CHAPTER 1

Understanding Digital
Forensics
Cybersecurity And World
• As the world goes digital, the use of computerized systems to provide services
and store information becomes prevalent in both the public and private sectors.
• A recent estimate shows that in2021, cybercrime damages have cost the world
$6 trillion.
• The increase in cybercrimes, terrorist threats, and security concerns have lead
to develop different digital forensics tools and methodologies to counter such
threats.
• Digital forensics can be used in different contexts :
• Government
• Private sector
• Financial institutions
• Legal
• As a part of disaster recovery planning.
What Is Digital Forensics
• Digital forensics is a branch of forensic science that uses scientific
knowledge for:
• Collecting
• Analyzing
• Documenting
• Presenting digital evidence in a court of law.
• The ultimate goal is knowing what was done, when it was done, and who
did it.
• The term “digital forensics” is widely used as a synonym for computer
forensics (also known as cyber forensics)
What Is Digital Forensics
• This can be expanded to cover investigating all devices that are
capable of storing digital data:
• Networking devices
• Mobile phones
• Tablets
• Digital cameras
• Internet of Things (IoT) devices
• Digital home appliances
• Digital storage media like CD/DVD
• USB drives
• SD cards
• External drives
• Backup tapes.
What Is Digital Forensics
• Digital forensics is also responsible for investigating nearly all
cyberattacks against computerized systems like:
• Ransomware,
• Phishing,
• SQL injunction attacks,
• Distributed denial-of-service (DDoS) attacks,
• Data breach,
• Cyberespionage,
• Compromised accounts,
• Unauthorized access to network infrastructure,
• Other related cyberattacks.
Digital Forensics Goals

• From a technical standpoint, there are 7 main goal of digital

forensics:
1. Finding legal evidence in computing devices and preserving its integrity
in a way that is deemed admissible in a court of law.
2. Preserving and recovering evidence following court-accepted technical
procedures.
3. Attributing an action to its initiator.
4. Identifying data leaks within an organization.
5. Accessing possible damage occurring during a data breach.
6. Presenting the results in a formal report suitable to be presented in
court.
7. Providing a guide for expert testimony in court.
Cybercrime Attack Mode

• Cybercrime includes any illegal activity committed using a type of

computing device or computer networks such as the Internet.
• Cybercrime can be originated from two main sources: insider attacks
and external attacks
• Insider attacks:
• This is the most dangerous cyber risk facing organizations today.
• Can last for a long time without them knowing about it
• Happen when there is a breach of trust from employees or former
employees, third-party contractors, or business associates.
• External attacks:
• Originates from outside the target organization, usually coming from skilled
hackers.
How Are Computers Used in Cybercrimes

1. A computing device is used as a weapon to commit a crime.

• Example: Launching denial-of-service (DoS) attacks or sending
ransomware.

2. A computing device is the target of a crime.

• Example: Gaining unauthorized access to a target computer.

3. A computing device is used as a facilitator of a crime.

• Example: Using a computer to store incriminating data or to make online
communications with other criminals.
Example of Cybercrime

• Malware Distribution
• Ransomware Distribution
• CryptoJacking
• Hacking
• SQL Injections
• Pharming
• Phishing
• E-mail Bombing and Spamming
• Identity Theft
• Cyberstalking
• Using Internet Network Illegally
• DDoS Attacks
• Social Engineering
• Software Piracy
Digital Forensics Categories

• Computer Forensics
• This is the oldest type of digital forensics
• The main activity of this type is recovering deleted data from the target
device’s storage and analyzing it for incriminating or exonerating evidence.
• Mobile Forensics
• Mobile forensics is a type of digital forensics concerned with acquiring digital
evidence from mobile devices.
• Network Forensics
• This type of digital forensics is concerned with monitoring and analyzing
traffic flow in computer networks to extract incriminating evidence
• Example discovering the source of security attacks or to detect intrusions.
Digital Forensics Categories

