Transcript
Page 1: Analysis of digital evidence

Rakesh Kumar Mishra, 15MSFS035, M.Sc. (Forensic Science), 2nd Semester

ANALYSIS OF DIGITAL EVIDENCE

Page 2: Analysis of digital evidence

Contents

■ Digital evidence
■ Places where digital evidence is found
■ Why investigate?
■ Cardinal rules of computer forensics
■ Basic concepts of analysis of digital evidence
■ Digital evidence analysis methodology
■ Offences and punishments under the Information Technology Act, 2000

Page 3: Analysis of digital evidence

DIGITAL EVIDENCE

Digital evidence is information stored or transmitted in binary form that may be relied on in court. It includes information on computers, audio files, video recordings and digital images. Digital evidence is information and data of value to an investigation that is stored on, received by or transmitted by an electronic device.

This evidence is acquired when data or electronic devices are seized and secured for examination. Digital evidence:

■ Is latent, like fingerprints or DNA evidence.
■ Crosses jurisdictional borders quickly and easily.
■ Is easily altered, damaged or destroyed.
■ Can be time sensitive.

Page 4: Analysis of digital evidence

POSSIBLE PLACES WHERE DIGITAL EVIDENCE IS FOUND

Possible places where digital evidence can reside include:

■ Computers
■ External hard drives
■ CDs and DVDs
■ Thumb drives
■ Floppy disks
■ Cell phones
■ Voice over IP phones
■ Answering machines
■ iPods

Page 5: Analysis of digital evidence

■ Electronic game devices
■ Digital video recorders (TiVos)
■ Digital cameras
■ PDAs
■ GPS units
■ Routers
■ Switches
■ Wireless access points
■ Servers
■ Fax machines
■ Printers that buffer files
■ Photocopiers that buffer files
■ Scanners that buffer files

Page 6: Analysis of digital evidence

WHY INVESTIGATE?

First we need to consider the complaint, or the initial reason for conducting an investigation.

Some typical reasons that may warrant an investigation include, but are not limited to:

■ Unauthorised access to a computer or network
■ Internet usage exceeding the norm
■ Using e-mail inappropriately

Page 7: Analysis of digital evidence

■ Use of the Internet, e-mail or PC in a non-work-related manner
■ Theft of information
■ Violation of security policies or procedures
■ Intellectual property infringement
■ Electronic tampering
■ Online or economic fraud
■ Software piracy
■ Telecommunication fraud
■ Terrorism (homeland security)
■ Child abuse or exploitation

Page 8: Analysis of digital evidence

CARDINAL RULES OF COMPUTER FORENSICS

The cardinal rules have evolved to facilitate a forensically sound examination of computer media and to enable a forensic scientist to testify in court about their handling of a particular piece of evidence.

The five cardinal rules are:

1. Never mishandle the evidence.
2. Never work on the original evidence.
3. Never trust the subject's operating system.
4. Document everything.
5. The result should be repeatable and verifiable by a third party.

Page 9: Analysis of digital evidence

BASIC CONCEPTS OF ANALYSIS OF DIGITAL EVIDENCE

The four phases of an examination:

1. Seizure
2. Acquisition
3. Analysis
4. Presentation

Page 10: Analysis of digital evidence

SEIZURE

Prior to the actual examination, digital media will be seized. In criminal cases this will often be performed by law enforcement personnel trained as technicians to ensure the preservation of evidence. In civil matters it will usually be a company officer, often untrained. Various laws cover the seizure of material.

In criminal matters the law relating to search warrants is applicable. In civil proceedings the assumption is that a company is able to investigate its own equipment without a warrant, so long as the privacy and human rights of employees are observed.

Page 11: Analysis of digital evidence

ACQUISITION

[Figure: a Tableau forensic write blocker]

Once exhibits have been seized, an exact sector-level duplicate (or "forensic duplicate") of the media is created, usually via a write-blocking device, a process referred to as imaging or acquisition. The duplicate is created using a hard-drive duplicator or software imaging tools such as DCFLdd, IXimager, Guymager, TrueBack, EnCase, FTK Imager or FDAS. The original drive is then returned to secure storage to prevent tampering.

Page 12: Analysis of digital evidence

The acquired image is verified using the SHA-1 or MD5 hash functions. At critical points throughout the analysis the media is verified again (known as "hashing") to ensure that the evidence is still in its original state.

Sector

A sector is the smallest physical storage unit on the disk; it is a subdivision of a track on a magnetic disk or optical disc. Each sector stores a fixed amount of user-accessible data, traditionally 512 bytes for hard disk drives (HDDs) and 2048 bytes for CD-ROMs and DVD-ROMs.
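As an added example, not part of the original presentation, the following Python script models the acquisition and hashing steps of pages 11 and 12 (and the mathematical authentication step described later on page 21): it copies a constructed "drive" file sector by sector, the way a software imager such as dcfldd does, hashes the byte stream while it is being copied, and later re-hashes the image and compares it with the recorded digests. The 16-sector sample media, the file names and the single-byte alteration are all constructed for the demonstration; opening the source read-only stands in for the write blocker.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # traditional HDD sector size; pass 2048 for CD/DVD media


def image_media(source_path, image_path, sector_size=SECTOR_SIZE,
                algorithms=("md5", "sha1", "sha256")):
    """Create a sector-level duplicate of source_path at image_path.

    The source is opened read-only (software analogue of a write blocker) and
    copied one sector at a time. The bytes are hashed as they stream past, so the
    acquisition hash is taken from exactly what was read from the media.
    Returns ({algorithm: hexdigest}, sectors_copied).
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    sectors = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(sector_size)
            if not chunk:
                break
            if len(chunk) != sector_size:
                raise ValueError(f"media size is not a multiple of {sector_size}-byte sectors")
            for h in hashers.values():
                h.update(chunk)
            dst.write(chunk)
            sectors += 1
    return {name: h.hexdigest() for name, h in hashers.items()}, sectors


def hash_file(path, algorithm, sector_size=SECTOR_SIZE):
    """Hash a file in sector-sized reads (works for images far larger than RAM)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(sector_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, recorded_hashes, sector_size=SECTOR_SIZE):
    """Re-hash the image and compare with the digests recorded at acquisition.

    Returns {algorithm: bool}; every value must be True for the image to be
    considered still in its original state.
    """
    return {name: hash_file(image_path, name, sector_size) == digest
            for name, digest in recorded_hashes.items()}


def demo():
    """Constructed scenario: image a 16-sector 'drive', verify, alter one byte, re-verify."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "suspect_drive.bin")   # constructed sample media
    image = os.path.join(work, "suspect_drive.dd")     # the forensic duplicate
    with open(source, "wb") as f:
        for i in range(16):                            # sector i is filled with byte i
            f.write(bytes([i]) * SECTOR_SIZE)

    recorded, sectors = image_media(source, image)     # acquisition + on-the-fly hash
    first_check = verify_image(image, recorded)        # a "critical point" re-verification

    # Simulate an accidental one-byte change to the image (the kind of damage a
    # write blocker exists to prevent on the original media).
    with open(image, "r+b") as f:
        f.seek(5 * SECTOR_SIZE + 7)
        f.write(b"\xff")
    second_check = verify_image(image, recorded)       # every digest now mismatches
    return sectors, first_check, second_check


if __name__ == "__main__":
    print(demo())
```

Recording more than one digest at acquisition costs nothing extra (the data is read once) and lets the report stand even if one of the older algorithms is later questioned; a one-byte change anywhere in a 16-sector image flips every digest.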

Page 13: Analysis of digital evidence

Write blockers

Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.

There are two ways to build a write blocker: the blocker can allow all commands to pass from the computer to the drive except for those that are on a particular list, or alternatively it can specifically block the write commands and let everything else through.

There are two types of write blockers, native and tailgate. A native device uses the same interface on both sides, for example an IDE-to-IDE write blocker. A tailgate device uses one interface on one side and a different one on the other, for example a FireWire-to-SATA write blocker.

[Figure: a hard drive attached to a portable write blocker]
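The following Python model is an added example, not part of the original presentation, of the design choice the passage above describes: a blocker that drops only the commands on a list of known write commands versus one that forwards only commands known to be read-only. The opcode table is a small constructed subset of the ATA command set, the toy drive is a list of sectors, and the "vendor" opcode 0x8A is a hypothetical command that also modifies the media, standing in for any write path the blocker's author did not think to list.

```python
# Constructed subset of ATA command opcodes used by the toy drive below.
ATA_COMMANDS = {
    0xEC: "IDENTIFY DEVICE",
    0x20: "READ SECTORS",
    0xC8: "READ DMA",
    0x25: "READ DMA EXT",
    0x30: "WRITE SECTORS",
    0xCA: "WRITE DMA",
    0x35: "WRITE DMA EXT",
    0xE7: "FLUSH CACHE",
}
# Hypothetical vendor-specific opcode (constructed) that writes to the media but
# is not on the blocker author's list of known write commands.
VENDOR_WRITE = 0x8A
MODIFYING = {0x30, 0xCA, 0x35, VENDOR_WRITE}   # what the toy drive really treats as a write
READS = {0x20, 0xC8, 0x25}


class DenyListBlocker:
    """Design 1: pass every command except the listed write commands."""
    blocked = {0x30, 0xCA, 0x35}

    def allows(self, opcode):
        return opcode not in self.blocked


class AllowListBlocker:
    """Design 2: pass only commands known to be read-only; drop everything else."""
    allowed = {0xEC, 0x20, 0xC8, 0x25}

    def allows(self, opcode):
        return opcode in self.allowed


class ToyDrive:
    """Eight 512-byte sectors; sector i is filled with byte i (constructed)."""
    def __init__(self, sectors=8):
        self.sectors = [bytes([i]) * 512 for i in range(sectors)]

    def execute(self, opcode, lba=0, data=None):
        if opcode in MODIFYING:          # the drive writes whatever it is told to
            self.sectors[lba] = data
            return "written"
        if opcode in READS:
            return self.sectors[lba]
        return "ok"                      # IDENTIFY, FLUSH CACHE and the like


def run_session(blocker, drive, commands):
    """Route each (opcode, lba, data) through the blocker; return the outcomes."""
    outcomes = []
    for opcode, lba, data in commands:
        if blocker.allows(opcode):
            outcomes.append(drive.execute(opcode, lba, data))
        else:
            outcomes.append("blocked")
    return outcomes


# A constructed host session: identify, read sector 0, then two attempts to write.
SESSION = [
    (0xEC, 0, None),
    (0x20, 0, None),
    (0x30, 0, b"\xff" * 512),
    (VENDOR_WRITE, 1, b"\xee" * 512),
]


def media_unchanged_after(blocker):
    """True if the drive contents survive SESSION untouched behind this blocker."""
    drive = ToyDrive()
    before = list(drive.sectors)
    run_session(blocker, drive, SESSION)
    return drive.sectors == before


if __name__ == "__main__":
    for cls in (DenyListBlocker, AllowListBlocker):
        print(cls.__name__, "media unchanged:", media_unchanged_after(cls()))
```

The deny-list blocker stops WRITE SECTORS but forwards the unlisted vendor opcode, and sector 1 is overwritten; the allow-list blocker forwards only the four commands it knows to be harmless, so the unknown opcode never reaches the drive. That is why a blocker whose default is "drop" is the safer design for evidence media.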

Page 14: Analysis of digital evidence

ANALYSIS

A number of techniques are used during computer forensics investigations, and much has been written on the many techniques used by law enforcement in particular.

Cross-drive analysis: a forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.

Live analysis: the examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with encrypting file systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Page 15: Analysis of digital evidence

Deleted files

A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data.

■ Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors.
■ File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
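As an added example, not part of the original presentation, here is a minimal header-to-trailer file carver in Python of the kind the passage describes. It scans a raw image for the public header and trailer bytes of JPEG, PNG and PDF files without consulting any file system metadata, which is exactly the situation after a deletion. The 32-sector image, the fake file bodies and the truncated JPEG at sector 20 are constructed for the demonstration.

```python
SECTOR = 512

# Public header/trailer byte signatures for three common file types.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image, max_size=8 * 1024 * 1024):
    """Scan a raw image for known headers and carve each file up to its trailer.

    Returns (kind, start, end, data) tuples sorted by start offset. A header with
    no trailer within max_size bytes is reported as (kind, start, None, None): the
    file is truncated or its tail has been overwritten, a common outcome for
    deleted files.
    """
    found = []
    for kind, (header, trailer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            t = image.find(trailer, start + len(header), start + max_size)
            if t == -1:
                found.append((kind, start, None, None))
                pos = start + len(header)
            else:
                end = t + len(trailer)
                found.append((kind, start, end, image[start:end]))
                pos = end
    return sorted(found, key=lambda r: r[1])


def build_sample_image():
    """Constructed 32-sector image with no directory entries at all: a 'deleted'
    JPEG at sector 3, a PNG at sector 10, and at sector 20 a JPEG header whose
    remainder has been overwritten with zeros."""
    jpeg = SIGNATURES["jpeg"][0] + b"J" * 700 + SIGNATURES["jpeg"][1]
    png = SIGNATURES["png"][0] + b"P" * 300 + SIGNATURES["png"][1]
    image = bytearray(32 * SECTOR)
    image[3 * SECTOR:3 * SECTOR + len(jpeg)] = jpeg
    image[10 * SECTOR:10 * SECTOR + len(png)] = png
    image[20 * SECTOR:20 * SECTOR + 3] = SIGNATURES["jpeg"][0]
    return bytes(image), jpeg, png


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for kind, start, end, data in carve(image):
        size = "truncated" if end is None else f"{end - start} bytes"
        print(f"{kind:5} at sector {start // SECTOR:3} offset {start:6}: {size}")
```

Header-to-trailer carving is the simplest carving strategy; it recovers only contiguous files, and a file whose trailer is gone is reported rather than silently merged with whatever follows it. Real tools add per-format size limits and structure checks for exactly that reason.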

Page 16: Analysis of digital evidence

DIGITAL EVIDENCE ANALYSIS METHODOLOGY

1. Protect the crime scene.
2. Force shutdown of the computer.
3. Document the hardware configuration of the system.
4. Transport the computer system to a forensic laboratory.
5. Make bit stream backups of hard disks and floppy disks.
6. Authenticate the data mathematically on all storage devices (hash value).
7. Document the system date and time.
8. List the key words for the search.
9. Evaluate the Windows swap file.
10. Evaluate file slack.
11. Evaluate unallocated space (erased files).
12. Search files, file slack and unallocated space for key words.
13. Document file names, dates and times.
14. Identify file, programme and storage anomalies.
15. Evaluate the programme functionality.
16. Document your findings.
17. Retain copies of software used.

Page 17: Analysis of digital evidence

Protect the crime scene

The first and foremost step is to protect the crime scene, for which access to the area around the suspect computer should be restricted to the individuals involved with the investigation. The scene should be documented in great detail. The computer and the surrounding area should be photographed from all angles.

Force shutdown of the computer

This should be done as quickly as possible. Consideration should be given to possible destructive processes that may be operating in the background. Do not shut down the computer abruptly.

Page 18: Analysis of digital evidence

Follow the detailed power shutdown procedure for the various operating systems as given in the chart:

Operating system: MS-DOS
Power shutdown procedure:
1. Photograph the screen and document any programmes running.
2. Pull the power cord from the wall socket.
3. In the case of a laptop, remove the battery pack.

Operating system: UNIX/Linux
Power shutdown procedure:
1. Photograph the screen and document any programmes running.
2. Right-click the menu; from the menu, click Console.
3. If the root user prompt (#) is not present, change user to root by typing su -
4. If the root password is not available, pull the power cord from the wall socket.
5. If the password is available, enter it. At the # sign type sync;sync;halt and the system will shut down.
6. Pull the power cord from the wall socket.

Operating system: Mac
Power shutdown procedure:
1. Photograph the screen and document any programmes running.
2. Click Special, then click Shutdown. The window will tell you it is safe to turn off the computer.
3. Pull the power cord from the wall socket.

Operating system: Windows 3.x/95/98/NT
Power shutdown procedure:
1. Photograph the screen and document any programmes running.
2. Pull the power cord from the wall socket.
3. In the case of a laptop, remove the battery pack.

Page 19: Analysis of digital evidence

Document the hardware configuration of the system

Pay close attention to how the computer is set up before it is dismantled, as it will have to be restored to its original condition at a secure location. In addition to photography, diagram the computer configuration on paper, labelling which cables are attached and what they are attached to.

Transport the computer system to a secure location (forensic laboratory)

Do not leave the subject computer unattended unless it is locked up in a secure location. Transport the seized equipment to a secure and controlled environment that is trusted to be free of anything that could modify or destroy the evidence.

Page 20: Analysis of digital evidence

Make bit stream backups of hard disks and floppy disks

Bit stream format?

A bit stream format is the format of the data found in a stream of bits used in a digital communication or data storage application.

■ Disconnect the hard drive and boot from a floppy disk (the BIOS may need to be modified to allow booting from a floppy).
■ The computer should not be operated and computer evidence should not be processed until bit stream backups of all hard disk drives and floppy disks have been made.
■ The evidence processing should be done on a restored copy of the bit stream backup rather than on the original computer.
■ The computer forensic scientist should make a bit stream image of the suspect hard drive before anything else.

Page 21: Analysis of digital evidence

Authenticate the data mathematically on all storage devices

Proof may have to be provided that none of the evidence has been altered after the computer came into the possession of the investigation team. Forensic tools are available to mathematically authenticate the data using a 128-bit level of accuracy.

Use a hash algorithm to generate a numeric expression and compare this to the output of the same hash algorithm on the data that was backed up, in order to mathematically authenticate the data. This is used as proof that the files have not been changed.

Hash algorithm?

A hash function is any function that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. One use is a data structure called a hash table, widely used in computer software for rapid data lookup. Hash functions accelerate table or database lookup by detecting duplicated records in a large file.

Page 22: Analysis of digital evidence

Document the system date and time

The dates and times associated with the computer files can be extremely important from an evidence standpoint. However, the accuracy of the dates and times is just as important. Document the system date and time setting at the time the computer is taken into possession.

List the key words for the search

Forensic tools are available to search for the relevant evidence. Usually, some information is known about the allegations, the computer user and the alleged associates that may be involved. Information gathered from individuals who are familiar with the case helps in compiling a list of key words that are relevant to the investigation. These can be used to search the disk drives.

Page 23: Analysis of digital evidence

Evaluate the Windows swap file

The Windows swap file is a potentially valuable source of evidence and leads. The evaluation of the swap file can be automated with forensic tools. New Technologies Inc. has tools and programmes that will capture erased file space and create a file that can be searched for key words, which can then be added to the list.

Evaluate file slack

File slack is a data storage area of which most computer users are not aware. It is a source of significant security leakage and consists of raw memory dumps that occur during the work session as files are closed. The data dumped from memory ends up being stored at the end of allocated files, beyond the reach or view of the user. Forensic tools are required to view and evaluate file slack, and it can provide a wealth of information and investigative leads.

Page 24: Analysis of digital evidence

Evaluate unallocated space (erased files)

The 'delete' function of DOS and Windows does not completely erase the file names or the file contents. Unallocated space may still contain these erased files and the file slack associated with them. The DOS undelete programme can be used to restore the previously erased files.

Search files, file slack and unallocated space for key words

The list of relevant key words, identified in the previous step, should be used to search all relevant computer hard disk drives and floppy disks.
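As an added example, not part of the original presentation, the following Python model ties together the three preceding steps (file slack, unallocated space and the key word search). It builds a constructed cluster-allocated volume in memory, writes and deletes files the way the text describes (deletion releases the clusters but leaves the bytes), models file slack as the memory buffer an operating system pads the last sector with plus the untouched rest of the last cluster, and then searches allocated data, slack and unallocated clusters for a key word list, reporting which region each hit came from. The cluster size, file names, contents and key words are all constructed; the "RAM buffer" padding is a simplification of the memory-dump behaviour the text describes.

```python
CLUSTER = 2048   # constructed cluster size: four 512-byte sectors
SECTOR = 512


class ToyVolume:
    """Constructed volume: raw bytes plus a per-cluster owner table and a file table."""

    def __init__(self, n_clusters):
        self.data = bytearray(n_clusters * CLUSTER)
        self.alloc = [None] * n_clusters          # owner file name per cluster
        self.files = {}                           # name -> (first_cluster, size, n_clusters)

    def write_file(self, name, start_cluster, content, ram_buffer=b""):
        n = -(-len(content) // CLUSTER)           # ceiling division: clusters needed
        if any(self.alloc[c] is not None for c in range(start_cluster, start_cluster + n)):
            raise RuntimeError("clusters already in use")
        off = start_cluster * CLUSTER
        self.data[off:off + len(content)] = content
        # RAM slack: the OS fills the last sector up with whatever is in its buffer.
        end_of_sector = off + -(-len(content) // SECTOR) * SECTOR
        pad = end_of_sector - (off + len(content))
        self.data[off + len(content):end_of_sector] = ram_buffer[:pad].ljust(pad, b"\x00")
        # Drive slack: remaining sectors of the last cluster are left untouched.
        for c in range(start_cluster, start_cluster + n):
            self.alloc[c] = name
        self.files[name] = (start_cluster, len(content), n)

    def delete_file(self, name):
        """'Delete' releases the allocation only; the bytes stay on the media."""
        start, _size, n = self.files.pop(name)
        for c in range(start, start + n):
            self.alloc[c] = None

    def regions(self):
        """Yield (region, owner, byte_offset, bytes) for allocated data, slack, unallocated."""
        for name, (start, size, n) in self.files.items():
            off = start * CLUSTER
            yield ("allocated", name, off, bytes(self.data[off:off + size]))
            yield ("slack", name, off + size, bytes(self.data[off + size:(start + n) * CLUSTER]))
        for i, owner in enumerate(self.alloc):
            if owner is None:
                yield ("unallocated", f"cluster {i}", i * CLUSTER,
                       bytes(self.data[i * CLUSTER:(i + 1) * CLUSTER]))


def keyword_search(volume, keywords):
    """Return (keyword, region, owner, absolute_offset) for every hit, by offset."""
    hits = []
    for region, owner, base, blob in volume.regions():
        for kw in keywords:
            idx = blob.find(kw)
            while idx != -1:
                hits.append((kw.decode(), region, owner, base + idx))
                idx = blob.find(kw, idx + 1)
    return sorted(hits, key=lambda h: h[3])


def build_scenario():
    """Constructed history: two files written, both deleted, a small file written over
    the first one's clusters. Old content survives in slack and unallocated space."""
    vol = ToyVolume(4)
    report = bytearray(b"." * 3000)
    report[1500:1522] = b"shipment leaves friday"        # lands in cluster 0, sector 2
    report[2500:2514] = b"meet at dock 7"                # lands in cluster 1
    vol.write_file("report.txt", 0, bytes(report))       # clusters 0-1
    vol.write_file("secret.txt", 2, b"password: hunter2".ljust(1000, b"s"))   # cluster 2
    vol.delete_file("secret.txt")
    vol.delete_file("report.txt")
    notes = b"notes: nothing to see here".ljust(600, b"x")
    ram = b"transfer 50000 to offshore account".ljust(SECTOR, b"r")   # constructed RAM contents
    vol.write_file("notes.txt", 0, notes, ram_buffer=ram)             # cluster 0 only
    return vol


if __name__ == "__main__":
    vol = build_scenario()
    for hit in keyword_search(vol, [b"friday", b"dock 7", b"hunter2", b"transfer", b"nothing"]):
        print("%-9s %-12s %-10s offset %d" % hit)
```

Only one of the five hits sits in a live file; "transfer" is in RAM slack, "friday" in drive slack behind notes.txt, and the other two are in clusters no directory entry points to, which is why a search that only opens files by name misses most of what the media still holds.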

Page 25: Analysis of digital evidence

Document file names, dates and times

From an evidence standpoint, file names and their dates of creation and last modification can be relevant. Therefore, it is important to catalogue these dates and times for existing and erased files.

Identify file, programme and storage anomalies

Encrypted, compressed and graphic files store data in binary format. As a result, a text search programme cannot identify text data stored in these formats. Manual evaluation of these files is required, and in the case of encrypted files more effort may be involved. Reviewing the portions of the seized hard disk drive is also important. Use disk utilities such as 'undelete' to recover as much of the deleted data as possible.

Page 26: Analysis of digital evidence

Evaluate the programme functionality

Depending on the application software involved, running programmes to learn their purpose may be necessary.

Document your findings

As indicated in the preceding steps, it is very important to document the findings as issues are identified and as evidence is found. It is also important to document the software that was used in the forensic evaluation of the evidence, including the version numbers of the programmes.

Retain copies of software used

As part of the documentation process, it is recommended that a copy of the forensic tool software used be included. Often it is necessary to duplicate the forensic processing result during or before trial. Duplication of the result can be difficult or impossible to achieve if the software has been upgraded and the original version used was not retained.

Page 27: Analysis of digital evidence

OFFENCES AND PUNISHMENTS UNDER THE INFORMATION TECHNOLOGY ACT, 2000

Offences

The offences included in the IT Act 2000 are as follows:

1. Tampering with computer source documents.
2. Hacking with computer system.
3. Publishing of information which is obscene in electronic form.
4. Power of Controller to give directions.
5. Directions of Controller to a subscriber to extend facilities to decrypt information.
6. Protected system.
7. Penalty for misrepresentation.
8. Penalty for breach of confidentiality and privacy.
9. Penalty for publishing a Digital Signature Certificate false in certain particulars.
10. Publication for fraudulent purpose.
11. Act to apply for offence or contravention committed outside India.
12. Confiscation.
13. Penalties or confiscation not to interfere with other punishments.
14. Power to investigate offences.

Page 28: Analysis of digital evidence

Punishments

Section 43 of the IT Act states that any act of destroying, altering or stealing a computer system/network, or deleting information, with the act of damaging data or information, without the authorisation of the owner of that computer, makes the person liable to pay compensation to the owner for the damage.

Section 43A of the IT Act states that any corporate body dealing with sensitive information that is negligent in implementing reasonable security practices, causing loss or wrongful gain to any other person, will also be liable to pay compensation to the affected party.

Section 66 states that hacking of a computer system by an individual dishonestly or fraudulently is punishable with 3 years' imprisonment, a fine of Rs. 5,00,000, or both.

Section 66A states that sending any offensive information of a demeaning character, or information known to be false but sent for the purpose of causing annoyance, inconvenience, danger, enmity, hatred or criminal intimidation, or to mislead the recipient, is punishable with imprisonment up to 3 years with or without a fine.

Page 29: Analysis of digital evidence

Sections 66B, 66C and 66D: fraudulently or dishonestly using or transmitting information, or identity theft, is punishable with 3 years' imprisonment, a fine of Rs. 1,00,000, or both.

Section 66E: violation of privacy by transmitting an image of a private area is punishable with 3 years' imprisonment, a fine of Rs. 2,00,000, or both.

Section 66F: cyber terrorism affecting the unity, integrity, security or sovereignty of India through a digital medium is punishable with life imprisonment.

Section 67 states that publishing obscene information or pornography, or transmitting obscene information in public, is punishable with imprisonment up to 5 years, a penalty of Rs. 10,00,000, or both.
