Digital Forensics Module 1

This document provides an introduction to computer forensics and digital evidence. It discusses the history of computer crimes and definitions of key terminology. The document also outlines the investigative process for computer forensics, which typically involves collecting digital evidence, examining it, analyzing it, and reporting the findings. Computer forensics is important for investigating a wide range of crimes that involve computers and digital evidence.

Uploaded by

Yash Agarwal

Computer forensics Introduction Digital Evidence and Computer Crime History and Terminology of Computer Crime Investigation

1 Computer forensics Introduction

2 Digital Evidence and Computer Crime

3 History and Terminology of Computer Crime Investigation

4 Technology and Law

5 The Investigative Process

6 Investigative Reconstruction

7 Modus Operandi

8 Digital Evidence in the Courtroom

(GITAM School of Technology) Digital forensics July 20, 2022 2 / 28



Computer forensics Introduction


1 Computer forensics, also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination, is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence.
2 A thorough analysis by a skilled examiner can result in the reconstruction of the activities of a computer user.
3 In other words, computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence. Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.


Digital evidence and Computer crime


Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive or a mobile phone, among other places. Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud. The process of acquiring, examining, and applying digital evidence is crucial to the success of prosecuting a cyber criminal. Computers can be involved in a wide variety of crimes, including white-collar crimes, violent crimes such as murder and terrorism, counterintelligence, economic espionage, counterfeiting, and drug dealing; crimes in which a computer is involved are called computer crime.


History and Terminology of Computer Crime Investigation


1 A 2003 FBI survey reported that the average bank robbery netted
$6,900, whereas the average computer crime netted $900,000.
2 The Internet has made targets much more accessible, and the risks
involved for the criminal are much lower than with traditional crimes.
A person can sit in the comfort of his home or a remote site and hack
into a bank and transfer millions of dollars to a fictitious account, in
essence robbing the bank, without the threat of being gunned down
while escaping.
3 The same FBI survey revealed that both public and private agencies
face serious threats from external as well as internal sources. Out of
the 849 organizations that responded to the survey, 30% claimed
theft of proprietary information, 23% reported sabotage of data or
their networks, 35% experienced system penetration from an outside
source, and 12% claimed financial fraud.


cont...
4 Recently a survey was conducted to determine where the FBI was
focusing its computer forensic efforts. An alarming 74% of its
workload is centered on white-collar crime.
5 This type of crime includes health care fraud, government fraud
including erroneous IRS and Social Security benefit payments, and
financial institution fraud. These are high-dollar crimes made easy by
technology.
6 The other 26% of the workload is split equally among violent crime
(child pornography, interstate theft), organized crime (drug dealing,
criminal enterprise), and counterterrorism and national security. As
shown by this survey, computer crime is widespread and has infiltrated
areas unimaginable just a few years ago. The FBI caseload has gone
from near zero in 1985 to nearly 10,000 cases in 2003. It is no doubt
considerably higher today.


Roles of a Computer in a Crime: A computer can play one of three roles in a computer crime.
1 A computer can be the target of the crime.
2 It can be the instrument of the crime.
3 It can serve as an evidence repository storing valuable information
about the crime.
In some cases, the computer can have multiple roles. It can be the
“smoking gun” serving as the instrument of the crime. It can also
serve as a file cabinet storing critical evidence. For example, a hacker
may use the computer as the tool to break into another computer and
steal files, then store them on the computer. When investigating a
case, it is important to know what roles the computer played in the
crime and then tailor the investigative process to that particular role.


Technology and Law


Technologies
1 Behavioral Analytics: Behavioral analytics looks at data to
understand how people behave on websites, mobile applications,
systems, and networks.
2 Blockchain: Blockchain is a type of database that securely stores
data in blocks. It connects the blocks through cryptography.
Blockchain allows information to be collected, but not edited or
deleted.
3 Cloud Encryption: Cloud services improve efficiency, help
organizations offer improved remote services, and save money.
However, storing data remotely in the cloud can increase data
vulnerabilities.
4 Context-Aware Security: Context-aware security is a type of
cybersecurity technology that helps businesses make better security
decisions in real time.

5 Defensive Artificial Intelligence (AI): Cybersecurity professionals can use defensive artificial intelligence (AI) to detect or stop cyberattacks.
6 Extended Detection and Response (XDR): Extended detection and
response (XDR) is a type of advanced cybersecurity technology that
detects and responds to security threats and incidents.
7 Manufacturer Usage Description (MUD): Manufacturer usage
description (MUD) is a standard created by the Internet Engineering
Task Force to strengthen security for IoT devices in small business
and home networks.
8 Zero Trust: Traditional network security followed the motto
"trust but verify," assuming that users within an
organization's network perimeter were not malicious threats.


Laws
E-governance: the IT Act of 2000 discusses electronic governance issues and procedures and deals in detail with the legal recognition of electronic records, followed by a description of procedures for electronic records and their storage and maintenance.


Figure: India act cont.


Figure: Penal code

There are various laws enforced in western countries such as the USA, the UK, and Australia.

The Investigative Process


Investigative process steps:
• There are many models available from globally recognised standards such as the International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) ISO/IEC 27041, 27042 and 27043, and from the National Institute of Standards and Technology (NIST).
• The NIST 800-86 model states that the following process should be conducted for digital forensics: Collection, Examination, Analysis, and Reporting.


Figure: Investigative process elaborated steps


1. Identification
The identification phase focuses on identifying potential sources of relevant
evidence, as well as key custodians (suspects) and physical locations of data.
2. Collection
The collection phase involves collecting the relevant evidence at the crime
scene or client site that was identified in the identification phase for forensic
analysis back in the forensics lab.
3. Preservation
The preservation stage involves the process of protecting the evidence while
maintaining the integrity of the source data.
4. Examination
The examination stage involves processing the working-copy evidence that was collected and preserved, utilising various tools and techniques and following a defined, repeatable, step-by-step process.


5. Analysis
In this phase, the processed evidence is analysed to answer the questions
of the investigation of Who, What, When, Why, Where, and How. The
forensics team analyses specific artefacts from the processed data depending
on the type of investigation.
6. Presentation
The presentation phase, the final step, involves taking the findings from the analysis stage and presenting the information in a detailed report as the deliverable to the internal client.
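As an added example (not part of the original slides), the preservation and examination phases above expressed in code: the acquired image is hashed at seizure, every handling step is appended to a chain-of-custody log, and each working copy is re-hashed before examination so that a copy that no longer matches the source is caught. The image bytes, item id and examiner names are constructed for the demo.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a seized disk image; in practice this is a file
# acquired through a write blocker. The bytes are arbitrary demo data.
SEIZED_IMAGE = b"NTFS    " + bytes(range(256)) * 4


def sha256_hex(data: bytes) -> str:
    """Hash the acquired data; the value is recorded at acquisition time."""
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Append-only record of who handled an item, when, and its hash."""

    def __init__(self, item_id: str, original: bytes, seized_by: str):
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(original)
        self.entries: list[dict] = []
        self.record(seized_by, "acquired and hashed", self.acquisition_hash)

    def record(self, handler: str, action: str, observed_hash: str) -> dict:
        entry = {
            "item": self.item_id,
            "handler": handler,
            "action": action,
            "sha256": observed_hash,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            # Any entry whose hash drifts from the acquisition hash breaks
            # the chain and must be explained before the item is relied on.
            "matches_acquisition": observed_hash == self.acquisition_hash,
        }
        self.entries.append(entry)
        return entry

    def verify_working_copy(self, handler: str, working_copy: bytes) -> bool:
        """Examination runs on a copy; confirm it still equals the original."""
        entry = self.record(handler, "verified working copy",
                            sha256_hex(working_copy))
        return entry["matches_acquisition"]

    def export(self) -> str:
        """Serialise the log for inclusion in the final report."""
        return json.dumps(self.entries, indent=2)


def demo() -> tuple[bool, bool, int]:
    coc = ChainOfCustody("EXH-001", SEIZED_IMAGE, "examiner A")
    good_copy = bytes(SEIZED_IMAGE)
    # Constructed tampering: a single flipped bit, as a stray write would cause.
    bad_copy = bytearray(SEIZED_IMAGE)
    bad_copy[100] ^= 0x01
    good_ok = coc.verify_working_copy("examiner B", good_copy)
    bad_ok = coc.verify_working_copy("examiner B", bytes(bad_copy))
    return good_ok, bad_ok, len(coc.entries)


if __name__ == "__main__":
    print(demo())
```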


Investigative Reconstruction (with Digital Evidence)


• Be aware that crime is not always committed in a straightforward
manner.
• Recognize that investigative reconstruction refers to the systematic
process of piecing together evidence.
• Recognize the need to conduct equivocal forensic analysis to ensure
that evidence is evaluated objectively. Be aware that the results of
investigative reconstruction may be affected by outside influences and
preconceived theories.
• Recognize that evidence that is used to reconstruct
crimes falls into three categories:
1 Relational
2 Functional
3 Temporal
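An added example, not from the original slides, of the relational, functional and temporal categories applied to reconstruction: artefacts from three constructed sources are normalised to UTC and merged into one timeline, each event carries the account it relates to and the action it shows, and MFT records whose modified time precedes their created time are flagged as timestamp anomalies. All paths, accounts and log lines are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(order=True)
class Event:
    when: datetime   # normalised to UTC so different sources can be merged
    source: str
    actor: str       # relational: which account the artefact links to
    action: str      # functional: what the artefact shows happening
    detail: str


# Constructed artefacts standing in for three sources whose native time
# formats differ (MFT and security log in UTC, web log in local time).
MFT_RECORDS = [  # (path, owner, created_utc, modified_utc)
    ("C:\\Users\\bob\\payroll.xlsx", "bob",
     "2022-07-20T09:15:02", "2022-07-20T09:40:17"),
    ("C:\\Users\\bob\\notes.txt", "bob",
     "2022-07-20T10:02:00", "2022-06-01T08:00:00"),
]
WEB_LOG = [  # Apache-style line; the timestamp carries a +05:30 offset
    '10.0.0.7 - bob [20/Jul/2022:15:05:41 +0530] "POST /upload HTTP/1.1" 200 48211',
]
SECURITY_LOG = [  # (utc, user, event)
    ("2022-07-20T09:10:30", "bob", "logon"),
]


def utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def parse_apache_time(stamp: str) -> datetime:
    # %z understands the +0530 offset; convert so ordering is correct.
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)


def build_timeline() -> list[Event]:
    """Temporal reconstruction: merge every source into one ordered list."""
    events = []
    for path, owner, created, modified in MFT_RECORDS:
        events.append(Event(utc(created), "MFT", owner, "file created", path))
        events.append(Event(utc(modified), "MFT", owner, "file modified", path))
    for line in WEB_LOG:
        user = line.split()[2]
        stamp = line[line.index("[") + 1:line.index("]")]
        request = line.split('"')[1]
        events.append(Event(parse_apache_time(stamp), "web", user,
                            "http request", request))
    for when, user, what in SECURITY_LOG:
        events.append(Event(utc(when), "security", user, what, ""))
    return sorted(events)


def timestomp_suspects() -> list[str]:
    """A file modified before it was created cannot be an untouched file."""
    return [p for p, _, c, m in MFT_RECORDS if utc(m) < utc(c)]


def actor_sequence(actor: str) -> list[str]:
    """Relational view: everything the timeline ties to one account."""
    return [e.action for e in build_timeline() if e.actor == actor]
```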


Recognize the role of victimology in the course of an investigation. Recognize the connection between crime scene characteristics and modus operandi.
Be aware that the two most common types of reports are:
• A threshold assessment (a preliminary summary of findings)
• A full investigative report


Modus Operandi
• Be aware that introduction of any new technologies may have
unintended consequences.
• Recognize that the technology is not evil – however, its application
may be.
• Recognize that “modus operandi” answers the “How” part of the
investigation.
• Recognize that adopting new technologies into a criminal modus
operandi is not new.
• Recognize that “motive” answers the “Why” part of the investigation.
• Be aware that “offense behaviors” classify criminal acts into discrete
categories:
1 Power reassurance
2 Power assertive
3 Anger retaliatory
4 Sadistic
5 Opportunistic
6 Profit oriented

Motive and Technology


Motivation
1. Financial Gain
The primary motivation of a hacker is money, and getting it can be done
with a variety of methods.
Example: They could directly gain entry to a bank or investment account;
steal a password to your financial sites and then transfer the assets over
to one of their own; swindle an employee into completing a money transfer
through a complicated spear phishing technique, or conduct a ransomware
attack on your entire organization.
The possibilities are endless, but most hackers are out to make a profit.
2. Recognition Achievement
Some hackers are motivated by the sense of achievement that comes with
cracking open a major system. Some may work in groups or independently,
but, on some scale, they would like to be recognized.
This also ties into the fact that cyber criminals are competitive by nature,
and they love the challenge their actions bring.

3. Insider Threats
Individuals who have access to critical information or systems can easily choose to misuse that access—to the detriment of their organization. These threats can come from internal employees, vendors, a contractor or a partner—and are viewed as some of the greatest cyber security threats to organizations.

4. Political Motivation – “Hacktivism”
Some cyber criminal groups use their hacking skills to go after large organizations. They are usually motivated by a cause of some sort, such as highlighting human rights or alerting a large corporation to their system vulnerabilities, or they may go up against groups whose ideologies do not align with their own.


5. State Actors
State-sponsored actors receive funding and assistance from a nation-state. They are specifically engaged in cyber crime to further their nation’s own interests. Typically, they steal information, including “intellectual property, personally identifying information, and money to fund or further espionage and exploitation causes.”

6. Corporate Espionage
This is a form of cyber attack used to gain an advantage over a competing organization. Conducted for commercial or financial purposes, corporate espionage involves:
• Acquiring property like processes or techniques, locations, customer data, pricing, sales, research, bids, or strategies
• Theft of trade secrets, bribery, blackmail, or surveillance.


Technology
• Behavioral Analytics
• Blockchain
• Cloud Encryption
• Context-Aware Security
• Defensive Artificial Intelligence
• Extended Detection and Response (XDR)
• Manufacturer Usage Description (MUD)
• Zero Trust


Digital Evidence in the Courtroom:


Be aware of the difference between concerns of the law and scientific knowledge.
Be aware of the concerns of the court in regard to forensic examination of digital evidence:
• The integrity of the digital investigator
• Authenticity of the digital evidence they present


1 Be aware of the US Federal Rules of Evidence and how they relate to the authenticity of evidence.
2 Recognize that the duty of experts is to present objective, unbiased truth in the matters before the court. Recognize that digital examiners have a duty to resist influences, both subtle and overt, to form an opinion on a case.
3 Recognize that every case is unique and be aware of the problem of preconceived theories.
4 Be aware that in the courts, theories based on scientific truth are subordinate to the legal judgment.


• Be aware of the connection between proper evidence handling and admissibility.
• Be aware of the connection between authorization to search and admissibility.
• Be aware of four considerations when searching and seizing digital evidence:
1 Does the Fourth Amendment and/or Electronic Communications Privacy Act (ECPA) apply?
2 Have Fourth Amendment and/or ECPA requirements been met?
3 How long can investigators remain at the scene?
4 What do investigators need to reenter?
• Be aware of the role of chain of custody in assuring evidence authenticity.


• Be aware of the concept of “best evidence.”
• Be aware of why hearsay evidence may not be admissible.
• Recognize that there are exceptions to the hearsay rule.
• Be aware of the application of levels of certainty to digital evidence.
• Recognize that there is a difference between direct and circumstantial
evidence.
• Be aware of the four criteria for evaluating scientific theories and
techniques.
• Recognize that a well-written report can bolster a weak case, and
that a poorly written report can undermine a strong case.


• Be aware that a digital investigator, before taking the stand, must first be recognized as an expert by the court.
• The foundation of a case involving digital evidence is proper evidence handling: proper practices for seizing, storing, and accessing evidence, and verification that the evidence was properly handled.
• It is important to emphasize that digital investigators will be presenting their findings to a non-technical audience. Therefore, it is imperative that digital investigators are able to convey complex concepts in easier-to-understand terms.
