CYB 205

Introduction to Digital Forensics:


Role of Forensic Science in the Investigation of Crime

Dr Muktar Bello
Department of Cyber Security

May, 2023
PHILOSOPHICAL QUOTE
INTRODUCTION TO DIGITAL FORENSICS – CYB 205

SOCRATES

“The only true wisdom is in knowing you know nothing”
NEW YEAR SPEECH BY THE PRESIDENT
ROLE OF FORENSICS IN FIGHTING CORRUPTION IN NIGERIA

MUHAMMADU BUHARI, GCFR


PRESIDENT AND COMMANDER IN CHIEF OF THE ARMED FORCES

“We have given the utmost priority to fighting corruption and other related offenses which have been a bane to the growth and prosperity of our dear Nation. We have made major strides and breakthroughs through the innovative use of Technology and Forensics in the investigative and prosecutorial procedures with commendable results to show that the anti-corruption drive of our Administration is succeeding”
New Year Speech by Mr. President (1st January 2022)
SUBJECT MATTER EXPERT (SME)
SCOPE & DISCLAIMER

GLOBAL
Digital Eco-System

REGIONAL & NATIONAL

DISCLAIMER
My Views Only.
STATISTICS

Mobile, Population Growth and Financial Losses

• Active mobile lines: 222 Million (NCC 2021)
• Population growth: 3rd most populated by 2050 (UN 2017)
• Terrorism: 3rd most affected, after Afghanistan & Iraq (Global Terrorism Index 2020)
• Economic impact of terrorism: $26.4 Billion (Global Terrorism Index 2020)
CASE STUDY 1 – FORENSICS 101

• Dennis Lynn Rader – BTK Killer
• Serial Killer: “Bind, Torture, Kill” victims
• Evaded Law Enforcement for decades
• Analysis of a Floppy Disk led to his arrest.
• Major breakthrough in Digital Forensic Investigation
Investigation & CVE: Role of Digital Evidence

• Information
• Intelligence
• Evidence
BOKO HARAM: ONLINE or OFFLINE

• Social media primarily used for propaganda
• Content focuses on:
  • On-going attacks
  • Operational victories
  • Beheading of hostages
• Social media use influenced by:
  • Internet penetration
  • Other factors
• Preference of traditional media (pre-2015): audio cassettes, leaflets, open air lectures
• Use of social media (post-2015): YouTube, Twitter & Facebook
• Twitter results between 2012 - 2017: Boko Haram – 159,095
• Not as sophisticated as ISIL; more advanced after pledging to ISIL
RISE OF BOKO HARAM– INADEQUATE EXPLANATION

Thurston, A. (2016). ‘The Disease is Unbelief’: Boko Haram’s Religious & Political Worldview

• 1st explanation: Poverty
• 2nd explanation: Marginalization
• 3rd explanation: Extension of ISIS
• 4th explanation: Maitatsine Doctrine
SOCIAL MEDIA: A TOOL FOR TERRORISM
THE ROLE OF FORENSIC SCIENCE IN THE INVESTIGATION OF TERRORISM & CYBERCRIME

UNODP (2017). A Tool for Terrorism: Exploring How ISIL, Al-Shabaab and Boko Haram Use Social Media in Africa

SOCIAL MEDIA TRENDS

• Social media platforms: terrorists use a wide range of platforms: Facebook, Twitter, WhatsApp, Telegram
• Propaganda: social media is used to publicise attacks, operational victories, tactics etc.
• Recruitment: online recruitment strategy using social media
• Offline influences: the role of social media is complemented by offline peer influences
TERRORISM HALL OF SHAME

What have we learnt?

• Osama Bin Laden – Al-Qa’ida
• Abubakar Al-Baghdadi – ISIS
• Mohammed Yusuf – Boko Haram
• Abubakar Shekau – Boko Haram
WHAT IS CYBER CRIME?
CRIME, CRIMINALITY & TERRORISM

• Armed Robbery
• Terrorism
• Online Sexual Exploitation of Children
• Modern Day Slavery
• Cyber-Crime
• Cyber-Warfare
• Cyber-Terrorism
• SGBV
WHY DO PEOPLE COMMIT CRIME?

CRIMINOLOGICAL THEORIES
Criminological theories focus on explaining the causes of crime. They explain why some people commit a crime, identify risk factors for committing a crime, and can focus on how and why certain laws are created and enforced.
CRIMINOLOGICAL THEORY - RAT

Cohen and Felson (1979) argued that for crime to take place, three requirements needed to be present, namely a motivated offender, a suitable target and an absence of a capable guardian.

[Crime triangle: MOTIVATED OFFENDER – SUITABLE TARGET – ABSENCE OF A CAPABLE GUARDIAN]
INVESTIGATION TIME-LINE (1990-2023)

Timeline markers on the slide: 1990, 2001, 2003, 2022, 2022

CRIMINAL CODE & PENAL CODE
1. Mandate of the Police to Investigate
2. Limitation of Laws
3. Lack of Political Will

POST 9/11 TERRORIST ATTACK
1. Financial Action Task Force (FATF) Recommendations
2. Creation of the EFCC & NFIU
3. Advance Fee Fraud Act 2006

OPERATION LEA
1. Function of the CAC
2. Special Powers of the CAC
3. Administration of Criminal Justice Act 2015
4. Cybercrime (Prohibition & Prevention) Act 2015

ENFORCEMENT & COORDINATION
1. Proceeds of Crime Act 2022
2. Money Laundering Act 2022
3. Est. of SCUML under EFCC
4. Terrorism Act 2022
SOCIAL ENGINEERING
LAWS, POLICIES & INITIATIVES
CASE STUDY 2: SAN BERNARDINO TERRORIST SHOOTING

• Terrorist shooting
• Online radicalization
• State vs Apple
• Apple iPhone (privacy)
INVESTIGATION & PROSECUTION CHALLENGES

• Accessibility of Smarter Technologies to Criminals
• New Products developed to counter lawful Interception or Extraction (Apple iOS 8 and above)
• Challenges dealing with ISPs, Telcos and Regulators
• Mutual Legal Agreement Treaty (MLAT)
• Capacity and Training Gaps
• Synergy between Stakeholders
• Emerging Technologies and Masking Techniques & Tools

ACPO GOOD PRACTICE GUIDE FOR DIGITAL EVIDENCE

Association of Chief Police Officers

• Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
• Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
• Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
• Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
FORENSIC SCIENCE

• Forensic Science: is the scientific method of collecting and examining information and data about the past which is then used as evidence in a court of law.
• The word forensic comes from the Latin forensis, a forum.
• ‘For use in court’ or in legal proceedings.
• Usually applied to the methods used to obtain and analyse evidence and persuade a court that the evidence can be relied on.
LOCARD’S EXCHANGE PRINCIPLE
FORENSICS CASE FLOW CHART

1. Crime Scene Investigation – Forensics Investigators secure the crime scene
2. Request sent from OPS or LEAs – Request to include Evidence, Letter of Authorization and Chain of Custody
3. Forensics Examination & Analysis – Analysts examine and analyze the evidence
4. Forensics Report Issued – A detailed Forensics Report submitted with relevant annexures
5. Expert Testimony – Analyst testifies in court as an expert witness
DIGITAL EVIDENCE

WHAT TO COLLECT
Digital & Electronic Evidence

HOW TO COLLECT
Crime Scene Management; SOP & Chain of Custody

HOW/WHAT TO EXAMINE
Tools, Link Analysis, 3rd Party Verification

WHAT TO PRESENT
Forensics Report, Certificate of Authentication & Supporting Documents (Certified True Copies)
CASE STUDY 3: KILLING OF BOKO HARAM LEADER

• Alleged Killing by LEA
• Evidence Based on Video
• 5 Police Officers Charged
• Defendant discharged & Acquitted
COLLECTION OF DIGITAL EVIDENCE

• Digital Forensics: Branch of Forensic Science that deals with recovering and investigating data or information found on digital devices.
• Scope: Any device capable of storing, processing or retrieving data.
• Limitations:
  • Lack of standard operating procedures for investigation.
  • Too many methodologies and frameworks.
  • Evolving nature of technology.
DIGITAL EVIDENCE SOURCES

• Computers/Hard drives
• Mobile phone/SD cards/SIM cards
• Network Peripherals, Network AP’s
• Internet of Things
• Cloud
• Printers
• Flash Drives
• Emails
• Social Media
• Drones .. ?
DATA TYPES

• Contacts
• Call registers
• Text messages
• Calendar
• Identification numbers
• Multimedia messages
• Internet
• WiFi / Bluetooth
• Subscriber numbers
• Email
• Photos
• Ringtones
• Videos
• Sound recordings
• Applications
• GPS / SatNav
MOBILE IDENTIFICATION
IMEI – MOBILE PHONE IDENTITY
CASE STUDY 4: OIL BUNKERING CASE
SIM - IDENTIFICATION

• Once was the richest source of data
• Types of GSM SIM card:
  • 2G SIM Cards – original GSM SIM cards c1991
  • 3G USIM Cards – original 3G USIM cards c2002
  • Dual Mode Cards (SIM/USIM)
  • 4G & 5G
  • Micro & Nano SIM small form factor card
SIM - IDENTIFICATION

• ICCID - Integrated Circuit Card Identifier
  • Printed on SIM card and/or original packaging
  • Used to identify the SIM card itself
  • Stored electronically within the SIM. Cannot be changed.
• IMSI – International Mobile Subscriber Identity
  • Stored electronically within the SIM. Cannot be changed.
  • Primary link between the SIM card and the subscriber phone number allocated to it by the network.
Integrated Circuit Card Identifier - ICCID

ICCID (Electronically stored inside & printed on the SIM packaging)

Example: 89 920 34 999999999999

• 89 – Card Type: 89 = Telecoms
• 920 – Country dialling code (variable length)
• 34 – Network Identifier (variable length)
• 999999999999 – Card serial number (Luhn Algorithm; includes date of manufacture)
International Mobile Subscriber Identity- IMSI

IMSI (Stored electronically in the SIM card)

Example: 410 01 62 99999999

• 410 – Mobile Country Code (MCC) - 3 digits
• 01 – Mobile Network Code (MNC) - 2 digits (Mobilink)
• 62 99999999 – Mobile Subscriber Identification Number (MSIN) - 10 digits *

Used by the network to identify the SIM card and assign the mobile number (MSISDN).
International Mobile Equipment Identity - IMEI

Example: 35 833900 272075 3 [01]

• 35 833900 – Type Allocation Code (TAC) - 8 digits; the first digits are the reporting body identifier
• 272075 – Serial Number (SNR) - 6 digits
• 3 – Check digit, or 0 if CDMA 1 GSM handset
• [01] – Optional software version number
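The identifier layouts on the three slides above, as an added worked example (not code from the lecture): the digit groupings are the ones shown on the slides (TAC 8 + SNR 6 + check digit; MCC 3 + MNC 2 + MSIN; ICCID prefix 89 + country code + issuer + serial), and the check digits of both the IMEI and the ICCID are Luhn check digits, so a recorded identifier can be sanity-checked before it is relied on. The 2-digit MNC is an assumption that matches the slide's example; some networks use 3.

```python
import re


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is a correct Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> int:
    """Check digit that makes payload + digit Luhn-valid (e.g. a 14-digit IMEI body)."""
    return next(d for d in range(10) if luhn_valid(payload + str(d)))


def parse_imei(raw: str) -> dict:
    """Split a 15-digit IMEI (or 16-digit IMEISV) as on the slide: TAC | SNR | CD [| SVN]."""
    digits = re.sub(r"\D", "", raw)    # tolerate the '35 833900 272075 3' spacing
    if len(digits) not in (15, 16):
        raise ValueError(f"expected 15 (IMEI) or 16 (IMEISV) digits, got {len(digits)}")
    info = {
        "tac": digits[:8],             # Type Allocation Code
        "reporting_body": digits[:2],  # first digits of the TAC
        "snr": digits[8:14],           # serial number
    }
    if len(digits) == 15:              # IMEI: 14 digits + Luhn check digit
        info["check_digit"] = digits[14]
        info["luhn_valid"] = luhn_valid(digits)
    else:                              # IMEISV: no check digit, 2-digit SVN instead
        info["svn"] = digits[14:]
        info["luhn_valid"] = None
    return info


def parse_imsi(raw: str, mnc_len: int = 2) -> dict:
    """Split a 15-digit IMSI into MCC (3) | MNC (2 or 3) | MSIN; mnc_len=2 matches the slide."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 15 or mnc_len not in (2, 3):
        raise ValueError("IMSI must be 15 digits and MNC length 2 or 3")
    return {"mcc": digits[:3], "mnc": digits[3:3 + mnc_len], "msin": digits[3 + mnc_len:]}


if __name__ == "__main__":
    print(parse_imei("35 833900 272075 3"))      # slide's IMEI: check digit 3 is Luhn-valid
    print(parse_imsi("410 01 62 99999999"))      # slide's IMSI: MCC 410, MNC 01, MSIN 6299999999
    print(luhn_valid("89920349999999999999"))    # slide's placeholder ICCID: all-9 serial fails Luhn
```

The slide's IMEI example passes the Luhn check, while its ICCID example (a placeholder serial of nines) does not; a failed check on a real exhibit usually means a transcription error in the notes rather than a tampered device.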
MEMORY CARDS

• Lots of standards (most common microSD)
• Use standard file system
• Stored data is device dependent
• Internal: access requires removal of battery
• External: accessible without battery removal
MOBILE OPERATING SYSTEM
EVOLUTION OF DIGITAL FORENSICS INVESTIGATION
DIGITAL FORENSICS INVESTIGATION MODEL
COLLECTION OF DIGITAL EVIDENCE

COLLECTION
- Identification
- Preservation / Isolation – Faraday Bags (integrity)
- Data Extraction (Imaging)
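How the "integrity" step of collection and ACPO Principles 1 and 3 (no alteration of the original; an audit trail a third party can repeat) are usually operationalised, as an added example that is not part of the lecture: hash the image at acquisition, record who/what/when/how in the custody log, and let anyone recompute the hash later. The case id, examiner name and image bytes are constructed; a real image would be streamed from the acquisition file.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed stand-in for an acquired image (a real one is read from a dd/E01 file).
SAMPLE_IMAGE = b"constructed sample image bytes \x00\x01\x02\xff" * 2000


def hash_image(data: bytes, algo: str = "sha256", chunk: int = 4096) -> str:
    """Hash the image in chunks, as a streamed acquisition file would be hashed."""
    h = hashlib.new(algo)
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def record_acquisition(case_id: str, exhibit_id: str, examiner: str,
                       data: bytes, method: str) -> dict:
    """One audit-trail entry: who did what, when, how, and the hash of the result.

    Recording the hash at acquisition is what lets an independent third party
    repeat the check (Principle 3) and show the data was not altered (Principle 1).
    """
    return {
        "case_id": case_id,
        "exhibit_id": exhibit_id,
        "examiner": examiner,
        "action": "acquisition",
        "method": method,             # e.g. "physical image via hardware write-blocker"
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "size_bytes": len(data),
        "sha256": hash_image(data),
    }


def verify_image(entry: dict, data: bytes) -> bool:
    """Independent re-verification: recompute and compare against the recorded hash."""
    if len(data) != entry["size_bytes"]:
        return False
    return hmac.compare_digest(entry["sha256"], hash_image(data))


if __name__ == "__main__":
    rec = record_acquisition("CASE-0001", "EXH-01", "Analyst A", SAMPLE_IMAGE,
                             "physical image via hardware write-blocker")
    print(rec)
    print("image intact:", verify_image(rec, SAMPLE_IMAGE))
    print("after a 1-byte change:", verify_image(rec, SAMPLE_IMAGE[:-1] + b"\x00"))
```

The log entry is what gets produced alongside the image and preserved with the chain-of-custody paperwork; a mismatch on re-verification means the image, not the custody record, has to be explained.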
DOCUMENTATION, EXAMINATION & ANALYSIS

PART 2: EXAMINATION

• Get authorization to conduct examination
• Secure the Crime Scene
• Establish Chain of Custody
• Document processes
• Isolate wireless devices in Faraday bag
• Use write-blocking software or hardware for extraction
• Select extraction method

ANALYSIS OF EVIDENCE

PART 3: ANALYSIS OF EVIDENCE

• How can I analyze the evidence?
• Manual documentation of physical features of the electronic evidence
• 3rd Party Verification: request for CDRs from Telcos.
• Link & Time Analysis, Charts, Software, Open Source Tools
ANALYSIS OF EVIDENCE II

PART 3: ANALYSIS OF EVIDENCE

• What constitutes electronic evidence?
  – Information stored, processed on PC, Phone, Tablet, USB, (Memory)
  – Mobile Forensics: Phone, SIM and Memory
• What should an investigator look for?
  – Mobile: Call Data Record (CDR), Phone Book, Images, Chat History, Short Message Service (SMS)
  – Computer: Emails, Docs, Images, etc.
ANALYSIS OF EVIDENCE III
SOCIAL MEDIA STAKEHOLDERS

• Users
• Content Owners
• Investigators
• Service Providers
• Courts & Attorneys
• Law Enforcement
• Companies & Marketers
• The Public
COLLECTION METHODS

• Screen Shots
• Manual Documentation
• Open Source tools (HTTrack)
• Commercial Tools (X1)
• Web service (Pagefreezer)
• Forensic Recovery
• Content subpoena
ETHICAL ISSUES

• Laws that prevent searching for subjects on social media.
• Multiplication of Messages on Social Media
• Public V Private
• Terms of service
• Licensing & Jurisdiction
TECHNICAL ISSUES

• Evolving Technical Landscape
• Provider Limitations
• Content Diversity & Volume
• Validated Tools
GENERAL THOUGHTS

• Constant Evolution
• Social media Crime on the Rise
• Can we monitor SM?
• “Catch me if you can”
• Increasing Privacy Awareness
DOES SOCIAL MEDIA MATTER?
CASE STUDY 5: HUSHPUPPI

• Social Media Influencer
• Cyber-Criminal
• Multiple Jurisdiction
• Online Evidence - Instagram
ROLE OF AN EXPERT WITNESS

• Person engaged to give an opinion based on his/her experience, knowledge and expertise
• Duty of an Expert Witness is to provide independent, impartial and unbiased evidence to the court or tribunal.
HOW TO BECOME AN EXPERT WITNESS

• Experience
  • Business
  • Academic
  • Testimonial
• Training
  • Certification
  • Academic Background
CASE STUDY 6: MILITARY COURT MARTIAL – EXPERT WITNESS

• Cross Examination
• Forensics Report
• Technical Questioning
• Authorization
PRESENTATION OF EVIDENCE IN COURT

• Vital Documents to be presented in Court:
  • Ownership Attestation Form (duly signed by suspect)
  • Request Letter for Investigation (letter headed, duly signed).
  • Chain of Custody of Digital Device.
  • Examination Sheet and Analysis Report.
  • Report to Investigating Authority (Head of Unit/Agency requesting investigation).
  • Certificate of Authentication (COA): stating the details of the device used.
  • Qualifications – Expert Witness
• All should be certified true copies of the originals
PRESENTATION OF EVIDENCE IN COURT II

• What should Lawyers (Prosecutors) ask?
  • Job Designation, Qualification, Schedule of Duties
  • What role did you play in the investigation?
  • What tools and procedures were used? (Section 84 (2))
  • Findings and conclusion.
DIGITAL INNOVATION

01 Artificial Intelligence
02 Machine Learning & IoT
03 Forensics Science
04 Evidence Based & Predictive Policing
FUTURISTIC CRIMES

CYBER-ENABLED CRIME. CYBER-RAPE?
AI CRIMES, ROBOT CRIMES, “TERRORISM”, DRONE OFFENSES
“INDUSTRIAL GENOCIDE”?
FUTURISTIC POLICING

PREVENTION
PREDICTIVE & EVIDENCE BASED
SCIENCE BASED & INTELLIGENCE DRIVEN
EVIDENCE REVIEW

CENTRAL CASE REGISTER (CCR)
Custodian of both hard and soft copy of the Central Case Register (CCR)

DOCUMENT CONTROL
Lead Implementers of the ISO 9001 & 17025 Standards

EVIDENCE HANDLING & LABELLING
Managed within the Evidence Review Room

QCA INTERNAL CONTROL
Handles issues of Non-Conformance, Root Cause Analysis and Corrective Actions
ROLE OF QUALITY CONTROL & ASSURANCE SECTION

• Implementation of Quality Management System (QMS) ISO 9001
• Monitoring & Evaluating Competence of Analysts
• Implementation of Laboratory Management System (LMS) ISO 17025
• Evidence Review and Management: Evidence Handling, Labelling and Tracking
• Collation of Data & Statistics: all suspects arrested are brought for processing in conformance with Section 15 of ACJA.
WAY FORWARD

A – ASSUME NOTHING
B – BELIEVE NOTHING
C – CHECK EVERYTHING
