Unit - 1 - Intro To DF

The document provides an overview of digital forensics, detailing its significance, processes, and various types, including computer, mobile, and cloud forensics. It outlines the stages involved in digital forensics, such as identification, collection, examination, analysis, and presentation of digital evidence, emphasizing the importance of maintaining evidence integrity. Additionally, it discusses challenges faced in digital forensics, such as the rapid evolution of technology and the complexity of data management.

Uploaded by hathimaadil786
CCS343 DIGITAL AND MOBILE FORENSICS

UNIT I
INTRODUCTION TO DIGITAL FORENSICS

Forensic Science – Digital Forensics – Digital Evidence – The Digital Forensics
Process – Introduction – The Identification Phase – The Collection Phase – The
Examination Phase – The Analysis Phase – The Presentation Phase

Forensic Science
Forensics is the process of collecting and analysing evidence in order to solve criminal or
civil cases.
Forensic science is the use of scientific methods or expertise to investigate crimes or examine
evidence that might be presented in a court of law. In simple terms, forensic science deals with
collecting, examining and analysing evidence.
It encompasses various branches of science, including biology, chemistry, physics, and even
computer science, to examine physical evidence found at crime scenes.

Digital Forensics
The world is becoming increasingly interconnected. We find connected devices in virtually
every home, and computer networks are the nervous systems of corporate and government
organizations everywhere.
Since the use of digital devices has increased, and crime involving digital devices is
growing rapidly, digital forensics is important.
Digital forensics is defined as the process of identification, extraction, preservation and
documentation of computer evidence which can be used in a court of law. It is the science of
finding evidence on digital media such as a computer, mobile phone, server, or network. It
provides the forensic team with the best techniques and tools to solve complicated
digital-related cases.

Here are some of the main types of digital forensics:

1. Computer Forensics
2. Mobile Device Forensics
3. Cloud Forensics
4. Network Forensics
5. Memory Forensics
6. Digital Media Forensics
7. Forensics Data Analysis
8. Database Forensics
9. Malware Analysis
10. IoT (Internet of Things) Forensics

Computer Forensics - This is the most well-known type of digital forensics. It involves the
investigation of computers, laptops, servers, and other computing devices to recover evidence
related to crimes or incidents. This could include analyzing file systems, deleted files, metadata,
and logs to determine what actions were taken on the system.

Mobile Device Forensics - Mobile forensics deals with extracting and analyzing data from
mobile phones, tablets, and other portable devices. Investigators may recover text messages,
call logs, emails, GPS data, and app usage information.

Cloud Forensics - As more data moves to cloud-based environments, cloud forensics has
emerged. Investigators analyze cloud storage and services to determine if they’ve been used
for illegal activities or to locate potential evidence.

Network Forensics - This type involves monitoring and analyzing network traffic to identify
and investigate security breaches, unauthorized access, or suspicious activities. Network
forensics can help reconstruct the timeline of events during a cyber attack.

Memory Forensics - Memory forensics involves analyzing a computer’s volatile memory
(RAM) to gather information such as running processes, open network connections, and
encryption keys. This can be crucial in understanding an attacker’s actions.

Digital Media Forensics - Digital media forensics focuses on the analysis of multimedia files,
such as images, audio recordings, and videos.

Forensics Data Analysis - This type involves using data analysis techniques to uncover
patterns, trends, and anomalies within large volumes of digital data. It can help investigators
identify relationships between entities and understand the context of an incident.

Database Forensics - Database forensics involves the analysis of databases to uncover
unauthorized access, data tampering, or other illicit activities. It’s commonly used in cases
involving data breaches and corporate espionage.

Malware Analysis - In this field, analysts dissect and study malicious software (malware) to
understand its behavior, purpose, and potential impact. Malware analysis helps in identifying
the tactics used by cybercriminals and in developing countermeasures.

IoT (Internet of Things) Forensics - With the growth of IoT devices, this field focuses on
investigating smart devices, wearables, and other IoT technologies for digital evidence in cases
related to privacy breaches or cybercrimes.

Challenges in Digital Forensics

1. Easy availability of hacking tools
2. Lack of physical evidence makes the case and prosecution difficult and time consuming
3. Requires a high level of technical expertise, since digital devices are complex to use
4. There are many encryption methods to protect data, so it is difficult to decrypt the
data and solve the case
5. Chances of data corruption
6. Rapid change in technology is the major difficulty in digital forensics

Digital Evidence
In the digital age, crime scenes have evolved beyond physical boundaries and have extended
into the digital realm. As technology continues to play a significant role in our daily lives, it
also becomes an integral part of criminal activities. Thus, collecting digital forensic evidence
accurately and efficiently is crucial for a successful investigation.
Digital evidence refers to any information or data that is stored or transmitted in digital form
and can be used as evidence in legal proceedings. This can include emails, text messages,
documents, photos, videos and audio.
Digital evidence is often crucial in investigations involving cybercrimes, intellectual property
theft, fraud, and other offences.

Why We Collect Evidence in Digital Forensics?

Digital evidence is collected in digital forensics for several important reasons:

Establishing Facts - It helps establish the facts and circumstances surrounding a digital incident
or crime.

Supporting Legal Actions - Digital evidence can be crucial in legal proceedings, such as
criminal trials, civil litigation, or regulatory investigations.

Providing Accountability - It holds individuals accountable for their actions, as digital evidence
can be used to trace digital activities back to specific users or devices.

Uncovering the Truth - It assists in uncovering the truth behind complex cases, providing a
clear picture of events, motives, and connections.

Preventing Tampering - The careful collection of digital evidence ensures that it is preserved
and documented in a way that prevents tampering or alterations, maintaining its integrity and
admissibility in court.

What is the Process of Collecting Digital Evidence?

Collecting digital evidence is a systematic and careful process that involves the following steps:

 Identification: The first step is to identify and locate potential sources of digital
evidence. This includes computers, mobile devices, network devices, and other
digital storage media.

 Preservation: Once identified, the evidence must be preserved to prevent any
tampering or alteration. This involves creating forensic images of storage devices,
making exact copies of the data without modifying the original.

 Collection: Physical collection of devices and storage media is conducted, along
with any relevant accessories, such as cables and peripherals. This may also
include documenting the physical setup of network devices.

 Examination: In this step, digital forensic experts analyze the collected evidence.
They use specialized software and tools to examine data for relevant information,
such as files, communication logs, or network activity.

 Presentation: Finally, the findings are documented and presented in a format
suitable for legal proceedings. Digital evidence should be organized, properly
documented, and presented in a clear and understandable manner.

How Digital Evidence Can Be Used in a Criminal Investigation?

Digital evidence plays a critical role in modern criminal investigations:

 Establishing Timelines: Digital evidence can help establish timelines of events,
providing insights into when and how certain actions or activities took place.

 Corroborating Testimony: Digital evidence can corroborate or dispute witness
testimonies, making the case stronger or revealing inconsistencies.

 Tracing Communications: Email records, text messages, and online chat logs can
provide vital information about interactions between suspects and victims.

 Identifying Perpetrators: Digital forensics can help identify and trace the activities
of individuals involved in criminal acts, linking them to specific actions or
locations.

 Reconstructing Events: In some cases, digital evidence can be used to reconstruct
events, showing a clear sequence of actions or revealing the modus operandi of a
suspect.

There are two types of data that can be collected in a computer forensics investigation:

 Persistent data: This is data stored on non-volatile storage such as a local hard
drive or external storage devices like SSDs, HDDs, pen drives, CDs, etc. The data on
these devices is preserved even when the computer is turned off.

 Volatile data: This is data held in volatile storage such as memory, registers, cache
and RAM, or data in transit, that will be lost once the computer is turned off or loses
power. Since volatile data is evanescent, it is crucial that an investigator knows how
to reliably capture it.

The Digital Forensics Process

The stages (phases) of the digital forensics process

1: Identification

The very first step in a digital forensics investigation is to identify the devices and resources
containing the data that will be a part of the investigation. The data involved in an investigation
could be on organizational devices such as computers or laptops, or on users’ personal devices
like mobile phones and tablets.

These devices are then seized and isolated, to eliminate any possibility of tampering. If the data
is on a server or network, or housed on the cloud, the investigator or organization needs to
ensure that no one other than the investigating team has access to it.

2: Extraction and Preservation

After the devices involved in an investigation have been seized and stored in a secure location,
the digital forensics investigator or forensics analyst uses forensic techniques to extract any
data that may be relevant to the investigation, and stores it securely.

This phase can involve the creation of a digital copy of the relevant data, which is known as a
“forensic image.” This copy is then used for analysis and evaluation, while the original data
and devices are put in a secure location, such as a safe. This prevents any tampering with the
original data even if the investigation is compromised.
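As an added illustration of the extraction and preservation phase (example code written for these notes, not part of the original document or of any forensic tool), the following Python script acquires a raw copy of a device file, proves by SHA-256 that the original was untouched by the copy and that the image matches it exactly, and keeps a hash-chained chain-of-custody log in which each record carries the hash of the previous one, so that a later edit of an earlier record is detectable. The device path, examiner name and file names are constructed placeholders, and the sample "drive" is an ordinary file of known bytes; a real acquisition would read the block device through a hardware write blocker.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large media never sit in memory at once


def sha256_of(path):
    """Hash a file with SHA-256, reading it in chunks, and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def append_custody(log_path, entry):
    """Append one JSON-lines custody record. Each record stores the SHA-256 of the
    previous line, so deleting or editing an earlier record breaks the chain."""
    prev = "0" * 64
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    record = dict(entry, timestamp=datetime.now(timezone.utc).isoformat(), prev=prev)
    with open(log_path, "ab") as f:
        f.write(json.dumps(record, sort_keys=True).encode() + b"\n")


def verify_custody(log_path):
    """Walk the log and check every record's `prev` against the hash of the line before it."""
    with open(log_path, "rb") as f:
        lines = f.read().splitlines()
    prev = "0" * 64
    for line in lines:
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line).hexdigest()
    return True


def acquire_image(source, image_path, log_path, examiner):
    """Copy `source` byte for byte to `image_path`, hash the original before and after
    the copy as well as the image itself, and record the acquisition. Returns the digest."""
    before = sha256_of(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    after = sha256_of(source)        # the original must be unchanged by the copy
    image = sha256_of(image_path)    # the image must match the original exactly
    if not (before == after == image):
        raise RuntimeError("hash mismatch: image is not a faithful copy of the source")
    append_custody(log_path, {"action": "acquire", "examiner": examiner,
                              "source": os.path.basename(source),
                              "image": os.path.basename(image_path), "sha256": image})
    return image


def demo():
    """Constructed walk-through on a tiny fake 'drive' (no real evidence involved).
    Returns (image digest, log verifies, tampering with the log is detected)."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "suspect_drive.bin")   # hypothetical seized device
    with open(source, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed sample content" + b"\xff" * 4096)
    image = os.path.join(work, "suspect_drive.dd")      # raw (dd-style) forensic image
    log = os.path.join(work, "custody.jsonl")
    digest = acquire_image(source, image, log, examiner="examiner-1 (hypothetical)")
    append_custody(log, {"action": "transfer", "examiner": "examiner-1 (hypothetical)",
                         "note": "image stored in evidence safe"})
    intact = verify_custody(log)
    # Simulate someone rewriting the first record after the fact.
    with open(log, "rb") as f:
        lines = f.read().splitlines()
    lines[0] = lines[0].replace(b"examiner-1", b"examiner-9")
    with open(log, "wb") as f:
        f.write(b"\n".join(lines) + b"\n")
    return digest, intact, not verify_custody(log)
```

The before/after hash of the source is what lets the examiner state in the report that the copy process did not alter the original; the hash-chained log is a software substitute for the signed paper custody form and only proves internal consistency, so the log itself still has to be stored where the examiner cannot silently regenerate it.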

3: Analysis

Once the devices involved have been identified and isolated, and the data has been duplicated
and stored securely, digital forensic investigators use a variety of techniques to extract relevant
data and examine it. This often involves recovering and examining deleted, damaged or
encrypted files, using techniques such as:

 Reverse steganography
 File or data carving
 Keyword searches

4: Documentation

At this stage, all the relevant evidence found is documented. This helps to extend the crime
scene and prompts further investigation. Any digital evidence is recorded together with the
photos, sketches, and crime scene mapping.
5: Presentation

Once the investigation is complete, the findings are presented to a court. Digital forensics
investigators can act as expert witnesses, summarizing and presenting the evidence they
discovered, and disclosing their findings.

The Identification Phase

Incidents can be identified based on complaints, alerts, or other indications.

For example, it can be used to identify which evidence or objects to look for during the
investigation. The identification of an incident or a crime leads to the formation of a hypothesis
about what might have happened.

An investigation can focus on identifying supporting information to prove a case, identifying
information that refutes a case, or verifying the validity of any given information.

In the case of computer and file system analysis, the identification step includes making a
determination about which files on a volume are available, active, or deleted.

Proper planning helps prevent poor performance or substandard results in an investigation, and
it is a precondition for an efficient and effective investigation. This is applicable for
investigations of all types of incidents, including digital crimes.

Law enforcement agencies, digital forensic units, and corporate investigators all need to be
well prepared before a crime or incident even occurs. A trained team of investigators is crucial
for determining what occurred, based on the digital objects at hand. The ability to have access
to such a team depends, of course, on the resources available.

The first responder in a criminal case is typically a police officer, arriving at a physical scene
of an event, such as at a crime scene. The first responders are the ones responsible for handling
potential evidence, including digital devices.
The processing of potential evidence normally starts during the identification phase, and it is
crucial to preserve the chain of custody and evidence integrity from the very start. This includes
activities to isolate, secure, and document the physical and digital devices at hand. Evidence
preservation may require the assessment of technologies for subsequent copying of the original
media, establishing time synchronization, and any other tasks that facilitate additional forensic
activities.

The documentation activities begin from the moment the investigator starts handling the digital
devices that will be “touched” during the investigation phases. The documentation enables
reproducibility of results and traceability from the physical object’s origin to the final evidence
presentation. This calls for thorough documentation throughout the digital forensic process.

Physical equipment that holds potential digital evidence is identified either as live (turned on)
or dead (turned off, with no power):

By live systems, we mean systems that are running and are at the time of identification
potentially holding evidence that may be lost or hard to acquire if the system is shut down.

By dead systems, we mean systems not running. Any data in temporary storage areas such as
cache, main memory, running processes, or active application dialogues on a computer will
normally be lost when the system is powered down.

The Collection Phase

In a digital forensics investigation, the collection phase refers to the acquisition or copying of
the data. This is when a forensic investigator gains access to the electronic device(s) containing
raw data that has been identified as relevant for the specific case. The collection phase of the
digital forensics process is common to most literature and scientific research in digital
forensics.

Collection means copying data from digital devices to make a digital copy using forensically
sound methods and techniques.

Physical collection is not always feasible as it often requires traveling to a location to identify
and collect devices of interest, such as the hard drives of a set of computers. Remote forensic
acquisition can increase the speed of the investigation and reduce expenses.
Furthermore, the more time it takes to arrive on-site and begin the collection, the more data
may be lost. In case of data stored in cloud services, it may not be practically feasible or even
possible for an investigator to enter a data center. There are several important considerations
that are worth noting, including:
 To enable remote acquisition, software has to be installed on the devices or systems
that are to be acquired.
 Data must be transmitted over a network, which can put its confidentiality, integrity,
and availability at risk.
 Trust is reduced, as we are not in possession of the physical device, and a complete
collection of data may be infeasible.
 The acquisition depends on the hardware of the target device, since the tools run on
that device.

Many forensic software vendors include remote forensics capabilities in their tools, for example
Guidance Software (EnCase), AccessData (FTK), and FireEye. An investigator can also collect
data over Secure Shell (SSH) or PowerShell. These tools, together with an incident response
capability in a company’s IT security department, provide quicker response times to initiate
forensic analysis of devices in remote locations.

The Examination Phase

All data collected must be examined and prepared for later analysis as part of the examination
phase. As with all phases in the digital forensics process, it is important to document our actions
and handling of the data to support the chain of custody. The examination often requires
restructuring, parsing, and preprocessing of raw data to make it understandable for a forensic
investigator in the upcoming analysis. To facilitate this phase, an analyst typically uses forensic
tools and techniques appropriate for extracting relevant information. As stated in
ISO/IEC 27041:2015 (ISO/IEC, 2015a), we are attempting to “retrieve relevant potential digital
evidence from one or more sources.”

A copy of the data source can be considered a “black box” of unstructured, binary data. The
objective of the initial, basic examination of the data is to make it more structured and readable.
Digital forensics tools automate much of these preliminary examination and preprocessing
tasks. This reduces the manual task load for the investigator, and reduces the likelihood of
mistakes, such as overlooking essential evidence or damaging it.

Many digital forensics tool kits and software suites come with their own file formats or
databases to store information that has been collected in a structured manner.

Most computer systems, digital devices, and file systems are typically designed to treat
information in the most efficient way to enhance performance and the user experience. As a
result, they are not designed to securely wipe or destroy data upon request. In most modern file
systems, only the pointer to the file is marked “available” or “unallocated.” This results in the
space being available, and a new file can overwrite the previous file. Data can thus be
recovered from the storage area even after deletion of a file, as long as the data area was not
overwritten.
For example, if an image were deleted years prior to an investigation, parts of the image might
still be extracted. The image data can be rebuilt in a viewer, and it will represent the original
material and its content, even though other details or portions of the data are missing.
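The recovery of deleted content described above, and the file or data carving technique listed under the analysis stage, can be demonstrated with a small signature-based carver. The following Python code is an added example for these notes, not from the original document or from any forensic product. It scans raw bytes for the JPEG and PNG header and footer magic numbers without consulting any file-system metadata, so it finds objects in unallocated space whose directory entry is gone; when a header has no footer within the size cap it keeps the surviving fragment as a partial hit (the "parts of the image might still be extracted" case), and it hashes each carved object for the evidence record. The sample "unallocated space" is constructed inline, and the payloads are correctly framed byte sequences rather than real pictures.

```python
import hashlib

# Header/footer signatures for two common image formats (standard magic bytes).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # upper bound on one carved object, to stop runaway scans


def carve(image, max_size=MAX_CARVE):
    """Signature-based carving over raw bytes (file-system agnostic).
    Returns one dict per hit: offset, type, size, carved bytes, whether the
    object is only partial, and its SHA-256 for the evidence record."""
    hits = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(foot, pos + len(head), pos + max_size)
            if end != -1:
                stop, partial = end + len(foot), False
            else:
                # No footer: the tail was probably overwritten by a later file.
                # Keep what survives up to the next header of this type or the cap.
                nxt = image.find(head, pos + len(head))
                stop = min(nxt if nxt != -1 else len(image), pos + max_size)
                partial = True
            data = image[pos:stop]
            if partial:
                data = data.rstrip(b"\x00")  # drop trailing unallocated zero fill
            hits.append({"offset": pos, "type": kind, "size": len(data), "data": data,
                         "partial": partial, "sha256": hashlib.sha256(data).hexdigest()})
            pos = image.find(head, stop)
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image():
    """Constructed 'unallocated space': zero fill containing a complete JPEG-framed
    object, a complete PNG-framed object, and a JPEG whose tail was overwritten."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-payload-constructed" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk-constructed" + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"Exif-head-only"
    return (b"\x00" * 512 + jpg + b"\x00" * 1024 + png
            + b"\x00" * 300 + truncated + b"\x00" * 200)


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit["offset"], hit["type"], hit["size"], "partial" if hit["partial"] else "complete")
```

Real files are frequently fragmented across non-adjacent clusters, so a plain header-to-footer carve can splice unrelated data into one object; production carvers validate the internal structure (JPEG segment lengths, PNG chunk CRCs) before accepting a hit, and the partial-hit heuristic here is only a first pass that an examiner must confirm in a viewer.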

Large amounts of data present a challenge for effective digital forensics investigations. A single
digital device may hold terabytes of data from billions of files. All methods for safely reducing
the data volume should be considered. Filtering is an example of a method that can be used
during examination.

Many files in a computer belong to the operating system, software, and other applications.
These files usually do not contain any useful evidence, and they can safely be ignored in the
examination/analysis.

During the examination phase, compressed files should be uncompressed, and encrypted files
should be decrypted if possible.

Automation is an objective in itself during the examination phase, for reasons of both forensic
soundness and efficiency. Most of the tasks in the examination phase can be automated using
scripts or programs. File parsing, string searches, and extraction of compressed files will
significantly reduce the manual task load on an investigator, in particular when working with
large data sets. The most common digital forensic tools, such as EnCase, offer special-purpose
scripting languages to help automate tasks.
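The three data-reduction measures described in this phase, ignoring known operating-system and application files, searching the remainder for keywords, and unpacking compressed files so their contents are not missed, fit naturally into one script. The Python below is an added example for these notes, not the original document's code and not any vendor's tool. It skips files whose SHA-1 appears in a known-good hash set (a reference library such as the NIST NSRL is keyed by SHA-1 and MD5; here the set is constructed from one sample file), runs a case-insensitive keyword search over everything else, and looks inside ZIP archives. The directory tree, file contents and keyword are all constructed.

```python
import hashlib
import io
import os
import re
import tempfile
import zipfile


def sha1_of(path):
    """Hash a file in chunks; known-file reference sets are keyed by SHA-1 (and MD5)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def search_bytes(label, data, pattern, hits):
    """Record every keyword match in `data` as (label, byte offset, matched text)."""
    for m in pattern.finditer(data):
        hits.append((label, m.start(), m.group().decode(errors="replace")))


def reduce_and_search(root, known_hashes, keywords):
    """Walk `root`; skip files whose SHA-1 is in the known-good set; run a
    case-insensitive keyword search over the rest, descending into ZIP archives
    so compressed content is not missed. Returns (skipped paths, sorted hits)."""
    pattern = re.compile(b"|".join(re.escape(k.encode()) for k in keywords), re.IGNORECASE)
    skipped, hits = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if sha1_of(path) in known_hashes:
                skipped.append(rel)          # operating-system or application file
                continue
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        search_bytes(f"{rel}:{member}", zf.read(member), pattern, hits)
                continue
            with open(path, "rb") as f:   # whole-file read; chunk this for very large files
                search_bytes(rel, f.read(), pattern, hits)
    return skipped, sorted(hits)


def demo():
    """Constructed mini evidence tree: one 'known' system file, one document and
    one ZIP archive with a chat log inside (all contents are made up)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Windows", "System32"))
    os.makedirs(os.path.join(root, "Users", "alice", "Documents"))
    system_bytes = b"MZ constructed stand-in for an OS binary"
    with open(os.path.join(root, "Windows", "System32", "kernel32.dll"), "wb") as f:
        f.write(system_bytes)
    with open(os.path.join(root, "Users", "alice", "Documents", "notes.txt"), "wb") as f:
        f.write(b"Meeting about Project ORION at 3pm\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chat.log", "orion transfer done, delete this\n")
    with open(os.path.join(root, "Users", "alice", "archive.zip"), "wb") as f:
        f.write(buf.getvalue())
    # In practice the known-good set comes from a reference library; here it is
    # constructed from the sample system file so the example runs offline.
    known = {hashlib.sha1(system_bytes).hexdigest()}
    return reduce_and_search(root, known, ["orion"])
```

Hash-based exclusion is only as safe as the reference set: a file that merely shares a name with a system binary is not skipped, because the match is on content, while a legitimately named but modified binary is kept for examination for the same reason.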

The Analysis Phase

In the analysis phase, forensic investigators determine the digital objects to be used as digital
evidence to support or refute a hypothesis of a crime, incident, or event.

Analysis Phase is defined as the processing of information that addresses the objective of the
investigation with the purpose of determining the facts about an event, the significance of the
evidence, and the person responsible.

Following the examination phase, the data is prepared for analysis. Statistical methods, manual
analysis, techniques for understanding protocols and data formats, linking of multiple data
objects (e.g., through the use of data mining), and time lining are some of the techniques that
are used for analysis.
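Timelining, one of the analysis techniques listed above, depends on first bringing timestamps from different sources into one clock. The Python below is an added example for these notes, not the original document's code; it converts Windows FILETIME values (the 100-nanosecond count since 1601 used by NTFS $MFT records), ISO-8601 proxy log timestamps and a local-time event log export into UTC, merges them into one ordered timeline, and pivots on a chosen artefact to show what happened in the minutes around it. All records, paths and hostnames are constructed sample data, not real case material.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100-ns intervals since 1601-01-01 UTC) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_iso_utc(s):
    """Parse ISO-8601 text ending in 'Z', as many proxies and tools log it."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_local(s):
    """Parse 'YYYY-MM-DD HH:MM:SS +HHMM' (a local-time export) and normalise to UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)


# Constructed sample artefacts from three sources (not real case data).
MFT_RECORDS = [  # (path, event, FILETIME from $STANDARD_INFORMATION)
    ("C:/Users/alice/Downloads/invoice.exe", "file created", 133540171250000000),
    ("C:/Users/alice/AppData/Local/Temp/payload.dll", "file modified", 133540171600000000),
]
PROXY_LOG = [  # ISO-8601 UTC, method, URL, status
    "2024-03-04T09:11:58Z GET http://downloads.example.invalid/invoice.exe 200",
    "2024-03-04T09:13:02Z POST http://c2.example.invalid/beacon 200",
]
EVENT_LOG = [  # Windows event export in local time (UTC+1), event id, message
    ("2024-03-04 08:30:00 +0100", 4624, "Logon: alice"),
    ("2024-03-04 10:12:30 +0100", 4688, "Process created: invoice.exe"),
]


def build_timeline():
    """Merge the three sources into one UTC-ordered list of (time, source, description)."""
    events = []
    for path, what, ft in MFT_RECORDS:
        events.append((filetime_to_datetime(ft), "mft", f"{what}: {path}"))
    for line in PROXY_LOG:
        ts, method, url, status = line.split()
        events.append((parse_iso_utc(ts), "proxy", f"{method} {url} -> {status}"))
    for ts, event_id, msg in EVENT_LOG:
        events.append((parse_local(ts), "evtx", f"EID {event_id} {msg}"))
    return sorted(events, key=lambda e: e[0])


def window(timeline, pivot, minutes):
    """Entries within +/- `minutes` of `pivot`: the usual way to pivot on one artefact."""
    delta = timedelta(minutes=minutes)
    return [e for e in timeline if abs(e[0] - pivot) <= delta]


if __name__ == "__main__":
    timeline = build_timeline()
    created = next(e for e in timeline if e[2].startswith("file created"))
    for when, source, text in window(timeline, created[0], 2):
        print(when.isoformat(), source, text)
```

The local-time export is the usual trap: without the offset conversion the 4688 process-creation event would appear an hour after the download instead of 32 seconds after it, and the sequence download, file creation, execution, dropped DLL, beacon would no longer read as one chain.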

Any case will have its own evidence, depending on the type of crime. For example, the
evidence of a physical crime, where clues regarding the motivation of the crime can be found
in a digital device owned by the suspect or the victim, will be much different from the evidence
of a cyber crime conducted from a computer.
Imagine investigating a case where a computer has been seized for you to analyze. Examples
of potential evidence can be the information found in an email file, such as a message that was
sent from a specific email address. The address can then be linked to one person and sent to
another person’s email. Another example can be a malicious application that was found
installed on a system unbeknownst to the person owning that system. The Trojan horse defense
is a well-known concept intended to complicate digital forensics investigations. To prove or
disprove the validity of a Trojan horse defense requires thorough analysis.

The Presentation Phase

Following the analysis phase, theories have been developed and hypotheses tested. The
presentation phase involves the final documentation and presentation of the results of the
investigation to a court of law or other applicable audiences, such as a corporation’s top
management or crisis management team. The presentation is based on objective findings with
a sufficient level of certainty, based on the analysis of digital evidence.

It is important that the findings are summarized and that all actions performed during the
investigation are accounted for and described in a fashion understandable by the audience.

You might think all the work has been completed. The evidence is “in your hands” and is ready
to put the suspect behind bars. But there is one thing left to do: prepare the final report. As we
can see from the digital forensics process, chain of custody and evidence integrity rely on
thorough documentation of all actions taken from the time you arrive “at the scene” until the
results are presented to the relevant authority. To wrap it up, the final report should include all
relevant case management information. The report describes the context and background of
what has been done, who has conducted the investigation, and what was investigated.
Typical information required in a final report is:

 roles and tasks assigned for the investigation;
 executive summary of all information sources and evidence;
 the forensic acquisition and analysis, which reflect chain of custody and evidence
integrity;
 visualizations and diagrams;
 images and screenshots;
 information that supports repeatability or reproducibility of the analysis;
 tools used; and
 findings.
Many digital forensics tools have reporting functionality that documents and summarizes all
the interactions that have been carried out. This alone is not enough, especially since you may
have used a variety of tools, manual tasks, and analyses during the process. This means that
the investigator must be able to prepare this information so that it is understandable to a third
party. Ultimately, this is the purpose of the investigation: to present the findings in a clear and
understandable manner. It is also important for the report to sufficiently document
reproducibility. Given your report of the methods used and the same evidence, a skilled third
party should, in principle, be able to reproduce the findings.

Figure: an example report generated by the digital forensic analysis tool Autopsy.

The preparation of the final report can be time-consuming, especially for large and long-lasting
investigations.

The documented chain of custody is the glue that holds the forensics process together and
supports the final evidence integrity so that it can be presented as trustworthy evidence in court.
If you have not documented all activities, a court could claim that a critical task did not occur.
No matter how carefully the work has been completed, an inability to document the chain of
custody for all phases could compromise the trust in the authenticity and integrity of the
evidence in court.

The documentation made throughout the digital forensics investigation, together with
recommendations and expert testimony, will form the final presentation. The evidence and
methods used to find it are presented to a court of law or to a corporate audience.
