Digital Forensics Notes

Digital forensics involves the identification, acquisition, analysis, and documentation of electronic evidence for legal purposes, crucial for both criminal and civil cases. The process includes steps such as identification, preservation, analysis, documentation, and presentation, with various types like disk, network, and mobile forensics. Maintaining a chain of custody is essential to ensure the integrity of evidence, preventing contamination and ensuring its admissibility in court.

Uploaded by

adityakota4216
DIGITAL FORENSICS NOTES

Digital Forensics
Digital forensics is a branch of forensic science that focuses on identifying, acquiring, processing,
analyzing, and reporting on data stored electronically. Electronic evidence is a component of
almost all criminal activities and digital forensics support is crucial for law enforcement
investigations.
Digital Forensics is defined as the process of preservation, identification, extraction,
and documentation of computer evidence which can be used by the court of law. It is a science
of finding evidence from digital media like a computer, mobile phone, server, or network.
It provides the forensic team with the best techniques and tools to solve digital crime.
Digital Forensics gives support for the forensic team to analyse, inspect, identify, and preserve the
digital evidence which is living on various types of electronic devices and storage media.
Objectives of computer forensics
Here are the essential objectives of using Computer forensics:
o It helps to postulate the motive behind the crime and identity of the main culprit.
o It helps to recover, analyze, and preserve computer and related materials in such a manner
that it helps the investigation agency to present them as evidence in a court of law.
o Designing procedures at a suspected crime scene which helps you to ensure that the
digital evidence obtained is not corrupted.
o Data acquisition and duplication: Recovering deleted files and deleted partitions from digital
media to extract the evidence and validate them.
o Helps you to identify the evidence quickly, and also allows you to estimate the
potential impact of the malicious activity on the victim
o Producing a computer forensic report which offers a complete report on the
investigation process.
o Preserving the evidence by following the chain of custody.
What is the Purpose of Digital Forensics?
The most common use of digital forensics is to support or refute a hypothesis in a criminal or civil
court:
Criminal cases: Involving the investigation of unlawful activity by cybercriminals. These
cases are usually carried out by law enforcement agencies and digital forensic examiners.
Civil cases: Involving the protection of the rights and property of individuals, or contractual
disputes between commercial entities, where a form of digital forensics called electronic discovery
(eDiscovery) is used.

Compiled and Rebuilt by Er. Anal Salshingikar



Process of Digital forensics [Steps of Forensics Process]

Digital Forensics Process


Identification
It is the first step in the forensic process. The identification process mainly includes things
like what evidence is present, where it is stored, and lastly, how it is stored (in which format).
Electronic storage media can be personal computers, Mobile phones, PDAs, etc.
Preservation
In this phase, data is isolated, secured, and preserved. It includes preventing people from
using the digital device so that digital evidence is not tampered with.
Analysis
In this step, investigation agents reconstruct fragments of data and draw conclusions based
on evidence found. However, it might take numerous iterations of examination to support
a specific crime theory.
Documentation
In this process, a record of all the visible data must be created. It helps in recreating the crime scene
and reviewing it. It Involves proper documentation of the crime scene along with photographing,
sketching, and crime-scene mapping.
Presentation
In this last step, the process of summarization and explanation of conclusions is done.
However, it should be written in a layperson's terms using abstracted terminologies.
All abstracted terminologies should reference the specific details.


Types of Digital Forensics


Three types of digital forensics are:
Disk Forensics:
It deals with extracting data from storage media by searching active, modified, or deleted files.
Network Forensics:
It is a sub-branch of digital forensics. It is related to monitoring and analysis of
computer network traffic to collect important information and legal evidence.
Wireless Forensics:
It is a division of network forensics. The main aim of wireless forensics is to offer the
tools needed to collect and analyze data from wireless network traffic.
Database Forensics:
It is a branch of digital forensics relating to the study and examination of databases and
their related metadata.
Malware Forensics:
This branch deals with the identification of malicious code, to study their payload,
viruses, worms, etc.
Email Forensics
Deals with recovery and analysis of emails, including deleted emails, calendars, and contacts.
Memory Forensics:
It deals with collecting data from system memory (system registers, cache, RAM) in raw
form and then carving the data from the raw dump.
Mobile Phone Forensics:
It mainly deals with the examination and analysis of mobile devices. It helps to retrieve
phone and SIM contacts, call logs, incoming, and outgoing SMS/MMS, Audio, videos, etc.
Challenges faced by Digital Forensics
Here are the major challenges faced by digital forensics:
• The increase in PCs and extensive use of internet access
• Easy availability of hacking tools
• Lack of physical evidence makes prosecution difficult.
• The large amount of storage space, running into terabytes, makes the investigation job difficult.
• Any technological change requires an upgrade of, or changes to, the solutions used.


Example Uses of Digital Forensics


In recent times, commercial organizations have used digital forensics in the following types
of cases:
• Intellectual Property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Inappropriate use of the Internet and email in the workplace
• Forgeries related matters
• Bankruptcy investigations
• Issues concerning regulatory compliance
Advantages of Digital forensics
Here are the pros/benefits of digital forensics:
• To ensure the integrity of the computer system.
• To produce evidence in court, which can lead to the punishment of the culprit.
• It helps companies capture important information if their computer systems or networks
are compromised.
• Efficiently tracks down cybercriminals from anywhere in the world.
• Helps to protect the organization's money and valuable time.
• Allows the extraction, processing, and interpretation of factual evidence, so that the
cybercriminal's actions can be proved in court.
Disadvantages of Digital Forensics
Here are the major cons/drawbacks of using digital forensics:
• Digital evidence is accepted in court only if it can be proved that it has not been tampered with.
• Producing electronic records and storing them is an extremely costly affair.
• Legal practitioners must have extensive computer knowledge.
• Need to produce authentic and convincing evidence.
• If the tool used for digital forensics does not meet the specified standards, the evidence can
be rejected by the court.


• Lack of technical knowledge on the part of the investigating officer may not yield the desired result.
Summary:
• Digital Forensics is the preservation, identification, extraction, and documentation of computer
evidence which can be used in the court of law
• Process of Digital forensics includes 1) Identification, 2) Preservation, 3) Analysis,
4) Documentation and, 5) Presentation
• Different types of Digital Forensics are Disk Forensics, Network Forensics,
Wireless Forensics, Database Forensics, Malware Forensics, Email Forensics, Memory
Forensics, etc.
• Digital forensic Science can be used for cases like 1) Intellectual Property theft, 2) Industrial
espionage 3) Employment disputes, 4) Fraud investigations.
--------------------------------------------------------------------------------------------------------------------
Locard’s Exchange Principle
Dr. Edmond Locard’s exchange principle states that whenever two objects come in contact,
a transfer of material occurs. For example, when a killer enters and subsequently departs a
crime scene, the attacker could leave blood, DNA, latent prints, hair, and fibers [4], or pick up
such evidence from the victim.
Locard’s exchange principle also applies to a digital environment. Registry keys and log files can
serve as the digital equivalent to hair and fiber. Like DNA, our ability to detect and analyze these
artifacts relies heavily on the technology available at the time. Look at the numerous cold cases
that are now being solved due to the significant advances in DNA science. Viewing a device or
incident through the “lens” of Locard’s exchange principle can be very helpful in locating and
interpreting not only physical but also digital evidence.
Locard’s Exchange Principle
Dr. Edmond Locard was the director of the world’s first forensic laboratory in France.
He presented Locard’s Exchange Principle, also known as Locard’s Principle of Transference,
in the early 20th century for the purpose of collecting the trace evidence. Locard firmly
believed that no matter what a criminal does or where a criminal goes, he/she will certainly leave
trace evidence at the crime scene. In fact, whenever two or more people come into contact with
one another, a physical transfer takes place. Skin, hair, pollen, clothing fiber, glass
fragments, makeup, debris from clothing, or any other material can be transferred from one person
to another. This material helps the forensic examiners to collect the trace evidence.
The applicability of Locard’s Principle of Transference in computer forensics applies
to cybercrimes involving computer networks, such as identity thefts and electronic bank
frauds. To understand how Locard’s Exchange Principle applies to computer forensics, consider
what happens when a computer is connected to a particular network. To establish an
internet connection, the computer must have a network interface card (NIC). Once the connection
is established, the NIC transmits its MAC address to the relevant DHCP server. The DHCP
server's logs record this MAC address, and the server assigns an IP address to the computer,
which receives and stores it. Noticeably, the interaction between the computer and the DHCP
server causes an exchange of information, such as MAC and IP addresses, between both devices.
This interaction can help forensic experts determine the specific date and time of day when
the interaction took place.
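As an added example (not part of the original notes), the following Python script parses DHCP server log lines written in the syslog style of ISC dhcpd, keeps only the DHCPACK and DHCPRELEASE messages that actually change an address binding, and builds the MAC-to-IP timeline an examiner would use to answer "which device held this address at that time". The log lines are constructed for the example; the year is an assumption, because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample lines in the syslog style of ISC dhcpd (not from any real server).
SAMPLE_LOG = """\
Mar 12 09:14:02 gw dhcpd[1201]: DHCPDISCOVER from 3c:52:82:aa:01:9f via eth1
Mar 12 09:14:02 gw dhcpd[1201]: DHCPOFFER on 192.168.10.57 to 3c:52:82:aa:01:9f (LAPTOP-Q7) via eth1
Mar 12 09:14:03 gw dhcpd[1201]: DHCPREQUEST for 192.168.10.57 (192.168.10.1) from 3c:52:82:aa:01:9f (LAPTOP-Q7) via eth1
Mar 12 09:14:03 gw dhcpd[1201]: DHCPACK on 192.168.10.57 to 3c:52:82:aa:01:9f (LAPTOP-Q7) via eth1
Mar 12 11:30:45 gw dhcpd[1201]: DHCPRELEASE of 192.168.10.57 from 3c:52:82:aa:01:9f (LAPTOP-Q7) via eth1
Mar 12 11:31:10 gw dhcpd[1201]: DHCPACK on 192.168.10.57 to 08:00:27:4e:77:c2 (test-vm) via eth1
Mar 12 11:31:10 gw dhcpd[1201]: DHCPACK on 192.168.10.58 to 3c:52:82:aa:01:9f via eth1
"""

# Only ACK (binding granted or renewed) and RELEASE (binding given up) change who holds an
# address; DISCOVER/OFFER/REQUEST lines are deliberately not matched.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd\[\d+\]: "
    r"(?P<msg>DHCPACK|DHCPRELEASE) (?:on|of) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?:to|from) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?"
)


def parse_dhcp_log(text, year=2024):
    """Return lease records [{ip, mac, host, start, end}] in the order the leases were opened.
    `year` is an assumption: syslog timestamps do not include one."""
    open_by_ip = {}
    leases = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, mac, host = m["ip"], m["mac"], m["host"] or ""
        current = open_by_ip.get(ip)
        if m["msg"] == "DHCPACK":
            if current is not None and current["mac"] != mac:
                current["end"] = ts        # address moved to another client without a RELEASE
                del open_by_ip[ip]
                current = None
            if current is None:
                current = {"ip": ip, "mac": mac, "host": host, "start": ts, "end": None}
                open_by_ip[ip] = current
                leases.append(current)
            # an ACK for the same MAC is a renewal: the binding continues unchanged
        elif m["msg"] == "DHCPRELEASE" and current is not None and current["mac"] == mac:
            current["end"] = ts
            del open_by_ip[ip]
    return leases


def who_had_ip(leases, ip, at):
    """MAC address bound to `ip` at ISO-8601 time `at`, or None if nobody held it then."""
    at = datetime.fromisoformat(at)
    answer = None
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= at and (lease["end"] is None or at < lease["end"]):
            answer = lease["mac"]
    return answer


if __name__ == "__main__":
    for lease in parse_dhcp_log(SAMPLE_LOG):
        print(f"{lease['ip']:15} {lease['mac']} {lease['host'] or '-':10} "
              f"{lease['start']} -> {lease['end'] or 'still active'}")
    print(who_had_ip(parse_dhcp_log(SAMPLE_LOG), "192.168.10.57", "2024-03-12 10:00:00"))
```

The timeline is only as good as the log's clock, so the examiner should record the server's time source and any offset from the other evidence before relying on these timestamps.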
The Inman-Rudin Paradigm
Locard’s Exchange Principle set the stage for various other forensic scientists to develop
new ways of investigating and analyzing evidence. Later on, the Inman-Rudin Paradigm
was designed by Keith Inman and Norah Rudin. This paradigm, in fact, expanded the
Locard’s Exchange Principle into two principles and four processes that were applicable not only
in physical forensics but also in computer forensics.
The principles are:
1. Transfer: The transfer, in fact, is Locard’s Exchange Principle, the exchange of
material between two persons.
2. The divisibility of matter: This represents the ability to impute the characteristics to the whole
of something from a separate piece of it.
Four processes:
1. Identification defines the physico-chemical nature of the evidence; for example, the number
of heads, cylinders, and sectors of the hard drive.
2. Classification/Individualization—Classification attempts to determine the source, whereas
the individualization employs some characteristics to uniquely identify a specimen. For example,
a security camera captured the crime scene and showed an unidentified perpetrator who killed the
victim. On the other hand, the image was clear enough to recognize his gun. The investigators
examined the bullet recovered from the victim corpse and found the gun manufacturer, based on
bullet’s composition, size, and weight. In fact, these are all class characteristics.
When the perpetrator was arrested, the weapon recovered from him was the same as the
weapon identified in the examination. Consequently, it was proved that the bullet had a common
origin and, therefore was “class evidence.” This is a process of identification that provides
the “individual evidence.”
Classification/individualization can be applied to digital evidence. For example, the structure and
location of data on storage media can determine the file system and partition type.
3. Association links a person with a crime. In computer forensics, the experts first identify
the items, such as files, data structures, and code, that need to be associated, and determine
where they might be stored and what tools could be used to locate them. The experts then
extract the required information and determine the associations.
4. Reconstruction tries to answer the questions of “How? Where? And When?” the crime had
taken place. For example, in computer forensics, the date and time relating to data, file system,
and network communication can be utilized to demonstrate a sequence of events in the computer
system.
What Is the Chain of Custody in Computer Forensics?
The chain of custody in digital forensics can also be referred to as the forensic link, the paper trail,
or the chronological documentation of electronic evidence. It indicates the collection, sequence
of control, transfer, and analysis. It also documents each person who handled the evidence, the
date/time it was collected or transferred, and the purpose for the transfer.
Why Is It Important to Maintain the Chain of Custody?
It is important to maintain the chain of custody to preserve the integrity of the evidence
and prevent it from contamination, which can alter the state of the evidence. If not preserved,
the evidence presented in court might be challenged and ruled inadmissible.
Importance to the Examiner
Suppose that, as the examiner, you obtain metadata for a piece of evidence. However, you
are unable to extract meaningful information from it. The fact that there is no
meaningful information within the metadata does not mean that the evidence is insufficient. The
chain of custody in this case helps show where the possible evidence might lie, where it came
from, who created it, and the type of equipment that was used. That way, if you want to create
an exemplar, you can get that equipment, create the exemplar, and compare it to the evidence
to confirm the evidence properties.
Importance to the Court
It is possible to have the evidence presented in court dismissed if there is a missing link in
the chain of custody. It is therefore important to ensure that a wholesome and meaningful chain
of custody is presented along with the evidence at the court.
What Is the Procedure to Establish the Chain of Custody?
In order to ensure that the chain of custody is as authentic as possible, a series of steps must
be followed. It is important to note that the more information a forensic expert obtains
concerning the evidence at hand, the more authentic the created chain of custody is. For this
reason, it is important to obtain administrative information about the evidence: for instance,
the administrative log, date and file information, and who accessed the files. You should ensure
the following procedure is followed according to the chain of custody for electronic evidence:


• Save the original materials: You should always work on copies of the digital evidence as
opposed to the original. This ensures that you are able to compare your work products to the
original that you preserved unmodified.
• Take photos of physical evidence: Photos of physical (electronic) evidence establish the chain
of custody and make it more authentic.
• Take screenshots of digital evidence content: In cases where the evidence is intangible, taking
screenshots is an effective way of establishing the chain of custody.
• Document date, time, and any other information of receipt. Recording the timestamps of
whoever has had the evidence allows investigators to build a reliable timeline of where the
evidence was prior to being obtained. In the event that there is a hole in the timeline, further
investigation may be necessary.
• Ingest a bit-for-bit clone of the digital evidence content into the forensic computers.
This ensures that we obtain a complete duplicate of the digital evidence in question.
• Perform a hash test analysis to further authenticate the working clone. Performing a hash
test ensures that the data obtained from the previous bit-for-bit copy procedure is not corrupt and
reflects the true nature of the original evidence. If this is not the case, the forensic analysis
may be flawed and may result in problems, thus rendering the copy non-authentic.
The procedure of the chain of custody might differ depending on the jurisdiction in which
the evidence resides; however, the steps are largely identical to the ones outlined above.
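An added example, not from the original notes, of how the hash test and the custody documentation in the steps above fit together: a small Python chain-of-custody ledger in which every entry records who handed the item to whom, when and for what purpose, together with the SHA-256 of the evidence at that moment, and each entry also carries the hash of the previous entry so that a later edit or a dropped entry breaks the chain on verification. The case, item and person identifiers are constructed placeholders.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-entry hash used for the very first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the hash does not depend on dict ordering.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLedger:
    """Append-only chain-of-custody record for one evidence item."""

    def __init__(self, case_id: str, item_id: str, evidence: bytes, collector: str, when: str):
        self.case_id = case_id
        self.item_id = item_id
        self.original_hash = sha256_hex(evidence)   # hash taken at seizure time
        self.entries = []
        self._append("collected", collector, collector, when, "seizure at scene", self.original_hash)

    def _append(self, action, from_person, to_person, when, purpose, evidence_hash):
        entry = {
            "seq": len(self.entries),
            "case_id": self.case_id,
            "item_id": self.item_id,
            "action": action,
            "from": from_person,
            "to": to_person,
            "when": when,                 # ISO-8601 timestamp supplied by the handler
            "purpose": purpose,
            "evidence_sha256": evidence_hash,
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def transfer(self, from_person, to_person, when, purpose, evidence: bytes) -> bool:
        """Record a hand-over. The item is re-hashed so that any alteration while in the
        previous custodian's hands is written into the record. Returns True if unchanged."""
        current_hash = sha256_hex(evidence)
        self._append("transferred", from_person, to_person, when, purpose, current_hash)
        return current_hash == self.original_hash

    def verify(self):
        """Recompute every link. Returns (True, None), or (False, seq of the first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if (entry["seq"] != i or entry["prev_entry_hash"] != prev
                    or _entry_hash(entry) != entry["entry_hash"]):
                return False, i
            prev = entry["entry_hash"]
        return True, None


if __name__ == "__main__":
    evidence = b"constructed stand-in for a disk image"
    ledger = CustodyLedger("CASE-0001", "HDD-01", evidence, "Officer A", "2024-03-12T09:30:00Z")
    ledger.transfer("Officer A", "Examiner B", "2024-03-12T14:00:00Z", "lab analysis", evidence)
    print(json.dumps(ledger.entries, indent=2))
    print("chain intact:", ledger.verify())
```

Each entry's `evidence_sha256` is the hash test from the procedure above; `prev_entry_hash` is what turns a list of log lines into a chain, because an entry cannot be altered or removed without every later `prev_entry_hash` ceasing to match.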
What Considerations Are Involved with Digital Evidence?
A couple of considerations are involved when dealing with digital evidence. We shall take a look
at the most common and discuss globally accepted best practices.
1. Never work with the original evidence to develop procedures: The biggest consideration
with digital evidence is that the forensic expert has to make a complete copy of the evidence for
forensic analysis. This cannot be overlooked because, when errors are made to working copies or
comparisons are required, it will be necessary to compare the original and copies.
2. Use clean collecting media: It is important to ensure that the examiner’s storage device
is forensically clean when acquiring the evidence. This prevents the original copies from damage.
Think of a situation where the examiner’s data evidence collecting media is infected by malware.
If the malware escapes into the machine being examined, all of the evidence can become
compromised.
3. Document any extra scope: During the course of an examination, information of evidentiary
value may be found that is beyond the scope of the current legal authority. It is recommended that
this information be documented and brought to the attention of the case agent because the
information may be needed to obtain additional search authorities. A comprehensive report must
contain the following sections:

o Identity of the reporting agency
o Case identifier or submission number
o Case investigator
o Identity of the submitter
o Date of receipt
o Date of report
o Descriptive list of items submitted for examination, including serial number, make, and model
o Identity and signature of the examiner
o Brief description of steps taken during examination, such as string searches, graphics image
searches, and recovering erased files
o Results/conclusions
4. Consider safety of personnel at the scene. It is advisable to always ensure the scene
is properly secured before and during the search. In some cases, the examiner may only have the
opportunity to do the following while onsite:
o Identify the number and type of computers.
o Determine if a network is present.
o Interview the system administrator and users.
o Identify and document the types and volume of media, including removable media.
o Document the location from which the media was removed.
o Identify offsite storage areas and/or remote computing locations.
o Identify proprietary software.
o Determine the operating system in question.
The considerations above need to be taken into account when dealing with digital evidence due to
the fragile nature of the task at hand.
What is acquisition in digital forensics?
Data acquisition in digital forensics encompasses all the procedures involved in gathering digital
evidence including cloning and copying evidence from any electronic source. It
involves producing a forensic image from digital devices including CD ROM, hard drive,
removable hard drives, smartphones, thumb drive, gaming console, servers, and other
computer technologies that can store electronic data.


In digital forensics investigation, data acquisition is perhaps the most critical stage and it involves
a demanding, thorough, and well-crafted plan for acquiring digital evidence. Thorough
information must be stored and preserved, as well as all software and hardware provisions, the
computer media applied during the investigation process, and the forensic evidence being
considered.
Data acquisition methods
There are different types of data acquisition methods, including logical disk-to-disk file,
disk-to-disk copy, sparse data copy of a file or folder, and disk-to-image file. There are also
different approaches used for data acquisition, depending on the type of digital device you
are working with. For instance, the approach used to retrieve evidence from a smartphone
differs from the technique needed to acquire digital evidence from a computer hard drive.
Unless you are performing a live acquisition, the forensic evidence is typically obtained from the
digital media seized and stored at the forensics lab (static acquisition). The seized digital
evidence is regarded as the primary source of evidence during a forensic investigation; it is called
an 'exhibit' in legal vocabulary. However, the digital forensics professional does not work on
data directly from the primary source, so as not to corrupt or compromise the evidence.
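An added example, not part of the original notes, contrasting a disk-to-image acquisition with a logical file copy. The "disk", its sector size and its allocation table are constructed for the example: the bit-for-bit image, hashed as it is read so the digest can later be checked against the stored copy, still contains the remains of a deleted file in an unallocated sector, while the logical copy of the allocated files does not.

```python
import hashlib
import io

SECTOR = 512  # constructed sector size for the toy disk


def make_sample_disk() -> bytes:
    """Constructed 8-sector 'disk' (not a real image): sectors 0-1 hold an allocated file,
    sector 5 still contains the remains of a file that was deleted."""
    disk = bytearray(8 * SECTOR)
    live = b"INVOICE-2024-0042 total 1,250.00 EUR\n"
    gone = b"DELETED: draft of old report, unlinked from the directory\n"
    disk[0:len(live)] = live
    disk[5 * SECTOR:5 * SECTOR + len(gone)] = gone
    return bytes(disk)


# Constructed allocation table: file name -> (first sector, number of sectors).
ALLOCATION = {"invoice.txt": (0, 2)}


def disk_to_image(src, dst, chunk_size=4096):
    """Bit-for-bit copy of every byte readable from src into dst, hashing the stream as it
    is read. Returns (bytes_copied, sha256 hex of what was read)."""
    h = hashlib.sha256()
    total = 0
    while True:
        block = src.read(chunk_size)
        if not block:
            break
        h.update(block)
        dst.write(block)
        total += len(block)
    return total, h.hexdigest()


def acquire_image(disk: bytes):
    """Simulate imaging a device by streaming its raw bytes through disk_to_image.
    Returns (image_bytes, acquisition_hash)."""
    src, dst = io.BytesIO(disk), io.BytesIO()
    _, digest = disk_to_image(src, dst)
    return dst.getvalue(), digest


def verify_image(original: bytes, image: bytes) -> bool:
    """Hash test: the stored image must hash to the same value as the source."""
    return hashlib.sha256(original).hexdigest() == hashlib.sha256(image).hexdigest()


def logical_copy(disk: bytes, allocation) -> dict:
    """File-level copy: only the sectors the allocation table assigns to a file."""
    return {
        name: disk[first * SECTOR:(first + count) * SECTOR].rstrip(b"\0")
        for name, (first, count) in allocation.items()
    }


def find_marker(image: bytes, marker: bytes) -> list:
    """Offsets of every occurrence of marker in the image, allocated or not (simple carving)."""
    hits, pos = [], image.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = image.find(marker, pos + 1)
    return hits


if __name__ == "__main__":
    disk = make_sample_disk()
    image, digest = acquire_image(disk)
    print("image bytes:", len(image), "sha256:", digest)
    print("image verifies:", verify_image(disk, image))
    print("deleted remnant found in image at:", find_marker(image, b"DELETED:"))
    print("logical copy sees only:", list(logical_copy(disk, ALLOCATION)))
```

The hash computed during the read and the hash of the written image should agree; if they do not, the acquisition is repeated rather than analysed, which is exactly the hash test the chain-of-custody procedure calls for.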


Digital Signatures and Certificates


Encryption – Process of converting electronic data into another form, called ciphertext, which
cannot be easily understood by anyone except the authorized parties. This assures data security.
Decryption– Process of translating code to data.
• The message is encrypted at the sender’s side using various encryption algorithms
and decrypted at the receiver’s end with the help of the decryption algorithms.
• When some message is to be kept secure like username, password, etc., encryption
and decryption techniques are used to assure data security.
Types of Encryption
Data encryption transforms information into a code that is only accessible to those with a password
or secret key, sometimes referred to as a decryption key. Data that has not been encrypted is
referred to as plaintext, whereas data that has been encrypted is referred to as ciphertext. In today’s
business sector, encryption is one of the most popular and effective data protection solutions. By
converting data into ciphertext, which can only be decoded with a special decryption key generated
either before or at the time of the encryption, data encryption serves to protect the secrecy of data.
• Symmetric Encryption:
Data is encrypted using a key and the decryption is also done using the same key.There are a few
strategies used in cryptography algorithms. For encryption and decryption processes, some
algorithms employ a unique key. In such operations, the unique key must be secured since the
system or person who knows the key has complete authentication to decode the message for
reading.

Symmetric Encryption

• Asymmetric Encryption
Asymmetric cryptography is also known as public-key cryptography. It uses public and private
keys for the encryption and decryption of messages. The key in the pair which can be shared with
everyone is called the public key. The other key in the pair, which is kept secret and is only known
to the owner, is called the private key.


Asymmetric Encryption
Public key – Key which is known to everyone. Example: the public key of A is 7; this information is
known to everyone.
Private key – Key which is only known to the person whose private key it is.
Authentication – Authentication is any process by which a system verifies the identity of a user
who wishes to access it.
Non-repudiation – Non-repudiation is a way to guarantee that the sender of a message cannot
later deny having sent the message and that the recipient cannot deny having received the
message.
Integrity – To ensure that the message was not altered during transmission.
Message digest – The representation of text in the form of a single string of digits, created using a
formula called a one-way hash function. Encrypting a message digest with a private key creates a
digital signature, which is an electronic means of authentication.

Digital Signature
A digital signature is a mathematical technique used to validate the authenticity and integrity of a
message, software, or digital document.
1. Key Generation Algorithms: Digital signatures are electronic signatures which assure that the
message was sent by a particular sender. While performing digital transactions, authenticity and
integrity should be assured; otherwise, the data can be altered, or someone can act as if he
were the sender and expect a reply.
2. Signing Algorithms: To create a digital signature, signing algorithms like email programs
create a one-way hash of the electronic data which is to be signed. The signing algorithm then
encrypts the hash value using the private key (signature key). This encrypted hash along with
other information like the hashing algorithm is the digital signature. This digital signature is
appended with the data and sent to the verifier. The reason for encrypting the hash instead of the
entire message or document is that a hash function converts any arbitrary input into a much shorter
fixed-length value. This saves time as now instead of signing a long message a shorter hash value
has to be signed and moreover hashing is much faster than signing.


3. Signature Verification Algorithms: The verifier receives the digital signature along
with the data. It then uses the verification algorithm to process the digital signature together
with the public key (verification key) and generates some value. It also applies the same hash
function to the received data and generates a hash value. If the two values are equal, the digital
signature is valid; otherwise it is invalid.
The steps followed in creating a digital signature are:
1. A message digest is computed by applying a hash function to the message, and the message
digest is then encrypted using the private key of the sender to form the digital signature
(digital signature = encryption(private key of sender, message digest) and message digest =
message digest algorithm(message)).
2. The digital signature is then transmitted with the message (message + digital signature is
transmitted).
3. The receiver decrypts the digital signature using the public key of the sender. (This assures
authenticity: only the sender has his private key, so only the sender can encrypt with it, and
the result can be decrypted with the sender's public key.)
4. The receiver now has the message digest.
5. The receiver can compute the message digest from the message (the actual message is sent
with the digital signature).
6. The message digest computed by the receiver and the message digest obtained by decrypting
the digital signature must be the same to ensure integrity.
The message digest is computed using a one-way hash function, i.e. a hash function for which
computing the hash value of a message is easy but computing the message from its hash value
is very difficult.
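The six steps above, carried out as an added Python example that is not part of the original notes. It uses textbook RSA built from two fixed, publicly known Mersenne primes (2^61-1 and 2^89-1) so that the arithmetic is reproducible, and truncates the SHA-256 digest to 128 bits so that it is smaller than the modulus; this shows the sign/verify relationship of "encrypt the digest with the private key, decrypt with the public key", not a padded production signature scheme, and all key values are constructed.

```python
import hashlib

# Constructed toy key pair from two known Mersenne primes (textbook RSA, no padding).
P = (1 << 61) - 1   # 2^61 - 1, prime
Q = (1 << 89) - 1   # 2^89 - 1, prime
N = P * Q           # modulus, about 2^150
E = 65537           # public exponent; coprime to (P-1)(Q-1) for these primes


def modinv(a, m):
    """Modular inverse of a mod m by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


D = modinv(E, (P - 1) * (Q - 1))   # private exponent (signature key)

PUBLIC_KEY = (N, E)     # verification key: may be given to everyone
PRIVATE_KEY = (N, D)    # signature key: known only to the sender


def message_digest(message: bytes) -> int:
    """Step 1 (and 5): one-way hash of the message, truncated to 128 bits so that the
    resulting integer is below N."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes, private_key) -> int:
    """Step 1: digital signature = encryption(private key of sender, message digest)."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Steps 3-6: decrypt the signature with the sender's public key to recover the digest,
    recompute the digest from the received message, and compare the two."""
    n, e = public_key
    recovered_digest = pow(signature, e, n)
    return recovered_digest == message_digest(message)


if __name__ == "__main__":
    message = b"Transfer 1,250.00 EUR to account 42"   # constructed sample message
    signature = sign(message, PRIVATE_KEY)               # step 2: message + signature is sent
    print("signature:", signature)
    print("valid on original message:", verify(message, signature, PUBLIC_KEY))
    print("valid on altered message:", verify(message + b".", signature, PUBLIC_KEY))
```

Altering a single byte of the message changes the recomputed digest, so the comparison in step 6 fails; altering the signature makes the decrypted value differ from the digest, which is the authenticity check in step 3.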


Assurances about digital signatures


The definitions and words that follow illustrate the kind of assurances that digital signatures offer.
1. Authenticity: The identity of the signer is verified.
2. Integrity: Since the content was digitally signed, it has not been altered or
interfered with.
3. Non-repudiation: demonstrates the source of the signed content to all parties. The
act of a signer denying any affiliation with the signed material is known as repudiation.
4. Notarization: Under some conditions, a signature in a Microsoft Word, Microsoft
Excel, or Microsoft PowerPoint document that has been time-stamped by a secure time-
stamp server is equivalent to a notarization.

Benefits of Digital Signatures


• Legal documents and contracts: Digital signatures are legally binding. This makes
them ideal for any legal document that requires a signature authenticated by one or
more parties and guarantees that the record has not been altered.
• Sales contracts: Digital signing of contracts and sales contracts authenticates the
identity of the seller and the buyer, and both parties can be sure that the signatures are
legally binding and that the terms of the agreement have not been changed.
• Financial Documents: Finance departments digitally sign invoices so customers can
trust that the payment request is from the right seller, not from a bad actor trying to
trick the buyer into sending payments to a fraudulent account.
• Health Data: In the healthcare industry, privacy is paramount for both patient
records and research data. Digital signatures ensure that this confidential information
was not modified when it was transmitted between the consenting parties.
Drawbacks of Digital Signature
• Dependency on technology: Because digital signatures rely on technology, they are
susceptible to crimes, including hacking. As a result, businesses that use digital
signatures must make sure their systems are safe and have the most recent security
patches and upgrades installed.
• Complexity: Setting up and using digital signatures can be challenging, especially for
those who are unfamiliar with the technology. This may result in blunders and errors
that reduce the system’s efficacy. The process of issuing digital signatures to senior
citizens can occasionally be challenging.
• Limited acceptance: Digital signatures take time to replace manual ones since
technology is not widely available in India, a developing nation.

Compiled and Rebuilt by Er. Anal Salshingikar



Digital Certificate
A digital certificate is issued by a trusted third party and proves the sender's identity to
the receiver and the receiver's identity to the sender.
A digital certificate is a certificate issued by a Certificate Authority (CA) to verify the
identity of the certificate holder. It binds a public key to a particular individual or
entity.
A digital certificate contains
• Name of the certificate holder (the subject) and of the issuing CA.
• A serial number, which uniquely identifies the certificate among those issued by that
CA (it is the value quoted when the certificate is revoked).
• A validity period (not-before and not-after dates).
• A copy of the certificate holder's public key (used by others to verify the holder's
digital signatures and to encrypt messages that only the holder's private key can decrypt).
• The digital signature of the issuing authority over all of the above.
The digital certificate is usually sent along with the digital signature and the message,
so the receiver can verify the signature without fetching the key separately.
Advantages of Digital Certificate
• NETWORK SECURITY : Modern cybersecurity relies on a layered strategy in which
many controls cooperate to offer the best protection against malicious actors. Digital
certificates are an essential piece of this puzzle: by authenticating the server (and
optionally the client) at the start of a TLS session, they provide a strong defence against
tampering and man-in-the-middle attacks.
• VERIFICATION : Authentication restricts access to sensitive data, which makes it a
crucial component of cybersecurity. Certificate-based authentication offers a dependable
way of verifying identity at many different endpoints, reducing the chance that hostile
actors can cause chaos. Compared with other popular methods such as biometrics or one-
time passwords, certificates are more flexible: they can be issued to users, devices and
services alike, and a chain can be verified without contacting a central server (apart
from revocation checks).
• BUYER SUCCESS : Astute consumers demand assurance that the websites they visit are
genuine. Because digital certificates are backed by certificate authorities that users'
browsers already trust, they offer a readily identifiable indicator of reliability.
Disadvantages of Digital Certificate
• Phishing attacks: Attackers can register look-alike domains and obtain valid (usually
domain-validated) certificates for them, so the browser padlock alone does not prove that a
site is legitimate. Users may be fooled into providing sensitive information, such as their
login credentials, which the attacker can then exploit.
• Weak cryptography: Older certificates may use signature algorithms (MD5, SHA-1) or key
sizes (RSA below 2048 bits) that are now considered broken or weak, allowing forged
certificates or recovered private keys.
• Misconfiguration: Digital certificates only work if they are set up correctly. Expired
certificates, mismatched host names, incomplete chains, or private keys left world-readable
expose websites and online interactions to attack.
Digital certificate vs digital signature
A digital signature is used to verify authenticity, integrity and non-repudiation, i.e. it
assures that the message was sent by the known user and was not modified, while a digital
certificate is used to verify the identity of a user, whether sender or receiver, by binding
that identity to a public key. Thus a digital signature and a certificate are different kinds
of things, but both are used for security, and in practice they work together: the
certificate tells the verifier which public key to use when checking the signature. Most
websites use digital certificates to enhance the trust of their users.

Feature             | Digital Signature                                        | Digital Certificate
--------------------|----------------------------------------------------------|--------------------------------------------------
Basics / Definition | Secures the integrity of a digital document, much as a   | A file that attests to the holder's identity by
                    | fingerprint or seal does for a paper one.                | binding it to a public key.
Process / Steps     | The hash of the original data is signed (encrypted) with | Generated by a CA (Certifying Authority) in four
                    | the sender's private key to produce the signature.       | steps: key generation, registration,
                    |                                                          | verification, creation.
Security Services   | Authenticity of the sender, integrity of the document    | Authentication of the certificate holder
                    | and non-repudiation.                                     | (identity binding).
Standard            | Digital Signature Standard (DSS).                        | X.509 format.


What is Operating system forensics?

Definition: Operating System Forensics is the process of retrieving useful information from the
Operating System (OS) of the computer or mobile device in question. The aim of collecting this
information is to acquire empirical evidence against the perpetrator.
Overview: An understanding of an OS and its file system is necessary to recover data for
computer investigations. The file system gives the operating system a roadmap to the data on
the hard disk and defines how the drive stores that data. Many file systems exist for different
operating systems, such as FAT, exFAT, and NTFS for Windows, and ext2, ext3 and ext4 for Linux.
Data and file recovery techniques for these file systems include data carving, slack space
analysis, and the detection of data hiding. Another important aspect of OS forensics is memory
forensics, which covers virtual memory, Windows memory, Linux memory, Mac OS memory, memory
extraction, and swap space. OS forensics also involves application artifacts such as web
browsing, messaging and email traces. Some indispensable aspects of OS forensics are discussed
in subsequent sections.
What are the types of Operating systems?
The most popular types of operating systems are Windows, Linux, Mac, iOS, and Android.
Windows
Windows is a widely used OS designed by Microsoft. The file systems used by Windows include
FAT, exFAT, NTFS, and ReFS. Investigators can search out evidence by analyzing the following
important locations of Windows:
• Recycle Bin: This holds files that have been discarded by the user. When a user deletes a
file it is not erased but moved into the hidden $Recycle.Bin folder (RECYCLER on XP), where
Windows also records the file's original path, size and deletion time. This is called "soft
deletion," and recovering files and their metadata from the Recycle Bin can be a good source
of evidence.
• Registry: The Windows Registry holds a database of keys and values that give forensic
analysts useful information, for example which programs were run, which documents were
opened recently and which USB devices were connected. See the table below, which lists
registry keys and the associated files that record user activity on the system.
• Thumbs.db Files: These hold thumbnails of images (on Vista and later the per-user
thumbcache_*.db files serve the same purpose) and can show that a picture existed on the
system even after the original was deleted.
• Browser History: Every web browser generates history files that contain significant
information. Microsoft Edge (Internet Explorer on older releases) is the default web browser
on Windows; other commonly installed browsers are Opera, Mozilla Firefox, Google Chrome, and
Apple Safari.
• Print Spooling: This process occurs when a computer prints files in a Windows
environment. When a user sends a print command to the printer, the print spooler creates a
"print job" consisting of spool files (a .SPL file with the page data and a .SHD file with
job metadata such as the user name, printer and document title) that remain in the queue
until the print operation completes successfully. The printer configuration determines
whether the job is spooled in RAW mode or EMF mode. In RAW mode the print job is a straight
dump of printer-ready data, whereas in EMF mode the pages are stored in the Microsoft
Enhanced Metafile (EMF) image format. These EMF files can be indispensable evidence for
forensic purposes, since they may survive on disk after the job has printed. The path to the
spool files is:
For Windows NT and 2000: \Winnt\System32\spool\PRINTERS
For Windows XP/2003/Vista/2008/7/8/10: \Windows\System32\spool\PRINTERS
OS forensic tools detect this path automatically; there is no need to define it manually.
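The Recycle Bin metadata mentioned above (original path, size and deletion time) lives in small $I files next to the renamed $R data files. The following parser is an added example, not part of these notes: the $I record it reads is constructed inside the script, and it follows the on-disk layout Windows has used since Vista (8-byte version, 8-byte original size, 8-byte FILETIME deletion timestamp, then the original path, which is a fixed 520-byte field in version 1 and length-prefixed in version 2).

```python
"""Parse Windows Recycle Bin $I metadata files (added example, not from the notes).

Layout (little-endian):
  offset 0   u64  version (1 = Vista..8.1, 2 = Windows 10 and later)
  offset 8   u64  original file size in bytes
  offset 16  u64  deletion time as FILETIME (100 ns ticks since 1601-01-01 UTC)
  offset 24  path: v1 = 520 bytes of UTF-16LE, NUL padded
                   v2 = u32 character count (incl. NUL) followed by UTF-16LE path
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    # integer arithmetic: a float would lose precision at 1e16 microseconds
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Return version, original size, deletion time and original path of a $I file."""
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                          # fixed 520-byte path field
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:                        # length-prefixed path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(filetime), "original_path": path}


def build_dollar_i(path: str, size: int, deleted_at: datetime, version: int = 2) -> bytes:
    """Build a $I record; used here only to construct sample input."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


# Constructed samples standing in for files recovered from \$Recycle.Bin\<SID>\
SAMPLE_DELETED_AT = datetime(2024, 3, 5, 14, 22, 10, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\jdoe\Documents\plan.docx"
SAMPLE_V2 = build_dollar_i(SAMPLE_PATH, 48213, SAMPLE_DELETED_AT, version=2)
SAMPLE_V1 = build_dollar_i(SAMPLE_PATH, 48213, SAMPLE_DELETED_AT, version=1)

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        rec = parse_dollar_i(sample)
        print(rec["version"], rec["original_size"], rec["deleted_at"].isoformat(),
              rec["original_path"])
```

On a real image the examiner pairs each $I<id> with its $R<id> data file; the $I record alone already proves when the file was deleted and where it originally lived, even if the $R content was later wiped.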
A real-world scenario involving print job artifacts
A love triangle involving three Russian students led to the high-profile murder of one of
them. A female defendant stalked her former lover for a couple of months in order to kill his
new girlfriend. One day she found the right moment and drove to her ex-boyfriend's apartment,
where his new girlfriend was alone. She murdered the girl and tried not to leave any evidence
behind that could assist the investigation. However, she had used her computer extensively
while plotting the crime, a fact that later provided strong material evidence throughout her
trial. For example, she had printed directions from her home to her ex-boyfriend's apartment
three times.
The forensic examiners took her computer into custody and recovered the spool (EMF) files
from it. One of the three pages within the spool files provided substantial evidence against
the defendant: the footer at the bottom of the page contained the defendant's address and her
former lover's address, together with the date and time when the print job was performed. This
evidence later proved to be the final nail in her coffin.
Linux
Linux is an open-source, Unix-like operating system that runs on personal computers, servers,
supercomputers, mobile devices, netbooks, and laptops. Linux supports many file systems; the
most common native ones are the ext family (ext2, ext3 and ext4), alongside XFS and Btrfs. A
Linux machine recovered from a crime scene can provide empirical evidence, and forensic
investigators should analyze the following files and directories, always from a mounted
image or a read-only mount rather than on the running suspect system.
/etc (the rough Windows counterpart is the registry hive directory %SystemRoot%\System32\config)
This is the system configuration directory, holding a separate configuration file (or
subdirectory) for each application and service.
/var/log
This directory contains application logs and security logs (auth.log or secure for
authentication, syslog or messages, and wtmp/btmp for successful and failed logins). How
long they are kept depends on the logrotate configuration; the common default keeps four
weekly rotations, i.e. roughly 4-5 weeks.
/home/$USER
This directory holds user data and per-user configuration (shell history such as
.bash_history, SSH keys in .ssh, and application settings in dotfiles).
/etc/passwd
This file (not a directory) lists user accounts: name, UID, GID, home directory and login
shell. Password hashes are kept in /etc/shadow, which is readable only by root.
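To show what an examiner actually does with /etc/passwd and /var/log, here is an added Python triage script that is not part of these notes. It reads constructed sample copies of /etc/passwd and the sshd lines of /var/log/auth.log, flags risky accounts (a second UID 0 account, an empty password field, a home directory in a volatile location) and correlates repeated SSH failures with later successful logins. In a real case both inputs come from the mounted image; the file names, thresholds and sample data are assumptions for the demo.

```python
"""Triage /etc/passwd and sshd entries from /var/log/auth.log.

Added example, not from the original notes. SAMPLE_PASSWD and SAMPLE_AUTH_LOG are
constructed data; in a real case both come from the mounted forensic image.
"""
import re
from collections import Counter

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jdoe:x:1000:1000:John Doe:/home/jdoe:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
svc::1001:1001::/tmp/.svc:/bin/bash
"""

SAMPLE_AUTH_LOG = """\
Mar  5 14:20:01 host sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
Mar  5 14:20:03 host sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4322 ssh2
Mar  5 14:20:09 host sshd[815]: Failed password for root from 203.0.113.5 port 4330 ssh2
Mar  5 14:21:40 host sshd[820]: Accepted password for backup from 203.0.113.5 port 4351 ssh2
Mar  5 15:02:11 host sshd[901]: Accepted publickey for jdoe from 192.0.2.10 port 50122 ssh2
"""

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def parse_passwd(text: str) -> list:
    """Split each name:pw:uid:gid:gecos:home:shell line into a dict."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def passwd_findings(users: list) -> list:
    """Return (account, reason) pairs that deserve a closer look."""
    findings = []
    uid_owners = Counter(u["uid"] for u in users)
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "UID 0 (root-equivalent) account"))
        if uid_owners[u["uid"]] > 1:
            findings.append((u["name"], f"shares UID {u['uid']} with another account"))
        if u["pw"] == "":
            findings.append((u["name"], "empty password field: login without a password"))
        if u["home"].startswith(("/tmp", "/dev/shm")):
            findings.append((u["name"], f"home directory in volatile location {u['home']}"))
    return findings


def parse_auth_log(text: str) -> list:
    """Extract sshd authentication events; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def auth_findings(events: list, flagged_accounts: set, threshold: int = 3) -> list:
    """Flag brute-force sources and successful logins that follow them or use flagged accounts."""
    findings = []
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    for ip, n in failures.items():
        if n >= threshold:
            findings.append((ip, f"{n} failed SSH logins"))
    for e in events:
        if e["result"] != "Accepted":
            continue
        if e["ip"] in failures:
            findings.append((e["user"], f"successful login from {e['ip']} after failures"))
        if e["user"] in flagged_accounts:
            findings.append((e["user"], "successful login to an account flagged in /etc/passwd"))
    return findings


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    pw_findings = passwd_findings(users)
    flagged = {name for name, _ in pw_findings}
    for item in pw_findings + auth_findings(parse_auth_log(SAMPLE_AUTH_LOG), flagged):
        print(f"{item[0]:12s} {item[1]}")
```

On the sample data the script ties the three failures from 203.0.113.5 to the later successful login as "backup", an account that /etc/passwd shows to be a second UID 0 user; that combination is the kind of lead the examiner then chases through wtmp, shell history and the files under the account's home directory.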


Mac OS X
Mac OS X (now macOS) is a UNIX-based operating system whose XNU kernel combines a Mach 3
microkernel with a FreeBSD-derived subsystem. Its user interface is Apple's own, whereas the
underlying architecture is UNIX-like.
Mac OS X offers a convenient technique for creating a forensic duplicate. The suspect's
computer is booted into "Target Disk Mode," in which it behaves like an external drive, and
the forensic examiner images its hard disk over a FireWire or Thunderbolt cable connected to
the examination machine, ideally through a write blocker so nothing is written back to the
evidence disk. Note that a FileVault-encrypted volume still needs the user's password or
recovery key before it can be read, and Macs with Apple silicon replace Target Disk Mode with
a "Share Disk" option in macOS Recovery.
iOS
Apple iOS is the UNIX-based operating system first released in 2007. It is a universal OS for all
of Apple’s mobile devices, such as iPhone, iPod Touch, and iPad. An iOS embedded device
retrieved from a crime scene can be a rich source of empirical evidence.
Android
Android is Google's open-source platform designed for mobile devices and is the most widely
used mobile operating system in the handset industry. Android runs on a Linux-based kernel
that supports core functions such as power management, networking, and device drivers.
Android's Software Development Kit (SDK) contains a tool that is very significant for both
general and forensic purposes, the Android Debug Bridge (ADB). ADB normally uses a USB
connection between a computer and the device (it can also run over TCP/IP), but it works
only if USB debugging has been enabled on the handset and, from Android 4.2.2 onward, the
examiner's computer has been authorized on the device's screen; it is therefore not available
on a locked phone with debugging turned off.
What are the examination steps in operating system forensics?
There are five basic steps necessary for the study of Operating System forensics. These five steps
are listed below:
1. Policies and Procedure Development
2. Evidence Assessment
3. Evidence Acquisition
4. Evidence Examination
5. Documenting and Reporting
Data acquisition methods for operating system forensics
There are four data acquisition methods for operating system forensics, each usable in both
static acquisition (the system is powered off and the drive is imaged) and live acquisition
(the running system is captured, typically because it is encrypted or cannot be shut down).
These methods are:
Disk-to-image file: The forensic examiner makes one or more bit-for-bit copies of the drive
from the system under investigation into an image file. Tools used for this method include
iLookIX, X-Ways, FTK, EnCase, and ProDiscover.

Disk-to-disk copy: This works best when the disk-to-image method is not possible. Tools for
this approach include SnapCopy, EnCase, and SafeBack.
Disk-to-data file (logical acquisition): This method copies only selected files or folders
into a data file rather than the entire disk.
Sparse copy: This is the preferable method if time is limited and the disk holds a large
volume of data; it collects fragments of unallocated space in addition to the selected files.
For both Linux and Windows operating systems, write blockers (hardware devices or software
write-blocking utilities, often driven from GUI tools) must be used so that the evidence
drive can be read but never modified during acquisition. A Linux live CD offers many helpful
tools for digital forensics acquisition.

EXAMINATION STEPS
There are a number of methodologies for the forensic process, which define how forensic
examiners should gather, process, analyze, and extract data. Digital forensics investigations
commonly consist of four stages:
1. Seizure: Prior to actual examination, the digital media is seized. In criminal cases, this will
be performed by law enforcement personnel to preserve the chain of custody.
2. Acquisition: Once the assets are seized, a forensic duplicate of the data is created using
a hard drive duplicator or software imaging tool. The original drive is then returned to
secure storage to prevent tampering. The acquired image is verified with a cryptographic
hash such as SHA-1 or MD5 (SHA-256 is preferred today, since MD5 and SHA-1 are vulnerable
to collisions, and many examiners record two hashes) and is verified again throughout the
analysis to confirm the evidence is still in its original state.
3. Analysis: After the acquisition of the evidence, files are analyzed to identify evidence to
support or contradict a hypothesis. The forensic analyst usually recovers evidence material
using a number of methods (and tools), often beginning with the recovery of deleted
information. The type of data analyzed varies but will generally include email, chat logs,
images, internet history, and documents. The data can be recovered from accessible disk
space, deleted space, or the operating system cache.
4. Reporting: Once the investigation is complete, the information is collated into a report
that is accessible to non-technical individuals. It may include audit information or other
meta-documentation.
DATA ACQUISITION
The gathering and recovery of sensitive data during a digital forensic investigation is known as
data acquisition. Cybercrimes often involve the hacking or corruption of data. There are four data
acquisition techniques that can be used for both static and live acquisition in operating system
forensics. These approaches are:
• Disk-to-image file: A forensic examiner copies a drive running the relevant operating
system, once or more, into an image file. A forensic disk image is a bit-for-bit copy of the
whole drive, including unallocated and slack space, stored either as a raw (dd) image or in
a container format such as E01 that can add compression and embedded hashes. The file can be
stored on other devices, in a file system, or in the cloud, and allows all data that was on
the computer when the image was made to be examined or restored.
• Disk-to-disk copy: Sometimes it is not possible to create a bit-stream disk-to-image file
because of software or hardware errors or incompatibilities; investigators face such issues
when acquiring data from older drives. With this method certain parameters of the target
hard drive, such as its geometry, may be adjusted, but the files remain the same.
• Logical acquisition: Logical acquisition collects only the files that are specifically
related to the case under investigation. This technique is typically used when an entire
drive or network is too large to be copied.
• Sparse acquisition: Sparse acquisition is similar to logical acquisition, but investigators
also collect fragments of unallocated (deleted) data. This method is useful when it is not
necessary to inspect the entire drive.
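The disk-to-image acquisition just described and the hash verification from the examination steps above can be demonstrated together. The following Python script is an added example, not part of these notes: it images a constructed "evidence drive" file (standing in for a block device such as /dev/sdb behind a write blocker; the file name and sizes are assumptions) in fixed-size chunks while computing MD5, SHA-1 and SHA-256 on the fly, re-verifies the image against the recorded hashes, and then flips a single bit to show that every hash stops matching.

```python
"""Disk-to-image acquisition with on-the-fly hashing and re-verification.

Added example, not part of the original notes. The "evidence drive" is a temporary
file of constructed bytes standing in for a block device; in a real acquisition the
source sits behind a write blocker and is opened read-only.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024                      # 1 MiB reads keep memory flat on large drives
ALGORITHMS = ("md5", "sha1", "sha256")   # record several: MD5/SHA-1 alone are collision-prone


def acquire_image(source_path: str, image_path: str) -> dict:
    """Copy the source byte-for-byte into image_path and return hashes of what was read."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for h in hashes.values():
                h.update(chunk)
            dst.write(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_file(path: str, algorithm: str) -> str:
    """Stream a file through one hash algorithm."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path: str, recorded: dict) -> dict:
    """Recompute each recorded hash; True means the image is still pristine for that algorithm."""
    return {name: hash_file(image_path, name) == value for name, value in recorded.items()}


def acquire_and_verify(drive_contents: bytes) -> dict:
    """Full cycle on constructed data: acquire, verify, flip one bit, verify again."""
    if not drive_contents:
        raise ValueError("drive contents must not be empty")
    with tempfile.TemporaryDirectory() as workdir:
        drive = os.path.join(workdir, "evidence_drive.bin")
        image = os.path.join(workdir, "evidence.dd")
        with open(drive, "wb") as f:
            f.write(drive_contents)
        recorded = acquire_image(drive, image)
        before = verify_image(image, recorded)
        # Simulate tampering: flip the lowest bit of one byte in the middle of the image.
        offset = len(drive_contents) // 2
        with open(image, "r+b") as f:
            f.seek(offset)
            original = f.read(1)
            f.seek(offset)
            f.write(bytes([original[0] ^ 0x01]))
        after = verify_image(image, recorded)
    return {"recorded": recorded, "before_tamper": before, "after_tamper": after}


if __name__ == "__main__":
    # Constructed drive: a fake boot sector, a small text file and random filler spanning
    # several chunks so the streaming path is exercised.
    sample_drive = (b"FAKEMBR" + b"\x00" * 505 + b"note.txt: meet at 9"
                    + os.urandom(2 * CHUNK + 123))
    result = acquire_and_verify(sample_drive)
    for name in ALGORITHMS:
        print(f"{name:7s} {result['recorded'][name]}  intact={result['before_tamper'][name]}"
              f"  after_tamper={result['after_tamper'][name]}")
```

The hashes returned by acquire_image are the values to write into the chain-of-custody record; verify_image is what gets re-run before analysis and again before reporting, and a single False on any algorithm means the image can no longer be relied on.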
