
Digital Forensics

What is forensics?

Forensic Science is any aspect of science as it relates to the law.

What is Digital Forensics?

Digital forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.

• Forensic science is the application of natural science to matters of law

• Forensic science seeks to find the root cause of an event

• “To be considered a discipline, Digital Forensic Science must be characterized by the following associated entities:

– Theory: a body of statements and principles that attempts to explain how things work

– Abstractions and models: considerations beyond the obvious, factual, or observed

– Elements of practice: related technologies, tools, and methods

– Corpus of literature and professional practice

– Confidence and trust in results: usefulness and purpose

• The current state of Digital Forensic Science exhibits only some of these characteristics and they are not tied to specific disciplinary practices considered by any group as scientifically rigorous.”*

Formally, digital forensics is:

“The use of scientifically derived and proven methods toward the preservation,
collection, validation, identification, analysis, interpretation, documentation and
presentation of digital evidence derived from digital sources for the purpose of
facilitating or furthering the reconstruction of events found to be criminal, or
helping to anticipate unauthorized actions shown to be disruptive to planned
operations.”

Framework for an Investigative Process for Digital Forensics:

• Identification

– Event/crime detection

– Resolve signature

– Profile detection

– Anomalous detection

– Complaints

– System monitoring

– Audit analysis

• Preservation

– Case management

– Imaging technologies

– Chain of custody

– Time synchronization

• Collection

– Preservation

– Approved methods

– Approved software

– Approved hardware

– Legal authority

– Lossless compression

– Sampling

– Data reduction

– Recovery techniques

• Examination

– Preservation

– Traceability

– Validation Techniques

– Filtering techniques

– Pattern matching

– Hidden data discovery

– Hidden data extraction

• Analysis

– Preservation

– Traceability

– Statistical

– Protocols

– Data mining

– Timeline

– Link

– Special

• Presentation

– Documentation

– Expert testimony

– Clarification

– Mission impact statement

– Recommended countermeasure

– Statistical interpretation

Structuring and Formalizing the Digital Forensic Process:

• Reliable methods*

– “Help distinguish evidence from coincidence without ambiguity

– Allow alternative results to be ranked by some principle basic to the sciences applied

– Allow for certainty considerations wherever appropriate through this ranking of available alternatives

– Disallow hypotheses more extraordinary than the facts themselves

– Pursue general impressions to the level of specific details

– Pursue testing by breaking hypotheses (alternative explanations) into their smallest logical components, risking one part at a time

– Allow tests either to prove or disprove alternative explanations (hypotheses)”

• A formalized approach

– Has specific rules, structure and vocabulary

– Allows repeatability

– May be used to verify a process

• End-to-end digital investigation (EEDI)

– Complex attacks begin with the attacker and end with the victim

– Requires a corroborated or linked chain of evidence

• Using the Digital Investigation Process Language (DIPL) to describe the investigative process

– Allows us to describe the process

– Allows us to describe the attack as perceived by the investigator

– Permits verification of a complex investigation during the investigation to identify holes in the evidence chain and suggest how to plug those gaps

– Permits verification that the investigative process was complete and correct and followed a reliable method of inquiry*

• Integrity

• Competence

• Defensible technique

• Relevant experience

Problems We Want to Solve:

• Inconsistency in forensic analysis of digital events

• Inconsistencies in interpreting digital evidence in complex attacks

• Inconsistencies in representing results of digital investigations

• Incomplete or unsupported evidence chains in complex digital investigations possibly leading to erroneous conclusions

• Current tendency to focus upon specific platforms or environments instead of a generalized process

The End-to-End Digital Investigative Process (EEDI):

• EEDI takes the view that the incident begins at the attacker, ends at the
victim, and includes everything in between

• First rule of end-to-end forensic digital analysis

– Primary evidence must always be corroborated by at least one other piece of relevant primary evidence to be considered a valid part of the evidence chain. Evidence that does not fit this description, but does serve to corroborate some other piece of evidence without itself being corroborated, is considered to be secondary evidence.

– Exception: the first piece of evidence in the chain from the Identification layer

• Must be well corroborated with secondary evidence

An Example of an End-to-End Investigation:

• Identification

– Call received

• Preservation

– Case file opened

– Server imaged

• Image in chain of custody

– Server logs preserved

– Entry in case file

• Collection

– Safe Back used

– Policies reviewed for authority to proceed

– Began interviews

– Event described

• Unavailable mortgage database

• Server checked: db gone

• Observed action by admin including remote login

• Restore from backup unsuccessful – data bad

– Entry in case file
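The DIPL verification step and the EEDI "first rule" above can be mechanised: given evidence items and which item corroborates which, classify each item as a valid chain link, secondary evidence, or a hole in the chain. The following is an added example, not code from the notes or from any EEDI/DIPL tool; the item ids, layers and corroboration links are assumptions constructed to mirror the mortgage-database case above.

```python
# Added example (not from the original notes): a checker for the EEDI "first rule",
# run over evidence items constructed to mirror the mortgage-database case above.
# Item ids, layers and the "corroborates" links are assumptions for illustration.
from dataclasses import dataclass, field

@dataclass
class Evidence:
    eid: str
    layer: str                                       # Identification, Preservation, Collection, ...
    corroborates: set = field(default_factory=set)   # ids of items this one supports

def check_chain(items):
    """Classify each item as valid, secondary, or a gap (a hole in the chain).

    valid:     corroborated by at least one other non-secondary item, or the
               first Identification-layer item when it has any corroboration
    secondary: corroborates something but is not itself corroborated
    gap:       everything else, i.e. a link the chain cannot rely on
    """
    supported_by = {e.eid: set() for e in items}
    for e in items:
        for target in e.corroborates:
            if target in supported_by and target != e.eid:
                supported_by[target].add(e.eid)
    secondary = {e.eid for e in items if e.corroborates and not supported_by[e.eid]}
    first_ident = next((e.eid for e in items if e.layer == "Identification"), None)
    valid, gaps = [], []
    for e in items:
        if e.eid in secondary:
            continue
        if e.eid == first_ident:
            ok = bool(supported_by[e.eid])   # stated exception: secondary support suffices
        else:
            ok = any(s not in secondary for s in supported_by[e.eid])
        (valid if ok else gaps).append(e.eid)
    return valid, sorted(secondary), gaps

# Constructed evidence for the case above (assumed links, not from the notes).
CASE = [
    Evidence("call", "Identification"),                     # call received
    Evidence("image", "Preservation", {"logs"}),            # server image: db gone
    Evidence("logs", "Preservation", {"image", "call"}),    # server logs: remote admin login
    Evidence("interview", "Collection", {"call", "logs"}),  # staff interviews
    Evidence("backup", "Collection"),                       # failed restore, data bad
]

if __name__ == "__main__":
    valid, secondary, gaps = check_chain(CASE)
    print("valid:", valid, "secondary:", secondary, "gaps:", gaps)
```

The failed backup restore shows up as a gap: nothing corroborates it and it corroborates nothing, so under the first rule it cannot yet be relied on as a link in the chain.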
