Module 5 - Final

This document provides an overview of Module 5 which covers the topics of computer forensics. It discusses the need for computer forensics due to increasing computer usage and digital evidence. Computer forensics aims to examine digital devices and media to identify, preserve, recover, analyze and present digital evidence. It examines both computer systems and networks to find various types of digital evidence that may be in files, memory, file systems or unused space. Computer forensics is important for investigating cybercrimes and requires proper handling of digital evidence.

Uploaded by chethan140205

Module 5

Understanding Computer Forensics


TOPICS
1. Introduction
2. Historical Background of Cyber Forensics
3. Digital Forensics Science
4. Need for Computer Forensics
5. Cyber Forensics and Digital Evidence
6. Digital Forensic Life Cycle
7. Chain of Custody Concepts
8. Network Forensics
Learning Objectives
• Understand the fundamental concepts in cyber forensics.
• Understand the meaning of the term "cyber forensics" and the need for cyber forensics.
• Learn what "digital evidence" means along with the base term "forensics science".
• Get an overview of the cardinal rules of computer forensics.
• Learn how cyber forensics is used in cybercrime investigations.
• Understand the legal requirements for cyber forensics and the compliance aspects of cyber forensics.
Learning Objectives
• Get an overview of the role of forensics experts.
• Understand the "data privacy issues" involved in cyber forensics.
• Learn about forensic auditing.
• Learn about the cyber forensic tools available in the market.
• Understand the challenges faced in cyber forensics.

Introduction
• Computer forensics (also known as computer forensic science) is a branch of digital forensic science pertaining to evidence found in computers and digital storage media.
• The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
Cyber Forensics
• Provides digital evidence of a specific or general activity.
• Plays a key role in the investigation of cybercrime.
• "Evidence" in the case of "cyber offenses".
• Handling of the digital forensics evidence.
• The computer is either the subject or the object of the cybercrime, or is used as a tool to commit a cybercrime.
History
• The Florida Computer Crimes Act was the first computer crime law to address computer fraud and intrusion.
• The application of computers to investigating computer-based crime has led to the development of a new field called computer forensics.
• Sometimes, computer forensics is also referred to as "digital forensics".
• "Forensics evidence" is important in the investigation of cybercrimes.
History
• Computer forensics deals with proving that unauthorized access has taken place, while computer security deals with preventing unauthorized access.
• Typical types of data requested for a digital forensics examination by law enforcement agencies include:
  - Investigating email
  - Website history
  - Cell phone usage
  - VOIP usage
  - File access history
  - File creation or deletion
  - Chat history
  - Account login/logout records
History
• Computer forensics is primarily concerned with the systematic "identification", "acquisition", "preservation" and "analysis" of digital evidence, typically after an unauthorized access to a computer or unauthorized use of a computer has taken place.
• The main focus of "computer security" is the prevention of unauthorized access to computer systems as well as maintaining the "confidentiality", "integrity" and "availability" of computer systems.
History
There are two categories of computer crime:
• one is criminal activity that involves using a computer to commit a crime;
• the other is criminal activity that has a computer as its target.
Forensics means a "characteristic of evidence" that satisfies its suitability for admission as fact and its ability to persuade based upon proof (or a high statistical confidence level).
Computer Forensics (or Digital Forensics)
The use of scientifically derived and proven methods
toward the preservation, collection, validation,
identification, analysis, interpretation, documentation
and presentation of digital evidence derived from
digital sources for the purpose of facilitating or
furthering the reconstruction of events found to be
criminal, or helping to anticipate unauthorized actions
shown to be disruptive to planned operations.
Computer Forensics (or Digital Forensics)
Digital evidence is required
A fast growing profession as well as business
Computer security and computer forensics are
different from each other.
“Goal of digital forensics is to determine the
“evidential value” of crime scene and related
evidence.”
Digital Forensics Science
Digital forensics is the application of analysis techniques to the reliable and unbiased collection, analysis, interpretation and presentation of digital evidence.
Computer forensics is generally considered to be related to the use of analytical and investigative techniques to identify, collect, examine and preserve evidence/information which is magnetically stored or encoded.
The objective of "cyber forensics" is to provide digital evidence of a specific or general activity.
1. Computer Forensics
The lawful and ethical seizure, acquisition, analysis, reporting and safeguarding of data and metadata derived from digital devices which may contain information that is notable and perhaps of evidentiary value to the trier of fact in managerial, administrative, civil and criminal investigations.
In other words, it is the collection of techniques and tools used to find evidence in a computer.
2. Digital Forensics
It is the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.
The role of digital forensics is to:
1. Uncover and document evidence and leads.
2. Corroborate evidence discovered in other ways.
3. Assist in showing a pattern of events (data mining has an application here).
4. Connect attack and victim computers (Locard's Exchange Principle).
5. Reveal an end-to-end path of events leading to a compromise attempt, successful or not.
6. Extract data that may be hidden, deleted or otherwise not directly available.
The typical scenarios involved are:
1. Employee Internet abuse;
2. Data leak/data breach: unauthorized disclosure of corporate information and data (accidental and intentional);
3. Industrial espionage (corporate "spying" activities);
4. Damage assessment (following an incident);
5. Criminal fraud and deception cases;
6. Criminal cases (many criminals simply store information on computers, intentionally or unwittingly) and countless others;
7. Copyright violation.
Using digital forensics techniques, one can:
1. Corroborate and clarify evidence otherwise discovered.
2. Generate investigative leads for follow-up and verification in other ways.
3. Provide help to verify an intrusion hypothesis.
4. Eliminate incorrect assumptions.

Need for Computer Forensics
• Convergence of ICT advances and the pervasive use of computers worldwide.
• High technical capacity of modern computers/computing devices.
• New risks for computer users.

Widespread use of computer forensics is the result of:
• Increasing dependence of law enforcement on digital evidence.
• Ubiquity of computers that followed from the microcomputer revolution.
Need for Computer Forensics
Evidence
• Everything that is used to determine or demonstrate the truth of
an assertion.
• Can be used in court to convict people who are believed to
have committed crimes.
• Handle carefully.
Need for Computer Forensics
• The media on which clues related to cybercrime reside vary from case to case.
• There are many challenges for the forensics investigator because storage devices are getting miniaturized due to advances in electronic technology.
• For example, external storage devices such as mini hard disks (pen drives) are available in amazing shapes, as shown in Fig. 7.2.
[Fig. 7.2: Storage devices]
• Fungibility means the extent to which the components of an operation or product can be interchanged with similar components without decreasing the value of the operation or product.
• Chain of custody means the chronological documentation trail, etc. that indicates the seizure, custody, control, transfer, analysis and disposition of evidence, physical or electronic.
• Chain of custody is also used in most evidence situations to maintain the integrity of the evidence by providing documentation of the control, transfer and analysis of evidence.
Cyber Forensics and Digital Evidence
Cyber forensics can be divided into two domains:
1. Computer Forensics
2. Network Forensics

• Computer forensics experts know the techniques to retrieve data from files listed in a standard directory search, hidden files, deleted files, deleted E-Mail and passwords, login IDs, encrypted files, hidden partitions, etc.
• Typically, the evidence resides on computer systems, user-created files, user-protected files, computer-created files and on computer networks.
Computer systems have the following:
1. Logical file system that consists of:
   - File system: It includes files, volumes, directories and folders, file allocation tables (FAT) as in older versions of the Windows Operating System, clusters, partitions and sectors.
   - Random access memory.
   - Physical storage media: Magnetic force microscopy can be used to recover data from overwritten areas.
   - Slack space: Space allocated to a file but not actually used, due to internal fragmentation.
   - Unallocated space.
2. User-created files: Address books, audio/video files, calendars, database files, spreadsheets, E-Mails, Internet bookmarks, documents and text files.
3. Computer-created files: Backups, cookies, configuration files, history files, log files, swap files, system files, temporary files, etc.
4. Computer networks: The Application Layer, the Transport Layer, the Network Layer and the Data Link Layer.
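The slack-space and unallocated-space points above are easiest to see on a toy disk. The following Python model is an added example written for this page, not code from the module's author: it keeps a flat byte array divided into fixed-size clusters plus a simple allocation table standing in for a FAT. Deleting a file only clears the allocation entries, so the bytes stay recoverable by header/footer carving over unallocated clusters, and a shorter file written into a reused cluster leaves the old bytes in its slack. The cluster size, file names and contents are constructed sample values.

```python
CLUSTER = 512  # assumed cluster size for this toy disk (constructed value)


class ToyDisk:
    """Minimal cluster-based disk: a byte array plus an allocation table.

    This is a constructed teaching model, not a real file system driver.
    """

    def __init__(self, clusters: int):
        self.data = bytearray(clusters * CLUSTER)
        self.allocated = [False] * clusters   # stand-in for a FAT
        self.files = {}                       # name -> (first_cluster, size)

    def write_file(self, name: str, content: bytes) -> None:
        needed = (len(content) + CLUSTER - 1) // CLUSTER
        start, run = None, 0
        for i, used in enumerate(self.allocated):   # first-fit search for a free run
            run = 0 if used else run + 1
            if run == needed:
                start = i - needed + 1
                break
        if start is None:
            raise OSError("disk full")
        off = start * CLUSTER
        # Only len(content) bytes are written; the rest of the last cluster is untouched.
        self.data[off:off + len(content)] = content
        for i in range(start, start + needed):
            self.allocated[i] = True
        self.files[name] = (start, len(content))

    def delete_file(self, name: str) -> None:
        # A typical delete only releases the allocation entries; the bytes remain on disk.
        start, size = self.files.pop(name)
        for i in range(start, start + (size + CLUSTER - 1) // CLUSTER):
            self.allocated[i] = False

    def slack_bytes(self, name: str) -> int:
        """Bytes allocated to the file's last cluster but not used by its content."""
        _, size = self.files[name]
        rem = size % CLUSTER
        return 0 if rem == 0 else CLUSTER - rem

    def slack_contents(self, name: str) -> bytes:
        """Raw bytes sitting in the file's slack (whatever was there before)."""
        start, size = self.files[name]
        end_cluster = start + (size + CLUSTER - 1) // CLUSTER
        return bytes(self.data[start * CLUSTER + size:end_cluster * CLUSTER])

    def unallocated(self) -> bytes:
        """Concatenation of every cluster the allocation table marks as free."""
        return b"".join(self.data[i * CLUSTER:(i + 1) * CLUSTER]
                        for i, used in enumerate(self.allocated) if not used)


def carve(blob: bytes, header: bytes, footer: bytes) -> list:
    """Header/footer carving over raw bytes: how deleted content is recovered
    without any file system metadata."""
    found, pos = [], 0
    while True:
        h = blob.find(header, pos)
        if h < 0:
            break
        f = blob.find(footer, h + len(header))
        if f < 0:
            break
        found.append(blob[h:f + len(footer)])
        pos = f + len(footer)
    return found


def demo() -> dict:
    disk = ToyDisk(clusters=8)
    # 1) Deleted-file recovery: the bytes survive in unallocated space.
    note = b"BEGIN-NOTE meeting at 10:00 with supplier X END-NOTE"   # constructed content
    disk.write_file("note.txt", note)
    disk.delete_file("note.txt")
    recovered = carve(disk.unallocated(), b"BEGIN-NOTE", b"END-NOTE")
    # 2) Slack space: a shorter file reuses cluster 0 but leaves the old bytes in its slack.
    disk.write_file("short.txt", b"hello")
    return {
        "recovered": recovered,
        "slack": disk.slack_bytes("short.txt"),          # 512 - 5 = 507
        "old_in_slack": b"END-NOTE" in disk.slack_contents("short.txt"),
    }


if __name__ == "__main__":
    print(demo())
```

Real file systems add metadata (directory entries, journal records) that make recovery both easier and more complicated, but the two behaviours shown here, residue in unallocated clusters and residue in slack, are exactly why a bit-level image, not a file-level copy, is required for examination.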
Cyber Forensics and Digital Evidence
• Network forensics is the study of network traffic to search for truth in civil, criminal and administrative matters, to protect users and resources from exploitation, invasion of privacy and any other crime fostered by the continual expansion of network connectivity.
The Rules of Evidence
According to the "Indian Evidence Act 1872", "Evidence" means and includes:
1. All statements which the court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry, are called oral evidence.
2. All documents that are produced for the inspection of the court are called documentary evidence.
Newly added provisions in the Indian Evidence Act 1872, introduced through ITA 2000, constitute the body of law applicable to electronic evidence (digital evidence by its nature is invisible to the eye).
• There are a number of contexts involved in actually identifying a piece of digital evidence:
1. Physical context: It must be definable in its physical form, that is, it should reside on a specific piece of media.
2. Logical context: It must be identifiable as to its logical position, that is, where it resides relative to the file system.
3. Legal context: We must place the evidence in the correct context to read its meaning. This may require looking at the evidence as machine language, for example, American Standard Code for Information Interchange (ASCII).
The path taken by digital evidence can be conceptually depicted as a diagram.
[Figure: path taken by digital evidence]
Digital Evidence
• Digital evidence originates from a number of sources such as seized computer hard drives and backup media, real-time E-Mail messages, chat room logs, Internet service provider records, web pages, digital network traffic, local and virtual databases, digital directories, wireless devices, memory cards, digital cameras, etc.
• Digital forensics examiners must consider the trustworthiness of this digital data.
• Many vendors provide technology solutions to extract this digital data from these devices and networks.
• Once the extraction of the digital evidence has been accomplished, protecting its digital integrity becomes the paramount concern for investigators, prosecutors and those accused.
Following are some guidelines for the (digital) evidence collection phase:

1. Adhere to your site's security policy and engage the appropriate incident handling and law enforcement personnel.
2. Capture a picture of the system as accurately as possible.
3. Keep detailed notes with dates and times. If possible, generate an automatic transcript (e.g., on Unix systems the "script" program can be used; however, the output file it generates should not be given to the media as it is a part of the evidence). Notes and printouts should be signed and dated.
4. Note the difference between the system clock and Coordinated Universal Time (UTC). For each timestamp provided, indicate whether UTC or local time is used (since 1972 over 40 countries throughout the world have adopted UTC as their official time source).
5. Be prepared to testify (perhaps years later) outlining all actions you took and at what times. Detailed notes will be vital.
6. Minimize changes to the data as you are collecting it. This is not limited to content changes; avoid updating file or directory access times.
7. Remove external avenues for change.
8. When confronted with a choice between collection and analysis, you should do collection first and analysis later.
9. Needless to say, your procedures should be implementable. As with any aspect of an incident response policy, procedures should be tested to ensure feasibility, particularly in a crisis. If possible, procedures should be automated for reasons of speed and accuracy. Being methodical always helps.
10. For each device, a systematic approach should be adopted to follow the guidelines laid down in your collection procedure. Speed will often be critical; therefore, where there are a number of devices requiring examination, it may be appropriate to spread the work among your team to collect the evidence in parallel. However, on a single given system collection should be done step by step.
11. Proceed from the volatile to the less volatile; the order of volatility is as follows:
• Registers, cache (most volatile, i.e., contents lost as soon as the power is turned OFF);
• Routing table, Address Resolution Protocol (ARP) cache, process table, kernel statistics, memory;
• Temporary file systems;
• Disk;
• Remote logging and monitoring data that is relevant to the system in question;
• Physical configuration and network topology;
• Archival media (least volatile, i.e., holds data even after power is turned OFF).
12. You should make a bit-level copy of the system's media. If you wish to do forensic analysis, you should make a bit-level copy of your evidence copy for that purpose, as your analysis will almost certainly alter file access times. Try to avoid doing forensics on the evidence copy.
Chain of Custody Concept
• It is the central concept in a cyber forensics/digital forensics investigation.
• It is the process of validating how the various kinds of evidence have been gathered, tracked and protected on the way to a court of law.
• Forensic professionals know that if you do not have a chain of custody, the evidence is worthless.
• It is essential to get in the habit of protecting all evidence equally so that it will hold up in court.
• The purpose is that the proponent of a piece of evidence must demonstrate that it is what it purports to be.
Chain of Custody Concept
The chain of custody is a chronological written record of those individuals who have had custody of the evidence from its initial acquisition until its final disposition.
A chain of custody begins when an item of relevant evidence is collected, and the chain is maintained until the evidence is disposed of.
The chain of custody assumes continuous accountability. This accountability is important because, if it is not properly maintained, an item (evidence) may be inadmissible in court.
Network Forensics
• Today's networks are mainly wireless networks.
• Most Wi-Fi communications are unprotected.
• Wireless forensics is a part of network forensics, which is in turn part of computer forensics.
• Wireless forensics is the methodology and tools required to collect and analyze the network traffic that can be presented as valid digital evidence in a court of law.
Network Forensics
• This discipline is included within computer forensics science.
• The goal is to provide the methodology and tools required to collect and analyze (wireless) network traffic.
• It involves capturing all data moving over the Wi-Fi network and analyzing network events.
• The security analyst must follow the same general principles that apply to computer forensics.
Network Forensics
• The evidence collected can include plain data or VoIP information.
• The wireless forensics process involves:
  - Capturing all data moving over the Wi-Fi network;
  - Analyzing network events to uncover anomalies;
  - Discovering the source of security attacks;
  - Investigating breaches on computers and wireless networks.
Digital Forensics Life Cycle
• As per the FBI's (Federal Bureau of Investigation) view, digital evidence is present in nearly every crime scene. That is why law enforcement must know how to recognize, seize, transport and store original digital evidence to preserve it for forensics examination.
• Figure 7.5 shows the process model for understanding the seizure and handling of forensics evidence within a legal framework.
The cardinal rules to remember are that evidence
1. is admissible
2. is authentic
3. is complete
4. is reliable
5. is understandable and believable.
Digital Forensics Process
Digital forensics evidence consists of exhibits.
The exhibits are introduced as evidence by either side.
Testimony is presented to establish the process.
The party must show the evidence.
Digital forensics evidence can be challenged.
Forensics experts formulate a cost proposal.
Proposed timeline of activities, lists of anticipated deliverables
and a plan for production and turnover of evidence.
Submission of a preliminary risk analysis for the forensics
service being proposed.
Phases in Computer Forensics/Digital Forensics
• The investigator must be properly trained to perform the specific kind of investigation that is at hand. Tools that are used to generate reports for court should be validated.
• One should determine the proper tool to be used based on the case.
Broadly speaking, the forensics life cycle involves the following phases:
1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation and attribution
6. Reporting
7. Testifying
• The process involves the following activities:
1. Prepare: Case briefings, engagement terms, interrogatories, spoliation prevention, disclosure and discovery planning, discovery requests.
2. Record: Drive imaging, indexing, profiling, search plans, cost estimates, risk analysis.
3. Investigate: Triage images, data recovery, keyword searches, hidden data review, communicate, iterate.
4. Report: Oral vs. written, relevant document production, search statistic reports, chain of custody reporting, case log reporting.
5. Testify: Testimony preparation, presentation preparation, testimony.
1. Preparing for the Evidence and Identifying the Evidence
In order to be processed and applied, evidence must first be
identified as evidence.
It can happen that there is an enormous amount of potential
evidence available for a legal matter, and it is also possible
that the vast majority of the potential evidence may never get
identified.
Consider that every sequence of events within a single
computer might cause interactions with files and the file
systems in which they reside, other processes and the
programs they are executing and the files they produce and
manage, and log files and audit trails of various sorts.
1. Preparing for the Evidence and Identifying the Evidence
In a networked environment, this extends to all networked
devices, potentially all over the world.
Evidence of an activity that caused digital forensics evidence
to come into being might be contained in a time stamp
associated with a different program in a different computer on
the other side of the world that was offset from its usual
pattern of behavior by a few microseconds.
 If the evidence cannot be identified as relevant evidence, it
may never be collected or processed at all, and it may not even
continue to exist in digital form by the time it is discovered to
have relevance.
2. Collecting and Recording Digital Evidence
• Computers
• Cell phones
• Digital cameras
• Hard drives
• CD-ROM
• USB memory devices
• Digital thermometers
• Black boxes inside automobiles
• RFID tags and webpages
2. Collecting and Recording Digital Evidence
• Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken.
• For this reason, it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated.
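The hash-and-record practice above, the bit-level copy and "analyse the working copy, never the evidence copy" rule from the collection guidelines, and the chain of custody record all fit together in one small workflow. The Python below is an added example written for this page, not the module's own code or any named tool's API: it images a constructed in-memory "device" while hashing the bytes as they are written, appends chain of custody entries carrying UTC timestamps, and then shows that the evidence copy still matches its acquisition hash after analysis has altered only the working copy. The exhibit identifier, examiner names and device contents are placeholders.

```python
import hashlib
import io
from datetime import datetime, timezone


def sha256_of_stream(src, chunk: int = 1 << 20) -> str:
    """Hash a file-like object in chunks; evidence images are usually too big to read whole."""
    h = hashlib.sha256()
    for block in iter(lambda: src.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def sha256_bytes(data: bytes) -> str:
    return sha256_of_stream(io.BytesIO(data))


def acquire_image(device, out) -> str:
    """Bit-level copy from `device` to `out`, returning the SHA-256 of the bytes written.
    Hashing as we copy means the recorded value describes exactly what landed in the image."""
    h = hashlib.sha256()
    for block in iter(lambda: device.read(1 << 20), b""):
        out.write(block)
        h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Chronological record of who handled an item and the hash it had at that moment.
    Timestamps are stored in UTC, as the collection guidelines ask, so later comparison
    with a drifted system clock is unambiguous."""

    def __init__(self, item_id: str):
        self.item_id = item_id
        self.entries = []

    def record(self, actor: str, action: str, sha256: str, when=None) -> dict:
        when = when or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("timestamps must carry a timezone (use UTC)")
        entry = {
            "item": self.item_id,
            "utc": when.astimezone(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "sha256": sha256,
        }
        self.entries.append(entry)
        return entry

    def integrity_intact(self) -> bool:
        """Every later hash must equal the one recorded at acquisition."""
        return len({e["sha256"] for e in self.entries}) == 1


def demo() -> CustodyLog:
    # Constructed "suspect device" contents; sample data, not a real disk image.
    device = io.BytesIO(b"MBR" + b"\x00" * 509 + b"user data: report.docx" + b"\xff" * 100)
    evidence = io.BytesIO()
    log = CustodyLog("EXHIBIT-001")  # placeholder exhibit id

    acq_hash = acquire_image(device, evidence)
    log.record("examiner A", "acquired bit-level image behind write blocker", acq_hash)

    # Analysis happens on a second copy; the evidence copy is never worked on directly.
    working = io.BytesIO(evidence.getvalue())
    log.record("examiner A", "created working copy", sha256_of_stream(working))

    working.seek(0)
    working.write(b"X")  # stand-in for analysis tooling touching the working copy

    evidence.seek(0)
    log.record("examiner B", "re-verified evidence copy", sha256_of_stream(evidence))
    return log


if __name__ == "__main__":
    for e in demo().entries:
        print(e)
```

If `integrity_intact()` ever returns false, the entry whose hash differs tells you at which handover the item stopped being what it purports to be, which is precisely the question the chain of custody exists to answer.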
3. Storing and Transporting Digital Evidence
1. Image computer media using a write-blocking tool to ensure
that no data is added to the suspect device
2. Establish and maintain the chain of custody
3. Document everything that has been done
4. Only use tools and methods that have been tested and evaluated
to validate their accuracy and reliability.
5. Care must be taken in transportation to prevent spoliation (in a
hot car, digital media tends to lose bits).
6. Care must be taken to preserve chain of custody and assure that
a witness can testify accurately about what took place.
4. Examining/Investigating Digital Evidence
• Special care must be taken to ensure that the forensics
specialist has the legal authority to seize, copy and
examine the data.
• Sometimes authority stems from a search warrant.
• As a general rule, one should not examine digital
information unless one has the legal authority to do
so.
• Amateur forensics examiners should keep this in mind
before starting any unauthorized investigation.
5.Analysis, Interpretation and Attribution
• Analysis, interpretation and attribution of evidence are the most
difficult aspects encountered by most forensics analysts.
• Analysis, interpretation and attribution of digital forensics
evidence can be reconciled with non-digital evidence.
• Digital forensics evidence can be externally stipulated.
• Open-source tools are available to conduct analysis of open ports,
mapped drives on the live computer system.
• Holding unpowered RAM below −60°C will help preserve the
residual data by an order of magnitude, thus improving the
chances of successful recovery. However, it is impractical to do
this during a field examination.
Examples of digital analysis types include:
1. Media analysis: It is the analysis of the data from a storage device. This analysis does not consider any partitions or other operating system (OS)-specific data structures. If the storage device uses a fixed size unit, such as a sector, then it can be used in this analysis.
2. Media management analysis: It is the analysis of the management system used to organize media. This typically involves partitions and may include volume management or redundant array of independent (or inexpensive) disks systems that merge data from multiple storage devices into a single virtual storage device.
3. File system analysis: It is the analysis of the file system data inside a partition or disk. This typically involves processing the data to extract the contents of a file or to recover the contents of a deleted file.
4. Application analysis: It is the analysis of the data inside a file. Files are created by users and applications. The format of the contents is application-specific.
Examples of digital analysis types include:
5. Network analysis: It is the analysis of data on a communications network. Network packets can be examined using the OSI Model to interpret the raw data into an application-level stream. Application analysis is a large category of analysis techniques because there are many application types.
Some of the most common ones are as follows:
• OS analysis: An OS is an application, although it is a special application because it is the first one that is run when a computer starts. This analysis examines the configuration files and output data of the OS to determine what events may have occurred.
• Executable analysis: Executables are digital objects that can cause events to occur and they are frequently examined during intrusion investigations because the investigator needs to determine what events the executable could cause.
Examples of digital analysis types include:
6. Image analysis: It was mentioned that the "image" is a single searchable file. Digital images are the target of many digital investigations because some are contraband. This type of analysis looks for information about where the picture was taken and who or what is in the picture. Image analysis also includes examining images for evidence of steganography.
7. Video analysis: Digital video is used in security cameras and in personal video cameras and webcams. Investigations of online predators can sometimes involve digital video from webcams. This type of analysis examines the video for the identification of objects in the video and the location where it was shot.
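Network analysis as described in item 5, peeling a captured frame layer by layer until an application-level record appears, is the kind of thing an examiner does by hand before trusting a tool's summary. The Python below is an added example written for this page, not code from the module or from any capture tool: it builds one constructed Ethernet/IPv4/UDP frame carrying a syslog-style line, verifies the IPv4 header checksum, and decodes the frame down to the application payload. All addresses, ports and the log text are sample values; only the frame layouts and the checksum rule are real protocol behaviour.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum of 16-bit words.
    Over a header whose checksum field is already correct, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ethernet(frame: bytes) -> dict:
    """Layer 2: destination MAC, source MAC, EtherType, then the payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(packet: bytes) -> dict:
    """Layer 3: fixed 20-byte header fields; payload length comes from total_len, not from
    the capture, so trailing padding is not mistaken for data."""
    (vihl, _tos, total_len, _ident, _flags, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "proto": proto,
            "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
            "payload": packet[ihl:total_len]}


def parse_udp(segment: bytes) -> dict:
    """Layer 4: ports and length; the UDP length field bounds the application data."""
    sport, dport, length, _csum = struct.unpack("!HHHH", segment[:8])
    return {"sport": sport, "dport": dport, "payload": segment[8:length]}


def decode_frame(frame: bytes) -> dict:
    """Walk the layers and surface the application-level record."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != ETHERTYPE_IPV4:
        return {"link": eth, "note": "non-IPv4 frame, not decoded further"}
    ip = parse_ipv4(eth["payload"])
    if ip["proto"] != IPPROTO_UDP:
        return {"link": eth, "network": ip, "note": "non-UDP packet, not decoded further"}
    udp = parse_udp(ip["payload"])
    return {"src_mac": eth["src_mac"], "src_ip": ip["src"], "dst_ip": ip["dst"],
            "ip_checksum_ok": ip["checksum_ok"], "src_port": udp["sport"],
            "dst_port": udp["dport"], "application": udp["payload"]}


def build_sample_frame() -> bytes:
    """Constructed capture: one syslog line (UDP/514) from 192.0.2.10 to 192.0.2.1."""
    payload = b"<34>Oct 11 22:14:15 ws01 sshd: Failed password for invalid user"  # constructed
    udp = struct.pack("!HHHH", 40514, 514, 8 + len(payload), 0) + payload     # UDP checksum left 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64,
                      IPPROTO_UDP, 0,
                      ipaddress.IPv4Address("192.0.2.10").packed,
                      ipaddress.IPv4Address("192.0.2.1").packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]        # fill checksum field
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + hdr + udp


if __name__ == "__main__":
    print(decode_frame(build_sample_frame()))
```

Checking the header checksum before trusting any field is a cheap sanity test on a capture: a frame that fails it was either corrupted on the wire, truncated by the capture, or altered afterwards, and in all three cases it should be flagged rather than silently decoded.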
6. Reporting
• A report is generated.
• The report may be in a written form or an oral testimony (or
combination of the two).
• Evidence, analysis, interpretation and attribution to be presented in the
form of expert reports, depositions and testimony.
• Presentation of the report (a complex and tricky process)
Broad-Level Elements of the Report
1. Identity of the reporting agency
2. Case identifier or submission number
3. Case investigator
4. Identity of the submitter
5. Date of receipt
6. Date of report
7. Serial number, make and model
8. Identity and signature of the examiner
9. Steps taken during examination
10. Results/conclusions
7. Testifying
• This phase involves presentation and cross-examination of expert
witnesses.
• Depending on the country and legal frameworks in which a cybercrime
case is registered, certain standards may apply with regard to the issues
of expert witnesses.
• Digital forensics evidence is normally introduced by expert witnesses
except in cases where non-experts can bring clarity to non-scientific
issues by stating what they observed or did.
7. Testifying
• For example, a non-expert who works at a company may introduce the
data he/she extracted from a company database and discuss how the
database works and how it is normally used from a non-technical
standpoint. To the extent that the witness is the custodian of the system
or its content, he/she can testify to matters related to that custodial role
as well.
7. Testifying
• Only expert witnesses can address issues based on scientific, technical or other specialized knowledge. A witness qualified as an expert by knowledge, skill, experience, training or education may testify in the form of an opinion or otherwise
• if (a) the testimony is based on sufficient facts or data,
(b) the testimony is the product of reliable principles and methods,
(c) the witness has applied the principles and methods reliably to the facts of the case.
If facts are reasonably relied upon by experts in forming opinions or inferences, the facts need not be admissible for the opinion or inference to be admitted; however, the expert may in any event be required to disclose the underlying facts or data on cross-examination.
Precautions to be Taken when Collecting Electronic Evidence
Principles to maintain the integrity of digital evidence
1. Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media, which may subsequently be relied upon in court.
2. Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of his/her actions.
3. Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
4. Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.