Lect 3 Digital Forensics
Case Scenario
Alex is a computer forensics investigator and has been hired to investigate a data theft case in an
organization. The general manager of the organization believes that some of the employees are
involved in illegal activities, including a network breach and the transfer of confidential data,
which is against organizational policy. Alex performed his investigation, collected the
evidence and then submitted his final report. According to the report, two employees were
found responsible for the data theft. Based on this report, a case has been lodged against them.
In the scenario above, the organization was the client, Alex was the service provider and
the service being provided is called computer forensics and digital investigation services.
In the last few years, we have witnessed an increase in crimes that involve computers. As a result,
computer forensics and digital investigation have emerged as the proper channel to identify, collect,
examine, analyze and report on computer crimes.
The scope of computer forensics is not limited to investigating crimes. Apart from this,
computer forensics can be used for:
• Data recovery
• Log monitoring
• Data acquisition (from the retired or damaged devices)
• Fulfill the compliance needs
Identification
The first process of computer forensics is to identify the scenario, that is, to understand the case. At this
stage, the investigator has to identify the purpose of the investigation, the type of incident, the parties
involved in the incident, and the resources required to fulfill the needs of the case.
Collection
Collection (together with the chain of custody) is one of the most important steps, because your entire case is based on
the evidence collected from the crime scene. Collection is the process of acquiring data from the
relevant data sources while maintaining the integrity of that data. Timely execution of the collection
process is crucial in order to maintain the confidentiality and integrity of the data; important
evidence may be lost if you do not act as required.
Examination
The aim of the third process is to examine the collected data, following standard procedures,
techniques, tools and methodology, to extract meaningful information related to the case.
Analysis
Since all five processes are linked together, analysis is the procedure of analyzing the data
obtained from the examination process. At this stage, the investigator searches for possible evidence
against the suspect, if any, using tools and techniques to analyze the data. The techniques and tools
should be legally justifiable, because that helps you create and present your report in front of the
court.
Reporting
This is the final, but the most important, step. At this step, an investigator needs to document the
process used to collect, examine and analyze the data. The investigation report also includes
documentation of how the tools and procedures were selected. The objective of this step is to
report and present the findings, supported by evidence.
Every step mentioned above can be further divided into many parts, and every part has its own
standard operating procedures; we will look into them in detail in the coming chapters.
First Responder
The first responder, and the function of the first responder, is crucial for computer forensics and
investigation. The first responder is the first person notified of, and the first to take action on, the security incident.
The first responder toolkit will be discussed in the upcoming chapters, but at this stage, I will
discuss the roles and responsibilities of the first responder.
The first responder is a role that could be assigned to anyone, including IT security engineers,
network administrators and others. The person responsible for acting as first responder should
have the knowledge, skills and toolkit of a first responder.
The first responder should be ready to handle any situation, and his or her actions should be planned and
well documented. Some core responsibilities are as follows:
First responders or incident handlers should have first-hand experience of information security and of
different operating systems and their architectures.
Matthew Braid, in his AusCERT paper, ‘Collecting Electronic Evidence after a System
Compromise’ has provided the rules of computer forensics:
4. Create Document
Document any changes that occur in the evidence. An investigator should document the
reason, result and nature of every change to the evidence. For example, restarting a machine
may change its temporary files; note that down.
5. Get written permission and follow the local security policy
Before starting an investigation, make sure you have written permission with
instructions on the scope of your investigation. This is very important because during the
investigation you will need to access or copy sensitive data; without written
permission you may find yourself in trouble for breaching the IT security
policy.
6. Be ready to testify
Since you are collecting the evidence, you should be ready to testify about it in court;
otherwise the collected evidence may become inadmissible.
Digital Evidence
Digital devices are not limited to computers, mobile phones and the internet; every electronic
device with processing and storage capability can be used in a crime. For example, an mp3 player can
be used to transfer an encoded message, and electronic appliances might be used as storage for
illegal documents.
The duty of the investigator or first responder is to identify and seize the digital device for further
investigation.
Digital information is expressed or represented by binary units, 1s (ones) and 0s (zeros). Digital
information is stored in electronic devices by sending instructions via software, a program or
code. In the same way, this information can be retrieved from the electronic device using a
program; this is where computer forensics software comes in.
So what is digital evidence and where are the key sources to get the evidence?
• Just like fingerprints or any other biometric evidence, digital evidence is also hidden or
latent, and requires a process to unearth it.
• Digital evidence might be destroyed or damaged. Quick response and the chain of custody are
key in computer forensics; you need to act according to the situation, otherwise important
data might be damaged (intentionally or unintentionally).
Rules of Evidence
Matthew Braid, in his AusCERT paper, ‘Collecting Electronic Evidence after a System
Compromise’, has defined the five rules of evidence:
1. Admissible
The first and most important rule is that your evidence must be usable in court as
evidence.
2. Authentic
Evidence should be authentic, and it should be related and relevant to the case; you need to prove in
front of the court that the collected evidence is authentic. Failing to do so means the failure of the
investigation.
3. Complete or Whole
The court will not accept partial evidence. You should be unbiased during your investigation, and your
evidence should not show only one perspective of the incident. As Matthew says, “it is vital to
collect evidence that eliminates alternative suspects. For instance, if you can show the attacker was
logged in at the time of the incident, you also need to show who else was logged in and demonstrate
why you think they didn’t do it. This is called Exculpatory Evidence and is an important part of
proving a case.”
4. Reliable
Reliability of the evidence is important, but the collection process is also important: it should not create
any doubt about the evidence.
5. Believable or Acceptable
The evidence presented in court should be in layman’s language, clear and easy to understand.
You should present a well-crafted version of the document, with references to the technical
document.
Chain of Custody
This term is not specific to computer forensics; any case, indeed any investigation,
has this important aspect. “Chain of custody” is the process of acquiring, securing, moving and storing the
evidence until the time it is presented in court. While seizing an electronic device, you should tag it
with the date and time of acquisition, the case number and the evidence number. This information is crucial
when building a case for the court. The evidence custodian is responsible for collecting, transferring and storing the
evidence in the forensics lab. Anyone doing this job should understand its importance and
should not waste valuable time.
A chain (a strong metal link used to connect things) of custody, as the name says, “shows how
the evidence is acquired, managed, transferred or transported during the
investigation process, who is involved in the process, what their responsibilities are, for how
long they store the evidence and how they transfer it to someone else.” This important
process tells the story of the evidence; if it is not done carefully, the opposing attorney can challenge
the presented evidence and even have it dismissed.
In order to justify the chain of custody, you need to provide evidence of it. You must show
that you maintained and documented the chain of custody during the investigation process,
and that neither you nor anyone else damaged or altered the evidence, whether intentionally or unintentionally.
The “chain of custody form” is the tool used to keep a record of every important aspect; here is a
sample chain-of-custody form:
Computer forensics organizations should have guidelines and processes that support
the admissibility of evidence in legal actions, including information on how the evidence has
been acquired and handled, preserving the integrity of tools and equipment, maintaining the chain
of custody, and storing evidence appropriately. The court might dismiss the case if you fail to
maintain a proper chain of custody, because the evidence can then be challenged on the basis of every
rule of evidence discussed earlier:
• Admissibility: How will you prove that what you are presenting is evidence? Without a
document to support your argument, you cannot.
• Authentic: If there is no chain of custody, you will fail to prove that the presented evidence
is authentic and was gathered from the crime scene.
• Complete or whole: Again, you need a document to prove it.
• Reliable: Who is going to believe that you or anyone else has not altered or modified the
evidence? You need a signed document and people who can testify.
• Believable: The fifth rule is already void if you fail to maintain the other four.
This is why the chain of custody is so important: the entire case is based on the evidence,
and the evidence is based on the chain-of-custody process.
You should be ready to testify about the steps taken while handling the evidence: who did what with the
evidence, and why?
You should bring the chain-of-custody form to court to justify your words. Technology has
made our life very easy; with cloud computing you can store a soft copy of the evidence in the
cloud to reduce the physical transfer of the evidence. You will then have a strong point to present in
court: that the real evidence was uploaded to the cloud at the very place it was acquired, to avoid that risk.
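As an added illustration, not part of the lecture, here is a tamper-evident chain-of-custody record in Python: every handover re-hashes the evidence and links to the previous entry, so the record can show who had the item, when, and that nobody altered either the evidence or the form itself. The evidence bytes, case number and item number are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a seized disk image (not real evidence).
EVIDENCE = b"constructed disk image bytes for the example"

def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence, recorded at seizure and re-checked at each handover."""
    return hashlib.sha256(data).hexdigest()

def add_transfer(chain, case_id, item_id, frm, to, data, reason):
    """Append one custody entry. Each entry re-hashes the evidence and links to
    the previous entry, so a removed or edited record is detectable later."""
    prev = chain[-1]["entry_hash"] if chain else "0" * 64
    entry = {
        "case_id": case_id, "item_id": item_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "from": frm, "to": to, "reason": reason,
        "evidence_sha256": fingerprint(data), "prev_entry_hash": prev,
    }
    entry["entry_hash"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    chain.append(entry)
    return entry

def verify_chain(chain, current_data):
    """Return the list of problems found; an empty list means the record is
    intact and the evidence presented matches the seizure hash."""
    problems, expected_prev = [], "0" * 64
    for i, e in enumerate(chain):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        recomputed = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev_entry_hash"] != expected_prev:
            problems.append(f"entry {i}: link to previous record broken")
        if recomputed != e["entry_hash"]:
            problems.append(f"entry {i}: record edited after it was written")
        if e["evidence_sha256"] != chain[0]["evidence_sha256"]:
            problems.append(f"entry {i}: evidence hash differs from seizure hash")
        expected_prev = e["entry_hash"]
    if not chain or fingerprint(current_data) != chain[0]["evidence_sha256"]:
        problems.append("evidence presented does not match the seizure hash")
    return problems

if __name__ == "__main__":
    log = []
    add_transfer(log, "CASE-0001", "HDD-01", "first responder",
                 "evidence custodian", EVIDENCE, "seized at scene")
    print(verify_chain(log, EVIDENCE))  # [] when everything checks out
```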
Sources of Evidence
So what are the key sources of evidence, or how does a computer forensics investigator get the evidence?
Evidence could be anything and could be everywhere. In one case, you need to get evidence
from an mp3 player; in another, evidence has to be retrieved from an iPhone. The sources are
not limited, and they depend on the nature of the case you are working on. Highly technical skills and
expertise are required to examine and acquire evidence from these sources. This is why this
mini course has been designed. We look into the structure of many hardware devices as well as the
file formats of many operating systems. Apart from real (tangible) evidence, sometimes you need to
investigate human testimony, so social engineering or human skills are also required to
interview people and obtain valuable information.
While investigating or acquiring evidence, you need to maintain the integrity and confidentiality of
the data. This is very important, as you might otherwise damage or destroy the evidence, which you must not
do.
As a rule, an investigator looks for evidence in every electronic device directly or indirectly related
to the crime scene.
These are a few sources from which evidence might be collected:
1. Hard drive
2. Firewall logs
3. System logs
4. Social networking websites
5. Websites that were visited
6. Email
7. GPS devices
8. Security cameras
9. Networking equipment
10. PDA (personal digital assistant)
11. Chat room or chat server
There are many more sources; think about the Internet of Things.
• Identification
There is a difference between data, information and evidence; you should have a clear idea of this and
be able to distinguish between data and evidence. You need to extract evidence from the data, so
identify the possible sources from which you can extract the evidence.
• Analysis
Assign qualified people to analyze the collected evidence to find the cause-and-effect relationship.
presented in front of non-technical personnel, with every step linked to the technical document for
reference; the presentation is very important for sharing your work, otherwise it has no value.
Volatile Evidence
Under the heading of volatile evidence, we will discuss the process and methodology for collecting
volatile evidence. First, we should look at what volatile data is and what its
characteristics are.
Usually, computer forensics deals with the procedures and techniques to identify, collect, examine,
analyze and report on the data available in the storage of an electronic device. However, a smart
investigator always tries to collect information about the current state of the device, and the job of the
first responder is crucial here. Usually they take the device into custody and shut it down to
move it to the forensics lab. In the forensics lab, the persistent, or stored, data is collected
from the suspect storage device. However, rebooting or shutting down is the major cause of data loss,
especially of volatile data. In order to collect volatile data, the first responder needs a running
system.
The first responder has to create their own toolkit to gather volatile data. In recent years, we
have seen rapid development of forensic tools; for example, we have EnCase, NTI's law
enforcement suite and FTK. However, almost all of these tools focus on collecting persistent data.
Many open source tools are available that can be part of the first responder toolkit, and
some open source tools have been created exclusively to gather this data, but most of them do
not get the complete set of volatile data. It is highly recommended that a first responder assembles their own
set of tools. They should also learn the commands to gather volatile data manually.
Now that you understand the concept of volatile data, here are the main categories of volatile data for reference:
• Arp Cache
• Process Table
• Kernel Statistics and Modules
• Main Memory
• Temporary File Systems
• Secondary Memory
• Router Configuration
• Network Topology
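An added example, not from the lecture, of the manual collection the paragraph above recommends: a Python collector that runs one command per category in the order listed (most volatile first), records each output with a timestamp and a SHA-256 hash, and notes failures instead of aborting. It assumes a Linux host with ip, ps, cat and findmnt on the PATH; main memory and router configuration need their own tools and are left out.

```python
import hashlib
import json
import subprocess
from datetime import datetime, timezone

# Commands in the page's order (most volatile first). Assumed Linux host with
# ip, ps, cat and findmnt on PATH. Main memory needs a dedicated imaging tool
# and router configuration needs the router itself; neither is captured here.
VOLATILE_COMMANDS = [
    ("arp_cache", ["ip", "neigh", "show"]),
    ("process_table", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("kernel_modules", ["cat", "/proc/modules"]),
    ("temp_filesystems", ["findmnt", "-t", "tmpfs"]),
    ("network_topology", ["ip", "route", "show"]),
]

def run_one(name, argv):
    """Run one acquisition command without ever raising: a missing tool is
    recorded as a failure so the remaining items are still collected. Output
    is hashed at capture time so the record can be tied to the custody form."""
    record = {"name": name, "argv": argv,
              "collected_at": datetime.now(timezone.utc).isoformat()}
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=30)
        record["exit_code"] = proc.returncode
        record["output"] = proc.stdout.decode(errors="replace")
        record["stderr"] = proc.stderr.decode(errors="replace")
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        record["exit_code"] = None
        record["output"] = ""
        record["error"] = repr(exc)
    record["output_sha256"] = hashlib.sha256(
        record["output"].encode()).hexdigest()
    return record

def collect_volatile(commands=VOLATILE_COMMANDS):
    """Run the commands in order; return all records and the names that failed."""
    records = [run_one(name, argv) for name, argv in commands]
    failed = [r["name"] for r in records if r["exit_code"] != 0]
    return records, failed

def report_digest(records):
    """Serialize the report; its SHA-256 is what goes on the custody form."""
    blob = json.dumps(records, indent=2, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest(), blob

if __name__ == "__main__":
    recs, failed = collect_volatile()
    print("report sha256:", report_digest(recs)[0], "failed:", failed)
```

Write the serialized report to removable media and copy its digest onto the chain-of-custody form before the system is touched further.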
System Profiling
An investigator has to obtain a profile of the system. It is the job of the network administrator to
maintain a profile of every system; however, the system profile can also be created at run time.
Typically, the following information should be collected to compile the system profile: