SlideShare a Scribd company logo

Analysis of digital evidence

Download as PPTX, PDF
R
rakesh mishra

This document discusses digital evidence and its analysis methodology. Digital evidence includes information stored on electronic devices like computers, cell phones, hard drives, etc. It must be properly seized, secured and analyzed to avoid contamination. A bit-stream image of storage devices should be created and verified using hashing. Files, slack space and unallocated space are analyzed for keywords. File dates, names and anomalies are documented. The Information Technology Act of 2000 covers various cybercrimes and penalties.

Education
1 of 30
Downloaded 193 times
1
2
3
Most read
4
5
6
7
8
9
10
Most read
11
12
13
14
15
16
Most read
17
18
19
20
21
22
23
24
25
26
27
28
29
30
RAKESH KUMAR MISHRA 15MSFS035 M.Sc.(FORENSIC SCIENCE) 2ND SEMESTER
Content..  DIGITAL EVIDENCE  PLACE WHERE DIGITAL EVIDENCE FOUND  WHY INVESTIGATE..??  CARDINAL RULES OF COMPUTER FORENSIC  BAISC CONCEPT OF ANALYSIS OF DIGITAL EVIDENCE..  DIGITAL EVIDENCE ANALYSIS METHEDOLOGY..  OFFENCE & PUNISHMENT UNDER THE INFORMATION ACT ,2000
DIGITAL EVIDENCE  Digital evidence is information stored or transmitted in binary form that may be relied on, in court.  Digital evidence includes information on computers, audio files, video recordings, and digital images.  Digital evidence is information and data of value to an investigation that is stored on, received, or transmitted by an electronic device.  This evidence is acquired when data or electronic devices are seized and secured for examination. Digital evidence— ■ Is latent, like fingerprints or DNA evidence. ■ Crosses jurisdictional borders quickly and easily. ■ Is easily altered, damaged, or destroyed. ■ Can be time sensitive.
possible places that digital evidence can reside, including:  Computers  External hard drives  CDs and DVDs  Thumb drives  Floppy disks  Cell phones  Voice over IP phones  Answering machines  iPods POSSIBLE PLACE WHERE DIGITAL EVIDENCE FOUND……
 Electronic game devices  Digital video recorders (Tivos)  Digital cameras  PDAs  GPSs  Routers  Switches  Wireless access points  Servers  Fax machines  Printers that buffer files  Photo-copiers that buffer files  Scanners that buffer files Continue…..
First we will need to consider the complaint or the initial reason for conducting an investigation. Some typical reasons that may warrant an investigation include but are not limited to: Unauthorised access on computer or Network Internet usage exceeds norm Using e−mail inappropriately Why Investigate..??
 Use of Internet, e−mail, or PC in a non−work−related manner Theft of information Violation of security policies or procedures Intellectual property Infringement Electronic tampering Online or Economic Fraud Software Piracy Telecommunication Fraud Terrorism (Homeland Security)  Child Abuse or Exploitation Continue…..
CARDINAL RULES OF COMPUTER FORENSIC…  The cardinal rules have been evolved to facilitate a forensically sound examination of computer media and enable a forensic scientist to testify in court in respect of their handling a particular piece of evidence.  The five cardinal rules are…Never Mishandle the EvidenceNever Work on the original Evidence Never trust the Subject’s Operating System. Document everything The Result should be repeatable and verifiable by a third
SEIZURE ACQUISTION ANALYSIS PRESENTATION
SEIZURE…  Prior to the actual examination digital media will be seized.  In criminal cases this will often be performed by law enforcement personnel trained as technicians to ensure the preservation of evidence.  In civil matters it will usually be a company officer, often untrained. Various laws cover the seizure of material.  In criminal matters law related to search warrants is applicable.  In civil proceedings the assumption is that a company is able to investigate their own equipment without a warrant, so long as the privacy and human rights of employees are observed.
ACQUISTION… A Tableau forensic write blocker  Once exhibits have been seized an exact sector level duplicate (or "forensic duplicate") of the media is created, usually via a write blocking device, a process referred to as Imaging or Acquisition.  The duplicate is created using a hard-drive duplicator or software imaging tools such as DCFLdd, Iximager, Guymager, TrueBack, EnCase, FTK Imager or FDAS.  The original drive is then returned to secure storage to prevent tampering.
 The acquired image is verified by using the SHA-1 or MD5 hash functions. At critical points throughout the analysis, the media is verified again, known as "hashing", to ensure that the evidence is still in its original state Continue….. Sector….  A sector, being the smallest physical storage unit on the disk.  A sector is a subdivision of a track on a magnetic disk or optical disc.  Each sector stores a fixed amount of user- accessible data, traditionally 512 bytes for hard disk drive (HDDs) and 2048 bytes for CD-ROMs and DVD-ROMs
Write Blockers…  Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.  There are two ways to build a write- blocker: the blocker can allow all commands to pass from the computer to the drive except for those that are on a particular list.  Alternatively, the blocker can specifically block the write commands and let everything else through.  There are two types of write blockers, Native and Tailgate. A Native device uses the same interface on for both in and out, for example a IDE to IDE write block. A Tailgate device uses one interface for one side and a different one for the other, for example a Firewire to SATA write block. A hard drive attached to a portable write blocker
