DF1

The document provides an overview of digital forensics, highlighting its importance in the legal system due to the increasing reliance on electronically stored information. It outlines the digital forensic process, including identification, preservation, collection, analysis, and reporting, and discusses the challenges posed by digital evidence compared to traditional physical evidence. Additionally, it covers various sub-disciplines of digital forensics, such as computer forensics and mobile device forensics, and emphasizes the significance of Locard's Exchange Principle in forensic investigations.

Uploaded by Utsav Patel

Introduction

Subject Name: Digital Forensics

Subject Code: 3170725


▪ As a society, our heavy use of technology means that we are literally drowning in
electronically stored information
▪ The impact of our growing digital dependence is being felt in many domains, including the
legal system
▪ Digital evidence is finding its way into the world's courts
▪ This new form of evidence presents some very significant challenges to our legal
system
▪ Digital evidence is considerably different from paper documents and can't be
handled in the same way
▪ Criminal, civil, and administrative proceedings often focus on digital evidence, which is
foreign to many of the key players, including attorneys and judges
▪ Forensic science has been around for years
▪ Digital forensics standards and best practices are still being developed.
▪ It all starts with the 1's and 0's. This binary language underpins not only the function of
the computer but how it stores data as well. We need to understand how these 1's and 0's
are converted into the text, images, and videos we routinely consume and produce on our
computers.
Forensic Science

▪ Forensics is the application of science to solve a legal problem
▪ In forensics, the law and science are forever integrated
▪ Neither can be applied without paying homage to the other. The best scientific evidence
in the world is worthless if it's inadmissible in a court of law
▪ Forensic science is the application of science to criminal and civil laws, mainly—on the
criminal side—during criminal investigation, as governed by the legal standards
of admissible evidence and criminal procedure.
▪ What is Computer Forensics?
▪ It is the science of obtaining, preserving, and documenting digital evidence.
▪ You can think of it as science applied in a digital environment
▪ The collection of digital evidence must be done through carefully prescribed and recognized
procedures (Video)
▪ Computer Forensics vs Computer Security
▪ Forensics is primarily concerned with the proper acquisition, preservation and analysis of digital evidence,
typically after the cybercrime has taken place
▪ Security is primarily concerned with the prevention of unauthorized access as well as maintaining the
confidentiality, integrity and availability (CIA) of systems
Concepts in Digital Evidence
▪ Hans Gross (1847 - 1915): First use of scientific study to head criminal investigations
▪ FBI (1932): Set up a lab to offer forensics services to all field agents and other law authorities across the
USA.
▪ In 1978 the first computer crime was recognized in the Florida Computer Crime Act.
▪ Francis Galton (1982 - 1911): Conducted the first recorded study of fingerprints
▪ In 1992, the term Computer Forensics was used in academic literature.
▪ In 1995 the International Organization on Computer Evidence (IOCE) was formed.
▪ In 2000, the first FBI Regional Computer Forensic Laboratory was established.
▪ In 2002, the Scientific Working Group on Digital Evidence (SWGDE) published the first book about digital
forensics, called "Best practices for Computer Forensics".
▪ Computer Forensics:
▪ It is the lawful and ethical seizure, acquisition, analysis, reporting and safeguarding of data and metadata
derived from digital devices which may contain information meaningful for
investigations
▪ In short, it is the collection of techniques and tools used to find evidence in a computer system
▪ Digital Forensics:
▪ It is the use of scientifically derived and proven methods towards the preservation, collection, validation,
identification, analysis, interpretation, documentation and presentation of digital evidence derived
through computer forensics
▪ The role of digital forensics is to:
▪ Uncover and document evidence and leads
▪ Corroborate evidence discovered in other ways (E-discovery)
▪ Case Study
▪ Assist in showing a pattern of events (data mining)
▪ Connect attack and victim computers
▪ Locard’s Exchange Principle
▪ Reveal an end-to-end path of events leading to a compromise attempt, successful or not
▪ Extract data that may be hidden, deleted or otherwise not directly available
Physical Evidence           | Digital Evidence
----------------------------|-----------------------------------------------------------------
Hard to change/manipulate   | Easy to change/manipulate
Duplication is difficult    | Perfect digital copies can be made without harming the original
Cloning is difficult        | Possible to create a defensible clone of the storage device
Visible in nature           | Invisible in nature


Criminal Investigations
▪ In today's digital world, electronic evidence can be found in almost any criminal investigation
conducted.
▪ Everyday digital devices such as cell phones and gaming consoles can hold a treasure trove of
evidence.
▪ Unfortunately, none of that evidence will ever see a courtroom if it's not first recognized and
collected
▪ Case study
Civil Litigation
▪ The use of digital forensics in civil cases is big business.
▪ As part of a process known as Electronic Discovery (eDiscovery), digital forensics has become a
major component of much high-dollar litigation.
▪ eDiscovery “refers to any process in which electronic data is sought, located, secured, and searched
with the intent of using it as evidence in a civil or criminal legal case”
▪ In a civil case, both parties are generally entitled to examine the evidence that will be used against
them prior to trial.
▪ This legal process is known as “discovery.” Previously, discovery was largely a paper-based
exercise, with each party exchanging reports, letters, and memos; however, the introduction of
digital forensics and eDiscovery has greatly changed this practice
▪ Seeing the evidentiary landscape rapidly changing, the courts have begun to modify the rules of
evidence.
▪ The rules of evidence, be they state or federal rules, govern how digital evidence can be admitted
during civil litigation
▪ The legal system and all its players are struggling to deal with this new reality.
Intelligence
▪ Terrorists and foreign governments, the purview of our intelligence agencies, have also joined the
digital age.
▪ Terrorists have been using information technology to communicate, recruit, and plan attacks
▪ In Iraq and Afghanistan, our armed forces are exploiting intelligence collected from digital devices
brought straight from the battlefield. This process is known as DOMEX (Document and Media
Exploitation)
▪ DOMEX is paying large dividends, providing actionable intelligence to support the soldiers on the
ground
▪ Case study
Administrative Matters
▪ Digital evidence can also be valuable for incidents other than litigation and matters of national
security
▪ Violations of policy and procedure often involve some type of electronically stored information,
for example, an employee operating a personal side business, using company computers while on
company time
▪ That may not constitute a violation of the law, but it may warrant an investigation by the company.
▪ Case study
The Digital forensic process
▪ The digital forensic process has the following five basic stages:
▪ Identification – the first stage identifies potential sources of relevant evidence/information
(devices) as well as key custodians and location of data.
▪ Preservation – the process of preserving relevant electronically stored information (ESI) by
protecting the crime or incident scene, capturing visual images of the scene and documenting all
relevant information about the evidence and how it was acquired.
▪ Collection – collecting digital information that may be relevant to the investigation. Collection
may involve removing the electronic device(s) from the crime or incident scene and then imaging,
copying or printing out its (their) content.
▪ Analysis – an in-depth systematic search of evidence relating to the incident being investigated.
The outputs of examination are data objects found in the collected information; they may include
system- and user-generated files. Analysis aims to draw conclusions based on the evidence found.
▪ Reporting – firstly, reports are based on proven techniques and methodology and secondly, other
competent forensic examiners should be able to duplicate and reproduce the same results.
DIFFERENT TYPES OF DIGITAL FORENSICS

▪ Digital forensics is a constantly evolving scientific field with many sub-disciplines. Some of these
sub-disciplines are:
▪ Computer Forensics – the identification, preservation, collection, analysis and reporting on
evidence found on computers, laptops and storage media in support of investigations and legal
proceedings.
▪ Network Forensics – the monitoring, capture, storing and analysis of network activities or events in
order to discover the source of security attacks, intrusions or other problem incidents, e.g. worm,
virus or malware attacks, abnormal network traffic and security breaches.
▪ Mobile Device Forensics – the recovery of electronic evidence from mobile phones, smartphones,
SIM cards, PDAs, GPS devices, tablets and game consoles.
▪ Digital Image Forensics – the extraction and analysis of digitally acquired photographic images to
validate their authenticity by recovering the metadata of the image file to ascertain its history.
▪ Digital Video/Audio Forensics – the collection, analysis and evaluation of sound and video
recordings. The science is the establishment of authenticity as to whether a recording is original
and whether it has been tampered with, either maliciously or accidentally.
▪ Memory forensics – the recovery of evidence from the RAM of a running computer, also called
live acquisition.
▪ In practice, there are exceptions that blur this classification, because the grouping used by a provider is
dictated by staff skill sets, contractual requirements, lab space, etc. For example:
▪ Tablets or smartphones without SIM cards could be considered computers.
▪ Memory cards (and other removable storage media) are often found in smartphones and tablets, so
they could be considered under mobile forensics or computer forensics.
▪ Tablets with keyboards could be considered laptops and fit under computer or mobile forensics.
[Figure: the digital forensic process as a cycle around "Digital Evidence Documentation"]
1. Identification
• Recognize Incident
• Tools and Techniques
• Search Warrants
• Authorization
2. Search and Seizure
• Recognize the Evidence
• Collect Evidence
3. Preservation
• Secure Evidence
• Protect the Integrity of Evidence
4. Examination
• Duplicate Evidence
• Recover Data
5. Analysis
• Determine Signature
• Reconstruct Fragment of Data
• Draw Conclusions
6. Reporting
• Summarize
• Translate
• Explain Conclusions

Types of Evidence
• Intuitive
• Scientific
• Personal
• Legal
Forensic elements

• Material
– Physical
– Electronic (digital)
• Relevance
– Stakeholders (victims, private individuals, government, insurance companies, legal
institutions, law enforcement agencies)
• Validity (close to relevance and the process of authentication)
Categories of Evidence
• Impressions (fingerprints, toolmarks, marks)
• Bioforensics (blood, body fluids, hair, nail scrapings, and blood stain patterns)
• Trace evidence (residue of the things used for committing the crime, like arson
accelerant, paint, glass, fibers).
• Material evidence (letters, folders, scrap paper – in a way, hard-copy material)
Where to focus and how to start
• What are we going to work with:
– Policies, technical procedures, permissions, billing system utilities,
applications, and various logs
• Whom and what we want to monitor:
– Employees, employers, access rights, email, surfing logs, and chat room records.
Case assessment and requirements
• Situation – local and global environment
• Nature of the case
• Specifics
• Types of evidence
• Operating system – working environment
• Archive storage formats
• Location of evidence
Handling evidence
• Includes extraction and establishment of a chain-of-custody, which also
involves packaging, storage, and transportation
• Who extracted the evidence and how?
• Who packed it?
• Who stored the evidence, how and where?
• Who transported it?
Handling evidence
• Case
– Number
– Investigator/institution/organization
– Nature of the case
• Equipment
– For all computers and devices involved – manufacturer, vendor, model,
and serial number
• Evidence
– Location
– Recording entity
– Time and date of recording
All of this sometimes is qualified as a chain-of-evidence.
Evidence recovery
• Extraction depends on the nature of the incident and the type of equipment or
system involved (computer, operating environment, network)
• Rule of thumb – extract and collect as much as you can (avoid going back –
most of the time it is impossible)
• Compress the evidence with lossless compression tools
• Some hashing (MD5, CRC, or SHA-1/2/3) should be done so that integrity can be verified
after storage and transportation
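The evidence-handling record (case, equipment, evidence fields; who extracted, packed, stored and transported it) and the hashing rule above, worked through as an added example that is not part of the lecture notes. The script images a constructed in-memory "device" bit for bit (the perfect, harmless copy the physical-vs-digital table refers to), records the acquisition hash in a chain-of-custody record, and re-hashes the image at every hand-off, so a single byte altered after transport is detected. SHA-256 is used rather than CRC because a CRC catches accidental corruption only, not deliberate modification. Every name, case number, serial number and device content below is a constructed placeholder.

```python
"""Added example (not from the lecture slides): image a "device", hash the image,
record chain-of-custody entries, and verify integrity after storage/transport.
All data is constructed in memory; no real device is read or written."""
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: a tiny "storage device" as bytes (stands in for a disk).
ORIGINAL_DEVICE = b"MBR\x00" + b"user.docx contents ... " * 8 + b"\x00" * 64


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 digest: collision-resistant, so fit for integrity verification
    (a CRC only detects accidental corruption)."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(device: bytes, block_size: int = 64) -> bytes:
    """Bit-for-bit copy read in fixed-size blocks, as an imaging tool would.
    The source is only read, never written, so the original is not harmed."""
    src, out = io.BytesIO(device), io.BytesIO()
    while True:
        block = src.read(block_size)
        if not block:
            break
        out.write(block)
    return out.getvalue()


@dataclass
class CustodyEntry:
    action: str            # extracted / packed / transported / stored / verified
    who: str
    where: str
    sha256: str            # hash of the image as observed at this hand-off
    when: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


@dataclass
class EvidenceRecord:
    case_number: str
    investigator: str
    nature: str
    equipment: dict        # manufacturer, vendor, model, serial number
    acquisition_hash: str  # reference value computed at acquisition
    chain: list = field(default_factory=list)

    def log(self, action: str, who: str, where: str, data: bytes) -> None:
        """Append a chain-of-custody entry, re-hashing the evidence at each step."""
        self.chain.append(CustodyEntry(action, who, where, sha256_of(data)))

    def verify(self, data: bytes) -> bool:
        """True only if the image still hashes to the value recorded at acquisition."""
        return sha256_of(data) == self.acquisition_hash

    def breaks_in_chain(self) -> list:
        """Indices of custody entries whose hash no longer matches acquisition."""
        return [i for i, e in enumerate(self.chain) if e.sha256 != self.acquisition_hash]


def build_record(device: bytes) -> tuple:
    """Image the device and walk it through a constructed chain of custody."""
    image = acquire_image(device)
    record = EvidenceRecord(
        case_number="CASE-0001 (constructed)",
        investigator="Examiner A (hypothetical)",
        nature="policy violation (constructed)",
        equipment={"manufacturer": "ExampleCo", "vendor": "ExampleCo",
                   "model": "X1", "serial": "SN-0000 (constructed)"},
        acquisition_hash=sha256_of(image),
    )
    record.log("extracted", "Examiner A", "incident scene", image)
    record.log("packed", "Examiner A", "evidence bag #1", image)
    record.log("transported", "Courier B", "scene -> lab", image)
    record.log("stored", "Evidence clerk C", "lab locker 7", image)
    return record, image


if __name__ == "__main__":
    record, image = build_record(ORIGINAL_DEVICE)
    print("image identical to original:", image == ORIGINAL_DEVICE)
    print("intact after transport:", record.verify(image))
    # Simulate one byte flipped while in storage: verification must fail.
    tampered = bytearray(image)
    tampered[10] ^= 0x01
    record.log("verified", "Examiner A", "lab bench", bytes(tampered))
    print("tampered image verifies:", record.verify(bytes(tampered)))
    print("entries that break the chain:", record.breaks_in_chain())
```

The hash of the original and of the image are compared once at acquisition; from then on only the image is handled, which is the point of the "defensible clone" row in the table above. Each custody entry carries its own hash, so the record shows not just that the evidence changed but at which hand-off the change first appeared.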
Locard’s Exchange Principle in Forensic Science

1. Locard's exchange principle is an important part of forensic science
investigation.
2. It states that any criminal leaves behind a trace when committing a
violent crime.
3. It is the investigator's duty to find this trace evidence and reconstruct the events of the
crime.
Locard’s Exchange Principle in Forensic Science

1. Dusting of fingerprints
2. Toe tag and pen on human foot in morgue
3. FBI reveals criminals who hack
Locard’s Exchange Principle in Forensic Science

As long as the criminal remains upon two legs so long must there be some indentation, some abrasion,
some trifling displacement which can be detected by the scientific researcher.
~ Sherlock Holmes, The Adventure of Black Peter

Forensic science has changed the way crime investigations are handled.
By examining and analyzing the physical evidence and reconstructing the circumstances of the crime,
forensic investigators are able to come up with scientific information that they can present in court.
A person who is responsible for one of the most important principles in forensic science is
Edmond Locard.

He came up with the Locard’s exchange principle or Locard’s theory which states that “Any action of an
individual, and obviously, the violent action constituting the crime, cannot occur without leaving a
trace.”
Locard’s Exchange Principle in Forensic Science
1. A devout viewer of crime investigative series on television will be able to understand the importance of
this principle.

2. Haven’t we all observed how the investigator goes to the site of a grisly murder and examines the crime
scene, to check for blood stains, footprints or fingerprints, murder weapons and even the slightest of
traces of blood in the nails?

3. This is known as trace evidence, and according to Locard’s principle whenever a crime is committed,
trace evidence, no matter how small, will always be present.
Understanding Locard’s Exchange Principle

1. To understand Locard’s theory it is important to understand how important trace evidence is to
forensic investigation.
2. When a crime is committed, the police and investigators are left with fragmented pieces of a
puzzle.
3. The forensic team helps in reconstructing the puzzle with the help of trace evidence which
refers to evidence left behind by the criminal on the crime scene.
4. This can be anything from hair, fibers, pieces of clothing, blood, fingerprints, etc.
Understanding Locard’s Exchange Principle
According to noted forensic scientist Paul L. Kirk

1. “Wherever he steps, whatever he touches, whatever he leaves, even
unconsciously, will serve as a silent witness against him.
2. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass
he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or
collects.
3. All of these and more, bear mute witness against him. This is evidence that does not forget.
It is not confused by the excitement of the moment.
4. It is not absent because human witnesses are.
5. It is factual evidence.
6. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent.
7. Only human failure to find it, study and understand it, can diminish its value.”
Development of Locard’s Exchange Principle

1. Before the 19th century, most of the time in court and during investigation,
witness testimonies were favored as opposed to evidence.
2. Most investigators refused to perform invasive procedures on the dead body due to emotional
respect, squeamishness and sometimes even superstitions.
3. With the progression of scientific studies in anatomy and microscopy, science
was integrated into criminal investigations.
4. The first known use of science and logic for crime investigation was done by Alphonse
Bertillon in the late 1800s.
Development of Locard’s Exchange Principle

1. He developed Bertillonage, a simple procedure which involved recording a series of body
measurements and noting other physical characteristics.
2. This information was then placed on a single identification card in a police file.
3. Prior to the use of fingerprint recognition, this was the most used system of
tracking and identifying criminals.
4. Apart from body measurement, Bertillon was also responsible for the development of photography
for criminal identification.
Development of Locard’s Exchange Principle
1. It was Bertillon’s contribution to the forensic sciences that influenced Dr. Edmond Locard, the
vanguard of forensic science.
2. He was the director of the first crime laboratory, in Lyon, France and worked as a
medical examiner during World War I.
3. Like Alphonse Bertillon, Locard too advocated the use of scientific studies
for criminal investigation.
4. According to him, “It is impossible for a criminal to act, especially considering the intensity
of a crime, without leaving traces of his presence.”
5. He tested this principle of exchange during many of his investigations.
Other significant contributions by Locard involve dactylography, which is an area of study that
deals with fingerprints. He developed poroscopy, which is the study of fingerprint pores and the
impressions produced by these pores.
Application of Locard’s Exchange Principle

1. One of the best ways to demonstrate how Locard’s theory is applied is to take an instance of an
investigation done by Locard himself.
2. In 1912, while investigating the death of a Frenchwoman named Marie Latelle, the police
questioned her boyfriend Emile Gourbin.
3. He claimed he was playing cards with his friends, and when questioned, the friends attested to
this fact.
4. When the corpse was examined by Locard he found evidence of death by strangulation.
5. He scraped underneath the boyfriend’s fingernails to look for skin cell samples.
6. On close examination under a microscope, Locard found a pink dust in the cell samples.
7. He figured this was makeup and, although popular, makeup was not very
widely manufactured.
8. After searching further he found a chemist who made custom-made powder for the deceased
woman and a match was made.
9. With all the evidence against him, Gourbin confessed to the murder and to tricking his friends into
believing his excuse.
The Drawbacks of Locard’s Theory

▪ One of the greatest drawbacks of Locard’s exchange theory lies in evidence dynamics.
▪ This refers to the alteration of physical evidence before it has been
examined by investigators.
There are many factors that can lead to the tampering and destruction of evidence.
1. Staging (manipulation of objects in the crime scene) by the
offender
2. Secondary transfer of evidence
3. Actions of the victim before the
crime
4. Witness actions
5. Natural factors like animal or insect activity, weather,
decomposition.
6. Fire suppression efforts
7. Actions of police, scene technicians and medical personnel.
▪ These factors can lead to the removal or obliteration of the evidence.
▪ They can often mislead the investigators and cause problems with crime reconstruction.
▪ Misinterpretations or misleading evidence can lead to inaccurate crime reconstruction.
▪ To avoid this, the investigator needs to make sure that the crime scene investigation and
reconstruction is carried out with care.
Scientific Models
1. As an emerging discipline in forensic science, digital forensics is
undergoing some expected growing pains.
2. As of today, digital forensics lacks the vast foundation and long-term track record set
by forensic DNA.
3. DNA is now considered by many to be the “gold standard” of the forensic sciences.
4. Digital forensics simply lacks the years of development, testing, refining,
and legal challenges DNA has undergone since its inception.
5. Plotting the course forward are several organizations that are looked on to establish the
protocols, standards, and procedures that will push digital forensics ahead.
6. There are several organizations that make significant contributions to the discipline
of digital forensics year in and year out.
7. These organizations not only set standards and establish best practices, they provide
leadership as well.
8. Examiners should be familiar with these entities, the roles they play, and the contributions
they make.
9. As professionals, it's our responsibility to participate in one or more of
these organizations.
Scientific Working Group on Digital Evidence

▪ Standards and techniques are an essential part of valid and accurate forensic science.
▪ They are its foundation, its core.
▪ Along with other federal agencies, the FBI has supported the formation and efforts of a wide range
of Scientific Working Groups (SWGs) and Technical Working Groups (TWGs) (Federal Bureau of
Investigation).
▪ These collaborative groups draw their members from “forensic, industrial, commercial, academic
and in some cases international communities” (Federal Bureau of Investigation).
▪ Some examples include the Scientific Working Group for DNA Analysis Methods (SWGDAM) and
the Scientific Working Group for Firearms and Toolmarks (SWGGUN).
▪ Digital evidence has now joined the party with the formation of SWGDE.

1. Formed in 1998, the Scientific Working Group on Digital Evidence (SWGDE) is made up of
“federal government agency, state or local law enforcement agency involved in the digital and
multimedia forensic profession” (Scientific Working Group on Digital Evidence).
The mission of SWGDE is as follows: “Brings together organizations actively engaged in the field of
digital and multimedia evidence to foster communication and cooperation as well as ensuring
quality and consistency within the forensic community” (Scientific Working Group on Digital
Evidence).
American Academy of Forensic Science
1. The American Academy of Forensic Sciences (AAFS) is considered the premier forensic
organization in the world.
2. Members of the Academy work for the National Institute of Standards and
Technology (NIST) and National Academy of Sciences (NAS)
3. The directors of most federal crime labs are members of AAFS.
4. Members of AAFS are also active in the various Scientific Working Groups including
SWGDE.
5. The Academy plays a critical role in developing consensus standards of practice for the forensic
community.
6. The Forensic Science Education Programs Accreditation Commission (FEPAC) was a creation of
AAFS to ensure quality forensic science education and background for future forensic scientists.
American Academy of Forensic Science
7. The AAFS has approximately six thousand members and is divided into “eleven sections spanning
the forensic enterprise.”
8. The Academy comprises “physicians, attorneys, dentists, toxicologists, physical anthropologists,
document examiners, psychiatrists, physicists, engineers, criminalists, educators, digital evidence
experts, and others” (American Academy of Forensic Sciences).
9. The Digital & Multimedia Sciences section represents digital forensics.
10. As of November 3, 2010, the Digital Evidence section had 103 members.
11. Despite the name, the reach of the AAFS is truly global, representing over sixty countries around the
world (American Academy of Forensic Sciences).
American Society of Crime Laboratory
Directors/Laboratory Accreditation Board

ASCLD/LAB (pronounced as-clad lab). The ASCLD is to forensic laboratories what
Underwriters Labs is to household products.
ASCLD/LAB is the “oldest and most well known crime/forensic laboratory
accrediting body in the world.”
▪ ASCLD/LAB accredited labs are the “gold standard” in the world of forensics.
▪ A lab becomes accredited only after successfully meeting all of the standards and
requirements set forth in the ASCLD/LAB accreditation manual.
▪ These requirements and standards cover every aspect of a lab's operation and must be strictly
followed.
▪ Adherence to these standards must be thoroughly and completely documented
(American Society of Crime Laboratory Directors/Laboratory Accreditation Board).
National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) was founded in 1901 and is a part of the
U.S. Department of Commerce.
It was the first federal physical science research laboratory.
Some of NIST's areas of focus include bioscience and health, chemistry, physics, math, quality,
and information technology (National Institute of Standards and Technology).

NIST is heavily involved in digital forensics. Some of the programs and projects include:
▪ National Initiative for Cybersecurity Education (NICE)—A national cybersecurity education
program teaching sound cyber practices that will improve the country's security.
▪ National Software Reference Library—A collection of known software file signatures that can be
used by examiners to quickly exclude files that have no investigative value.
This would include things like operating system files. This can really reduce the time spent on an
examination.
▪ Computer Forensic Tool Testing—Intended to develop testing methodologies and standards
for forensic hardware and software.
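As an added example of the known-file exclusion that the National Software Reference Library supports (this is not NIST's code and it does not load the real reference data set): a small constructed hash set stands in for the reference data, and files collected from an image are split into "known, no investigative value" and "needs examination" by content hash rather than by file name. Matching on content is what makes the exclusion safe: a file that merely borrows a system file's name does not match and is still examined, while a genuine system file is excluded wherever it sits. All file names and contents are constructed.

```python
"""Added example (not NIST's code): triage collected files against a known-file
hash set, the way an examiner uses a reference data set to skip OS/application
files. The "reference set" and the "collected files" are constructed in memory."""
import hashlib


def file_hash(content: bytes) -> str:
    """Content hash used for matching. The real reference set is matched with
    whichever hash algorithm it publishes for the file; SHA-256 is used here."""
    return hashlib.sha256(content).hexdigest()


# Constructed stand-ins for known operating-system / application files.
KNOWN_FILE_CONTENTS = {
    "kernel32.dll (constructed)": b"MZ known operating system library bytes",
    "notepad.exe (constructed)": b"MZ known application bytes",
}
# A reference set is keyed by hash only; file names are not part of the match.
KNOWN_HASHES = {file_hash(c) for c in KNOWN_FILE_CONTENTS.values()}

# Constructed collection from an image: genuine system files, user files, and a
# file in a user profile that borrows a system file's name but not its content.
COLLECTED = {
    "C:/Windows/System32/kernel32.dll": KNOWN_FILE_CONTENTS["kernel32.dll (constructed)"],
    "C:/Windows/notepad.exe": KNOWN_FILE_CONTENTS["notepad.exe (constructed)"],
    "C:/Users/alice/Documents/plan.docx": b"user document text",
    "C:/Users/alice/Downloads/tool.exe": b"MZ unknown executable bytes",
    "C:/Users/alice/AppData/kernel32.dll": b"MZ not the real library",
}


def triage(collected: dict, known_hashes: set) -> tuple:
    """Split paths into (known, to_examine). A path is 'known' only when the hash
    of its content is in the reference set, regardless of its name or location."""
    known, to_examine = [], []
    for path, content in collected.items():
        if file_hash(content) in known_hashes:
            known.append(path)
        else:
            to_examine.append(path)
    return known, to_examine


def reduction_ratio(collected: dict, known_hashes: set) -> float:
    """Fraction of the collection the examiner no longer has to look at."""
    known, _ = triage(collected, known_hashes)
    return len(known) / len(collected) if collected else 0.0


if __name__ == "__main__":
    known, todo = triage(COLLECTED, KNOWN_HASHES)
    print("excluded as known:", known)
    print("needs examination:", todo)
    print(f"reduction: {reduction_ratio(COLLECTED, KNOWN_HASHES):.0%}")
```

On a real image the same loop would read file contents from the mounted image and load the hash set from the reference data rather than from the constructed dictionary; the triage logic does not change.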
American Society for Testing and Materials (ASTM)

▪ Another major player in the development of standards is ASTM.
▪ ASTM is a global organization that has developed approximately twelve thousand standards that are
used to “improve product quality, enhance safety, facilitate market access and trade, and build
consumer confidence.”
▪ ASTM, founded in 1898, comprises about 30,000 members broken into 141 committees.
▪ The Forensic Sciences committee, known as E30, is further divided into several
subcommittees.
▪ The Digital and Multimedia Evidence subcommittee is known as E30.12 (ASTM).


Role of the Forensic Examiner in the Judicial System
▪ The digital forensics practitioner most often plays the role of an expert witness. What makes them
different from non-expert witnesses? Other witnesses can only testify to what they did or saw. They
are generally limited to those areas and not permitted to render an opinion. Experts, by contrast,
can and often do give their opinion. What makes someone an “expert?” In the legal sense, it's
someone who can assist the judge or jury to understand and interpret evidence they may be
unfamiliar with. To be considered an expert in a court of law, one doesn't have to possess an
advanced academic degree. An expert simply must know more about a particular subject than the
average lay person. Under the legal definition, a doctor, scientist, baker, or garbage collector could
be qualified as an expert witness in a court of law. Individuals are qualified as experts by the court
based on their training, experience, and education.
▪ What separates a qualified expert from a truly effective one? It is their ability to communicate with
the judge and jury. They must be effective teachers. The vast majority of society lacks technical
understanding to fully grasp this kind of testimony without at least some explanation.
▪ Digital forensic examiners must carry out their duties without bias. Lastly, a digital forensics
examiner must go where the evidence takes them without any preconceived notions.
