Contents

Overview of Digital Forensics
• Chapter 1: Understanding Digital Forensics
• Chapter 2: Digital Forensics Investigation Process

Digital Evidence
• Chapter 3: Data Acquisition

Tools
• Chapter 4: OS and Multimedia Forensics
• Chapter 5: Network Forensics
• Chapter 6: E-mail & Social Media Forensics
• Chapter 7: Various Internet Forensics

Reporting
• Chapter 8: Report Writing & Expert Witness

Evidence Basics
• Evidence is proof of a fact about what did or did not happen
• Three types of evidence can be used to persuade someone:
  • Testimony of a witness: can be subjective and colored by a person’s attitude; relies primarily on the senses, sight and hearing
  • Physical evidence: anything tangible; links to the perpetrator
  • Electronic evidence: evidence in electronic form
  • Miscellaneous evidence: does not fall under the above types; examples: polygraph, psychological exam, etc.
• Corpus delicti evidence: the evidence that proves that a crime has been committed
• Both cyber crimes and traditional crimes can leave cybertrails of evidence

Types of Evidence
• Artifact evidence: a change in evidence that causes the investigator to think the evidence relates to the crime
• Inculpatory evidence: evidence that indicates a suspect is guilty of the crime he or she is charged with (demonstrating guilt)
• Exculpatory evidence: evidence that indicates the suspect is innocent of the crime (clearing the defendant of guilt)
• Admissible evidence: evidence allowed to be presented at trial
• Inadmissible evidence: evidence that cannot be presented at trial
  • Tainted evidence: evidence obtained from an illegal search or seizure
Source: https://www.ericgjohnsonlaw.com/what-kind-of-evidence-is-admissible-in-court/

Types of Evidence (cont.)
• Direct evidence: based on personal knowledge or observation of the person testifying
• Circumstantial/indirect evidence: shows circumstances that logically lead to a conclusion of fact
• Hearsay evidence: secondhand evidence
• Material evidence: evidence relevant and significant to the lawsuit
• Immaterial evidence: evidence that is not relevant or significant

Digital Evidence (DE)
• Digital evidence is data and information of value to an investigation;
  • that is stored on, received, or transmitted by a digital device;
  • it is acquired when data or a digital device are seized and secured for examination.
• Digital evidence is found in files such as:
  • Graphics files
  • Audio and video recordings and files
  • Internet browser histories
  • Server logs
  • Word processing and spreadsheet files
  • Emails
  • Log files

Digital Evidence can…
• Lead to an investigation
• Be supporting evidence
• Be key evidence

Principle of DE
• Relevance: able to demonstrate that the material acquired is relevant to the investigation.
• Reliability: all processes used in handling evidence are auditable and repeatable.
• Sufficient: enough material has been gathered to allow a proper investigation to be carried out.
• Admissible: the most basic rule of EVIDENCE! It must be able to be used in court.

Key Aspects in DE Handling
1. Justifiable: all actions taken are able to be justified (the best method and steps at the point in time for handling that DE)
2. Auditable: it should be possible for other parties to evaluate the activities performed by the First Responder & Forensics Analyst
3. Repeatable: able to produce the same results under these conditions:
  • Use the same procedures & methods
  • Use the same tools
  • Can be repeated at any time after the analysis
4. Reproducible: able to produce the same results under these conditions:
  • Use the same procedures & methods
  • Use the same tools
  • Can be reproduced at any time after the analysis

Challenging Aspects of DE
1. Forensics investigators face many challenges while preserving digital evidence, as it is a chaotic form of evidence & it is critical to handle it correctly
2. During the investigation, it can be altered maliciously or unintentionally without leaving any traces
3. DE is circumstantial, which makes it difficult for a forensics investigator to trace the system’s activity
4. The resulting activity may create data remnants that give an incomplete view of the actual evidence

The Role of DE
• To establish a credible link between the attacker, victim and the crime scene
• According to Locard’s Exchange Principle, “anyone or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave”
• E.g.: if any information from the victim’s computer is stored on the server or system itself, the investigator can trace that information by examining log files, Internet browsing history, etc.
• Roles in the crime (diagram labels): as a tool, as a target, incidental to the crime

Fragility of DE
• DE is fragile in nature
• During the investigation of the crime scene, if the computer is turned off, the data which is not saved can be lost permanently
• If the computer is connected to the Internet, the person involved in the crime may delete the evidence by deleting the log files
• After the incident, if a user “writes” any data to the system, it may overwrite the crime evidence

Rules of Evidence
• Evidence that is to be presented in the court must comply with the established rules of evidence
• Prior to the investigation process, it is important that the investigator understands the rules of evidence
• Definition:
  • Rules of evidence govern whether, when, how and for what purpose proof of a case may be placed before a trier of fact for consideration
  • The trier of fact may be a judge or a jury depending on the purpose of the trial and the choices of the parties

Best Evidence Rule
• The best evidence rule is established to prevent any alteration of DE, either intentionally or unintentionally
• It states that the court only allows the original evidence of a document, photograph, or recording at the trial rather than a copy, but a duplicate will be allowed as evidence under the following conditions:
  • Original evidence destroyed due to fire/flood
  • Original evidence destroyed in the normal course of business
  • Original evidence in possession of a third party

GOLDEN RULES
• Whenever possible, it is best to have a trained Digital Forensics Examiner/Analyst collect DE
• Do you have a legal basis to seize the computer? (search warrant, consent?)
• If you have reason to believe that the computer is involved in the crime you are investigating, take immediate steps to preserve the evidence
• If the computer is OFF, leave it OFF. DO NOT power it on to begin searching through the computer
• If the computer is ON, follow a guide on how to properly secure the computer and preserve the evidence
• If you reasonably believe that the computer is destroying evidence, immediately shut down the computer by pulling the power cord from the back of the computer
• In all instances, document the location and state of the computer, including attached electronic media
• In all instances, take photographs of the computer, the location of the computer and any electronic media attached. If the computer is on and the screen is blank, move the mouse or press the space bar (this will display the active image on the screen), then photograph the screen
• Do special legal considerations apply (doctor, attorney, newspapers, etc.)?

Types of Digital Data
• Volatile Data
  • Volatile data can be modified
  • Data that is lost when a computer is turned off
  • E.g.: system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history
• Non-Volatile Data
  • Used for secondary storage & is long-term persisting
  • E.g.: hidden files, slack space, swap file, unallocated clusters, unused partitions, registry settings, event logs

Why is Volatile Data Important?
• Gain initial insight
  • Current state of the system
  • What activities are currently/were being executed
  • Validity of the alert that flagged the suspicious computer
  • Root of the problem
• Determine a logical timeline of the incident
  • Identify the time, date, and user responsible for the security incident
• Determine next step
  • Decide whether a full collection of the persistent data on the suspicious computer is necessary
• One chance to collect
  • After the system is rebooted or shut down, it’s too late!

Types of Digital Data (cont.)
• Transient Data
  • Transient data contains information such as open network connections, user logout, programs that reside in memory & cache data
  • If the machine is turned off, all this information is lost permanently
• Fragile Data
  • Information that is temporarily saved on the hard disk and can be changed
  • E.g. information such as last access time stamps, access data on files, etc.

Types of Digital Data (cont.)
• Temporary Accessible Data
  • Stored on the hard disk and accessible only for a certain time
  • E.g.: data like encrypted file system information
• Active Data
  • Data presently used by the parties for their daily operations
  • Direct and straightforward to recognize and access using the current system
• Archival Data
  • Manages data for long-term storage and maintains records
• Backup Data
  • A copy of the system data
  • Can be used at any time in the recovery process after a disaster or system crash

Types of Digital Data (cont.)
• Residual Data
  • The data that remains stored on a computer when a document is deleted
  • When a file is deleted, the computer tags the file space instead of clearing the file contents
  • The file can be retrieved until the space is reused
• Metadata
  • Maintains a record about a particular document
  • The record includes the file format and how, when and who created, saved, and modified the file

Digital Devices: Types and Collecting Potential Evidence
• Evidence is found in files that are stored on servers, memory cards, HDDs, removable storage devices and media

Digital Devices: Types and Collecting Potential Evidence (cont.)
• Storage devices
  • Hard drive
  • Thumb drive
  • Memory card
• Access control devices
  • Smart card
  • Dongle
  • Biometric scanner
  • Evidence is found in recognizing or authenticating the information of the card and the user, level of access, configurations, permissions and in the device itself

Digital Evidence Examination Process
• Evidence Assessment → Evidence Acquisition → Evidence Preservation → Evidence Examination & Analysis → Evidence Documentation & Reporting

Evidence Assessment
• The digital evidence should be thoroughly assessed with respect to the scope of the case to determine the course of action
• Conduct a thorough assessment by reviewing the search warrant or other legal authorization, case details, nature of hardware & software, potential evidence sought, and the circumstances surrounding the acquisition of the evidence

Evidence Assessment
• Prioritize the evidence where necessary
• Determine how to document the evidence
• Assess the need to provide continuous electric power to battery-operated devices
• Evaluate storage locations for electromagnetic interference
• Determine the condition of the evidence as a result of packaging, transport or storage

Prepare for Evidence Acquisition
• All the actions and outcomes of the previous phases of the DE examination process should be determined properly
• Documentation that helps in preparing for evidence acquisition:
  • An initial estimate of the impact of the situation on the organization’s business
  • A detailed network topology diagram that highlights the affected computer systems
  • Summaries of interviews with users and system administrators
  • Outcomes of any legal and third-party interactions
  • Reports and logs generated by tools used during the assessment phase
  • A proposed course of action

Common First Responder Mistakes
• Shutting off or rebooting the machine
• Assuming that some parts of the suspicious computer are reliable and usable
• Not having access to baseline documentation about the suspicious computer
• NOT DOCUMENTING THE DATA COLLECTION PROCESS

Evidence Acquisition
• Evidence Acquisition from Crime Location
  • Disassemble the case of the computer to be examined to permit physical access to the storage devices
  • Ensure that the equipment is protected from static electricity and magnetic fields
  • Identify the storage devices that need to be acquired; these devices can be internal, external or both
  • Disconnect the storage devices from the motherboard, using the power connector or data cable at the back of the drive, to prevent the destruction, damage or alteration of data

Evidence Preservation
• Preserving Digital Evidence checklist
  • Document the actions and changes that you observe on the monitor, computer, printer or other peripherals
  • Verify whether the monitor is on, off or in sleep mode
  • Remove the power cable depending on the power state of the computer
  • Do not turn “on” the computer if it is in the “off” state
  • Take a photo of the monitor screen if the computer is in the “on” state
  • Check the connections of the telephone modem, cable, ISDN and DSL
  • Remove the power plug from the router or modem

Home Personal Computer or Laptop Computer
• Do not use the computer or attempt to search for evidence
• Photograph the surrounding area prior to moving any evidence
• Photograph the front and back of the computer and label cords and connected devices
• If the computer is OFF, leave it OFF. DO NOT power it on to begin searching through the computer
• If the computer is ON and something is displayed on the monitor, photograph the screen
• If the computer is ON and the screen is blank, move the mouse or press the space bar (this will display the active image on the screen), then photograph the screen
• If the computer is ON and a DF Examiner/Analyst is available, consider conducting a volatile memory (RAM) acquisition to capture the data that may be lost when powered off

Home Personal Computer or Laptop Computer (cont.)
• If the computer is ON and networked (attached to a network device such as a router) and a DF Examiner/Analyst is available, consider capturing the volatile network information (IP addresses, open ports, active network connections) and network logs if applicable
• If networked, unplug the power to the network device(s), and record the MAC address(es) from the device(s)
• If a DF Examiner/Analyst is unavailable, unplug the power cord from the back of the computer
• If the laptop computer does not shut down when the power cord is removed, locate and remove the battery
• If the laptop battery cannot be removed, shut down the computer as normal*
*It is important to note that laptop computers often have wireless communication capabilities and could potentially be manipulated by the owner if the laptop has power and the ability to receive a wireless signal. Consider using a Faraday bag or similar to block communication to the laptop computer

Home Personal Computer or Laptop Computer (cont.)
• If the laptop computer battery is removed, do not return it to the battery compartment
• Disconnect all cords and devices from the computer
• Package components and transport/store as fragile cargo
• Seize additional electronic storage media
• Keep all computers and electronic storage media away from magnets, radio transmitters and other potentially damaging elements
• Collect instruction manuals, documentation and notes (may contain passwords)
• Document all steps involved in the seizure of the computer and components

Home Networking Elements
• Collect volatile network information such as IP addresses, open ports, active network connections by a trained examiner/analyst
• If you are unable to collect this information, contact someone who is familiar with networks before disconnecting the network connection
• To disconnect the computer and network, disconnect the power source from the router
• Locate the router and trace all cables running from it to determine if they are connected to other network devices (such as wireless access points) possibly hidden in other parts of the building
• Consider wireless access points not physically at the target location, such as a neighbour’s unsecured wireless network used by the suspect
• Consider scanning for the presence of wireless access points and document the findings
• Contact a network specialist and have him present or readily available to provide assistance with seizing the computer and digital evidence

Network Server / Business Network
• Whenever possible, have a DF Examiner/Analyst conduct a volatile memory acquisition to capture the live data that may be lost when powered off
• Unless the servers or computers on the business network are NOT able to be properly shut down and safely removed, the examination of network servers or business networks should ONLY be attempted by an Examiner/Analyst
• DO NOT DISCONNECT THE POWER CORD
• Pulling the plug could:
  • Severely damage the system
  • Disrupt legitimate business
  • Create officer/investigator and department liability
• The FR should determine who is responsible for maintaining the computer network
• If possible, establish contact with the IT personnel familiar with the system and direct them to gather the data the investigator believes is of evidentiary value

Electronic Storage Media
• E.g. USB thumb drives, CDs, DVDs, memory cards
• Collect the instruction manuals, documentation, and any notes
• Document all steps involved in the seizure of electronic storage media

Special Consideration for FR
• Volatile Data
  • If a DF Examiner/Analyst is available, consideration should be given to capturing volatile memory (RAM) on live computers to preserve the data that may be lost when powered off
• Encryption
  • If a DF Examiner/Analyst is available, consideration should be given to checking if encryption is present on live computers found by the FR
  • Powering off computers using full disk encryption and/or individual file encryption could make the data extremely difficult or unlikely to be recovered
  • Consideration should be given to live imaging the computer(s) by a DF Examiner/Analyst if encryption is present

Mobile Phones, Smart Phones, Tablets and GPS Units
• Device is ON:
  • Locate and remove any SIM cards and place the device in Airplane mode
  • Power off the device and remove the battery if possible
  • Store the device in a Radio Frequency (RF) shielded enclosure such as a Faraday bag to block connectivity to cellular, Wi-Fi, GPS, Bluetooth or other wireless signals
  *Even if the device is powered off, an alarm may cause the device to “wake up” and power back on
  • Document the steps taken and take photographs of the screen

Special Consideration in Seizing Mobile Devices
• BLOCK COMMUNICATION BETWEEN THE DEVICE AND ITS HOST NETWORK(S)
  • This can be accomplished by removing power from the device and/or by shielding it from RF/Bluetooth/Wi-Fi signals, etc.
• Shielding is vital:
  • A suspect or accomplice can alter or destroy evidence on a device
  • When a device connects to its host network, several items on the device can change as a matter of normal functionality or, in the worst case, the device could be remotely wiped by the owner or someone with access to that functionality

Handling Digital Evidence
• Wear protective latex gloves for searching and seizing operations on the site
• Store the electronic evidence in a secure area and climate-controlled environment
• Use a wireless stronghold bag to block wireless signals from reaching the electronic device
• Avoid folding and scratching storage devices such as diskettes and CDs
• Pack the magnetic media in antistatic packaging
• Protect the electronic evidence from magnetic fields, dust, vibration and other factors that may damage the integrity of the electronic evidence

Evidence Examination & Analysis
• General forensics principles apply when examining digital evidence
• Different types of cases and media may require different methods of examination
• Preparation
  • Prepare working directory/directories on separate media to which evidentiary files and data can be recovered and/or extracted
• Extraction
  • Two different types of extraction:
    • Physical
    • Logical

Physical and Logical Extraction
• Physical Extraction
  • Identify and recover data across the entire physical drive without the file system
• Logical Extraction
  • Identify and recover files and data based on the installed OS(s), file system(s) and/or application(s)

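The residual-data slide (a deleted file's space is only tagged, so the file can be retrieved until the space is reused) and the physical/logical extraction slide describe behaviour that is easiest to see on actual bytes. The following Python block is an added example, not code from the original slides: it builds a toy file system (16-byte blocks, a directory table and an allocation bitmap; every file name, size and content is constructed for illustration) and shows that a logical extraction only returns live directory entries, that a physical extraction and a scan of unallocated blocks still contain the deleted file's data, and that the remnant leaves unallocated space once a new file reuses the blocks, while a fragment survives in the new file's slack.

```python
"""Toy disk image: logical vs. physical extraction and residual (deleted) data.

Added example, not from the original slides. It models a simplified file
system (16-byte blocks, a directory table, an allocation bitmap; all names,
sizes and contents are constructed for illustration) so that the difference
between a logical extraction (walk the file system) and a physical extraction
(read every block of the drive) can be seen on actual bytes.
"""
from dataclasses import dataclass, field

BLOCK_SIZE = 16
BLOCK_COUNT = 8


@dataclass
class DirEntry:
    name: str
    blocks: list           # block numbers holding the file's data
    size: int              # logical size in bytes
    deleted: bool = False  # deletion only flags the entry; data stays on disk


@dataclass
class ToyDisk:
    image: bytearray = field(default_factory=lambda: bytearray(BLOCK_SIZE * BLOCK_COUNT))
    allocated: list = field(default_factory=lambda: [False] * BLOCK_COUNT)
    directory: list = field(default_factory=list)

    def block(self, n: int) -> bytes:
        return bytes(self.image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE])

    def write_file(self, name: str, data: bytes) -> DirEntry:
        """Store a file in the first free blocks, the way an OS write does."""
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        free = [i for i, used in enumerate(self.allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("disk full")
        for n, blk in enumerate(free):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            start = blk * BLOCK_SIZE
            # Only the bytes actually written change; the tail of a partly
            # filled last block keeps its old content (file slack).
            self.image[start:start + len(chunk)] = chunk
            self.allocated[blk] = True
        entry = DirEntry(name, free, len(data))
        self.directory.append(entry)
        return entry

    def delete_file(self, name: str) -> None:
        """Flag the entry and free its blocks without wiping them (residual data)."""
        for e in self.directory:
            if e.name == name and not e.deleted:
                e.deleted = True
                for blk in e.blocks:
                    self.allocated[blk] = False
                return
        raise FileNotFoundError(name)

    def logical_extraction(self) -> dict:
        """Recover files through the file system: live entries, logical size only."""
        return {e.name: b"".join(self.block(b) for b in e.blocks)[:e.size]
                for e in self.directory if not e.deleted}

    def physical_extraction(self) -> bytes:
        """Every byte of the drive, file system ignored (bit-for-bit view)."""
        return bytes(self.image)

    def carve_unallocated(self) -> bytes:
        """Raw content of blocks the file system currently marks as free."""
        return b"".join(self.block(b) for b, used in enumerate(self.allocated) if not used)

    def file_slack(self, name: str) -> bytes:
        """Bytes between a live file's logical end and the end of its last block."""
        e = next(x for x in self.directory if x.name == name and not x.deleted)
        if not e.blocks:
            return b""
        used_in_last = e.size - (len(e.blocks) - 1) * BLOCK_SIZE
        return self.block(e.blocks[-1])[used_in_last:]


def demo() -> dict:
    """Walk through delete, carve and block reuse; returns what each view shows."""
    disk = ToyDisk()
    disk.write_file("notes.txt", b"meeting at 10am with Bob")        # blocks 0-1
    disk.write_file("secret.txt", b"wire 5000 to acct 4242 today")   # blocks 2-3
    disk.delete_file("secret.txt")
    marker = b"wire 5000"
    after_delete = {
        "in_logical": any(marker in d for d in disk.logical_extraction().values()),
        "in_physical": marker in disk.physical_extraction(),
        "in_unallocated": marker in disk.carve_unallocated(),
    }
    # A later 20-byte write reuses blocks 2-3 and overwrites most of the remnant...
    disk.write_file("new.txt", b"X" * 20)
    after_reuse = {
        "in_unallocated": marker in disk.carve_unallocated(),
        # ...but the unused tail of block 3 still holds part of the old file.
        "fragment_in_slack": b"42 today" in disk.file_slack("new.txt"),
        "live_files": sorted(disk.logical_extraction()),
    }
    return {"after_delete": after_delete, "after_reuse": after_reuse}
```

Real file systems differ in block size and in how a deleted entry is flagged, so the toy layout is an assumption; the recovery logic (enumerate live entries for the logical view, carve every free block and inspect slack for the physical view) is what the two extraction types on the slide rely on.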
Bit-Stream Copy

Write Protection
• Write protection should be initiated, if available, to preserve & protect the original evidence
• Create a known value for the subject evidence prior to acquiring the evidence (e.g. perform an independent cyclic redundancy check (CRC), MD5 hashing)
• If hardware write protection is used:
  • Install a write protection device
  • Boot the system with the examiner’s controlled OS
• If software write protection is used:
  • Boot the system with the examiner’s controlled OS
  • Activate write protection

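The bit-stream copy and write protection slides describe a sequence: record a known value for the original, protect it from writes, image it bit for bit, then verify. The following Python block is an added example, not code from the original slides or from any forensic tool: a constructed "device" (a small file of invented content in a temporary directory) stands in for the subject evidence so the code runs offline, the read-only file handle plays the part of software write protection, CRC32/MD5/SHA-256 are the known values, and each step is recorded with date and time as the documentation slides later require. The file names evidence.bin and evidence.dd are assumptions.

```python
"""Bit-stream acquisition with a known value, write protection and a log.

Added example, not from the original slides. A constructed 'device' (a
small file of invented content in a temporary directory) stands in for the
subject evidence so the code runs offline. It follows the order the slides
give: record a known value for the original (CRC32, MD5 and SHA-256), open
it read-only as software write protection, copy it bit for bit, then hash
the image and the original again and confirm all three agree, keeping a
dated log entry for each step.
"""
import hashlib
import os
import tempfile
import zlib
from datetime import datetime, timezone

CHUNK = 4096  # read granularity; the copy is still byte-for-byte


def known_value(path: str) -> dict:
    """CRC32, MD5 and SHA-256 of a file, streamed so large images fit in memory."""
    crc, md5, sha = 0, hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
            sha.update(chunk)
    return {"crc32": f"{crc:08x}", "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def log_entry(action: str, result: str) -> dict:
    """One contemporaneous note: date/time, the action taken and its result."""
    return {"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action, "result": result}


def bitstream_copy(source: str, dest: str, log: list) -> dict:
    """Image source into dest and verify the image against the known value."""
    before = known_value(source)
    log.append(log_entry("known value of original", before["sha256"]))
    with open(source, "rb") as src, open(dest, "wb") as dst:
        # Read-only handle: writes through it raise instead of touching the evidence.
        write_protected = not src.writable()
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    log.append(log_entry("bit-stream copy", f"{os.path.getsize(dest)} bytes"))
    after = known_value(source)   # original unchanged by the acquisition?
    image = known_value(dest)     # image identical to the original?
    verified = before == after == image
    log.append(log_entry("verify image", "MATCH" if verified else "MISMATCH"))
    return {"original": before, "image": image,
            "write_protected": write_protected, "verified": verified}


def demo() -> dict:
    """Acquire a constructed device, then show that a one-byte change is detected."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "evidence.bin")   # assumed name, constructed content
    image = os.path.join(work, "evidence.dd")     # assumed name for the image
    with open(device, "wb") as f:
        f.write(b"report.docx ... wire 5000 to acct 42 ..." + b"\x00" * 9000)
    log = []
    acq = bitstream_copy(device, image, log)

    # Simulate accidental alteration of the working copy: one byte changes.
    with open(image, "r+b") as f:
        f.seek(10)
        f.write(b"Z")
    recheck = known_value(image)
    log.append(log_entry("re-verify image",
                         "MATCH" if recheck == acq["original"] else "MISMATCH"))
    return {"verified": acq["verified"],
            "write_protected": acq["write_protected"],
            "tamper_detected": recheck != acq["original"],
            "log_actions": [e["action"] for e in log]}
```

In practice the image is made with a hardware write blocker and a forensic imager; what this reproduces is the verification logic, hashing the original before and after acquisition and the image afterwards, and the habit of logging each action with its result as it happens.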
Evidence Documentation & Reporting
• Documentation of the digital evidence examination is an ongoing process; therefore it is important to correctly record each step during the examination
• The report should be written simultaneously with the examination, and presentation of the report should be consistent with departmental policies

Evidence Examiner Report
Common consideration list that helps the examiner throughout the documentation process:
• Take notes when discussing with the case investigator
• Preserve a copy of the search authority and chain of custody documentation
• Write detailed notes about each action taken
• Include date, time, complete description, and result of each action taken in the documentation
• Document any irregularities encountered during the examination
• Include the operating system’s name, software, and installed patches

Final Report of Findings
• Disclose specific files related to the request
• Other files, including deleted files, that support the findings
• String searches, keyword searches and text searches
• Descriptive data analysis
• Description of the relevant programs on the examined items
• Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions and file name anomalies