Analysis… A number of techniques are used during computer forensics investigations and much has been written on the many techniques used by law enforcement in particular……  Cross-drive analysis A forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.  Live analysis  The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence.  The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.
Deleted files…  A common technique used in computer forensics the recovery of deleted files.  Modern forensic software have their own tools recovering or carving out deleted data.  Most operating systems and file systems do always erase physical file data, allowing investigators to reconstruct it from the sectors.  File carving involves searching for known file headers within the disk image and deleted materials
DIGITAL EVIDENCE ANALYSIS METHODOLOGY…  Protect the crime scene  Force shutdown of the computer  Document the hardware configuration of the system  Transport the computer system to a Forensic Laboratory  Make bit stream backups of Hard disk and floppy disk  Authentication the data mathematically on all Storage devices (Hash value)  Document the System Date and time.  List the key words for the search  Evaluate the windows swap file  Evaluate file slack  Evaluation of unallocated Space (erased files)  Searching files , file slack and unallocated space for key words  Document file names, dates and time  Identify file, Programme and storage Anomalies  Evaluation the programme functionality  Document your findings  Retain copies of software used
 Protect the crime scene...  The first and fore most step is to protect the crime scene, for which access to the area around the suspect computer should be restricted only to the individual involved with the investigation.  The scene should be documented in great details. The computer and the surrounding area should be photographed from all angels.  Force shutdown of the computer  This should be done as quickly as possible. Consideration should be given to possible destructive processes that may be operating in the background.  Do not shut down the computer abruptly.
Follow the detailed power shut down procedure for various operating system as given in chart…. Operating system Power Shut Down Procedure MS DOS  Photograph screen and document any programmes running  Pull the power cord from the wall socket  In case of laptop, remove the battery pack UNIX/LINUX  Photograph screen and document any programmes running  Right click the menu  Frome menu, click Console  If root user prompt(#) not present , change user to root by typing su-  If root password not available , pull power cord from the wall socket  If password is available , enter it. At the # sign type sync;sync;halt and the system will shutdown  Pull power cord from wall socket Mac  Photograph screen and document any programmes running  Click Special  Click Shutdown  The window will tell you it is safe to turn off the computer.  Pull power cord from wall socket Windows  Photograph screen and document any programmes running  Pull power cord from wall socket 3.X/95/98/Nt  Pull power cord from wall socket  In case of laptop, remove the battery pack
Document the Hardware Configuration of the System…  Pay close attention to how the computer is set up before it is dismantled, as it will have to be restored to its original condition at a secure location.  In additional to photography, diagram the computer configuration on paper and by labelling which cables are attached and what they are attached to. Transport the computer system to a secure location(Forensic laboratory)…..  Do not leave the subject computer unattended unless it is locked up in a secure location.  Transport the seized equipment to a secure and controlled environment that is trusted to be free of any thing that could modify or destroy the evidence.
Make bit stream backups of Hard disked /floppy disks: Bit stream format.??? A bit stream format is the format of the data found in a stream of bits used in a digital communication or data storage application.  Disconnect the hard drive and boot from a floppy disk (the BIOS may need to be modified to allow boot from a floppy).  The computer should not be operated and computer evidence should not be processed until bit stream backups of all hard disk drives and floppy disks have been made.  The evidence processing should be done on a restored copy of the bit stream backup rather than on the original computer.  The computer forensic scientist should make a bit stream image of the suspect hard drive before anything else
Authentication the data mathematically on all Storage devices…  Proof may have to provide that none of the evidence has been altered after the computer came into possession of the investigation team. Forensic tools are available to mathematically authenticate the data using a 128-bit level of accuracy.  Use a hash algorithm to generate a numeric expression and compare this to the same has algorithm an the data that was backed up, in order to mathematically authenticate the data.  This is used as proof that the files have not been changed. hash algorithm ???  A hash function is any function that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes.  One use is a data structure called a hash table, widely used in computer software for rapid data lookup.  Hash functions accelerate table or database lookup by detecting duplicated records in a large file
