
Forensic Science

BY: Pedro Pereira (2020341058), Jennifer Manhice


Concept of Forensics:

• Forensic Science is the use of science to solve crimes and legal disputes. Cybersecurity
Forensics is the prevention, detection, and mitigation of cyberattacks, in conjunction with
the capability to gather digital evidence and conduct cybercrime investigations.
• The aim of a forensic investigation is to uncover the details of a breach or malicious attack
and the party or parties responsible.
• Most importantly, for digital evidence to be admissible in a court of law, the process
followed by the forensic expert must not modify any of the original data, and the results
must be untainted by whichever party is funding the work. This means that when working
on forensics, all work is done on a digital copy of the system, and the copy is verified
against the original before and after analysis.
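The "work on a copy and never modify the original" rule is usually enforced by hashing: the examiner records a hash of the image at acquisition time and re-hashes it before and after every analysis step. The following Python is an added example, not code from the slides or from any forensic tool; the "drive" contents, the examiner name and the keyword search are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for a seized drive: three 512-byte "sectors", with a document
# fragment in the middle one. In a real acquisition these bytes are read through a
# hardware write blocker so the source device can never be written to.
SECTOR = 512
ORIGINAL_DRIVE = (
    b"\x00" * SECTOR
    + b"Invoice 2023-07 amount due 4,200 EUR".ljust(SECTOR, b"\x00")
    + b"\xff" * SECTOR
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceImage:
    """A working copy of the evidence plus the hash recorded when it was acquired."""
    data: bytes
    acquisition_hash: str
    log: list = field(default_factory=list)   # minimal chain-of-custody record


def acquire(source: bytes, examiner: str) -> EvidenceImage:
    """Bit-for-bit copy of the source; the source object itself is only ever read."""
    image = bytes(source)
    digest = sha256_hex(image)
    return EvidenceImage(image, digest, [f"acquired by {examiner}, sha256={digest}"])


def verify(image: EvidenceImage) -> bool:
    """Re-hash the copy and compare with the acquisition hash (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(image.data), image.acquisition_hash)


def find_keyword(image: EvidenceImage, keyword: bytes) -> list[int]:
    """Read-only analysis step: every byte offset at which the keyword occurs."""
    offsets = []
    start = 0
    while (pos := image.data.find(keyword, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    image.log.append(f"keyword search {keyword!r}: {len(offsets)} hit(s)")
    return offsets


def sector_of(offset: int) -> int:
    return offset // SECTOR


if __name__ == "__main__":
    img = acquire(ORIGINAL_DRIVE, "examiner-1")
    print("image verified before analysis:", verify(img))
    hits = find_keyword(img, b"Invoice")
    print("hits at offsets", hits, "in sectors", [sector_of(h) for h in hits])
    print("image verified after analysis:", verify(img))

    # Simulated mishandling: a tool that writes into the evidence copy. The hash check
    # catches it, which is exactly why the check is run after every step.
    tampered = EvidenceImage(bytearray(img.data), img.acquisition_hash)
    tampered.data[SECTOR] = ord("X")
    print("tampered copy verified:", verify(tampered))
    for entry in img.log:
        print("log:", entry)
```

Expected run: the copy verifies before and after the keyword search, the keyword is found once at offset 512 (sector 1), and the deliberately modified copy fails verification.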
Techniques of Forensic Science

Using a variety of techniques, the role of the forensic investigator may include:
• Monitoring a network infrastructure for breaches/attacks;
• Mitigating the effects of a network breach;
• Applying risk assessment methodologies in selecting and configuring security
controls to protect information assets;
• Preparing a cybersecurity forensics evidence report.
Forensic Data

• Forensic data capture provides the information needed to verify high-priority or more complicated
incident investigations, which often lead to breach investigations. If a breach is validated, all data
and results will be required by government and regulatory bodies; however, the data will be of most
use to investigators because of the detail with which it is collected and the depth of its contents.
• Two types of data are typically collected in data forensics.
• The first type of data collected in data forensics is called persistent data. Persistent data is data
that is permanently stored on a drive, making it easier to find.
• The other type of data collected in data forensics is called volatile data. Volatile data is impermanent
and elusive, which makes this type of data more difficult to recover and analyse.
Types of Collected Data
Types of collected data may include:
• Actions performed by a person or technology;
• Notification of an event;
• Details of an event;
• Activity consistently gathered electronically and in real time from a given
source.
Data Loss
• Forensics expert and educator Rob Lee from the SANS Institute stated: "Data is incredibly difficult to
get rid of". This is because an individual who has files stored on a single drive might also have
connections into the cloud, might have e-mail stored on Yahoo or Hotmail, and could have data posted on
Twitter accounts; everything is spread everywhere.

For someone intent on destroying data, Lee says, there are three basic tactics:
• Delete the file: which is largely ineffective because of the proliferation of backups that exist on the
machine or on servers.
• Wipe the hard drive: which can be effective, even with just a single-pass electronic wipe.
• Destroy the hard drive: which is harder to accomplish than it sounds, Lee says.
Data Loss Prevention

• Data loss prevention (DLP) is a set of tools and processes used to ensure that sensitive data is not lost,
misused, or accessed by unauthorized users. DLP software classifies regulated, confidential and business
critical data and identifies violations of policies defined by organizations or within a predefined policy pack,
typically driven by regulatory compliance such as HIPAA, PCI-DSS, or GDPR.
• Once those violations are identified, DLP enforces remediation with alerts, encryption, and other protective
actions to prevent end users from accidentally or maliciously sharing data that could put the organization at
risk.
• Data loss prevention software and tools monitor and control endpoint activities, filter data streams on
corporate networks, and monitor data in the cloud to protect data at rest, in motion, and in use. DLP also
provides reporting to meet compliance and auditing requirements and to identify areas of weakness and
anomalies for forensics and incident response.
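The classification and remediation steps described above can be shown on a small content filter. The Python below is an added example, not the slides' content or any DLP product's code: it applies three constructed policy rules (a PCI-DSS style card-number rule with a Luhn check, a PII rule for US social security numbers, and a "CONFIDENTIAL" marker rule) to constructed outbound messages, masks what it finds so the secret never reaches the alert log, and maps the worst finding to an action.

```python
import re
from dataclasses import dataclass

# Constructed outbound messages (no real data) that a DLP content filter would inspect.
SAMPLE_MESSAGES = [
    "Quarterly numbers attached, see you Monday.",
    "Card on file: 4111 1111 1111 1111, exp 09/27",
    "Invoice ref 1234 5678 9012 3456 for PO 88",
    "CONFIDENTIAL: draft merger terms, do not forward",
    "Applicant SSN 078-05-1120 for background check",
]


@dataclass
class Finding:
    rule: str        # policy rule that fired
    severity: int    # 1 = low ... 3 = high
    evidence: str    # masked excerpt; the alert log never holds the full secret


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters, as card-processing logs usually do."""
    return "*" * (len(value) - 4) + value[-4:]


PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def scan(message: str) -> list[Finding]:
    """Apply every policy rule to one message and return the findings."""
    findings = []
    for m in PAN_RE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("pci-pan", 3, mask(digits)))
    for m in SSN_RE.finditer(message):
        findings.append(Finding("pii-ssn", 3, mask(m.group())))
    if "CONFIDENTIAL" in message:
        findings.append(Finding("confidential-marker", 2, "CONFIDENTIAL"))
    return findings


def decide(findings: list[Finding]) -> str:
    """Map the worst finding to a remediation action, as a DLP policy pack would."""
    worst = max((f.severity for f in findings), default=0)
    return {0: "allow", 1: "alert", 2: "encrypt", 3: "block"}[worst]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        findings = scan(msg)
        print(f"{decide(findings):8} {msg}")
        for f in findings:
            print(f"         {f.rule} (sev {f.severity}): {f.evidence}")
```

The invoice reference in the third message is sixteen digits but fails the Luhn check, so it is allowed; that check is what keeps a card-number rule from flooding the console with false positives on order numbers and serial numbers.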
Examples

Examples of the main use cases for data loss prevention:


• Personal Information Protection/Compliance;
• IP Protection;
• Data Visibility.
Data Wiping

• Data wiping is another example of an anti-forensic technique. Data wiping is used to delete files and file
systems, rendering them unrecoverable. Its legitimate purpose is to securely delete unwanted files.
However, the misuse of data wiping can destroy evidence, spoiling a digital forensic investigation.
• To cope with the misuse of data wiping, an anti-anti-forensic method based on NTFS transaction features
and a machine learning algorithm has been proposed (the De-Wipimization paper listed under References).
• This method allows investigators to obtain information regarding "which files were wiped" and "which data
wiping tools and data sanitization standards were used".
• When getting rid of or reusing outdated digital equipment, one of the biggest concerns for computer users and
many businesses is data security, confidentiality, or privacy. When you sell, give away, or discard your outdated
PC or hard drives, your company information or private documents could easily end up in the wrong hands.
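A first, metadata-free step towards "which regions were wiped, and with what" is to classify each block of an image by its byte statistics: constant fill (zeros or 0xFF) and uniformly random bytes are the signatures of the common sanitization passes. The Python below is an added example written for this deck; it is not the NTFS-transaction method of the cited paper, and the image it scans is constructed (two text blocks, a zero-filled run, a random-overwrite run and a 0xFF block).

```python
import math
import random
from collections import Counter

BLOCK = 4096   # classification granularity; a cluster or a multiple of the sector size in practice


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, approaching 8.0 for uniformly random bytes."""
    counts = Counter(block)
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_block(block: bytes) -> str:
    if not block:
        return "empty"
    if block.count(block[0]) == len(block):
        return "zero-fill" if block[0] == 0 else f"fill-0x{block[0]:02x}"
    if shannon_entropy(block) > 7.5:
        # A random overwrite pass looks like this, but so do compressed and encrypted
        # files; file-system metadata (e.g. NTFS journal records) is needed to tell them apart.
        return "random-fill"
    return "data"


def classify_image(image: bytes) -> list[tuple[int, str]]:
    return [(i // BLOCK, classify_block(image[i:i + BLOCK]))
            for i in range(0, len(image), BLOCK)]


def wipe_runs(labels: list[tuple[int, str]]) -> list[tuple[int, int, str]]:
    """Collapse consecutive non-data blocks with the same label into (first, last, label) runs."""
    runs = []
    for idx, label in labels:
        if label == "data":
            continue
        if runs and runs[-1][2] == label and runs[-1][1] == idx - 1:
            runs[-1] = (runs[-1][0], idx, label)
        else:
            runs.append((idx, idx, label))
    return runs


# Constructed image: 2 text blocks, 3 zero-filled blocks (single-pass zero wipe),
# 2 random blocks (random overwrite pass), 1 block of 0xFF, then 1 more text block.
rng = random.Random(42)
TEXT = (b"Meeting notes 2023: the vendor contract was renewed; see attachment. " * 80)[:BLOCK]
SAMPLE_IMAGE = (
    TEXT * 2
    + b"\x00" * (3 * BLOCK)
    + rng.randbytes(2 * BLOCK)
    + b"\xff" * BLOCK
    + TEXT
)


if __name__ == "__main__":
    labels = classify_image(SAMPLE_IMAGE)
    for idx, label in labels:
        print(f"block {idx}: {label}")
    print("suspected wipe runs (first, last, pattern):", wipe_runs(labels))
```

Expected output groups blocks 2 to 4 as a zero-fill run, blocks 5 and 6 as a random-fill run and block 7 as a 0xFF fill; an investigator would then correlate those block ranges with file-system records to learn which files occupied them before the wipe.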
Data Recovery

• Data recovery, although a must when the need arises, isn't something you can easily
dabble with if you lack the technical knowledge and skills required. Forensics is another
concept that is just as complex as it is different from data recovery.
• Forensic experts are tasked with retrieving lost data from hard drives that were
intentionally damaged when the crime was committed. Forensic data recovery is an
exclusive process of restoring data and files which will be utilized for legal purposes.
• Unlike common data recovery tools, forensic data recovery is more complicated. It is used
to recover data and files from storage devices taken as proof or found at crime scenes.
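Both the Data Loss slide (deleting a file is "largely ineffective") and the recovery slides above rest on the same fact: deletion normally unlinks a directory entry and leaves the file's bytes on disk until they are overwritten, so a forensic tool can carve them back out by file signature. The Python below is an added example for this deck, not a real file system or recovery product: it builds a toy volume with a directory table, "deletes" a file, carves it back by its header and trailer, and then shows that wiping the free space (the second of Lee's tactics) is what actually removes it.

```python
import hashlib

# Header / trailer byte signatures used by carvers; the PNG trailer is the constant IEND chunk.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

# Constructed file contents: correct signatures around placeholder bodies, not real images.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17 + b"IEND\xae\x42\x60\x82"
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-body-" * 5 + b"\xff\xd9"
SECTOR = 512


class ToyVolume:
    """Directory table plus a sector-aligned data area. Deleting only unlinks the entry."""

    def __init__(self, size: int):
        self.data = bytearray(size)
        self.directory: dict[str, tuple[int, int]] = {}   # name -> (offset, length)
        self._next = 0

    def write(self, name: str, content: bytes) -> int:
        off = self._next
        self.data[off:off + len(content)] = content
        self.directory[name] = (off, len(content))
        self._next += len(content) + (SECTOR - len(content) % SECTOR) % SECTOR
        return off

    def delete(self, name: str) -> None:
        del self.directory[name]   # the bytes stay in the data area

    def allocated_sectors(self) -> set[int]:
        used = set()
        for off, length in self.directory.values():
            used.update(range(off // SECTOR, (off + length - 1) // SECTOR + 1))
        return used


def carve(image: bytes) -> list[tuple[str, int, bytes]]:
    """Signature carving: for each file type, pair every header with the next trailer."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = 0
        while (s := image.find(head, start)) != -1:
            e = image.find(tail, s + len(head))
            if e == -1:
                break
            end = e + len(tail)
            found.append((kind, s, bytes(image[s:end])))
            start = end
    return sorted(found, key=lambda f: f[1])


def wipe_free_space(vol: ToyVolume) -> int:
    """Overwrite every sector not referenced by the directory with zeros; returns sectors wiped."""
    used = vol.allocated_sectors()
    wiped = 0
    for sec in range(len(vol.data) // SECTOR):
        if sec not in used:
            vol.data[sec * SECTOR:(sec + 1) * SECTOR] = bytes(SECTOR)
            wiped += 1
    return wiped


def build_sample_volume() -> ToyVolume:
    vol = ToyVolume(4 * SECTOR)
    vol.write("notes.txt", b"meeting notes")
    vol.write("photo.png", FAKE_PNG)
    vol.write("scan.jpg", FAKE_JPEG)
    vol.delete("photo.png")   # the user "got rid of" the photo
    return vol


if __name__ == "__main__":
    vol = build_sample_volume()
    print("directory after delete:", sorted(vol.directory))
    for kind, off, blob in carve(vol.data):
        print(f"carved {kind} at offset {off}, sha256={hashlib.sha256(blob).hexdigest()[:16]}...")
    print("wiped free sectors:", wipe_free_space(vol))
    print("carved after wipe:", [(k, o) for k, o, _ in carve(vol.data)])
```

The carved PNG is byte-for-byte identical to what was written, which the hash confirms, even though the directory no longer lists it; after the free-space wipe only the still-allocated JPEG is carvable.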
Focused recovery and analysis

Focused recovery and analysis areas include:


• Admissible digital evidence;
• Event Reconstruction;
• Quality of Recovered Data;
• Spoliation of Evidence.
When do we engage forensics?

• Forensics experts are ultimately focused on the finest of details and hence
can make all the difference when it comes to cases that need to be stitched
together to present a clear and robust case.
• Given the often-complex nature of the cases forensic experts are asked to
investigate, the ability to think laterally and beyond the obvious is also
key. It is experience that allows a forensic expert to determine the most
likely hypotheses in a case, test them scientifically, and present evidence
that will lead to a successful case outcome.
How do we engage forensics?

• The primary objective of digital forensics is to identify, collect, preserve, and analyse electronic data
in a way that is legally admissible and scientifically sound. Digital forensics is a complex, multi-step
process designed to meet both of those requirements. More specifically, digital forensics aims to:
• Investigate cybercrime;
• Recover lost or deleted data;
• Support legal proceedings;
• Prevent digital misconduct;
• Protect critical infrastructure.
References

• 5 Steps for Conducting Computer Forensics Investigations | Norwich University Online
• Got Evidence? How to Improve Forensic Science | NIST
• The 8 Best Forensic Data Recovery Software [2023] (wondershare.com)
• De-Wipimization: Detection of data wiping traces for investigating NTFS file system - ScienceDirect
• Forensic science - Wikipedia
