Digital Forensics

By: Kausar Sorathiya, Zainab Shekhani, Malay Punjani, Ronak Bafna

Posted 22 Nov 2014

Page 1: Digital Forensics

Digital Forensics

By: Kausar Sorathiya, Zainab Shekhani, Malay Punjani, Ronak Bafna

Page 2: Digital Forensics

Contents

• Definition
• History
• Uses
• Forensic Process
• Branches
• Advantages and Disadvantages
• Conclusion

Page 3: Digital Forensics

Definition

• Digital forensics is the forensic science related to computer operations, software, and files, as well as the digital or electronic files contained on other technology-based appliances or storage devices.

OR

• Digital forensics (sometimes digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices.

Page 4: Digital Forensics

History - A look at the past of digital forensics

• In the 1980s, crimes involving computers were dealt with using existing laws.

• The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data on a computer system.

• In the next few years the range of computer crimes being committed increased, and laws were passed to deal with issues of copyright, privacy/harassment and child pornography.

Page 5: Digital Forensics

• Canada was the first country to pass legislation in 1983.

• This was followed by the US Federal Computer Fraud and Abuse Act in 1986.

• In response to the growth in computer crime during the 1980s and 1990s, law enforcement agencies began to establish specialized investigative groups, usually at the national level.

Page 6: Digital Forensics

• In the early 1990s a number of tools were created to allow investigations to take place without the risk of altering data. As demand for digital evidence grew more advanced commercial tools were developed.

• Recently the same progression of tool development has occurred for mobile devices: initially investigators accessed data directly on the device, but this was soon replaced with specialist tools.

Page 8: Digital Forensics

Uses

The main use of digital forensics is to recover evidence of a crime.

The diverse range of data held in digital devices can help with other areas of investigation.

1. Attribution - Metadata and other logs can be used to attribute actions to an individual. For example, personal documents on a computer drive might identify its owner.

Page 9: Digital Forensics

2. Alibis and statements - Information provided by those involved can be cross checked with digital evidence.

For example, during the investigation into the Soham murders, the offender's alibi was disproven when mobile phone records of the person he claimed to be with showed she was out of town at the time.

Page 10: Digital Forensics

3. Intent - Besides finding objective evidence of a crime being committed, investigations can also be used to prove intent.

For example, the Internet history of convicted killer Neil Entwistle included references to a site discussing "How to kill people".

Page 11: Digital Forensics

4. Evaluation of source - File artifacts and metadata can be used to identify the origin of a particular piece of data.

For example, older versions of Microsoft Word embedded a Globally Unique Identifier (GUID) into files, which identified the computer the file had been created on.

Proving whether a file was produced on the digital device being examined or obtained from elsewhere (e.g., the Internet) can be very important.

Page 12: Digital Forensics

5. Document authentication - Related to "Evaluation of Source", metadata associated with digital documents can be easily modified.

For example, by changing the computer clock you can affect the created date of a file.

Document authentication relates to detecting and identifying falsification of such details.
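As an added example (not from the slides) of the two points above, source evaluation and document authentication: a small set of consistency checks an examiner might script over file timestamps. The records, the acquisition time, and the `FileRecord`/`ts` helpers are constructed here; the sub-second heuristic is a weak indicator that needs corroboration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

@dataclass
class FileRecord:
    path: str
    created: datetime
    modified: datetime
    accessed: datetime

def timestamp_anomalies(rec: FileRecord, acquired_at: datetime) -> List[str]:
    """Return inconsistencies between a file's recorded timestamps and what
    authoring it on this device, before acquisition, would have produced."""
    findings = []
    if rec.modified < rec.created:
        # Content finished before the file existed here: consistent with a copy
        # or download (source lies elsewhere), not with authoring on this device.
        findings.append("modified precedes created")
    if rec.accessed < rec.created:
        findings.append("accessed precedes created")
    for name in ("created", "modified", "accessed"):
        if getattr(rec, name) > acquired_at:
            findings.append(f"{name} is after acquisition time")
    if all(getattr(rec, n).microsecond == 0 for n in ("created", "modified", "accessed")):
        # Sub-second fields all exactly zero on a file system that stores them suggest
        # a value set through a second-granularity interface; weak on its own.
        findings.append("all sub-second fields zero")
    return findings

def scan(records: List[FileRecord], acquired_at: datetime) -> Dict[str, List[str]]:
    return {r.path: timestamp_anomalies(r, acquired_at) for r in records}

def ts(*args: int) -> datetime:
    """UTC timestamp helper: ts(Y, M, D, h, m, s, microsecond)."""
    return datetime(*args, tzinfo=timezone.utc)

# Constructed records; ACQUIRED_AT is the time the image was taken.
ACQUIRED_AT = ts(2014, 11, 22, 9, 0, 0)
RECORDS = [
    FileRecord("Documents/report.docx", ts(2014, 3, 1, 9, 0, 0, 123456),
               ts(2014, 3, 2, 10, 0, 0, 654321), ts(2014, 3, 2, 10, 0, 1, 7)),
    FileRecord("Documents/copied.pdf", ts(2014, 5, 1, 12, 0, 0, 500000),
               ts(2013, 1, 15, 8, 30, 0, 250000), ts(2014, 5, 1, 12, 0, 0, 500000)),
    FileRecord("Documents/backdated.doc", ts(2010, 1, 1, 0, 0, 0),
               ts(2010, 1, 1, 0, 0, 0), ts(2010, 1, 1, 0, 0, 0)),
    FileRecord("Documents/future.txt", ts(2015, 1, 1, 0, 0, 0, 100000),
               ts(2015, 1, 1, 0, 0, 0, 200000), ts(2015, 1, 1, 0, 0, 0, 200000)),
]
```

Running `scan(RECORDS, ACQUIRED_AT)` flags the copied, backdated and future-dated records and leaves the locally authored report clean.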

Page 13: Digital Forensics

Forensic Process

A digital forensic investigation commonly consists of three stages:

1. Acquisition or imaging of exhibits
2. Analysis
3. Reporting

Page 14: Digital Forensics

Acquisition

• Once exhibits have been seized, an exact sector-level duplicate (or "forensic duplicate") of the media is created, usually via a write-blocking device, a process referred to as acquisition.

• The duplicate is created using a hard-drive duplicator or software imaging tools.

• The original drive is then returned to secure storage to prevent tampering.

• The acquired image is verified. At critical points throughout the analysis, the media is verified again, known as "hashing", to ensure that the evidence is still in its original state.

• In corporate environments seeking civil or internal charges, such steps are generally overlooked due to the time required to perform them.

Page 15: Digital Forensics

Analysis

• After acquisition, the contents of image files are analysed to identify evidence that either supports or contradicts a hypothesis, or for signs of tampering (to hide data).

• In 2002 the International Journal of Digital Evidence referred to this stage as "an in-depth systematic search of evidence related to the suspected crime".

• During the analysis an investigator usually recovers evidence material using a number of different methodologies, often beginning with recovery of deleted material. Many forensic tools use hash signatures to identify notable files or to exclude known ones; acquired data is hashed and compared to pre-compiled lists.

• Once evidence is recovered the information is analysed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialist staff.

• Digital investigators, particularly in criminal investigations, have to ensure that conclusions are based upon data and their own expert knowledge.
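An added worked example, not part of the original slides, tying the acquisition hash on slide 14 to the hash-set comparison described in the analysis bullets: the image bytes, the reference hash sets and the recovered files are constructed stand-ins, and the function names are ours.

```python
import hashlib
from typing import Dict, Set

SECTOR = 512
# Constructed stand-in for a sector-level image (8 sectors of patterned bytes);
# a real forensic duplicate is read from disk in the same chunked way.
IMAGE = b"".join(bytes([i]) * SECTOR for i in range(8))

def hash_image(image: bytes, algo: str = "sha256", chunk: int = SECTOR) -> str:
    """Hash an image chunk by chunk, as an imaging tool does at acquisition."""
    h = hashlib.new(algo)
    for off in range(0, len(image), chunk):
        h.update(image[off:off + chunk])
    return h.hexdigest()

def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Re-hash at a critical point of the analysis and compare with the hash
    recorded at acquisition; any changed bit in any sector changes the digest."""
    return hash_image(image) == acquisition_hash

def build_hashset(files: Dict[str, bytes]) -> Set[str]:
    """Pre-compile a set of SHA-256 digests from reference files."""
    return {hashlib.sha256(data).hexdigest() for data in files.values()}

def triage(files: Dict[str, bytes], known_good: Set[str], notable: Set[str]) -> Dict[str, str]:
    """Hash each recovered file and classify it against the pre-compiled sets,
    so known operating-system files are excluded and notable ones surfaced."""
    verdicts = {}
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in notable:
            verdicts[path] = "notable"
        elif digest in known_good:
            verdicts[path] = "known-good (excluded)"
        else:
            verdicts[path] = "unknown (review)"
    return verdicts

# Constructed reference sets and recovered files (contents are placeholders).
KNOWN_GOOD = build_hashset({"Windows/System32/notepad.exe": b"NOTEPAD-STUB"})
NOTABLE = build_hashset({"case-reference/notable_sample.bin": b"NOTABLE-STUB"})
RECOVERED = {
    "img/Windows/System32/notepad.exe": b"NOTEPAD-STUB",
    "img/Users/alice/Documents/plan.xlsx": b"spreadsheet bytes",
    "img/$Recycle.Bin/$R1A2B3C.bin": b"NOTABLE-STUB",
}

if __name__ == "__main__":
    acquisition_hash = hash_image(IMAGE)
    print("image verified:", verify_image(IMAGE, acquisition_hash))
    print(triage(RECOVERED, KNOWN_GOOD, NOTABLE))
```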

Page 16: Digital Forensics

Reporting

• When an investigation is completed the information is often reported in a form suitable for non-technical individuals.

• Reports may also include audit information and other meta-documentation.

• When completed, reports are usually passed to those commissioning the investigation, such as law enforcement (for criminal cases) or the employing company (in civil cases), who will then decide whether to use the evidence in court.

• Generally, for a criminal court, the report package will consist of a written expert conclusion of the evidence as well as the evidence itself (often presented on digital media).

Page 17: Digital Forensics

Branches

Digital forensics includes several sub-branches relating to the investigation of various types of devices, media or artefacts:

1. Computer forensics
2. Mobile device forensics
3. Network forensics
4. Database forensics

Page 18: Digital Forensics

Computer Forensics

• Computer forensics is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.

• The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of recovering, linking and understanding information.

• Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings.

• Computer forensics can deal with a broad range of information, from logs (such as internet history) through to the actual files on the drive.

Page 19: Digital Forensics

Examples

• Computer forensics has played a pivotal role in many cases.

• Dennis Rader was convicted of a string of serial killings that occurred over a period of sixteen years. Towards the end of this period, Rader sent letters to the police on a floppy disk. Metadata within the documents implicated an author named "Dennis" at "Christ Lutheran Church"; this evidence helped lead to Rader's arrest.

• Joseph E. Duncan III - A spreadsheet recovered from Duncan's computer contained evidence which showed him planning his crimes. Prosecutors used this to show premeditation and secure the death penalty.

• Sharon Lopatka - Hundreds of emails on Lopatka's computer led investigators to her killer, Robert Glass.

Page 20: Digital Forensics

Techniques

A number of techniques are used during computer forensics investigations.

• Cross-drive analysis - A forensic technique that correlates information found on multiple hard drives. The process, which is still being researched, can be used for identifying social networks and for performing detection.

• Live analysis - The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

• Deleted files - A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not always delete physical file data, allowing it to be reconstructed from the physical disk sectors.
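As an added example (not from the slides) of the carving mentioned in the last bullet, a minimal header/footer carver run over a constructed raw image that has no file system at all. The signature table, the sample file contents and the `carve`/`pad` names are ours.

```python
from typing import Dict, List, Tuple

SECTOR = 512

# Header/footer signatures for two common types. A production carver has a far
# longer table and type-specific size rules; two entries show the method.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def carve(image: bytes, sigs=SIGNATURES, max_size: int = 1 << 20) -> List[Tuple[str, int, bytes]]:
    """Scan raw sectors for header/footer pairs without consulting any file
    system structures, so data whose directory entry was deleted is still found.
    Returns (type, byte offset, carved bytes) sorted by offset."""
    found = []
    for kind, (header, footer) in sigs.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Header with no footer in range: the tail was overwritten or the
                # file is fragmented; a simple carver skips it rather than guess.
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda hit: hit[1])

def pad(data: bytes) -> bytes:
    """Pad to a sector boundary, as file system allocation does."""
    return data + b"\x00" * (-len(data) % SECTOR)

# Constructed disk image: just sectors, no file system. The JPEG and PDF stand
# for files whose directory entries were deleted; the third object is a JPEG
# header whose data was overwritten with zeros, so it must not be reported.
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-body-bytes" * 3 + b"\xff\xd9"
PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
OVERWRITTEN = b"\xff\xd8\xff\xe1" + b"\x00" * 60
IMAGE = (b"\x00" * SECTOR * 3 + pad(JPEG) + b"\x00" * SECTOR * 2
         + pad(PDF) + pad(OVERWRITTEN))

if __name__ == "__main__":
    for kind, offset, data in carve(IMAGE):
        print(f"{kind:5} at sector {offset // SECTOR:4} ({len(data)} bytes)")
```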

Page 22: Digital Forensics

Mobile Device Forensics

• Mobile device forensics is a sub-branch of digital forensics relating to recovery of digital evidence or data from a mobile device.

• Investigations usually focus on simple data such as call data and communications (SMS/email) rather than in-depth recovery of deleted data.

• SMS data from a mobile device investigation helped to exonerate Patrick Lumumba in the murder of Meredith Kercher.

• Mobile devices are also useful for providing location information, either from inbuilt GPS/location tracking or via cell site logs (which track the devices within their range). Such information was used to track down the kidnappers of Thomas Onofri in 2006.

Page 23: Digital Forensics

Data Types

As mobile device technology advances, the amount and types of data that can be found on a mobile device are constantly increasing.

Types of data that can be found on mobile devices include:

• multimedia files (sounds, music, images, video, podcasts)
• messages (SMS, MMS, Twitter, chat)
• e-mails
• browser history/bookmarks/cookies
• personal information (calendars, contacts, notes)
• log files (calls, networks, applications)
• maps (Google, OpenStreetMap)
• connection information (Bluetooth, WLAN, VPN)
• GPS positions
• running processes
• routing tables
• network and connectivity statistics
• boot sequence, default libraries

Page 24: Digital Forensics

Forensic Process in Mobile Devices

• Preservation: The first step in digital evidence recovery. It is the process of seizing a suspect's property without altering or changing the contents of the data that reside on devices or removable media.

• Acquisition: The second step in the forensic process is acquisition, the process of retrieving material from a device. This process can take place either at the crime scene or in the laboratory.

Page 25: Digital Forensics

• Examination and analysis: The examination process uncovers digital evidence, including that which may be hidden or obscured. The results are gained through applying established, scientifically based methods, and should describe the content and state of the data fully, including the source and the potential significance. Data reduction, separating relevant from irrelevant information, occurs once the data is exposed. The analysis process differs from examination in that it looks at the results of the examination for their direct significance and probative value to the case.

• Reporting: Reporting is the process of preparing a detailed summary of all the steps taken and conclusions reached in the investigation of a case. Reporting depends on maintaining a careful record of all actions and observations, describing the results of tests and examinations, and explaining the inferences drawn from the evidence.

Page 27: Digital Forensics

Network Forensics

• Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence or intrusion detection.

• Network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation.

Page 28: Digital Forensics

• Systems used to collect network data for forensic use usually come in two forms:

• "Catch-it-as-you-can" - All packets passing through a certain traffic point are captured and written to storage, with analysis being done subsequently in batch mode. This approach requires large amounts of storage.

• "Stop, look and listen" - Each packet is analyzed in a rudimentary way in memory and only certain information is saved for future analysis. This approach requires a faster processor to keep up with incoming traffic.

Page 30: Digital Forensics

Database Forensics

• Database forensics is a branch of digital forensic science relating to the forensic study of databases and their related metadata.[1]

• The discipline is similar to computer forensics, following the normal forensic process and applying investigative techniques to database contents and metadata.

• A forensic examination of a database may relate to the timestamps that apply to the update time of a row in a relational table being inspected and tested for validity in order to verify the actions of a database user. Alternatively, a forensic examination may focus on identifying transactions within a database system or application that indicate evidence of wrongdoing, such as fraud.

• Currently, many database software tools are not reliable and precise enough to be used for forensic work, as demonstrated in the first paper published on database forensics.

• The forensic study of relational databases requires a knowledge of the standard used to encode data on the computer disk.

Page 31: Digital Forensics

Advantages

• It aids in finding and explaining complex facts to a jury, and at least in theory provides neutral, scientifically supported information.

• It can search and analyze a mountain of data quickly and efficiently.

Page 32: Digital Forensics

Disadvantages

1. Privacy Concern: One of the primary concerns of computer forensics is the impact it will have on the computer owner's privacy. Computer forensics can prove to be a disadvantage if proper safeguards are not in place to ensure that data is protected.

2. Cost: The cost to maintain a laboratory containing appropriate computers, computer analysis tools, software and security implements to safeguard information can be enormous.

3. Data Corruption: There is the inherent danger that the investigator will somehow alter the original data in the process of attempting to acquire it. The non-permanent nature of computer data can make it highly suspect in legal cases.

Page 33: Digital Forensics

Conclusion

• The science of digital media forensics has come a long way and, as time passes, will become a staple of the corporate information security officer.

• A general understanding is the first step, the realization of its necessity comes next.

• Forensics will play a larger part in the planning and execution of policy.

• It is further intended to help identify the information security officer's need for digital media forensics capabilities.

Page 34: Digital Forensics

Thank You