Document the System Date and time.  The dates and times associated with the computer files can be extremely important from an evidence standpoint.  However, the accuracy of the dates and times is just as important.  Document the system date and time setting at the time the computer is taken into possession.List the key words for the search..  Forensic tools are available to search for the relevant evidence. Usually, some information is known about the allegations, the computer user and the alleged associates that may be involved.  Information gathered from the individuals, who are familiar with the case, would help in compelling a list of
Evaluate the windows swap file  The windows swap file is a potentially valuable source of evidence and leads.  The evaluation of the swap file can be automated with forensic tools.  New technologies Inc. has tools and programmes that will capture erased file space and create a file that can be searched for key words that can be added to the list.Evaluate file slack  File slack is a data storage area about which most of the computer users are not aware.  It is a source of significant security leakage and consist of raw memory dumps that occur during the work session, as the files are closed.  The data dumped from the memory ends up being stored at the end of allocated files, beyond the reach or view of the user.  Forensic tools are required to view and evaluate the file slack
Evaluation of unallocated Space (erased files)  The ‘delete’ function of DOS and Windows does not completely erase the file names or the file contents.  Unallocated space may still contain these erased files and the file slack associated with erased files.  The DOS undelete programme can be used to restore the previously erased files. Searching files, file slack and unallocated space for key words The list of relevant key words, identified in the previous step, should be used to search all relevant computer hard disk drives and floppy disks.
Document file names, dates and time  From an evidence standpoint, file names, their date of creation and last modification can be relevant.  Therefore, it is important to catalogue all this date and time of existing and erased files.Identify file, Programme and storage Anomalies  Encrypted, compressed and graphic files store data in binary format.  As a result, a text search programme cannot identify text data stored in these formats.  Manual evaluation of these file is required and in case of encrypted files, more efforts may be involved. Reviewing the portions on seized hard disk drive is also important.
. Evaluation the programme functionality Depending on the application software involved, running programmes to learn their purpose may necessary. Document your findings  As indicated in the preceding steps, it is very important to document the finding as issues are identified and as evidence is found.  It is also important to document the software that was used in the forensic evaluation of the evidence, including the version numbers of the programmers. Retain copies of software used  As part of the documentation process, it is recommended that a copy of the forensic tool software used be include.  Often it is necessary to duplicate the forensic processing result during or before trial.  Duplication of result can be difficult or impossible to achieve if the software has been upgraded and the original version used was not retained.
Offence & Punishment under the Information Act ,2000 Offence….. The offences included in the IT Act 2000 are as follows: 1. Tampering with the computer source documents. 2. Hacking with computer system. 3. Publishing of information which is obscene in electronic form. 4. Power of Controller to give directions 5. Directions of Controller to a subscriber to extend facilities to decrypt information 6. Protected system 7. Penalty for misrepresentation 8. Penalty for breach of confidentiality and privacy 9. Penalty for publishing Digital Signature Certificate false in certain particulars 10. Publication for fraudulent purpose 11. Act to apply for offence or contravention committed outside India 12. Confiscation 13. Penalties or confiscation not to interfere with other punishments. 14. Power to investigate offences.
Punishment  Section 43 of IT Act states any act of destroying, altering or stealing computer system/network or deleting information with act of damaging data or information without authorization of owner of that computer is liable for payment to be made to owner as compensation for damages  Section 43A of IT Act states any corporate body dealing with sensitive information and negligent with implementing reasonable security practices causing loss or wrongful gain to any other person will also be liable as convict for compensation to the affected party  Section 66 states hacking of computer system by individual with dishonesty or fraudulently with 3 yrs. imprisonment with fine of Rs. 5,00,000 or both  Section 66A states any offensive information with demean
 Section 66 B,C,D for fraudulently or dishonesty using or transmitting information or Identity theft is punishable with 3 yr imprisonment or 1,00,000 fine or both  Section 66 E for Violation of privacy by transmitting image of private area is punishable with 3 yr imprisonment or 2,00,000 fine or both  Section 66 F on Cyber Terrorism affecting unity, integrity security, sovereignity of India through digital medium is liable for life imprisonment  Section 67 states publishing obscene information or pornography or transmitting obscene information in public is liable for imprisonment upto 5 years or penalty of Rs. 10,00,000 or both Continue….
Analysis of digital evidence

