Digital Forensics: Processing Crime and Incident Scenes


Digital Forensics

Module 3
Processing Crime and Incident Scenes

Dr. Nagaraj S V & Prof. Seshu Babu Pulagara, VIT Chennai

Digital Evidence

• According to E. Casey, “Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use.”


Digital evidence sources

• E-mails
• Digital images / photos
• Digital audio
• Digital videos
• ATM transaction logs
• Word processor documents
• Instant messages and their histories
• Files saved from various programs


• Databases
• The contents of computer memory and memory storage devices such as hard disks, CDs, DVDs, USB drives, digital tapes, floppies
• Computer backups
• Printouts
• Global Positioning System (GPS) data
• Logs from electronic door locks


• Spreadsheets
• Web browser logs
• Mobile phone call logs
• Computer programs / software
• Data from handheld devices, peripheral devices (monitors, keyboards, mice, memory sticks, thumb drives, zip disks), network devices
• Answering machines


• Internet chat logs
• CCTV / digital / web cameras
• Debit / credit / prepaid / smart cards
• VoIP devices
• Microphones
• USB / Wi-Fi / Bluetooth / NFC devices
• Memory card readers
• Fax machines
• Scanners


• Network cards
• Hubs
• Modems
• Network switches
• Ethernet cables
• Power supplies
• Wireless access points
• Wireless devices


• Photocopying machines
• Routers
• IP addresses
• LAN / MAC / Network Interface Card addresses
• Digital audio/video recorders
• MP3 players
• Video game consoles


• SIM cards / SIM card readers
• Smart watches
• Satellite phones
• Drones / UAVs
• Sensors
• Electronic pacemakers
• IoT devices
• Biometric identification devices: for fingerprint, hand geometry, iris, voice recognition, and facial recognition


• Servers
• Magnetic stripe cards
• Virtual machines
• Cloud-based storage
• Network-attached storage
• Telecom equipment
• Cell phone towers
• Skimmers


• Social media
• Wearables, including activity trackers and body cams
• Automated License Plate Readers
• TASERs
• Smart TVs
• Baby monitors
• Personal digital assistants
• Keyloggers


• Electric power meters / smart meters
• Home / building automation systems
• Home security systems
• Video display devices, projectors, monitors
• Tablets
• SD cards / CF cards
• Computer chips
• Pagers


• Hard drive duplicators
• Videocassette recorders
• Telephone caller ID units
• Personal Computer Memory Card International Association (PCMCIA) cards
• RAID devices
• Mobile communication devices
• External data storage devices


• Videotapes
• Wireless network equipment
• Web sites
• Card readers
• RFID tags


Digital evidence characteristics

• Can be volatile (e.g. data in RAM)
• Can be altered
• Can be stored in digital form
• May be transmitted in digital form
• Can be erased / deleted / destroyed


SWGDE

• The Scientific Working Group on Digital Evidence (SWGDE) sets standards for retrieving, maintaining, and analyzing digital evidence
• https://www.swgde.org


Exercise

• Identify the tasks investigators must perform when working with digital evidence.
• Give examples of situations where original evidence can’t be used in court.
• Give examples of situations where additional technical expertise may be needed.
• What is the initial-response field kit? What does it contain?
• What is the extensive-response field kit? What does it contain?


Exercise

• Attorneys may challenge digital evidence. They may ask whether digital evidence was altered or damaged. How do you prove that the evidence is authentic?
  Hint: The original creator of a Microsoft Word document can be identified by using file metadata.
• Discuss terminology such as Fourth Amendment, warrants, innocent information, limiting phrase, plain view doctrine.


Exercise

• Discuss the issues involved when collecting evidence from private-sector incident scenes.
• Discuss the issues involved when collecting evidence from public-sector incident scenes.
• Discuss the issues involved in seizing computers and digital devices.
• Give guidelines for processing an incident scene.


• Discuss the steps involved in securing an incident scene.
• Discuss the following questions to ask when acquiring evidence:
  (i) Is the computer switched on when you reach the scene?
  (ii) Is it necessary to take the whole computer and all computer peripherals and media devices in the vicinity?


  (iii) How do you shield the computer and media devices from damage, danger, and destruction while carrying them to the lab?
  (iv) Is the suspected perpetrator in the immediate vicinity of the computer or media device?
  (v) Is it probable that the suspect harmed or ruined the computer and media devices?
  (vi) Should the suspect be kept away from the computer?


Storing digital evidence

• Often it becomes necessary to store digital evidence for a long time.
• Magnetic tapes can store data for several years and are cheaper than other media such as CDs, DVDs, DVD-Rs, DVD+Rs, or DVD-RWs.
• The risk of technology becoming obsolete is high in the computer field; e.g. floppy disks are no longer widely used.


Safety tips

• It is safer to have at least two copies of every image to avoid data loss.
• It is better to use different tools to produce the images.
• Limit access to the lab and the evidence storage area to prevent loss, damage, and alteration.
• Maintain the chain of custody for digital evidence.
• Document the evidence.
• Use evidence custody forms.


• Validation of evidence can be done using checksums, hash functions, and cyclic redundancy checks.
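The two slides above (keep at least two copies of every image, maintain the chain of custody, validate with checksums, hash functions and cyclic redundancy checks) in working code. This is an added example written for this page, not code from the slides or the textbook they cite; the 16 KiB "disk image", the file names, the case number CASE-0001 and the examiner name are constructed placeholders.

```python
"""Verify working copies of a forensic image against the original and log the result."""
import hashlib
import zlib
from datetime import datetime, timezone
from pathlib import Path
from tempfile import TemporaryDirectory

CHUNK = 1 << 20  # 1 MiB reads: an evidence image can be far larger than RAM


def hash_file(path):
    """Return (sha256_hex, md5_hex, crc32_hex) computed in one pass over the file."""
    sha256, md5, crc = hashlib.sha256(), hashlib.md5(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            sha256.update(chunk)
            md5.update(chunk)
            crc = zlib.crc32(chunk, crc)
    return sha256.hexdigest(), md5.hexdigest(), f"{crc & 0xFFFFFFFF:08x}"


def digests_of_bytes(data):
    """Self-check helper: run an in-memory byte string through hash_file."""
    with TemporaryDirectory() as tmp:
        p = Path(tmp) / "sample.bin"
        p.write_bytes(data)
        return hash_file(p)


def verify_copies(original, copies):
    """Compare each copy's digests with the original's. A copy is 'ok' only if
    SHA-256, MD5 and CRC32 all match; keys are file names so reports are stable."""
    ref = hash_file(original)
    return {
        "sha256": ref[0],
        "md5": ref[1],
        "crc32": ref[2],
        "copies_ok": {Path(c).name: hash_file(c) == ref for c in copies},
    }


def custody_entry(case_id, item, action, examiner, report):
    """One chain-of-custody record: who did what to which item, when, and the
    hashes that let a later examiner prove the item is unchanged."""
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return (f"{ts}\t{case_id}\t{item}\t{action}\t{examiner}\t"
            f"sha256={report['sha256']}\tcrc32={report['crc32']}")


def demo():
    """Constructed scenario: one acquired image, two working copies, one of which
    is silently corrupted by a single flipped bit (as a failing disk or an
    untracked edit would do). Returns the verification report and log lines."""
    image = bytes(range(256)) * 64  # constructed 16 KiB stand-in for a disk image
    with TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "evidence.dd").write_bytes(image)
        (d / "copy1.dd").write_bytes(image)
        damaged = bytearray(image)
        damaged[4096] ^= 0x01  # flip one bit deep inside the second copy
        (d / "copy2.dd").write_bytes(damaged)

        report = verify_copies(d / "evidence.dd", [d / "copy1.dd", d / "copy2.dd"])
        # CASE-0001 and examiner-A are placeholder values, not from any real case
        log = [custody_entry("CASE-0001", "evidence.dd", "verify-copies", "examiner-A", report)]
        return report, log


if __name__ == "__main__":
    rep, entries = demo()
    for name, ok in rep["copies_ok"].items():
        print(f"{name}: {'MATCH' if ok else 'MISMATCH - do not use'}")
    print(*entries, sep="\n")
```

Computing SHA-256, MD5 and CRC32 side by side mirrors the "use different tools" advice: the CRC is cheap and catches accidental corruption, but only the cryptographic hash is collision resistant, so it is the value that belongs on the evidence custody form. The single flipped bit in copy2.dd is detected by all three, and the custody line records who verified what and when.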


References

• Bill Nelson, Amelia Phillips, Christopher Steuart, “Guide to Computer Forensics and Investigations”, Fifth Edition, 2015
• Wikipedia
