Lookup
  [Slide callout: NSRL hash set of known, traceable applications; hash sets]

Autopsy – Ingest Modules
• Module 03 – File Type Identification
  [Slide callout: to identify different customized files, e.g. language database files]

Autopsy – Ingest Modules
• Module 04 – Embedded File Extractor
• Extracts data hidden inside well-known file types, e.g. doc, docx, ppt, etc.

Autopsy – Ingest Modules
• Module 05 – Exif Parser
• EXIF metadata: GPS info, date/time of the snap, camera type, etc.

Autopsy – Ingest Modules
• Module 06 – Keyword Search
• You can preset a list of keywords / patterns to search for
• Use the Global Settings button to look for unique patterns / keywords

Autopsy – Ingest Modules
• Module 07 – Email Parser
• Extracts locally stored emails from PST/OST files

Autopsy – Ingest Modules
• Module 08 – Extension Mismatch Detector
• A simple anti-forensics trick is to make a file appear to be a different (legitimate) type, i.e. change its extension; this module flags files whose extension does not match their content
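The checks behind Module 02 (Hash Lookup) and Module 08 (Extension Mismatch Detector) boil down to two comparisons: a file's hash against a known-hash set, and a file's claimed extension against the signature in its leading bytes. The script below is an added illustration of both, not Autopsy's code; the signature table, the sample "image" files and the known-hash set are all constructed here for the demonstration, and the ingest() helper is hypothetical.

```python
import hashlib

# Constructed magic-byte table: each signature maps to the extensions a file
# carrying that signature may legitimately have (Autopsy's own table is far larger).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar"},
    b"MZ": {"exe", "dll", "sys"},
}

def sniff_extensions(data):
    """Extensions consistent with the leading bytes, or None if the signature is unknown."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None

def extension_mismatch(name, data):
    """True when the claimed extension disagrees with the content signature."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    exts = sniff_extensions(data)
    if exts is None:
        return False  # unknown signature: no verdict, like Autopsy reporting no result
    return ext not in exts

def hash_lookup(data, known):
    """Classify content by MD5 against a known-hash set (NSRL-style: 'known' = benign)."""
    digest = hashlib.md5(data).hexdigest()
    return known.get(digest, "unknown"), digest

def ingest(files, known):
    """Hypothetical ingest pass: one finding per file, combining both module verdicts."""
    findings = []
    for name, data in files.items():
        status, digest = hash_lookup(data, known)
        findings.append({"file": name, "md5": digest, "hash_status": status,
                         "ext_mismatch": extension_mismatch(name, data)})
    return findings

# Constructed sample files: names with minimal header bytes.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 16,  # PE executable renamed to .pdf
    "report.docx": b"PK\x03\x04" + b"\x00" * 16,
    "notes.txt": b"just some text",              # no signature: no verdict
}
# Constructed known-hash set: the docx content is 'known', as an NSRL hit would be.
KNOWN_HASHES = {hashlib.md5(SAMPLE_FILES["report.docx"]).hexdigest(): "known"}
```

Running ingest(SAMPLE_FILES, KNOWN_HASHES) reports invoice.pdf as an extension mismatch and report.docx as a known file, the two outcomes the modules above are meant to surface.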