More Related Content

PPTX
Digital Forensic ppt
Suchita Rawat
 
PPTX
Network forensic
Manjushree Mashal
 
PPTX
cyber stalking
Rishabh Kataria
 
PPTX
Cyber Forensics Overview
Yansi Keim
 
PPT
Collecting and preserving digital evidence
Online
 
PPTX
Email investigation
Animesh Shaw
 
PPT
Digital Forensic
Cleverence Kombe
 
PPTX
Network forensics and investigating logs
anilinvns
 
Digital Forensic ppt
Suchita Rawat
 
Network forensic
Manjushree Mashal
 
cyber stalking
Rishabh Kataria
 
Cyber Forensics Overview
Yansi Keim
 
Collecting and preserving digital evidence
Online
 
Email investigation
Animesh Shaw
 
Digital Forensic
Cleverence Kombe
 
Network forensics and investigating logs
anilinvns
 

What's hot (20)

PPTX
Forensic imaging
DINESH KAMBLE
 
PPTX
Digital Evidence by Raghu Khimani
Dr Raghu Khimani
 
PDF
Digital forensic principles and procedure
newbie2019
 
PPTX
Mobile Forensics
primeteacher32
 
PPTX
Mobile Forensics
abdullah roomi
 
PPTX
mobile forensic.pptx
Ambuj Kumar
 
PPTX
Digital forensics
vishnuv43
 
PDF
04 Evidence Collection and Data Seizure - Notes
Kranthi
 
PPTX
Digital forensic tools
Parsons Corporation
 
PDF
A brief Intro to Digital Forensics
Manik Bhola
 
PDF
Digital Evidence in Computer Forensic Investigations
Filip Maertens
 
PPTX
Computer forensics toolkit
Milap Oza
 
PPTX
Incident response process
Bhupeshkumar Nanhe
 
PPTX
Mobile forensic
DINESH KAMBLE
 
PDF
Cloud-forensics
anupriti
 
PPTX
Computer forensic ppt
Priya Manik
 
PPTX
Memory forensics.pptx
9905234521
 
PPTX
Data recovery tools
university of Gujrat, pakistan
 
PPT
Mobile forensics
noorashams
 
PPTX
Digital forensics
Roberto Ellis
 
Forensic imaging
DINESH KAMBLE
 
Digital Evidence by Raghu Khimani
Dr Raghu Khimani
 
Digital forensic principles and procedure
newbie2019
 
Mobile Forensics
primeteacher32
 
Mobile Forensics
abdullah roomi
 
mobile forensic.pptx
Ambuj Kumar
 
Digital forensics
vishnuv43
 
04 Evidence Collection and Data Seizure - Notes
Kranthi
 
Digital forensic tools
Parsons Corporation
 
A brief Intro to Digital Forensics
Manik Bhola
 
Digital Evidence in Computer Forensic Investigations
Filip Maertens
 
Computer forensics toolkit
Milap Oza
 
Incident response process
Bhupeshkumar Nanhe
 
Mobile forensic
DINESH KAMBLE
 
Cloud-forensics
anupriti
 
Computer forensic ppt
Priya Manik
 
Memory forensics.pptx
9905234521
 
Data recovery tools
university of Gujrat, pakistan
 
Mobile forensics
noorashams
 
Digital forensics
Roberto Ellis
 

Similar to Analysis of digital evidence (20)

