
Digital Forensics

Module 1: Computer Forensics and Investigation

Dr. Nagaraj & Prof Seshu Babu Pulagara, VIT Chennai
What is digital forensics?

• There is no standard definition
• Digital forensics is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime
• ISO standards for digital forensics are available


An acceptable definition

• According to Nelson et al., digital forensics is “the application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.”

Laws

• Laws vary according to jurisdiction. Laws may differ from one state to another within a country. This applies to digital forensics as well.
• In the US, the Fourth Amendment to the US Constitution protects an individual’s right to be secure from search and seizure.
• When computers first came into existence there were not many digital crimes; these days, however, they have become rampant.

Digital forensics vs. data recovery

• Digital forensics is not the same as data recovery. Why?
• Data recovery is used for retrieving data that was accidentally deleted, or perhaps lost during a power outage or system crash
• Digital forensics, by contrast, is used for obtaining evidence to resolve digital crimes

For digital forensics

• We have to inspect digital devices
• We need to collect data in a secure manner
• We should inspect suspected data and determine its origin, its destination, etc.
• We have to present digital evidence in courts

Exercises

• Study the history and origins of digital forensics
• Look at commercial and open source tools for digital forensics. Study their merits and demerits
• Discover the origins of laws related to digital forensics

Relevance of law

• Why should those dealing with digital forensics be concerned with laws?
• Digital forensics experts, especially examiners, must be familiar with recent court judgments on search and seizure in the digital domain
• Often, laws do not keep pace with technological changes
• When legislative acts don’t exist, a system of jurisprudence based on judicial precedents rather than statutory laws is used


Case study - A computer worm

• https://en.wikipedia.org/wiki/ILOVEYOU
• The outbreak was later estimated to have caused US$5.5–8.7 billion in damages worldwide, and estimated to cost US$15 billion to remove the worm.
• Since there were no laws in the origin country against writing malware at that time, the perpetrators were released with all charges against them dropped by state prosecutors


Case study - ATM theft

• https://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html

Digital forensics professionals

• Must constantly update themselves
• Must be in touch with other experts and know the latest developments
• Must seek the help of other experts when needed
• Must obtain relevant certifications


Two main types of investigation

• Public sector, involving government agencies and organizations. Cases include heinous acts against the general public, law and order issues, etc. Usually involves criminal cases.
• Private sector, involving private organizations. Disputes typically include violations of company policy, litigation between companies, etc. Usually involves civil cases.


Public sector investigations

• Public sector investigations necessitate an understanding of laws related to digital crimes.
• National laws such as the US Fourth Amendment restrict search and seizure without warrants.
• The US Fourth Amendment prohibits unreasonable searches and seizures. In addition, it sets requirements for issuing warrants.


Public sector cases

• Those dealing with public sector cases must understand the normal legal procedures
• They should be familiar with the guidelines on search and seizure of digital evidence
• They should know that laws vary from one state to another and from one country to another


Legal processes for criminal cases

• Complaint to the police by a witness or victim, citing evidence if available
• Police record the complaint, often interviewing the person who brings an action in a court of law. Such a person is called a plaintiff or complainant
• Police maintain a report about the crime
• Police use a blotter for this. This is the daily written record of events in a police station.


Digital evidence

• For digital crimes, it is necessary to secure digital evidence. So Digital Evidence First Responders and Digital Evidence Specialists become important.
• The digital evidence first responder is usually the first person to encounter a crime scene.
• The first responder is responsible for determining the scope of the crime and the extent of the crime scene. He/she must secure the crime scene and preserve the digital evidence.

Guidelines for digital evidence first responders

• There are many guidelines for digital evidence first responders, e.g.:
https://www.iacpcybercenter.org/wp-content/uploads/2015/04/digitalevidence-booklet-051215.pdf
https://resources.sei.cmu.edu/asset_files/Handbook/2005_002_001_14429.pdf
https://www.ncjrs.gov/pdffiles1/nij/219941.pdf


Digital Evidence Specialist

• Digital evidence specialists respond to IT system intrusions; find the source of unauthorized and possibly illegal network intrusions; and preserve and prepare evidence of unlawful cyber activity for presentation, possibly in a court of law


What is digital evidence?

• According to E. Casey, “Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial.”


SWGDE

• The Scientific Working Group on Digital Evidence (SWGDE) brings together organizations actively engaged in the field of digital and multimedia evidence to foster communication and cooperation as well as to ensure quality and consistency within the forensic community.
• https://www.swgde.org/home

Private sector investigations

• Examples of crimes occurring in the private sector include e-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage
• Private sector investigations usually involve private companies and lawyers who deal with company policy violations and litigation disputes


Policies

• Private sector companies should publish acceptable use policies for their resources such as computers, networks, servers, printers, etc.
• They should have a well-defined “line of authority”, i.e. who in the company has the legal right to initiate an investigation, who can take ownership of digital evidence, and who can have access to such evidence


Warning employees

• Employees have to be informed that the company has the right to inspect computer systems and networks for misuse. However, companies have to be careful not to encroach on the privacy of their employees.


Warning employees

• Employers need to be careful not to take things too far in their quest for evidence to confirm a hunch of employee misconduct
• Warning banners can be displayed to indicate that unauthorized users of systems or networks will be subject to legal proceedings


• Investigators have to look for digital evidence to support accusations of violations of a company’s regulations or an attack on its assets
• Common abuses by employees include e-mail abuse, Internet abuse, and abuse of resources such as printers, scanners, etc.
• Bring Your Own Device rules can complicate issues


Exercise

• Do employees have a right to privacy at work?
• How do businesses observe privacy in the workplace?
• What laws protect employee privacy?
• What are the privacy concerns over employer access to employee social media?

Investigators must always maintain professional conduct

• Morals
• Ethics
• Objectivity
• Credibility
• Confidentiality
• Competence
• All these must be observed at all times

Readying for a digital forensic investigation

• Collect evidence
• The purpose of collecting evidence is to prove that a suspect committed a crime or violated a company policy, as the case may be, depending on whether it is a criminal case or a civil case
• Preserve the evidence
• Maintain the chain of custody


Chain of custody

• Chain of custody, in legal contexts, is the chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence.
• What is the importance of the chain of custody?
• What happens when the chain of custody is broken?
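The two slides above (readying an investigation: collect, preserve, maintain the chain of custody; and the chain-of-custody definition) describe a record-keeping discipline that is easy to show in code. The following is an added example, not code from the lecture or from Nelson et al.: a minimal custody log for one evidence item in which every hand-off records who released it, who received it, when, and the SHA-256 digest of the evidence at that moment (the “validation with mathematics” from the Nelson definition). The verifier then answers the slide's last question concretely: a break shows up either as an undocumented custodian (the releasing party is not the previous recipient) or as a digest that no longer matches the acquisition hash. The evidence bytes, names, item ids and timestamps are all constructed for the example.

```python
"""Chain-of-custody log with cryptographic integrity checks (added example).

Every custody event stores the receiving handler, the releasing handler,
an ISO-8601 UTC timestamp and the SHA-256 digest of the evidence at that
moment, so a reviewer can later confirm that hand-offs form an unbroken
sequence and that the evidence never changed after acquisition.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for an acquired disk image (not real evidence).
SAMPLE_IMAGE = b"\x00" * 512 + b"SAMPLE-EVIDENCE-IMAGE" + b"\xff" * 512


def sha256_hex(data: bytes) -> str:
    """Acquisition hash used to prove the evidence is unchanged."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    action: str                        # collected / transferred / analysed / stored
    handler: str                       # person (or locker) taking custody
    timestamp: str                     # ISO-8601 UTC, constructed in the demo
    digest: str                        # SHA-256 of the evidence at hand-over
    released_by: Optional[str] = None  # previous custodian; None at collection


@dataclass
class CustodyRecord:
    item_id: str
    acquisition_digest: str
    events: List[CustodyEvent] = field(default_factory=list)


def new_record(item_id: str, evidence: bytes, collector: str, when: str) -> CustodyRecord:
    """Open the record at the scene; the first event has no releasing party."""
    digest = sha256_hex(evidence)
    rec = CustodyRecord(item_id=item_id, acquisition_digest=digest)
    rec.events.append(CustodyEvent("collected", collector, when, digest))
    return rec


def hand_over(rec: CustodyRecord, from_handler: str, to_handler: str,
              evidence: bytes, when: str, action: str = "transferred") -> None:
    """Log a transfer and re-hash the evidence so tampering in transit is visible."""
    rec.events.append(CustodyEvent(action, to_handler, when, sha256_hex(evidence),
                                   released_by=from_handler))


def verify_chain(rec: CustodyRecord, evidence_now: bytes) -> List[str]:
    """Return the list of problems found; an empty list means the chain is intact."""
    problems: List[str] = []
    if not rec.events:
        return ["no custody events recorded"]
    first = rec.events[0]
    if first.action != "collected" or first.released_by is not None:
        problems.append("first event must be the collection")
    for i, ev in enumerate(rec.events):
        if ev.digest != rec.acquisition_digest:
            problems.append(f"event {i} ({ev.action} by {ev.handler}): "
                            "hash differs from acquisition hash")
        if i > 0:
            prev = rec.events[i - 1]
            if ev.released_by != prev.handler:
                problems.append(f"event {i}: released by {ev.released_by!r} "
                                f"but previous custodian was {prev.handler!r}")
            if ev.timestamp < prev.timestamp:  # same ISO format, so string order works
                problems.append(f"event {i}: timestamp precedes previous event")
    if sha256_hex(evidence_now) != rec.acquisition_digest:
        problems.append("evidence presented for verification does not match acquisition hash")
    return problems


def demo_intact() -> List[str]:
    """A properly documented chain: collector -> examiner -> evidence locker."""
    rec = new_record("EV-001", SAMPLE_IMAGE, "Officer A", "2024-01-10T09:00:00+00:00")
    hand_over(rec, "Officer A", "Examiner B", SAMPLE_IMAGE, "2024-01-10T11:30:00+00:00")
    hand_over(rec, "Examiner B", "Evidence locker", SAMPLE_IMAGE,
              "2024-01-11T17:00:00+00:00", action="stored")
    return verify_chain(rec, SAMPLE_IMAGE)


def demo_broken() -> List[str]:
    """Two breaks at once: an undocumented custodian and a modified image."""
    rec = new_record("EV-002", SAMPLE_IMAGE, "Officer A", "2024-01-10T09:00:00+00:00")
    altered = SAMPLE_IMAGE[:-1] + b"\x00"   # one byte changed in transit
    # Officer C never signed for the item, yet releases it to the examiner.
    hand_over(rec, "Officer C", "Examiner B", altered, "2024-01-10T11:30:00+00:00")
    return verify_chain(rec, altered)


if __name__ == "__main__":
    print("intact chain problems:", demo_intact())
    for p in demo_broken():
        print("broken chain:", p)
```

Run as a script it prints an empty problem list for the intact chain and three findings for the broken one: the hand-over digest differs from the acquisition hash, the releasing custodian was never a recipient, and the item presented for verification no longer matches the acquisition hash. In practice the same record would also carry the case number, the physical evidence-bag seal identifiers and the signature of each party, which this example omits.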


Exercise

• Name various sources of digital evidence
• What are computer crimes? Give distinct examples.
• Give examples of company policy violations.
• Describe a systematic approach for dealing with a digital forensics case.
• How do you plan for an investigation? What are the steps to be followed?

How to secure evidence?

• Use evidence bags
• Use antistatic bags
• Use evidence tape
• Maintain temperature and humidity ranges
• Transport safely
• Use a secure evidence container


Exercise – Outline detailed steps

• How will you deal with e-mail abuse cases?
• How will you deal with Internet abuse cases?
• How will you deal with industrial espionage cases?


References

• Bill Nelson, Amelia Phillips, Christopher Steuart, “Guide to Computer Forensics and Investigations”, Fifth Edition, 2015
• Wikipedia
