Professional Documents
Culture Documents
Chapter 1
Chapter 1
Understanding Digital
Forensics
Cybersecurity And World
• As the world goes digital, the use of computerized systems to provide services
and store information becomes prevalent in both the public and private sectors.
• A recent estimate shows that in2021, cybercrime damages have cost the world
$6 trillion.
• The increase in cybercrimes, terrorist threats, and security concerns have lead
to develop different digital forensics tools and methodologies to counter such
threats.
• Digital forensics can be used in different contexts :
• Government
• Private sector
• Financial institutions
• Legal
• As a part of disaster recovery planning.
What Is Digital Forensics
• Digital forensics is a branch of forensic science that uses scientific
knowledge for:
• Collecting
• Analyzing
• Documenting
• Presenting digital evidence in a court of law.
• The ultimate goal is knowing what was done, when it was done, and who
did it.
• The term “digital forensics” is widely used as a synonym for computer
forensics (also known as cyber forensics)
What Is Digital Forensics
• This can be expanded to cover investigating all devices that are
capable of storing digital data:
• Networking devices
• Mobile phones
• Tablets
• Digital cameras
• Internet of Things (IoT) devices
• Digital home appliances
• Digital storage media like CD/DVD
• USB drives
• SD cards
• External drives
• Backup tapes.
What Is Digital Forensics
• Digital forensics is also responsible for investigating nearly all
cyberattacks against computerized systems like:
• Ransomware,
• Phishing,
• SQL injunction attacks,
• Distributed denial-of-service (DDoS) attacks,
• Data breach,
• Cyberespionage,
• Compromised accounts,
• Unauthorized access to network infrastructure,
• Other related cyberattacks.
Digital Forensics Goals
• Malware Distribution
• Ransomware Distribution
• CryptoJacking
• Hacking
• SQL Injections
• Pharming
• Phishing
• E-mail Bombing and Spamming
• Identity Theft
• Cyberstalking
• Using Internet Network Illegally
• DDoS Attacks
• Social Engineering
• Software Piracy
Digital Forensics Categories
• Computer Forensics
• This is the oldest type of digital forensics
• The main activity of this type is recovering deleted data from the target
device’s storage and analyzing it for incriminating or exonerating evidence.
• Mobile Forensics
• Mobile forensics is a type of digital forensics concerned with acquiring digital
evidence from mobile devices.
• Network Forensics
• This type of digital forensics is concerned with monitoring and analyzing
traffic flow in computer networks to extract incriminating evidence
• Example discovering the source of security attacks or to detect intrusions.
Digital Forensics Categories
• Database Forensics
• Database forensics is concerned with the analysis of data and metadata
within a database such as Microsoft SQL Server, Oracle, MySQL, and others.
• Database forensics looks for who accesses a database and what actions are
performed to help uncover malicious activities conducted therein.
• Other Type of Forensic
• e-mail forensics, cloud storage forensics, forensics for specific application
(e.g., Web browser forensics), file system forensics (NTFS, FAT, EXT), hardware
device forensics, multimedia forensics (text, audio, video, and images), and
memory forensics (RAM [volatile memory])
Digital Forensics Investigation Types
Public investigations
• Involve law enforcement agencies and are conducted according to
country or state law
• They involve criminal cases related to computer investigations and
are processed according to legal guidelines settled by respected
authorities.
Public investigations
Private Investigations
• Private investigations are usually conducted by enterprises to
investigate policy violations, litigation dispute, wrongful termination,
or leaking of enterprise secrets (e.g., industrial espionage).
• There are no specific rules (or laws) for conducting such investigations
as it depends on each enterprise’s own rule.
• These procedures are similar to public investigations
• When investigating crime, as some cases can be transferred later to
court and becomes official criminal cases.
Digital Evidence
• The amount of digital data produced by humans and machines have exceed
44 zettabytes in the year 2020.
• Most computer users think that the deletion of a file erases it completely
and forever from their hard drive, but this is quite wrong.
