Unit 5
Understanding Computer Forensics
By
- Dimple R
Assistant Professor
PESCE
Mandya
• Understanding Computer Forensics:
Introduction, Historical Background of Cyber
forensics, Digital Forensics Science, Need for
Computer Forensics, Cyber Forensics and
Digital Evidence, Digital Forensic Life cycle,
Chain of Custody Concepts.
• Textbook 1: Chapter 7 (7.1 to 7.5, 7.7)
Introduction
• Computer forensics (also known as computer
forensic science) is a branch of digital forensic
science pertaining to evidence found in computers
and digital storage media.
• The goal of computer forensics is to examine
digital media in a forensically sound manner with
the aim of identifying, preserving, recovering,
analyzing and presenting facts and opinions about
the digital information.
Historical Background of Cyberforensics
• The earliest computer crimes occurred in 1969 and
1970 when student protesters burned computers at
various universities.
• The Florida Computer Crimes Act (1978) was the first
computer law to address computer fraud and
intrusion.
• The focus of computer forensics is to recover digital
evidence that establishes whether or not a fraud or a
crime has been committed.
• “Forensic” describes evidence that is suitable for
admission as fact in court and able to persuade on
the basis of proof (or a high statistical confidence
level).
• Computer forensics deals with proving that
unauthorized access has taken place, whereas
computer security deals with preventing it.
Typical types of data requested for a digital
forensics examination by law enforcement
agencies include:
• Email
• Website history
• Cell phone usage
• VoIP (voice over Internet Protocol) usage
• File access history
• File creation or deletion
• Chat history
• Account login/logout records
Digital Forensics Science
• Digital forensics is the application of analysis
techniques to the reliable and unbiased
collection, analysis, interpretation and
presentation of digital evidence.
• Computer forensics is the use of analytical and
investigative techniques to identify, collect,
examine and preserve evidence/information that is
stored or encoded on digital media (magnetic,
solid-state or optical).
In general, role of digital forensics is to:
• Uncover and document evidence and leads
• Confirm the evidence discovered in other ways
• Assist in showing a pattern of events
• Link attacking and victim computers
• Reveal an end-to-end path of events leading to a
compromise attempt, successful or not
• Extract data that may be hidden, deleted or
otherwise not directly available
Typical scenarios involved are:
• Employee Internet abuse
• Data leak/data breach
• Industrial espionage
• Damage assessment
• Criminal fraud and deception cases
• Criminal cases
• Copyright violation
The following figure shows the types of
data you see using forensic tools:
Using digital forensics techniques, one
can:
• Confirm and clarify evidence otherwise
discovered
• Generate investigative leads for follow-up and
verification in other ways
• Provide help to verify an intrusion hypothesis
• Eliminate incorrect assumptions
The Need for Computer Forensics
• Advances in Internet and communication
technologies and in computers provide many
avenues for misuse as well as opportunities for
committing crime.
• The widespread use of computer forensics is the
result of two factors:
• The increasing dependence of law enforcement on digital
evidence
• Ubiquity/availability of computers that followed from the
microcomputer revolution
There are many challenges for the forensics
investigator because storage devices are
available in various shapes and sizes as shown in
the following figure:
• Looking for Digital Forensics Evidence (DFE) is
like looking for a needle in a haystack.
• Chain of Custody means the chronological
documentation trail, that indicates seizure,
custody, transfer, analysis, and disposition of
evidence.
• Evidence must be handled in a careful manner to
avoid later allegations of tampering or
misconduct.
The purpose of the chain of custody is to establish
that the evidence produced in court is the same item
that was collected and that it has not been altered
in between. Documentation must include:
• Conditions under which the evidence is collected
• Identity of all those who handled the evidence
• Duration of evidence custody
• Security conditions while handling or storing the
evidence
• Manner in which evidence is transferred to
subsequent custodians
• Signatures of persons involved at each step
Cyberforensics and Digital Evidence
Cyberforensics can be divided into two domains:
• Computer forensics
• Network forensics
• Network forensics is the study of network traffic to
search for truth in civil, criminal, and administrative
matters to protect users and resources from
exploitation, invasion of privacy, and any other crime.
Digital evidence is different from physical
evidence because of the following
characteristics:
• Digital evidence is much easier to
change/manipulate
• Perfect copies can be made without harming
the original
• Different information is available at different
levels of abstraction
• Computer forensics experts know the
techniques to retrieve data not only from files
listed in a standard directory search but also
from hidden files, deleted files, deleted e-mail,
passwords and login IDs, encrypted files, hidden
partitions, etc.
Places on a computer system where evidence can reside:
• Logical file system, which spans:
– The file system
– Random Access Memory (RAM)
– Physical storage media
• Slack space: the part of a file's last allocated
cluster that the file does not use (internal
fragmentation); it can still hold remnants of whatever
previously occupied that cluster
• Unallocated space: clusters not assigned to any file;
deleted files persist there until overwritten
• User-created files
• Computer-created files (backups, cookies, configuration
files, history files, log files, swap files, system files,
temporary files, etc.)
• Computer networks
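The slack-space and unallocated-space points above, shown on a tiny in-memory "disk". This is an added example, not code from the textbook or the slides: the cluster size, the file contents and the "old" data are all constructed for illustration, and the allocation model is a deliberate simplification of a real file system.

```python
"""Slack space and unallocated space on a tiny in-memory 'disk'.

Added example: this is not code from the textbook or the slides. The
cluster size, the file contents and the 'old' data are all constructed
here for illustration.
"""

CLUSTER_SIZE = 512  # assumed allocation-unit size; real file systems use 512 B to 64 KiB


def slack_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes allocated to a file but not used by it (file slack).

    A zero-length file owns no cluster, so it has no slack; a file that
    exactly fills its last cluster has none either.
    """
    if file_size == 0:
        return 0
    clusters = -(-file_size // cluster_size)  # ceiling division
    return clusters * cluster_size - file_size


class TinyDisk:
    """A flat byte array plus an allocation set standing in for a file system."""

    def __init__(self, num_clusters: int):
        self.data = bytearray(CLUSTER_SIZE * num_clusters)
        self.allocated = set()  # cluster numbers currently owned by some file

    def write_file(self, first_cluster: int, content: bytes) -> int:
        """Store content from first_cluster on and mark its clusters allocated.

        Only the file's own bytes are written; the remainder of the last
        cluster is left untouched, which is why old data survives in slack.
        """
        start = first_cluster * CLUSTER_SIZE
        self.data[start:start + len(content)] = content
        n_clusters = -(-len(content) // CLUSTER_SIZE)
        self.allocated.update(range(first_cluster, first_cluster + n_clusters))
        return n_clusters

    def delete_file(self, first_cluster: int, file_size: int) -> None:
        """'Delete' the way most file systems do: free the clusters, wipe nothing."""
        n_clusters = -(-file_size // CLUSTER_SIZE)
        self.allocated.difference_update(range(first_cluster, first_cluster + n_clusters))

    def read_slack(self, first_cluster: int, file_size: int) -> bytes:
        """Return the slack bytes that follow the file's last byte."""
        start = first_cluster * CLUSTER_SIZE + file_size
        return bytes(self.data[start:start + slack_bytes(file_size)])

    def read_unallocated(self) -> bytes:
        """Concatenate every cluster not owned by a file (where deleted files persist)."""
        total = len(self.data) // CLUSTER_SIZE
        return b"".join(
            bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
            for c in range(total) if c not in self.allocated
        )


def demo() -> dict:
    """Deleted data reappears in the slack of a newer file and in free clusters."""
    disk = TinyDisk(4)
    old = b"payroll transfer to account 9981 " * 25      # 825 B, clusters 0-1 (constructed)
    memo = b"delete this memo before the audit " * 10    # 340 B, cluster 2 (constructed)
    disk.write_file(0, old)
    disk.write_file(2, memo)
    disk.delete_file(0, len(old))
    disk.delete_file(2, len(memo))
    new = b"N" * 600                                     # new file reuses clusters 0-1
    disk.write_file(0, new)
    return {
        "slack_len": slack_bytes(len(new)),              # 1024 - 600 = 424
        "slack": disk.read_slack(0, len(new)),           # tail of the old file, then zeros
        "unallocated": disk.read_unallocated(),          # clusters 2-3: the memo, then zeros
    }


if __name__ == "__main__":
    r = demo()
    print(r["slack_len"], r["slack"][:40], r["unallocated"][:40])
```

The 600-byte file owns two 512-byte clusters, so 424 bytes of slack follow it; those bytes are whatever the previous occupant of cluster 1 left behind, which a directory listing will never show.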
• Dr. Edmond Locard is regarded as the father of
modern forensic science.
• He is also known as the “Sherlock Holmes of
France”.
• Locard's exchange principle, “Every contact
leaves a trace”, is the basis of forensic
examination: an intruder both leaves traces on
and carries traces away from the system.
The Rules of Evidence
• According to Indian Evidence Act 1872,
evidence means:
All statements which the court permits or
requires to be made before it by witnesses, in
relation to matters of fact under inquiry, are
called oral evidence.
All documents that are produced for the
inspection of the court are called documentary
evidence.
• Provisions added to the Indian Evidence Act 1872
by the Information Technology Act, 2000 (ITA 2000)
constitute the body of law applicable to electronic
evidence.
• Digital evidence by its very nature is invisible to the eye.
• Digital evidence must be developed using tools other
than the human eye.
• Acquisition of digital evidence is both a legal and
technical problem.
Difficulties associated with gathering digital evidence:
✔ Determining what piece of digital evidence is required
✔ Where the evidence is physically located
Different contexts involved in actually
identifying a piece of digital evidence:
• Physical context
– It is definable by its physical form, that is, it should
reside on a specific piece of media
• Logical context
– It must be identifiable as to its logical position, that is,
where does it reside relative to the file system
• Legal context
– The evidence must be placed in the correct context
for its meaning to be read
– This may require looking at the evidence at the level
of raw machine data rather than through an application
Guidelines for digital evidence collection phase:
1. Follow site’s security policy and engage the appropriate incident
handling and law enforcement personnel
2. Capture a picture of the system as accurately as possible
3. Keep detailed notes with dates and times
4. Note the difference between the system clock and
Coordinated Universal Time (UTC)
5. Be prepared to testify outlining all actions you took and at what
times
6. Minimize changes to the data as you are collecting it
7. Remove external avenues for change
8. Always choose collection before analysis
9. Your procedures should be implementable
10. Manage the work among the team members
11. Proceed from volatile to less volatile.
12. Make a bit-level copy of the evidence and work on the copy,
never on the original
Digital Forensics Life Cycle
1. Preparing for the Evidence and Identifying
the Evidence
• In order to be processed and analysed, evidence
must first be identified.
• Evidence may be overlooked and never identified at all.
• A sequence of events in a computer might
include interactions between:
❑ Different files
❑ Files and file systems
❑ Processes and files
❑ Log files
• In case of a network, the interactions can be
between devices in the organization or across
the globe (Internet).
• If the evidence is never identified as relevant,
it may never be collected and processed.
2. Collecting and Recording Digital Evidence
• Digital evidence can be collected from many sources.
• The obvious sources can be:
❑ Mobile phone
❑ Digital cameras
❑ Hard drives
❑ CDs
❑ USB memory devices
• Non-obvious sources can be:
❑ Digital thermometer settings
❑ Black boxes inside automobiles
❑ RFID tags
• Proper care should be taken while handling
digital evidence because it can be changed easily.
• Once changed, its integrity is in doubt and it may
be ruled inadmissible, whatever further analysis shows.
• A cryptographic hash (e.g. SHA-256) of the evidence
file is computed at acquisition and recomputed later;
any change to the file, even a single bit, produces a
different hash.
• Sometimes important evidence might reside in
the volatile memory.
• Gathering volatile data requires special technical
skills.
3. Storing and Transporting Digital
Evidence
• Some guidelines for handling of digital evidence:
• Image computer media using a write-blocking tool to
ensure that nothing is written to the suspect device
• Establish and maintain the chain of custody
• Document everything that has been done
• Only use tools and methods that have been tested and
evaluated to validate their accuracy and reliability
• Care should be taken that evidence does not go
anywhere without properly being traced.
• Things that can go wrong in storage include:
• Decay over time (natural or unnatural)
• Environmental changes (direct or indirect)
• Fires
• Floods
• Loss of power to batteries and other media preserving
mechanisms
• Sometimes evidence must be transported from place
to place either physically or through a network.
• Care should be taken that the evidence is not changed
while in transit.
• Analysis is generally done on the copy of real evidence.
• If there is any dispute over the copy, the real can be
produced in court.
4. Examining/Investigating Digital Evidence
• The forensics specialist should ensure that he/she has
proper legal authority to seize, copy and examine the
data.
• One should not examine digital information unless
one has the legal authority to do so.
• Forensic investigation performed on data at rest
(hard disk) is called dead analysis.
• Many current attacks leave no trace on the
computer’s hard drive: the malicious code and data
exist only in the computer’s main memory.
• Performing forensic investigation on main memory is
called live analysis.
• Sometimes the decryption key might be available only in
RAM.
• Turning off the system will erase the decryption key.
• The process of creating an exact, bit-for-bit duplicate
of the original evidence is called imaging.
• Some tools that can create entire hard drive images
are:
• dcfldd
• IXImager
• Guymager
• The original drive is moved to secure storage to
prevent tampering/modification.
• The imaging process is verified by hashing both the
original and the image with SHA-1 or another hashing
algorithm and comparing the digests. SHA-1 is still
common in forensic tools but is no longer
collision-resistant, so record a SHA-256 digest (or
both) where the tool allows.
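The imaging and verification step above, together with the hash check from the collection phase (compute a hash at acquisition, recompute it later) and guideline 12 (bit-level copy, work on the copy). This is an added example, not the slides' code and not the code of dcfldd or any other imaging tool; it mimics what `dcfldd if=... of=... hash=sha256` does. The "suspect disk" is a constructed regular file, not a real device. Opening the source read-only in software does not stop the operating system from touching a real device, which is why a hardware write blocker is still required in practice.

```python
"""Bit-level imaging with in-flight hashing and later verification.

Added example, not the slides' or any tool's code. The 'suspect disk' is a
constructed file; a hardware write blocker is still needed for real media.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # read/write unit, like dd's bs=


def image_device(src_path: str, dst_path: str, algorithm: str = "sha256") -> tuple:
    """Copy src to dst block by block, hashing the source bytes as they are read.

    Returns (bytes_copied, source_digest). Hashing during the copy gives the
    acquisition hash that the chain-of-custody record should carry.
    """
    h = hashlib.new(algorithm)
    copied = 0
    fd = os.open(src_path, os.O_RDONLY)          # never open the source for writing
    with os.fdopen(fd, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            h.update(block)
            dst.write(block)
            copied += len(block)
    return copied, h.hexdigest()


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in blocks so that very large images need not fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path: str, acquisition_digest: str, algorithm: str = "sha256") -> bool:
    """Re-hash the image and compare it with the digest recorded at acquisition."""
    return hash_file(image_path, algorithm) == acquisition_digest


def demo() -> dict:
    """Image a constructed medium, verify the copy, then show a tampered copy failing."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "suspect_disk.bin")
        img = os.path.join(workdir, "suspect_disk.dd")
        with open(src, "wb") as f:                      # constructed stand-in medium
            f.write(bytes(range(256)) * 40)             # 10,240 bytes, deterministic
        copied, acq_digest = image_device(src, img)
        intact = verify_image(img, acq_digest) and hash_file(src) == acq_digest
        with open(img, "r+b") as f:                      # simulate a corrupted/tampered image
            f.seek(1234)
            b = f.read(1)
            f.seek(1234)
            f.write(bytes([b[0] ^ 0xFF]))                # flip every bit of one byte
        after_tamper = verify_image(img, acq_digest)
        return {"bytes_copied": copied, "digest": acq_digest,
                "verified": intact, "verified_after_tamper": after_tamper}


if __name__ == "__main__":
    print(demo())
```

The digest returned by `image_device` is the value to write on the custody form; every later examiner re-runs `verify_image` before trusting a working copy, and a single flipped byte is enough to make that check fail.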
5. Analysis, Interpretation and Attribution
• In digital forensics, only a few sequences of events
produce the evidence of interest, but the number of
possible sequences is enormous.
• The digital evidence must be analyzed to determine the
type of information stored on it.
• Examples of forensics tools:
• Forensic Toolkit (FTK)
• EnCase
• Scalpel (file carving tool)
• The Sleuth Kit (TSK)
• Autopsy
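File carving, the technique Scalpel in the list above applies, shown on a raw image with no file-system metadata: search for known header signatures, cut from header to the matching footer, and cap the size. This is an added example, not the slides' code and not Scalpel's; the sample image, its filler and the embedded "files" are constructed and are not real JPEG or PNG data, and the maximum carve lengths are assumptions.

```python
"""Header/footer file carving over a raw image with no file-system metadata.

Added example, not the slides' code and not Scalpel's. The sample image and
the embedded 'files' are constructed; they are not real JPEG/PNG data.
"""

# ext -> (header, footer, maximum carve length in bytes); the lengths are assumptions
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 4 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 4 * 1024 * 1024),
}


def carve(data: bytes) -> list:
    """Return (ext, start, end) triples for every signature match in data.

    A header with no footer inside its size window is skipped rather than
    carved to end-of-image, and carving resumes right after each hit so one
    footer cannot be claimed by two headers.
    """
    hits = []
    for ext, (header, footer, max_len) in SIGNATURES.items():
        pos = 0
        while (start := data.find(header, pos)) != -1:
            window_end = min(len(data), start + max_len)
            foot = data.find(footer, start + len(header), window_end)
            if foot == -1:
                pos = start + 1          # orphan header: body probably overwritten
                continue
            end = foot + len(footer)
            hits.append((ext, start, end))
            pos = end
    return sorted(hits, key=lambda t: t[1])


def extract(data: bytes, hits: list) -> dict:
    """Name each carved object by its byte offset, as carving tools do."""
    return {f"{start:08x}.{ext}": data[start:end] for ext, start, end in hits}


FILLER = b"\x00" * 1500                                # constructed unallocated space
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-body-constructed" + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR-body-constructed" + b"IEND\xaeB`\x82"
ORPHAN = b"\xff\xd8\xff\xe1" + b"\x00" * 100          # header whose body was overwritten
SAMPLE_IMAGE = FILLER + FAKE_JPEG + FILLER + FAKE_PNG + FILLER + ORPHAN

if __name__ == "__main__":
    for name, blob in extract(SAMPLE_IMAGE, carve(SAMPLE_IMAGE)).items():
        print(name, len(blob))
```

Carving recovers the two complete objects and ignores the orphan header at the end; real carvers add per-format checks (length fields, CRCs) because a bare footer search will also stop at footer bytes that happen to occur inside compressed data.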
Forensic analysis includes the following activities:
• Manual review of data on the media
• Windows registry inspection
• Discovering and cracking passwords
• Performing keyword searches related to crime
• Extracting emails and images
Types of digital analysis:
• Media analysis
• Media management analysis
• File system analysis
• Application analysis
• Network analysis
• Image analysis
• Video analysis
6. Reporting
• After the analysis is done, a report is generated.
• The report may be in oral form or in written form or
both.
• The report contains all the details about the evidence
in analysis, interpretation, and attribution steps.
• As a result of the findings in this phase, it should be
possible to confirm or discard the allegations.
Some of the general elements in the report are:
• Identity of the reporting agency
• Case identifier or submission number
• Case investigator
• Identity of the submitter
• Date of receipt
• Date of report
• Descriptive list of items submitted for examination
• Identity and signature of the examiner
• Brief description of steps taken during examination
• Results / conclusions
7. Testifying
• This phase involves presentation and
cross-examination of expert witnesses.
• Expert testimony is admissible when:
❖ The testimony is based on sufficient facts or data
❖ The testimony is the product of reliable principles and
methods
❖ The witness has applied the principles and methods reliably
to the facts of the case
• Experts with inadequate knowledge are sometimes
chastised by the court.
Precautions to be taken when collecting digital evidence
are:
⁻ No action taken by law enforcement agencies or their
agents should change the evidence
⁻ When a person must access the original data held on a
computer, that person must be competent to do so
⁻ An audit trail or other record of all processes applied to
digital evidence should be created and preserved
⁻ The person in charge of the investigation has overall
responsibility for ensuring that the law and these
principles are adhered to
Chain of Custody
• A chain of custody is the process of validating how
evidence has been gathered, tracked, and protected
on the way to the court of law.
• Forensic professionals know that without a
chain of custody the evidence is worthless.
• The chain of custody is a chronological written record of
the individuals who have had custody of the evidence
from its initial acquisition to its final disposition.
• A chain of custody begins when evidence is collected
and is maintained until the evidence is disposed of.
• The chain of custody assumes continuous
accountability: at every moment an identifiable
person is responsible for the item.
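A chain-of-custody log that carries the fields listed in the chain-of-custody documentation requirements (conditions of collection, identity of every handler, custody periods, storage, transfers) and enforces the continuous accountability described here. This is an added example, not a form from the textbook or the slides: names, times, identifiers and the evidence hash are all constructed. Each entry links to the hash of the previous one, so altering or removing an entry is detectable; the hash chain does not replace the signatures of the people involved at each step, which a real custody form still requires.

```python
"""Hash-chained chain-of-custody log.

Added example, not from the textbook or the slides. Names, times and the
evidence hash are constructed. The chain makes alteration or removal of an
entry detectable; it does not replace per-step signatures.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


def entry_hash(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class CustodyLog:
    """One log per evidence item; every entry links to the hash of the one before."""

    def __init__(self, evidence_id: str, evidence_sha256: str):
        self.evidence_id = evidence_id
        self.evidence_sha256 = evidence_sha256  # acquisition hash, recorded once
        self.entries = []

    def add(self, custodian: str, action: str, location: str, when_utc: datetime,
            system_clock: str = "", notes: str = "") -> dict:
        """Append an entry. system_clock is the seized machine's own clock reading,
        kept beside UTC so clock skew can be reasoned about later (guideline 4)."""
        record = {
            "seq": len(self.entries) + 1,
            "evidence_id": self.evidence_id,
            "evidence_sha256": self.evidence_sha256,
            "custodian": custodian,
            "action": action,            # collected | transferred | analysed | stored | released
            "location": location,
            "time_utc": when_utc.astimezone(timezone.utc).isoformat(),
            "system_clock": system_clock,
            "notes": notes,
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        record["entry_hash"] = entry_hash(record)
        self.entries.append(record)
        return record


def verify(entries: list) -> tuple:
    """Check links, per-entry hashes and continuous accountability.

    Returns (True, "ok") or (False, reason). The custodian may change only in
    a 'transferred' entry, so an unrecorded hand-over shows up as a failure.
    """
    prev_hash, prev_custodian = GENESIS, None
    for i, e in enumerate(entries, start=1):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["seq"] != i:
            return False, f"entry {i}: sequence number {e['seq']} (entry missing or reordered)"
        if e["prev_entry_hash"] != prev_hash:
            return False, f"entry {i}: broken link to previous entry"
        if entry_hash(body) != e["entry_hash"]:
            return False, f"entry {i}: contents altered after signing"
        if prev_custodian is not None and e["custodian"] != prev_custodian \
                and e["action"] != "transferred":
            return False, f"entry {i}: custody gap ({prev_custodian} -> {e['custodian']})"
        prev_hash, prev_custodian = e["entry_hash"], e["custodian"]
    return True, "ok"


def demo() -> dict:
    """An intact log, an altered one, one with a removed entry, and one with a custody gap."""
    t = datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)    # constructed times
    log = CustodyLog("EX-2024-017-HDD1", "ab" * 32)           # constructed id and hash
    log.add("Officer A", "collected", "Suspect's office, desk 3", t,
            system_clock="2024-05-01 15:02 (UTC+05:30), found 2 min slow")
    log.add("Examiner B", "transferred", "Forensic lab intake", t.replace(hour=11),
            notes="received from Officer A in sealed bag #4412, seal intact")
    log.add("Examiner B", "analysed", "Forensic lab, workstation 2", t.replace(hour=14),
            notes="imaged behind write blocker; image hash matches acquisition hash")
    log.add("Examiner B", "stored", "Evidence locker L-7", t.replace(hour=17))

    tampered = [dict(e) for e in log.entries]
    tampered[1]["location"] = "Officer A's car"             # alter a past entry
    missing = log.entries[:1] + log.entries[2:]             # drop the transfer entry

    gap = CustodyLog("EX-2024-017-USB2", "cd" * 32)
    gap.add("Officer A", "collected", "Suspect's office, desk 3", t)
    gap.add("Examiner C", "analysed", "Forensic lab", t.replace(hour=12))  # no hand-over recorded

    return {"intact": verify(log.entries), "tampered": verify(tampered),
            "missing": verify(missing), "gap": verify(gap.entries)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Every entry repeats the acquisition hash of the evidence, so an examiner who re-hashes a working copy has the reference value on the same record that names who handled the item and when.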
Network Forensics
• Many of today’s networks are wireless.
• A large share of Wi-Fi communication is still
unprotected or weakly protected.
• Wireless forensics is a part of network forensics, which
in turn is a part of computer forensics.
• Wireless forensics is the methodology and set of tools
required to collect and analyze wireless network traffic
so that it can be presented as valid digital evidence in a
court of law.
• The evidence collected can include plain data or VoIP
information (voice calls).
Wireless forensics process involves:
• Capturing all data moving over the Wi-Fi network
• Analyzing network events to uncover anomalies
• Discovering source of security attacks
• Investigating breaches on computers and wireless
networks
Thank you