Chapter 2 DF


DIGITAL FORENSICS

DR. NILAKSHI JAIN

Email ID: [email protected]

CHAPTER TWO
Introduction to Digital Forensics and Digital Evidences

2.1 Digital Forensic
2.2 Need
2.3 Rules of Digital Forensic
2.4 Types
2.5 Ethical Issues
2.6 Investigations
2.7 Digital Evidences
2.8 Rules of Digital Evidence
2.9 Characteristics
2.10 Types of Evidence
2.11 Challenges in Evidence Handling
Introduction to Digital Forensic

• Forensic science is a well-established science that plays a critical role in criminal justice systems.
• Forensic science is often referred to as forensics.
• Digital forensics is also referred to as digital forensic science, a branch of computer forensic science that covers the recovery and inspection of material found in digital devices, often in relation to a cybercrime.
• Digital forensics is a series of steps to uncover and analyze electronic data through scientific methods. The major goal of the process is to duplicate the original data and preserve the original evidence, then to perform the investigation by collecting, identifying and validating the digital information for the purpose of reconstructing past events.
Need of Digital Forensic

• The word “forensics” means “to bring to the court”.
• Network administrators and security staff of networked organizations need to practice computer forensics and should have knowledge of the relevant laws, because the rate of cyber crimes is increasing greatly.
• The major goal of computer forensics is to recognize, gather, protect and examine data in a way that protects the integrity of the collected evidence, so that it can be used efficiently and effectively in a case.
Rules of Digital Forensic

Rule 1. An examination should never be performed on the original media.
Rule 2. A copy is made onto forensically sterile media. New media should always be used if available.
Rule 3. The copy of the evidence must be an exact, bit-by-bit copy (sometimes referred to as a bit-stream copy).
Rule 4. The computer and the data on it must be protected during the acquisition of the media to ensure that the data is not modified (use a write-blocking device when possible).
Rule 5. The examination must be conducted in such a way as to prevent any modification of the evidence.
Rule 6. The chain of custody of all evidence must be clearly maintained to provide an audit log of who might have accessed the
Types of Digital Forensic

1. Computer Forensics – the identification, preservation, collection, analysis and reporting of evidence found on computers, laptops, and storage media in support of investigations and legal proceedings.
2. Network Forensics – the monitoring, capture, storing, and analysis of network activities or events in order to discover the source of security attacks, intrusions or other problem incidents, that is, worm, virus or malware attacks, abnormal network traffic and security breaches.
3. Mobile Device Forensics – the recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets, and game consoles. Mobile device forensics involves the recovery of digital evidence or data from mobile devices.
4. Digital Image Forensics – the extraction and analysis of digitally acquired photographic images to validate their authenticity by recovering the metadata of the image file to ascertain its history.
5. Digital Video/Audio Forensics – the collection, analysis, and evaluation of sound and video recordings. The science is the establishment of authenticity as to whether a recording is original and whether it has been tampered with, either maliciously or accidentally.
6. Memory Forensics – the recovery of evidence from the RAM of a running computer, also called live acquisition.
Ethical Issues

• “Ethics” is derived from the ancient Greek word ethikos, meaning “moral, showing moral character”. Ethics in the digital forensics field can be defined as a set of moral principles that regulate the use of computers; some common ethical concerns of computer forensics include intellectual property resources, privacy concerns, and the impact of computers on society.
• Ethical decision-making in digital forensics work comprises one or more of the following:
  1. Honesty toward the investigation.
  2. Prudence, meaning careful handling of the digital evidence.
  3. Compliance with the law and professional norms.
General Ethics Norms for Investigator in Digital Forensic Field

Before starting an investigation in the digital forensic field, the investigator should satisfy the following points.
1. Should contribute to society and human well-being.
2. Should avoid harm to others.
3. Should be honest and trustworthy.
4. Should be fair and take action not to discriminate.
5. Should honor property rights, including copyrights and patents.
6. Should give proper credit to intellectual property.
7. Should respect the privacy of others.
8. Should honor confidentiality.
Unethical Norms for Digital Forensic Investigation

The investigator should not:
1. Withhold any relevant evidence.
2. Disclose any confidential matters or knowledge learned in an investigation without an order from a court of competent jurisdiction or without the client’s consent.
3. Express an opinion on the guilt or innocence of any party.
4. Engage or be involved in any kind of unethical or illegal conduct.
5. Deliberately or knowingly undertake an assignment beyond his or her capability.
6. Distort or falsify education, training or credentials.
7. Display bias or prejudice in findings or observations.
8. Exceed or outpace authorization in conducting examinations.
Digital Forensic Investigations

• The terms digital investigation, DFI, forensic examination, and forensic investigation have been used to describe an investigation where a digital device forms part of the incident.
• A DFI is thus a special type of investigation where the scientific procedures and techniques used permit the results, that is, the digital proof, to be admissible in a court of law.
• The results of a DFI should have a legal basis. Digital proof cannot be read directly, and tools are employed to look at the state of the information.
• A digital forensic investigation, or DFI, is a special type of investigation where the scientific procedures and techniques used allow the results – digital evidence – to be admissible in a court of law.
Introduction to Digital Evidences

• Digital evidence is any information or data of value to an investigation that is stored on, received by, or transmitted by an electronic device.
• Evidence can be stated as any information that can be relied on or trusted and can prove something related to a case in trial, that is, indicating that a certain substance or condition is present.
Introduction to Digital Evidences

The Best Evidence Rule:
• The best evidence rule is that the original or true writing or recording must be admitted in court to prove its contents.
• We define best evidence as the most complete copy, or a copy which includes all necessary parts of the evidence, which is closely related to the original evidence.
• It states that multiple copies of electronic files may be a part of the “original” or equivalent to the “original”.

Original Evidence:
• We define original evidence as the true or real (original) copy of the evidence media which is given by a client/victim.
• We define best evidence as the most complete copy, which includes all the necessary parts of the evidence that are closely related to the original evidence.
• There should be an evidence protector who will store either the best evidence or the original evidence for every investigation in the evidence safe.
Rules of Digital Evidence

• The rules of evidence are also called the law of evidence.
• They encompass the rules and legal principles that govern all the proof of facts.
• The evidence must be:
  1. Admissible: The evidence must be usable in the court.
  2. Authentic: The evidence should be positively tied to the incident.
  3. Complete: The proof covers all perspectives.
  4. Reliable: There should be no doubt about the truth of the specialist’s conclusions.
  5. Believable: The evidence should be understandable and believable to the jury.

Rule 103: Rule of evidence
1. Preserving a claim of error.
2. No need to renew an objection or offer of proof.
3. Directing an offer of proof.
4. Taking notice of plain error.
Rules of Digital Evidence

• Evidence collection should always be performed so that it will withstand legal proceedings. Key criteria for handling such evidence are outlined as follows:
1. The proper protocol should be followed for acquisition of the evidence, irrespective of whether it is physical or digital. Gentle handling should be exercised in situations where the device may be damaged (e.g., dropped or wet).
2. Special handling may be required in some situations. For example, when the device is actively destroying data through disk formatting, it may need to be shut down immediately to preserve the evidence. On the other hand, in some situations it would not be appropriate to shut down the device, so that the digital forensics expert can examine the device’s temporary memory.
3. All artifacts, physical and/or digital, should be collected, retained, and transferred using a preserved chain of custody.
4. All materials should be date and time stamped, identifying who collected the evidence and the location it is being transported to after initial collection.
5. Proper logs should be maintained when transferring possession.
6. When storing evidence, suitable access controls should be implemented and tracked to certify that the evidence has only been accessed by authorized individuals.
Characteristics of Digital Evidence

1. Locard’s Exchange Principle:
• According to Edmond Locard’s principle, when two items make contact, there will be an interchange.
• When an incident takes place, a criminal will leave trace evidence at the scene and remove trace evidence from the scene. This alteration is known as the Locard exchange principle.

2. Digital Stream of Bits
• Cohen refers to digital evidence as a bag of bits, which in turn can be arranged in arrays to display the information.
• The information as a continuous stream of bits will rarely make sense, and tools are needed to show these structures logically so that they are readable.
Types of Evidence

There are many types of evidence, each with their own specific or unique characteristics. Some of the major types of evidence are as follows:
1. Illustrative evidence
2. Electronic evidence
3. Documented evidence
4. Explainable evidence
5. Substantial evidence
6. Testimonial evidence
Types of Evidence

1. Illustrative Evidence:
Illustrative evidence is also called demonstrative evidence. It is generally a representation of an object and is a common form of proof. Examples include photographs, videos, sound recordings, X-rays, maps, drawings, graphs, charts, simulations, sculptures, and models.

2. Electronic Evidence:
Electronic evidence is nothing but digital evidence. As we know, the use of digital evidence in trials has greatly increased. Evidence or proof that can be obtained from an electronic source is called digital evidence (viz., emails, hard drives, word-processing documents, instant message logs, ATM transactions, cell phone logs, etc.).

3. Documented Evidence:
Documented evidence is similar to demonstrative evidence. However, in documentary evidence the proof is presented in writing (viz., contracts, wills, invoices, etc.). It can include any number of media. Such documentation can be recorded and stored (viz., photographs, recordings, films, printed emails, etc.).
Types of Evidence

4. Explainable Evidence (Exculpatory):
This type of evidence is typically used in criminal cases, in which it supports the defendant, either partially or totally removing their guilt in the case. It is also referred to as exculpatory evidence.

5. Substantial Evidence:
Proof that is introduced in the form of a physical object, whether whole or in part, is referred to as substantial evidence. It is also called physical evidence. Such evidence might consist of dried blood, fingerprints, DNA samples, casts of footprints, or tire tracks at the scene of crime.

6. Testimonial Evidence:
It is a kind of evidence spoken by a witness under oath, or written evidence given under oath by an official declaration, that is, an affidavit. This is one of the most common forms of evidence in the system.
Challenges in Evidence Handling

1. Authentication of Evidence
The evidence collected by any person/investigator should be collected using authenticated methods and techniques, because during court proceedings it will become the major evidence to prove the crime. In other words, for a piece of evidence to be offered in testimony, it is necessary to have the evidence authenticated by a witness who has personal knowledge of its origin.
Challenges in Evidence Handling

2. Maintaining the chain of custody
Maintaining the chain of custody means that the evidence collected should not be accessed by any unauthorized individual and must be stored in a tamper-proof manner. For each item obtained, there must be a complete chain of custody record. Chain of custody is nothing but the requirement that you must be able to trace the location of evidence from the moment it was collected to the moment it was presented in a judicial proceeding.
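The custody record described here (who handled each item, when, what they did and where it went) as a small worked example, which also covers criteria 4 to 6 of the evidence-handling list in the previous slide (timestamps, handler identity, destination, transfer logs). This is code added for illustration, not from the slides or from any forensic tool; the evidence tag, handler names, timestamps and the item hash are constructed sample values. Each entry carries a SHA-256 link to the previous entry, so an edited, deleted or reordered entry is detected when the log is verified: the "tamper-proof" property the slide asks for, applied to the record itself and not only to the sealed item.

```python
"""Tamper-evident chain-of-custody log (illustration added to the lecture
notes, not the slides' own material). Every record states who handled an
evidence item, when, what they did and where it went, and links to the
previous record by SHA-256 so that later edits, deletions or reordering are
detectable on verification. All identifiers and timestamps are constructed."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # link value carried by the first record of a log


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the same record always
    # hashes identically regardless of dict construction order.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class CustodyLog:
    def __init__(self, item_id: str, item_hash: str):
        self.item_id = item_id      # evidence tag / seal number (constructed)
        self.item_hash = item_hash  # acquisition hash of the evidence image
        self.records: List[Dict] = []

    def add(self, handler: str, action: str, location: str,
            when: Optional[datetime] = None) -> dict:
        """Append one custody event; its digest covers the previous digest."""
        when = when or datetime.now(timezone.utc)
        prev = self.records[-1]["digest"] if self.records else GENESIS
        body = {
            "seq": len(self.records) + 1,
            "item_id": self.item_id,
            "item_hash": self.item_hash,
            "timestamp": when.isoformat(),
            "handler": handler,
            "action": action,
            "location": location,
            "prev": prev,
        }
        record = dict(body, digest=_digest(body))
        self.records.append(record)
        return record

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every digest and link. Returns (ok, first_bad_seq)."""
        prev = GENESIS
        for i, rec in enumerate(self.records, start=1):
            body = {k: v for k, v in rec.items() if k != "digest"}
            if rec["seq"] != i or body["prev"] != prev or _digest(body) != rec["digest"]:
                return False, i
            prev = rec["digest"]
        return True, None


def demo() -> Tuple[bool, bool]:
    """Build a three-step custody chain, then show that an after-the-fact edit
    of the second record is caught. Returns (intact_before, intact_after)."""
    log = CustodyLog("EV-2024-0001",  # constructed tag
                     "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")
    log.add("A. Examiner", "seized and sealed", "Scene, Room 4",
            datetime(2024, 3, 1, 9, 5, tzinfo=timezone.utc))
    log.add("A. Examiner", "transported", "Evidence safe, Lab 2",
            datetime(2024, 3, 1, 11, 40, tzinfo=timezone.utc))
    log.add("B. Analyst", "checked out for imaging", "Imaging bench 1",
            datetime(2024, 3, 2, 8, 15, tzinfo=timezone.utc))
    intact, _ = log.verify()
    log.records[1]["handler"] = "C. Unknown"  # simulate a silent edit
    still_intact, _ = log.verify()
    return intact, still_intact


if __name__ == "__main__":
    print(demo())
```

In practice the log would be written append-only to storage the examiner cannot rewrite, and the final digest noted on the physical evidence bag or in the case file, so that the record presented in court can be checked against an independently held anchor.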
Challenges in Evidence Handling

3. Evidence Validation
The challenge is to ensure that the data you have collected is the same as the data provided or presented in the court. It is very common for several years to pass between the collection of evidence and its production at a judicial proceeding. To meet the challenge of validation, it is necessary to ensure that the original media matches the forensic duplication by using MD5 hashes. The evidence for every file is nothing but the MD5 hash value that is generated for every file that contributes to the case. The verify function within the EnCase application can be used while duplicating a hard drive with EnCase. To perform a forensic duplication using dd, you must record an MD5 hash for both the original evidence media and the binary files which compose the forensic duplication.
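The validation workflow above, together with Rules 1 to 5 from section 2.3 (never examine the original, bit-stream copy, record hashes of original and duplicate), as one worked example. This is code added to the notes, not the slides' material and not EnCase or dd; dd's segmented output is imitated with plain file writes, the "evidence media" is a constructed byte string, and names such as case01.dd.001 are assumptions. MD5 is recorded because the slides use it, with SHA-256 alongside, since MD5 collisions are practical and a second algorithm costs one more pass over the same bytes.

```python
"""Forensic duplication with hash verification (illustration added to the
notes; not EnCase, dd or the slides' own code). The source is read once and
copied bit-for-bit into fixed-size segment files; MD5 and SHA-256 are recorded
for the original stream and for every segment, so that the duplicate can be
re-verified long after acquisition. The evidence here is a constructed byte
string standing in for a drive opened read-only behind a write blocker."""
import hashlib
import io
import os
import tempfile
from typing import Dict, List, Tuple

HASHES = ("md5", "sha256")  # MD5 as in the slides, SHA-256 as a stronger companion


def hash_stream(stream, chunk_size: int = 1 << 16) -> Dict[str, str]:
    """Hash a readable binary stream with every algorithm in HASHES."""
    hs = {n: hashlib.new(n) for n in HASHES}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hs.values():
            h.update(chunk)
    return {n: h.hexdigest() for n, h in hs.items()}


def image_source(src, out_dir: str, base: str, segment_size: int) -> dict:
    """Bit-stream copy of src into out_dir/<base>.001, .002, ... and return a
    manifest holding hashes of the whole original stream and of each segment."""
    os.makedirs(out_dir, exist_ok=True)
    whole = {n: hashlib.new(n) for n in HASHES}
    segments, seq = [], 1
    while True:
        data = src.read(segment_size)
        if not data:
            break
        for h in whole.values():
            h.update(data)  # hash of the original as it streams past
        name = f"{base}.{seq:03d}"
        with open(os.path.join(out_dir, name), "wb") as f:
            f.write(data)
        segments.append({"file": name, "size": len(data), **hash_stream(io.BytesIO(data))})
        seq += 1
    return {"source": {n: h.hexdigest() for n, h in whole.items()}, "segments": segments}


def verify_image(manifest: dict, out_dir: str) -> List[str]:
    """Re-hash every segment and the reassembled stream against the manifest.
    Returns a list of problems; an empty list means the duplicate validates."""
    problems: List[str] = []
    whole = {n: hashlib.new(n) for n in HASHES}
    for seg in manifest["segments"]:
        path = os.path.join(out_dir, seg["file"])
        if not os.path.exists(path):
            problems.append(f"missing segment {seg['file']}")
            continue
        with open(path, "rb") as f:
            data = f.read()
        for h in whole.values():
            h.update(data)
        digests = hash_stream(io.BytesIO(data))
        for n in HASHES:
            if digests[n] != seg[n]:
                problems.append(f"{seg['file']}: {n} mismatch")
    for n in HASHES:
        if whole[n].hexdigest() != manifest["source"][n]:
            problems.append(f"reassembled image: {n} does not match original")
    return problems


def demo() -> Tuple[bool, int, List[str], List[str]]:
    """Image a constructed source, validate it, corrupt one byte of the second
    segment (bit rot or tampering) and validate again."""
    source = (b"EVIDENCE" * 12800) + b"\x00" * 1024  # constructed 103,424-byte "media"
    with tempfile.TemporaryDirectory() as out_dir:
        manifest = image_source(io.BytesIO(source), out_dir, "case01.dd", segment_size=32 * 1024)
        original = hash_stream(io.BytesIO(source))  # independent hash of the original
        matches_original = original == manifest["source"]
        clean = verify_image(manifest, out_dir)
        path = os.path.join(out_dir, manifest["segments"][1]["file"])
        with open(path, "r+b") as f:
            f.seek(10)
            b = f.read(1)
            f.seek(10)
            f.write(bytes([b[0] ^ 0x01]))  # flip one bit
        dirty = verify_image(manifest, out_dir)
    return matches_original, len(manifest["segments"]), clean, dirty


if __name__ == "__main__":
    print(demo())
```

The manifest is what gets recorded with the case: the original's hashes, taken at acquisition, plus one line per segment. Re-running `verify_image` at trial answers the validation question directly, and a per-segment mismatch also tells you which file of the duplicate changed.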
Thank you