• Database Forensics
• Database forensics is concerned with the analysis of data and metadata
within a database such as Microsoft SQL Server, Oracle, MySQL, and others.
• Database forensics looks for who accesses a database and what actions are
performed to help uncover malicious activities conducted therein.
• Other Type of Forensic
• e-mail forensics, cloud storage forensics, forensics for specific application
(e.g., Web browser forensics), file system forensics (NTFS, FAT, EXT), hardware
device forensics, multimedia forensics (text, audio, video, and images), and
memory forensics (RAM [volatile memory])
Digital Forensics Investigation Types

• Digital forensic investigations can be broadly segmented into two

major categories:
• Public investigations
• Private (corporate) sector investigations

Public investigations
• Involve law enforcement agencies and are conducted according to
country or state law
• They involve criminal cases related to computer investigations and
are processed according to legal guidelines settled by respected
authorities.
Public investigations
Private Investigations
• Private investigations are usually conducted by enterprises to
investigate policy violations, litigation dispute, wrongful termination,
or leaking of enterprise secrets (e.g., industrial espionage).
• There are no specific rules (or laws) for conducting such investigations
as it depends on each enterprise’s own rule.
• These procedures are similar to public investigations
• When investigating crime, as some cases can be transferred later to
court and becomes official criminal cases.
Digital Evidence
• The amount of digital data produced by humans and machines have exceed
44 zettabytes in the year 2020.
• Most computer users think that the deletion of a file erases it completely
and forever from their hard drive, but this is quite wrong.

Digital Evidence Types

1. Text files (e.g. MS Office documents, IM chat, bookmarks), spreadsheets,
database, and any text stored in digital format.
2. Audio and video files,
3. Digital images,
4. Webcam recordings (digital photos and videos),
5. Address book and calendar,
Digital Evidence
6. Hidden and encrypted files (including zipped folders) created by the
computer user,
7. Previous backups (including both cloud storage backups and offline
backups like CD/DVDs and tapes),
8. Account details (username, picture, password),
9. E-mail messages and attachments (both online and client e-mails as
Outlook),
10. Web pages, social media accounts, cloud storage, and any online
accounts created by the user.
Machine/Network-Created Data
Machine/network-created data includes any data which is autogenerated by a digital device. It includes
the following and more:
• Computer logs. These include the following logs under Windows OS: Application, Security, Setup,
System, Forward Events, Applications, and Services Logs,

• Router logs, including third-party service provider (e.g., Internet service providers (ISPs) commonly store
users’ account web browsing history logs),

• Configuration files and audit trails,

• Browser data (browser history, cookies, download history),

• Instant messenger history and buddy list (Skype, WhatsApp),

• GPS tracking info history (from devices with GPS capability),

• Device Internet protocol (IP) and MAC addresses in addition to the IP addresses associated with a LAN
network and the broadcast settings,

• Applications history (e.g., recently opened file on MS Office) and Windows history,
Machine/Network-Created Data
• Restore points under Windows machines,
• Temporary files,
• E-mail header information,
• Registry files in Windows OS,
• System files (both hidden and ordinary),
• Printer spooler files,
• Hidden partition and slack space (can also contain hidden user information),
• Bad cluster,
• Paging and hibernation files,
• Memory dump files,
• Virtual machines,
Locations of Electronic Evidence
• Digital evidence is commonly found on hard drives; however, with the continual advance of
computing technology, digital evidence becomes present in almost all digital-aware devices:

• The following list shows most of the different devices that must be investigated for digital
evidence:
1. Desktops
2. Laptops
3. Tablets
4. Servers and RAIDs
5. Network devices like hubs, switches, modems, routers, and wireless access points
6. Internet-enabled devices used in home automation (e.g., AC and smart refrigerator)
7. IoT devices
8. DVRs and surveillance systems
9. MP3 players
Locations of Electronic Evidence
11. Smartphones

12. PDA

13. Game stations (Xbox, PlayStation, etc.)

14. Digital cameras

15. Smart cards

16. Pagers

17. Digital voice recorders

18. External hard drives

Locations of Electronic Evidence
20. Printers

21. Scanners

22. Fax machines (e.g., incoming and outgoing fax numbers)

23. Copiers (e.g., recently copied files)

24. Fixed telephony and cordless phones (e.g., calls made, received, and
answered, voice messages and favorite numbers)

25. Answering machines

26. Backup tapes

Challenge of Acquiring Digital
Evidence
• Criminals use different ways to frustrate digital forensic examiners by destroying and
hiding their incriminating activities.