PDF
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
PPTX
Computer forensics
deaneal
 
PPTX
Latest presentation
Adetunji Adeoje
 
PPT
Role of a Forensic Investigator
Agape Inc
 
PPT
Computer forensics
Lalit Garg
 
PPT
Fs Ch 18
warren142
 
PPT
computer forensics
Akhil Kumar
 
PPT
Cyber forensics
pranjal dutta
 
PPTX
Introduction To Forensic Methodologies
Ledjit
 
PDF
Cyber Forensics Module 2
Manu Mathew Cherian
 
PDF
Debian Linux as a Forensic Workstation
Vipin George
 
PDF
02 Types of Computer Forensics Technology - Notes
Kranthi
 
PPTX
OwnYIT CSAT + SIEM
NCS Computech Ltd.
 
PPTX
Computer forensics Slides
Varun Sehgal
 
PPTX
Computer forensics powerpoint presentation
Somya Johri
 
DOCX
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 
PPTX
digitalforensicpptlatest28-230522192202-1d9b832e (1).pptx
MoshoodKareemOlawale
 
PDF
Computer Forensic
willemvandrunen
 
PPT
Anti-Forensic Rootkits
amiable_indian
 
ODP
Portakal Teknoloji Otc Lyon Part 1
bora.gungoren
 
computerforensics-140529094816-phpapp01 (1).pdf
Gnanavi2
 
Computer forensics
deaneal
 
Latest presentation
Adetunji Adeoje
 
Role of a Forensic Investigator
Agape Inc
 
Computer forensics
Lalit Garg
 
Fs Ch 18
warren142
 
computer forensics
Akhil Kumar
 
Cyber forensics
pranjal dutta
 
Introduction To Forensic Methodologies
Ledjit
 
Cyber Forensics Module 2
Manu Mathew Cherian
 
Debian Linux as a Forensic Workstation
Vipin George
 
02 Types of Computer Forensics Technology - Notes
Kranthi
 
OwnYIT CSAT + SIEM
NCS Computech Ltd.
 
Computer forensics Slides
Varun Sehgal
 
Computer forensics powerpoint presentation
Somya Johri
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
smile790243
 
digitalforensicpptlatest28-230522192202-1d9b832e (1).pptx
MoshoodKareemOlawale
 
Computer Forensic
willemvandrunen
 
Anti-Forensic Rootkits
amiable_indian
 
Portakal Teknoloji Otc Lyon Part 1
bora.gungoren
 

Recently uploaded (20)

PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PPTX
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
PDF
Classroom Observation Tools for Teachers
Nicaramirez
 
PPTX
master seminar digital applications in india
ananyaray35
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
PPTX
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
PDF
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
Classroom Observation Tools for Teachers
Nicaramirez
 
master seminar digital applications in india
ananyaray35
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 

