
Digital Forensics

Digital Forensics – History and Basics

1. Definition & History of DF
2. Public Sector vs Private Sector Investigations
3. Digital Forensic Principles
4. Digital Forensic Procedure

All rights reserved
Digital Forensics - Introduction
• Your PC, laptop, or cell phone can betray you
  – As you move through the web, you leave footprints
    · Cell phone records, ATM transactions, web searches, e-mails, etc.

• We are all literally drowning in digital information

Digital Forensics- Riphah International University 2


Digital Forensics - Introduction

https://www.raconteur.net/infographics/a-day-in-data/
Digital Forensics - Introduction
• Digital evidence (DE) is finding its way into legal proceedings
  – DE: a piece of information transmitted, received or stored in an electronic device

• Criminal, civil, and administrative proceedings often utilize digital evidence
  – It is foreign to many of the key players, e.g. attorneys, judges, police officers, etc.

Digital Forensics - Introduction
• Forensic science has been around for years
  – Digital forensics is still in its infancy (dating from about 1985)

• Digital evidence is virtual in nature: 0s & 1s
  – Requires knowledge of computer internals and data storage methods

• Digital forensics is the field of forensic science that is concerned with retrieving, storing and analyzing electronic data that can be useful in criminal investigations. This includes information from computers, hard drives, mobile phones and other data storage devices.

https://www.nist.gov/digital-evidence
https://www.nist.gov/news-events/news/2020/06/nist-digital-forensics-experts-show-us-what-you-got

Digital Forensics - History

Books on the use of computers for investigation (1976, 1990)

Digital Forensics – History (1985 – 1995)
• The IBM PC in the early 80s attracted hobbyists
  – Including people from the IRS and from secret agencies across the world

• In 1993, the FBI hosted the First International Conference on Computer Evidence
  – Attended by representatives from 26 countries

• In 1995, the 2nd conference was held in Baltimore

Digital Forensics – History (1985 – 1995)
• The International Organization on Computer Evidence (IOCE) was formed
  – To standardize the recovery of computer-based evidence

• Several programs emerged
  – U.S. Secret Service: Electronic Crimes Special Agent Program (ECSAP), 1987
  – FBI: Computer Analysis Response Team (CART)

• Federal Law Enforcement Training Centers (FLETC)
  – Inter-agency law enforcement training body for 91 United States federal law enforcement agencies

Digital Forensics – History (1995 - 2005)

Timeline recovered from the slide diagram:
• 1999 - 2000: IOCE, G-8 High Tech Crime Subcommittee, SWGDE: standards
• 2004: Regional Computer Forensic Laboratory (FBI): sets 'gold standards' for forensic labs
• For US Military requirements

https://archives.fbi.gov/archives/about-us/lab/forensic-science-communications/fsc/april2000/swgde.htm
https://www.swgde.org/documents
Digital Forensics – History (2006 - 2010)
• ANAB: ANSI National Accreditation Board
  – Merger of the American National Standards Institute (ANSI) & American Society for Quality (ASQ)
  – Recently ASCLD/LAB has also merged its forensic operation with ANAB

• Disciplines for which ANAB offers accreditation:

https://anab.ansi.org/forensic-accreditation/iso-iec-17025-forensic-labs

www.ascld.org
https://anab.ansi.org/

Digital Forensics – International Organizations
• The American Academy of Forensic Sciences (AAFS) has been a premier forensic organization since 1948
  – Directors of most federal crime labs are members of AAFS
    · Provided consultancy on the development of CSI: The Experience, a traveling exhibition about crime lab forensic science
  – 6000 members from over 60 countries, from all walks of life

• The Forensic Science Education Programs Accreditation Commission (FEPAC) was created by the AAFS
  – Accredits academic programs in forensic science

Digital Forensics Certifications
Certificate                                     | Fee ($, 2018) | Jobs Offered | Organization
CHFI: Computer Hacking Forensic Investigator V8 | 500           | 275          | EC-Council
CFCE: Certified Forensic Computer Examiner      | 750           | 390          | International Association of Computer Investigative Specialists (IACIS)
CCE: Certified Computer Examiner                | 395           | 360          | International Society of Forensic Computer Examiners (ISFCE)
CSFA: Cyber Security Forensic Analyst           | 750           | 480          | Cyber Security Institute (CSI)
GCFA (Global Information Assurance Certification Forensic Analyst) and GCF (Global Certification Forum) certifications | - | 629-659 (Training); 1299 (Exam Challenge) | SANS Institute
Digital Forensics Basics

DEFINITION & BACKGROUND

Forensics Science
• Forensics is the application of science to solve a legal problem
  – Law and science are forever integrated in forensics

• Neither can be applied without paying homage to the other
  – The best scientific evidence in the world is worthless if it is inadmissible in a court of law

• The systematic study of digital data becomes a forensic discipline when it relates to the investigation and prosecution of a crime

Example of systematic study

Digital Forensics - Definition
• Digital evidence, the object of digital forensics, is defined as:
  – "Any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi" (adapted from Chisum, 1999)

• It includes every type of computing device
  – Desktops, laptops, smart-phones, networks, clouds, etc.

Digital Forensics - Intelligence
• Both terrorists & secret agencies use digital fingerprints
  – Terrorists for planning, recruiting and executing attacks
  – Intelligence agencies, on the other hand, have counter strategies

• Document and Media Exploitation (DOMEX)
  – Collection and exploitation of captured equipment, documents, and media to generate actionable intelligence

• DOMEX vs digital forensics
  – DOMEX targets intelligence, while digital forensics is mainly used for litigation

https://www.adfsolutions.com/news/what-is-domex

Digital Investigation Classes

PUBLIC VS PRIVATE SECTOR INVESTIGATIONS

Digital Investigations
• Digital investigations fall into two categories:
  – Public-sector investigations
  – Private-sector investigations

Digital Forensics Investigations - Public
• Public-sector investigations
  – Involve government agencies responsible for criminal investigations and prosecution
    · Killing, robbery, burglary (entering a building without authorization)
  – Major paradigm shift
    · From conventional investigation to seeking out the digital evidence in the first place

• How does it all begin?
  – Someone finds evidence of, or witnesses, a crime, and the police step in
  – Police interview the complainant and write a FIR (First Information Report)
    · The case is then processed on its merit

Digital Investigations - Private-Sector
• Private-sector investigations
  – Usually include civil & administrative cases; e-discovery is a huge business
    · "Any process in which electronic data, digital evidence is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case"

• Private-sector cases mostly involve violations of a company's rules or attacks on its assets

Digital Investigations - Private-Sector
• Major private-sector cases
  – Abuse or misuse of computing assets
  – E-mail / Internet abuse
  – Other policy violation issues

• A private-sector investigator's job is to minimize risk to the company

• ISO standard 27037 (www.iso.org/standard/44381.html) defines two roles:
  – A Digital Evidence First Responder (DEFR) has the skill and training to arrive on an incident scene, assess the situation, and take precautions to acquire and preserve evidence.
  – A Digital Evidence Specialist (DES) has the skill to analyze the data and determine when another specialist should be called in to assist with the analysis.

Digital Forensics Principles

KEY CONCEPTS & TERMS

Digital Forensics Principles
• The foundation of digital forensics
  – Evidence Exchange & Characteristics
  – Forensic Soundness
  – Authentication of Evidence
  – Evidence Integrity
  – Objectivity & Repeatability

Digital Forensics Principles
1. The Evidence Exchange
  – The purpose of investigation is to trail the criminals and tie them to the crime / crime scene
  – Locard's Exchange Principle (https://en.wikipedia.org/wiki/Locard%27s_exchange_principle)
    · Contact between two items will result in an exchange
    · In digital terms: an intruder leaves traces on the target (log entries, created files, registry changes) and carries traces away (copied data, connection history on the attacking machine)

In forensic science, Locard's principle holds that the perpetrator of a crime will bring something into the crime scene and leave with something from it, and that both can be used as forensic evidence. Dr. Edmond Locard was a pioneer in forensic science who became known as the Sherlock Holmes of Lyon, France.

Digital Forensics Principles
2. The Evidence Characteristics
  – The evidence recovered from a crime scene may have:
    · Class characteristics
      - A shoe print recovered from a scene indicating a particular make & model of shoe
      - Digital analog: a file format or an application's default artifact layout, shared by every instance
    · Individual characteristics
      - Forensic analysis uncovers detailed wear patterns in the shoe prints, and similar wear is found on the suspect's shoe
      - Digital analog: the cryptographic hash of a specific file, or a device serial number recorded in a USB registry key

Digital Forensics Principles
3. Forensic Soundness
  – Evidence must be examined & preserved in a forensically sound manner
    · "Preserve everything and change nothing" is applied inconsistently across forensic disciplines, and in digital forensics it is not always achievable: acquiring a running system's memory or a powered-on phone necessarily changes its state
  – The key to forensic soundness is documentation
    · How the evidence originated and how it was handled
  – The evidence acquisition process should minimize changes to the original evidence
    · Any changes that do occur must be documented
  – Volatile data acquisition must record the time & date of acquisition, the tools used, etc.

Digital Forensics Principles
4. Authentication of Evidence
  – Satisfying the court that:
    · The information inside a record does originate from the claimed source
    · The contents of the record remained unaltered
    · Extra information, e.g. the date of the record, is accurate

Digital Forensics Principles
5. Evidence Integrity
  – To show that the evidence has not been tampered with at any point since its collection

6. Objectivity & Repeatability
  – Objectivity: remain free from any bias
  – Repeatability: the results should be independently verifiable by another examiner who follows the same documented steps

Digital Forensic Procedures

SERIES OF STEPS IN A FORENSIC PROCESS

Digital Forensics Process
• The digital forensic process consists of the following steps:
  – Search Authority
  – Gathering and Securing Evidence
  – Chain of Custody
  – Imaging / Hashing
  – Validated Tools
  – Analysis
  – Reporting
  – Possible Expert Presentation

Digital Forensics Process – Search Authority
1. Search Authority: legal authority to collect the evidence
  – Search warrants, for example
  – Consent of the parties in civil cases

• The search must stay within the bounds of the consent, or comply with the search warrant or other authority

• Search authority may not be necessary if:
  – A cell phone is recovered from a battlefield, etc.
  – A human life is in danger, etc.

Digital Forensics Process - Gathering the Evidence
2. Gathering & Securing Evidence
  – Warning: avoid damaging the evidence

• Steps
  – Meet and interview the IT manager
  – Fill out the evidence form and have the IT manager sign it
  – Place the evidence in a secure container
  – Carry the evidence to the computer forensics lab
  – Complete the evidence custody form
  – Secure the evidence by locking the container

Digital Forensics Process – Securing Evidence
• Use evidence bags to secure and catalog the evidence

• Use computer-safe products when collecting computer evidence
  – Antistatic bags

• Use evidence tape to seal all openings
  – CD drive bays
  – Insertion slots for power supply electrical cords and USB cables

• Make sure you have a safe environment for transporting and storing the evidence until a secure evidence container is available

Digital Forensics Process – Chain of custody
3. Chain of Custody: the process of validating how any kind of evidence has been gathered, tracked and protected on its way to the court
  – Identifies every entity through whose hands the evidence passes before it reaches the court
  – Any changes to the evidence are also recorded

• The chain is documented
  – Via forms, reports, evidence receipts, notes, and marking the actual evidence item itself

• A broken chain could nullify the entire evidence

Digital Forensics Process – Chain of custody
• Chain of Custody: golden rules
  – DON'T count on getting your training from a TV show
  – DO expect that chain-of-custody evidence will end up in court
  – DO guard the "best evidence" closely: the first image of the HDD
    · Store it under lock and key and make a working copy for analysis
    · Maintain a stack of forms and record every access
  – DON'T submit the hardware to court unless you have to

Digital Forensics Process – Chain of custody Forms

Digital Forensics Process – Imaging and Hashing
4. Imaging & Hashing: working on the original digital evidence can be catastrophic
  – It can modify or even destroy the original evidence

• Create an image of the media: an exact, bit-for-bit replica of the original
  – All analysis is performed on this copy

• To fulfill legal requirements, hashing is used
  – Compute a hash of the original media and of each image, and compare them
  – MD5 is the traditional choice and still detects accidental change; since MD5 collisions are practical, record SHA-256 alongside it
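The imaging-and-hashing step above, together with the chain-of-custody slides before it, as one worked example (added here; it is not code from the original slides). The "evidence device" is a constructed byte string written to a temporary file so the example runs anywhere; in a real acquisition the source is a block device behind a hardware write blocker. The function and class names (hash_file, acquire_image, CustodyLog) and the examiner names in the log are this example's own. MD5 is kept because the slide names it; SHA-256 is recorded alongside since MD5 collisions are practical.

```python
"""Imaging, hashing and a tamper-evident custody log (added example).

Not code from the original slides. The evidence "device" is a constructed byte
string in a temporary file; a real case reads a block device behind a hardware
write blocker. Both MD5 (as on the slide) and SHA-256 are recorded.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

CHUNK = 64 * 1024  # stream in fixed chunks so large media never sit wholly in RAM

# Constructed sample media: a few recognisable header bytes followed by zeros (1 MiB total).
SAMPLE_MEDIA = b"\x33\xc0\x8e\xd0CONSTRUCTED-EVIDENCE-NOT-REAL" + bytes(512 * 2048 - 33)


def hash_file(path: str) -> dict[str, str]:
    """Hash a file in one streaming pass; returns both digests as hex strings."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def acquire_image(source: str, image: str) -> dict[str, str]:
    """Bit-for-bit copy of `source` into `image`, hashing the bytes as they are written.

    The source is opened read-only and the image with mode "x", so an existing image
    is never silently overwritten. The digests describe exactly what landed on disk.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
            dst.write(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


@dataclass
class CustodyEntry:
    when_utc: str  # date/time of the handling step, as the slides require
    actor: str
    action: str
    sha256: str    # hash of the item as it was at hand-over


@dataclass
class CustodyLog:
    item_id: str
    entries: list[CustodyEntry] = field(default_factory=list)

    def record(self, actor: str, action: str, sha256: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.entries.append(CustodyEntry(stamp, actor, action, sha256))

    def verify(self, image_path: str) -> bool:
        """Recompute the image hash and require every recorded hand-over to carry it.

        A mismatch anywhere means the item changed between two custodians: the chain
        is broken and the image can no longer be shown to be the one acquired.
        """
        current = hash_file(image_path)["sha256"]
        return {e.sha256 for e in self.entries} == {current}


def acquisition_workflow(media: bytes = SAMPLE_MEDIA) -> dict:
    """Acquire -> verify -> repeat -> custody log -> tamper check, on constructed media."""
    workdir = tempfile.mkdtemp(prefix="df-example-")
    try:
        device = os.path.join(workdir, "evidence_device.bin")
        with open(device, "wb") as fh:
            fh.write(media)
        image1 = os.path.join(workdir, "ITEM-001.dd")
        image2 = os.path.join(workdir, "ITEM-001-repeat.dd")

        source_hash = hash_file(device)        # hash the original before acquisition
        acq1 = acquire_image(device, image1)   # first ("best evidence") image
        acq2 = acquire_image(device, image2)   # repeated run: a validated tool is repeatable

        log = CustodyLog("ITEM-001")           # actors below are constructed names
        log.record("examiner A", "acquired image from device", acq1["sha256"])
        log.record("examiner A", "sealed image in evidence locker", acq1["sha256"])
        log.record("examiner B", "checked out and re-hashed", hash_file(image1)["sha256"])
        intact = log.verify(image1)

        with open(image1, "r+b") as fh:        # flip one byte to show the check fails
            fh.seek(100)
            fh.write(b"\xff")
        tamper_detected = not log.verify(image1)

        return {
            "image_matches_source": acq1 == source_hash,
            "repeat_reproducible": acq1 == acq2,
            "chain_intact_before_tamper": intact,
            "tamper_detected": tamper_detected,
            "custody_entries": len(log.entries),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in acquisition_workflow().items():
        print(f"{key}: {value}")
```

Two details matter in practice: the image is opened with mode "x" so an existing image file can never be overwritten by accident, and the digests are taken from the same byte stream that is written, so the recorded hash describes the image actually produced rather than a second read of a device that might have changed in between. The second acquisition shows the repeatability that a validated tool is expected to deliver; in a real case the flipped byte would of course hit a working copy, never the first image.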

Digital Forensics Process – Imaging and Hashing
• The creation of a true forensic hard drive image is a tricky business
  – If not done by a trained professional, you may severely compromise your evidence

• Some people recommend an objective third party
  – To avoid accusations of evidence tampering

• Guidelines for hard drive imaging
  – Standardized by the Department of Justice (DOJ) and NIST

Digital Forensics Process – Tools Validation
5. Validated Tools: the proper working of the software or hardware tools must be validated before they are used in the process
  – Results must be repeatable and reproducible

• A detailed procedure for tool validation is given here
  – http://www.cftt.nist.gov/CFTT-Booklet-08112015.pdf

• A scientific method of collecting results must answer (the Daubert factors):
  – Has the method in question undergone empirical testing?
  – Has the method been subjected to peer review?
  – Does the method have a known or potential error rate?
  – Do standards exist for the control of the technique's operation?
  – Has the method received general acceptance in the relevant scientific community?

Digital Forensics Process – Analysis
6. Analysis: the interpretation of artifacts depends on the examiner's skills and experience
  – Analysis may be short & straightforward
  – Or it may be quite complicated and time-consuming

• After analysis, the expert renders his / her opinion
  – Expressed as a likelihood of an event, or
  – As a definite 'yes' or 'no'

Digital Forensics Process – Analysis
• Analysis may include:
  – Linking some activity with a specific user account
  – Establishing a timeline of events
  – Determining whether a USB storage device was connected to the machine
  – Breaking encryption
  – Identifying relationships / connections between individuals (e.g. suspect and victim)
  – Identifying websites that have been visited
  – Determining whether certain files were opened or downloaded
  – Identifying what search engine queries have been entered
  – Locating contraband (such as child sexual abuse material)
  – Determining what applications have been installed or uninstalled
  – Recovering deleted files
  – Determining whether or not the system has been compromised in some way
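Three of the items above (establishing a timeline, linking activity to a user account, and determining whether a USB device was connected) come together in the routine below, an added example that is not from the slides. The three log excerpts are constructed for illustration; the workstation's local time zone (UTC+05:00), the field names, the user name and the device serial are the example's own assumptions, not data from any real case.

```python
"""Unified event timeline from heterogeneous logs (added example, not from the slides).

All three log excerpts are constructed. Assumptions: the Windows export is stamped
in the workstation's local time (taken as UTC+05:00) with no zone marker, the proxy
log is epoch seconds in UTC, and the USB log carries an explicit ISO-8601 offset.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=5))  # assumed workstation time zone

# Constructed Windows Security export: local time, no zone marker (the classic timeline trap).
WIN_EVENTS = """\
2024-03-11 09:02:13 EventID=4624 User=jdoe LogonType=2
2024-03-11 09:40:55 EventID=4663 User=jdoe Object=D:\\payroll_q1.xlsx Access=ReadData
2024-03-11 09:41:02 EventID=4663 User=jdoe Object=E:\\payroll_q1.xlsx Access=WriteData
"""
# Constructed proxy log: epoch seconds (UTC), user, client IP, method, URL.
PROXY_LOG = """\
1710131760 jdoe 10.0.0.15 GET https://mail.example.test/compose
"""
# Constructed removable-media log: ISO-8601 with explicit offset.
USB_LOG = """\
2024-03-11T09:40:31+05:00 usb-connect serial=4C530001230311 vendor=SanDisk mount=E:
2024-03-11T09:43:10+05:00 usb-disconnect serial=4C530001230311
"""


@dataclass
class Event:
    ts: datetime         # always normalised to UTC before anything is compared
    source: str
    user: str | None
    summary: str


def parse_windows(text: str) -> list[Event]:
    out = []
    for line in text.splitlines():
        m = re.match(r"(\S+ \S+) EventID=(\d+) User=(\S+)(.*)", line)
        if not m:
            continue
        local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
        out.append(Event(local.astimezone(timezone.utc), "winevt", m.group(3),
                         f"EventID {m.group(2)}{m.group(4)}"))
    return out


def parse_proxy(text: str) -> list[Event]:
    out = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue
        ts = datetime.fromtimestamp(int(parts[0]), tz=timezone.utc)
        out.append(Event(ts, "proxy", parts[1], f"{parts[3]} {parts[4]}"))
    return out


def parse_usb(text: str) -> list[Event]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, action, *kv = line.split()
        ts = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        out.append(Event(ts, "usb", None, " ".join([action, *kv])))
    return out


def build_timeline(win: str = WIN_EVENTS, proxy: str = PROXY_LOG, usb: str = USB_LOG) -> list[Event]:
    """Merge all sources and order them on the UTC timestamp."""
    return sorted(parse_windows(win) + parse_proxy(proxy) + parse_usb(usb), key=lambda e: e.ts)


def usb_write_candidates(timeline: list[Event]) -> list[dict]:
    """Report file writes to a drive letter while a USB device was mounted there.

    Walks the sorted timeline once, tracking open connect/disconnect windows per
    device serial, and attributes each hit to the account named in the Windows event.
    """
    findings, open_windows = [], {}  # serial -> (connected_since, mount letter)
    for ev in timeline:
        if ev.source == "usb":
            serial = re.search(r"serial=(\S+)", ev.summary).group(1)
            if ev.summary.startswith("usb-connect"):
                mount = re.search(r"mount=(\w:)", ev.summary).group(1)
                open_windows[serial] = (ev.ts, mount)
            else:
                open_windows.pop(serial, None)
        elif ev.source == "winevt" and "Access=WriteData" in ev.summary:
            obj = re.search(r"Object=(\S+)", ev.summary).group(1)
            for serial, (since, mount) in open_windows.items():
                if obj.upper().startswith(mount.upper()):
                    findings.append({"utc": ev.ts.isoformat(), "user": ev.user, "file": obj,
                                     "usb_serial": serial, "connected_since": since.isoformat()})
    return findings


if __name__ == "__main__":
    tl = build_timeline()
    for ev in tl:
        print(ev.ts.isoformat(), ev.source, ev.user or "-", ev.summary)
    print(usb_write_candidates(tl))
```

Every source is converted to UTC before the sort; a Windows export stamped in local time with no zone marker is the usual way a timeline ends up in the wrong order. The correlation pass attributes the write to E: to the account in the Windows event while the device with the recorded serial was mounted at that letter, which is exactly the chain of inference the examiner will later have to explain to a non-technical reader.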

Digital Forensics Process – Reporting
7. Reporting: the report is the compulsory outcome of a forensic process
  – Some tools generate automatic reports, mostly technical content
  – The expert's opinion needs to be added as well

• While reporting, think about the audience
  – The report may be read by a judge who may not know how to browse the web or send an e-mail
  – The user-friendliness of the report should be taken seriously
  – Do not exclude the technical content: it is the crux of the whole report

Digital Forensics Process – Reporting
• A report may include:
  – An executive summary
  – A list of the evidence
  – The items examined
  – The methods
  – The tools used to perform the analysis
  – Findings
  – Conclusions
  – Any relevant exhibits

https://spdblotter.seattle.gov/

Digital Forensics Process – Expert Presentation
8. Expert Presentation: the pinnacle of the forensic process is the presentation of the findings to a judge / jury
  – Explaining technology to non-technical people
    · It is an incredibly difficult task, as anyone who has done it knows

• The outcome of a trial may boil down to the judge's or jury's understanding of a specific piece of technology or technical process
  – If you fail to explain it, it is all over

Digital Forensics – Forensic Experts
• The digital forensics practitioner often plays the role of an expert witness
  – Expert witnesses can, and often do, give their opinion

• An expert is someone who can assist the jury to understand and interpret evidence
  – Not necessarily a degree holder
  – Knows more about the subject than a layman

• What separates a qualified expert from a truly effective one?
  – The ability to communicate with the judge and jury

Preparing Forensic Workstation
• Primary OS: Windows (7 or later)
  – A write blocker (software; a hardware write blocker between the evidence drive and the workstation is preferable where available)
  – Forensic acquisition tool
    · FTK Imager is recommended
  – Digital forensic analysis tool
    · Autopsy (recommended)
    · FTK Toolkit
    · ProDiscover
  – A target hard disk / USB drive for image storage
  – Miscellaneous tools
    · Disk editor, text editor, graphics viewer, MS Office tools

• Must use a virtual machine manager, e.g. VMware or VirtualBox
Preparing Forensic Workstation
• Primary OS: Linux
  – Several Linux distributions come as all-in-one packages
    · CAINE: Computer Aided INvestigative Environment
    · SIFT Workstation
    · Kali Linux

• Must use a virtual machine manager, e.g. VirtualBox
