Digital Forensics: Kausar Sorathiya Malay Punjani


Digital Forensics

By:-
Kausar Sorathiya
Zainab Shekhani
Malay Punjani
Ronak Bafna
Contents:-
• Definition
• History
• Uses
• Forensic Process
• Branches
• Advantage and Disadvantage
• Conclusion
Definition
• Digital forensics is the forensic science related to computer
operations, software, and files, as well as the digital or
electronic files contained on other technology-based appliances
or storage devices.

OR
• Digital forensics (sometimes Digital forensic science) is a branch
of forensic science encompassing the recovery and
investigation of material found in digital devices.
History - A look at the past of digital forensics

• In the 1980s, crimes involving computers were dealt
with using existing laws.
• The first computer crimes were recognized in the
1978 Florida Computer Crimes Act, which included
legislation against the unauthorized modification or
deletion of data on a computer system.
• In the next few years the range of computer crimes
being committed increased, and laws were passed to
deal with issues of copyright, privacy/harassment
and child pornography.
• Canada was the first country to pass
legislation in 1983.
• This was followed by the US Federal
Computer Fraud and Abuse Act in 1986.
• In response to the growth in computer crime
during the 1980s and 1990s,
law enforcement agencies began to establish
specialized investigative groups, usually at the
national level.
• In the early 1990s a number of tools were
created to allow investigations to take place
without the risk of altering data. As demand
for digital evidence grew, more advanced
commercial tools were developed.
• Recently the same progression of tool
development has occurred for mobile devices:
initially investigators accessed data directly on
the device; this was soon replaced with
specialist tools.
Uses - The main use of digital forensics is to
recover evidence of a crime.
The diverse range of data held in digital devices
can help with other areas of investigation.
1. Attribution - Metadata and other logs can be
used to attribute actions to an individual. For
example, personal documents on a computer
drive might identify its owner.
2. Alibis and statements - Information provided
by those involved can be cross checked with
digital evidence.
For example, during the investigation into
the Soham murders, the offender's alibi was
disproven when mobile phone records of the
person he claimed to be with showed she
was out of town at the time.
3. Intent - Besides finding objective evidence of a crime
being committed, investigations can also be
used to prove intent.
For example, the Internet history of convicted
killer Neil Entwistle included references to a
site discussing "how to kill people".
4. Evaluation of source - File artifacts and meta-
data can be used to identify the origin of a
particular piece of data.
For example, older versions of Microsoft Word
embedded a Global Unique Identifier into files
which identified the computer it had been
created on.
Proving whether a file was produced on the
digital device being examined or obtained from
elsewhere (e.g., the Internet) can be very
important.
5. Document authentication – Related to
"Evaluation of Source", meta data associated
with digital documents can be easily modified.
For example, by changing the computer clock
you can affect the created date of a file.
Document authentication relates to detecting
and identifying falsification of such details.
Forensic Process
A digital forensic investigation commonly
consists of 3 stages –
• Acquisition or imaging of exhibits.
• Analysis.
• Reporting.
Acquisition
• Once exhibits have been seized an exact sector level duplicate
(or "forensic duplicate") of the media is created, usually via a
write blocking device, a process referred to as Acquisition.
• The duplicate is created using a hard-drive duplicator or
software imaging tools.
• The original drive is then returned to secure storage to
prevent tampering.
• The acquired image is verified. At critical points throughout
the analysis, the media is verified again, known as "hashing",
to ensure that the evidence is still in its original state.
• In corporate environments seeking civil or internal charges,
such steps are generally overlooked due to the time required
to perform them.
Analysis
• After acquisition the contents of image files are analysed to identify
evidence that either supports or contradicts a hypothesis or for signs of
tampering (to hide data).
• In 2002 the International Journal of Digital Evidence referred to this stage as
"an in-depth systematic search of evidence related to the suspected crime".
• During the analysis an investigator usually recovers evidence material using
a number of different methodologies, often beginning with recovery of
deleted material. Many forensic tools use hash signatures to identify notable
files or to exclude known ones; acquired data is hashed and compared to
pre-compiled lists.
• Once evidence is recovered the information is analysed to reconstruct
events or actions and to reach conclusions, work that can often be
performed by less specialist staff.
• Digital investigators, particularly in criminal investigations, have to ensure
that conclusions are based upon data and their own expert knowledge.
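The hashing described under Acquisition (verifying the image at critical points) and under Analysis (comparing file hashes against pre-compiled lists of known files) can be shown in one short workflow. The following is an added example written for this page, not code from the slides or from any forensic tool; the image bytes, file contents and the "known good" / "known bad" hash sets are all constructed in the script, and the class and function names are hypothetical.

```python
import hashlib
import io

CHUNK_SIZE = 1 << 16  # hash in 64 KiB chunks so a large image never sits in RAM


def sha256_of(stream):
    """Return the hex SHA-256 of a binary file-like object, read in chunks."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_bytes(data):
    return sha256_of(io.BytesIO(data))


class EvidenceImage:
    """A forensic image plus the hash recorded at acquisition (hypothetical class).

    verify() re-hashes the image at a named checkpoint and appends the
    outcome to a verification log, the record an examiner keeps to show
    the evidence is unchanged since imaging.
    """

    def __init__(self, label, data):
        self.label = label
        self.data = data
        self.acquisition_hash = sha256_bytes(data)
        # log entries: (checkpoint, hash observed, matches acquisition hash)
        self.log = [("acquisition", self.acquisition_hash, True)]

    def verify(self, checkpoint):
        observed = sha256_bytes(self.data)
        ok = observed == self.acquisition_hash
        self.log.append((checkpoint, observed, ok))
        return ok


def triage_by_hash(files, known_good, known_bad):
    """Split files (name -> bytes) into (notable, unknown) after dropping
    anything whose hash is on the known-good list.

    known_good / known_bad are sets of hex SHA-256 digests, standing in for
    the pre-compiled hash sets (OS files, known malware) a tool ships with.
    """
    notable, unknown = [], []
    for name, data in sorted(files.items()):
        digest = sha256_bytes(data)
        if digest in known_good:
            continue  # known benign: excluded from manual review
        (notable if digest in known_bad else unknown).append(name)
    return notable, unknown


# --- constructed sample data (not real evidence) ---
SAMPLE_IMAGE = bytes(range(256)) * 64          # 16 KiB stand-in for a disk image
SAMPLE_FILES = {
    "system.dll": b"constructed OS library bytes",
    "dropper.exe": b"constructed malware bytes",
    "notes.txt": b"constructed user document",
}
KNOWN_GOOD = {sha256_bytes(SAMPLE_FILES["system.dll"])}
KNOWN_BAD = {sha256_bytes(SAMPLE_FILES["dropper.exe"])}


def demo():
    """Run the workflow on the constructed data.

    Returns (image verified ok, tampered copy verified ok, notable, unknown).
    """
    image = EvidenceImage("HDD-01", SAMPLE_IMAGE)
    verify_ok = image.verify("before analysis")
    # simulate an accidental write to a working copy: one byte changed
    tampered = EvidenceImage("HDD-01-copy", SAMPLE_IMAGE)
    tampered.data = SAMPLE_IMAGE[:100] + b"\x00" + SAMPLE_IMAGE[101:]
    tamper_ok = tampered.verify("after analysis")
    notable, unknown = triage_by_hash(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD)
    return verify_ok, tamper_ok, notable, unknown


if __name__ == "__main__":
    print(demo())
```

The single changed byte makes the second verification fail, which is exactly what the re-hashing at critical points is meant to catch; the triage step drops the known OS file, flags the known-bad one and leaves the user document for an examiner to look at.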
Reporting
• When an investigation is completed the information is often
reported in a form suitable for non-technical individuals.
• Reports may also include audit information and other meta-
documentation.
• When completed reports are usually passed to those
commissioning the investigation, such as law enforcement
(for criminal cases) or the employing company (in civil cases),
who will then decide whether to use the evidence in court.
• Generally, for a criminal court, the report package will consist
of a written expert conclusion of the evidence as well as the
evidence itself (often presented on digital media).
Branches
Digital forensics includes several sub-branches
relating to the investigation of various types of
devices, media or artefacts –
1. Computer forensics
2. Mobile device forensics
3. Network forensics
4. Database forensics
Computer Forensics
• Computer forensics is a branch of digital forensic science
pertaining to legal evidence found in computers and digital
storage media.
• The goal of computer forensics is to examine digital media
in a forensically sound manner with the aim of recovering,
linking and understanding information.
• Although it is most often associated with the investigation of a wide
variety of computer crime, computer forensics may also be
used in civil proceedings.
• Computer forensics can deal with a broad range of
information, from logs (such as internet history) through to
the actual files on the drive.
Examples –
• Computer forensics has played a pivotal role in many cases.
• Dennis Rader was convicted of a string of serial killings that
occurred over a period of sixteen years. Towards the end of
this period, Rader sent letters to the police on a floppy disk.
Metadata within the documents implicated an author named
"Dennis" at "Christ Lutheran Church"; this evidence helped
lead to Rader's arrest.
• Joseph E. Duncan III - A spreadsheet recovered from Duncan's
computer contained evidence which showed him planning his
crimes. Prosecutors used this to show premeditation and
secure the death penalty.
• Sharon Lopatka - Hundreds of emails on Lopatka's computer
led investigators to her killer, Robert Glass.
Techniques
A number of techniques are used during computer forensics investigations.
• Cross-drive analysis - A forensic technique that correlates information found
on multiple hard drives. The process, which is still being researched, can be
used for identifying social networks and for performing detection.
• Live analysis - The examination of computers from within the operating
system using custom forensics or existing sysadmin tools to extract
evidence. The practice is useful when dealing with Encrypting File Systems,
for example, where the encryption keys may be collected and, in some
instances, the logical hard drive volume may be imaged (known as a live
acquisition) before the computer is shut down.
• Deleted files - A common technique used in computer forensics is the
recovery of deleted files. Modern forensic software has its own tools
for recovering or carving out deleted data. Most operating systems and
file systems do not always delete physical file data, allowing it to be
reconstructed from the physical disk sectors.
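To show why deleted data can still be reconstructed from disk sectors, the following added example (written for this page, not code from the slides or from any carving tool) builds a tiny constructed disk image with a toy directory in sector 0 and two files in later sectors, then "deletes" one by dropping its directory entry only. Listing the directory finds one file; scanning the raw sectors for header/footer signatures finds both. The sector size, the directory format and the function names are assumptions of the example; the JPEG and PNG signatures are the real ones.

```python
SECTOR = 512

# (header, footer) byte signatures; a small subset of what carving tools know
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xaeB`\x82"),
}


def build_sample_image():
    """Constructed 8-sector image: sector 0 is a toy directory, sector 2 holds
    a JPEG that is still allocated, sector 5 holds a PNG whose directory entry
    has been removed (a 'deleted' file whose bytes were never wiped)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF constructed payload" + b"\xff\xd9"
    png = SIGNATURES["png"][0] + b"IHDR constructed payload" + SIGNATURES["png"][1]
    sectors = [bytearray(SECTOR) for _ in range(8)]
    sectors[2][: len(jpeg)] = jpeg
    sectors[5][: len(png)] = png
    # toy directory format: one "name,start_sector,length" line per live file
    directory = b"photo.jpg,2,%d\n" % len(jpeg)   # no entry for the PNG any more
    sectors[0][: len(directory)] = directory
    return bytes(b"".join(sectors))


def list_allocated(image):
    """What a normal file listing would show: only entries the directory knows."""
    table = image[:SECTOR].rstrip(b"\x00").decode()
    entries = []
    for line in table.splitlines():
        name, start, length = line.split(",")
        entries.append((name, int(start) * SECTOR, int(length)))
    return entries


def carve(image):
    """Signature-based carving: scan the raw bytes for header/footer pairs and
    ignore the file system entirely. Returns [(ext, start, end, data)]."""
    found = []
    for ext, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header))
            if end < 0:
                break  # header with no footer: truncated remnant, skipped here
            end += len(footer)
            found.append((ext, start, end, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


if __name__ == "__main__":
    img = build_sample_image()
    print("directory:", [e[0] for e in list_allocated(img)])
    print("carved:", [(h[0], h[1], h[2] - h[1]) for h in carve(img)])
```

Real carving has to cope with fragmented files, signatures inside other files and formats without a fixed footer, which is why tools add length fields and validation; the header/footer scan above is the core idea the slide refers to.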
Mobile Device Forensics
• Mobile device forensics is a sub-branch of digital forensics relating
to recovery of digital evidence or data from a mobile device.
• Investigations usually focus on simple data such as call data and
communications (SMS/Email) rather than in-depth recovery of
deleted data.
• SMS data from a mobile device investigation helped to exonerate
Patrick Lumumba in the murder of Meredith Kercher.
• Mobile devices are also useful for providing location information,
either from inbuilt GPS/location tracking or via cell site logs (which
track the devices within their range). Such information was used to
track down the kidnappers of Thomas Onofri in 2006.
Data Types - As mobile device technology advances, the amount and types
of data that can be found on a mobile device are constantly increasing.

Types of data that can be found on mobile devices can include:
• multimedia files (sounds, music, images, video, podcasts)
• messages (SMS, MMS, Twitter, Chat)
• e-mails
• browser history/bookmarks/cookies
• personal information (Calendars, Contacts, Notes)
• log files (calls, networks, applications)
• maps (Google, OpenStreetMap)
• connection information (Bluetooth, WLAN, VPN)
• GPS positions
• running processes
• routing tables
• network and connectivity statistics
• boot sequence, default libraries
Forensic Process in Mobile Devices
• Preservation: The first step in digital evidence
recovery. It is the process of seizing a suspect's
property without altering or changing the
contents of the data that reside on devices or
removable media.
• Acquisition: The second step in the forensic
process is acquisition, the process of retrieving
material from a device. This process can take
place either at the crime scene or in the laboratory.
• Examination & analysis: The examination process uncovers
digital evidence, including that which may be hidden or obscured.
The results are gained through applying established, scientifically
based methods, and should describe the content and state of the
data fully, including the source and the potential significance.
Data reduction, separating relevant from irrelevant information,
occurs once the data is exposed. The analysis process differs from
examination in that it looks at the results of the examination for
their direct significance and probative value to the case.
• Reporting: Reporting is the process of preparing a detailed
summary of all the steps taken and conclusions reached in the
investigation of a case. Reporting depends on maintaining a
careful record of all actions and observations, describing the
results of tests and examinations, and explaining the inferences
drawn from the evidence.
Network Forensics
• Network forensics is a sub-branch of
digital forensics relating to the monitoring and
analysis of computer network traffic for the
purposes of information gathering, legal
evidence or intrusion detection.
• Network investigations deal with volatile and
dynamic information. Network traffic is
transmitted and then lost, so network forensics
is often a pro-active investigation.
• Systems used to collect network data for forensic
use usually come in two forms:
• "Catch-it-as-you-can"
Where all packets passing through a certain traffic
point are captured and written to storage, with
analysis being done subsequently in batch mode.
This approach requires large amounts of storage.
• "Stop, look and listen"
Where each packet is analyzed in a rudimentary
way in memory and only certain information
saved for future analysis. This approach requires a
faster processor to keep up with incoming traffic.
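The two collection models can be contrasted in code. The following added example (written for this page, not code from the slides or from any capture tool) feeds the same constructed packet stream to a "catch-it-as-you-can" collector that keeps every packet and to a "stop, look and listen" collector that keeps only a per-flow summary. The packet structure, the header-size constant, the sample addresses and the class and method names are all constructed for the example.

```python
from collections import namedtuple

# constructed packet record: timestamp, 5-tuple, payload bytes
Packet = namedtuple("Packet", "ts src dst sport dport proto payload")
HEADER_BYTES = 54  # assumed Ethernet + IPv4 + TCP header overhead per packet


class CatchItAsYouCan:
    """Store every packet whole; analysis happens later, in batch mode."""

    def __init__(self):
        self.packets = []

    def ingest(self, pkt):
        self.packets.append(pkt)

    def storage_bytes(self):
        return sum(HEADER_BYTES + len(p.payload) for p in self.packets)

    def search_payload(self, needle):
        """Batch-mode content search: only possible because payloads were kept."""
        return [p for p in self.packets if needle in p.payload]


class StopLookListen:
    """Inspect each packet in memory and keep only a per-flow summary."""

    def __init__(self):
        self.flows = {}  # (src, dst, sport, dport, proto) -> summary dict

    def ingest(self, pkt):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        flow = self.flows.get(key)
        if flow is None:
            self.flows[key] = {"packets": 1, "bytes": len(pkt.payload),
                               "first": pkt.ts, "last": pkt.ts}
        else:
            flow["packets"] += 1
            flow["bytes"] += len(pkt.payload)
            flow["last"] = pkt.ts
        # the payload itself is discarded here and cannot be recovered later

    def storage_bytes(self):
        # assumed per-flow record size: five key fields + four counters, 8 bytes each
        return 9 * 8 * len(self.flows)

    def sources_by_distinct_dports(self, threshold):
        """Flow summaries still support simple detection, for example a host
        that has touched at least `threshold` distinct destination ports."""
        ports = {}
        for (src, _dst, _sport, dport, _proto) in self.flows:
            ports.setdefault(src, set()).add(dport)
        return sorted(s for s, ps in ports.items() if len(ps) >= threshold)


# constructed traffic: one web session plus one host probing four ports
SAMPLE_PACKETS = [
    Packet(1.0, "10.0.0.5", "10.0.0.9", 40000, 80, "tcp", b"GET /index.html"),
    Packet(1.1, "10.0.0.5", "10.0.0.9", 40000, 80, "tcp", b"GET /admin"),
    Packet(1.2, "10.0.0.5", "10.0.0.9", 40000, 80, "tcp", b"GET /logo.png"),
    Packet(2.0, "10.0.0.7", "10.0.0.9", 51000, 22, "tcp", b""),
    Packet(2.1, "10.0.0.7", "10.0.0.9", 51001, 23, "tcp", b""),
    Packet(2.2, "10.0.0.7", "10.0.0.9", 51002, 25, "tcp", b""),
    Packet(2.3, "10.0.0.7", "10.0.0.9", 51003, 80, "tcp", b""),
]


def run_collectors(packets):
    """Feed the same stream to both collectors; returns (full, summary)."""
    full, summary = CatchItAsYouCan(), StopLookListen()
    for pkt in packets:
        full.ingest(pkt)
        summary.ingest(pkt)
    return full, summary


if __name__ == "__main__":
    full, summary = run_collectors(SAMPLE_PACKETS)
    print("full capture bytes:", full.storage_bytes(), "flows only:", summary.storage_bytes())
    print("payload hits:", len(full.search_payload(b"/admin")))
    print("busy sources:", summary.sources_by_distinct_dports(4))
```

The trade-off the slide describes is visible in the results: the flow summary is smaller and already enough to notice the host probing many ports, but a later question about what was sent in a request can only be answered by the collector that stored the payloads.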
Database Forensics
• Database forensics is a branch of digital forensic science relating to the
forensic study of databases and their related metadata.
• The discipline is similar to computer forensics, following the normal
forensic process and applying investigative techniques to database
contents and metadata.
• A forensic examination of a database may relate to the timestamps that
apply to the update time of a row in a relational table being inspected
and tested for validity in order to verify the actions of a database user.
Alternatively, a forensic examination may focus on identifying transactions
within a database system or application that indicate evidence of
wrongdoing, such as fraud.
• Currently many database software tools are in general not reliable and
precise enough to be used for forensic work, as demonstrated in the first
paper published on database forensics.
• The forensic study of relational databases requires a knowledge of the
standard used to encode data on the computer disk.
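As an illustration of testing row timestamps for validity against the actions a database user should have logged, the following added example (written for this page, not code from the slides) builds a constructed SQLite database with an accounts table and an audit log, then runs two checks: rows whose last update time is not backed by any audit entry, and rows whose update time lies after the moment the database copy was acquired. The schema, the sample rows, the acquisition time and the function names are all constructed assumptions of the example.

```python
import sqlite3

ACQUIRED_AT = "2024-03-10 12:00:00"  # constructed time at which the copy was taken


def build_sample_db():
    """In-memory database with constructed rows; accounts 3 and 4 are the anomalies."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (
            id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER, updated_at TEXT);
        CREATE TABLE audit_log (
            id INTEGER PRIMARY KEY, account_id INTEGER, changed_at TEXT, changed_by TEXT);
        INSERT INTO accounts VALUES
            (1, 'alice',  500, '2024-03-01 09:15:00'),
            (2, 'bob',    120, '2024-03-05 17:40:00'),
            (3, 'carol', 9000, '2024-03-08 02:10:00'),   -- no audit entry at all
            (4, 'dave',   300, '2024-03-12 08:00:00');   -- later than acquisition
        INSERT INTO audit_log VALUES
            (1, 1, '2024-03-01 09:15:00', 'teller1'),
            (2, 2, '2024-03-04 11:00:00', 'teller1'),
            (3, 2, '2024-03-05 17:40:00', 'teller2'),
            (4, 4, '2024-03-09 08:00:00', 'teller2');
    """)
    return conn


# A row's updated_at should equal the latest audit_log change for that account;
# anything else means the row was changed outside the logged path.
UNLOGGED_UPDATES_SQL = """
SELECT a.id, a.owner, a.updated_at, MAX(l.changed_at)
FROM accounts AS a
LEFT JOIN audit_log AS l ON l.account_id = a.id
GROUP BY a.id
HAVING MAX(l.changed_at) IS NULL OR MAX(l.changed_at) <> a.updated_at
ORDER BY a.id
"""


def unlogged_updates(conn):
    """Account ids whose update time has no matching audit entry."""
    return [row[0] for row in conn.execute(UNLOGGED_UPDATES_SQL)]


def future_timestamps(conn, acquired_at):
    """Account ids whose update time is after the acquisition time, which is
    impossible for an honest clock and points at a reset or edited clock."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM accounts WHERE updated_at > ? ORDER BY id", (acquired_at,))]


if __name__ == "__main__":
    db = build_sample_db()
    print("unlogged:", unlogged_updates(db))
    print("after acquisition:", future_timestamps(db, ACQUIRED_AT))
```

The timestamps are ISO-8601 text, so SQLite's plain string comparison orders them correctly; with a real engine the same checks would run against the transaction log or redo log rather than an application-level audit table.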
Advantages
• It aids in finding and explaining complex facts
to a jury, and at least in theory provides
neutral, scientifically supported information.
• Its ability to search and analyze a mountain
of data quickly and efficiently.
Disadvantages
1. Privacy Concern:
• One of the primary concerns of computer forensics is the impact it will have on the
computer owner's privacy.
• Computer forensics can prove to be a disadvantage if proper safeguards are not in
place to ensure that data is protected.
2. Cost: The cost to maintain a laboratory containing appropriate computers, computer
analysis tools, software and security implements to safeguard information can be
enormous.
3. Data Corruption:
• There is the inherent danger that the investigator will somehow alter the original data
in the process of attempting to acquire it.
• The non-permanent nature of computer data can make it highly suspect in legal cases.
Conclusion
• The science of digital media forensics has come a long
way and, as time passes, will become a staple of the
corporate information security officer.
• A general understanding is the first step; the
realization of its necessity comes next.
• Forensics will play a larger part in the planning and
execution of policy.
• It is further intended to help identify the information
security officer's need for digital media forensics
capabilities.
Thank You