Rudiments of Digital Forensics

Shreya Talukdar
15 min readFeb 27, 2022

Hello readers. Once again, welcome to my blog and thank you for choosing this platform. In this article I have tried to throw light on the basics of Digital Forensics. Hope you enjoy it 👍

When we talk about digital forensics, the starting point is Locard's exchange principle.

🔎 Locard's Principle: EVERY CONTACT LEAVES A TRACE 👣

👉 Deleted data is rarely gone immediately: deletion normally removes only the reference to the data, and the content stays on the medium until it is overwritten, which is why deleted files can so often be recovered.

👉 Every dead body tells its own story; we only need to know how to read it. The same is true of a disk, a memory dump or a log file.

🔎 WHAT IS THE NEED FOR COMPUTER FORENSICS ?

Computer forensics reconstructs what happened on a system, helps establish who did it and why, and produces evidence that will stand up in court. For an organization it also supports incident response: detecting security breaches, understanding how confidential information was exposed, and fixing the weaknesses found so that the same loss does not recur.

🔎 Cyber Crime and its types

Cybercrime, also known as digital or computer crime, is illegal activity committed using or against computers and networks. Examples include identity theft, crimes committed via botnets, child sexual abuse material, blackmail and extortion, social engineering, online spam and fraud, cryptojacking and cyberbullying.

🔎 Digital footprints / Artefacts : A digital footprint is the impression you create on the internet through your online activity, which includes browsing, interactions with others, and publication of content. In other words, it is the trail of data, intentional and unintentional, that you leave behind while using the internet. In forensic terms, an artefact is any such trace that an examiner can recover and interpret, whether it sits on the device itself (browser history, registry keys, log entries) or on a remote server.

🔎 Branches of Computer forensic science :

👉 Windows/Linux/macOS Forensics

👉 Smartphone Forensics

👉 Dark Web Forensics

👉 IoT forensics

👉 Database forensics

👉 Malware forensics

👉 Memory forensics

👉 Email Forensics

👉 Network forensics

👉 Server forensics

👉 Web forensics

👉 Cloud forensics

🔎 The EDRM Framework

The EDRM (Electronic Discovery Reference Model) marks out the stages of the eDiscovery process. It consists of nine stages, from information governance and identification through preservation, collection, processing, review and analysis to production and presentation, that outline what eDiscovery activities during an investigation look like.

🔎 Process or stages of computer forensics (IPAD) :

  1. Identification : First, find the evidence and note where it is stored and in what form.
  2. Preservation : Next, isolate, secure and preserve the data. This includes preventing anyone from tampering with the evidence and documenting its state before it is touched.
  3. Analysis : Next, reconstruct fragments of data and draw conclusions based on the evidence found.
  4. Documentation and Presentation : Following that, create a record of all the data to recreate the crime scene. Lastly, summarize the findings and present the conclusions.

For more info on IPAD , kindly refer : https://d3pakblog.wordpress.com/2021/04/04/digital-forensics-skillsets/

🔎 WHAT IS DIGITAL EVIDENCE ?

Digital evidence, also known as electronic evidence, is data or information that has value during the investigation of a digital crime. Every piece of data present on a digital device is a potential source of digital evidence. Examples of digital evidence are emails, messages, screenshots, files, browsing history, orphan files, etc.

🔎 CORE COMPONENTS OF DIGITAL FORENSIC SCIENCE

👉 Disk Imaging (Forensic Media Acquisition)

  • The processes and tools used to copy a physical storage device bit by bit into a bitstream file that is an exact, unaltered copy of the media being duplicated, for conducting investigations and gathering evidence. This copy does not just include the files visible to the operating system, but every bit of data: every sector, partition, file and folder, the master boot record, deleted files and unallocated space. The image is an identical copy of all the drive structures and contents.
  • Disk imaging of the original evidence is done because the investigation should never be carried out on the original evidence acquired from the crime scene. Working on an image protects the original storage media, thus maintaining the integrity of the data.
  • Damage that can occur to the evidence includes water damage, physical or mechanical damage, damage to the printed circuit board (PCB), fire damage, smoke damage and many others.
  • The different disk image formats are:

♦️ RAW (DD) : A bit-for-bit copy of the raw data; the file contains nothing but the unmodified source data. The main disadvantage of the raw image format is the lack of any metadata: without the separate text log written by the imaging tool there is no way to determine the source of the image or the hash recorded at acquisition. It also lacks any form of compression, making the image as large as the source drive.

♦️ E01 (EnCase Evidence File) : Contains a physical bitstream copy stored in a single file or in multiple segment files, enriched with metadata. This metadata includes case information, examiner name, notes, per-block CRC checksums and an MD5 hash of the acquired data (newer tools can also store SHA-1). It also offers compression and password protection.

♦️ SMART : Used by the SMART tool for Linux. The image is stored in a single segment file or multiple segment files, each with metadata.

♦️ AFF (Advanced Forensics Format) : An open format for the storage of forensic images, not tied to proprietary software; it supports compression and metadata. Its successor, AFF4, is the current version of the format.

👉 Disk Cloning — Duplicating data from one drive to another physical device, sector by sector, is referred to as cloning. The data is arranged in the same physical order, including free space and any fragmentation that was on the drive. Cloning copies not only the files but program configurations, partition tables and boot records, so that if the existing drive fails the new drive can be connected and used. A clone is a drive, an image is a file: both are bit-for-bit copies, but an image can carry metadata and be hashed and stored as a single unit.

Disk cloning

👉 Disk Duplicator — Hardware duplicators are the most robust way to create a forensic image. They copy the entire contents of a drive quickly and accurately, with built-in write blocking and hashing, without having to mount the drive in a computer.

Tableau Forensic Duplicator

👉 Forensic seizure — The legal term for a law enforcement agent's examination of a person's home, vehicle or business to find evidence that a crime has been committed. If evidence is found, the agent may then “seize” it.

👉 Data Carving & Data Mining — Data carving is the process of extracting files from raw data (typically unallocated space) without help from the file system, by recognising format-specific characteristics such as known header and footer signatures.

Data mining is the process of digging out useful information, based on correlations or patterns, from a huge volume of data; it is very useful in a cyber investigation process.
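As an added example (not the post's own code and not the implementation of any carving tool), the following signature-based carver does at small scale what foremost or scalpel do: it scans a raw byte stream, with no file-system help at all, for known header and footer signatures and cuts out whatever lies between them. The signature table, the size cap and the constructed sample image are this example's own:

```python
"""Signature-based file carving over a raw image.

Added example for this post (not the author's code and not any carving
tool's implementation). It scans raw bytes, which may be unallocated space
with no file system structure at all, for known header and footer
signatures and cuts out whatever lies between them. Only JPEG and PNG are
handled; the signature table, size cap and sample image are this example's
own.
"""

SIGNATURES = {
    # type: (header, footer)
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer after 10 MiB


def carve(raw, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return [(type, offset, data), ...] for every header that has a footer.

    A header with no footer within max_size (a truncated or partly
    overwritten file) is skipped rather than carved to the end of the image.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        start = raw.find(header)
        while start != -1:
            limit = min(len(raw), start + max_size)
            end = raw.find(footer, start + len(header), limit)
            if end == -1:
                start = raw.find(header, start + 1)  # orphan header: move on
                continue
            end += len(footer)
            found.append((kind, start, raw[start:end]))
            start = raw.find(header, end)  # resume after the carved file
    found.sort(key=lambda item: item[1])
    return found


def build_sample_image():
    """Constructed raw 'unallocated space': filler, a PNG, filler, a JPEG,
    filler, and a JPEG header whose file was cut off. Returns (raw, png, jpg)."""
    png = (b"\x89PNG\r\n\x1a\n"
           + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00\x00\x00\x00"  # IHDR chunk, fake CRC
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")                            # IEND chunk
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 32 + b"\xff\xd9"
    orphan = b"\xff\xd8\xff\xe1" + b"\x22" * 20  # header present, footer overwritten
    filler = b"\x00" * 600
    raw = filler + png + filler + jpg + filler + orphan
    return raw, png, jpg


if __name__ == "__main__":
    raw, png, jpg = build_sample_image()
    for kind, offset, data in carve(raw):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

A real carver needs more than this: a JPEG footer can occur inside an embedded thumbnail, fragmented files need smarter reassembly, and formats such as PNG carry chunk lengths that allow structure-aware carving instead of a blind footer search.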

👉 Hash Value — A hash value is a fixed-length string derived from data of any size by running it through a hash function. Its main objective in forensics is to demonstrate the integrity of digital data. Common hash functions are MD5, SHA-1, the SHA-2 family (e.g. SHA-256), CRC-32 and Tiger. CRC-32 is a checksum for detecting accidental corruption, not a cryptographic hash, and cannot be relied on against deliberate tampering.

Data integrity and hash value importance in forensics :

👉 It is used to determine whether two pieces of media, or two files, are identical

👉 Hash values are used to identify and filter duplicate files (i.e. email, attachments, and loose files) from an ESI (Electronically Stored Information) collection, or to verify that a forensic image or clone was captured successfully. Each hashing algorithm uses a specific number of bytes to store a “thumbprint” of the contents.

👉 It is just like biometric identification of digital files, folders and even whole drives

👉 Some of the known hashing algorithms are :

  1. MD5 (Message Digest 5) — 128-bit digest, 32 hex characters
  2. SHA-1 (Secure Hash Algorithm 1) — 160-bit (20-byte) digest, 40 hex characters
  3. SHA-256 (Secure Hash Algorithm 256) — 256-bit (32-byte) digest, 64 hex characters

MD5 and SHA-1 are still widely accepted for verifying that an image is a faithful copy, but practical collisions are known for both, so record SHA-256 as the primary hash and treat MD5 as a secondary one where the tooling requires it.

🔎 Hash values change when the content of the file changes, no matter how small the change is.

Hence, hashing is important: it makes sure that the digital evidence has not been tampered with in any way, bit by bit, thereby maintaining the integrity of the data. Compute the hash while acquiring, hash the finished image to confirm it matches, and record both values in the acquisition notes.
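As an added example serving both the disk imaging section above and this hashing section (not the post's own code, and not any particular tool's implementation), here is a bit-stream acquisition that does what dd with conv=noerror,sync, dc3dd or ewfacquire do: it copies sector by sector, zero-fills an unreadable sector so offsets still line up, computes MD5 and SHA-256 while the data streams, and then verifies the finished image; a single flipped bit is enough for verification to fail. The source device is a constructed in-memory stand-in (FlakySource) with one bad sector; that class and the function names are this example's own:

```python
"""Bit-stream acquisition with on-the-fly hashing and bad-sector handling.

Added example for this post (not the author's code, and not any
particular tool's implementation). It mimics what dd conv=noerror,sync,
dc3dd or ewfacquire do: every sector of the source is copied to the image;
a sector that cannot be read is replaced by zeros so that offsets in the
image still line up with the source; MD5 and SHA-256 are computed while
the data streams so the image can be verified later without touching the
source again. FlakySource, acquire, acquire_to_bytes, sha256_of, verify
and flip_one_bit are names invented for this example.
"""
import hashlib
import io

SECTOR = 512  # sector size assumed for this example


class FlakySource:
    """Constructed stand-in for a drive with one unreadable sector.

    Wraps a bytes object; read() raises OSError when it reaches the bad
    sector, the way the kernel returns EIO for a failing disk.
    """

    def __init__(self, data, bad_sector=None):
        self.data = data
        self.pos = 0
        self.bad_sector = bad_sector

    def read(self, n):
        if self.bad_sector is not None and self.pos // SECTOR == self.bad_sector:
            raise OSError("Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def seek(self, offset):
        self.pos = offset


def acquire(src, dst, total_size, sector=SECTOR):
    """Copy src to dst sector by sector, hashing as the data streams.

    Returns (md5_hex, sha256_hex, bad_sectors). An unreadable sector is
    written as zeros (dd's conv=noerror,sync behaviour) and its number is
    recorded so the examiner can note it in the acquisition log.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    bad = []
    offset = 0
    while offset < total_size:
        try:
            chunk = src.read(sector)
        except OSError:
            bad.append(offset // sector)
            chunk = b"\x00" * sector
            src.seek(offset + sector)  # step over the bad sector and carry on
        if not chunk:
            break  # end of source reached
        dst.write(chunk)
        md5.update(chunk)
        sha.update(chunk)
        offset += len(chunk)
    return md5.hexdigest(), sha.hexdigest(), bad


def acquire_to_bytes(src, total_size, sector=SECTOR):
    """Convenience wrapper: acquire into memory, return (image, md5, sha256, bad)."""
    dst = io.BytesIO()
    md5, sha, bad = acquire(src, dst, total_size, sector)
    return dst.getvalue(), md5, sha, bad


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def verify(image_bytes, expected_sha256):
    """True if the image still hashes to the value recorded at acquisition."""
    return sha256_of(image_bytes) == expected_sha256


def flip_one_bit(data, byte_index=0):
    """Return a copy of data with a single bit flipped (simulated tampering)."""
    b = bytearray(data)
    b[byte_index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    source = bytes(range(256)) * 8  # constructed 4-sector "drive"
    image, md5, sha, bad = acquire_to_bytes(FlakySource(source, bad_sector=2), len(source))
    print("md5   ", md5)
    print("sha256", sha)
    print("bad sectors", bad)
    print("image verifies:", verify(image, sha))
    print("tampered image verifies:", verify(flip_one_bit(image), sha))
```

The hashes recorded are those of the image as written. When sectors had to be zero-filled, the image cannot hash the same as the source, which is exactly why the list of bad sectors belongs in the acquisition log next to the hashes.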

👉 Chain-of-Custody — A process that tracks the movement of evidence through its collection, safeguarding and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose of the transfer.

  • It is a must to assure the court of law that the evidence is authentic, i.e., that it is the same evidence seized at the crime scene, that it was at all times in the custody of a person designated to handle it, and that it was never unaccounted for. Although it is a lengthy process, it is required for evidence to be admissible in court. The continuity of possession of the evidence, and its movement and location from the point of discovery and recovery (at the scene of a crime or from a person), to its transport to the laboratory for examination and until the time it is admitted in court, is known as the chain of custody or chain of evidence. The evidence hash recorded at seizure should appear unchanged in every later entry.
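One way to make the custody record itself tamper-evident is to hash-chain it, so that each entry commits to the one before and any edit, deletion or reordering breaks every later link. The following is an added example of that idea (not the post's code and not any lab's system); the field names and the constructed three-step trail are this example's own, and it complements rather than replaces the signed paper form:

```python
"""Tamper-evident chain-of-custody log.

Added example for this post (not the author's code, not any lab's
system). Each entry records who handled an evidence item, when, what they
did and why, plus the item's hash, and also commits to the digest of the
previous entry; editing, removing or reordering any entry therefore breaks
every later link. Field names and the GENESIS value are this example's own;
a real lab would additionally sign entries or keep a countersigned paper
form, which this code does not replace.
"""
import hashlib
import json


def entry_digest(entry):
    """SHA-256 over the entry serialised canonically (sorted keys), so the
    same record always hashes the same way; the stored digest is excluded."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    GENESIS = "0" * 64  # 'previous digest' of the first entry

    def __init__(self):
        self.entries = []

    def record(self, handler, action, evidence_id, evidence_sha256, when, purpose):
        """Append an entry and return its digest."""
        entry = {
            "seq": len(self.entries),
            "handler": handler,
            "action": action,            # e.g. seized, transferred, imaged, returned
            "evidence_id": evidence_id,
            "evidence_sha256": evidence_sha256,
            "when": when,                # ISO 8601 timestamp supplied by the caller
            "purpose": purpose,
            "prev": self.entries[-1]["digest"] if self.entries else self.GENESIS,
        }
        entry["digest"] = entry_digest(entry)
        self.entries.append(entry)
        return entry["digest"]

    def verify(self):
        """Return (True, None) if the log is intact, else (False, seq) for the
        first entry that fails: a broken link, altered content, or an evidence
        hash that changed while the item was in custody."""
        prev = self.GENESIS
        first_hash = {}  # evidence_id -> hash recorded when the item first appeared
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or entry_digest(e) != e["digest"]:
                return False, i
            expected = first_hash.setdefault(e["evidence_id"], e["evidence_sha256"])
            if e["evidence_sha256"] != expected:
                return False, i
            prev = e["digest"]
        return True, None


def demo_log():
    """Constructed three-step custody trail for one disk image (EXH-01)."""
    h = "a" * 64  # placeholder evidence hash for the example, not a real digest
    log = CustodyLog()
    log.record("Examiner A", "seized", "EXH-01", h, "2022-02-27T09:10:00Z", "search warrant")
    log.record("Examiner B", "transferred", "EXH-01", h, "2022-02-27T13:45:00Z", "to lab")
    log.record("Examiner C", "imaged", "EXH-01", h, "2022-02-28T10:00:00Z", "acquisition")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("intact:", log.verify())
    log.entries[1]["handler"] = "someone else"
    print("after editing entry 1:", log.verify())
```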

🔎 To protect evidence seized from a crime scene from physical damage or remote alteration :

👉 Anti-static bags are used : A lot of electronic components are very sensitive and are at risk of being damaged by electrostatic discharge. This static electricity can cause major damage to the internal circuitry of components or microprocessors, rendering them useless or “fried”.

👉 Faraday bags : Faraday bags are a type of Faraday cage made of flexible metallic fabric. They are typically used to block remote wiping or alteration of wireless devices recovered in criminal investigations. They are designed to shield a mobile phone or small digital device from radio waves entering the bag and reaching the device, or to stop radio waves escaping through the bag from the device. They are more expensive and offer more than anti-static bags do. A device sealed in one keeps searching for a network and drains its battery faster, so a charger or battery pack should travel with it.

🔎 The chip-off technique is the practice of desoldering a memory chip from a circuit board and reading its contents directly with a chip reader, which works even when the device no longer boots. A related technique, JTAG, uses the board's test access port to read memory without removing the chip. Both are done in a damaged-device forensic lab, and both bypass the device's operating system, so any data the device encrypts at rest is recovered only in encrypted form.

🔎 Preservation of evidence

👉 It is the isolation and protection of digital evidence exactly as found, without alteration, so that it can later be analyzed

👉 Handling rules for a seized device: do not change its current state; do not leave it in an open area or unsecured place; do not plug any external storage media into it; do not copy anything to or from it; do not open pictures, applications or files on it; photograph it as found; record any PIN, password or pattern that is known; and do not hand it to anyone without forensics training. For a running computer, do not shut it down before volatile data (RAM, network connections, logged-on users) has been captured, because a shutdown destroys it; if the machine must be powered off and live acquisition is impossible, hibernating rather than shutting down keeps a copy of RAM on disk. For a phone or other wireless device, isolate it from the network (airplane mode or a Faraday bag) and keep it charged so it does not lock or reboot.

👉 Preservation of evidence is done in evidence lockers, designed to provide a secure chain of custody for short-term evidence storage

👉 At a crime scene, incident responders/first responders come first to protect the evidence and seal the crime scene so that no one loses the data or evidence, intentionally or unintentionally.

🔎 Packaging Electronic Evidence :

  • Make sure the gathered electronic evidence is correctly documented, labelled and listed before packaging
  • Special attention needs to be paid to hidden or trace evidence (fingerprints or DNA on keyboards and phones), and the necessary actions need to be taken to safeguard it
  • Pack magnetic media in antistatic packaging
  • Do not use materials such as ordinary plastic bags for packaging because they may generate static electricity
  • Avoid folding and scratching storage devices such as diskettes, DVDs and tapes
  • Make sure that all containers carrying evidence are labelled in the appropriate way

🔎 A write blocker is a tool placed between the original media and the examiner's workstation so that the evidence cannot be altered. It permits read-only access to the storage device, blocking every write command, without compromising the integrity of the data. It comes in two forms: hardware and software write blockers. Whichever is used, test it before relying on it: attach a scratch drive, hash it, attempt a write, and hash it again; the two hashes must match.

♦️ Hardware write blocker : A portable physical device whose controller firmware drops write commands; the evidence drive plugs into it and it plugs into the workstation

♦️ Software write blocker : Installed on the forensic workstation, it intercepts write requests at the driver level (on Windows, for example, the StorageDevicePolicies WriteProtect registry value makes USB storage read-only)

HARDWARE WRITE BLOCKER
SOFTWARE WRITE BLOCKER

🔎 Order of Volatility — There are protocols for collecting volatile evidence (RFC 3227 is the usual reference). Volatile evidence should be collected in order of volatility: the most volatile evidence first and the least volatile last, because every step of the collection itself changes the state of the system.

Most volatile → least volatile :

  1. CPU registers and cache
  2. Routing table, ARP cache, process table, kernel statistics, RAM
  3. Temporary file systems (swap, /tmp)
  4. Disk
  5. Remote logging and monitoring data relating to the system
  6. Physical configuration and network topology
  7. Archival media (backups, tapes)

🔎 Types of data in Digital Forensics :

  1. Volatile data/evidence — Evidence that is only present while the computer is running is called volatile evidence and must be collected using live forensic methods. Some types of volatile data :
  • Process info, process memory
  • Clipboard content
  • System time & date
  • Service / driver info
  • Logged-on users
  • Open files
  • Shared libraries / DLLs
  • Malware running in memory

2. Transient Data — Data created within an application or login session. At the end of the session the data is discarded or reset to its default state. Contains info such as :

  • terminate and stay resident programs (TSR)
  • Open Network connection
  • User logon / logout

3. Non-volatile data — Used for secondary storage and persists long term :

  • Data on the hard disk
  • Slack space (the leftover space at the end of the last cluster allocated to a file, which can still hold fragments of whatever was stored there before)
  • Swap file
  • Data in unallocated clusters
  • Registry settings
  • Application logs, error and event logs

4. Fragile Data — Data stored on the hard drive that can easily be altered, especially by a first responder trying to determine whether an incident has occurred. Examples are file access timestamps and temporary files.

5. Temporary accessible data — stored on hdd and can be used for a certain amount of time . Like

6. Active data -

  • Active data is stored on the hard drive
  • It is the data used for the day-to-day operation of the organization

7. Archived data — Data kept in long-term storage to preserve the organization's records.

  • This data can be destroyed after its lifetime as per the data retention policy of the organization

8. Backup data -

  • Refers to a copy of the system
  • Can be used for the recovery of the system in case of a system crash

👉 Digital Evidence : Any information of probative value that is stored or transmitted in digital form

🔎 The stepwise procedure for a forensic investigation :

  1. Identify the computer crime
  2. Collect the preliminary evidence
  3. Obtain a court warrant for seizure
  4. Perform the first responder procedure
  5. Seize evidence from the crime scene
  6. Transport the evidence to the forensic science laboratory (FSL)
  7. Create two bit-stream copies of the evidence (one working copy, one kept untouched)
  8. Generate hashes (SHA-256, plus MD5 if the tooling expects it) of the original and the images and confirm that they match
  9. Maintain the chain of custody
  10. Store / preserve the original evidence in a secure place
  11. Analyze the image copy of the evidence, never the original
  12. Prepare the forensic report
  13. Submit the report to the client
  14. If required, attend court and testify as an expert witness

Some computer forensics tools and techniques :

https://toolcatalog.nist.gov/search/

🔎 Evidence can be gathered from audio, video, memory, graphics, Near Field Communication (NFC) and other IoT devices, live capture of packets being transmitted, and any other electronic source, in files such as emails, log files, internet browser history, cookies, graphic files, server logs, etc.

👉 Evidence is mainly gathered from the hard drive of the seized system.

👉 Evidence can also be stored on thumb drives (electronic storage devices with a USB connection) and memory cards (storage media used in PDAs, digital cameras, etc.).

👉 Evidence can also be found on smart cards, which have memory and store encryption keys, passwords and digital certificates.

👉 Biometric scanners, digital cameras, modems and printers (a printer contains a memory buffer and stores data) are further sources.

🔎 Characteristics of Digital Evidence :

👉 Admissible — It must be acceptable to the court; how it was collected, handled and documented determines whether it is

👉 Authentic — It must link the data to specific individuals and events

👉 Accurate — The computer processes that produced it must be reliable

👉 Complete — It must tell the full story of the particular circumstances, not only the parts that support one side

👉 Convincing to juries — To have probative value it must pass the subjective and practical test of presentation

🔎 Evidence examination

👉 Forensic examination of different kinds of media may require different methods of examination

👉 The investigator must be a trained professional

👉 Examination should not be conducted on the original media

👉 There are 2 types of extraction process for evidence examination :

  • Physical extraction : Identifies and recovers data across the entire physical drive, independently of the logical file system. It creates a bit-for-bit replica of all the data on the device, including hidden and slack space, and so can recover deleted files, photos and videos, deleted Snapchat pictures, deleted text messages, contacts and call logs, location tags and GPS fixes, and in some cases deleted passwords.
  • Logical extraction : When time is limited, consider a logical or sparse acquisition. Logical acquisition captures only specific types of files of interest through the file system and does not include slack or unallocated space. For example, a database investigation that requires the collection of .db files only.

🔎 Digital Forensics analysis include :

  • Analysis of storage media
  • Analysis of Host data
  • Application and file analysis
  • Analysis of network related and configuration data
  • Analysis of possible data hiding
  • The content of the image file has to be hashed before analysis
  • Depending on the nature of the analysis, the investigator must determine whether the file has to be exported or not
  • Hash list needs to be created for all files exported for further investigation with 3rd party tools

🔎 First responder and expert witness procedures :

  • The 1st responder is the first person at the crime scene from the investigation team
  • They must identify the crime scene, protect the crime scene and preserve temporary and fragile evidence
  • The crime scene needs to be photographed
  • All the items seized have to be recorded.

🔎 Forensic Investigator

  • A trained person carrying out the digital forensic examination
  • The security and integrity of the evidence item is completely his/her responsibility once acquired

🔎 Expert witness

  • A person who is a subject matter expert and whose credentials can convince a court of law to accept his or her opinion on that subject
  • Expert witnesses often come from law enforcement or government forensic laboratories, but private practitioners also serve.

🔎 The role of the expert witness :

  • He/she assists the court in understanding the intricacies of the evidence produced and its interpretation
  • Aids the attorney to get at the truth of the evidence
  • The expert witness can state the truth about the analysis of the evidence but has no right to say whether someone is guilty or not.

🔎 Preservation of digital evidence :

  • Preservation of a digital evidence item, its security and its integrity, is the responsibility of the investigation team
  • The team is liable for any loss of or damage to the evidence item
  • The first thing that the investigator must do is preserve the volatile memory (RAM), as RAM holds an enormous amount of evidence (running processes, network connections, decryption keys). Once the system is shut down, all of it is lost.
  • The changes and actions during the forensic examination must be recorded
  • Don't run any software such as an antivirus scanner on the evidence item, as it changes the access date and time of each file it scans and may quarantine or delete the very files of interest
  • Disconnect the evidence item from the internet to prevent any remote attacks or remote wiping
  • Photograph the entire crime scene including the connected system (including all the cables)
  • Before transporting the seized evidence items, everything must be labelled and recorded properly
  • Label electronic devices such as PDAs and cell phones, collect the charger and transport it along with the device.

Dear readers,

Thank you for reading till the end . This blog is for my learning purpose. If there is any comment or feedback please share.

For any queries , feel free to reach at :

✏️ LinkedIn : https://www.linkedin.com/in/shreya4n6/

✏️ Twitter : https://twitter.com/shreya4n6

Shreya Talukdar

Security researcher | Cyber Forensics | Malware Analysis | Threat hunting | Speaker | Blogger | Learner