
LESSON 7

Learning Objectives

At the end of the session, you will be able to:

a. Analyze basic Incident Response and Forensics;
b. Classify and present different kinds of digital forensic evidence;
c. Identify the persons and agencies who can use digital forensic evidence in court or other
tribunals to prosecute cyber criminals; and
d. Recognize the importance of security training.

I. Basic Incident Response and Forensics

Digital Forensic and Digital Evidence

What is Digital Forensic?


◎Digital Forensic

The scientific examination and analysis of data held on or retrieved from computer
storage media or networks, and its presentation in a manner legally acceptable to a court.

What is Computer?

Refers to an electronic, magnetic, optical, electrochemical, or other data processing or
communications device, or grouping of such devices, capable of performing logical,
arithmetic, routing, or storage functions and which includes any storage facility or
equipment or communications facility or equipment directly related to or operating in
conjunction with such device.

It covers any type of computer device including devices with data processing
capabilities like mobile phones, smartphones, computer networks and other
devices connected to the internet. (R.A. 10175)

What is Computer Data?

Refers to any representation of facts, information, or concepts in a form suitable for
processing in a computer system, including a program suitable to cause a computer
system to perform a function, and includes electronic documents and/or electronic data
messages whether stored in local computer systems or online. (R.A. 10175)

What is Electronic Document?

Refers to information generated, sent, received or stored by electronic, optical or similar
means. It includes digitally signed documents.

The term "electronic document" may be used interchangeably with "electronic data
message." (Rules on Electronic Evidence, A.M. No. 01-7-01-SC)

What is Digital Evidence?

Refers to digital information that may be used as evidence in a case.

Any information, whether it has been subject to human intervention or not, that can be
extracted from a computer system.

It must be in human-readable format, or capable of being interpreted by a person with
expertise in the subject.

Digital Forensic Examples

◎Performing computer-related crime investigations

◎Recovering evidence from a deliberately formatted hard drive

◎Recovering thousands of deleted emails and chat messages

◎Recovering internet artifacts and file metadata


Who Uses Digital Forensic?

Law Enforcement Officers

Rely on computer forensics to back up their investigations and use the recovered evidence
to support the filing of cases.

Prosecutors

Rely on evidence obtained from a computer to prosecute suspects.

Civil Litigation

Personal and business data discovered on a computer can be used as evidence in civil
cases.

Insurance Companies

Evidence discovered on a computer can be used to contest or reduce claim costs (fraud,
worker's compensation, etc.).

Private Corporations

Evidence obtained from an employee's computer can be used in harassment, fraud, and
theft cases.

Individuals/Private Citizens

Obtain the services of professional computer forensic specialists to support claims of
harassment, abuse, or wrongful termination from employment.

Why Digital Forensic?

◎Criminals use computer as:


◉Tool
◉Target
◉Depository

Why Digital Forensic?

A common user sees a computer's data through Windows Explorer, a cmd shell or a web
browser: only the files the operating system currently lists.

A forensic investigator using specialised forensic tools sees far more: the same files, plus
deleted, hidden, encrypted and other data the operating system does not show.

Why Digital Forensic?

Any person can gather information from a computer, BUT the forensic element means it has
to be gathered in a manner which makes it reliable to a court or other body. Only then does
the information become EVIDENCE.
Reasons for Evidence

Law enforcement authorities collect evidence for computer related crimes and traditional
crimes such as:

Theft or destruction of intellectual property

Trafficking in Persons

Illegal Drugs investigation

Sexual harassment

Software Piracy

Hacking

Malware distribution

Fraud

Access Device investigation

Possession of child pornography

Homicide investigations

Forgery

Many Types of Evidential Data

But no matter what type of data, it is just...
1010101110101010110101010101010101010
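Because evidence is just bits, the earlier example of recovering evidence from a deliberately formatted drive works: a quick format erases the file-system tables, not the sectors that hold file content. The file carver below is an added example written for this lesson (it is not part of the original handout and not any particular tool's code). It ignores the file system entirely, scans a raw image for JPEG and PNG header/footer signatures, and reports each carved file with its offset, length and SHA-256. The sample image, the payload text inside it and the SIGNATURES table are constructed for the demonstration; a real carver knows many more signatures and handles fragmented files.

```python
"""Header/footer file carving over a raw disk image (added lesson example).

After a quick format the file-system tables are gone but the file contents
usually remain on disk. A carver scans the raw bytes for known file
signatures and needs no file system at all. The image below is constructed
in code; its offsets and contents are made up for illustration.
"""
import hashlib

# file type -> (header, footer); a constructed, deliberately short table
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # ignore a header whose footer is > 10 MiB away


def carve(image: bytes, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Return [{type, offset, length, sha256}, ...] for every header/footer
    pair found in `image`, sorted by offset. Carved data has no file name,
    timestamps or directory entry: that metadata lived in the erased tables."""
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_len)
            if end == -1:
                # header with no footer in range: truncated or overwritten file
                pos = start + 1
                continue
            end += len(footer)
            data = image[start:end]
            found.append({
                "type": ftype,
                "offset": start,
                "length": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),  # identifies the carved file
            })
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image() -> bytes:
    """Constructed 'formatted' disk image: zeroed system area, then leftover
    files separated by slack, then a header-only fragment. Not real data."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload-constructed" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-payload-constructed" + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"overwritten-no-footer"
    return (b"\x00" * 512      # erased boot / file-system area
            + jpeg             # intact JPEG at offset 512
            + b"\x00" * 100    # slack
            + png              # intact PNG at offset 642
            + b"\x00" * 64
            + truncated)       # header only; must not be reported as a file


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f['type']:5} @ {f['offset']:6d} len={f['length']:4d} sha256={f['sha256'][:16]}...")
```

The header-only fragment at the end of the sample is the important edge case: a carver that reports every header it sees will produce garbage "files" from overwritten sectors, so each hit is only kept when its footer is found within a sane distance.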

Why can't I just turn it on?

Booting the machine changes the evidence: Windows XP alters over 1,000 files on start-up,
updating timestamps, logs and temporary files before an examiner has looked at anything.

Where Is the Evidence?

Digital Evidence

Volatile data

Non-volatile data

Types of Computer Data

Volatile Data

This data is temporarily stored in the memory (RAM) of the computer system.

This data is lost once power is removed from the computer, so it must be collected first,
while the system is still running.

Non-Volatile Data

This data resides in persistent storage media (hard disk drive, USB flash drive, optical
storage media).

It remains saved whether the computer's power is on or off.


Where are Evidentiary Data Located?

The nature of data storage on a computer system often allows recovery of data from:

ACPO Digital Evidence Principles

Principle 1 – Primary Rule…

o No action taken by the law enforcement agencies or their agents should change
the data held on a computer or other media which may subsequently be relied
upon in Court.
o Where possible computer data must be ‘imaged’ and that version be examined.
Principle 2

In exceptional circumstances it may be necessary to access the original data held on a
target computer. However, it is imperative that the person doing so is competent and can
account for their actions.

Principle 3

An audit trail or other record of all processes applied to digital evidence should be created
and preserved. An independent third party should be able to examine these processes
and achieve the same result.

Principle 4

The person in charge of the case has overall responsibility for ensuring that a computer
has been correctly examined in accordance with the law and these principles.

What is a Forensic Image?

o A forensic image is a verifiable, unaltered, complete (bit-for-bit) copy of the contents
of the original storage device, including areas the operating system does not list as files.

o Creating a forensic image ensures:
  o The integrity of the evidence
  o No unintentional changes or damage to the original data
Why Obtain a Forensic Image?

o Provides access to additional (non-volatile) data:
  o Log files
  o Temporary files
  o Compromised applications
  o Page and swap files
  o Information in the registry
o Bypasses log-on prompts and passwords: the image is examined offline, so the operating
system's access controls do not apply (encrypted volumes still require their keys)
o Can be distributed to other forensic specialists while the original is preserved
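ACPO Principles 1 and 3 and the forensic-image definition above translate directly into tooling. The following is an added example written for this lesson (not the handout's code and not any vendor's imager): it acquires a constructed "device" file block by block, hashes the source stream and the written image independently, appends an audit-trail record, and then shows that a later one-byte change to the working copy is caught on re-verification. The device contents, file names, examiner name and log format are assumptions made for the demonstration; a real acquisition reads the media through a hardware write blocker and stores image, hashes and log on examiner-controlled storage.

```python
"""Bit-for-bit acquisition with integrity hashing and an audit trail
(added lesson example, imitating what dd/dc3dd-style imagers do).

Nothing here touches real media: the "device" is an ordinary file created in
a temporary directory. The examiner name and log layout are made up.
"""
import hashlib
import json
import os
import tempfile
import time

BLOCK = 4096  # read size; larger blocks are faster, the hash is unaffected


def hash_file(path: str) -> str:
    """SHA-256 of a file read block by block (works for multi-GB images)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, image: str, log_path: str, examiner: str) -> dict:
    """Copy `source` to `image`, hashing the source stream while reading and
    the written image afterwards, then append one JSON line to the audit log
    so a third party can repeat and check the process (ACPO Principle 3)."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            chunk = src.read(BLOCK)
            if not chunk:
                break
            src_hash.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes hashed are the bytes on disk
    record = {
        "time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "action": "acquire",
        "source": source,
        "image": image,
        "bytes": os.path.getsize(image),
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": hash_file(image),
    }
    # two independent hashes agreeing is the acquisition verification
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify(image: str, expected_sha256: str) -> bool:
    """Re-hash the working copy before (and after) analysis; a mismatch means
    the copy can no longer be relied upon in court."""
    return hash_file(image) == expected_sha256


def demo() -> dict:
    """Acquire a constructed device in a temp dir, verify, then show that a
    single altered byte in the working copy is detected."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "evidence.raw")
    with open(device, "wb") as f:  # constructed sample contents, not real data
        f.write(b"MBR\x00" * 1024 + b"\x00" * 4096 + b"secret.docx contents" * 200)
    image = os.path.join(work, "evidence.img")
    log = os.path.join(work, "acquisition.log")
    rec = acquire(device, image, log, examiner="J. Dela Cruz (hypothetical)")
    intact = verify(image, rec["sha256_source"])
    with open(image, "r+b") as f:  # simulate accidental modification of the copy
        f.seek(10)
        f.write(b"\xff")
    return {"record": rec, "intact": intact, "after_tamper": verify(image, rec["sha256_source"])}


if __name__ == "__main__":
    out = demo()
    print(json.dumps(out, indent=2))
```

Hashing the source stream during the read and the written image afterwards gives two independent values; only when they match is the image accepted, and that pair of hashes is what gets recorded, sealed with the original, and re-checked every time the working copy is opened.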
II. The Importance of Security Training

Training has always been an important process for every team in every business. It helps
to ensure that your employees are all on the same page, armed with the knowledge and
skills they need in order to do their jobs effectively.

It's key to have the right type of training for the appropriate teams. This way you know
your resources are being used properly and yielding the best results possible. So you
may be hesitant at first to equip your entire workforce with cyber security training. After
all, isn't training the IT team sufficient?

As it turns out, it isn't. Human error is consistently found to be the biggest threat to
cyber security, and it can come from any corner of your organization, not just IT.
