Chapter 1


CHAPTER 1 : ITT 593 : INTRODUCTION TO DIGITAL FORENSIC

• Key developments
• Digital devices in society
• Technology and culture
• Defining digital forensics
• Digital forensic investigation process

UITM MELAKA, KAMPUS JASIN


KEY DEVELOPMENTS
• Advances in computer usability
  • Digital devices are used by everyone
  • Increasing dependence on computers in many aspects of life
  • Low-cost hardware
• Pervasive computing
  • Allows near-limitless information exchange
  • Network evolution: LAN and WAN
  • Data of any type that can be carried between different platforms
• Nanotechnology
  • Smaller devices, both end machines and network equipment


DIGITAL DEVICES IN SOCIETY
• As a result of 40 years of innovation, today's society has become technology dependent:
  • Vehicles: engine management in modern cars
  • Entertainment: MP3 players, CD players, Blu-ray
  • Communications: mobile phones
  • Lifestyle management: PDAs, smartphones
• Anonymity: society operates globally, but people perform their activities locally.
• All users, criminals included, have equal access to technology regardless of their intentions.


TECHNOLOGY AND CULTURE
• Technology has been a driving factor of cultural change.
• People share interests globally; common interests are expressed through particular groups.
• Fashions are shared worldwide as a result of online business and the communication channels that support it.
• Communication itself has changed, both personal and group communication.


Computer Forensics
• Determining the past actions that have taken place on a computer system
• Using artifacts: files, settings or system changes that occur when the user or the OS performs a specific action
  • Example: the creation date of a user's home directory (or profile folder) shows the first time that user logged in, on systems that create it at first logon
• Testing is essential: verify how an artifact behaves on the OS version in front of you rather than trusting what someone else reports

What You Can Do with Computer Forensics
• Recover deleted files
• Find out what external devices have been attached
• Determine what programs have been run
• See what web pages users have viewed, their email, chat logs
• SMS messages from phones
• Find malware and determine what it has done

IT or Infosec Professionals
• Computer security professionals are drawn into forensics by incident response
  • How did the attacker get into the system?
  • What damage was done?
• Other issues
  • Stalking
  • Inappropriate web use
  • Tracking emails

Incident Response vs. Computer Forensics
• Incident response examines a live, running system
• Computer forensics classically focused on post-mortem analysis of a static disk image
  • A forensic image is a complete bitwise copy of an entire hard disk
  • Or SSD, flash drive, RAM, etc.
RAM Analysis
• Until recently, forensics focused on the hard disk and RAM was considered unimportant
• This has reversed in the last few years
• The course projects reflect this
  • First we do RAM analysis
  • Hard disk images come later
Introduction to Forensics: General Terms
Information is the quantity that must be preserved and collected. Information is an element of an organization's regular operations.
Records are a form of information, regardless of medium or format, that has value to an organization. The term describes both documents and recorded data.
Evidence is anything (testimony, documents, tangible objects) that tends to prove or disprove the existence of an alleged fact.
E-discovery is a related term that has gained use to incorporate electronically stored information (ESI) into the discovery process, which is the compulsory disclosure, at a party's request, of information that relates to the litigation.
Authenticity is "the act of proving that something (such as a document) is true or genuine, especially so that it may be admitted as evidence".
Chain of custody is a process of handling evidence that creates and maintains a transaction record for each individual who assumes or releases possession of the evidence. The chain of custody record provides both continuity of custody from acquisition to presentation and a list of the individuals who have had possession of the evidence.
Integrity of data is defined as "a requirement that information and programs are changed only in a specified and authorized manner". Unauthorized alteration of data, whether intentional or unintentional, can affect the weight given to the evidence in court.
Hashing is the process of taking an amount of data (such as a file or the image of a hard drive) and applying a "complex mathematical algorithm to generate a relatively compact numerical identifier (the hash value) unique to that data". For a sound algorithm, the chance that two non-identical pieces of data generate the same hash value is remote.

C-DAC All Rights Reserved


Key Elements of Computer Forensics (flow)
Incident
 → Awareness
 → Consultation
 → Image Acquisition/Recovery
 → Preliminary Analysis
 → Detailed Analysis
 → Preliminary/Final Report
 → Deposition/Affidavit
 → Presentation
Various Data Types
• Volatile data: data in use by a system but not written to media
  • Data in memory, network status and connections, and running processes
• Semi-volatile data: data that is overwritten after a period
  • Temporary files, program logs
• Persistent data: system and data backups generated as part of an organization's regular operations

Workflow of Cyber Crime Investigation: Parties Involved in Different Stages

Stage of investigation                                  Parties involved
Search warrant to carry out search and seizure          Investigating officer and legal advisor
Search, seizure and transport of digital evidence       Investigating officer, principal investigator and legal advisor
Forensic analysis of digital evidence                   Digital forensic expert
Preparation of analysis report                          Forensic expert, with the assistance of a legal advisor
Preparation and presentation of the case in court       Investigating officer, principal investigator and legal advisor
Cyber Forensic Procedures
Step 1: Verification
• Verification is concerned with confirming that an incident or action has occurred that warrants the initiation of a forensic investigation.
• The criteria for verification can come from multiple sources: an organization's internal policies, and local, state or federal law.
Cyber Forensic Procedures: Step Two
Step 2: Identification and System Description
• From an eDiscovery perspective, this is the point at which the triggering event has occurred and been verified. Potential sources of data (such as systems), subject matter experts (such as forensic analysts) and other required resources are identified and allocated at this point.
• From a forensic investigation perspective, this is the point at which detailed descriptions of the systems in scope are collected by the forensic analyst or security practitioner.

Cyber Forensic Procedures: Step Three
Step 3: Preservation, Collection and Evidence Acquisition
• Concerned with acquiring the relevant data in scope in a manner that minimizes data loss and is legally defensible, auditable, proportionate, reasonable and efficient.
• Forensic investigation is primarily concerned with four principles: minimizing data loss, recording detailed notes, analyzing the collected data and reporting findings.
• Systems and data in scope should be handled so as to avoid data destruction, and a preservation plan should be developed before execution.
Step 3 Guidelines
• Consistency of process: organizations should perform forensic investigations using a consistent process to preserve and collect data in a legally defensible manner.
• Use forensic toolkits.
• Live acquisition is best: when possible, acquire the "live" system, including its volatile data. This type of acquisition captures a snapshot of the system in question including the contents of memory, running processes and network connections, as well as allocated and deleted files. Running any tool on a live system does change it, so collect the most volatile data first and record exactly which tools were run and when.
• Bit stream imaging: bit stream imaging (a.k.a. disk imaging) generates a bit-for-bit copy of the original media, including unallocated (deleted) data. It requires access to the entire volume, which is more easily accomplished on low-capacity media.
  Logical backups copy the directories and files from a volume. This process does not capture additional data from the media, such as deleted files or residual data stored in slack space.
• Make no changes: during the preservation/collection process do not alter, delete or add data, within reason. Forensic toolkits, together with a write blocker that presents the target media read-only, help reduce the impact of acquisition and collection on the target media.
• Take hash values: all electronic data should be hashed at the point of acquisition, at each transfer of custody, and after any modification.
  • MD5 and SHA-1 can be used for hashing. Both have known practical collision attacks, so it is good practice to record a SHA-256 value alongside them; a hash protects integrity only if the value itself is recorded where it cannot be quietly altered, such as in the custody log.
• Log everything: forensic analysts should keep detailed logs of the actions they perform throughout the acquisition and collection process. Logs can be created and maintained either on paper or in electronic form.
• Record and preserve chain of custody: the chain of custody record should begin with data acquisition and be maintained until the material is accepted as evidence.
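The Step 3 guidelines above (bit stream imaging, taking hash values, logging everything, recording chain of custody) combined into one small acquisition routine. This is an added example written for these notes, not code from the slides or from any tool they mention. The "device" is a constructed file of sample bytes standing in for a block device such as /dev/sdb; the image name, log name and examiner names are hypothetical, and the custody log is a JSON-lines file in a temporary directory.

```python
"""Hash-verified bit-stream acquisition with a chain-of-custody log (added example)."""
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # read 1 MiB at a time so a full disk never has to fit in memory


def hash_stream(fileobj):
    """Return {algorithm: hexdigest} for a file-like object, read in chunks.

    MD5 and SHA-1 are what the slides name and what many imaging tools report;
    SHA-256 is recorded alongside them because both older algorithms have
    practical collision attacks.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for block in iter(lambda: fileobj.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def append_record(log_path, record):
    """Append one JSON line; the log is the chain-of-custody transaction record."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")


def acquire(source_path, image_path, log_path, examiner):
    """Bit-for-bit copy source -> image, hashing the source as it is read, then
    re-hash the written image to confirm the copy is exact."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            for h in hashers.values():
                h.update(block)
    source_hashes = {name: h.hexdigest() for name, h in hashers.items()}
    with open(image_path, "rb") as img:
        image_hashes = hash_stream(img)
    record = {"event": "acquisition", "time": utc_now(), "source": source_path,
              "image": image_path, "hashes": image_hashes,
              "verified": source_hashes == image_hashes,
              "released_by": None, "received_by": examiner}
    append_record(log_path, record)
    return record


def transfer_custody(image_path, log_path, released_by, received_by):
    """Re-hash at every hand-off and record who released and who assumed possession."""
    with open(image_path, "rb") as img:
        hashes = hash_stream(img)
    record = {"event": "transfer", "time": utc_now(), "image": image_path,
              "hashes": hashes, "released_by": released_by, "received_by": received_by}
    append_record(log_path, record)
    return record


def verify_chain(log_path):
    """Integrity check: every recorded SHA-256 must equal the acquisition hash."""
    with open(log_path, encoding="utf-8") as log:
        records = [json.loads(line) for line in log if line.strip()]
    baseline = records[0]["hashes"]["sha256"]
    return all(r["hashes"]["sha256"] == baseline for r in records), records


def demo(workdir=None):
    """Acquire a constructed 'device', hand it off, alter one byte, hand it off
    again; returns a summary showing the chain intact before and broken after."""
    workdir = workdir or tempfile.mkdtemp(prefix="acq_")
    source = os.path.join(workdir, "sdb.raw")  # constructed stand-in for /dev/sdb
    image = os.path.join(workdir, "evidence_001.dd")
    log = os.path.join(workdir, "custody.jsonl")
    with open(source, "wb") as f:  # constructed sample: file data plus zeroed sectors
        f.write(b"constructed sample sector data\n" * 200 + b"\x00" * 4096)
    acq = acquire(source, image, log, examiner="Examiner A (hypothetical)")
    transfer_custody(image, log, "Examiner A", "Evidence custodian B")
    intact_before, _ = verify_chain(log)
    with open(image, "r+b") as f:  # simulate an unauthorized alteration of the image
        f.write(b"X")
    transfer_custody(image, log, "Evidence custodian B", "Examiner C")
    intact_after, records = verify_chain(log)
    return {"copy_verified": acq["verified"], "intact_before": intact_before,
            "intact_after": intact_after, "records": len(records)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script it acquires, hands the image off once, overwrites one byte, hands it off again, and reports that the chain is intact before the alteration and broken after it. Against real media the same read loop runs over the block device behind a write blocker, and each JSON line carries what a paper transfer form would record: time, hashes, who released and who received.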
Cyber Forensic Procedures: Step Four
Step 4: Processing/Review/Analysis (Media Analysis, String/Byte Search, Timeline Analysis, Data Recovery)
• This stage involves analyzing the data collected during Step 3.
• Processing this data is the most time-consuming portion of the eDiscovery/forensic investigation process.
• It involves applying the details of the incident, the verification and the system description information, and making educated decisions when examining this "snapshot" of data for relevant evidence.
Content Analysis
• Content (what type of data)
• Comparison (against known data)
• Transaction (sequence)
• Extraction (of data)
• Deleted data files (recovery)
• Format conversion
• Keyword searching
• Password (decryption)
• Limited source code (analysis or comparison)
• Storage media (many types)
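Keyword and string/byte searching from the list above, applied to a memory snapshot: a scan for card numbers held in the clear, which is the forensic mirror image of the RAM-scraper technique the Target case at the end of this chapter refers to. This is an added example for these notes, not code from the slides; the memory fragment is constructed and the card numbers are published test numbers. Every run of 13 to 19 digits is a candidate, and the Luhn check discards the runs that are not card numbers, which matters because a dump contains far more digit strings than cards.

```python
"""Scan a memory snapshot for card numbers in the clear (added example)."""
import re

# Constructed memory fragment: a payment application's heap with card data in the
# clear among unrelated bytes. The card numbers are published test PANs
# (Visa, Mastercard, American Express), not real cards.
SAMPLE_DUMP = (
    b"\x00\x00GET /checkout HTTP/1.1\r\n\x00\x00\x00"
    b"pan=4111111111111111&exp=1226\x00\x00"
    b";5555555555554444=2512101123456789?\x00"  # magnetic-stripe track 2 layout
    b"order_id=1234567890123456\x00"            # 16 digits that fail the Luhn check
    b"\xde\xad\xbe\xef378282246310005\x00"       # 15-digit Amex test number
    b"tel=01234567890123\x00"                   # 14 digits, also fails Luhn
)

# A candidate is a run of 13 to 19 ASCII digits not adjacent to another digit,
# so a 20-digit run is rejected whole rather than trimmed into a false "card".
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits):
    """Luhn check digit: double every second digit from the right, fold >9 to
    a single digit, and the total must be a multiple of ten."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(pan):
    """Issuer family from the leading digits and length (major schemes only)."""
    n = len(pan)
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720):
        return "Mastercard"
    if n == 15 and pan[:2] in ("34", "37"):
        return "American Express"
    return "unknown"


def mask(pan):
    """First six and last four, which is how a report should print a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_pans(dump):
    """Return Luhn-valid card numbers found in a bytes-like object, with offsets."""
    hits = []
    for m in PAN_RE.finditer(dump):
        pan = m.group(1).decode("ascii")
        if luhn_valid(pan):
            hits.append({"offset": m.start(1), "pan": pan,
                         "masked": mask(pan), "brand": brand(pan)})
    return hits


if __name__ == "__main__":
    for hit in scan_for_pans(SAMPLE_DUMP):
        print(f"offset 0x{hit['offset']:06x}  {hit['masked']:<19}  {hit['brand']}")
```

On a real dump, hand scan_for_pans an mmap of the file rather than reading gigabytes into memory; the regex works on any bytes-like object. The offset of a hit is what you carry into the Where and How questions of the content analysis: which process owned that region of memory, and whether the data had any business being there unencrypted.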
Content Analysis Flow Diagram

While there is more data for analysis, take the next item and ask:

Who/What
• Who or what application created, modified, sent or received the file?
• Who is this item linked to and identified with?
Where
• Where was it found, and where did it come from?
• Does it show where a relevant event took place?
When
• When was it created, accessed, modified, deleted, sent?
• Time analysis: what else happened on the system at the same time?
How
• How did it originate on the media?
• How was it created, transmitted, modified, used?
• Does it show how relevant events occurred?
Associated artifacts / metadata
• Registry entries
• Application and system log analysis

For each item:
• If the item or the discovered information can generate new data search leads, start "Data Search Preparation/Extraction" and document the new leads on the "Data Search Lead List".
• If it points to a new source of data, start "Obtaining Forensic Data" (imaging) and document the lead on the "New Source of Data Lead List".
• Mark relevant items on the "Relevant Data List", and use a timeline or other methods to document findings on the "Analysis Results List".

When no more data remains for analysis, start "Forensic Reporting" to document the findings.
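The "When" branch of the flow diagram, time analysis of what else happened on the system at the same time, as an added example for these notes (not from the slides or from any particular tool). It takes file MACB timestamps in a simplified bodyfile-like format constructed for the example, merges coinciding timestamps into one event with combined flags the way mactime does, and then pulls every event within a window around a file of interest. The paths and times are made up.

```python
"""Build a MACB timeline and ask what else happened around a file (added example)."""
from datetime import datetime, timezone

# Constructed sample in a simplified bodyfile-like format (one file per line):
# path|atime|mtime|ctime|crtime, all as Unix epoch seconds in UTC.
# These records are made up for the example.
SAMPLE_BODY = """\
C:/Users/alice/Downloads/invoice.zip|1700000100|1700000100|1700000100|1700000100
C:/Users/alice/AppData/Local/Temp/invoice.exe|1700000160|1700000160|1700000160|1700000160
C:/Windows/System32/Tasks/Updater|1700000190|1700000190|1700000190|1700000190
C:/Users/alice/Documents/report.docx|1699000000|1698000000|1698000000|1690000000
"""

FLAG_ORDER = "MACB"  # mactime convention: Modified, Accessed, Changed (metadata), Born (created)


def parse_body(text):
    """Turn each file record into timeline events, one per distinct timestamp.
    Timestamps that coincide are merged into a single event with combined MACB
    flags, e.g. 'MACB' for a file written once and never touched again."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, atime, mtime, ctime, crtime = line.split("|")
        stamps = {"M": int(mtime), "A": int(atime), "C": int(ctime), "B": int(crtime)}
        by_time = {}
        for flag, ts in stamps.items():
            by_time.setdefault(ts, set()).add(flag)
        for ts, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in FLAG_ORDER)
            events.append({"ts": ts, "macb": macb, "path": path})
    return sorted(events, key=lambda e: (e["ts"], e["path"]))


def events_near(timeline, anchor_path, window_seconds):
    """Answer 'what else happened on the system at the same time': every event
    within +/- window_seconds of any event belonging to anchor_path."""
    anchors = [e["ts"] for e in timeline if e["path"] == anchor_path]
    return [e for e in timeline
            if any(abs(e["ts"] - a) <= window_seconds for a in anchors)]


def fmt(event):
    when = datetime.fromtimestamp(event["ts"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when}Z {event['macb']} {event['path']}"


if __name__ == "__main__":
    tl = parse_body(SAMPLE_BODY)
    for e in tl:
        print(fmt(e))
    print("-- within two minutes of invoice.exe --")
    for e in events_near(tl, "C:/Users/alice/AppData/Local/Temp/invoice.exe", 120):
        print(fmt(e))
```

The merged flags are the point: a file showing "MACB" on one line was created and never reopened, while the three separate lines for report.docx tell you it was created, later modified, and later still only read. The windowed query is the manual step an examiner repeats for every item marked relevant, and it is why timestamps from every source should be normalized to UTC before they are combined.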
Cyber Forensic Procedures: Step Five
Step 5: Production
• Involves the preparation and production of ESI in order to meet the requirement that ESI be presented in an agreed-upon and usable format.
• ESI may need to be converted into a standardized, searchable format that has already been agreed to by the parties.
• The "usable" requirement in the presentation of ESI can involve factors such as searchability, fielded data, redaction, metadata and summaries.
Cyber Forensic Procedures: Step Six
Step 6: Presentation and Reporting Results
• At this final stage the ESI that has been identified, acquired, analyzed and prepared is displayed to an audience.
• The goal of this stage is to provide targeted evidence to prove or disprove statements of fact, in the overall context of eliciting further information, validating existing facts or positions, or persuading an audience.

• Target was hacked with RAM scrapers
• Credit card numbers were unencrypted in RAM
• Link Ch 1c