• Also, seizing digital devices is subject to different laws across states and countries. The
following lists the main obstacles facing examiners when obtaining digital evidence:
• Locked computer with a password, access card, or dongle.
• Digital steganography techniques to conceal incriminating data in images, videos, audio files, file
systems, and in plain sight (e.g., within MS Word document).
• Encryption techniques to obscure data, making it unreadable without the password.
• Full disk encryption (FDE) including system partition (e.g., BitLocker drive encryption).
• Strong passwords to protect system/volume; cracking them is very time consuming and expensive.
• File renaming and changing their extensions (e.g., changing DOCX into DLL, which is a known
Windows system file type).
Chain of Custody
• Chain of custody is an integral part of any digital forensic investigation process.
• Proper chain of custody must declare clearly how digital evidence was
discovered, acquired, transported, investigated (analyzed), preserved, and
handled between different parties involved in the investigation.
• The ultimate goal is to ensure the integrity of digital evidence its acquisition to its
presentation in a court.
• If we fail to understand who was in contact with the evidence during any phase of
investigation, the chain of custody will be jeopardized and the acquired evidence
will become useless in a court of law.
Chain of Custody
Digital Forensics Examination
Process
• There is no standard form or methodology that outlines the steps to conducting digital forensic
investigations across the globe.
• However, all approaches divide the work into the four main phases:
• Seizure
• Acquisition
• Analysis
• Reporting
Seizure
• In this phase, the physical evidence (digital device) will be seized and
transferred safely to the forensic lab.
• This evidence can be any computing device type such as laptop, tablet,
mobile phone, external hard drive, USB flash drive, wearable device (e.g.,
digital watch), or even a desktop PC.
• Remember, you need to have a permission from the proper authority
(e.g., court warrant) to seize the suspect’s machine.
• Modern forensic practices appreciate the great importance of acquiring
volatile memory while the PC is still running.
Acquisition
• This phase deals with the computing secondary storage device (e.g.,
HDD, solid state drive [SSD], thumb drive, tape drive) and with the
volatile memory (RAM) if the computer was still running.
• In this phase, a computer forensic examiner will conduct a duplication of
the suspect hard drive (this is also known as a bit-to-bit image) to create
a complete image of the seized hard drive.
• Examiners usually use hardware duplicators or software imaging tools
like the DD command in Linux to duplicate drives.
Acquisition
• Remember that the suspect hard drive should be write-protected when
conducting the duplication process to avoid tampering with the original
evidence.
Analysis
• In this phase, the contents of the acquired forensic image file are
investigated .
• A set of tools to search for interesting leads within the acquired image.
• Hidden, deleted, and encrypted files in addition to IM chat logs, Internet
browsing history, and deleted e-mails can all be recovered using
specialized tools like EnCase, Sleuth Kit, Volatility, and Forensic Toolkit
(FTK) from AccessData, to name a few.
• Forensic tools can also perform searches within the acquired image file
using keyword search terms or phrases.
• This will effectively speed up the investigation and help investigators to
find relevant information quickly.
Reporting
• In this phase, the examiner produces a structured report about his/her
findings.
• Such a report is usually prepared for nontechnical people (like attorneys,
judges, and juries).
• Writing style, terminology, and the way facts are presented should be
taken into consideration when writing the report.
• Evidence should be presented along with the report, mostly in digital
format.
Reporting
• The general content of forensic report should contain the following:
• Summary of key findings.
• Description of tools (both hardware and software) used during the
investigation.
• Version of the software tools.
• Method used to acquire the digital evidence.
• Description of the digital evidence (image content) and the interesting
artifacts found within it (e.g., Internet browsing history, e-mail history, USB
registry analysis, deleted files found).
• It is preferable to use screen captures where applicable to describe to the
reader steps undertaken to analyze digital evidence.
• Explanation of technical terms used like “unallocated disk space,” “Host
Protected Area,” and the like so nontechnical people can understand the
technical terms mentioned in the report.
• Conclusion of the investigation.
END