Mathematical authentication of digital evidence is achieved by using suitable hash functions. The MD5 hash algorithm was at one time considered suitable: it was prescribed by Rule 6 of the Information Technology (Certifying Authorities) Rules, 2000. MD5 was subsequently proven weak by mathematicians (practical collision attacks exist, so two different inputs can be made to produce the same MD5 value). Asian School of Cyber Laws filed a public interest litigation in the Bombay High Court on the same issue. Subsequently, the Information Technology (Certifying Authorities) Amendment Rules, 2009 amended Rule 6 and MD5 was replaced by SHA-2. It is advised that in digital forensics and investigations, mathematical authentication of digital evidence be done using either SHA-1 or SHA-2. MD5 must not be used, as such evidence may be unacceptable in a court of law. Note that practical collisions have since also been demonstrated for SHA-1, so SHA-2 (for example SHA-256) is the prudent choice for new work.
Computer Forensics
• A process of applying scientific and analytical techniques to computer operating systems and file structures to determine potential legal evidence.
Computer Forensics
• It is the practice of lawfully establishing evidence and facts.
• It is a science involving legal evidence found in digital storage media and in computers.
Subdivisions:
- Disk forensics
- Network forensics
- Mobile forensics
Role of the Computer Forensic Investigator: Evidence Collection and Chain of Custody
• Who: Who handled the evidence?
• What: What procedures were performed on the evidence?
• When: When was the evidence collected and/or transferred to another party?
• Where: Where was the evidence collected and stored?
• How: How was the evidence collected and stored?
• Why: For what purpose was the evidence collected?
Forensics Process
• Acquire the data to be examined
• Photographs
• Make an image
• Review the logical file structure
• Review unallocated space and file slack
• Recover deleted data (if any)
• Report
• Expert testimony
Importance of Evidence
"Evidence" is anything the judge allows a jury to consider in reaching a verdict. This can include the testimony of witnesses, photographs of the scene and "demonstrative evidence" such as charts or sample equipment.
Sources of Evidence
• Slack space, free space, swap, Recycle Bin
• Event logs
• Registry
• Application files, temp files
• E-mail
• Browser history and cache
Types of Forensics
• Live forensics
• Non-live forensics
• Post-acquisition analysis technologies
Live Forensics
• Recovery of volatile data
• Gathering system information
• Gathering USB device history
• System Explorer
• Imaging and cloning
Non-Live Forensics
• Imaging
• Cloning
Post-Acquisition Analysis
• Mathematical authentication of data (hash)
• Virtualization
• Malware analysis
• Detection of obscene content
• Image ballistics
• Use of spyware (keyloggers) in investigations
• Digital evidence analysis
Select the Algorithm
• The Information Technology (Certifying Authorities) Amendment Rules, 2009 amended Rule 6 of the Information Technology (Certifying Authorities) Rules, 2000.
• It is advised that mathematical authentication of digital evidence be done using either SHA-1 or SHA-2.
• MD5 must not be used, as such evidence may be unacceptable in a court of law.
Mathematical authentication of digital evidence is achieved by using SHA-2.
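The imaging step of the forensics process and the SHA-2 authentication described above, combined in one added example (this is not code from the original slides). The device is a constructed in-memory byte string standing in for a block device; on a real system the source would be the device node opened read-only behind a hardware write blocker, and the examiner name and method strings are hypothetical placeholders. The hash is computed on the same byte stream that is written, so a later re-hash of the image either matches that reference value or proves the image has changed.

```python
"""Bit-stream acquisition with streaming SHA-256 authentication (added example)."""
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # read granularity; any power of two works


def acquire(source, dest, block_size=BLOCK_SIZE):
    """Copy every byte from source to dest, hashing the stream as it passes.

    Returns (bytes_copied, sha256_hex). Hashing exactly the bytes that are
    written gives the reference value that later verification is checked against.
    """
    h = hashlib.sha256()
    total = 0
    while True:
        chunk = source.read(block_size)
        if not chunk:
            break
        h.update(chunk)
        dest.write(chunk)
        total += len(chunk)
    return total, h.hexdigest()


def verify(image, expected_sha256, block_size=BLOCK_SIZE):
    """Re-hash an image from the start and compare with the acquisition hash."""
    h = hashlib.sha256()
    image.seek(0)
    for chunk in iter(lambda: image.read(block_size), b""):
        h.update(chunk)
    return h.hexdigest() == expected_sha256


def custody_record(examiner, source_desc, size, sha256_hex, method):
    """Chain-of-custody entry: who, what, when, how, plus the authenticating hash."""
    return {
        "who": examiner,
        "what": source_desc,
        "when": datetime.now(timezone.utc).isoformat(),
        "how": method,
        "size_bytes": size,
        "sha256": sha256_hex,
    }


def demo():
    """Acquire a constructed 1 MiB device, verify it, then show a tampered copy failing."""
    device_bytes = bytes(range(256)) * 4096  # constructed device contents (1 MiB)
    source = io.BytesIO(device_bytes)
    image = io.BytesIO()
    size, digest = acquire(source, image)
    record = custody_record("Examiner A (hypothetical)", "in-memory test device",
                            size, digest, "streaming bit-stream copy, SHA-256")
    intact = verify(image, digest) and image.getvalue() == device_bytes
    # Simulate post-acquisition tampering: byte 12345 of the pattern is 0x39, overwrite it.
    image.seek(12345)
    image.write(b"\x00")
    tampered_detected = not verify(image, digest)
    # Known-answer check of the hashing path against the standard SHA-256("abc") vector.
    abc_sha256 = acquire(io.BytesIO(b"abc"), io.BytesIO())[1]
    return {"size": size, "sha256": digest, "intact": intact,
            "tampered_detected": tampered_detected, "record": record,
            "abc_sha256": abc_sha256}


if __name__ == "__main__":
    result = demo()
    print(result["size"], result["sha256"], result["intact"], result["tampered_detected"])
```

The acquisition hash belongs in the custody record at the moment of imaging; every later party who handles the image re-runs verify() and records the result, which is what makes the "who/what/when/how" chain checkable rather than a matter of trust.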
Types of Evidence
• Direct evidence
• Real evidence
• Documentary evidence
• Demonstrative evidence
Computer Evidence Processing Guidelines
• Pull the plug (where volatile data is not needed; if it is, capture it first, as under live forensics)
• Document the hardware configuration of the system
• Transport the computer system to a secure location (forensics lab)
• Make bit-stream backups of hard disks and floppy disks
• Mathematically authenticate data on all storage devices (hash)
• Document the system date and time
• Make a list of key search words
• Evaluate the Windows swap file
• Evaluate file slack
• Evaluate unallocated space (erased files)
• Search files, file slack and unallocated space for key words
• Document file names, dates and times
• Identify file, program and storage
• Evaluate program functionality
• Document your findings
• Retain copies of software used
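The "evaluate file slack", "evaluate unallocated space" and "search files, file slack and unallocated space for key words" steps, as an added example that is not part of the original slides. The file system here is a toy: a cluster size and an allocation map {file name: (cluster list, logical size)} stand in for what a real FAT or NTFS parser would return, and the image contents are constructed. The arithmetic is the general one: file slack is the tail of a file's last cluster past its logical end, and unallocated clusters are the ones no file owns.

```python
"""Keyword search over live files, file slack and unallocated space (added example)."""

CLUSTER = 512  # bytes per cluster (constructed)


def file_regions(alloc, cluster=CLUSTER):
    """Yield (file name, image offset, length) of the live content in each cluster of each file."""
    for name, (clusters, size) in alloc.items():
        for i, c in enumerate(clusters):
            length = min(cluster, size - i * cluster)
            if length > 0:
                yield name, c * cluster, length


def slack_regions(alloc, cluster=CLUSTER):
    """Yield (file name, image offset, length) of the file slack of each file."""
    for name, (clusters, size) in alloc.items():
        used_in_last = size % cluster
        if used_in_last == 0:
            continue  # file ends exactly on a cluster boundary: no slack
        start = clusters[-1] * cluster + used_in_last
        yield name, start, cluster - used_in_last


def unallocated_regions(alloc, total_clusters, cluster=CLUSTER):
    """Yield (image offset, length) of every cluster owned by no file."""
    owned = {c for clusters, _ in alloc.values() for c in clusters}
    for c in range(total_clusters):
        if c not in owned:
            yield c * cluster, cluster


def search(image, alloc, total_clusters, keywords, cluster=CLUSTER):
    """Return (area, detail, absolute offset, keyword) hits; area tells the examiner where a hit lives."""
    regions = [("file", name, off, ln) for name, off, ln in file_regions(alloc, cluster)]
    regions += [("slack", name, off, ln) for name, off, ln in slack_regions(alloc, cluster)]
    regions += [("unallocated", f"cluster {off // cluster}", off, ln)
                for off, ln in unallocated_regions(alloc, total_clusters, cluster)]
    hits = []
    for area, detail, off, ln in regions:
        data = image[off:off + ln]
        for kw in keywords:
            idx = data.find(kw)
            while idx != -1:
                hits.append((area, detail, off + idx, kw.decode()))
                idx = data.find(kw, idx + 1)
    return hits


def build_image(total_clusters=16, cluster=CLUSTER):
    """Constructed 8 KiB image: two live files plus remnants left in slack and free space."""
    img = bytearray(total_clusters * cluster)
    alloc = {"notes.txt": ([2, 3], 700), "a.bin": ([5], 512)}
    img[2 * cluster:2 * cluster + 700] = b"N" * 700        # live content of notes.txt
    img[1029:1035] = b"SECRET"                             # inside live content, not slack
    img[1734:1748] = b"SECRET-ACCOUNT"                     # remnant in notes.txt slack (1724..2047)
    img[5 * cluster:6 * cluster] = b"A" * cluster          # a.bin fills its cluster: no slack
    img[9 * cluster + 100:9 * cluster + 106] = b"SECRET"   # remnant of an erased file in cluster 9
    return bytes(img), alloc, total_clusters


def run_demo():
    """Search the constructed image for one keyword and return the classified hits."""
    image, alloc, n = build_image()
    return search(image, alloc, n, [b"SECRET"])


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

The same keyword appears three times, and the area label is what matters for the report: a hit in live content is ordinary file data, a hit in slack survived because the last cluster was only partly overwritten, and a hit in an unallocated cluster points to an erased file worth recovering. Keywords that straddle a region boundary are not found by this per-region search; a production tool searches the raw image as well and then maps each offset back to a region.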
Why Forensics?
• Confirms or dispels whether an incident occurred
• Promotes accumulation of accurate information
• Establishes controls for proper retrieval and handling of evidence
• Protects privacy rights established by law and policy
• Minimizes disruption to business and network operations
• Allows for criminal or civil action against perpetrators
• Provides accurate reports and useful recommendations
• Provides rapid detection and containment
• Minimizes exposure and compromise of proprietary data
• Protects your organization's reputation and assets
• Educates senior management
• Promotes rapid detection and/or prevention of such incidents in the future (via lessons learned, policy changes, and so on)