Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Analysis of digital evidence

basic examination of digital evidence. i wish help every one.

  • Login to see the comments

Analysis of digital evidence

  3. 3. DIGITAL EVIDENCE  Digital evidence is information stored or transmitted in binary form that may be relied on, in court.  Digital evidence includes information on computers, audio files, video recordings, and digital images.  Digital evidence is information and data of value to an investigation that is stored on, received, or transmitted by an electronic device.  This evidence is acquired when data or electronic devices are seized and secured for examination. Digital evidence— ■ Is latent, like fingerprints or DNA evidence. ■ Crosses jurisdictional borders quickly and easily. ■ Is easily altered, damaged, or destroyed. ■ Can be time sensitive.
  4. 4. possible places that digital evidence can reside, including:  Computers  External hard drives  CDs and DVDs  Thumb drives  Floppy disks  Cell phones  Voice over IP phones  Answering machines  iPods POSSIBLE PLACE WHERE DIGITAL EVIDENCE FOUND……
  5. 5.  Electronic game devices  Digital video recorders (Tivos)  Digital cameras  PDAs  GPSs  Routers  Switches  Wireless access points  Servers  Fax machines  Printers that buffer files  Photo-copiers that buffer files  Scanners that buffer files Continue…..
  6. 6. First we will need to consider the complaint or the initial reason for conducting an investigation. Some typical reasons that may warrant an investigation include but are not limited to: Unauthorised access on computer or Network Internet usage exceeds norm Using e−mail inappropriately Why Investigate..??
  7. 7.  Use of Internet, e−mail, or PC in a non−work−related manner Theft of information Violation of security policies or procedures Intellectual property Infringement Electronic tampering Online or Economic Fraud Software Piracy Telecommunication Fraud Terrorism (Homeland Security)  Child Abuse or Exploitation Continue…..
  8. 8. CARDINAL RULES OF COMPUTER FORENSIC…  The cardinal rules have been evolved to facilitate a forensically sound examination of computer media and enable a forensic scientist to testify in court in respect of their handling a particular piece of evidence.  The five cardinal rules are…Never Mishandle the EvidenceNever Work on the original Evidence Never trust the Subject’s Operating System. Document everything The Result should be repeatable and verifiable by a third
  10. 10. SEIZURE…  Prior to the actual examination digital media will be seized.  In criminal cases this will often be performed by law enforcement personnel trained as technicians to ensure the preservation of evidence.  In civil matters it will usually be a company officer, often untrained. Various laws cover the seizure of material.  In criminal matters law related to search warrants is applicable.  In civil proceedings the assumption is that a company is able to investigate their own equipment without a warrant, so long as the privacy and human rights of employees are observed.
  11. 11. ACQUISTION… A Tableau forensic write blocker  Once exhibits have been seized an exact sector level duplicate (or "forensic duplicate") of the media is created, usually via a write blocking device, a process referred to as Imaging or Acquisition.  The duplicate is created using a hard-drive duplicator or software imaging tools such as DCFLdd, Iximager, Guymager, TrueBack, EnCase, FTK Imager or FDAS.  The original drive is then returned to secure storage to prevent tampering.
  12. 12.  The acquired image is verified by using the SHA-1 or MD5 hash functions. At critical points throughout the analysis, the media is verified again, known as "hashing", to ensure that the evidence is still in its original state Continue….. Sector….  A sector, being the smallest physical storage unit on the disk.  A sector is a subdivision of a track on a magnetic disk or optical disc.  Each sector stores a fixed amount of user- accessible data, traditionally 512 bytes for hard disk drive (HDDs) and 2048 bytes for CD-ROMs and DVD-ROMs
  13. 13. Write Blockers…  Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents.  There are two ways to build a write- blocker: the blocker can allow all commands to pass from the computer to the drive except for those that are on a particular list.  Alternatively, the blocker can specifically block the write commands and let everything else through.  There are two types of write blockers, Native and Tailgate. A Native device uses the same interface on for both in and out, for example a IDE to IDE write block. A Tailgate device uses one interface for one side and a different one for the other, for example a Firewire to SATA write block. A hard drive attached to a portable write blocker
  14. 14. Analysis… A number of techniques are used during computer forensics investigations and much has been written on the many techniques used by law enforcement in particular……  Cross-drive analysis A forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.  Live analysis  The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence.  The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.
