Eti Unit III Basics of Digital Forensics

Digital forensics is a branch of forensic science focused on the identification, recovery, investigation, validation, and presentation of digital evidence from devices like computers and smartphones. The digital forensic process consists of five stages: identification, preservation, collection, analysis, and reporting, each crucial for ensuring the integrity and reliability of evidence. Various sub-disciplines exist within digital forensics, including computer forensics, network forensics, and mobile devices forensics, each with specific methodologies and ethical considerations.

UNIT III. BASICS OF DIGITAL FORENSICS

Mr. S. P. Kholambe, Lecturer in CO Deptt., MET BKC IOTP Nashik
Digital Forensics

• Digital forensics is a branch of forensic science that includes the identification, recovery, investigation, validation, and presentation of facts regarding digital evidence found on computers or similar digital storage media devices.
• Digital forensics is a branch of forensic science focused on the recovery and investigation of artifacts found on digital devices.
• Any device that stores data (e.g. computers, laptops, smartphones, thumb drives, memory cards or external hard drives) is within the ambit of digital forensics. Given the proliferation of digital devices, there has been a ramp-up in the use of digital forensics in legal cases and investigations.

The Digital Forensic Process

• The digital forensic process has the following five basic stages:
1. Identification – the first stage identifies potential sources of relevant evidence/information (devices) as well as key custodians and the location of data.
2. Preservation – the process of preserving relevant electronically stored information (ESI) by protecting the crime or incident scene, capturing visual images of the scene and documenting all relevant information about the evidence and how it was acquired.
3. Collection – collecting digital information that may be relevant to the investigation. Collection may involve removing the electronic device(s) from the crime or incident scene and then imaging, copying or printing out their content.


4. Analysis – an in-depth systematic search of evidence relating to the incident being investigated. The outputs of examination are data objects found in the collected information; they may include system- and user-generated files. Analysis aims to draw conclusions based on the evidence found.
5. Reporting – firstly, reports are based on proven techniques and methodology and secondly, other competent forensic examiners should be able to duplicate and reproduce the same results.
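The preservation, collection and reporting stages above all rest on one question a court will ask: can anyone show that the image that was examined is the same data that was collected? The script below is an added example and is not part of the original slides. It copies a constructed "device" file to an image (the copy stands in for a dd or ewfacquire run through a write blocker), hashes source and image with two algorithms, records custody events in a hash-chained JSON-lines log, and then shows that a one-byte change to the image, or to an earlier log entry, makes re-verification fail. File names, the log format and the field names are assumptions made for the example.

```python
"""Added example: acquisition hashing and a chain-of-custody log.
Not from the original slides; names, paths and the log format are illustrative."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20                      # hash in 1 MiB pieces so a multi-GB image never has to fit in RAM
ALGORITHMS = ("sha1", "sha256")      # forensic tools usually record two independent digests


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest}, reading the file exactly once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image_path):
    """Collection: bit-for-bit copy of `source`, then hash both sides.
    shutil.copyfile stands in for dd/ewfacquire behind a write blocker.
    A mismatch raises, so a bad acquisition never silently enters the evidence set."""
    shutil.copyfile(source, image_path)
    src_hashes, img_hashes = hash_file(source), hash_file(image_path)
    if src_hashes != img_hashes:
        raise RuntimeError("acquisition verification failed: image differs from source")
    return img_hashes


def record_custody(log_path, event, **fields):
    """Preservation: append one JSON line per custody event. Each entry carries the
    SHA-256 of the previous line, so editing or deleting an earlier entry is detectable."""
    prev = "0" * 64
    if os.path.exists(log_path):
        with open(log_path, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = {"time": datetime.now(timezone.utc).isoformat(), "event": event, "prev": prev, **fields}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_image(image_path, expected):
    """Reporting/reproducibility: any examiner can re-hash the image and compare."""
    return hash_file(image_path, tuple(expected)) == expected


def verify_custody_log(log_path):
    """True if every entry's `prev` matches the hash of the line before it."""
    with open(log_path, "rb") as f:
        lines = f.read().splitlines()
    prev = "0" * 64
    for line in lines:
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line).hexdigest()
    return True


def demo():
    """Constructed scenario: a fake USB 'device' is imaged, hashed, logged and verified; then
    one byte of the image is flipped and one custody entry is edited.
    Returns (all_verified_before, image_verified_after, log_verified_after)."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "suspect_usb.dev")       # stand-in for a block device
    image = os.path.join(work, "suspect_usb.raw")        # acquired image
    log = os.path.join(work, "chain_of_custody.jsonl")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))           # constructed device contents
    hashes = acquire_image(source, image)
    record_custody(log, "acquired", item="suspect_usb", examiner="examiner-1",
                   image=os.path.basename(image), **hashes)
    record_custody(log, "transferred", item="suspect_usb", sender="examiner-1",
                   receiver="evidence-locker")
    before = verify_image(image, hashes) and verify_custody_log(log)
    with open(image, "r+b") as f:                         # simulate post-acquisition tampering
        f.seek(100)
        byte = f.read(1)
        f.seek(100)
        f.write(bytes([byte[0] ^ 0xFF]))
    image_after = verify_image(image, hashes)
    with open(log, "r+b") as f:                           # simulate editing the first custody entry
        edited = f.read().replace(b"examiner-1", b"examiner-2", 1)
        f.seek(0)
        f.write(edited)
        f.truncate()
    log_after = verify_custody_log(log)
    shutil.rmtree(work)
    return before, image_after, log_after


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The two digests are recorded at acquisition time and again in the report, so a second examiner only needs the image and the published values to reproduce the check, which is exactly the reproducibility requirement of the reporting stage.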

Rules Of Digital Forensics

1. The secure collection of digital data.
2. The examination of suspect data to determine details such as origin and content.
3. The presentation of computer-based information to courts of law (if necessary).
4. The application of a country's laws to computer practice.
Different Types Of Digital Forensics

• Digital forensics is a constantly evolving scientific field with many sub-disciplines. Some of these sub-disciplines are:
1. Computer Forensics – the identification, preservation, collection, analysis and reporting of evidence found on computers, laptops and storage media in support of investigations and legal proceedings.
2. Network Forensics – the monitoring, capture, storing and analysis of network activities or events in order to discover the source of security attacks, intrusions or other problem incidents, i.e. worm, virus or malware attacks, abnormal network traffic and security breaches.
3. Mobile Devices Forensics – the recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles.


4. Digital Image Forensics – the extraction and analysis of digitally acquired photographic images to validate their authenticity by recovering the metadata of the image file to ascertain its history. Metadata can itself be edited or stripped, so it corroborates rather than proves authenticity.
5. Digital Video/Audio Forensics – the collection, analysis and evaluation of sound and video recordings. The science is the establishment of authenticity: whether a recording is original and whether it has been tampered with, either maliciously or accidentally.
6. Memory Forensics – the recovery of evidence from the RAM of a running computer, also called live acquisition.
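Digital image forensics, as described in item 4, starts by pulling the metadata a camera or editor wrote into the file. The code below is an added example, not from the slides: it builds two small JPEGs carrying an Exif APP1 segment (so the example runs offline), parses the first TIFF image file directory in either byte order, and applies two simple history heuristics (an editing product in the Software tag, a DateTime that is not in the camera format). The tag set, the software names checked and the file contents are assumptions made for the example.

```python
"""Added example: recover Exif metadata from a JPEG to reason about its history.
Not from the original slides; the JPEGs are constructed in build_exif_jpeg()."""
import re
import struct

# TIFF field types used by Exif: type code -> size of one element in bytes.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0112: "Orientation", 0x0131: "Software", 0x0132: "DateTime"}


def build_exif_jpeg(tags, bo="<"):
    """Construct a minimal JPEG (SOI, APP1/Exif with one IFD, EOI) for testing.
    tags: (tag, type, value) with value a str for ASCII (type 2) or int for SHORT (type 3).
    bo is the TIFF byte order: '<' writes 'II', '>' writes 'MM'."""
    n = len(tags)
    data_start = 8 + 2 + 12 * n + 4          # TIFF offset where out-of-line values begin
    entries, data = [], b""
    for tag, typ, value in sorted(tags):      # Exif requires ascending tag order
        if typ == 2:
            raw = value.encode("ascii") + b"\x00"
            if len(raw) <= 4:                 # short values live inside the 4-byte field
                field = raw.ljust(4, b"\x00")
            else:                             # longer ones are stored by offset
                field = struct.pack(bo + "I", data_start + len(data))
                data += raw
            entries.append(struct.pack(bo + "HHI", tag, typ, len(raw)) + field)
        elif typ == 3:
            entries.append(struct.pack(bo + "HHI", tag, typ, 1) + struct.pack(bo + "H", value) + b"\x00\x00")
    header = (b"II" if bo == "<" else b"MM") + struct.pack(bo + "HI", 42, 8)
    tiff = header + struct.pack(bo + "H", n) + b"".join(entries) + struct.pack(bo + "I", 0) + data
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def parse_exif(jpeg):
    """Walk the JPEG marker segments until APP1/Exif, SOS or EOI; return IFD0 as a dict."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(jpeg):
        (marker,) = struct.unpack(">H", jpeg[pos:pos + 2])
        if marker in (0xFFD9, 0xFFDA):       # EOI, or SOS: entropy-coded data follows, stop
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        segment = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xFFE1 and segment.startswith(b"Exif\x00\x00"):
            return parse_ifd0(segment[6:])
        pos += 2 + length
    return {}


def parse_ifd0(tiff):
    """Decode the first IFD. Real cameras write either byte order, so both are handled."""
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd0 = struct.unpack(bo + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])
    result = {}
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + "HHI", tiff[off:off + 8])
        field = tiff[off + 8:off + 12]
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:
            raw = field[:size]
        else:
            (data_off,) = struct.unpack(bo + "I", field)
            raw = tiff[data_off:data_off + size]
        if typ == 2:
            value = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 3:
            value = struct.unpack(bo + "H", raw[:2])[0]
        else:
            value = raw                       # leave rationals/undefined as bytes
        result[TAG_NAMES.get(tag, f"0x{tag:04X}")] = value
    return result


def assess_history(meta):
    """Heuristics, not proof: metadata can be stripped or forged, so a hit only says where to look next."""
    findings = []
    software = meta.get("Software", "")
    if any(k in software.lower() for k in ("photoshop", "gimp", "lightroom")):
        findings.append(f"edited with {software}")
    date = meta.get("DateTime", "")
    if date and not re.fullmatch(r"\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}", date):
        findings.append(f"non-standard DateTime {date!r}")
    return findings


def demo():
    """Constructed 'camera original' and 'edited' files: returns (metadata of original, findings for each)."""
    original = build_exif_jpeg([(0x010F, 2, "Canon"), (0x0110, 2, "Canon EOS 5D"), (0x0112, 3, 1),
                                (0x0131, 2, "Firmware 1.0"), (0x0132, 2, "2023:05:17 10:42:08")])
    edited = build_exif_jpeg([(0x010F, 2, "Canon"), (0x0131, 2, "Adobe Photoshop 24.0"),
                              (0x0132, 2, "2023:05:17 10:42:08")])
    meta = parse_exif(original)
    return meta, assess_history(meta), assess_history(parse_exif(edited))
```

A real examination would go on to the Exif sub-IFD, thumbnail, quantisation tables and sensor noise, because an absent or clean Software tag proves nothing; the parser above is only the first step the slide describes, recovering what the file says about itself.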

Digital Forensics Goal

• The main object of a digital forensic analysis is the digital device related to the security incident under investigation.
• The digital device was either used to commit a crime, was the target of an attack, or is a source of information for the analyst.
• The goals of the analysis phase in the digital forensics process differ from one case to another.
• It can be used to support or refute assumptions about individuals or entities, or it can be used to investigate information security incidents locally on the system or over a network.

Models of Digital Forensic Investigation

1. Digital Forensic Research Workshop Group (DFRWS) Investigative Model
2. Abstract Digital Forensics Model (ADFM)
3. Integrated Digital Investigation Process (IDIP)
4. End to End Digital Investigation Process (EEDIP)
5. An extended model for cybercrime investigation
6. UML modeling of digital forensic process model (UMDFPM)

Digital Forensic Research Workshop Group (DFRWS) Investigative Model

• The DFRWS Investigative Model starts with an Identification Phase, in which profile detection, system monitoring, audit analysis, etc. are performed.
• Preservation Phase: involves tasks such as setting up proper case management and ensuring an acceptable chain of custody. This phase is crucial to ensure that the data collected is free from contamination.
• Collection Phase: relevant data are collected using approved methods and various recovery techniques.
• Examination Phase and Analysis Phase: in these two phases, tasks such as evidence tracing, evidence validation, recovery of hidden/encrypted data, data mining, timeline construction, etc. are performed.
• Presentation Phase: tasks related to this phase are documentation, expert testimony, etc.
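The examination and analysis tasks listed above (evidence tracing, validation, timeline) are where artifacts from different sources get merged onto one clock. The script below is an added example and not part of the slides: it takes constructed Sleuth Kit bodyfile lines (file MAC times in epoch seconds) and constructed syslog lines (local wall-clock time with no year or zone), normalises both to UTC, sorts them into a single timeline, and flags a file whose modification time precedes its creation time. The host time zone, the log year, the paths and every log line are assumptions made for the example.

```python
"""Added example: super-timeline construction for the examination/analysis phases.
Not from the original slides; all log content below is constructed sample data."""
import re
from datetime import datetime, timezone, timedelta

# Constructed Sleuth Kit bodyfile lines (output of `fls -m`, input to `mactime`):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times as epoch seconds (UTC).
BODYFILE = """\
0|/home/alice/.bash_history|1049|r/rrw-------|1000|1000|2048|1684320000|1684320000|1684320000|1660000000
0|/tmp/.x/payload.elf|2210|r/rrwxr-xr-x|0|0|73728|1684320200|1600000000|1684320190|1684320190
0|/var/log/auth.log|3390|r/rrw-r-----|0|0|91233|1684320300|1684320310|1684320310|1660000000
"""

# Constructed syslog lines. Syslog stores local wall-clock time without year or zone;
# this (assumed) host was set to UTC+02:00, so the examiner must supply both.
AUTH_LOG = """\
May 17 12:42:55 host sshd[4121]: Accepted password for alice from 203.0.113.5 port 51234 ssh2
May 17 12:43:10 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
May 17 12:45:10 host sshd[4121]: Received disconnect from 203.0.113.5 port 51234:11: disconnected by user
"""
HOST_TZ = timezone(timedelta(hours=2))
LOG_YEAR = 2023

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_bodyfile(text):
    """One (utc_time, source, description) tuple per MACB timestamp of every file."""
    events = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue                                   # skip headers/garbage rather than crash
        path = fields[1]
        stamps = zip(("accessed", "modified", "changed", "created"), map(int, fields[7:11]))
        for label, ts in stamps:
            events.append((datetime.fromtimestamp(ts, timezone.utc), "fs", f"{label} {path}"))
    return events


def parse_syslog(text, year=LOG_YEAR, local_tz=HOST_TZ):
    """Parse 'Mon DD HH:MM:SS host prog: msg', attach year and zone, convert to UTC."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, host, msg = m.groups()
        local = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        utc = local.replace(tzinfo=local_tz).astimezone(timezone.utc)
        events.append((utc, "syslog", f"{host}: {msg}"))
    return events


def timestomp_indicators(text):
    """Files whose mtime precedes their crtime. A filesystem never produces that on its own,
    so it is a common indicator (not proof) that timestamps were manipulated."""
    hits = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) == 11 and int(fields[8]) < int(fields[10]):
            hits.append(fields[1])
    return hits


def build_timeline(bodyfile=BODYFILE, syslog=AUTH_LOG):
    """Merge all sources onto one UTC clock; ties sort by source then description."""
    return sorted(parse_bodyfile(bodyfile) + parse_syslog(syslog))


def render(events, start=None, end=None):
    """Timeline lines, optionally restricted to a UTC window, ready for a report appendix."""
    return [f"{t.isoformat()} [{src}] {desc}" for t, src, desc in events
            if (start is None or t >= start) and (end is None or t <= end)]


if __name__ == "__main__":
    tl = build_timeline()
    print("\n".join(render(tl)))
    print("timestomp indicators:", timestomp_indicators(BODYFILE))
```

Once both sources sit on the same clock, the sudo escalation and the creation of /tmp/.x/payload.elf line up to the second, which is the kind of correlation the analysis phase is after; the zone conversion is the step most often skipped, and skipping it would have put the two events two hours apart.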
Abstract Digital Forensics Model (ADFM)
• Identification phase: the task of recognizing and determining the type of incident is performed.
• Once the incident type has been ascertained, the Preparation phase is conducted, followed by the Approach Strategy phase.
• Physical and digital data acquired must be properly isolated, secured and preserved, and a proper chain of custody must be maintained. All of these tasks are performed in the Preservation phase.
• Collection phase: data extraction and duplication are done. Identifying and locating the potential evidence within the collected data, using a systematic approach, is done in the following phase, known as the Examination phase.
• The task of determining the significance of the evidence and drawing conclusions based on the evidence found is done in the Analysis phase.
• Presentation phase: the findings are summarized and presented. The investigation process is completed with the Returning Evidence phase.
Integrated Digital Investigation Process (IDIP)

• The process starts with a phase that requires the physical and operational infrastructure to be ready to support any future investigation.
• In this Readiness phase, the equipment must always be ready and the personnel must be capable of using it effectively. This is an ongoing phase throughout the lifecycle of an organization. It consists of two sub-phases, namely Operation Readiness and Infrastructure Readiness.
• Deployment phase: provides a mechanism for an incident to be detected and confirmed. Two sub-phases are introduced, namely Detection & Notification and Confirmation & Authorization.

• Collecting and analyzing physical evidence is done in the Physical Crime Scene Investigation phase.
• The sub-phases introduced are Preservation, Survey, Documentation, Search & Collection, Reconstruction and Presentation.
• Digital Crime Scene Investigation is similar to Physical Crime Scene Investigation, with the exception that it focuses on the digital evidence in the digital environment.
• The last phase is the Review phase. The whole investigation process is reviewed to identify areas of improvement that may result in new procedures or new training requirements.
End To End Digital Investigation Process (EEDIP)

• The investigation process starts with the Readiness phase, and the tasks performed are the same as in IDIP.
• Deployment phase: provides a mechanism for an incident to be detected and confirmed. It consists of five sub-phases, namely Detection & Notification, Physical Crime Scene Investigation, Digital Crime Scene Investigation, Confirmation and lastly Submission. Unlike IDIP, this phase includes both physical and digital crime scene investigations and the presentation of findings to legal authorities.
• Traceback phase: tracking down the source crime scene, including the devices and location, is the main objective. It is supported by two sub-phases, namely Digital Crime Scene Investigation and Authorization.

• Dynamite phase: in this phase, investigation is conducted at the primary crime scene, with the purpose of identifying the potential culprit(s). It consists of four sub-phases, namely Physical Crime Scene Investigation, Digital Crime Scene Investigation, Reconstruction and Communication. In the Reconstruction sub-phase, the pieces of information collected are put together so as to reconstruct the possible events that could have happened. The Communication sub-phase is similar to the earlier Submission sub-phase.
• The investigation process ends with the Review phase, and the tasks performed are the same as in IDIP.
AN EXTENDED MODEL FOR CYBERCRIME INVESTIGATION

UML Modeling Of Digital Forensic Process Model (UMDFPM)
Ethical Issues In Digital Forensics

• Ethics in the digital forensic field can be defined as the set of moral principles that regulate the use of computers.
• Ethical decision making in digital forensic work comprises one or more of the following:
1. Honesty towards the investigation.
2. Careful handling of physical evidence.
3. Compliance with the law and professional norms.
General Ethical Norms For Investigators

• Investigators should satisfy the following points:
1. To contribute to society and human well-being.
2. To avoid harm to others.
3. To be honest and trustworthy.
4. To be fair and take action not to discriminate.
5. To honor property rights, including copyrights and patents.
6. To give proper credit for intellectual property.
7. To respect the privacy of others.
8. To honor confidentiality.
Unethical Norms For Investigators

• Investigators should not:
1. Withhold any relevant evidence.
2. Disclose any confidential matter or knowledge.
3. Express an opinion on the guilt or innocence of any party.
4. Engage in any kind of unethical conduct.
5. Knowingly undertake an assignment beyond his or her capacity.
6. Falsify education, findings or observations.
7. Display bias in findings.
8. Exceed authorization in conducting an examination.
