Internet Forensics and Cyber Security: Unit 3


Internet Forensics and Cyber Security

Unit 3
Digital Investigations and Forensic Labs and Tools
Topics
• Conducting Digital Investigations
• Applying Forensic Science to Computers
• Forensic Laboratories
• Policies and Procedures
• Quality Assurance
• Hardware and Software
• Accreditation vs. Certification
2
Conducting Digital Investigations
• Digital investigations vary depending on technical factors such as:
– Type of computing or communications
device
– Whether the investigation is in a criminal,
civil, commercial, military, or other context
– Case-based factors such as the specific
claims to be investigated

3
Conducting Digital Investigations (cont.)
• Despite this variation in digital
investigations, there exists a sufficient
amount of similarity between the ways
digital investigations are undertaken
that commonalities may be observed
– These commonalities tend to be observed
from a number of perspectives, with the
primary ways being process, principles,
and methodology

4
Digital Investigations Process Models
• A number of models were proposed for describing
investigations, which have come to be known as
“process models”, including:
– Physical Model
– Staircase Model
– Evidence Flow Model
– Subphase Model
– Roles and Responsibilities Model
• The most common steps for conducting a complete and
competent digital investigation are the following five
steps:
1. Preparation
2. Survey
3. Preservation
4. Examination and Analysis
5. Presentation

5
Process Models (cont.)
1. Preparation: Generating a plan of
action to conduct an effective digital
investigation, and obtaining
supporting resources and materials.
2. Survey: Finding potential sources of
digital evidence
– e.g., at a crime scene, within an
organization, or on the Internet
6
Process Models (cont.)
3. Preservation: Preventing changes to
digital evidence
– Including isolating the system on the
network, securing relevant log files, and
collecting volatile data that would be lost
when the system is turned off
– This step includes collection or acquisition

7
Process Models (cont.)
4. Examination and Analysis: Searching for
and interpreting trace evidence
– Forensic examination is the process of
extracting and viewing information from the
evidence, and making it available for analysis
– Forensic analysis is the application of the
scientific method and critical thinking to
address the fundamental questions in an
investigation: who, what, where, when, how,
and why
8
Process Models (cont.)
5. Presentation: Reporting of findings in
a manner which satisfies the context
of the investigation
– Whether it be legal, corporate, military, or
any other

9
Applying Forensic Science to Computers
• Digital evidence examination is analogous to diamond cutting
– Digital evidence examiners extract
valuable bits from large masses of data
and present them in ways that decision
makers can comprehend
– Flaws in the underlying material or the way
it is processed reduce the value of the final
product
10
Applying Forensic Science (cont.)
• Forensic science is useful:
– Offering carefully tested methods for
processing and analyzing evidence and
reaching conclusions that are reproducible
and free from distortion or bias
– Concepts from forensic science can also
help digital investigators take advantage of
digital evidence

11
Applying Forensic Science (cont.)
• Forensic science methodologies can be applied to digital
investigations that involve computers
• Each stage of that process is detailed in the following digital
investigation stages:
a) Preparation
b) Survey
c) Documentation
d) Preservation
e) Examination and analysis
f) Reconstruction
g) Reporting results
12
a) Preparation
• Planning is especially important in cases that involve
computers
– While generating a search warrant, the search site should
be researched to determine what computer equipment to
expect, what the systems are used for, and if a network is
involved
• If a computer is to be examined on-site, it will be
necessary to know:
– Which operating system the computer is running (e.g., Mac
OS, UNIX, or Windows)
– If there is a network involved and
– If the cooperation of someone who is intimately familiar
with the computers will be required to perform the search

13
a) Preparation (cont.)
• Some of the fundamental items that can be useful when
dealing with computers as a source of evidence include
the following:
– Evidence bags, tags, and other items to label and package
evidence
– Digital camera to document scene and evidential items
– Forensically sanitized hard drives to store acquired data
– Forensically prepared computer(s) to connect with and
copy data from evidential hard drives onto forensically
sanitized hard drives
– Hardware write blockers for commonly encountered hard
drives (e.g., IDE and SATA)
– Toolkit, including a flashlight, needle-nose pliers, and
screwdrivers for various types and sizes of screws

14
b) Survey
• In general terms, surveying a crime scene for potential
sources of digital evidence is a twofold process:
– First, digital investigators have to recognize the hardware
(e.g., computers, removable storage media, and network
cables) that contains digital information
– Second, digital investigators must be able to distinguish
between irrelevant information and the digital data that can
establish that a crime has been committed or can provide a
link between a crime and its victim or a crime and its
perpetrator
• During a search, manuals and boxes related to
hardware and software can give hints of what
hardware, software, and Internet services might be
installed/used
15
b) Survey (cont.)
• Survey of Hardware:
– Computerized products that can hold digital evidence such
as telephones, mobile devices, laptops, desktops, larger
servers, mainframes, routers, firewalls, and other network
devices
– Storage media including compact disks, floppy disks,
magnetic tapes, high capacity flip, Zip, and Jaz disks,
memory sticks, and USB storage devices
– Less obvious sources of digital evidence include the
following:
• Gaming systems
• Video cameras
• Removable memory cards
• Printers with an internal hard drive
• Digital picture frames
• Nonstandard peripherals connected to computers such as an
antenna or customized circuit board

16
b) Survey (cont.)
• Survey of Digital Evidence:
– The ability to identify evidence depends on the
digital investigator’s familiarity with the type of
crime that was committed and the operating
system(s) and computer program(s) that are
involved
• Examples:
– Cyber stalkers often use e-mail to harass their victims
– Computer crackers sometimes inadvertently leave evidence of
their activities in log files
– Child pornographers sometimes have digitized images stored
on their computers
• Additionally, operating systems and computer programs
store digital evidence in a variety of places

17
c) Documentation
• Documentation is essential at all stages of
handling and processing digital evidence, and
includes the following:
– Evidence inventory:
• A list or database of all evidential items
– Chain of custody:
• Who handled the evidence, when, where, and for what
purpose
– Evidence intake:
• Characteristics of each evidential item such as make,
model, and serial number
– Photos, videos, and diagrams:
• Capturing the context of the original evidence

18
c) Documentation (cont.)
• Documentation includes the following (cont.):
– Preservation guidelines:
• A repeatable process for preserving digital evidence
– Preservation notes:
• Notation of steps taken to preserve each evidential item
– Forensic examination guidelines:
• A repeatable process for examining digital evidence
– Forensic examination notes:
• Notation of actions taken to examine each evidential
item

19
d) Preservation
• Digital evidence must be preserved in
such a way that it can later be
authenticated
• A major aspect of preserving digital
evidence is preserving it in a way that
minimizes the changes made
• The severity of the crime and the category
of cybercrime will largely determine how
much digital evidence is collected
20
d) Preservation (cont.)
• Preserving Hardware:
– When a computer is to be moved or stored:
• Evidence tape should be put around the main components of
the computer in such a way that any attempt to open the
casing or use the computer will be evident
• Loose hard drives should be placed in anti-static or paper bags
and sealed with evidence tape
• Digital investigators should write the date and their initials on
each piece of evidence and evidence tape
• Preservation also involves a secure, anti-static environment
such as a climate-controlled room with floor to ceiling solid
construction to prevent unauthorized entry
• Computers and storage media must be protected from dirt,
fluids, humidity, impact, excessive heat and cold, strong
magnetic fields, and static electricity

21
d) Preservation (cont.)
• Preserving Digital Evidence:
– There are several approaches to preserving
digital evidence on a computer:
1. Place the evidential computers and storage media
in secure storage for future reference
2. Extract just the information needed from
evidential computers and storage media
3. Acquire everything from evidential computer and
storage media
– The approach that a digital investigator takes
will depend on the specifics of the case and
the items of evidence

22
d) Preservation (cont.)
• Preserving Digital Evidence (cont.):
– Whether acquiring all data or just a subset,
there are two empirical laws of digital
evidence collection and preservation that
should always be remembered:
• Empirical Law #1:
– If you only make one copy of digital evidence, that
evidence will be damaged or completely lost
• Empirical Law #2:
– A forensic acquisition should contain at least the
data that is accessible to a regular user of the
computer

23
d) Preservation (cont.)
• Preserving Digital Evidence (cont.):
– Applying the two empirical laws:
• Applying Empirical Law #1:
– Always make at least two copies of digital evidence and
check to make certain that the copies were successful
• Applying Empirical Law #2:
– Verify that tools used to copy digital evidence capture
all of the desired information (including metadata such
as date-time stamps that are associated with acquired
files)
» Example: when acquiring digital evidence from a
cell phone, a forensic acquisition should at least
acquire the data that was visible to the user

24
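The two empirical laws above, applied in code. This is an added example, not part of the original slides: it copies a source to at least two destinations (Law #1), hashes every copy against the source, carries file times across and checks that they survived (Law #2), and re-verifies later so a damaged copy is detected. The temp-directory "evidence image" is a constructed sample.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large images need not fit in memory


def sha256_of(path):
    """Stream a file through SHA-256; the digest is what the report's evidence summary cites."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, destinations):
    """Copy `source` to every path in `destinations` and verify each copy.

    Empirical Law #1: refuse to proceed with fewer than two destination copies and
    check every copy's hash against the source.
    Empirical Law #2: copy the file times along with the bytes (shutil.copy2) and
    confirm the modification time survived, so metadata is acquired, not just content.
    """
    if len(destinations) < 2:
        raise ValueError("Empirical Law #1: make at least two copies of digital evidence")
    source = Path(source)
    source_hash = sha256_of(source)
    source_mtime = source.stat().st_mtime
    record = {"source": str(source), "sha256": source_hash,
              "mtime": source_mtime, "copies": []}
    for dest in destinations:
        dest = Path(dest)
        shutil.copy2(source, dest)
        copy_hash = sha256_of(dest)
        # Some filesystems round timestamps, so allow a one-second tolerance.
        mtime_ok = abs(dest.stat().st_mtime - source_mtime) < 1.0
        record["copies"].append({"path": str(dest), "sha256": copy_hash,
                                 "hash_ok": copy_hash == source_hash,
                                 "mtime_ok": mtime_ok})
    record["verified"] = all(c["hash_ok"] and c["mtime_ok"] for c in record["copies"])
    return record


def verify_later(record):
    """Re-hash each copy against the hash recorded at acquisition; a changed copy is flagged."""
    return {c["path"]: sha256_of(c["path"]) == record["sha256"] for c in record["copies"]}


def demo():
    """Constructed sample: a small file in a temp directory stands in for an evidence image."""
    work = Path(tempfile.mkdtemp(prefix="acq_"))
    src = work / "evidence.img"
    src.write_bytes(b"\x00" * 4096 + b"budget.xls was sent to personal mail" + b"\xff" * 512)
    os.utime(src, (1_600_000_000, 1_600_000_000))  # fixed timestamp so the metadata check is meaningful
    record = acquire(src, [work / "copy1.img", work / "copy2.img"])
    # Simulate damage to one copy (the reason Law #1 demands a second) and re-verify.
    (work / "copy1.img").write_bytes(b"\x00" * 100)
    return record, verify_later(record)


if __name__ == "__main__":
    rec, later = demo()
    print("acquisition verified:", rec["verified"])
    print("still intact:", later)
```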
e) Examination & Analysis
• The forensic examination and subsequent
analysis:
– Should preserve the integrity of the digital
evidence
– Should be repeatable
– Should be free from distortion or bias
• The number of data files contained in digital
evidence can be overwhelming
– Examiners need to filter out irrelevant,
confidential, or privileged data
25
e) Examination & Analysis (cont.)
• Three fundamental questions that need to be
addressed when examining a piece of digital evidence:
– What is it? (identification)
• Example: a file with a “.doc” extension is a Microsoft Word or
WordPerfect document
– What characteristics distinguish it? (classification or
individualization)
• Example: is the “.doc” file a Microsoft Word or WordPerfect
document, or a JPEG file that has been renamed with a “.doc”
extension?
– It may be necessary to examine the header, footer, and other
class characteristics of the file
– Where did it come from? (evaluation of source)
• Example: in computer intrusion investigations, it is ultimately
necessary to determine:
– If items on the suspect’s computer originated from the
compromised system
– If items on the compromised system originated from the
suspect’s computer

26
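The identification-versus-classification distinction from the slide, worked in code. This is an added example, not from the original slides: the extension gives the identification, the header bytes give the class characteristics, and a disagreement flags a renamed file. The signature table covers only the three types the slide names and the sample files are constructed.

```python
import os

# Magic numbers for the file types on the slide (constructed table, not a complete signature database).
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Microsoft Word (OLE2 compound document)", "document"),
    (b"\xffWPC", "WordPerfect document", "document"),
    (b"\xff\xd8\xff", "JPEG image", "image"),
]

# What an extension claims, i.e. the identification step taken at face value.
EXTENSION_CLAIMS = {".doc": "document", ".wpd": "document", ".jpg": "image", ".jpeg": "image"}


def identify_by_header(head):
    """Classification from class characteristics: return (type name, family) or (None, None)."""
    for magic, name, family in SIGNATURES:
        if head.startswith(magic):
            return name, family
    return None, None


def classify(filename, head):
    """Compare what the file name claims with what the header actually shows."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_CLAIMS.get(ext)
    actual_name, actual_family = identify_by_header(head)
    mismatch = claimed is not None and actual_family is not None and claimed != actual_family
    return {"file": filename, "claimed_family": claimed,
            "header_type": actual_name, "renamed": mismatch}


def classify_file(path, header_len=16):
    """Same check against a real file: only the first few bytes are needed."""
    with open(path, "rb") as f:
        return classify(os.path.basename(path), f.read(header_len))


# Constructed samples: three ".doc" files, one of which is a JPEG renamed to hide it.
SAMPLES = {
    "memo.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "notes.doc": b"\xffWPC" + b"\x00" * 28,
    "invoice.doc": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20,
    "readme.txt": b"plain text, no magic number",
}


def scan_samples():
    return {name: classify(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        flag = "RENAMED?" if result["renamed"] else "ok"
        print(f"{name:12} {result['header_type'] or 'unknown':40} {flag}")
```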
e) Examination & Analysis (cont.)
• In general, when a file is deleted, the data it contained
actually remains on the disk for a time and can be recovered
– Recovering and reconstructing digital evidence depend on:
• The kind of data
• The condition of data
• The operating system
• The type of hardware and software
• The configuration of the hardware and software
• When a deleted file is partially overwritten, part of it
may be found in slack space and/or in unallocated
space
– It may be possible to extract and reconstitute such
fragments to view them in their near original state

27
f) Reconstruction
• Investigative reconstruction leads to a more complete
picture of a crime
– What happened, who caused the events, and when, where, how,
and why
• Three fundamental types of reconstruction:
– Functional (how)
• Assess how a computer system functioned
• What was possible and impossible
– Relational (who, what, where)
• Identify relationships/connections between suspects, victims, and
crime scene
• Components of crime, their positions, and interactions
– Temporal (when)
• Determine the time and sequence of events
• Helps identify sequences and patterns in time of events

28
g) Reporting
• Integrate all findings and conclusions into a final
report that conveys the findings to others and may
need to be presented in court
– One of the most important stages of the process
because it is the only view that others have of the
entire process in order for them to appreciate the
significance of the findings
– Assumptions and lack of foundation in evidence result
in a weak report
– It is important to build solid arguments by providing
all supporting evidence and demonstrating that the
explanation provided is the most reasonable one

29
g) Reporting (cont.)
• A sample report structure:
– Introduction: case number, who requested the report and what was sought, and
who wrote the report, when, and what was found
– Evidence Summary: summarize what evidence was examined and when, hash
values, laboratory submission numbers, when and where the evidence was
obtained and from whom, and its condition
– Examination Summary: summarize tools used to perform the examination, how
important data were recovered, and how irrelevant files were eliminated
– File System Examination: inventory of important files, directories, and
recovered data that are relevant to the investigation with important
characteristics
– Analysis: describe and interpret temporal, functional, and relational analysis
– Conclusions: summary of conclusions should follow logically from previous
sections in the report and should reference supporting evidence
– Glossary of Terms: explanations of technical terms used in the report
– Appendix of Supporting Exhibits: digital evidence used to reach conclusions,
clearly numbered for ease of reference

30
Forensic Labs
• Digital forensics isn’t cheap, so not every
agency can afford to train and equip their own
examiners
– Most are run by law enforcement agencies
– The FBI's (Federal Bureau of Investigation) crime lab in
Quantico, VA is the largest in the world
– Regional Computer Forensic Laboratory (RCFL)
• FBI Program
• 16 facilities throughout US
• They process smartphones, hard drives, GPS units, and
flash drives

31
Virtual Labs
• Evidence repository separate from the
examiner
– This is how the FBI does it
– Saves money, increases access to
resources
• Role-based access
– Examiners and management get full
access
– Investigators, prosecutors, and attorneys
get restricted access

32
Concerns with Virtual Labs
• Security
– Must retain integrity or evidence will be
inadmissible in court
• Performance
– High-speed connectivity is required
• Slow connection will quickly impact the
organization’s ability to function
• Cost
– Startup costs are substantial

33
Lab Security
• Physical security
– Keep unauthorized people out of critical
areas
• Examination stations
• Evidence storage
– Keys, swipe cards, access codes
– Digital access control is better than keys
• Keeps an audit trail to support chain of
custody
– Protection from fire, flood … etc.
34
Chain of Custody
• Chain of custody is defined as:
– The route that evidence takes from the
time it is seized by the investigator until
the case goes to court (or is otherwise
closed)
• Evidence must be signed in and out of storage
• Evidence log must be completed each and
every time the evidence is removed or returned
to the evidence room or vault
• If chain of custody is broken, evidence
will be inadmissible in court
35
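The sign-in/sign-out rule above, enforced in code. This is an added example, not from the original slides: every log entry records who handled an item, when and for what purpose, and the audit walks the log in time order to find any point where custody cannot be shown (an item returned by someone who never signed it out, an item returned twice, a missing purpose). The item ids, names and times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class LogEntry:
    item: str        # evidence inventory id written on the tag
    action: str      # "seized", "in" (returned to vault), "out" (removed from vault)
    handler: str
    when: datetime
    purpose: str


def audit_chain(entries):
    """Walk the log in time order and report every break in custody.

    Tracks, per item, whether it sits in the vault or is held by a named person.
    Returns (problems, final_state) where final_state maps item -> "vault" or holder.
    """
    problems = []
    holder = {}  # item -> "vault" or handler name
    for e in sorted(entries, key=lambda x: x.when):
        if not e.purpose.strip():
            problems.append(f"{e.item} @ {e.when:%Y-%m-%d %H:%M}: no purpose recorded")
        current = holder.get(e.item)
        if e.action == "seized":
            if current is not None:
                problems.append(f"{e.item}: seized again while already logged")
            holder[e.item] = e.handler
        elif e.action == "in":
            if current is None:
                problems.append(f"{e.item}: returned to vault before it was ever seized")
            elif current == "vault":
                problems.append(f"{e.item}: returned while already in the vault")
            elif current != e.handler:
                problems.append(f"{e.item}: returned by {e.handler} but last held by {current}")
            holder[e.item] = "vault"
        elif e.action == "out":
            if current != "vault":
                problems.append(f"{e.item}: removed by {e.handler} but not in the vault (held by {current})")
            holder[e.item] = e.handler
        else:
            problems.append(f"{e.item}: unknown action {e.action!r}")
    return problems, holder


def sample_log():
    """Constructed sample log: EV-001 is handled correctly, EV-002 has a gap."""
    t = datetime
    return [
        LogEntry("EV-001", "seized", "Det. Ahmed", t(2024, 3, 1, 9, 0), "search warrant 24-117"),
        LogEntry("EV-001", "in", "Det. Ahmed", t(2024, 3, 1, 14, 30), "lodge in evidence vault"),
        LogEntry("EV-001", "out", "Examiner Sara", t(2024, 3, 4, 8, 15), "forensic imaging"),
        LogEntry("EV-001", "in", "Examiner Sara", t(2024, 3, 4, 17, 0), "imaging complete"),
        LogEntry("EV-002", "seized", "Det. Ahmed", t(2024, 3, 1, 9, 5), "search warrant 24-117"),
        LogEntry("EV-002", "in", "Det. Ahmed", t(2024, 3, 1, 14, 30), "lodge in evidence vault"),
        # Nobody signed EV-002 out, yet someone returns it with no purpose: custody cannot be shown.
        LogEntry("EV-002", "in", "Examiner Omar", t(2024, 3, 5, 11, 0), ""),
    ]


if __name__ == "__main__":
    issues, state = audit_chain(sample_log())
    for line in issues:
        print("BREAK:", line)
    print(state)
```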
Evidence Storage
• Data safe
– Protects evidence from tampering
– Fireproof and waterproof
• Evidence log
– Must record who entered, when, and what
they removed or returned
• Data storage lockers must be kept
locked

36
Work in Isolation
• Forensic examination computer should
not be connected to the Internet
– This avoids arguments over contamination
by malware
• Evidence drives may contain malware
– Scan them with antivirus software

37
Standard Operating Procedures (SOPs)
• Documents that detail evidence
collection, examinations … etc.
– These ensure consistency and reliability
– Very important to handle questions in
court
– Unusual situations will often require
special handling

38
Quality Assurance
• A well-documented system of protocols
used to assure accuracy and reliability
• A good QA program will cover a wide
array of subjects including:
– Peer reviews of reports
– Evidence handling
– Case documentation
– Training of lab personnel

39
Reviews
• Technical review
– Focuses on results and conclusions
– Are the results reported supported by the
evidence?
• Administrative review
– Ensures all paperwork is present and
completed correctly

40
Proficiency Testing
• The examiner's competency must be confirmed and
documented on a regular basis
• There are four types of proficiency tests:
– Open test
• Examiner is aware they are being tested
– Blind test
• Examiner is not aware they are being tested
– Internal test
• Conducted by agency itself
– External test
• Conducted by independent agency
• Results must be documented
– At some point, the analyst’s skills and abilities may be
called into question during a court proceeding
41
Tool Validation
• Each tool, software or hardware, must
be tested before it is used on an actual
case
• Paper records are necessary to prove
this

42
Documentation
• “If you didn’t write it down, it didn’t happen” are
truly words to live by in this industry
• Case File
– Case submission forms
– Requests for assistance
– Chain of custody reports
– Examiner's notes
– Crime scene reports
– Examiner's final reports
– Copy of search authorization
• Preprinted forms help maintain uniformity

43
Examiner Notes
• Must be detailed enough to enable another
examiner to duplicate the process
– Discussions with key players including
prosecutors and investigators
– Irregularities found and actions taken
– OS versions and patches
– Passwords
– Changes made to the system by lab personnel
and law enforcement
• It may be years before trial, and you will need
to understand your notes
44
Examiner's Final Report
• Formal document delivered to
prosecutors, investigators, opposing
counsel … etc.
• Remember the audience is
nontechnical
• Avoid jargon, acronyms, and
unnecessary details

45
Examiner's Final Report Sections
• Summary
– Brief description of the results
• Detailed findings
– Files pertaining to the request
– Files that support the findings
– Email, Web cache, chat logs, etc.
– Keyword searches
– Evidence of ownership of the device
• Glossary
46
Digital Forensic Tools
• Hardware Tools
– Very powerful computer system
• Multiple multicore processors
• As much RAM as possible
• Large, fast hard drives
– Cloning devices
– Cell phone acquisition devices
– Write blockers
– Portable storage devices
– Adapters
– Cables
… much more
47
Digital Forensics Tools Example
[Figure: one of the workstations in the West Virginia State Police Digital Forensics Lab]
48
Non-PC Hardware
• Universal Forensic Extraction Device (UFED) to
handle small scale devices
– Supports over 3,000-4,000 phones, PDAs, and GPS units
• Hardware Cloners
– Faster, can clone multiple drives at once
– Provide write protection, hash authentication, drive
wiping, audit trail … etc.
• Crime scene kits
– Preloaded with supplies to collect digital evidence
– Pens, digital camera, forensically clean storage media,
evidence bags, evidence tape, report forms, markers …
etc.

49
Non-PC Hardware Examples

50
Open-Source Software Tools
• SANS Investigative Forensic Toolkit (SIFT)
– SIFT Workstation is free and based on the Ubuntu Linux
operating system
• SIFT Capabilities:
– Analyzing multiple file systems on common
operating systems
– File carving
– Web history
– Recycle bin
– Memory
– Timeline
51
SIFT Workstation

52
Commercial Software Tools
• Popular general software tools are EnCase and
FTK
• Have similar “Swiss Army knife”–like capabilities:
– E-mail analysis
– Sorting
– Reporting
– Password cracking
– Searching
• E-mail addresses
• Names
• Phone numbers
• Keywords
• Web addresses
• File types
• Date ranges

53
Don't Trust Tools
• Using a tool without understanding
what it's doing is a trap
• Verify all findings with a second tool,
like a simple hex editor
• You must figure out how the data got
on the system and what it means

54
Accreditation vs. Certification
• Accreditation
– Endorsement of a crime lab's policies and
procedures
• ASCLD/LAB and ASTM do this
– Very burdensome to achieve
– Not possible for every lab
• Certification
– Applies to examiners, not the lab
• SWGDE Core Competencies for Forensic Practitioner
Certification
– Pre-examination procedures and legal issues
– Media assessment and analysis
– Data recovery
– Specific analysis of recovered data
– Documentation and reporting
– Presentation of findings

55