
Digital Forensics

FARAZ ALI
FarazAli@ucp.edu.pk
+92-321-404-1740
•Masters in Digital Forensic from University of East London, UK
•Computer Forensic Analyst (Punjab Forensic Science Agency)
•Founding member of Digital Forensic Community in Pakistan
•Cases worked:
• Blasphemy
• Corporate fraud
• Data leak
• Banking fraud
• Terrorism
• Pornography
• Murder
• IEDs (improvised explosive devices)
Faraz Ali
(Lecturer FOIT)
(University of Central Punjab)
Grading Policy
Quizzes (04) ............. 15%
Assignments (04) ......... 15%
Class participation ...... 05%
Mid-exam ................. 30%
Final-exam ............... 35%

Distribution is tentative and flexible

Academic Honesty
• Your work in this class must be your own
• If students are found to have:
  • collaborated excessively, or
  • copied/shared answers
• For the first infraction…
  • all involved will, at a minimum, receive grades of 0
• Further infractions…
  • will result in failure in the course

Attendance Policy
Strictly in accordance with the University policy…

Office Hours
Office: CL207 (Final year lab)

Digital Forensics and Incident Management
• Introduction to Digital Forensics
• Digital Investigation, Registry and File Structure, Data Acquisition
• Memory Forensics
• Memory Acquisition, Process Memory, Hunting Malware.
• Online Investigation and Email Forensics
• Network Forensics
• Mobile Forensics
• Cloud Forensics
• Incident Management
• Contingency Strategies, Incident response Planning, Detection Strategies, and Prevention Systems
• Mitre ATT&CK Framework
• Report Writing for Investigation

Recommended Reading

• Michael Hale Ligh, Andrew Case, Jamie Levy, Aaron Walters (2014), “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory”
• Bill Nelson, Amelia Phillips, Chris Steuart (2019), “Guide to Computer Forensics and Investigations,” 6th edition
• Michael E. Whitman, Herbert J. Mattord (2022), "Principles of Incident Response and Disaster Recovery," 3rd Edition

Definition and Importance of Digital Forensics

 Digital forensics is the retrieval, analysis, and use of digital evidence in a civil or criminal investigation.

 Any medium that can store digital files is a potential source of evidence for a computer forensics investigator.

 Computer forensics is a science because of the accepted practices used for acquiring and examining the evidence and its admissibility in court.

 Forensically sound means that during the acquisition of digital evidence and throughout the investigative process the evidence must remain in its original state.

 Moreover, everyone who has been in contact with the evidence must be accounted for and documented in the Chain of Custody form.

Scope of Digital Forensics

Scope Matrix and Objective

Area                 | Primary Objective        | Secondary Objective | Environment
Law Enforcement      | Prosecution              |                     | After the fact
Military             | Continuity of Operations | Prosecution         | Real Time
Business & Industry  | Availability of Service  | Prosecution         | Real Time

Why do we need to investigate?

 Recover damages/monetary compensation

 Bring culprits to justice

 Make sure it does not happen again!

 Take remedial action

 Prevent leakage of confidential information

Taxonomy of Digital Forensics

Knowledge

Tools

Experience

Types of Forensic Evidence and How It Is Used
 Practically every type of file can be recovered using digital forensics.
 Email is arguably the most important type of digital evidence
 Images
 Video File Metadata
 Websites visited and Internet searches
 Cellphones
 IoT Devices

Communication Between a Client and a Web Server

Digital Forensic Activities

 Digital forensics activities commonly include:
  the secure collection of computer data
  the identification of suspect data
  the examination of suspect data to determine details such as origin and content
  the presentation of computer-based information to courts of law
  the application of a country's laws to computer practice.

The basic methodology consists of the 3 As:
 Acquire the evidence without altering or damaging the original
 Authenticate the image
 Analyze the data without modifying it
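As an added example (not part of the lecturer's slides), the following Python walks through the 3 As on a constructed in-memory "device" and also records the chain-of-custody entries that the definition slide requires: the acquisition is a byte-for-byte copy hashed at acquisition time, authentication compares that hash against an independent hash of the original, and analysis runs over an immutable copy so re-authentication still succeeds afterwards. The names `acquire`, `authenticate`, `analyze`, `tamper_check`, `ForensicImage` and the sample bytes are this example's own assumptions.

```python
"""Added example: the '3 As' (acquire, authenticate, analyze) plus a
chain-of-custody log, on a constructed in-memory 'device'.
Not the lecturer's code; all names and sample data are this example's own."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample bytes standing in for a tiny storage device.
SOURCE_DEVICE = (b"MBR...\x00"
                 + b"user@example.invalid: meeting at 9\n"
                 + b"\x00" * 64)


def sha256_hex(data: bytes) -> str:
    """Hash used to fingerprint evidence at every step."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ForensicImage:
    data: bytes                      # bit-for-bit copy; bytes is immutable
    acquisition_hash: str            # hash recorded when the image was taken
    custody_log: list = field(default_factory=list)

    def log(self, examiner: str, action: str) -> None:
        """Chain of custody: who handled the image, when, and its hash then."""
        self.custody_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "examiner": examiner,
            "action": action,
            "sha256": sha256_hex(self.data),
        })


def acquire(source: bytes, examiner: str) -> ForensicImage:
    """Acquire: copy the source without altering it and hash the copy."""
    image = ForensicImage(bytes(source), sha256_hex(source))
    image.log(examiner, "acquired image")
    return image


def authenticate(image: ForensicImage, source_hash: str) -> bool:
    """Authenticate: the image must still match the hash recorded at
    acquisition AND an independently computed hash of the original."""
    return sha256_hex(image.data) == image.acquisition_hash == source_hash


def analyze(image: ForensicImage, keyword: bytes, examiner: str) -> list:
    """Analyze: search the image for a keyword and return byte offsets.
    Only reads image.data, so the evidence is not modified."""
    offsets, start = [], 0
    while True:
        hit = image.data.find(keyword, start)
        if hit < 0:
            break
        offsets.append(hit)
        start = hit + 1
    image.log(examiner, f"searched for {keyword!r}")
    return offsets


def tamper_check(image: ForensicImage, source_hash: str) -> bool:
    """Flip one bit in a copy of the image; authentication must now fail.
    Returns the (expected False) authentication result for the altered copy."""
    altered = ForensicImage(image.data[:-1] + bytes([image.data[-1] ^ 0x01]),
                            image.acquisition_hash)
    return authenticate(altered, source_hash)


if __name__ == "__main__":
    original_hash = sha256_hex(SOURCE_DEVICE)      # hash of the original medium
    img = acquire(SOURCE_DEVICE, "examiner-1")
    print("authentic after acquire:", authenticate(img, original_hash))
    print("keyword offsets:", analyze(img, b"meeting", "examiner-1"))
    print("authentic after analysis:", authenticate(img, original_hash))
    print("altered copy authentic:", tamper_check(img, original_hash))
    for entry in img.custody_log:
        print(entry)
```

Every handler action appends a log entry carrying the current hash, so a custody log whose hashes stop matching pinpoints the step at which integrity was lost.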

Cyberspace and Criminal Behavior

 The societal impact of the Digital Revolution is as great as that of the Industrial Revolution.

 Action in the virtual reality of cyberspace can affect physical reality.

 Types of Crime:
  Computer crime: crimes committed with computers
  Cyber crime: computer crimes that involve the Internet

The goal of Forensic Investigation

Includes:
Collect useful evidence

Do not interrupt business processes

Ensure that evidence has a positive impact on outcomes and legal actions.

Assist any potential investigation of crimes and persuade adversaries to avoid further actions against the
organization

Offer a procedure that has an acceptable cost.

What Skills Must a Digital Forensics Investigator Possess?
 Computer Science Knowledge

 Legal Expertise

 Communication Skills

 Linguistic Abilities

 Continuous Learning

 Appreciation for Confidentiality

Forensic Roles
 Internal IT Security Operations
 Responsible for security-technology related items
 This includes computers, applications, networking, storage, and associated data
 Different groups within the organization may have specific focuses, such as a data center team or
information security group

 Physical Security Team
  Responsibilities include company perimeter, biometrics, and logging of physical access to different areas and technology within the organization

 Legal Team
 Legal matters are typically handled by members with a legal education

Forensic Roles
 Finances
 Teams that defend financial transactions could be part of IT security, but there may also be specific
members of a financial-focused group.

 Other Roles
 Specific functions such as capturing a crime scene, and human resources when employees are
involved with an incident
 Or an evidence manager responsible for documenting what is collected.

Forensic Job Markets

Let's Start the Course…

What is Digital forensics?
• Digital forensics is a branch of forensic science that uses scientific knowledge for collecting, analyzing, documenting, and presenting digital evidence related to computer crime for use in a court of law.

• The ultimate goal is knowing what was done, when it was done, and who did it.

How did we arrive here?
• The use of computing devices:
  • Dependence on computerized systems to provide services and store information has become prevalent in both the public and private sectors.
  • Individuals also use computing devices heavily in their daily lives (to organize their digital data or to communicate with others).
• The cybersecurity threat is unquestionably growing more serious over time:
  • It is estimated that cybercrime damages will cost the world trillions of dollars annually, while the spending on information security products and services will only grow to billions of dollars.

PURPOSE
• The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.
• Computer forensics will be an important and integral part of legal evidence found in computer systems, digital media / storage and mobile phones.
• Maintaining the documented chain of custody so that it can be presented in the court of law as evidence.
• Understanding ISO 17025.

SCOPE OF COMPUTER FORENSIC
• Scientific examination and analysis of digital storage media, i.e. hard drives, flash memory, floppy disks, CD/DVD etc.
• Forensic Analysis of Mobile Phones and Digital Communication devices.

• Analysis of Standalone or Networked computers used in a crime.

• Acquire / recover evidence from digital media.

• Recover deleted data from Memory or hard drives.

• To provide expert testimony on results in the Court of Law.

Introduction of Computer Forensic Fundamentals
• Forensic and Digital Forensic Definitions

• Digital Evidence

• Digital Forensic Model

• Digital Forensic Process

• Need and Benefits of Digital Forensic

• Applications of Digital Forensic

• Skills required and Challenges faced by Digital Forensic

• Digital Forensic Software Tools

• Conclusion
WHAT IS FORENSIC?

• Collection and analysis of evidence
   Using scientific tests / techniques
    o To establish facts about a crime
    o For presenting in a legal proceeding

• Forensic science is a scientific method of gathering, examining and reproducing information about recovered / deleted data for use in a court of law.

WHAT IS DIGITAL FORENSIC?

Digital Forensics is the use of scientifically derived and proven methods toward:
• The preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital devices
• For the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.

Definition

• Forensic Science is the application of scientific knowledge to help law enforcement to fight crime.
• The origin of forensic science owes to:
  • Bertillon
  • Galton
  • Lattes
  • Goddard
  • Osborn
  • Locard
• These are the names of the individuals who developed the principles and techniques for the modern way of identification and comparison of physical evidence.

Faraz Ali
(Digital Forensic Scientist)
Forensic Science

• The application of science helps the law to decide the fate of a criminal using modern techniques that are enforced by the police in a criminal justice system.
• The application of scientific principles and technology to the legal system. It involves the characterization and examination of physical evidence.
• There are 13 disciplines of Forensic science which are implemented all around the world:
  • Firearms and Tool Marks
  • Question Document Analysis
  • Polygraph Examination
  • DNA & Serology
  • Forensic Toxicology
  • Trace Chemistry Analysis
  • Forensic Photography
  • Narcotics Analysis
  • Audio & Video Analysis
  • Digital Forensics
  • Latent Fingerprint Analysis
  • Crime Scene Investigation
  • Death Scene Investigation
  • Forensic Pathology

BRANCHES OF DIGITAL FORENSICS

• The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved:
  o Computer Forensics
  o Database Forensics
  o Network Forensics
  o Forensic data analysis
  o Mobile device Forensics.

• The typical forensic process covers the seizure, forensic imaging and analysis of digital media and the production of a report into collected evidence.

DIGITAL EVIDENCE

• Evidence
o A piece of information that supports a conclusion

• Digital evidence
o Any data that is recorded or preserved on any medium in or by a
computer system or other similar digital device, that can be read or
understood by a person or a computer system or other similar device.
o It includes a display, printout or other output of that data.

CHARACTERISTICS OF DIGITAL EVIDENCE
• Evidence must be:
• Admissible
  o In conformity with the common law and legislative rules
• Authentic
  o Linking data to specific individuals and events
• Fragile
  o Easily altered, damaged, or destroyed
• Accurate
  o Believed and consistent

CHARACTERISTICS OF DIGITAL EVIDENCE
• Complete
  o Tells the full story of the particular circumstances.
• Convincing to juries
  o Has probative value; a subjective and practical test of presentation, proving beyond doubt.

EXAMPLES OF DIGITAL EVIDENCE ACCEPTED BY PAKISTAN COURTS
• E-mails,

• Digital photographs,

• Microsoft Documents,

• Instant Message Histories,

• Internet Browser Histories,

• Databases,

• Computer Backups

• Digital Video or Audio files

TYPES OF DIGITAL EVIDENCE

• Persistent data
  o Data that remains intact when the digital device is turned off.
  o Hard drives and removable storage devices (such as USB drives or flash drives).
• Volatile data
  o Data that would be lost if the digital device is turned off.
  o Deleted files, computer history, the computer's registry, temporary files and web browsing history.

LOCATION FOR EVIDENCE

• Internet History Files

• Temporary Internet Files

• Slack/Unallocated Space

• Chat records

• News groups/club lists/posting

• Settings, folder structure, file names

• File Storage Dates

• Software/Hardware added

• File Sharing ability


DIGITAL FORENSIC PROCESS

• Identification

• Preservation

• Analysis

• Documentation

• Presentation

DIGITAL FORENSIC MODEL

[Diagram, stages in order: Identification; Evidence Acquisition; Evidence Authenticity (branches: Computer, Mobile); Analysis; Reporting]

PRESERVATION

• State of physical and digital evidence at the time of confiscation.
  o Isolate
  o Secure
  o Preserve

ANALYSIS

• Based on evidence found
  o Determine significance
  o Reconstruct fragments of data
  o Draw conclusions

DOCUMENTATION

• Record of all visible data

• Recreating the scene

• Reviewing it any time

REPORTING

• Information regarding victim and suspect.

• Complete information about the recovered data.

• Data presented in USB or in DVD

DIGITAL FORENSICS NEED

• Ensure the integrity of digital system.

• Offenses that interfere with the system.

• Track down the suspects or terrorists.

• Evidence that can lead criminal to punishment from the court of Law.

CHALLENGES IN DIGITAL FORENSICS
• The increase of computers, mobile phones and internet access has made the exchange of information quick and inexpensive.
  o Easy availability for hackers
  o Lack of physical evidence
  o Digital crimes harder to prosecute.
• The large amount of storage space.
  o Rapid technological change requires constant changes to solutions.

SKILLS REQUIRED FOR DIGITAL FORENSICS
• Programming or computer-related experience

• Understanding of different operating systems

• Analytical skills

• System administrative skills

• Latest intruder tools knowledge

• Knowledge regarding cryptography and steganography

• Knowledge about rules and evidence handling

• Expert witness in a court of law

Thank You
Question and Answers