Analysis of digital evidence

  • 2. Content..  DIGITAL EVIDENCE  PLACE WHERE DIGITAL EVIDENCE FOUND  WHY INVESTIGATE..??  CARDINAL RULES OF COMPUTER FORENSIC  BAISC CONCEPT OF ANALYSIS OF DIGITAL EVIDENCE..  DIGITAL EVIDENCE ANALYSIS METHEDOLOGY..  OFFENCE & PUNISHMENT UNDER THE INFORMATION ACT ,2000
  • 3. DIGITAL EVIDENCE  Digital evidence is information stored or transmitted in binary form that may be relied on, in court.  Digital evidence includes information on computers, audio files, video recordings, and digital images.  Digital evidence is information and data of value to an investigation that is stored on, received, or transmitted by an electronic device.  This evidence is acquired when data or electronic devices are seized and secured for examination. Digital evidence— ■ Is latent, like fingerprints or DNA evidence. ■ Crosses jurisdictional borders quickly and easily. ■ Is easily altered, damaged, or destroyed. ■ Can be time sensitive.
  • 4. possible places that digital evidence can reside, including:  Computers  External hard drives  CDs and DVDs  Thumb drives  Floppy disks  Cell phones  Voice over IP phones  Answering machines  iPods POSSIBLE PLACE WHERE DIGITAL EVIDENCE FOUND……
  • 5.  Electronic game devices  Digital video recorders (Tivos)  Digital cameras  PDAs  GPSs  Routers  Switches  Wireless access points  Servers  Fax machines  Printers that buffer files  Photo-copiers that buffer files  Scanners that buffer files Continue…..
  • 6. First we will need to consider the complaint or the initial reason for conducting an investigation. Some typical reasons that may warrant an investigation include but are not limited to: Unauthorised access on computer or Network Internet usage exceeds norm Using e−mail inappropriately Why Investigate..??
  • 7.  Use of Internet, e−mail, or PC in a non−work−related manner Theft of information Violation of security policies or procedures Intellectual property Infringement Electronic tampering Online or Economic Fraud Software Piracy Telecommunication Fraud Terrorism (Homeland Security)  Child Abuse or Exploitation Continue…..
  • 8. CARDINAL RULES OF COMPUTER FORENSIC…  The cardinal rules have been evolved to facilitate a forensically sound examination of computer media and enable a forensic scientist to testify in court in respect of their handling a particular piece of evidence.  The five cardinal rules are…Never Mishandle the EvidenceNever Work on the original Evidence Never trust the Subject’s Operating System. Document everything The Result should be repeatable and verifiable by a third
  • 10. SEIZURE…  Prior to the actual examination digital media will be seized.  In criminal cases this will often be performed by law enforcement personnel trained as technicians to ensure the preservation of evidence.  In civil matters it will usually be a company officer, often untrained. Various laws cover the seizure of material.  In criminal matters law related to search warrants is applicable.  In civil proceedings the assumption is that a company is able to investigate their own equipment without a warrant, so long as the privacy and human rights of employees are observed.
  • 11. ACQUISTION… A Tableau forensic write blocker  Once exhibits have been seized an exact sector level duplicate (or "forensic duplicate") of the media is created, usually via a write blocking device, a process referred to as Imaging or Acquisition.  The duplicate is created using a hard-drive duplicator or software imaging tools such as DCFLdd, Iximager, Guymager, TrueBack, EnCase, FTK Imager or FDAS.  The original drive is then returned to secure storage to prevent tampering.
  • 12.  The acquired image is verified by using the SHA-1 or MD5 hash functions. At critical points throughout the analysis, the media is verified again, known as "hashing", to ensure that the evidence is still in its original state Continue….. Sector….  A sector, being the smallest physical storage unit on the disk.  A sector is a subdivision of a track on a magnetic disk or optical disc.  Each sector stores a fixed amount of user- accessible data, traditionally 512 bytes for hard disk drive (HDDs) and 2048 bytes for CD-ROMs and DVD-ROMs
  • 13. Write Blockers…  Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.  There are two ways to build a write- blocker: the blocker can allow all commands to pass from the computer to the drive except for those that are on a particular list.  Alternatively, the blocker can specifically block the write commands and let everything else through.  There are two types of write blockers, Native and Tailgate. A Native device uses the same interface on for both in and out, for example a IDE to IDE write block. A Tailgate device uses one interface for one side and a different one for the other, for example a Firewire to SATA write block. A hard drive attached to a portable write blocker
  • 14. Analysis… A number of techniques are used during computer forensics investigations and much has been written on the many techniques used by law enforcement in particular……  Cross-drive analysis A forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.  Live analysis  The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence.  The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.