• Router logs, including third-party service provider (e.g., Internet service providers (ISPs) commonly store
users’ account web browsing history logs),
• Device Internet protocol (IP) and MAC addresses in addition to the IP addresses associated with a LAN
network and the broadcast settings,
• Applications history (e.g., recently opened file on MS Office) and Windows history,
Machine/Network-Created Data
• Restore points under Windows machines,
• Temporary files,
• E-mail header information,
• Registry files in Windows OS,
• System files (both hidden and ordinary),
• Printer spooler files,
• Hidden partition and slack space (can also contain hidden user information),
• Bad cluster,
• Paging and hibernation files,
• Memory dump files,
• Virtual machines,
Locations of Electronic Evidence
• Digital evidence is commonly found on hard drives; however, with the continual advance of
computing technology, digital evidence becomes present in almost all digital-aware devices:
• The following list shows most of the different devices that must be investigated for digital
evidence:
1. Desktops
2. Laptops
3. Tablets
4. Servers and RAIDs
5. Network devices like hubs, switches, modems, routers, and wireless access points
6. Internet-enabled devices used in home automation (e.g., AC and smart refrigerator)
7. IoT devices
8. DVRs and surveillance systems
9. MP3 players
Locations of Electronic Evidence
11. Smartphones
12. PDA
16. Pagers
21. Scanners
24. Fixed telephony and cordless phones (e.g., calls made, received, and
answered, voice messages and favorite numbers)
• Also, seizing digital devices is subject to different laws across states and countries. The
following lists the main obstacles facing examiners when obtaining digital evidence:
• Locked computer with a password, access card, or dongle.
• Digital steganography techniques to conceal incriminating data in images, videos, audio files, file
systems, and in plain sight (e.g., within MS Word document).
• Encryption techniques to obscure data, making it unreadable without the password.
• Full disk encryption (FDE) including system partition (e.g., BitLocker drive encryption).
• Strong passwords to protect system/volume; cracking them is very time consuming and expensive.
• File renaming and changing their extensions (e.g., changing DOCX into DLL, which is a known
Windows system file type).
Chain of Custody
• Chain of custody is an integral part of any digital forensic investigation process.
• Proper chain of custody must declare clearly how digital evidence was
discovered, acquired, transported, investigated (analyzed), preserved, and
handled between different parties involved in the investigation.
• The ultimate goal is to ensure the integrity of digital evidence its acquisition to its
presentation in a court.
• If we fail to understand who was in contact with the evidence during any phase of
investigation, the chain of custody will be jeopardized and the acquired evidence
will become useless in a court of law.
Chain of Custody
Digital Forensics Examination
Process
• There is no standard form or methodology that outlines the steps to conducting digital forensic
investigations across the globe.
• However, all approaches divide the work into the four main phases:
• Seizure
• Acquisition
• Analysis
• Reporting
Seizure
• In this phase, the physical evidence (digital device) will be seized and
transferred safely to the forensic lab.
• This evidence can be any computing device type such as laptop, tablet,
mobile phone, external hard drive, USB flash drive, wearable device (e.g.,
digital watch), or even a desktop PC.
• Remember, you need to have a permission from the proper authority
(e.g., court warrant) to seize the suspect’s machine.
• Modern forensic practices appreciate the great importance of acquiring
volatile memory while the PC is still running.
Acquisition
• This phase deals with the computing secondary storage device (e.g.,
HDD, solid state drive [SSD], thumb drive, tape drive) and with the
volatile memory (RAM) if the computer was still running.
• In this phase, a computer forensic examiner will conduct a duplication of
the suspect hard drive (this is also known as a bit-to-bit image) to create
a complete image of the seized hard drive.
• Examiners usually use hardware duplicators or software imaging tools
like the DD command in Linux to duplicate drives.
Acquisition
• Remember that the suspect hard drive should be write-protected when
conducting the duplication process to avoid tampering with the original
evidence.
Analysis
• In this phase, the contents of the acquired forensic image file are
investigated .
• A set of tools to search for interesting leads within the acquired image.
• Hidden, deleted, and encrypted files in addition to IM chat logs, Internet
browsing history, and deleted e-mails can all be recovered using
specialized tools like EnCase, Sleuth Kit, Volatility, and Forensic Toolkit
(FTK) from AccessData, to name a few.
• Forensic tools can also perform searches within the acquired image file
using keyword search terms or phrases.
• This will effectively speed up the investigation and help investigators to
find relevant information quickly.
Reporting
• In this phase, the examiner produces a structured report about his/her
findings.
• Such a report is usually prepared for nontechnical people (like attorneys,
judges, and juries).
• Writing style, terminology, and the way facts are presented should be
taken into consideration when writing the report.
• Evidence should be presented along with the report, mostly in digital
format.
Reporting
• The general content of forensic report should contain the following:
• Summary of key findings.
• Description of tools (both hardware and software) used during the
investigation.
• Version of the software tools.
• Method used to acquire the digital evidence.
• Description of the digital evidence (image content) and the interesting
artifacts found within it (e.g., Internet browsing history, e-mail history, USB
registry analysis, deleted files found).
• It is preferable to use screen captures where applicable to describe to the
reader steps undertaken to analyze digital evidence.
• Explanation of technical terms used like “unallocated disk space,” “Host
Protected Area,” and the like so nontechnical people can understand the
technical terms mentioned in the report.
• Conclusion of the investigation.
END