1. Lecture #28: Digital Forensics-Part II
Dr. Ramchandra Mangrulkar
September 30, 2020
Dr.Ramchandra Mangrulkar Lecture #28: Digital Forensics-Part II September 30, 2020 1 / 30
2. Forensics, Forensic science & Forensic scientists
Forensics is derived from forensic medicine
-autopsy examination
Forensic science, also known as criminalistics,
-is the application of science to criminal and civil laws,
-mainly on the criminal side
-during criminal investigation,
-as governed by the legal standards of admissible evidence and
criminal procedure [1]
Forensic scientists
-collect,
-preserve,
-and analyze
-scientific evidence during the course of an investigation.
[1] https://en.wikipedia.org/wiki/Forensic_science
5. Milestones in Computer Forensics
1970 -First crime cases involving computers, mainly financial fraud
1980
-Financial investigators and courts realize that in some cases all the records and evidence were only on computers.
-Norton Utilities “Un-erase” tool created
-Association of Certified Fraud Examiners began to seek training in what became computer forensics
-SEARCH High Tech Crimes training created
-Regular classes began to be taught to Federal agents in California and at FLETC in Georgia
-HTCIA formed in Southern California
1984 -FBI Magnetic Media Program created. Later it became the Computer Analysis and Response Team (CART)
1987 -AccessData, a cyber forensic company, formed
1988 -Creation of IACIS, the International Association of Computer Investigative Specialists
-First Seized Computer Evidence Recovery Specialists (SCERS) classes held
1993 -First International Conference on Computer Evidence held
1995 -International Organization on Computer Evidence (IOCE) formed
1997 -The G8 countries in Moscow declared that “Law enforcement personnel must be trained and equipped to address high-tech crimes”.
1998 -INTERPOL Forensic Science Symposium
1999 -FBI CART case load exceeds 2000 cases, examining 17 terabytes of data
2000 -First FBI Regional Computer Forensic Laboratory established
2003 -FBI CART case load exceeds 6500 cases, examining 782 terabytes of data
17. Digital Forensics Market Size by Components
-The global digital forensics market size was valued at USD 1.72 billion in 2018 and is expected to expand at a CAGR of 12.3% over the forecast period.
https://www.grandviewresearch.com/industry-analysis/digital-forensics-market
18. Serious Fraud Investigation Office, Government of India
The Naresh Chandra Committee inter alia recommended the setting up of a Corporate Serious Fraud Office.
https://sfio.nic.in/
19. Cyber Forensics in India
http://www.cyberforensics.in
20. Objectives of Digital Forensics
-A process to recover, analyze, and preserve computer and related materials so that the investigating agency can present them as evidence in a court of law.
-Helps to postulate the motive behind the crime and the identity of the main culprit.
-Helps to identify the evidence quickly, in order to estimate the potential impact of the malicious activity on the victim.
-Produce a computer forensic report on the investigation process.
-Preserve the evidence by following the chain of custody.
25. Digital Forensics Process
The process of digital forensics can be broken down into three
categories of activity: acquisition, analysis, and presentation.
26. Digital Forensics Process: Acquisition
Acquisition refers to the collection of digital media to be examined.
-physical hard drives, optical media, storage cards from digital cameras, mobile phones, chips from embedded devices, or even single document files.
-creating a duplicate of the original media (the working copy) as well as maintaining good records of all actions taken with any original media.
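The duplicate-and-record step described on this slide, as an added worked example that is not from the lecture or its sources: a Python script that copies a constructed stand-in disk image to a working copy, hashes the original before and after the copy and the copy itself with SHA-256, appends one JSON-lines chain-of-custody record, and later re-verifies the working copy against the logged hash. The file names, the examiner identifier and the log format are assumptions chosen for the example; in real acquisition the original is attached behind a hardware write blocker and imaged with a forensic imager, which this script illustrates but does not replace.

```python
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 in 1 MiB chunks (images are large)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(original: Path, working_copy: Path, log: Path, examiner: str) -> dict:
    """Make the working copy and record the action.

    The original is hashed before and after the copy so the record shows it
    was not altered by the examiner's own action; the copy is hashed so every
    later step can be checked against the same value.
    """
    before = sha256_of(original)
    shutil.copyfile(original, working_copy)
    after = sha256_of(original)
    copy_hash = sha256_of(working_copy)
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,                     # assumed identifier
        "action": "duplicate",
        "source": str(original),
        "destination": str(working_copy),
        "source_sha256_before": before,
        "source_sha256_after": after,
        "copy_sha256": copy_hash,
        "verified": before == after == copy_hash,
    }
    with log.open("a") as f:                      # append-only custody log
        f.write(json.dumps(record) + "\n")
    return record


def verify(working_copy: Path, log: Path) -> bool:
    """Re-hash the working copy and compare with the last logged value."""
    last = json.loads(log.read_text().splitlines()[-1])
    return sha256_of(working_copy) == last["copy_sha256"]


def demo() -> tuple[dict, bool, bool]:
    """Run the procedure on constructed sample media in a temporary directory.

    Returns (custody record, verification result, result after the copy is
    altered) so the failure case is visible too.
    """
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        original = base / "evidence.img"          # constructed stand-in image
        original.write_bytes(b"MBR\x55\xaa" + bytes(range(256)) * 16)
        working = base / "evidence.working.img"
        log = base / "custody.jsonl"
        record = acquire(original, working, log, examiner="examiner-01")
        ok = verify(working, log)
        # Alter one byte of the working copy: verification must now fail.
        with working.open("r+b") as f:
            f.seek(0)
            f.write(b"X")
        tampered_ok = verify(working, log)
        return record, ok, tampered_ok


if __name__ == "__main__":
    rec, good, bad = demo()
    print(json.dumps(rec, indent=2))
    print("working copy verified:", good)
    print("verified after alteration:", bad)
```

The record keeps both hashes of the original on purpose: a mismatch between `source_sha256_before` and `source_sha256_after` is the evidence that the acquisition itself changed the media, which is exactly the question a court will ask.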
30. Digital Forensics Process: Analysis
Analysis refers to the actual media examination:
-the “identification, analysis, and interpretation” items from the DFRWS 2001 definition [4].
-Identification consists of locating items or items present in the media in question.
-Analysis can be file system analysis, file content examination, log analysis, statistical analysis, etc.
-The examiner interprets the results of the analysis based on the examiner’s training, expertise, experimentation, and experience.
[4] https://dfrws.org/
35. Digital Forensics Labs
[Figures on this slide are not recoverable from the export; image sources [5] and [6]]
[5] www.google.com
[6] Scientific Working Group on Digital Evidence http://www.swgde.org
36. Digital Forensics Process: Presentation
Presentation refers to the process by which the examiner shares the results of the analysis phase.
-This consists of generating a report of actions taken by the examiner, artifacts uncovered, and the meaning of those artifacts.
-The presentation phase can also include the examiner defending these findings under challenge.
39. Key Technical Terms: Bits, Bytes, and Numbering Schemes
Intimate knowledge of the inner workings of a computer is critical for the digital forensics practitioner.
40. Key Technical Terms: File Carving
-Examiners must look at the data at the “bit” and “byte” level to find, extract, and interpret the evidence.
-This is most evident in a process called file carving. File carving is done to locate and mine out files from amorphous blobs of data, like the unallocated space (also known as drive-free space).
-The first step: identify the potential file. The file is identified by its header, if it has one.
-Then identify the footer; a contiguous file is extracted through a simple copy and paste of the bytes between header and footer.
-A fragmented file is far more difficult to recover (Casey, 2011).
-The ability to interpret binary and hex makes file carving possible.
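The header-then-footer carving procedure from this slide, as an added example that is not from the lecture, from Casey (2011), or from any carving tool: a Python carver that scans a constructed blob of "unallocated space" for the well-known JPEG, PNG and PDF headers, searches forward for the matching footer, copies the contiguous bytes out, and skips a header that has no footer within range, which is what a truncated or fragmented file produces. The signature table and the sample blob are constructed for the example (the embedded "files" carry valid signatures but no real image data); the hexdump helper shows the byte-level view the slide refers to.

```python
from __future__ import annotations

from dataclasses import dataclass

# Header/footer magic numbers for a few common types. A production carver
# (scalpel, foremost, PhotoRec) carries a far larger table than this.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


@dataclass
class CarvedFile:
    kind: str
    start: int      # offset of the header in the blob
    end: int        # offset one past the footer
    data: bytes


def carve(blob: bytes, max_size: int = 1 << 20) -> list[CarvedFile]:
    """Carve contiguous files out of an amorphous blob.

    Step 1: find a header.  Step 2: find the matching footer after it.
    Step 3: copy the bytes between them.  A header whose footer is missing
    or too far away is skipped: that is the truncated/fragmented case the
    slide says is much harder, and this simple carver does not attempt it.
    """
    found: list[CarvedFile] = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start == -1:
                break
            end = blob.find(footer, start + len(header))
            if end == -1 or end - start > max_size:
                pos = start + 1          # orphan header: move on
                continue
            end += len(footer)
            found.append(CarvedFile(kind, start, end, blob[start:end]))
            pos = end                    # resume after the carved file
    return sorted(found, key=lambda f: f.start)


def hexdump(data: bytes, base: int = 0, width: int = 16) -> str:
    """Classic offset / hex / ASCII view, the form in which an examiner
    reads headers and footers at the byte level."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + i:08x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


def build_sample_blob() -> bytes:
    """Constructed 'unallocated space': zero filler with two hand-made files
    and one orphaned JPEG header (no footer follows it) embedded."""
    fake_jpg = b"\xff\xd8\xff\xe0" + b"JFIF-payload-" * 3 + b"\xff\xd9"
    fake_png = b"\x89PNG\r\n\x1a\n" + b"IHDR-chunk-" * 2 + b"IEND\xaeB`\x82"
    filler = b"\x00" * 64
    orphan_header = b"\xff\xd8\xff"
    return filler + fake_jpg + filler + orphan_header + filler + fake_png + filler


if __name__ == "__main__":
    blob = build_sample_blob()
    for f in carve(blob):
        print(f"{f.kind}: offset {f.start}-{f.end} ({len(f.data)} bytes)")
        print(hexdump(f.data[:16], base=f.start))
```

Running the block reports a JPEG at offset 64 and a PNG at offset 240; the orphaned header at offset 173 produces nothing because no JPEG footer follows it, and the carver makes no attempt to guess where such a file ends.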
The first step : identify the potential file. The file is identified
by the header, if it has. one.
Identify footer, extracted file through a simple copy and
paste(continuous).
A fragmented file is far more difficult to recover (Casey, 2011).
The ability to interpret binary and hex makes file carving
possible.
Dr.Ramchandra Mangrulkar Lecture #28: Digital Forensics-Part II September 30, 2020 15 / 30
46. Key Technical Terms: File Extensions and File Signature Analysis
Files are strings or sequences of bits and bytes.
The operating system identifies the file type by the file extension, if the system is configured to do so.
The file extension is very easily changed.
Forensic tools identify files based on the header, not the file extension.
Separating out those files whose header does not match their extension is known as file signature analysis.
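File signature analysis as an added example, not code from the lecture: the MAGIC table covers a handful of common headers, and SAMPLE_FILES is a constructed set that includes one file whose extension contradicts its header.

```python
"""File signature analysis: compare a file's leading bytes (its header) with
the type its extension claims and flag the mismatches.
Added illustration: MAGIC and SAMPLE_FILES are constructed here."""
from __future__ import annotations

from pathlib import PurePosixPath

# Magic bytes for a few common types.  ZIP-based formats (docx, xlsx, ...)
# share the ZIP signature, so one header may be consistent with several extensions.
MAGIC = [
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", {"exe", "dll"}),
]


def identify(header: bytes) -> set[str] | None:
    """Extensions consistent with the leading bytes, or None when the header
    matches nothing we know (plain text, unknown binaries)."""
    for magic, exts in MAGIC:
        if header.startswith(magic):
            return exts
    return None


def check(name: str, data: bytes) -> tuple[str, str]:
    """Classify one file as 'match', 'mismatch' or 'unknown' with a reason.
    Only the first bytes are examined; the name is never trusted."""
    ext = PurePosixPath(name).suffix.lstrip(".").lower()
    exts = identify(data[:16])
    if exts is None:
        return "unknown", f"{name}: no known signature for header {data[:4].hex()}"
    if ext in exts:
        return "match", f"{name}: header agrees with .{ext}"
    return "mismatch", f"{name}: claims .{ext} but header says {'/'.join(sorted(exts))}"


def signature_analysis(files: dict[str, bytes]) -> list[str]:
    """Names of the files whose header contradicts their extension."""
    return [n for n, d in files.items() if check(n, d)[0] == "mismatch"]


# Constructed sample set: a JPEG, a PDF, a DOCX (ZIP container), a text file,
# and an executable that has been renamed to look like an image.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00...",
    "report.pdf": b"%PDF-1.7\n%...",
    "notes.docx": b"PK\x03\x04\x14\x00\x06\x00...",
    "readme.txt": b"Just some text\n",
    "kitten.jpg": b"MZ\x90\x00\x03\x00\x00\x00...",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(*check(name, data))
    print("mismatches:", signature_analysis(SAMPLE_FILES))
```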
53. Key Technical Terms: Storage and Memory
Data are generally recorded in three different ways: electromagnetism, microscopic electrical transistors (flash), and reflected light (CDs, DVDs, etc.).
Volatile versus Nonvolatile Memory
Some instant messaging applications, for example, do not write to the hard drive unless the logging feature is turned on. AOL Instant Messenger and MSN fall into that category.
So, if logging is off (which it is by default), the only evidence will be found in RAM, and only while the machine is running.
57. Key Technical Terms: Computing Environments
Not all computing “environments” are created equal.
These disparities will have a significant impact on your collection process, where you look for data, the tools you will use, and the level of complexity required.
A stand-alone computer is one that is not connected to another computer.
A networked computer is connected to at least one other computer and potentially many others.
A mainframe system centralizes all of the computing power in one location. Processors, storage, and applications can all be located and controlled from a single location.
Cloud computing: IaaS, PaaS, SaaS.
63. Key Technical Terms: Data Types
Data can be lumped into three broad categories: active, latent, and archival.
Active Data
-Active data are the data that we use every day on our computers. The operating system “sees” and tracks these files.
-These are the files that reside in the allocated space of the drive.
-These data can be acquired with standard forensic cloning techniques.
Latent Data
-Data that have been deleted or partially overwritten are classified as latent.
-They are no longer tracked by the operating system and are therefore “invisible” to the average user.
-A bit-stream (forensic) image is required to collect these data.
66. Key Technical Terms: Data Types
Archival Data
-Archival data are backups, e.g. on external hard drives, DVDs, and backup tapes.
-Acquisition of archival data can range from simple to extremely complex.
-The type and age of the backup media are major factors in determining the complexity of the process.
Backup tapes may have been made with software or hardware that is no longer in production; those same tools will be needed to restore the data into a form that can be understood and manipulated.
It could be that an older version of the software is no longer available, or that the company is no longer in business. Data in this situation are known as legacy data.
69. Key Technical Terms: File Systems
The file system tracks the drive’s free space as well as the location of each file.
The free space, also known as unallocated space, is either empty or still holds the contents of a file that previously occupied that location and has since been deleted.
File Allocation Table (FAT) is the oldest of the common file systems. It comes in four flavors: FAT12, FAT16, FAT32, and FATX.
The New Technology File System (NTFS) is the system used currently by Windows 7, Vista, XP, and Windows Server (automatic recovery, encryption).
Hierarchical File System (HFS+): larger disk space, cross-platform compatibility, and international-friendly file names.
Apple File System (APFS) is a proprietary file system for macOS High Sierra (10.13) and later, and for iOS 10.3.
75. Feed your Head : Exercise 1
The date is 21 December 2012. During a forensic examination
you locate several files. Along with files you can see the size of
the file and the file type. Digging deeper, you also notice the
date those files were created and the last time each file was
opened or modified. Look at each of the following files and see if
any file looks suspicious.
76. Feed your Head : Exercise 1
77. Key Technical Terms: Allocated and Unallocated Space
Windows cannot see data in unallocated space. To the operating system, files located in unallocated space are essentially invisible.
It is important, however, to understand that “not used” does not always mean “empty.”
Host Protected Areas (HPAs) and Device Configuration Overlays (DCOs) refer to hidden areas on a hard drive created by manufacturers that can be “accessed, modified, and written to by end users using specific open source and freely available tools, allowing data to be stored and/or hidden in these areas”.
Data persistence: with the massive amount of storage space available on today’s hard drives, a file stands a good chance of never being overwritten.
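The active/latent distinction (slide 63), the definition of unallocated space (slide 69) and data persistence on this slide can be seen together in a toy block-allocated volume. This is an added example, not code from the lecture: ToyVolume, its tiny CLUSTER size and the sample file contents are all constructed for illustration.

```python
"""Toy block-allocated volume showing why latent data needs a bit-stream image.
Added illustration: ToyVolume and its sample files are constructed here, and
CLUSTER is deliberately tiny so the output stays readable."""
from __future__ import annotations

CLUSTER = 8   # bytes per cluster (real file systems use 512 B to 64 KiB)
FREE = 0      # allocation-table value for an unallocated cluster
USED = 1


class ToyVolume:
    def __init__(self, clusters: int) -> None:
        self.disk = bytearray(clusters * CLUSTER)  # the raw medium
        self.table = [FREE] * clusters             # FAT-like allocation table
        self.directory: dict[str, list[int]] = {}  # name -> cluster chain

    def _cluster(self, c: int) -> bytes:
        return bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])

    def write(self, name: str, data: bytes) -> None:
        """Allocate the first free clusters and store the bytes there."""
        need = -(-len(data) // CLUSTER)            # ceiling division
        free = [i for i, v in enumerate(self.table) if v == FREE]
        if len(free) < need:
            raise OSError("disk full")
        chain = free[:need]
        for k, c in enumerate(chain):
            chunk = data[k * CLUSTER:(k + 1) * CLUSTER].ljust(CLUSTER, b"\x00")
            self.disk[c * CLUSTER:(c + 1) * CLUSTER] = chunk
            self.table[c] = USED
        self.directory[name] = chain

    def delete(self, name: str) -> None:
        """Like a real delete: drop the directory entry and mark the clusters
        free.  Nothing on the medium is overwritten."""
        for c in self.directory.pop(name):
            self.table[c] = FREE

    def logical_copy(self) -> dict[str, bytes]:
        """Active data: what the OS lists and what an ordinary copy yields.
        Trailing NUL padding is stripped (the sample files do not end in NUL)."""
        return {name: b"".join(self._cluster(c) for c in chain).rstrip(b"\x00")
                for name, chain in self.directory.items()}

    def unallocated(self) -> bytes:
        """Latent data: contents of the clusters the table says are free."""
        return b"".join(self._cluster(c)
                        for c, v in enumerate(self.table) if v == FREE)

    def bitstream_image(self) -> bytes:
        """Forensic image: every byte of the medium, allocated or not."""
        return bytes(self.disk)


def build_scenario() -> ToyVolume:
    """Write two files, delete one, then write a small file that reuses only
    the first cluster of the deleted file (a partial overwrite)."""
    vol = ToyVolume(clusters=8)
    vol.write("memo.txt", b"meeting at noon, bring the ledger")  # 33 B, 5 clusters
    vol.write("todo.txt", b"buy milk")                           # 8 B, 1 cluster
    vol.delete("memo.txt")                                       # user believes it is gone
    vol.write("x.txt", b"zz")                                    # reuses cluster 0 only
    return vol


def where_is_the_memo(vol: ToyVolume) -> tuple[bool, bool, bool]:
    """(listed by the OS?, present in unallocated space?, present in the image?)"""
    return ("memo.txt" in vol.logical_copy(),
            b"bring the ledger" in vol.unallocated(),
            b"bring the ledger" in vol.bitstream_image())


if __name__ == "__main__":
    v = build_scenario()
    print("active files:", sorted(v.logical_copy()))
    print("unallocated :", v.unallocated())
    print("memo (os, latent, image):", where_is_the_memo(v))
```

Only the cluster that the new file reused is lost; the rest of the deleted memo survives in free clusters until something else happens to be written there, which is the data persistence point above.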
82. Digital Evidence
Digital evidence is defined as any information of value in a court of law that is either stored or transmitted in a digital form.
It is information gathered from digital storage media, network information, or duplicate copies of data found during forensic investigations.
Digital evidence includes files such as:
• Graphic files, audio and video recording files
• Browser histories, cookies
• Server/system event, security and audit logs
• Word processing and spreadsheet files
• Email, Registry files, cellphone system data
• Firewall, router, and IDS log files
7
“I’ve seen things you people wouldn’t believe. Files deleted and wiped coming back to life. I watched hard drive heads... glitter in the dark of cleanrooms. All those... data will never be lost... in time, we can get it all back.” (Blade Runnerish).
85. Digital Evidence : Common Places
Office desktop computers/workstations
Network servers
Home computers/personal USB drives/CD-ROMs/DVDs/portable media devices
Laptops, netbooks
PDAs, tablets, audio players
Cell phones/smart phones/portable hot spots
Fax machines, photocopiers
Backup storage: system-wide backups (monthly/weekly/incremental), disaster recovery backups (stored off site), personal or “ad hoc” backups (look for CDs/DVDs, USB drives and other portable media), cloud storage accounts
93. Characteristics of Digital Evidence
Admissible: evidence must be relevant to the fact being proven and
must have been obtained and handled in a way that lets it be used
in court.
Authentic: evidence must be genuine and must be shown to relate to
the incident, i.e. it can be tied to the system, the time and the
events in question.
Complete: evidence must tell the whole story of the activity,
including what points away from a suspect, not only the part that
supports one theory.
Reliable: nothing about how the evidence was collected and handled
may cast doubt on its authenticity and veracity (truthfulness);
this is why media are imaged, hashed and tracked with a chain of
custody record.
Believable: evidence must be clear and understandable to the judges
in court, who are not specialists.
98. Digital Evidence : Volatile Data
Data that is lost when the machine is powered off, or that changes
while the system runs; it must be captured from the live system,
before the disk is imaged:
-system time
-logged-on user(s)
-open files
-network connections
-process information
-process-to-port mapping
-process memory
-network status
-clipboard contents
-service/driver information
-command history
-mapped drives, shares
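The following Python script is an added example, not code from the lecture, and it serves both this slide and the previous one on the characteristics of digital evidence. It collects the volatile artifacts listed above in order of volatility (most volatile first, following RFC 3227; the slide itself does not order them), and for every artifact it records the exact command, the collecting account, a UTC timestamp and a SHA-256 digest in a manifest. That manifest is the bookkeeping that later lets an analyst show the data is authentic (tied to this host and this moment) and reliable (unchanged since collection). The tool names (who, ss, ps, lsof, mount, ip) are assumptions for a Linux host; a tool missing from the host is logged and skipped rather than aborting the triage, and the output directory defaults to a temporary directory.

```python
"""Volatile-data triage with integrity records (added example, not from the lecture).

Collects the volatile artifacts named on the slide in order of volatility,
writes each to its own file, and records a SHA-256 digest, UTC timestamp,
collecting account and exact command in manifest.json. verify() re-hashes
everything so that later handling of the output can be checked.
Tool names are assumptions for a Linux host.
"""
import datetime as dt
import getpass
import hashlib
import json
import os
import platform
import shutil
import socket
import subprocess
import tempfile

# (label, argv), most volatile first. argv None = gathered in-process,
# so at least that artifact is collected on any host.
COLLECTION_PLAN = [
    ("system_time", None),
    ("logged_on_users", ["who", "-a"]),
    ("network_connections", ["ss", "-tunap"]),
    ("process_list", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("open_files", ["lsof", "-n", "-P"]),
    ("mapped_drives_shares", ["mount"]),
    ("network_status", ["ip", "addr"]),
]


def _collector():
    """Account running the triage; falls back to the uid in minimal containers."""
    try:
        return getpass.getuser()
    except Exception:
        return f"uid={os.getuid()}" if hasattr(os, "getuid") else "unknown"


def _in_process(label):
    """Artifacts taken from the interpreter itself (no external tool needed)."""
    if label == "system_time":
        now = dt.datetime.now(dt.timezone.utc)
        text = f"utc={now.isoformat()} local={dt.datetime.now().isoformat()}"
        text += f" host={socket.gethostname()} os={platform.platform()}"
        return text.encode()
    raise ValueError(label)


def _run(argv, timeout=30):
    """Run one tool, returning (status, output bytes). Never raises."""
    if shutil.which(argv[0]) is None:
        return "skipped: tool not found", b""
    try:
        cp = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "error: timeout", b""
    status = "ok" if cp.returncode == 0 else f"error: exit {cp.returncode}"
    return status, cp.stdout + cp.stderr


def _digest_entries(entries):
    """Digest over the artifact records, so the manifest itself is checkable."""
    return hashlib.sha256(json.dumps(entries, sort_keys=True).encode()).hexdigest()


def collect(out_dir=None, plan=COLLECTION_PLAN):
    """Collect every artifact in plan order, write manifest.json, return the manifest."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="volatile_")
    manifest = {
        "host": socket.gethostname(),
        "collector": _collector(),
        "started_utc": dt.datetime.now(dt.timezone.utc).isoformat(),
        "out_dir": out_dir,
        "artifacts": [],
    }
    for index, (label, argv) in enumerate(plan):
        status, data = ("ok", _in_process(label)) if argv is None else _run(argv)
        entry = {
            "label": label,
            "command": " ".join(argv) if argv else "in-process",
            "status": status,
            "collected_utc": dt.datetime.now(dt.timezone.utc).isoformat(),
        }
        if not status.startswith("skipped"):
            path = os.path.join(out_dir, f"{index:02d}_{label}.txt")
            with open(path, "wb") as fh:
                fh.write(data)
            entry.update(path=path, size=len(data),
                         sha256=hashlib.sha256(data).hexdigest())
        manifest["artifacts"].append(entry)
    manifest["manifest_sha256"] = _digest_entries(manifest["artifacts"])
    with open(os.path.join(out_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify(out_dir):
    """Re-hash every stored artifact against the manifest; False on any mismatch."""
    with open(os.path.join(out_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    if _digest_entries(manifest["artifacts"]) != manifest["manifest_sha256"]:
        return False
    for entry in manifest["artifacts"]:
        if "path" not in entry:
            continue
        with open(entry["path"], "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != entry["sha256"]:
                return False
    return True


if __name__ == "__main__":
    m = collect()
    for e in m["artifacts"]:
        print(f'{e["label"]:22} {e["status"]:24} {e.get("sha256", "")[:16]}')
    print("manifest verifies:", verify(m["out_dir"]))
```

Run it as root on the live host, from a known-good copy of the tools where possible, and keep the output on separate media; every command run changes the system (new process, new log lines, memory allocated), which is why the manifest records exactly what was run and when.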