  • 15. Deleted files…  A common technique used in computer forensics the recovery of deleted files.  Modern forensic software have their own tools recovering or carving out deleted data.  Most operating systems and file systems do always erase physical file data, allowing investigators to reconstruct it from the sectors.  File carving involves searching for known file headers within the disk image and deleted materials
  • 16. DIGITAL EVIDENCE ANALYSIS METHODOLOGY…  Protect the crime scene  Force shutdown of the computer  Document the hardware configuration of the system  Transport the computer system to a Forensic Laboratory  Make bit stream backups of Hard disk and floppy disk  Authentication the data mathematically on all Storage devices (Hash value)  Document the System Date and time.  List the key words for the search  Evaluate the windows swap file  Evaluate file slack  Evaluation of unallocated Space (erased files)  Searching files , file slack and unallocated space for key words  Document file names, dates and time  Identify file, Programme and storage Anomalies  Evaluation the programme functionality  Document your findings  Retain copies of software used
  • 17.  Protect the crime scene...  The first and fore most step is to protect the crime scene, for which access to the area around the suspect computer should be restricted only to the individual involved with the investigation.  The scene should be documented in great details. The computer and the surrounding area should be photographed from all angels.  Force shutdown of the computer  This should be done as quickly as possible. Consideration should be given to possible destructive processes that may be operating in the background.  Do not shut down the computer abruptly.
  • 18. Follow the detailed power shut down procedure for various operating system as given in chart…. Operating system Power Shut Down Procedure MS DOS  Photograph screen and document any programmes running  Pull the power cord from the wall socket  In case of laptop, remove the battery pack UNIX/LINUX  Photograph screen and document any programmes running  Right click the menu  Frome menu, click Console  If root user prompt(#) not present , change user to root by typing su-  If root password not available , pull power cord from the wall socket  If password is available , enter it. At the # sign type sync;sync;halt and the system will shutdown  Pull power cord from wall socket Mac  Photograph screen and document any programmes running  Click Special  Click Shutdown  The window will tell you it is safe to turn off the computer.  Pull power cord from wall socket Windows  Photograph screen and document any programmes running  Pull power cord from wall socket 3.X/95/98/Nt  Pull power cord from wall socket  In case of laptop, remove the battery pack
  • 19. Document the Hardware Configuration of the System…  Pay close attention to how the computer is set up before it is dismantled, as it will have to be restored to its original condition at a secure location.  In additional to photography, diagram the computer configuration on paper and by labelling which cables are attached and what they are attached to. Transport the computer system to a secure location(Forensic laboratory)…..  Do not leave the subject computer unattended unless it is locked up in a secure location.  Transport the seized equipment to a secure and controlled environment that is trusted to be free of any thing that could modify or destroy the evidence.
  • 20. Make bit stream backups of Hard disked /floppy disks: Bit stream format.??? A bit stream format is the format of the data found in a stream of bits used in a digital communication or data storage application.  Disconnect the hard drive and boot from a floppy disk (the BIOS may need to be modified to allow boot from a floppy).  The computer should not be operated and computer evidence should not be processed until bit stream backups of all hard disk drives and floppy disks have been made.  The evidence processing should be done on a restored copy of the bit stream backup rather than on the original computer.  The computer forensic scientist should make a bit stream image of the suspect hard drive before anything else
  • 21. Authentication the data mathematically on all Storage devices…  Proof may have to provide that none of the evidence has been altered after the computer came into possession of the investigation team. Forensic tools are available to mathematically authenticate the data using a 128-bit level of accuracy.  Use a hash algorithm to generate a numeric expression and compare this to the same has algorithm an the data that was backed up, in order to mathematically authenticate the data.  This is used as proof that the files have not been changed. hash algorithm ???  A hash function is any function that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes.  One use is a data structure called a hash table, widely used in computer software for rapid data lookup.  Hash functions accelerate table or database lookup by detecting duplicated records in a large file
  • 22. Document the System Date and time.  The dates and times associated with the computer files can be extremely important from an evidence standpoint.  However, the accuracy of the dates and times is just as important.  Document the system date and time setting at the time the computer is taken into possession.List the key words for the search..  Forensic tools are available to search for the relevant evidence. Usually, some information is known about the allegations, the computer user and the alleged associates that may be involved.  Information gathered from the individuals, who are familiar with the case, would help in compelling a list of