  15. 15. Deleted files…  A common technique used in computer forensics the recovery of deleted files.  Modern forensic software have their own tools recovering or carving out deleted data.  Most operating systems and file systems do always erase physical file data, allowing investigators to reconstruct it from the sectors.  File carving involves searching for known file headers within the disk image and deleted materials
  16. 16. DIGITAL EVIDENCE ANALYSIS METHODOLOGY…  Protect the crime scene  Force shutdown of the computer  Document the hardware configuration of the system  Transport the computer system to a Forensic Laboratory  Make bit stream backups of Hard disk and floppy disk  Authentication the data mathematically on all Storage devices (Hash value)  Document the System Date and time.  List the key words for the search  Evaluate the windows swap file  Evaluate file slack  Evaluation of unallocated Space (erased files)  Searching files , file slack and unallocated space for key words  Document file names, dates and time  Identify file, Programme and storage Anomalies  Evaluation the programme functionality  Document your findings  Retain copies of software used
  17. 17.  Protect the crime scene...  The first and fore most step is to protect the crime scene, for which access to the area around the suspect computer should be restricted only to the individual involved with the investigation.  The scene should be documented in great details. The computer and the surrounding area should be photographed from all angels.  Force shutdown of the computer  This should be done as quickly as possible. Consideration should be given to possible destructive processes that may be operating in the background.  Do not shut down the computer abruptly.
  18. 18. Follow the detailed power shut down procedure for various operating system as given in chart…. Operating system Power Shut Down Procedure MS DOS  Photograph screen and document any programmes running  Pull the power cord from the wall socket  In case of laptop, remove the battery pack UNIX/LINUX  Photograph screen and document any programmes running  Right click the menu  Frome menu, click Console  If root user prompt(#) not present , change user to root by typing su-  If root password not available , pull power cord from the wall socket  If password is available , enter it. At the # sign type sync;sync;halt and the system will shutdown  Pull power cord from wall socket Mac  Photograph screen and document any programmes running  Click Special  Click Shutdown  The window will tell you it is safe to turn off the computer.  Pull power cord from wall socket Windows  Photograph screen and document any programmes running  Pull power cord from wall socket 3.X/95/98/Nt  Pull power cord from wall socket  In case of laptop, remove the battery pack
  19. 19. Document the Hardware Configuration of the System…  Pay close attention to how the computer is set up before it is dismantled, as it will have to be restored to its original condition at a secure location.  In additional to photography, diagram the computer configuration on paper and by labelling which cables are attached and what they are attached to. Transport the computer system to a secure location(Forensic laboratory)…..  Do not leave the subject computer unattended unless it is locked up in a secure location.  Transport the seized equipment to a secure and controlled environment that is trusted to be free of any thing that could modify or destroy the evidence.
  20. 20. Make bit stream backups of Hard disked /floppy disks: Bit stream format.??? A bit stream format is the format of the data found in a stream of bits used in a digital communication or data storage application.  Disconnect the hard drive and boot from a floppy disk (the BIOS may need to be modified to allow boot from a floppy).  The computer should not be operated and computer evidence should not be processed until bit stream backups of all hard disk drives and floppy disks have been made.  The evidence processing should be done on a restored copy of the bit stream backup rather than on the original computer.  The computer forensic scientist should make a bit stream image of the suspect hard drive before anything else
  21. 21. Authentication the data mathematically on all Storage devices…  Proof may have to provide that none of the evidence has been altered after the computer came into possession of the investigation team. Forensic tools are available to mathematically authenticate the data using a 128-bit level of accuracy.  Use a hash algorithm to generate a numeric expression and compare this to the same has algorithm an the data that was backed up, in order to mathematically authenticate the data.  This is used as proof that the files have not been changed. hash algorithm ???  A hash function is any function that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes.  One use is a data structure called a hash table, widely used in computer software for rapid data lookup.  Hash functions accelerate table or database lookup by detecting duplicated records in a large file
