Today's (Digital) Forensic


TODAY’S FORENSIC

Challenges in a real-world application


Digital Forensic, a General Definition 2

• “Digital Forensics is a branch of forensic science that focuses on digital devices and cybercrime. Through a process of identifying, preserving, analyzing, and documenting digital evidence, DFIs recover and investigate information to aid in the conviction of criminals. The DF process is extensive, and a secure environment is necessary to retrieve and preserve digital evidence.”
• By University of Nevada, Reno
Today’s Digital Forensic 3

• “Digital forensics is the process of uncovering and interpreting electronic data.
• The goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying, and validating digital information to reconstruct past events.
• The context is most often for the usage of data in a court of law, though digital forensics can be used in other instances.”
• By Techopedia
The Need of Digital Forensic 4

• “For businesses, Digital Forensics is an important part of the Incident Response process. Forensic Investigators identify and record details of a criminal event as evidence to be used by LEA. Rules and regulations surrounding this process are often instrumental in proving innocence or guilt in a court of law.”
• By EC Council
Incident Response Governance 5

• Well-known general activities of Digital Forensic practitioners related to incident handling include, but are not limited to:
• Extracting and recovering deleted data and discovering evidence, e.g. artifacts of misconduct and/or violation of regulations.
• Proving misuse of devices, data, information, and/or any other Information Technology (IT) assets or property of the organization.
• Mitigating and recovering from the damage, preventing wider impact, loss, and recurring events or system disruption.
• Leading the handling from the management, legal, and business-process perspectives.
The Digital Forensic Experts 6

• “A Digital Forensics Investigator is someone who wants to follow the evidence and solve a crime virtually. Imagine a security breach happening at a company, resulting in stolen data. In this situation, a computer forensic analyst would determine how attackers gained access to the network, where they traversed the network, and what they did on the network, whether they took information or planted malware. Under those circumstances, a digital forensic investigator must recover data like documents, photos, and emails from computer hard drives and other data storage devices, such as zip and flash drives, that have been deleted, damaged, or otherwise manipulated.”
• By EC Council
Professional Certification 7

• Vendor-neutral programs cover best practices in a particular field, such as project or security management.
• Vendor-specific programs deal with specific tools, developer software platforms, or products, and provide training specific to them.
• DF certification lists: INFOSEC INSTITUTE (digital forensic certifications compared with general security certifications)
• Guides: DF Certification Guide (in general), DF Magazine, NIST
• Certification vendors and programs: ISFCE, IACRB, ISC2, SANS, EC-Council, ACE, IACIS, EnCase, DFCB, CAST, CCFTC
Reputable and widely accepted Certification 8

Digital Forensic Industry Standard Professional Training / Certification:

1. EnCE Training (EnCase Certified Examiner)
2. X-Ways Forensics Training
3. Advanced Forensic Training (NFI)
4. Oxygen Forensics Training
5. E-Discovery Training
6. Basic Certified Computer Forensic Examiner Course (Bootcamp)
7. CHFI Training (Computer Hacking Forensic Investigator)
8. CHFI Certification (Computer Hacking Forensic Investigator)
9. CEH Training (Certified Ethical Hacker)
10. CEH Certification (Certified Ethical Hacker)
11. ACE Certification (AccessData Certified Examiner), FTK
12. CFCE Certification (Certified Forensic Computer Examiner)
13. CCE Certification (Certified Computer Examiner)
Digital Forensic Application 9

Data Acquisition and Recovery, applied to:

• Evidence (Crime)
• Investigation (Civil)
• Incident (Business)

Steps of Digital Forensic 10

1. Preparation
2. Identification
3. Preservation
4. Analysis
5. Documentation
6. Presentation

Chain of Custody: the globally standardized investigation process that records each handover of the evidence through these steps.
Audit Trail: the record used to validate the Chain of Custody when it is examined in court.
Steps for Digital Forensic First Responder 11

• First Response - a digital forensic team acts as soon as a security incident occurs and is reported.
• Search and Seizure - identify the devices involved in the incident and seize them for evidence and data, preventing the act from continuing.
• Evidence Collection - after seizing the devices, professionals collect the data using forensic methods for handling evidence.
• Securing the Evidence - store it in a safe environment, a secure space or compartment, where the data can be authenticated, proven accurate, and kept accessible.
Steps for Digital Forensic Examiner 12

• Data Acquisition - retrieves electronically stored information (ESI) from the devices. Use proper procedure and take care not to alter the data, which would sacrifice the integrity of the evidence.
• Data Analysis - team members sort and examine the authenticated ESI to identify and extract data that is useful in court.
• Evidence Assessment - once ESI is identified as evidence, investigators assess it in relation to the security incident. This phase relates the data gathered directly to the case.
Steps for Digital Forensic Expert 13

• Explaining the digital evidence's role, context, and event chronology.
• Documentation and Reporting - this phase happens once the initial investigation is done: produce reports and documentation of the forensic process, data, and findings in the digital evidence, in a form acceptable to the court of law.
• Expert Witness Testimony - an expert witness is a professional involved in the investigation who works in a field related to the case; they affirm that the data is valid as evidence and present it in court.
Digital Evidence Context 14

• Physical Context - procedures governing the identification and collection of physical media, such as documenting all evidence found, duplicating it, and storing it safely.
• Logical Context - procedures governing the examination and analysis of data on the media: finding hidden files, recovering deleted ones, reconstructing and presenting events chronologically, and analyzing their relevance to the case.
• Legal Context - governs the physical and information handling of forensic procedures according to rules and law: determination of authority and competence, warrants, seizures, filings, and reports, as well as presentation in court.
Model Process Forensic 15

Preparation
• Verify Legal Authority
• Search and Seizure Warrant
• Photographic Documentation
• Secure Collection
• Physical Evidence
• Preservation

Identification
• Location
• Date, Time
• Witnesses
• System Info

Examination
• Hash Verification
• Bit Stream Imaging
• Authentication
• Chain of Custody (Audit Trail)
• Analysis

Admission
• Interpretation
• Retain Integrity
• Filter Irrelevant Data
• Reconstruction
• Objective, Unbiased
• Present and Defend
Standardize Model Process 16

1. Identification - Target: Media
2. Examination - Target: Data
3. Analysis - Result: Information
4. Admission - Product: Evidence

• Reference: Association of Chief Police Officers (ACPO), Good Practice Guide for Computer-based Electronic Evidence
• Reference: ISO/IEC 27037:2012, Information Technology — Security Techniques — Guidelines for Identification, Collection, Acquisition, and Preservation of Digital Evidence
• Reference: National Institute of Standards and Technology (NIST)
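The Examination-column items of the process model (bit-stream imaging, hash verification, chain of custody as an audit trail) and the examiner's acquisition step can be made concrete in code. The following is an added example in Python, not code from these slides or from CSIRT.ID; the "device" is a temporary file constructed for the demo, and the case id, examiner names and locker note are placeholders. It copies the source bit-for-bit while hashing it, re-reads the image from disk to verify the copy, and keeps a custody log in which each event carries the hash of the previous one, so a rewritten or deleted entry is detectable.

```python
"""Added example: bit-stream acquisition, hash verification, and a
hash-chained chain-of-custody record (the audit trail).

Constructed demo only: the "device" is a temporary file, not real media.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream 1 MiB at a time so large media never has to fit in RAM


def sha256_file(path: str) -> str:
    """Hash a file by streaming it; re-verification must not load the whole image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def event_hash(event: dict) -> str:
    """Deterministic hash of one custody event (sorted keys => canonical JSON)."""
    return hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()


def add_event(record: dict, action: str, person: str, note: str = "") -> dict:
    """Append a custody event that points at the hash of the previous event."""
    prev = record["events"][-1]["hash"] if record["events"] else "0" * 64
    event = {
        "time": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "person": person,
        "note": note,
        "prev_hash": prev,
    }
    event["hash"] = event_hash(event)  # covers every field above, including prev_hash
    record["events"].append(event)
    return event


def acquire(source: str, image: str, case_id: str, examiner: str) -> dict:
    """Copy source -> image bit for bit, hashing the source in the same pass."""
    src_h = hashlib.sha256()
    with open(source, "rb") as fin, open(image, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            src_h.update(block)
            fout.write(block)
    # Re-read the written image: hashing only the bytes we intended to write
    # would miss a write error or a truncated file.
    if sha256_file(image) != src_h.hexdigest():
        raise RuntimeError("image does not match source")
    record = {"case_id": case_id, "source": source, "image": image,
              "sha256": src_h.hexdigest(), "events": []}
    add_event(record, "acquired", examiner,
              f"bit-stream copy, {os.path.getsize(image)} bytes")
    return record


def verify_image(record: dict) -> bool:
    """Re-hash the image and compare with the acquisition hash (do this before each exam)."""
    return sha256_file(record["image"]) == record["sha256"]


def verify_trail(record: dict) -> bool:
    """Walk the chain: each event must hash to its stored value and link to its predecessor."""
    prev = "0" * 64
    for ev in record["events"]:
        body = {k: v for k, v in ev.items() if k != "hash"}
        if ev["prev_hash"] != prev or event_hash(body) != ev["hash"]:
            return False
        prev = ev["hash"]
    return True


def demo() -> dict:
    """Acquire a constructed device, then show that image and log tampering are both caught."""
    with tempfile.TemporaryDirectory() as d:
        dev, img = os.path.join(d, "device.bin"), os.path.join(d, "device.dd")
        with open(dev, "wb") as f:  # constructed sample media (placeholder content)
            f.write(b"MBR" + bytes(range(256)) * 64 + b"deleted-doc.txt remnant")
        rec = acquire(dev, img, case_id="CASE-0001", examiner="examiner-1")
        add_event(rec, "transferred", "evidence-clerk", "sealed bag #7, locker B")
        add_event(rec, "examined", "examiner-2", "read-only mount, keyword search")
        results = {"image_ok": verify_image(rec), "trail_ok": verify_trail(rec)}

        with open(img, "r+b") as f:  # invert a single byte of the image
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0xFF]))
        results["tampered_image_detected"] = not verify_image(rec)

        rec["events"][1]["person"] = "someone-else"  # rewrite a custody entry after the fact
        results["tampered_trail_detected"] = not verify_trail(rec)
        return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the record would be written out next to the image and signed or stored under separate control; the chaining only proves that the log has not been edited since it was written, not who wrote it.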
Industry Standard Tools 17

• Well-known and recognized forensic application tools: tested and standardized by a respected accreditation body, approved in the field, and widely accepted by digital forensic practitioners, experts, and academia worldwide
• NIST Computer Forensics Tool Testing (CFTT) program and tool catalog
• Accredited testing labs https://www.cftt.nist.gov/
• Tool catalog https://toolcatalog.nist.gov/taxonomy/
• Free tools https://forensiccontrol.com/resources/free-software/
• Anti-forensics https://en.wikipedia.org/wiki/Anti-computer_forensics
• Free live general forensic distribution https://www.caine-live.net/
• Windows tools https://www.caine-live.net/page2/page2.html
• Wiki https://en.wikipedia.org/wiki/List_of_digital_forensics_tools
Branch of Digital Forensic 18

• Computer Forensic
• Mobile Forensic
• Cyber Forensic
• Database Forensic
• Forensic Data Analysis
• IoT Forensic
Computer Forensic Activity 19

• Formerly known as Host Forensic: extracting digital evidence and collecting data from general computer systems, including PCs and servers; finding deleted files and other artifacts; acquiring RAM and other volatile data, including operating-system and file-system-specific data, e.g. the registry and Alternate Data Streams (ADS) in NTFS.
• Targeted user activity and its history, including internet-related accounts, e.g. email, cloud storage, social media, and local user accounts.
• Challenges: specific tools are needed to handle the full range of host systems and technologies that may be targeted.
Mobile Forensic Activity 20

• Extracting digital evidence and collecting data from wearable gadgets and mobile devices, e.g. SIM card data, operating system and application logs, user activity and its history including calls and messages, camera photos and videos, audio recordings, any files or metadata including deleted material, and internet-related accounts, e.g. email, cloud storage, social media.
• Challenges: mobility and distribution of the target devices, and remote account capabilities including remote wipe and device encryption.
Cyber Forensic Activity 21

• Includes Cloud Forensic and Internet Investigation: extracting digital evidence and collecting data from network traffic (packets), active and passive network devices, and any device connected to the networks (LAN, WAN, intranet, Internet); capturing admin and user credentials, accounts, logs, history, temporary data and other volatile data, e.g. in-RAM and in-flow (in-transit) data acquisition.
• Challenges: the size (volumes) of data, encrypted databases, in-use data, the speed of data transmission, limitations of device interfaces, and legal complications, e.g. data protection regulation, ownership and authority, and cross-border data jurisdiction, especially in the cloud.
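Logs collected from several network devices only become evidence of one event sequence once their timestamps are normalized: syslog carries no year or time zone, web server logs carry a UTC offset, and Windows exports are usually in UTC, and any device clock may be skewed. The following added Python example, not code from these slides or from CSIRT.ID, builds a single UTC timeline from three constructed log excerpts (the hostnames, addresses, events and the 90-second firewall clock skew are all made up for the demo; the year and time zone for the syslog source are values the examiner has to supply because the log does not contain them).

```python
"""Added example: normalising three constructed log sources into one UTC timeline.

Hosts, addresses, events and the clock skew are made up for the demo.
"""
import re
from datetime import datetime, timedelta, timezone

# Facts the logs do not carry, supplied by the examiner from the device and NTP checks
SYSLOG_YEAR = 2024                              # BSD syslog timestamps have no year
FW_TZ = timezone(timedelta(hours=7))            # firewall clock is in local time, UTC+07:00
FW_CLOCK_OFFSET = timedelta(seconds=-90)        # firewall clock read 90 s behind reference time

FIREWALL_LOG = """\
Mar  3 21:05:17 fw01 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.7 DPT=22
Mar  3 21:06:02 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=203.0.113.7 DPT=443
"""
WEB_LOG = """\
198.51.100.23 - - [03/Mar/2024:21:07:40 +0700] "POST /login HTTP/1.1" 200 512
198.51.100.23 - - [03/Mar/2024:21:07:41 +0700] "GET /admin/export HTTP/1.1" 200 90211
"""
WIN_LOG = """\
2024-03-03T14:07:55Z,4624,srv-web01,Logon Type 3 from 198.51.100.23
2024-03-03T14:09:02Z,1102,srv-web01,The audit log was cleared
"""


def parse_firewall(line: str):
    """Syslog: add the year, attach the device's zone, then correct the measured skew."""
    m = re.match(r"(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) (.*)", line)
    mon, day, clock, host, msg = m.groups()
    naive = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    t = naive.replace(tzinfo=FW_TZ) - FW_CLOCK_OFFSET   # clock was behind, so add 90 s
    return t.astimezone(timezone.utc), host, msg


def parse_web(line: str):
    """Combined access log: the bracketed timestamp already carries its UTC offset."""
    m = re.match(r'(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d+) (\d+)', line)
    ip, ts, req, status, size = m.groups()
    t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return t.astimezone(timezone.utc), "web", f"{ip} {req} -> {status} ({size} bytes)"


def parse_windows(line: str):
    """CSV export with ISO-8601 UTC; 'Z' is not accepted by fromisoformat before Python 3.11."""
    ts, event_id, host, msg = line.split(",", 3)
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return t.astimezone(timezone.utc), host, f"EventID {event_id}: {msg}"


def build_timeline() -> list:
    """Parse every source, express each time in UTC, and sort into one sequence."""
    rows = []
    for text, parser, source in ((FIREWALL_LOG, parse_firewall, "fw01 syslog"),
                                 (WEB_LOG, parse_web, "web access log"),
                                 (WIN_LOG, parse_windows, "windows security")):
        for line in text.splitlines():
            t, host, detail = parser(line)
            rows.append({"utc": t.strftime("%Y-%m-%dT%H:%M:%SZ"),
                         "source": source, "host": host, "detail": detail})
    # fixed-width ISO-8601 UTC strings sort chronologically
    return sorted(rows, key=lambda r: r["utc"])


if __name__ == "__main__":
    for row in build_timeline():
        print(row["utc"], row["source"].ljust(16), row["host"].ljust(10), row["detail"])
```

Without the skew correction the firewall ACCEPT would appear 90 seconds earlier than it happened; without the zone conversion it would appear seven hours too late and land after the audit-log clearing, inverting the story the timeline tells.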
Database Forensic Activity 22

• Includes analysis of database structure and metadata, logs, activity, history, usage and utilities, and admin and user credentials within a data warehouse repository; sometimes also extracting raw data from data lakes, e.g. big data crawler results. Raw and unstructured data also need to be analyzed by data scientists.
• Targeted databases and their related material need special acquisition techniques and tools, e.g. memory forensics and cryptography (hash encoding and decoding, encryption analysis).
• Challenges: the size (volumes) of data, encrypted databases, in-use data.
Forensic Data Analysis Activity 23

• Specialized in-depth analysis of data in digital formats, e.g. multimedia analysis, data carving, repair and reconstruction of recovered data, timeline and correlation analysis, and special examinations such as audits and investigation of financial fraud.
• Generally, unstructured data is examined by a data scientist or by a specialist in the specific digital format.
• Challenges: data protection technology including TPM, the T2 chip, TRIM on SSDs and other storage devices, and data encryption in general.
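Data carving, mentioned above, recovers files from unallocated space without any file system metadata by scanning for known header and footer byte signatures. The following added Python example (not code from these slides or from CSIRT.ID) carves PNG and JPEG objects from a raw byte buffer constructed for the demo, with a size cap so a header whose footer was overwritten cannot swallow the rest of the media, and then validates a carved PNG by walking its chunks and checking every CRC, the kind of structural check that separates a real file from a signature that appeared by chance.

```python
"""Added example: signature-based file carving over a raw byte buffer,
with structural validation of carved PNGs.

Constructed demo: the "unallocated space" is a byte string assembled here.
"""
import hashlib
import struct
import zlib

# header, footer, and a cap so a footerless header cannot swallow the whole disk
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 16 << 20),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 16 << 20),
}


def carve(buf: bytes) -> list:
    """Return carved objects (type, offset, length, sha256) sorted by offset."""
    found = []
    for kind, (head, foot, cap) in SIGNATURES.items():
        pos = 0
        while (start := buf.find(head, pos)) != -1:
            window_end = min(len(buf), start + cap)
            end = buf.find(foot, start + len(head), window_end)
            if end == -1:
                pos = start + 1          # header with no footer in range: skip, keep scanning
                continue
            end += len(foot)
            data = buf[start:end]
            found.append({"type": kind, "offset": start, "length": len(data),
                          "sha256": hashlib.sha256(data).hexdigest()})
            pos = end                    # resume after the object, never inside it
    return sorted(found, key=lambda o: o["offset"])


def png_chunks_valid(data: bytes) -> bool:
    """Walk PNG chunks (len, type, body, CRC); every CRC must match and IEND must end the file."""
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(crc) != 4 or (zlib.crc32(ctype + body) & 0xFFFFFFFF) != struct.unpack(">I", crc)[0]:
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)
    return False


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used only to construct the sample)."""
    return struct.pack(">I", len(body)) + ctype + body + \
        struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def build_sample():
    """Constructed 'unallocated space': junk, a 1x1 PNG, junk, a tiny JPEG, junk, an orphan header."""
    png = (SIGNATURES["png"][0]
           + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
           + _chunk(b"IEND", b""))
    jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\x12" * 40 + b"\xff\xd9")
    orphan = b"\xff\xd8\xff\xe1" + b"\x00" * 20   # JPEG header whose footer was overwritten
    junk = b"\x00" * 300 + b"ABCD" * 50           # filler chosen to contain no signature
    buf = junk + png + junk + jpeg + junk + orphan + junk
    return buf, png, jpeg


if __name__ == "__main__":
    buf, _, _ = build_sample()
    for obj in carve(buf):
        data = buf[obj["offset"]:obj["offset"] + obj["length"]]
        valid = png_chunks_valid(data) if obj["type"] == "png" else "n/a"
        print(obj["type"], obj["offset"], obj["length"], obj["sha256"][:16], "valid:", valid)
```

The JPEG side is signature-only here: a real carver must also parse JPEG segments, because an embedded EXIF thumbnail carries its own FFD9 and would otherwise truncate the carve at the thumbnail's end.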
Internet of Things Forensic Activity 24

• Extracting digital evidence and collecting data from autonomous and intelligent electronic devices (the Internet of Things), including automobiles, smoke alarms, watches, eyeglasses, webcams, and other devices now connected to the Internet.
• This kind of connectivity raises particular privacy and security concerns, given the rapid increase in the number of existing and new IoT devices deployed for public and private environment control and mass surveillance.
IoT Forensic Challenges 25

• Recent threats and attacks related to IoT security are regarded as a promising but problematic area of research, and call for the rapid development of technologies suited to the nature of crimes in the IoT environment.
• Criminal investigation specialists face difficulties due to the variety of locations, data types, instruments used, and device recognition across different vendors.
IoT Forensic Challenges 26

• In-depth research on criminal content in the IoT is needed.
• Such research compares the stages of traditional digital forensics with IoT forensics in terms of similarities and differences, the frameworks used in dealing with electronic crimes, and the techniques used in both; it discusses the challenges and provides solutions and strategies.
• Adopting comprehensive IoT forensic frameworks used to protect communication in the IoT field, e.g. the Digital Forensic Investigation Framework (DFIF), the Digital Forensic Framework for Smart Environments (IoT DOTS), and Forensic State Acquisition from the Internet of Things (FSA IoT).
References 27

• The Phases of Digital Forensics, University of Nevada, Reno
• Practical Digital Forensics, Richard Boddington, 2016
• Digital Forensics Basics, Nihad A. Hassan, 2019
• Digital Forensics: What Is It in 2021—2022?, Recfaces, 2021
CSIRT.ID Indonesia Cyber Security Independent Resilience Team 28

• Email Address
  - Author: pataka@csirt.id
  - General inquiry: info@csirt.id
  - Incident report: incident@csirt.id

• Postal Address
  - MULA by GALERIA – The CILANDAK Town Square
  - TB SIMATUPANG Highway – (KAVLING) Lot 17
  - Jakarta Selatan, DKI Jakarta 12770 – Indonesia
  - Phone and Facsimile +62 21-7592-0274
