
“Digital Forensics”

Let’s Grow Smart…

Mr. Raihan Patel


Assistant Professor
National Forensic Sciences University
“Introduction”
Let’s Learn…
Problem Statement

“What is Forensics?”

What to do if we need to find out who committed the crime digitally?

Introduction

▸ “The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.” (Zatyko, 2007)

Introduction

▸ Digital Forensics is defined as the process of preservation, identification, extraction, and documentation of computer evidence which can be used by the court of law.

▸ It is a science of finding evidence from digital media like a computer, mobile phone, server, or network.

Introduction

▸ Digital forensics encompasses much more than just laptop and desktop computers. Mobile devices, networks, and “cloud” systems are very much within the scope of the discipline.

▸ It also includes the analysis of images, videos, and audio (in both analog and digital format). The focus of this kind of analysis is generally authenticity, comparison, and enhancement.

Objectives of Computer Forensics

▸ It helps to recover, analyze, and preserve computer and related materials in such a manner that it helps the investigation agency to present them as evidence in a court of law.

▸ It helps to postulate the motive behind the crime and identity of the main culprit.

▸ Designing procedures at a suspected crime scene which helps you to ensure that the digital evidence obtained is not corrupted.

▸ Data acquisition and duplication: Recovering deleted files and deleted partitions from digital media to extract the evidence and validate them.

▸ Helps you to identify the evidence quickly, and also allows you to estimate the potential impact of the malicious activity on the victim.

▸ Producing a computer forensic report which offers a complete report on the investigation process.

▸ Preserving the evidence by following the chain of custody.
Types of Digital Forensics

Disk Forensics: It deals with extracting data from storage media by searching active, modified, or deleted files.

Network Forensics: It is a sub-branch of digital forensics. It is related to monitoring and analysis of computer network traffic to collect important information and legal evidence.

Wireless Forensics: It is a division of network forensics. The main aim of wireless forensics is to offer the tools needed to collect and analyze the data from wireless network traffic.

Database Forensics: It is a branch of digital forensics relating to the study and examination of databases and their related metadata.

Malware Forensics: This branch deals with the identification of malicious code, to study their payload, viruses, worms, etc.

Email Forensics: Deals with recovery and analysis of emails, including deleted emails, calendars, and contacts.

Memory Forensics: It deals with collecting data from system memory (system registers, cache, RAM) in raw form and then carving the data from the raw dump.

Mobile Phone Forensics: It mainly deals with the examination and analysis of mobile devices. It helps to retrieve phone and SIM contacts, call logs, incoming and outgoing SMS/MMS, audio, videos, etc.
Advantages of Digital Forensics

▸ To ensure the integrity of the computer system.

▸ To produce evidence in the court, which can lead to the punishment of the culprit.

▸ It helps the companies to capture important information if their computer systems or networks are compromised.

▸ Efficiently tracks down cybercriminals from anywhere in the world.

▸ Helps to protect the organization's money and valuable time.

▸ Allows to extract, process, and interpret the factual evidence, so it proves the cybercriminal's actions in the court.
Disadvantages of Digital Forensics

▸ Digital evidence is accepted into court. However, it must be proved that there is no tampering.

▸ Producing electronic records and storing them is an extremely costly affair.

▸ Legal practitioners must have extensive computer knowledge.

▸ Need to produce authentic and convincing evidence.

▸ If the tool used for digital forensics is not according to specified standards, then in the court of law the evidence can be disapproved by justice.

▸ Lack of technical knowledge by the investigating officer might not offer the desired result.
Process of Digital Forensics

▸ Digital forensics entails the following steps:

Identification

Preservation

Analysis

Documentation

Presentation
Process of Digital Forensics: Identification

It is the first step in the forensic process.

The identification process mainly includes things like what evidence is present, where it is stored, and lastly, how it is stored (in which format).

Electronic storage media can be personal computers, mobile phones, PDAs, etc.
Process of Digital Forensics: Collection / Preservation

In this phase, data is isolated, secured, and preserved.

It includes preventing people from using the digital device so that digital evidence is not tampered with.

This often involves seizing physical assets, like computers, phones or hard drives; care must be taken to ensure that no data is damaged or lost.
Process of Digital Forensics: Analysis

In this step, investigation agents reconstruct/recover data and draw conclusions based on evidence found.

For each relevant data item, examiners will answer the basic questions about it (who created it? who edited it? how was it created? when did this all happen?) and attempt to determine how it relates to the case.
Process of Digital Forensics: Documentation

In this process, a record of all the visible data must be created. It helps in recreating the crime scene and reviewing it.

It involves proper documentation of the crime scene along with photographing, sketching, and crime-scene mapping.
Process of Digital Forensics: Presentation

In this last step, the process of summarization and explanation of conclusions is done.

However, it should be written in layperson's terms using abstracted terminologies.

All abstracted terminologies should reference the specific details.
What Can We Expect from Digital Forensics Analysis?

▸ Data Recovery: includes recovering and analyzing deleted files that have not been overwritten, as well as carving out portions of files and text from unallocated and slack space.

▸ String and Keyword Searching: involves looking at known and unknown files, as well as unallocated and slack space, to identify readable text within a binary file or to find a file that contains a specific string.

▸ Volatile Evidence Analysis: gives the analyst the ability to see what state the system is currently in by peering into connections, processes and cache tables.
Standard Operating Procedures
“Locard's Principle”
Let’s Trace It…
Locard's Principle

Dr. Edmond Locard, a forensic science pioneer in France, formulated the theory which states, “Every contact leaves a trace”.

Edmond Locard, also called the “Sherlock Holmes of France”, was an important forensic scientist of the 19th century.

The fundamental principle formulated by him – Locard’s Exchange Principle – is essential for today’s law enforcement.

According to Locard’s exchange principle, every perpetrator of a crime will bring something into the crime scene and take something of the crime scene with them.

In the digital investigation, both of these occurrences can be used as digital evidence in a forensic investigation.

In other words, Locard believed that no matter where a criminal goes or what a criminal does, he will leave something at the scene of the crime.

A criminal can leave all sorts of evidence, including fingerprints, footprints, hair, skin, blood, bodily fluids, pieces of clothing and more. By coming into contact with things at a crime scene, a criminal also takes part of that scene with him, whether it's dirt, hair or any other type of trace evidence.
“Chain of Custody”
Let’s Find It…
Chain of Custody

The term chain of custody refers to the process of maintaining and documenting the handling of evidence.

In criminal and civil law, the term “chain of custody” refers to the order in which items of evidence have been handled during the investigation of a case.

Definition: “Chain of custody (CoC), in legal contexts, is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence.”

Not only does it help establish the elements of the crime, but it can also identify a victim or perpetrator.
Chain of Custody

An item will not be accepted as evidence during the trial, and will not be seen by the jury, if the chain of custody is broken, that is, if there is no properly documented trail without gaps or discrepancies.

In order to convict a defendant of a crime, the evidence against them must have been handled in a careful manner to prevent tampering or contamination.

The Chain of Custody Form (CCF or CoC) is used to record all changes in the seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence.

A typical Chain of Custody Form will describe the evidence and detail the location and conditions under which the evidence was collected.
Some Sample Chain of Custody Form:
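For electronic evidence the chain of custody form is usually paired with a cryptographic hash taken at acquisition, so that every later hand-over can show the item is byte-for-byte unchanged. The following is an added example, not a form or tool from the lecture: a hypothetical in-memory custody record where each entry carries the SHA-256 of the evidence at that hand-over, and `verify()` reports any hash mismatch or out-of-order timestamp (the kind of gap or discrepancy that gets evidence excluded). The evidence bytes, names and timestamps are constructed.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ChainOfCustody:
    """Hypothetical custody record for one evidence item: each hand-over stores
    custodian, action, ISO 8601 timestamp and the SHA-256 of the evidence at
    that moment, so a later hash that differs from acquisition exposes tampering."""

    def __init__(self, item_id, description, seized_by, data, when):
        self.item_id = item_id
        self.description = description
        self.acquisition_hash = sha256_hex(data)   # reference hash taken at seizure
        self.entries = []
        self.record(seized_by, "seizure", data, when)

    def record(self, custodian, action, data, when):
        self.entries.append({"custodian": custodian, "action": action,
                             "timestamp": when, "sha256": sha256_hex(data)})

    def verify(self):
        """Return (ok, problems): every hash must equal the acquisition hash and
        timestamps must be chronological; any deviation is a documented defect."""
        problems, last = [], ""
        for n, e in enumerate(self.entries):
            if e["sha256"] != self.acquisition_hash:
                problems.append(f"entry {n}: hash mismatch at '{e['action']}' by {e['custodian']}")
            if e["timestamp"] < last:
                problems.append(f"entry {n}: timestamp out of order")
            last = e["timestamp"]
        return (not problems, problems)

# Constructed 512 bytes standing in for an acquired disk image (not a real image).
EVIDENCE = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 499 + b"\x55\xaa"

def demo_intact():
    coc = ChainOfCustody("EX-001", "USB drive image (constructed)", "Officer A",
                         EVIDENCE, "2024-01-10T09:00:00Z")
    coc.record("Examiner B", "transfer to lab", EVIDENCE, "2024-01-10T14:00:00Z")
    coc.record("Examiner B", "analysis", EVIDENCE, "2024-01-11T10:00:00Z")
    return coc.verify()

def demo_tampered():
    coc = ChainOfCustody("EX-002", "USB drive image (constructed)", "Officer A",
                         EVIDENCE, "2024-01-10T09:00:00Z")
    altered = EVIDENCE[:100] + b"X" + EVIDENCE[101:]   # a single byte changed
    coc.record("Examiner B", "analysis", altered, "2024-01-11T10:00:00Z")
    coc.record("Clerk C", "return to storage", altered, "2024-01-09T08:00:00Z")
    return coc.verify()
```

In practice the hash is computed with a validated tool and written on the paper or electronic form itself, and the examiner works on a verified copy rather than the seized original.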
“Boot Process”
Let’s Reload…
Windows OS Boot Process

Booting:

Booting is a process in which your computer gets initialized. This process includes initializing all the hardware components in your computer, getting them to work together, and loading your default operating system, which will make your computer operational.

Operating system:

An operating system or OS is a software program that enables the computer hardware to communicate and operate with the computer software.
Windows OS Boot Process

All computers running the Windows family share the same startup sequence:

Power-on self test (POST) phase

Boot loader phase

Detect and configure hardware phase

Kernel loading phase

Logon phase
Windows OS Boot Process

Power On Self Test phase (POST):

The pre-boot sequence begins when the power is turned on.

The computer runs Power-On Self Test (POST) routines to determine the amount of physical memory and the other hardware components present.

The computer’s BIOS locates the boot device, and then loads and runs the Master Boot Record (MBR).

If the computer has a plug and play BIOS, the hardware is recognized and configured.
Windows OS Boot Process

▸ When you switch on the computer.

▸ BIOS is initialised first. It does POST (Power On Self Test) to check whether all hardware is working fine.

▸ The POST routines are part of a device's pre-boot sequence, and only once they complete successfully is the bootstrap loader code invoked to load an operating system (bootmgr file).
Windows OS Boot Process

▸ Next, the MBR (Master Boot Record) is accessed.

▸ Next comes the boot loader (boot.ini).

▸ The complete kernel is loaded along with the login screen.
Some Popular Bootloaders
Master Boot Record

▸ The MBR is the first and most important component on the software side of things in the boot procedure on BIOS-based machines.

▸ The MBR contains the partition table, which is an index of up to four partitions that exist on the same disk, which means you can have different operating systems on the same disk.
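The MBR layout described above is small enough to parse by hand: 446 bytes of boot code, four 16-byte partition entries and the two-byte 0x55AA signature. The following added example (not part of the lecture) builds a constructed MBR, parses the four entries and then lists the sector ranges no partition covers, which an examiner images and inspects as well because data can sit there unseen by the operating system. The sample partition layout and the type-code table are assumptions for the demonstration.

```python
import struct

ENTRY_FMT = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, sector count

def _entry(boot, ptype, lba_start, sectors):
    # CHS fields are zeroed in this constructed table; the LBA fields carry the layout.
    return struct.pack(ENTRY_FMT, boot, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

# Constructed 512-byte MBR (not from a real disk): 446 bytes of boot code,
# four 16-byte partition entries, then the 0x55AA signature.
SAMPLE_MBR = (
    b"\x00" * 446
    + _entry(0x80, 0x07, 2048, 204800)     # bootable NTFS-type partition, 100 MiB
    + _entry(0x00, 0x83, 206848, 409600)   # Linux partition, 200 MiB
    + _entry(0, 0, 0, 0) + _entry(0, 0, 0, 0)
    + b"\x55\xaa"
)

PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0b: "FAT32",
                   0x0f: "Extended (LBA)", 0x83: "Linux", 0xee: "GPT protective"}

def parse_mbr(sector, sector_size=512):
    """Return the non-empty entries of the MBR partition table as dicts."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: short sector or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        boot, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:            # empty slot
            continue
        parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                      "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                      "lba_start": lba, "sectors": count,
                      "byte_offset": lba * sector_size, "size_bytes": count * sector_size})
    return parts

def unallocated_ranges(parts, total_sectors):
    """Sector ranges (inclusive) covered by no partition; sector 0 is the MBR."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - 1))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps
```

A disk whose only entry is type 0xEE carries a protective MBR and the real layout lives in the GPT, so the parser's result should be read as "look at the GPT next" rather than as the partition list.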
Any Questions?
THANKS!
