DIGITAL FORENSICS
3170725

UNIT 3: DIGITAL FORENSICS PROCESS MODEL

Prepared by,
Prof. Kaxa Domadia
Assistant Professor
CE Department
V.V.P. Engineering College - Rajkot
DOCUMENTING THE SCENE AND EVIDENCE
• Documentation of a crime scene creates a record for the investigation.
• It is vital to correctly record the location of the scene; the scene itself; the state, power status and condition of computers, storage media, wireless network devices, mobile phones, smartphones, PDAs and other data storage devices; Internet and network access; and other electronic devices.
• The investigating officer should be aware that not all digital evidence may be situated close to the computer or other devices.
• The investigator may need to move a computer or another electronic device to discover its serial numbers or other identifiers.
• Moving a computer or another electronic device while it is on may damage it or the digital evidence it contains. Computers and other electronic devices must not be moved until they are switched off.
• The initial documentation of the scene should include a detailed record using video, photography, notes and sketches to help recreate or convey the details of the scene later.
• All activity and processes on display screens must be fully documented. Documentation of the scene may comprise the entire location, including the type, location and position of computers, their components and peripheral equipment, and other electronic devices.
• The scene may extend to several places; the investigating officer should document all physical links to and from the computers and other devices.
• Record any network and wireless access points that may be present and capable of linking computers and other devices to each other and to the Internet.
• The existence of network and wireless access points may indicate that additional evidence exists beyond the initial scene.
• A number of conditions may not permit the investigating officer to collect all electronic devices or components at a scene or location.
• Applicable laws or other factors may prohibit collecting some computer systems and other electronic devices and the information they contain; however, these devices should be included in the investigating officer's documentation of the scene.
CHAIN OF CUSTODY
• The chain of custody in digital forensics is also known as the paper trail, the forensic link, or the chronological documentation of the evidence.
• The chain of custody records the collection, sequence of control, transfer and analysis of the evidence.
• It also documents the details of each person who handled the evidence, the date and time it was collected or transferred, and the purpose of the transfer.
• It demonstrates to the courts and to the client that the evidence has not been tampered with.
• Digital evidence is acquired from numerous devices, including a vast number of IoT devices, audio evidence, video recordings, images, and other data stored on hard drives, flash drives and other physical media.

Importance of maintaining Chain of Custody
Importance to the Examiner:
• To preserve the integrity of the evidence.
• To prevent contamination of the evidence, which can alter its state.
• If you obtained metadata for a piece of evidence but are unable to extract any meaningful information from it, the chain of custody helps to show where possible evidence might lie, where it came from, who created it, and the type of equipment used. This helps you generate an exemplar and compare it to the evidence to confirm the evidence's properties.

Importance to the Court:
• If the chain of custody is not preserved, the evidence submitted in court might be challenged and ruled inadmissible.


Chain of Custody Process
• In order to preserve digital evidence, the chain of custody should span from the first step of data collection through examination, analysis and reporting to the time of presentation to the courts. This is very important to avoid any suggestion that the evidence has been compromised in any way.
• Data Collection: This is where the chain of custody process is initiated. It involves the identification, labeling, recording and acquisition of data from all possible relevant sources in a way that preserves the integrity of the data and evidence collected.
• Examination: During this process, the chain of custody information is documented, outlining the forensic process undertaken. It is important to capture screenshots throughout the process to show the tasks that were completed and the evidence uncovered.
• Analysis: This stage builds on the results of the examination stage. In the analysis stage, legally justifiable methods and techniques are used to derive useful information to address the questions posed in the particular case.
• Reporting: This is the documentation phase of the examination and analysis stages. Reporting includes the following:
  • Statement regarding the chain of custody.
  • Explanation of the various tools used.
  • A description of the analysis of the various data sources.
  • Issues identified.
  • Vulnerabilities identified.
  • Recommendations for additional forensic measures that can be taken.
PROCEDURE TO ESTABLISH THE CHAIN OF CUSTODY
• Save the original material.
• Take photos of the physical evidence.
• Take screenshots of the digital evidence.
• Document the date, time and any other information on the receipt of the evidence.
• Load a bit-for-bit clone of the digital evidence content onto the forensic computers.
• Perform a hash test analysis to authenticate the working clone.


FORENSIC CLONING OF EVIDENCE
• A forensic clone is an exact bit-for-bit copy of a piece of digital evidence.
• Files, folders, hard drives and more can be cloned.
• A forensic clone is also known as a bit-stream image or forensic image.
• A forensic image of a hard drive captures everything on the drive, from the physical beginning to the physical end. Performing a "copy and paste" via the operating system is not the same as a forensic clone.
• A true forensic image captures both the active and the latent data. That is the key difference between the two and the primary reason why a forensic image is preferred.
Cloning vs. Copy-paste

How is cloning different from copy-pasting?
• Forensic cloning is an exact bit-for-bit copy of a piece of digital evidence, including all the deleted data, while copy-pasting involves only the files and folders present on the device and not the deleted files.
• The investigating agencies use the cloning technique when there is a probability of the data being deleted or overwritten by the user.
• Cloning a data storage device can be a time-consuming process, and for that reason it usually makes more sense to do the cloning in the lab rather than at the scene. Cloning in the lab eliminates the need to be on scene for what could be hours. It also provides a much more stable environment, affording better control of the process.
• Having two clones gives you one to examine and one to fall back on.
• Ideally, all examinations are done on a clone as opposed to the original. Sometimes that isn't an option, especially in a business setting where the machine and drive must be returned to service.
• In the eyes of the court, a properly authenticated forensic clone is as good as the original.
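As an added illustration (not part of the slides), the following Python builds a constructed toy disk image with one live file and one deleted file whose bytes are still on disk, then contrasts an OS-style copy-paste with a bit-stream clone; the sector layout, file names and contents are all made up for the demonstration.

```python
# Added example (not from the slides): a constructed toy "disk image" showing why a
# bit-stream clone preserves deleted (latent) data that an OS-level copy-paste misses.
import hashlib

SECTOR = 64  # constructed toy sector size; sector 0 holds the directory table

def build_toy_image() -> bytes:
    """Constructed image: sector 0 = directory, sector 1 = live file, sector 2 = deleted file."""
    active = b"Quarterly report: revenue up 12%"        # a live (allocated) file
    deleted = b"DRAFT: merger offer withdrawn on 3 May"  # a file the user deleted
    # directory entries: name|offset|length|flag  ('A' = active, 'D' = deleted)
    table = b"report.txt|64|%d|A;notes.txt|128|%d|D" % (len(active), len(deleted))
    image = bytearray(SECTOR * 3)
    image[0:len(table)] = table
    image[64:64 + len(active)] = active
    image[128:128 + len(deleted)] = deleted  # "deleting" only flips the flag; bytes stay
    return bytes(image)

def parse_directory(image: bytes) -> list:
    """Return (name, offset, length, is_active) tuples from the directory sector."""
    entries = []
    for raw in image[:SECTOR].rstrip(b"\x00").split(b";"):
        name, off, ln, flag = raw.split(b"|")
        entries.append((name.decode(), int(off), int(ln), flag == b"A"))
    return entries

def copy_paste(image: bytes) -> dict:
    """Simulated OS copy-paste: only the files the directory still lists as active."""
    return {n: image[o:o + l] for n, o, l, active in parse_directory(image) if active}

def bit_stream_clone(image: bytes) -> bytes:
    """Forensic clone: every byte from the physical start to the physical end."""
    return bytes(image)

def carve_unallocated(clone: bytes) -> list:
    """Latent data: non-zero runs in space that no active file (or the directory) occupies."""
    used = set(range(0, SECTOR))
    for _, o, l, active in parse_directory(clone):
        if active:
            used.update(range(o, o + l))
    latent = bytes(b for i, b in enumerate(clone) if i not in used)
    return [run for run in latent.split(b"\x00") if run]

def sha256(data: bytes) -> str:
    """Hash used to show the clone is byte-identical to the source."""
    return hashlib.sha256(data).hexdigest()
```

The copy-paste result never contains the deleted draft, while carving the clone's unallocated space recovers it intact.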


The Cloning Process
• The suspect's drive is known as the source drive and the drive you are cloning to is called the destination drive.
• The destination drive must be at least as large as (if not slightly larger than) the source drive.
• The drive we want to clone (the source) is normally removed from the computer. It is then connected via cable to a cloning device of some kind or to another computer.
• It is critical to have some type of write blocking in place before starting the process.
• A write block is a crucial piece of hardware or software that is used to safeguard the original evidence during the cloning process.
• The hardware write block is placed between the cloning device (PC, laptop or standalone hardware) and the source.
• The write block prevents any data from being written to the original evidence drive. Using this kind of device eliminates the possibility of inadvertently compromising the evidence. Remember, the hardware write blocking device goes between the source drive and the cloning platform.
• There is a little prep work involved in making a clone. The destination drive must be forensically cleaned prior to cloning a suspect's drive to it. Most if not all forensic imaging tools will generate some type of paper trail proving that this cleaning has taken place. This paperwork becomes part of the case file.
• Once the connections are made, the process is started with the press of a couple of buttons or clicks of a mouse. When complete, a short report should be generated by the tool indicating whether or not the cloning was successful. Cloning is successful when the hash values (think "digital fingerprint") for the source and the clone match.
WRITE BLOCKER
• A write blocker is a tool which permits read-only access to data storage devices without compromising the integrity of the data. The original evidence (hard disk) must be connected to a write blocker before imaging.
• A fresh, sterilized destination disk, to which the original evidence will be imaged, should also be connected to the write blocker. However, care should be taken when choosing the source (original evidence) and destination hard disks in the forensic imaging software.
• On completion of the imaging process, both hard disks should be disconnected from the write blocker, labeled, preserved separately in anti-static bags and stored in a safe location.
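The cloning process and write-blocker steps above, as an added Python example that is not from the slides: two constructed files stand in for the source drive and the destination drive, the destination is checked for forensic cleanliness and size, the clone is written chunk by chunk, and source and clone hashes are compared to produce the success report. Opening the source read-only is only a software stand-in for the hardware write blocker the slides describe, not a replacement for it.

```python
# Added example (not from the slides): clone-and-verify workflow on constructed files.
import hashlib, os, tempfile

CHUNK = 1 << 16  # read/write granularity in bytes

def is_sterile(path: str) -> bool:
    """Forensic cleaning check: every byte of the destination must read as zero."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True

def clone_drive(src: str, dst: str) -> dict:
    """Bit-for-bit clone of src onto dst; hash both sides and report whether they match."""
    src_size, dst_size = os.path.getsize(src), os.path.getsize(dst)
    if dst_size < src_size:
        raise ValueError("destination must be at least as large as the source")
    if not is_sterile(dst):
        raise ValueError("destination has not been forensically cleaned")
    src_hash, dst_hash = hashlib.sha256(), hashlib.sha256()
    fd = os.open(src, os.O_RDONLY)  # read-only handle: software stand-in for a write blocker
    with os.fdopen(fd, "rb") as s, open(dst, "r+b") as d:
        while chunk := s.read(CHUNK):
            src_hash.update(chunk)
            d.write(chunk)
    remaining = src_size  # re-read the clone independently to verify what landed on disk
    with open(dst, "rb") as d:
        while remaining > 0:
            chunk = d.read(min(CHUNK, remaining))
            if not chunk:
                break
            dst_hash.update(chunk)
            remaining -= len(chunk)
    return {"bytes_cloned": src_size, "source_sha256": src_hash.hexdigest(),
            "clone_sha256": dst_hash.hexdigest(),
            "success": src_hash.digest() == dst_hash.digest()}

def make_drives(dirty: bool = False) -> tuple:
    """Constructed 200 KiB 'source' and a 256 KiB zero-filled (or dirty) 'destination'."""
    tmp = tempfile.mkdtemp()
    src, dst = os.path.join(tmp, "source.img"), os.path.join(tmp, "dest.img")
    with open(src, "wb") as f:
        f.write(os.urandom(200 * 1024))
    with open(dst, "wb") as f:
        f.write(b"\x00" * (256 * 1024))
        if dirty:  # simulate a destination that was never forensically cleaned
            f.seek(4096)
            f.write(b"leftover data from a previous case")
    return src, dst

def rejects_dirty_destination() -> bool:
    """True if the workflow refuses to image onto an uncleaned destination."""
    src, dst = make_drives(dirty=True)
    try:
        clone_drive(src, dst)
    except ValueError:
        return True
    return False
```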
LIVE AND DEAD SYSTEM FORENSICS
• METHODS OF ACQUISITION
A. Live Acquisition
B. Dead/Offline Acquisition

Live Acquisition
• A live system refers to a system that is up and running, where information may be altered as data is continuously processed.
• There is a lot of information of evidentiary value that could be found on a live system.
• Switching it off may cause loss of volatile data such as running processes, network connections and mounted file systems.
• In contrast, leaving a computer running may cause evidence to be altered or deleted. The investigator therefore needs to decide which alternative is best in a given situation. Another approach is to use specialized tools to extract volatile data from the computer before shutting it down.
• The live acquisition technique is the real-world live digital forensic investigation process.
• For example, a common approach to live digital forensics involves putting an acquisition tool into read-only mode on the system, then attaching writable media or a disk to the system and using the tool to start live imaging, via a Graphical User Interface (GUI) if available or otherwise a Command Line Interface (CLI).
Dead/Offline Acquisition
• Dead system forensics can produce some information, but it cannot recover everything.
• In order to create a forensic image of an entire disk, best practice dictates that the imaging process should not alter any data on the disk and that all data, metadata and unallocated space be included.
• Traditionally, forensic investigators accomplish this by powering down the system and removing the disk (or disks) in order to connect it to a forensic workstation or a hardware or software write-blocker to create the image. This is referred to as dead imaging.
• A write-blocker, as its name implies, prevents any data from being written to the disk, allowing read access only.
• Removing a disk from a running system prevents any further changes due to normal system operations or process and user interactions.
• Using a write-blocker during evidence acquisition preserves the integrity of the file metadata, such as timestamps, that may be relevant to the investigation.
• Dead systems are systems that are switched off and on which no data processing is taking place. To retain the integrity of the data it is often considered appropriate to cut the power supply to the computer, but this will have other implications.
HASHING CONCEPTS TO MAINTAIN THE INTEGRITY OF EVIDENCE
• A hash value is a fixed-length value that represents a large amount of data with a much smaller value that uniquely identifies that data.
• Hash values are thus useful for authenticating and verifying the integrity of any given data set (files, folders, storage media) to be used as evidence in courts of law across the world.
• There are different types of hash algorithms, but the most common ones are MD5 (Message Digest), SHA-1 (Secure Hash Algorithm), SHA-2, etc.
• Digital forensics professionals use hashing algorithms such as MD5 and SHA1 to generate hash values of the original files they use in an investigation.
• This ensures that the information isn't altered during the course of the investigation, since various tools and techniques involved in data analysis and evidence collection can affect the data's integrity.
• Another reason why hash values are important is that electronic documents are shared with legal professionals and other parties during an investigation, and it is important to ensure that everyone has identical copies of the files.

MD5 AND SHA1 HASHING ALGORITHMS
• MD5 and SHA1 are the two most popular hashing algorithms used by digital forensics professionals today.
• MD5: MD5, aka the Message Digest algorithm, is a hashing algorithm that was created by Ron Rivest to replace the previous hash algorithm MD4. MD5 is the fifth and latest version of the original MD algorithm and it creates hash values of 128 bits.
• SHA1: SHA1, aka the Secure Hash Algorithm, is another popular hashing algorithm which is modelled after MD5. It is more powerful than MD5 and produces hash values of 160 bits.
• The use of MD5 and SHA1 hash algorithms is a standard practice in digital forensics. These algorithms allow investigators to preserve digital evidence from the moment they acquire it to the point it is produced in court.
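The following is an added Python example (not from the slides) that ties the earlier "Procedure to establish the chain of custody" to the hashing material here: a constructed, append-only custody ledger in which every handoff re-hashes the evidence, so a missing entry or an alteration while in someone's custody becomes detectable. The evidence bytes, handler names and item id are made up; the `digest` helper also accepts "md5" and "sha1" so the 128-bit and 160-bit lengths stated above can be checked.

```python
# Added example (not from the slides): an append-only chain-of-custody ledger in which
# every transfer re-hashes the evidence, so a gap or an alteration becomes detectable.
import hashlib
from datetime import datetime, timezone

def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest; algo may be "md5" (128-bit), "sha1" (160-bit) or "sha256"."""
    return hashlib.new(algo, data).hexdigest()

class CustodyLedger:
    """One ledger per evidence item; entry 0 is the collection event."""

    def __init__(self, item_id: str, evidence: bytes, collected_by: str, algo="sha256"):
        self.item_id, self.algo, self.entries = item_id, algo, []
        self._record(collected_by, None, "collection", evidence)

    def _record(self, handler, received_from, purpose, evidence) -> dict:
        entry = {
            "seq": len(self.entries),            # position in the chain
            "item": self.item_id,
            "handler": handler,                  # who holds the item from now on
            "from": received_from,               # who handed it over (None at collection)
            "purpose": purpose,
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "hash": digest(evidence, self.algo),  # recomputed at every handoff
            "prev_hash": self.entries[-1]["hash"] if self.entries else None,
        }
        self.entries.append(entry)
        return entry

    def transfer(self, to_handler: str, purpose: str, evidence: bytes) -> bool:
        """Log a handoff; returns False if the item no longer hashes as it did before."""
        entry = self._record(to_handler, self.entries[-1]["handler"], purpose, evidence)
        return entry["hash"] == entry["prev_hash"]

def verify_chain(entries: list, algo: str = "sha256") -> list:
    """Return the problems found; an empty list means the chain is intact."""
    problems, digest_len = [], len(hashlib.new(algo).hexdigest())
    for i, e in enumerate(entries):
        if e["seq"] != i:
            problems.append(f"gap or reordering at seq {e['seq']}")
        if len(e["hash"]) != digest_len:
            problems.append(f"malformed hash at seq {e['seq']}")
        if i and e["prev_hash"] != entries[i - 1]["hash"]:
            problems.append(f"link broken at seq {e['seq']}")
        if i and e["hash"] != e["prev_hash"]:
            problems.append(f"evidence changed while held by {entries[i - 1]['handler']}")
    return problems
```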

Differentiating Factor    MD5         SHA1
Length of hash value      128 bits    160 bits
Security level            Poor        Moderate
Speed                     Fast        Slow
Algorithm complexity      Simple      Complex
REPORT DRAFTING
• The main goal of computer forensics is to perform a structured investigation on a computing device to find out what happened or who was responsible for what happened, while maintaining a properly documented chain of evidence in a formal report.
• The syntax or template of a computer forensic report is as follows:

Executive Summary:
• The Executive Summary section of the computer forensics report template provides background data on the conditions that created the requirement for the investigation.
• The Executive Summary, or Translation Summary, is read by senior management, as they do not read the detailed report.
• This section must contain a short description, details and important points. This section could be one page long.
• The Executive Summary section consists of the following:
  • An account of who authorized the forensic examination.
  • A short list of the significant evidence.
  • An explanation of why a forensic examination of the computing device was necessary.
  • A signature block for the examiners who performed the work.
  • The full, legitimate and proper names of all people related to or involved in the case, their job titles, and the dates of initial contacts or communications.

Objectives:
• The Objectives section is used to outline all the tasks that the investigation planned to complete.
• In some cases, the forensic examination may not be a full-fledged investigation when reviewing the contents of the media.
• The prepared plan list must be discussed with and approved by legal counsel, decision makers and the client before any forensic analysis.
• This list should consist of the tasks undertaken, the method used by the examiner for each task, and the status of each task at the end of the report.

Computer Evidence Analyzed:
• The Computer Evidence Analyzed section is where all the gathered evidence and its interpretations are introduced.
• It provides detailed information regarding the assignment of evidence tag numbers, the description of the evidence and media serial numbers.

Relevant Findings:
• The Relevant Findings section gives a summary of the evidence found that has probative value. When a match is found between forensic material recovered from a crime scene (e.g., a fingerprint, a strand of hair, a shoe print, etc.) and a reference sample provided by a suspect in the case, the match is widely considered strong evidence that the suspect is the source of the recovered material.
• However, the probative value of evidence can vary widely depending on the way in which the evidence is characterized and the hypothesis of interest. This section answers questions such as "What related objects or items were found during the investigation of the case?".

Supporting Details:
• Supporting Details is the section where the in-depth analysis of the relevant findings is done. It explains how the conclusions outlined in Relevant Findings were reached. It contains a table of vital files with their full path names, the results of string searches, emails/URLs reviewed, the number of files reviewed and any other relevant data.
• All tasks undertaken to meet the objectives are outlined in this section.
• In Supporting Details the focus is on technical depth. It includes charts, tables and illustrations, as these convey much more than written text. To meet the outlined objectives, many subsections are also included.
• This section is the longest section. It starts by giving the background details of the media analyzed.
• It is not easy to report the number of files reviewed and the size of the hard drive in human-understandable language. Therefore, your client must know how much data you had to review to arrive at a conclusion.

Investigative Leads:
• The Investigative Leads section lists action items that could help to discover additional information related to the investigation of the case.
• The investigators perform all outstanding tasks to find extra information if more time is left.
• The Investigative Leads section is very critical to law enforcement. This section suggests extra tasks that would discover the information needed to move the case forward, e.g. finding out whether there are any firewall logs that date far enough into the past to give a correct picture of any attacks that might have taken place.
• This section is important for a hired forensic consultant.

Additional Subsections:
• Various additional subsections are included in a forensic report. These subsections depend on the client's wants and needs. The following subsections are useful in specific cases:
  • Attacker Methodology
  • User Applications
  • Internet Activity
  • Recommendations

For a sample report, please refer to:
https://www.rnyte-cyber.com/uploads/9/8/5/9/98595764/exampledigiforensicsrprt_by_ryan_nye.pdf