  22. 22. Document the System Date and time.  The dates and times associated with the computer files can be extremely important from an evidence standpoint.  However, the accuracy of the dates and times is just as important.  Document the system date and time setting at the time the computer is taken into possession.List the key words for the search..  Forensic tools are available to search for the relevant evidence. Usually, some information is known about the allegations, the computer user and the alleged associates that may be involved.  Information gathered from the individuals, who are familiar with the case, would help in compelling a list of
  23. 23. Evaluate the windows swap file  The windows swap file is a potentially valuable source of evidence and leads.  The evaluation of the swap file can be automated with forensic tools.  New technologies Inc. has tools and programmes that will capture erased file space and create a file that can be searched for key words that can be added to the list.Evaluate file slack  File slack is a data storage area about which most of the computer users are not aware.  It is a source of significant security leakage and consist of raw memory dumps that occur during the work session, as the files are closed.  The data dumped from the memory ends up being stored at the end of allocated files, beyond the reach or view of the user.  Forensic tools are required to view and evaluate the file slack
  24. 24. Evaluation of unallocated Space (erased files)  The ‘delete’ function of DOS and Windows does not completely erase the file names or the file contents.  Unallocated space may still contain these erased files and the file slack associated with erased files.  The DOS undelete programme can be used to restore the previously erased files. Searching files, file slack and unallocated space for key words The list of relevant key words, identified in the previous step, should be used to search all relevant computer hard disk drives and floppy disks.
  25. 25. Document file names, dates and time  From an evidence standpoint, file names, their date of creation and last modification can be relevant.  Therefore, it is important to catalogue all this date and time of existing and erased files.Identify file, Programme and storage Anomalies  Encrypted, compressed and graphic files store data in binary format.  As a result, a text search programme cannot identify text data stored in these formats.  Manual evaluation of these file is required and in case of encrypted files, more efforts may be involved. Reviewing the portions on seized hard disk drive is also important.
  26. 26. . Evaluation the programme functionality Depending on the application software involved, running programmes to learn their purpose may necessary. Document your findings  As indicated in the preceding steps, it is very important to document the finding as issues are identified and as evidence is found.  It is also important to document the software that was used in the forensic evaluation of the evidence, including the version numbers of the programmers. Retain copies of software used  As part of the documentation process, it is recommended that a copy of the forensic tool software used be include.  Often it is necessary to duplicate the forensic processing result during or before trial.  Duplication of result can be difficult or impossible to achieve if the software has been upgraded and the original version used was not retained.
  27. 27. Offence & Punishment under the Information Act ,2000 Offence….. The offences included in the IT Act 2000 are as follows: 1. Tampering with the computer source documents. 2. Hacking with computer system. 3. Publishing of information which is obscene in electronic form. 4. Power of Controller to give directions 5. Directions of Controller to a subscriber to extend facilities to decrypt information 6. Protected system 7. Penalty for misrepresentation 8. Penalty for breach of confidentiality and privacy 9. Penalty for publishing Digital Signature Certificate false in certain particulars 10. Publication for fraudulent purpose 11. Act to apply for offence or contravention committed outside India 12. Confiscation 13. Penalties or confiscation not to interfere with other punishments. 14. Power to investigate offences.
  28. 28. Punishment  Section 43 of IT Act states any act of destroying, altering or stealing computer system/network or deleting information with act of damaging data or information without authorization of owner of that computer is liable for payment to be made to owner as compensation for damages  Section 43A of IT Act states any corporate body dealing with sensitive information and negligent with implementing reasonable security practices causing loss or wrongful gain to any other person will also be liable as convict for compensation to the affected party  Section 66 states hacking of computer system by individual with dishonesty or fraudulently with 3 yrs. imprisonment with fine of Rs. 5,00,000 or both  Section 66A states any offensive information with demean
  29. 29.  Section 66 B,C,D for fraudulently or dishonesty using or transmitting information or Identity theft is punishable with 3 yr imprisonment or 1,00,000 fine or both  Section 66 E for Violation of privacy by transmitting image of private area is punishable with 3 yr imprisonment or 2,00,000 fine or both  Section 66 F on Cyber Terrorism affecting unity, integrity security, sovereignity of India through digital medium is liable for life imprisonment  Section 67 states publishing obscene information or pornography or transmitting obscene information in public is liable for imprisonment upto 5 years or penalty of Rs. 10,00,000 or both Continue….