Analysis of Digital Evidence


Posted on 08-Apr-2017







PowerPoint Presentation




DIGITAL EVIDENCE

Digital evidence is information stored or transmitted in binary form that may be relied on in court. It includes information on computers, audio files, video recordings and digital images: information and data of value to an investigation that is stored on, received by, or transmitted by an electronic device. This evidence is acquired when data or electronic devices are seized and secured for examination.

Digital evidence:
- is latent, like fingerprints or DNA evidence;
- crosses jurisdictional borders quickly and easily;
- is easily altered, damaged or destroyed;
- can be time sensitive.

POSSIBLE PLACES WHERE DIGITAL EVIDENCE IS FOUND

Digital evidence can reside in many places, including:
- Computers
- External hard drives
- CDs and DVDs
- Thumb drives
- Floppy disks
- Cell phones
- Voice over IP phones
- Answering machines
- iPods
- Electronic game devices
- Digital video recorders (TiVos)
- Digital cameras
- PDAs
- GPS units
- Routers
- Switches
- Wireless access points
- Servers
- Fax machines
- Printers that buffer files
- Photocopiers that buffer files
- Scanners that buffer files

WHY INVESTIGATE?

First we need to consider the complaint, or the initial reason for conducting an investigation. Typical reasons that may warrant an investigation include, but are not limited to:
- Unauthorised access to a computer or network
- Internet usage exceeding the norm
- Inappropriate use of email
- Use of the Internet, email or a PC in a non-work-related manner
- Theft of information
- Violation of security policies or procedures
- Intellectual property infringement
- Electronic tampering
- Online or economic fraud
- Software piracy
- Telecommunication fraud
- Terrorism (homeland security)
- Child abuse or exploitation


THE CARDINAL RULES

The cardinal rules have evolved to facilitate a forensically sound examination of computer media and to enable a forensic scientist to testify in court about their handling of a particular piece of evidence. The five cardinal rules are:
1. Never mishandle the evidence.
2. Never work on the original evidence.
3. Never trust the subject's operating system.
4. Document everything.
5. The result should be repeatable and verifiable by a third party.


SEIZURE

Prior to the actual examination, digital media will be seized. In criminal cases this will often be performed by law enforcement personnel trained as technicians to ensure the preservation of evidence. In civil matters it will usually be a company officer, often untrained. Various laws cover the seizure of material. In criminal matters the law relating to search warrants is applicable. In civil proceedings the assumption is that a company is able to investigate its own equipment without a warrant, so long as the privacy and human rights of employees are observed.


A Tableau forensic write blocker

ACQUISITION

Once exhibits have been seized, an exact sector-level duplicate (or "forensic duplicate") of the media is created, usually via a write blocking device, in a process referred to as imaging or acquisition. The duplicate is created using a hard-drive duplicator or software imaging tools such as DCFLdd, Iximager, Guymager, TrueBack, EnCase, FTK Imager or FDAS. The original drive is then returned to secure storage to prevent tampering.

The acquired image is verified using the SHA-1 or MD5 hash functions. At critical points throughout the analysis the media is verified again, a step known as "hashing", to ensure that the evidence is still in its original state. Note that both MD5 and SHA-1 are now known to be vulnerable to collision attacks: either still detects accidental alteration of an image, but current practice is to record a SHA-256 digest as well, so that a deliberate substitution of the image cannot go unnoticed.

Sector

A sector is the smallest physical storage unit on the disk: a subdivision of a track on a magnetic disk or optical disc. Each sector stores a fixed amount of user-accessible data, traditionally 512 bytes for hard disk drives (HDDs) and 2048 bytes for CD-ROMs and DVD-ROMs. Newer "Advanced Format" hard drives use 4096-byte physical sectors, so the sector size should be checked and recorded rather than assumed when imaging.

WRITE BLOCKERS

Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. There are two ways to build a write blocker. A deny-list design lets all commands pass from the computer to the drive except those on a particular list of known write commands. An allow-list design passes only the commands known to be harmless (reads, identification and status queries) and blocks everything else. The allow-list design fails closed: a vendor-specific or newly defined command that can modify the media is blocked even though nobody thought to list it, which is why it is the safer of the two.

There are two types of write blocker, native and tailgate. A native device uses the same interface on both sides, for example an IDE-to-IDE write blocker. A tailgate device uses one interface on one side and a different one on the other, for example a FireWire-to-SATA write blocker.

A hard drive attached to a portable write blocker

ANALYSIS

A number of techniques are used during computer forensics investigations, and much has been written on the many techniques used by law enforcement in particular.

Cross-drive analysis
A forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.

Live analysis
The examination of computers from within the operating system, using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with encrypting file systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Deleted files
A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data. Most operating systems and file systems do not erase the physical file data when a file is deleted; only the metadata that points to it is removed, so investigators can reconstruct the data from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted material from them, without relying on file system metadata at all.
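The following is an added example, not code from the original slides, showing header/footer file carving over a raw image exactly as the paragraph describes: no file system metadata is consulted, so data in unallocated space and file slack is recovered the same way as allocated data. The image and the "files" inside it are constructed byte strings that carry genuine JPEG, PNG and GIF signatures but are not viewable images; the 16 MiB size bound is an assumption.

```python
"""Header/footer file carving over a constructed raw disk image.
Added example; the image contents are synthetic (real signatures, fake bodies)."""
import re

SECTOR = 512

# (name, header pattern, footer bytes, maximum plausible file size).
# The signatures are the real ones. The size bound (an assumption) stops a footer
# search from running across the whole image when the true footer was overwritten.
SIGNATURES = [
    ("jpeg", re.compile(rb"\xff\xd8\xff[\xe0-\xef]"), b"\xff\xd9", 16 * 1024 * 1024),
    ("png", re.compile(rb"\x89PNG\r\n\x1a\n"), b"IEND\xae\x42\x60\x82", 16 * 1024 * 1024),
    ("gif", re.compile(rb"GIF8[79]a"), b"\x00\x3b", 16 * 1024 * 1024),
]


def carve(image, signatures=SIGNATURES):
    """Scan for every header, then for the matching footer within the size bound.
    Returns (hits, orphans): hits = [(name, offset, length)] for complete files,
    orphans = [(name, offset)] for headers whose footer was never found, which
    usually means the file was truncated or partially overwritten."""
    hits, orphans = [], []
    for name, header, footer, max_size in signatures:
        for m in header.finditer(image):
            start = m.start()
            window = image[start:start + max_size]
            end = window.find(footer, len(m.group(0)))
            if end == -1:
                orphans.append((name, start))
            else:
                hits.append((name, start, end + len(footer)))
    return sorted(hits, key=lambda h: h[1]), sorted(orphans, key=lambda o: o[1])


def extract(image, hits):
    """Cut the carved byte ranges out of the image: [(name, data)]."""
    return [(name, image[off:off + length]) for name, off, length in hits]


def build_sample_image():
    """Constructed 'unallocated space': a zeroed sector, a JPEG and a PNG each padded
    with zeros to a sector boundary (their file slack), a sector of 0xff filler, and
    a GIF whose tail, trailer included, has been overwritten by zeros."""
    def pad(data):
        return data + b"\x00" * (-len(data) % SECTOR)

    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 600 + b"\xff\xd9"               # 606 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 300 + b"IEND\xae\x42\x60\x82"  # 316 bytes
    gif_truncated = b"GIF89a" + b"G" * 100                               # no trailer
    return b"\x00" * SECTOR + pad(jpeg) + pad(png) + b"\xff" * SECTOR + pad(gif_truncated)


if __name__ == "__main__":
    img = build_sample_image()
    hits, orphans = carve(img)
    for name, off, length in hits:
        print(f"{name}: offset {off} (sector {off // SECTOR}), {length} bytes")
    for name, off in orphans:
        print(f"{name}: header at offset {off} but no footer; truncated or overwritten")
```

The orphan list matters as much as the hits: a header with no footer tells the examiner that a file of that type existed at that offset even though it cannot be fully recovered. A production carver also has to cope with nested files (a JPEG with an EXIF thumbnail contains a second FFD8 header and an early FFD9) and with files fragmented across non-contiguous sectors; the simple contiguous header-to-footer assumption above holds for most small files but is not guaranteed.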

DIGITAL EVIDENCE ANALYSIS METHODOLOGY

1. Protect the crime scene.
2. Force shutdown of the computer.
3. Document the hardware configuration of the system.
4. Transport the computer system to a forensic laboratory.
5. Make bit stream backups of hard disks and floppy disks.
6. Authenticate the data mathematically on all storage devices (hash value).
7. Document the system date and time.
8. List the key words for the search.
9. Evaluate the Windows swap file.
10. Evaluate file slack.
11. Evaluate unallocated space (erased files).
12. Search files, file slack and unallocated space for key words.
13. Document file names, dates and times.
14. Identify file, programme and storage anomalies.
15. Evaluate programme functionality.
16. Document your findings.
17. Retain copies of the software used.

Protect the crime scene

The first and foremost step is to protect the crime scene: access to the area around the suspect computer should be restricted to the individuals involved in the investigation.

The scene should be documented in great detail. The computer and the surrounding area should be photographed from all angles.

Force shutdown of the computer

This should be done as quickly as possible. Consideration should be given to possible destructive processes that may be operating in the background. Whether power is removed abruptly or the system is halted in an orderly way depends on the operating system; follow the procedure in the chart rather than the operating system's normal shutdown routine. Bear in mind that removing power destroys volatile data (running processes, network connections, the contents of memory, and the keys of any encrypted volume that is currently mounted); where encryption is suspected or volatile data matters, a live acquisition (see Live analysis above) should be considered before power is removed.

Follow the detailed power shut down procedure for the operating system concerned, as given in the chart below.

Operating system: power shut down procedure

MS-DOS
1. Photograph the screen and document any programmes running.
2. Pull the power cord from the wall socket.
3. In the case of a laptop, remove the battery pack.

UNIX/LINUX
1. Photograph the screen and document any programmes running.
2. Right-click the menu; from the menu, click Console.
3. If the root prompt (#) is not present, change to the root user by typing su -
4. If the root password is not available, pull the power cord from the wall socket.
5. If the password is available, enter it. At the # prompt type sync;sync;halt and the system will shut down.
6. Pull the power cord from the wall socket.

Mac
1. Photograph the screen and document any programmes running.
2. Click Special.
3. Click Shutdown.
4. The window will tell you it is safe to turn off the computer.
5. Pull the power cord from the wall socket.

Windows 3.x/95/98/NT
1. Photograph the screen and document any programmes running.
2. Pull the power cord from the wall socket.
3. In the case of a laptop, remove the battery pack.

Document the hardware configuration of the system

Pay close attention to how the computer is set up before it is dismantled, as it will have to be restored to its original condition at a secure location. In addition to photographing it, diagram the computer configuration on paper, labelling which cables are attached and what they are attached to.

Transport the computer system to a secure location (forensic laboratory)

Do not leave the subject computer unattended unless it is locked up in a secure location. Transport the seized equipment to a secure and controlled environment that is trusted to be free of anything that could modify or destroy the evidence.

Make bit stream backups of hard disks and floppy disks

Bit stream format?

A bit stream format is the format of the data found in a stream of bits used in a digital communication or data storage application. A bit stream backup copies every bit of the media, sector by sector, including deleted files, file slack and unallocated space, unlike an ordinary file-level backup, which copies only the files the file system still lists.

Disconnect the hard drive and boot from a trusted floppy disk (the BIOS may need to be modified to allow booting from a floppy). The computer must not be booted from its own hard drive, because the subject's operating system would write to the media as it starts (see the cardinal rule: never trust the subject's operating system). The computer should not be operated and computer evidence should not be processed until bit stream backups of all hard disk drives and floppy disks have been made. Evidence processing should be done on a restored copy of the bit stream backup rather than on the original c
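The following is an added example, not code from the original slides, tying together the imaging and hash-verification slides above (acquisition, "hashing" at critical points) and the bit stream backup step here. It copies a constructed stand-in for a drive sector by sector, hashes the bytes with MD5, SHA-1 and SHA-256 as they stream through, independently re-hashes the written image, and later re-verifies the image to show an alteration being caught. The file paths, the 512-byte sector size and the sample data are assumptions; on a real system the source would be a block device sitting behind a write blocker.

```python
"""Sector-level acquisition of a constructed 'drive' file with hash verification
at acquisition time and again later. Added example; not from the original slides.
Assumption: a plain file stands in for a block device such as /dev/sdb."""
import hashlib
import os
import tempfile

SECTOR_SIZE = 512                      # traditional HDD sector size (assumed here)
ALGORITHMS = ("md5", "sha1", "sha256")  # slides use MD5/SHA-1; SHA-256 added for collision resistance


def hash_stream(path, algorithms=ALGORITHMS, chunk=1 << 20):
    """Hash a file with several algorithms in one read pass; returns {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, image, sector_size=SECTOR_SIZE):
    """Copy source to image one sector at a time, as dd with bs=512 would.
    The source bytes are hashed as they stream through (the acquisition hash), then the
    written image is re-read and hashed independently, so a write error during imaging
    shows up as a mismatch. Returns a record suitable for the acquisition log."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    sectors = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            sector = src.read(sector_size)
            if not sector:
                break
            if len(sector) != sector_size:
                # A real device is always a whole number of sectors; a short read is an error.
                raise ValueError("short read: source is not a whole number of sectors")
            for h in hashers.values():
                h.update(sector)
            dst.write(sector)
            sectors += 1
    source_hashes = {name: h.hexdigest() for name, h in hashers.items()}
    image_hashes = hash_stream(image)
    return {
        "sectors": sectors,
        "bytes": sectors * sector_size,
        "source_hashes": source_hashes,
        "image_hashes": image_hashes,
        "verified": source_hashes == image_hashes,
    }


def verify(image, expected_hashes):
    """Re-hash the image (the 'hashing at critical points' from the slides) and
    return the algorithms whose digest no longer matches; [] means still pristine."""
    current = hash_stream(image)
    return [name for name, digest in expected_hashes.items() if current.get(name) != digest]


def demo():
    """Constructed scenario: 8 sectors of deterministic sample data are imaged and
    verified; then one byte of the image is altered to show re-verification catching it."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "drive.raw")       # stand-in for the seized media
    image = os.path.join(workdir, "exhibit01.dd")    # the forensic duplicate
    with open(drive, "wb") as f:
        f.write(bytes(range(256)) * 16)              # 4096 bytes = 8 sectors, constructed
    record = acquire(drive, image)
    clean = verify(image, record["source_hashes"])
    with open(image, "r+b") as f:                    # simulate accidental alteration
        f.seek(1000)
        f.write(b"\x00")
    tampered = verify(image, record["source_hashes"])
    return record, clean, tampered


if __name__ == "__main__":
    rec, clean, tampered = demo()
    print(rec["sectors"], "sectors acquired;", "verified" if rec["verified"] else "MISMATCH")
    print("before alteration, failing algorithms:", clean)
    print("after alteration, failing algorithms:", tampered)
```

Two design points matter for court. The acquisition hash is taken from the bytes read off the source, not from the copy, so it cannot be satisfied by a corrupt image; and the digests are recorded once at acquisition and compared, never recomputed and overwritten, which is what lets a third party repeat the verification later (cardinal rule 5).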