  • 23. Evaluate the windows swap file  The windows swap file is a potentially valuable source of evidence and leads.  The evaluation of the swap file can be automated with forensic tools.  New technologies Inc. has tools and programmes that will capture erased file space and create a file that can be searched for key words that can be added to the list.Evaluate file slack  File slack is a data storage area about which most of the computer users are not aware.  It is a source of significant security leakage and consist of raw memory dumps that occur during the work session, as the files are closed.  The data dumped from the memory ends up being stored at the end of allocated files, beyond the reach or view of the user.  Forensic tools are required to view and evaluate the file slack
  • 24. Evaluation of unallocated Space (erased files)  The ‘delete’ function of DOS and Windows does not completely erase the file names or the file contents.  Unallocated space may still contain these erased files and the file slack associated with erased files.  The DOS undelete programme can be used to restore the previously erased files. Searching files, file slack and unallocated space for key words The list of relevant key words, identified in the previous step, should be used to search all relevant computer hard disk drives and floppy disks.
  • 25. Document file names, dates and time  From an evidence standpoint, file names, their date of creation and last modification can be relevant.  Therefore, it is important to catalogue all this date and time of existing and erased files.Identify file, Programme and storage Anomalies  Encrypted, compressed and graphic files store data in binary format.  As a result, a text search programme cannot identify text data stored in these formats.  Manual evaluation of these file is required and in case of encrypted files, more efforts may be involved. Reviewing the portions on seized hard disk drive is also important.
  • 26. . Evaluation the programme functionality Depending on the application software involved, running programmes to learn their purpose may necessary. Document your findings  As indicated in the preceding steps, it is very important to document the finding as issues are identified and as evidence is found.  It is also important to document the software that was used in the forensic evaluation of the evidence, including the version numbers of the programmers. Retain copies of software used  As part of the documentation process, it is recommended that a copy of the forensic tool software used be include.  Often it is necessary to duplicate the forensic processing result during or before trial.  Duplication of result can be difficult or impossible to achieve if the software has been upgraded and the original version used was not retained.
  • 27. Offence & Punishment under the Information Act ,2000 Offence….. The offences included in the IT Act 2000 are as follows: 1. Tampering with the computer source documents. 2. Hacking with computer system. 3. Publishing of information which is obscene in electronic form. 4. Power of Controller to give directions 5. Directions of Controller to a subscriber to extend facilities to decrypt information 6. Protected system 7. Penalty for misrepresentation 8. Penalty for breach of confidentiality and privacy 9. Penalty for publishing Digital Signature Certificate false in certain particulars 10. Publication for fraudulent purpose 11. Act to apply for offence or contravention committed outside India 12. Confiscation 13. Penalties or confiscation not to interfere with other punishments. 14. Power to investigate offences.
  • 28. Punishment  Section 43 of IT Act states any act of destroying, altering or stealing computer system/network or deleting information with act of damaging data or information without authorization of owner of that computer is liable for payment to be made to owner as compensation for damages  Section 43A of IT Act states any corporate body dealing with sensitive information and negligent with implementing reasonable security practices causing loss or wrongful gain to any other person will also be liable as convict for compensation to the affected party  Section 66 states hacking of computer system by individual with dishonesty or fraudulently with 3 yrs. imprisonment with fine of Rs. 5,00,000 or both  Section 66A states any offensive information with demean
  • 29.  Section 66 B,C,D for fraudulently or dishonesty using or transmitting information or Identity theft is punishable with 3 yr imprisonment or 1,00,000 fine or both  Section 66 E for Violation of privacy by transmitting image of private area is punishable with 3 yr imprisonment or 2,00,000 fine or both  Section 66 F on Cyber Terrorism affecting unity, integrity security, sovereignity of India through digital medium is liable for life imprisonment  Section 67 states publishing obscene information or pornography or transmitting obscene information in public is liable for imprisonment upto 5 years or penalty of Rs. 10,00,000 or both Continue….