
Digital Forensics

Dr. P. Nyoni
Lecture 1
Overview: Introduction to Digital Forensics
COURSE INFORMATION
This module provides students with an
introduction to digital forensic science and the
systematic process of identifying, acquiring,
analysing and reporting digital evidence.
eDiscovery, data retention, data disposal,
litigation, internal investigations and incident
response are also discussed within the
context of digital forensics.
COURSE INFORMATION
The module covers a variety of topics:
• Introduction to basic concepts of digital forensic
science
• Exploration of mobile, network and memory
forensics
• Examining the role of digital forensics in public
and private investigations
• Examining the potential benefits, limitations and
risks of digital forensics
• Increasing awareness of managerial issues
raised by the use of digital forensics
• Introduction to commercial and open-source
forensic tools
COURSE INFORMATION
• Textbook:
Guide to Computer Forensics and
Investigations: Processing Digital Evidence, 5th
Ed, Cengage, B. Nelson, A. Phillips, and C.
Steuart, 2016
• Assignments:
There are two assignments designed to help reinforce
the material that has been covered in the lecture.
• Exams:
There will be an exam.
HOW TO SUCCEED
• DO ALL THE ASSIGNMENTS AND MAKE TIME
FOR PRACTICE!
• STUDY THE COURSE NOTES (before and after
courses)
• Academic Honesty
• Do your best!
Cybersecurity in the 21st Century
• Conventional computer security:
Defensive
 Protecting: To prevent attacks on the IT asset
 Detecting: To identify an attack in real time
 Reacting: To counter the attack and minimize
its impact
• Digital forensics and cyber warfare:
Offensive
 Tracking: To uncover the digital evidence
 Attacking: To stop the source of the attack
Information Security Principles

The “CIA” Principle:


Confidentiality
◦ Only authorized users can view information.
Integrity
◦ Internally consistent.
◦ Freedom from unauthorized changes.
Availability
◦ Resource is available for use when needed.
Protecting Cyberspace
• Targets outside-in threats
• Possible threats
Unauthorized access
Malicious software
• Means of protection
Build fences and walls
Guard the gates
Enforce identity and access management
Hide the information
Three-Lines of Defense in
Protecting Cybersecurity
• User Authentication: The process of verifying an identity
claimed by or for a system entity
Identification - present an identifier such as a user ID
Verification - prove the binding between the entity (person)
and the identifier with a credential such as a password, token
or biometric
• Access Control: To assign access privileges
Least privilege
• Cryptography: To encrypt data and protect it from
unauthorized users.
Detecting the Threat
• Targets outside-in threats and possibly
insiders
• Possible threats
Unauthorized access and privilege escalation
Malicious software
DDoS
• Means of detection
IDS and honeypots
IPS, firewalls, gateways and VPNs (enforcement points
whose logs also reveal attacks)
 Monitor logs
Honeypots
• Are decoy systems that lure a potential attacker away from
critical systems
 Divert an attacker from accessing critical systems.
 Collect information about the attacker's activity.
 Let the attacker stay on the system long enough for
administrators to respond.
• System design:
 Filled with fabricated information
 Instrumented with monitors / event loggers
 Isolated so that production systems are never exposed
• Initially single systems with a public IP address designed to
attract attackers; more recently they are, or emulate, entire
networks (honeynets)
Reacting to the attack
• Targets outside-in threats and possibly
inside-out ones (insiders, data exfiltration).
• Possible impacts
Data breaches
System capture
Financial loss
Political agenda
• Means of reaction
Security management: Policy, awareness, and training.
Risk management
Mitigation and contingency plans
Auditing
Risk Management
• Identification
 Who or what could cause it harm?
 How could this occur?
• Analysis
Probability
Severity of the impact(s)
• Ranking: Threshold on ranking
• Mitigation: Planned actions when risk
occurs.
What can we do after these defenses?

• Nothing:
 Current practice of computer security
profession.
• Be proactive for better security
 Digital Forensics: Finding evidence and
improving on vulnerabilities
• Fight back (so “they” won’t attack us
again)
 Cyber warfare: White/black hat hacking
approach
Digital Forensics
• Also called "System Forensics."
• Computer Forensics World: The use of analytical and
investigative techniques to identify, collect, examine and
preserve evidence/information which is electronically
stored or encoded.
Digital Evidence
• ISO/IEC 27037 Information technology --
Security techniques -- Guidelines for
identification, collection, acquisition and
preservation of digital evidence
• Real: HD, USB, etc.
• Documentary: Word files, emails, etc.
• Testimonial: System log files, history, etc.
• Demonstrative: Charts, pictures, etc.
Volatility of Digital Evidence (most volatile first,
following the order of volatility in RFC 3227)
• Registers and cache
• Routing table
• ARP (Address Resolution Protocol) cache
• Process table
• Kernel statistics and modules
• Main memory
• Temporary file systems
• Secondary memory
• Router configuration
• Network topology
Testing Forensics Evidence
• Authenticity: Does the material come from where
it purports to come from?
• Reliability:
– Is it believable
– Is it consistent
• Completeness: Is the story complete?
• Freedom from interference and contamination:
Are the levels of interference and contamination
acceptable?
Challenges to Digital
Forensics
• System complexity
HW, SW, OS, mobile, etc.
• Large volumes of data
Pictures, A/V, documents, etc.
• Distributed crime scenes
The Internet
• Law and Policy
International cooperation
• Limited resources
Digital forensics specialists
Digital Forensic Methods
• Digital Forensic Research Workshop
(DFRWS 2001) investigative process
Identification
Preservation
Collection/Acquisition
Examination
Analysis
Presentation
Technical Overview
• Recovering data
Undeleting
Rescuing damaged media
• Uncovering hidden and scrambled
information
Steganography
Cryptography
• Email forensics
Email files
Tracing Email
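The "Tracing Email" bullet is usually done by walking the Received headers from the bottom (closest to the sender) to the top (our own server). The script below is an added example, not code from the lecture or the textbook: the message is constructed for the example, the host names are invented and the addresses come from the RFC 5737 documentation ranges. It lists the hops in transit order, pulls out the peer IP of each hop, computes per-hop delays and flags places where one hop's "from" does not match the previous hop's "by", which is a common sign of a forged header inserted by the sender.

```python
"""Trace an e-mail back through its Received headers (added example)."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message; not a real capture.
SAMPLE_EMAIL = (
    "Received: from mx2.example.org (mx2.example.org [203.0.113.10])\n"
    "\tby mail.victim.example (Postfix) with ESMTPS id 4F2A1\n"
    "\tfor <alice@victim.example>; Mon, 06 Mar 2023 10:02:11 +0000\n"
    "Received: from relay.example.net (relay.example.net [198.51.100.25])\n"
    "\tby mx2.example.org with ESMTP id abc123;\n"
    "\tMon, 06 Mar 2023 10:02:05 +0000\n"
    "Received: from [192.0.2.77] (unknown [192.0.2.77])\n"
    "\tby relay.example.net (Postfix) with ESMTPA id 99bd;\n"
    "\tMon, 06 Mar 2023 10:01:58 +0000\n"
    "From: \"Bob\" <bob@example.net>\n"
    "To: alice@victim.example\n"
    "Subject: Invoice\n"
    "Message-ID: <20230306100158.99bd@relay.example.net>\n"
    "\n"
    "Please see attached.\n"
)

# "from <host> (<reverse DNS> [<ip>]) by <host>", the form most MTAs write
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_message):
    """Return the hops in transit order (origin first) as a list of dicts."""
    msg = message_from_string(raw_message)  # default policy keeps the raw folded text
    hops = []
    # Each MTA prepends its own Received header, so the list is newest-first;
    # reverse it to walk from the sender towards the receiving server.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold and normalise whitespace
        match = HOP_RE.search(text)
        if match is None:
            hops.append({"from": None, "by": None, "ip": None,
                         "unresolved": False, "time": None, "raw": text})
            continue
        from_host, comment, by_host = match.groups()
        ip = IPV4_RE.search(comment or "") or IPV4_RE.search(from_host)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None  # date follows the last ';'
        hops.append({
            "from": from_host,
            "by": by_host.rstrip(";"),
            "ip": ip.group(1) if ip else None,
            "unresolved": "unknown" in (comment or "").lower(),  # peer had no reverse DNS
            "time": parsedate_to_datetime(stamp) if stamp else None,
            "raw": text,
        })
    return hops


def hop_delays(hops):
    """Seconds each hop waited since the previous one; None where a timestamp is missing."""
    delays = [None]
    for prev, cur in zip(hops, hops[1:]):
        if prev["time"] and cur["time"]:
            delays.append(int((cur["time"] - prev["time"]).total_seconds()))
        else:
            delays.append(None)
    return delays


def chain_breaks(hops):
    """(by, from) pairs where a hop's 'from' host is not the previous hop's 'by' host.

    A break often marks where a sender-forged Received header was inserted.
    """
    return [(prev["by"], cur["from"]) for prev, cur in zip(hops, hops[1:])
            if (prev["by"] or "").lower() != (cur["from"] or "").lower()]


def origin_ip(hops):
    """Peer address of the earliest hop: the best candidate for the sending machine."""
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    trace = parse_hops(SAMPLE_EMAIL)
    for hop, delay in zip(trace, hop_delays(trace)):
        print(f"{hop['ip']:>15}  {hop['from']:>20} -> {hop['by']:<22} +{delay}s")
    print("origin:", origin_ip(trace), "breaks:", chain_breaks(trace))
```

Only the header added by your own receiving server can be trusted outright; everything below it was written by machines under someone else's control and may have been forged, which is why the chain check and the per-hop delays matter.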
Technical Overview (Cont.)

• Computer forensics
Logs, directories, and Windows registry
Windows/Shell commands
• Mobile forensics
SIM/micro-SD cloning
• Network forensics
Sniffer: Wireshark
Port scanning: Nmap
Web proxy analysis: Splunk or SARG
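Network forensics often starts from a packet capture, and a port scan is one of the first things an examiner looks for in it. The script below is an added example, not code from the lecture, from Wireshark or from Nmap: it builds a small pcap file in memory (constructed traffic using RFC 5737 documentation addresses; IP and TCP checksums are left at zero because the parser does not verify them), parses the Ethernet/IPv4/TCP headers with the standard library only, and reports any source that sent bare SYNs to many distinct ports within a time window. Saving SAMPLE_PCAP to disk gives a file that opens in Wireshark.

```python
"""Parse a classic pcap and detect TCP SYN port scans (added example)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
SYN, ACK = 0x02, 0x10


def tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Build an Ethernet/IPv4/TCP frame with no payload (checksums left zero)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return eth + ip + tcp


def pcap_bytes(frames):
    """Wrap frames in a little-endian pcap container, one frame per second."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


# Constructed capture: one host probing ten ports, one normal client handshake.
SCANNER, CLIENT, SERVER = "203.0.113.5", "192.0.2.10", "198.51.100.20"
SCANNED_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389]
SAMPLE_PCAP = pcap_bytes(
    [tcp_frame(SCANNER, SERVER, 40000 + i, p, SYN) for i, p in enumerate(SCANNED_PORTS)]
    + [tcp_frame(CLIENT, SERVER, 51000, 443, SYN),
       tcp_frame(CLIENT, SERVER, 51000, 443, ACK)]
)


def parse_pcap(data):
    """Yield one dict per TCP-over-IPv4 packet in a classic (non-pcapng) capture."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError(f"unsupported pcap magic {magic:#x}")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue  # not TCP
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        yield {"ts": ts_sec + ts_usec / 1e6,
               "src": ".".join(map(str, frame[26:30])),
               "dst": ".".join(map(str, frame[30:34])),
               "sport": sport, "dport": dport, "flags": frame[tcp + 13]}


def detect_syn_scans(packets, threshold=5, window=60.0):
    """Map each source that sent bare SYNs to >= threshold distinct (dst, port)
    targets within `window` seconds of its first SYN to the sorted port list."""
    first_seen, targets = {}, defaultdict(set)
    for p in packets:
        if p["flags"] & (SYN | ACK) != SYN:
            continue  # only bare SYNs; SYN/ACK and ACK belong to completed handshakes
        first_seen.setdefault(p["src"], p["ts"])
        if p["ts"] - first_seen[p["src"]] <= window:
            targets[p["src"]].add((p["dst"], p["dport"]))
    return {src: sorted(port for _, port in hits)
            for src, hits in targets.items() if len(hits) >= threshold}


if __name__ == "__main__":
    with open("syn_scan_sample.pcap", "wb") as f:  # opens in Wireshark
        f.write(SAMPLE_PCAP)
    print(detect_syn_scans(parse_pcap(SAMPLE_PCAP)))
```

The threshold and window are tuning knobs: a busy client legitimately opens a handful of ports on one server, so count distinct targets per source rather than raw SYN volume, and ignore anything that completed a handshake.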
Anti-Forensics
• Data destruction: wiping tools and defragmentation
• Data hiding: data stored in hidden partitions or
slack space
• Data transformation: Encryption or
steganography
• Data contraception: keeping data in (virtual) memory
only so that it never reaches persistent storage
• Data fabrication
• File system alteration
• Anonymous browsing
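Steganography appears twice on these slides: as something an examiner must uncover (Technical Overview) and as a data-transformation technique used against the examiner (Anti-Forensics). The script below is an added example, not code from the lecture: it hides a payload in the least-significant bits of 8-bit samples and recovers it. The "image" is a constructed bytearray of grey samples seeded pseudo-randomly so the example runs without an image library; real pixel bytes would be handled identically. A 32-bit length header precedes the payload, and the same header doubles as a cheap plausibility check when you suspect a carrier but do not know whether it holds anything.

```python
"""Least-significant-bit (LSB) steganography: hide, reveal, sanity-check (added example)."""
import random

HEADER_BYTES = 4  # payload length, big-endian, stored in the first 32 LSBs

# Constructed 4096-sample cover; a fixed seed keeps the example deterministic.
_rng = random.Random(2023)
COVER = bytes(_rng.randrange(256) for _ in range(4096))
SECRET = b"meet at the usual place, 21:00"


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(cover):
    """Payload bytes the cover can carry: one bit per sample, minus the header."""
    return len(cover) // 8 - HEADER_BYTES


def hide(cover, payload):
    """Return a copy of `cover` whose LSBs carry len(payload) followed by payload."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError(f"payload of {len(payload)} bytes exceeds "
                         f"capacity of {capacity_bytes(cover)}")
    stego = bytearray(cover)
    header = len(payload).to_bytes(HEADER_BYTES, "big")
    for i, bit in enumerate(_bits(header + payload)):
        stego[i] = (stego[i] & 0xFE) | bit  # overwrite only the lowest bit
    return bytes(stego)


def _read_lsbs(samples, start_bit, n_bytes):
    out = bytearray()
    for b in range(n_bytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (samples[start_bit + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def reveal(stego):
    """Read the length header, then that many payload bytes, from the LSB plane."""
    length = int.from_bytes(_read_lsbs(stego, 0, HEADER_BYTES), "big")
    if (length + HEADER_BYTES) * 8 > len(stego):
        raise ValueError("length header inconsistent with carrier size")
    return _read_lsbs(stego, HEADER_BYTES * 8, length)


def has_plausible_payload(samples):
    """True if the LSB plane starts with a length that fits the carrier.

    Random LSBs almost never decode to a small length, so a False here is
    strong evidence that this particular scheme was not used on the carrier.
    """
    try:
        reveal(samples)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    carrier = hide(COVER, SECRET)
    changed = sum(1 for a, b in zip(COVER, carrier) if a != b)
    print(f"{changed} of {len(COVER)} samples changed by at most 1")
    print("recovered:", reveal(carrier))
```

Because every sample moves by at most one grey level the change is invisible to the eye, and a bit-stream image of the carrier preserves it; a lossy re-encode (for instance re-saving as JPEG) destroys it, which is why examiners hash and image original files rather than working on converted copies.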
Trends and Future
Directions
• Hardware
Mobile devices, cameras, copiers, network
equipment, GPS, vehicle recorders, etc.
• Software
File formats, SaaS, big data, software-defined
networking, etc.
• Technology evolution
Cloud computing, drones, etc.
• Legal environment
Regulation, location, ownership, etc.
The Threat Model in Cyberspace
Digital Forensics and Other
Related Disciplines
• Investigating digital devices includes:
– Collecting data securely
– Examining suspect data to determine details such as
origin and content
– Presenting digital information to courts
– Applying laws to digital device practices
• Digital forensics is different from data
recovery
– Which involves retrieving information that was deleted
by mistake or lost during a power surge or server
crash
Digital Forensics and Other
Related Disciplines
• Forensics investigators often work as part
of a team, known as the investigations
triad
Digital Forensics and Other
Related Disciplines
• Vulnerability/threat assessment and risk
management
– Tests and verifies the integrity of stand-alone workstations and
network servers
• Network intrusion detection and incident
response
– Detects intruder attacks by using automated tools and
monitoring network firewall logs
• Digital investigations
– Manages investigations and conducts forensics analysis of
systems suspected of containing evidence
Understanding Case Law
• Existing laws can’t keep up with the rate of
technological change
• When statutes don’t exist, case law is used
– Allows legal counsel to apply previous similar cases
to current one in an effort to address ambiguity in
laws
• Examiners must be familiar with recent court
rulings on search and seizure in the electronic
environment
Preparing for Digital
Investigations
• Digital
investigations
fall into two
categories:
– Public-sector
investigations
– Private-sector
investigations
Understanding Law Enforcement
Agency Investigations
• When conducting public-sector
investigations, you must understand laws
on computer-related crimes including:
– Standard legal processes
– Guidelines on search and seizure
– How to build a criminal case
• The Computer Fraud and Abuse Act was
passed in 1986
– Specific state laws were generally developed
later
Understanding Private-Sector
Investigations
• Private-sector investigations involve private
companies and lawyers who address company
policy violations and litigation disputes
– Example: wrongful termination
• Businesses strive to minimize or eliminate litigation
• Private-sector crimes can involve:
– E-mail harassment, falsification of data, gender and
age discrimination, embezzlement, sabotage, and
industrial espionage
• Line of authority - states who has the legal right to
initiate an investigation, who can take possession of
evidence, and who can have access to evidence
Understanding Private-Sector
Investigations (Cont.)
• During private investigations, you search
for evidence to support allegations of
violations of a company’s rules or an
attack on its assets
• Three types of situations are common:
– Abuse or misuse of computing assets
– E-mail abuse
– Internet abuse
• A private-sector investigator’s job is to
minimize risk to the company
Preparing a Digital Forensics
Investigation
• The role of a digital forensics professional is to
gather evidence to prove that a suspect
committed a crime or violated a company policy
• Collect evidence that can be offered in court or
at a corporate inquiry
– Investigate the suspect’s computer
– Preserve the evidence on a different computer
• Chain of custody
– Route the evidence takes from the time you find it
until the case is closed or goes to court
Procedures for Private-Sector
High-Tech Investigations
• As an investigator, you need to develop
formal procedures and informal checklists
• Cases of investigation
– Employee termination
– Internet abuse
– Email abuse
– Attorney-client privilege
– Industrial espionage
– Interviews and interrogations in high-tech investigations
Overview of a Computer Crime
• Computers can contain information that helps
law enforcement determine:
– Chain of events leading to a crime
– Evidence that can lead to a conviction
• Law enforcement officers should follow proper
procedure when acquiring the evidence
– Digital evidence can be easily altered by an
overeager investigator
• A potential challenge: information on hard disks
might be password protected, so forensics tools
may need to be used in your investigation
Types of Computer Crime
• Identity Theft
Phishing
Spyware
Discarded information
• Hacking
SQL injection
Password cracking (e.g., Ophcrack)
• Cyberstalking and Harassment
Types of Computer Crime
(Cont.)
• Fraud
Investment offer
Privacy and intellectual property
• Non-Access Computer Crime
DoS and DDoS
Viruses
Logic bombs
• Cyberterrorism
Understanding Data Recovery
Workstations and Software
• Investigations are conducted in a computer
forensics lab (or data-recovery lab)
– In data recovery, the customer or your company just
wants the data back
• Computer forensics workstation
– A specially configured PC
– Loaded with additional drive bays and forensics software
• To avoid altering the evidence:
– Starting any OS with the evidence disk attached lets
the OS write to it (mounting, journaling, timestamps)
– Use write-blocker devices
• They let you boot to Windows without writing data to the
evidence drive
Understanding Bit-Stream
Copies
• Bit-stream copy
– Bit-by-bit copy of the original storage medium
– Exact copy of the original disk
– Different from a simple backup copy
• Backup software copies only known (allocated) files
• Backup software cannot copy deleted files, e-mail
messages or file fragments in unallocated space
• Bit-stream image
– File containing the bit-stream copy of all data
on a disk or partition
– Also known as “image” or “image file”
Understanding Bit-stream
Copies (Cont.)
• Copy image file to a target disk that
matches the original disk’s manufacturer,
size and model
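The difference between a bit-stream copy and a backup, and the reason every acquisition ends with a hash, is easiest to see on a disk you built yourself. The script below is an added example, not code from the lecture, the textbook or ProDiscover: it writes a constructed 64 KiB "USB drive" containing one live file and the remnant of a deleted file, images it byte for byte the way dd does while hashing the stream, re-hashes the image to verify it, and then shows that a file-level backup of the same device misses the remnant. The one-entry table returned by make_evidence_device() stands in for the file system's directory, which is an assumption of the example; the acquisition record it returns is the kind of entry that goes into the chain-of-custody log.

```python
"""Bit-stream acquisition with hash verification against a constructed device (added example)."""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

DEVICE_SIZE = 64 * 1024
LIVE_FILE = b"quarterly report: revenue up 3%\n"
DELETED_REMNANT = b"DELETED-FILE: wire 40000 EUR to account 99\n"


def make_evidence_device(path):
    """Write the constructed device and return its (single) directory entry."""
    disk = bytearray(DEVICE_SIZE)
    disk[4096:4096 + len(LIVE_FILE)] = LIVE_FILE                    # allocated to report.txt
    disk[20480:20480 + len(DELETED_REMNANT)] = DELETED_REMNANT      # unallocated, no entry
    Path(path).write_bytes(disk)
    return {"report.txt": (4096, len(LIVE_FILE))}


def sha256_file(path, chunk_size=4096):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, target, chunk_size=4096):
    """Copy every byte of `source` to `target` (what dd does), hashing as it streams.

    The source is opened read-only, but that is no substitute for a hardware
    write blocker: the OS may still write to a device it has mounted.
    """
    src_hash, copied = hashlib.sha256(), 0
    with open(source, "rb") as src, open(target, "wb") as dst:
        for block in iter(lambda: src.read(chunk_size), b""):
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
    return {  # acquisition record for the chain-of-custody log
        "source": str(source),
        "image": str(target),
        "bytes_copied": copied,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_file(target),  # re-read what was actually written
        "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def backup_live_files(source, directory, target):
    """What ordinary backup software does: copy only the files the directory lists."""
    with open(source, "rb") as src, open(target, "wb") as dst:
        for offset, length in directory.values():
            src.seek(offset)
            dst.write(src.read(length))


def find_bytes(path, needle, chunk_size=4096):
    """Offset of the first `needle` in the file, or -1.

    Chunks overlap by len(needle) - 1 bytes so a hit straddling a boundary is not missed.
    """
    overlap, tail, base = len(needle) - 1, b"", 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            buf = tail + block
            idx = buf.find(needle)
            if idx >= 0:
                return base - len(tail) + idx
            tail = buf[-overlap:] if overlap else b""
            base += len(block)
    return -1


def run_demo():
    """Acquire and verify the constructed device, then compare with a file-level backup."""
    with tempfile.TemporaryDirectory() as tmp:
        device, image, backup = (Path(tmp) / n for n in ("usb.raw", "usb.dd", "backup.bin"))
        directory = make_evidence_device(device)
        record = acquire_image(device, image)
        backup_live_files(device, directory, backup)
        return {
            "verified": record["source_sha256"] == record["image_sha256"],
            "bytes_copied": record["bytes_copied"],
            "live_file_offset": find_bytes(image, LIVE_FILE),
            "remnant_in_image": find_bytes(image, DELETED_REMNANT),
            "remnant_in_backup": find_bytes(backup, DELETED_REMNANT),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real device, `dd if=/dev/sdX of=usb.dd bs=4096 conv=noerror,sync` followed by `sha256sum /dev/sdX usb.dd` does the same job; the point of hashing the source while reading and the image after writing is that the two values, recorded with a timestamp and the examiner's name, are what later lets you prove the image was not altered.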
Using ProDiscover Basic to
Acquire a USB Drive
• Create a work folder for data storage
• Steps to perform an acquisition on a USB
drive:
– On the USB drive locate the write-protect switch
and place the drive in write-protect mode
– Start ProDiscover Basic
– In the main window, click Action, Capture Image
from the menu
– Click the Source Drive drop-down list, and select
the thumb drive
Lab1: Using ProDiscover Basic
to Acquire a USB Drive
Reading Assignment 1
• Read Chapter 2, The Investigator's Office
and Laboratory
