Lecture #28: Digital Forensics-Part II
Dr.Ramchandra Mangrulkar
September 30, 2020
Dr.Ramchandra Mangrulkar Lecture #28: Digital Forensics-Part II September 30, 2020 1 / 30
Forensics, Forensic science & Forensic scientists
Forensics derives from forensic medicine
-autopsy examination
Forensic science, also known as criminalistics,
-is the application of science to criminal and civil laws,
-mainly on the criminal side
-during criminal investigation,
-as governed by the legal standards of admissible evidence and
criminal procedure [1]
Forensic scientists
-collect,
-preserve,
-and analyze
-scientific evidence during the course of an investigation.
[1] https://en.wikipedia.org/wiki/Forensic_science
Milestones in Computer Forensics
1970 -First crime cases involving computers, mainly financial fraud
1980
-Financial investigators and courts realize that in some cases all the records and evidence were only on computers.
-Norton Utilities “Un-erase” tool created
-Association of Certified Fraud Examiners began to seek training in what became computer forensics
-SEARCH High Tech Crimes training created
-Regular classes began to be taught to Federal agents in California and at FLETC in Georgia
-HTCIA formed in Southern California
1984 -FBI Magnetic Media Program created. It later became the Computer Analysis and Response Team (CART)
1987 -AccessData, a cyber forensics company, formed
1988 -Creation of IACIS, the International Association of Computer Investigative Specialists
-First Seized Computer Evidence Recovery Specialists (SCERS) classes held
1993 -First International Conference on Computer Evidence held
1995 -International Organization on Computer Evidence (IOCE) formed
1997 -The G8 countries in Moscow declared that “Law enforcement personnel must be trained and equipped to address high-tech crimes”.
1998 -INTERPOL Forensic Science Symposium
1999 -FBI CART case load exceeds 2000 cases, examining 17 terabytes of data
2000 -First FBI Regional Computer Forensic Laboratory established
2003 -FBI CART case load exceeds 6500 cases, examining 782 terabytes of data
Digital Forensics Market Size by Components
-The global digital forensics market size was valued at USD 1.72 billion in 2018 and is expected to expand at a CAGR of 12.3% over the forecast period.
https://www.grandviewresearch.com/industry-analysis/digital-forensics-market
Serious Fraud Investigation Office, Government of India
The Naresh Chandra Committee, inter alia, recommended setting up a Corporate Serious Fraud Office.
https://sfio.nic.in/
Cyber Forensics in India
http://www.cyberforensics.in
Objectives of Digital Forensics
-To recover, analyze, and preserve computer and related materials so that the investigating agency can present them as evidence in a court of law.
-To help postulate the motive behind the crime and the identity of the main culprit.
-To identify the evidence quickly, so that the potential impact of the malicious activity on the victim can be estimated.
-To produce a computer forensic report on the investigation process.
-To preserve the evidence by following the chain of custody.
Digital Forensics Process
The process of digital forensics can be broken down into three
categories of activity: acquisition, analysis, and presentation.
Digital Forensics Process: Acquisition
-Acquisition refers to the collection of digital media to be examined.
-The media can be physical hard drives, optical media, storage cards from digital cameras, mobile phones, chips from embedded devices, or even single document files.
-It involves creating a duplicate of the original media (the working copy) as well as maintaining good records of all actions taken with any original media.
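The acquisition step above as an added Python example (not code from the lecture): a byte-for-byte working copy is made from a read-only original, both sides are hashed, and every action goes into an append-only custody log that later verification is checked against. The file names, examiner names and the JSON-lines log layout are assumptions made for illustration.

```python
"""Acquisition with a verified working copy and a chain-of-custody log.

Added example, not part of the lecture. File names, the JSON-lines log layout
and the examiner names are assumptions made for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so images larger than RAM still work


def sha256_file(path):
    """Hash a file in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _log(custody_log, record):
    """Append one custody record; the log is append-only by convention."""
    record["timestamp"] = datetime.now(timezone.utc).isoformat()
    with open(custody_log, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def acquire(source, working_copy, custody_log, examiner, note=""):
    """Duplicate `source` byte for byte into `working_copy` and record the action.

    The original is only ever opened read-only. The copy is re-read and hashed
    independently after writing, so a write error is detected rather than
    assumed away, and both hashes go into the log for later verification.
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as fin, open(working_copy, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            src_hash.update(block)
            fout.write(block)
    record = {
        "action": "acquire",
        "examiner": examiner,
        "source": os.path.abspath(source),
        "working_copy": os.path.abspath(working_copy),
        "size": os.path.getsize(source),
        "sha256_source": src_hash.hexdigest(),
        "sha256_copy": sha256_file(working_copy),
        "note": note,
    }
    record["verified"] = record["sha256_source"] == record["sha256_copy"]
    return _log(custody_log, record)


def verify(working_copy, custody_log, examiner):
    """Re-hash the working copy against its logged acquisition hash; log the check."""
    target = os.path.abspath(working_copy)
    with open(custody_log) as log:
        records = [json.loads(line) for line in log if line.strip()]
    acquired = [r for r in records
                if r["action"] == "acquire" and r["working_copy"] == target]
    if not acquired:
        raise ValueError("no acquisition record for %s" % target)
    expected = acquired[-1]["sha256_copy"]
    actual = sha256_file(target)
    ok = actual == expected
    _log(custody_log, {"action": "verify", "examiner": examiner,
                       "working_copy": target, "expected": expected,
                       "actual": actual, "ok": ok})
    return ok


def demo():
    """Acquire a constructed sample image, verify it, then show a change being caught."""
    tmp = tempfile.mkdtemp()
    try:
        original = os.path.join(tmp, "evidence.dd")
        with open(original, "wb") as f:  # constructed sample media, not real evidence
            f.write(b"\x00" * 4096 + b"CONSTRUCTED-SAMPLE-DATA" + os.urandom(1024))
        copy = os.path.join(tmp, "evidence-working.dd")
        log = os.path.join(tmp, "custody.jsonl")
        rec = acquire(original, copy, log, examiner="Examiner A", note="bench 1")
        intact = verify(copy, log, examiner="Examiner B")
        with open(copy, "r+b") as f:  # simulate a modified working copy
            f.seek(4096)
            f.write(b"X")
        after_change = verify(copy, log, examiner="Examiner B")
        return rec["verified"], intact, after_change
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The second verify fails and that failure is itself logged, which is the point of the record-keeping: the log shows not only what was done but when the copy stopped matching the original.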
Digital Evidence
(Figure omitted; source [3])
[3] https://www.latestlaws.com/articles/electronic-evidence-under-indian-evidence-act-1872-by-roopali-lamba
Digital Forensics Process: Analysis
-Analysis refers to the actual media examination: the “identification, analysis, and interpretation” items from the DFRWS 2001 definition [4].
-Identification consists of locating the items present in the media in question.
-Analysis can be file system analysis, file content examination, log analysis, statistical analysis, etc.
-Interpretation: the examiner interprets the results of the analysis based on the examiner’s training, expertise, experimentation, and experience.
[4] https://dfrws.org/
Digital Forensics Labs
(Figures omitted; sources [5], [6])
[5] www.google.com
[6] Scientific Working Group on Digital Evidence http://www.swgde.org
Digital Forensics Process: Presentation
-Presentation refers to the process by which the examiner shares the results of the analysis phase.
-This consists of generating a report of the actions taken by the examiner, the artifacts uncovered, and the meaning of those artifacts.
-The presentation phase can also include the examiner defending these findings under challenge.
Key Technical Terms: Bits, Bytes, and Numbering Schemes
Intimate knowledge of the inner workings of a computer is critical for the digital forensics practitioner.
Key Technical Terms: File Carving
-Examiners must look at the data at the “bit” and “byte” level to find, extract, and interpret the evidence.
-This is most evident in a process called file carving. File carving is done to locate and mine out files from amorphous blobs of data, like the unallocated space (also known as drive-free space).
-The first step is to identify the potential file. The file is identified by its header, if it has one.
-Next, identify the footer; a contiguous file can then be extracted by a simple copy of the bytes from header to footer.
-A fragmented file is far more difficult to recover (Casey, 2011).
-The ability to interpret binary and hex makes file carving possible.
Dr.Ramchandra Mangrulkar Lecture #28: Digital Forensics-Part II September 30, 2020 15 / 30
Key Technical Terms: File Extensions and File
Signature Analysis
Files are strings or sequences of bits and bytes.
Windows and most desktop operating systems identify the file type by
the file extension (.jpg, .docx) and open it with whatever
application is configured for that extension.
The file extension is very easily changed: renaming secret.jpg to
secret.dll hides a picture from a casual search.
Forensic tools identify files based on the header (the file
signature), not the file extension.
Comparing the header with the extension and separating out those
files whose header does not match the extension is known as file
signature analysis; a mismatch is a common sign that someone tried
to hide a file.
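The two carving steps of the previous slide (find a header, find the matching footer, copy everything between them) and the signature-versus-extension comparison described above, as an added Python example that is not part of the original lecture. The signature table is an assumed subset of what real carving tools (scalpel, foremost, PhotoRec) ship, `demo_blob()` is a constructed stand-in for unallocated space, and in real work this runs over a read-only forensic image, never the original media.

```python
"""Header/footer file carving and file-signature analysis.

Added example for the lecture; not the lecturer's code. The signature
table is an assumed subset, the blob below is constructed, and in real
work this runs over a read-only forensic image, never the original media.
"""
from __future__ import annotations

import os

# Magic bytes at offset 0 and, where the format defines one, the trailer.
# Assumed subset: real carvers ship hundreds of signatures.
SIGNATURES: dict[str, dict[str, bytes | None]] = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9"},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xaeB`\x82"},
    "gif": {"header": b"GIF8", "footer": b"\x00;"},       # GIF87a / GIF89a
    "pdf": {"header": b"%PDF-", "footer": b"%%EOF"},
    "zip": {"header": b"PK\x03\x04", "footer": None},      # also docx/xlsx/jar
}
# Extensions that legitimately carry another signature's container.
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip",
                     "pptx": "zip", "jar": "zip"}


def identify(data: bytes) -> str | None:
    """Type whose header matches the start of data, or None if unknown."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig["header"]):
            return name
    return None


def carve(blob: bytes, max_size: int = 10 * 1024 * 1024) -> list[tuple[int, str, bytes]]:
    """Carve contiguous files out of an unstructured blob.

    Walks the blob looking for the next known header, then cuts at the
    format's footer (or, when the format has none or the footer is
    missing, at the next header or max_size). Returns (offset, type,
    bytes). Fragmented files come out truncated or mixed with other
    data: header/footer carving cannot reassemble them.
    """
    found: list[tuple[int, str, bytes]] = []
    pos = 0
    while pos < len(blob):
        hits = [(blob.find(sig["header"], pos), name)
                for name, sig in SIGNATURES.items()]
        hits = [(off, name) for off, name in hits if off != -1]
        if not hits:
            break
        start, ftype = min(hits)              # earliest header wins
        header, footer = SIGNATURES[ftype]["header"], SIGNATURES[ftype]["footer"]
        limit = min(len(blob), start + max_size)
        end = -1
        if footer is not None:
            # Search past the header so a footer inside it is not matched.
            # Caveat: a JPEG's embedded EXIF thumbnail ends with FFD9 too,
            # so this naive cut can truncate such files.
            f = blob.find(footer, start + len(header), limit)
            if f != -1:
                end = f + len(footer)
        if end == -1:
            nxt = [blob.find(sig["header"], start + 1, limit)
                   for sig in SIGNATURES.values()]
            nxt = [off for off in nxt if off != -1]
            end = min(nxt) if nxt else limit
        found.append((start, ftype, blob[start:end]))
        pos = end
    return found


def signature_mismatch(filename: str, data: bytes) -> bool:
    """File-signature analysis for one file: does the header contradict
    the extension? A known extension with no matching header, or an
    unknown extension on data whose header we do recognise, is flagged."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = EXTENSION_ALIASES.get(ext, ext)
    actual = identify(data)
    if ext in SIGNATURES:
        return actual != ext
    return actual is not None          # e.g. a PDF renamed to notes.txt


def demo_blob() -> bytes:
    """Constructed stand-in for unallocated space: junk, a minimal
    JPEG-shaped file, more junk, a minimal PDF-shaped file."""
    return (b"\x00" * 16
            + b"\xff\xd8\xff\xe0" + b"JFIF-body" + b"\xff\xd9"
            + b"\x11" * 8
            + b"%PDF-1.4 obj" + b"%%EOF"
            + b"\xee" * 4)


if __name__ == "__main__":
    for off, ftype, data in carve(demo_blob()):
        print(f"offset {off:6d}  type {ftype:4s}  {len(data):5d} bytes")
    for name, data in [("photo.jpg", b"\xff\xd8\xff\xe0..."),
                       ("notes.txt", b"%PDF-1.7 ...")]:
        print(name, "MISMATCH" if signature_mismatch(name, data) else "ok")
```

Run it against a real image by replacing `demo_blob()` with the bytes of an unallocated-space export; the offsets it reports are what an examiner records alongside the carved file and its hash. Note that `signature_mismatch` only judges what the table covers, so an unknown extension on unknown data is reported as fine, not as suspicious.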
File Signature Analysis (slides 17 and 18: figures not reproduced)
Key Technical Terms: Storage and Memory
Data are generally stored in three different ways: magnetically
(hard disk platters, tape), in microscopic electrical transistors
(flash: SSDs, USB sticks, memory cards), and as reflected light
(CDs, DVDs, etc.).
Volatile versus Nonvolatile Memory
Nonvolatile storage keeps its contents without power; volatile
memory (RAM) loses them as soon as the machine is powered off.
Some instant messaging applications, for example, don’t write to
the hard drive unless the logging feature is turned on. AOL
Instant Messenger and MSN fall into that category.
So, if logging is off (which it is by default), the only evidence
will be found in RAM while the machine is running, and it must be
captured before the machine is shut down.
Key Technical Terms: Computing Environments
Not all computing “environments” are created equal.
These disparities will have a significant impact on your collection
process: where you look for data, the tools you will use, and the
level of complexity required.
A stand-alone computer is one that is not connected to another
computer; all of its evidence is on the machine in front of you.
A networked computer is connected to at least one other
computer and potentially many others, so evidence may also sit on
file servers, mail servers, and in the logs of network devices.
A mainframe system centralizes all of the computing power in
one location. Processors, storage, and applications can all be
located and controlled from a single location.
Cloud computing (IaaS, PaaS, SaaS): the hardware, and often the
data, sit with the provider, so collection depends on what the
provider exposes (logs, snapshots, API exports) and on legal
process rather than on seizing a machine.
Key Technical Terms: Data Types
Data can be lumped into three broad categories: active, latent,
and archival.
Active Data
-Active data are the data that we use every day on our
computers. The operating system “sees” and tracks these files.
-These are the files that reside in the allocated space of the drive.
-These data can be acquired with standard forensic cloning
techniques.
Latent Data
-Data that have been deleted or partially overwritten are classified
as latent.
-They are no longer tracked by the operating system and are
therefore “invisible” to the average user.
-A bit-stream (forensic) image, which copies every sector including
unallocated space, is required to collect these data; a logical
copy of the visible files misses them.
Key Technical Terms: Data Types
Archival Data
-Archival data are backups: external hard drives, DVDs, and
backup tapes.
-Acquisition of archival data can range from simple to extremely
complex.
-The type and age of the backup media are major factors in
determining the complexity of the process.
Backup tapes may have been made with software or hardware that is
no longer in production. Those same tools will be needed to restore
the data into a form that can be understood and manipulated.
It could be that an older version of the software is no longer
available or that the company is no longer in business. Data in
this situation are known as legacy data.
Key Technical Terms: File Systems
The file system tracks the drive’s free space as well as the
location of each file.
The free space, also known as unallocated space, is either empty
or holds the remains of a file that previously occupied that
location and has since been deleted.
File Allocation Table (FAT) is the oldest of the common file
systems. It comes in four flavors: FAT12, FAT16, FAT32, and
FATX (the Xbox variant); exFAT is the modern successor used on
large flash media.
The New Technology File System (NTFS) is the system used by
Windows XP, Vista, 7 and later desktop releases, and by Windows
Server. (Journaling for automatic recovery, file-level encryption
with EFS, access control lists, alternate data streams.)
Hierarchical File System Plus (HFS+), Apple’s older file system:
larger disk capacity, cross-platform compatibility, and
international-friendly (Unicode) file names.
Apple File System (APFS) is a proprietary file system for macOS
High Sierra (10.13) and later, and iOS 10.3 and later.
Feed your Head : Exercise 1
The date is 21 December 2012. During a forensic examination
you locate several files. Along with the files you can see the size
of each file and its type. Digging deeper, you also notice the
date those files were created and the last time each file was
opened or modified. Look at each of the following files and see if
any file looks suspicious.
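The kind of checks the exercise asks you to make by eye, as an added Python example that is not part of the original lecture. The listing on the original slide is an image not reproduced here, so `SAMPLE_LISTING` is constructed; the examination date is the one the exercise states, and the heuristics (future timestamps, modified-before-created, type/extension disagreement, zero-length files) are general ones, not a key to the exercise.

```python
"""Sanity checks over a file listing: type versus extension, and timestamps.

Added example for Exercise 1; not the lecturer's code. The listing on the
original slide is an image not reproduced here, so SAMPLE_LISTING below is
constructed. The examination date is the one the exercise states.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from datetime import datetime

EXAM_DATE = datetime(2012, 12, 21)


@dataclass
class Entry:
    name: str
    size: int
    ftype: str           # type as the forensic tool reports it (from the header)
    created: datetime
    modified: datetime   # last modified / last opened, as in the exercise


def reasons_to_look_closer(e: Entry) -> list[str]:
    """Return the anomalies found in one listing entry (empty if none)."""
    reasons: list[str] = []
    ext = os.path.splitext(e.name)[1].lower().lstrip(".")
    if e.created > EXAM_DATE or e.modified > EXAM_DATE:
        reasons.append("timestamp is in the future relative to the examination date")
    if e.modified < e.created:
        # Common and often innocent on Windows (a copied file keeps the
        # source's modified time but gets a new creation time), but it is
        # also what timestomping tools leave behind, so it is worth a look.
        reasons.append("modified before created")
    if ext and e.ftype.lower() != ext:
        reasons.append(f"extension .{ext} does not match detected type {e.ftype}")
    if e.size == 0:
        reasons.append("zero-length file")
    return reasons


def review(listing: list[Entry]) -> dict[str, list[str]]:
    """Map each suspicious file name to its list of reasons."""
    return {e.name: r for e in listing if (r := reasons_to_look_closer(e))}


SAMPLE_LISTING = [  # constructed entries, not the slide's listing
    Entry("budget.xlsx", 48_213, "xlsx", datetime(2012, 3, 4), datetime(2012, 3, 10)),
    Entry("holiday.jpg", 2_100_000, "zip", datetime(2012, 6, 1), datetime(2012, 6, 1)),
    Entry("notes.txt", 1_024, "txt", datetime(2013, 1, 15), datetime(2013, 1, 15)),
    Entry("memo.doc", 30_720, "doc", datetime(2012, 11, 20), datetime(2011, 2, 2)),
]

if __name__ == "__main__":
    for name, why in review(SAMPLE_LISTING).items():
        print(name)
        for w in why:
            print("   -", w)
```

Each flag is a reason to look closer, not a conclusion: a clock that was wrong when the file was written produces the same “future” timestamp as deliberate tampering, and the other timestamps on the drive (event logs, neighbouring files) are what settle it.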
Key Technical Terms: Allocated and Unallocated
Space
Allocated space holds the files the file system is tracking;
unallocated space is everything the file system currently marks
as free. Windows can’t see data in unallocated space: to the
operating system, the remains of files located there are
essentially invisible, but a forensic image captures them.
It’s important, however, to understand that “not used” does not
always mean “empty.”
Host Protected Areas (HPAs) and Device Configuration Overlays
(DCOs) refer to hidden areas on a hard drive.
Created by manufacturers, they can be “accessed, modified, and
written to by end users using specific open source and freely
available tools, allowing data to be stored and/or hidden in these
areas.” Because the drive reports a smaller capacity while an HPA
or DCO is set, check for them before imaging (on Linux, hdparm -N
and hdparm --dco-identify report the native and the configured
maximum sectors) so that the image covers the whole disk.
Data Persistence: With the massive amount of storage space
available on today’s hard drives, a deleted file stands a good
chance of never being overwritten. (On SSDs, TRIM and garbage
collection erase freed blocks much sooner, so far less persists.)
Digital Evidence
Digital evidence is defined as any information of value in a court
of law that is either stored or transmitted in a digital form.
It is information gathered from digital storage media, from the
network, or from duplicate copies of data found during forensic
investigations.
Digital evidence includes files such as:
• Graphic files, audio and video recording files
• Browser histories, cookies
• Server/system event, security and audit logs
• Word processing and spreadsheet files
• Email, Registry files, cellphone system data
• Firewall, router, and IDS log files
7
“I’ve seen things you people wouldn’t believe. Files deleted and wiped
coming back to life. I watched hard drive heads... glitter in the dark of
cleanrooms. All those... data will never be lost... in time, we can get it all
back.” (Blade Runner-ish).
Digital Evidence : Common Places
Office desktop computers/workstations
Network servers
Home computers/personal USB drives/CD-ROMs/DVDs/portable
media devices
Laptops, netbooks
PDAs, tablets, audio players
Cell phones/smart phones/portable hot spots
Fax machines, photocopiers (many keep an internal drive of
scanned and printed pages)
Backup storage: system-wide backups
(monthly/weekly/incremental), disaster recovery backups
(stored off site), personal or “ad hoc” backups (look for
CDs/DVDs, USB drives and other portable media), cloud
storage accounts
Characteristics of Digital Evidence
Admissible: evidence must be related to the fact being proven.
Authentic: evidence must be real and related to the incident in a
proper way.
Complete: evidence must prove the entirety of the activity.
Reliable: evidence must have proven authenticity and veracity
(truthfulness).
Believable: evidence must be clear and understandable by the
judges in court.
Dr.Ramchandra Mangrulkar Lecture #28: Digital Forensics-Part II September 30, 2020 29 / 30
Digital Evidence : Volatile Data
• system time
• logged-on user(s)
• open files
• network connections
• process information
• process-to-port mapping
• process memory
• network status
• clipboard contents
• service/driver information
• command history
• mapped drives, shares
Dr.Ramchandra Mangrulkar Lecture #28: Digital Forensics-Part II September 30, 2020 30 / 30
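The hash-chained capture log below is an added example, not part of the lecture slides: it records each volatile artifact from the list above in a fixed order and hashes both the captured data and the log entry itself, which is how a collection is made to meet the Reliable and Authentic characteristics from the previous slide. The capture order (the slide's own listing), the case id, the examiner name, the tool names and the sample command output are constructed assumptions.

```python
"""Hash-chained manifest for volatile-evidence capture (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# Capture order for the artifact classes the slide lists. Using the slide's own
# listing as the capture order is an assumption of this example; what matters is
# that the order is fixed before collection starts and enforced while it runs.
COLLECTION_ORDER = [
    "system_time", "logged_on_users", "open_files", "network_connections",
    "process_information", "process_to_port_mapping", "process_memory",
    "network_status", "clipboard_contents", "service_driver_information",
    "command_history", "mapped_drives_shares",
]

GENESIS = "0" * 64  # prev_entry_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    # Canonical JSON of every field except entry_hash itself; because each
    # entry carries its predecessor's hash, the log is a tamper-evident chain.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CollectionManifest:
    """One entry per capture: what was taken, when, with what, and its hash."""

    def __init__(self, case_id: str, examiner: str):
        self.case_id = case_id
        self.examiner = examiner
        self.entries: list[dict] = []

    def record(self, artifact_class: str, data: bytes, tool: str,
               captured_at: str = "") -> dict:
        if artifact_class not in COLLECTION_ORDER:
            raise ValueError(f"unknown artifact class: {artifact_class}")
        if self.entries:
            last = self.entries[-1]["artifact_class"]
            if COLLECTION_ORDER.index(artifact_class) < COLLECTION_ORDER.index(last):
                raise ValueError(f"{artifact_class} captured out of order after {last}")
        entry = {
            "seq": len(self.entries) + 1,
            "case_id": self.case_id,
            "artifact_class": artifact_class,
            "tool": tool,
            "examiner": self.examiner,
            "captured_at": captured_at or datetime.now(timezone.utc).isoformat(),
            "size": len(data),
            "sha256": sha256_hex(data),
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry


def verify_manifest(entries: list, artifacts: dict) -> list:
    """Re-hash the preserved artifacts (keyed by seq) and re-walk the chain.
    Returns a list of problems; empty means manifest and artifacts agree."""
    # The final entry_hash must be recorded out of band (e.g. in the examiner's
    # signed notes), otherwise a whole re-generated chain would also verify.
    problems = []
    prev = GENESIS
    for i, entry in enumerate(entries, start=1):
        label = entry.get("artifact_class", f"entry {i}")
        if entry.get("seq") != i:
            problems.append(f"{label}: sequence gap (expected {i})")
        if entry.get("prev_entry_hash") != prev:
            problems.append(f"{label}: chain break")
        if entry_hash(entry) != entry.get("entry_hash"):
            problems.append(f"{label}: entry modified")
        data = artifacts.get(i)
        if data is None:
            problems.append(f"{label}: artifact missing")
        elif sha256_hex(data) != entry.get("sha256"):
            problems.append(f"{label}: artifact hash mismatch")
        prev = entry.get("entry_hash")
    return problems


# Constructed sample captures (class, tool, output); not real system output,
# and "memdump" is a hypothetical tool name.
SAMPLE_CAPTURES = [
    ("system_time", "date -u", b"Wed Sep 30 10:15:02 UTC 2020\n"),
    ("logged_on_users", "who", b"analyst  pts/0  2020-09-30 09:58\n"),
    ("network_connections", "netstat -an",
     b"tcp  0  0 10.0.0.5:49152  10.0.0.9:443  ESTABLISHED\n"),
    ("process_information", "ps aux",
     b"root      1  0.0  0.1 init\nuser   4242  1.2  3.4 updater\n"),
    ("process_memory", "memdump 4242", b"\x4d\x5a\x90\x00" * 4),
]


def build_sample_manifest():
    """Record the constructed captures; returns (manifest, {seq: bytes})."""
    manifest = CollectionManifest(case_id="CASE-EXAMPLE-001", examiner="analyst")
    artifacts = {}
    for artifact_class, tool, output in SAMPLE_CAPTURES:
        entry = manifest.record(artifact_class, output, tool)
        artifacts[entry["seq"]] = output
    return manifest, artifacts
```

Run `verify_manifest` again at analysis time over the preserved captures: an altered or missing artifact, an edited log entry, or a re-hashed entry that breaks the chain each produce a distinct problem line.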

More Related Content

What's hot

Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeAung Thu Rha Hein
 
Cyber forensic standard operating procedures
Cyber forensic standard operating proceduresCyber forensic standard operating procedures
Cyber forensic standard operating proceduresSoumen Debgupta
 
Privacidad: La Tensión entre las Capacidades Tecnológicas y las Expectativas ...
Privacidad: La Tensión entre las Capacidades Tecnológicas y las Expectativas ...Privacidad: La Tensión entre las Capacidades Tecnológicas y las Expectativas ...
Privacidad: La Tensión entre las Capacidades Tecnológicas y las Expectativas ...Facultad de Informática UCM
 
Session # 9 Nanji Himss10 Presentation Sent To Himss Revised And Final
Session # 9 Nanji   Himss10 Presentation   Sent To Himss   Revised And FinalSession # 9 Nanji   Himss10 Presentation   Sent To Himss   Revised And Final
Session # 9 Nanji Himss10 Presentation Sent To Himss Revised And FinalFeisal Nanji
 
Network and computer forensics
Network and computer forensicsNetwork and computer forensics
Network and computer forensicsJohnson Ubah
 

What's hot (6)

Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
 
Digital Forensic
Digital ForensicDigital Forensic
Digital Forensic
 
Cyber forensic standard operating procedures
Cyber forensic standard operating proceduresCyber forensic standard operating procedures
Cyber forensic standard operating procedures
 
Privacidad: La Tensión entre las Capacidades Tecnológicas y las Expectativas ...
Privacidad: La Tensión entre las Capacidades Tecnológicas y las Expectativas ...Privacidad: La Tensión entre las Capacidades Tecnológicas y las Expectativas ...
Privacidad: La Tensión entre las Capacidades Tecnológicas y las Expectativas ...
 
Session # 9 Nanji Himss10 Presentation Sent To Himss Revised And Final
Session # 9 Nanji   Himss10 Presentation   Sent To Himss   Revised And FinalSession # 9 Nanji   Himss10 Presentation   Sent To Himss   Revised And Final
Session # 9 Nanji Himss10 Presentation Sent To Himss Revised And Final
 
Network and computer forensics
Network and computer forensicsNetwork and computer forensics
Network and computer forensics
 

Similar to LEcture #28-#30

Computer forensics and Investigation
Computer forensics and InvestigationComputer forensics and Investigation
Computer forensics and InvestigationNeha Raju k
 
Alex Haw Lecture - 090130 - Edinburgh School of Architecture - Vigilant Urban...
Alex Haw Lecture - 090130 - Edinburgh School of Architecture - Vigilant Urban...Alex Haw Lecture - 090130 - Edinburgh School of Architecture - Vigilant Urban...
Alex Haw Lecture - 090130 - Edinburgh School of Architecture - Vigilant Urban...Atmos
 
sakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.pptsakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.pptSakshiAlex
 
Computer_forensics_ppt.ppt
Computer_forensics_ppt.pptComputer_forensics_ppt.ppt
Computer_forensics_ppt.pptGnanavi2
 
computer forensics
computer forensicscomputer forensics
computer forensicsshivi123456
 
Alex Haw Lecture - 081101 - Kiss: Castlefield Gallery, Manchester - Surveying...
Alex Haw Lecture - 081101 - Kiss: Castlefield Gallery, Manchester - Surveying...Alex Haw Lecture - 081101 - Kiss: Castlefield Gallery, Manchester - Surveying...
Alex Haw Lecture - 081101 - Kiss: Castlefield Gallery, Manchester - Surveying...Atmos
 
UN/ITU - Organisational Structures and Incident Management - Cybersecurity
UN/ITU - Organisational Structures and Incident Management - CybersecurityUN/ITU - Organisational Structures and Incident Management - Cybersecurity
UN/ITU - Organisational Structures and Incident Management - CybersecurityDr David Probert
 
Law Enforcement Role In Computing
Law Enforcement Role In ComputingLaw Enforcement Role In Computing
Law Enforcement Role In ComputingCTIN
 
Computer forensics 1
Computer forensics 1Computer forensics 1
Computer forensics 1Jinalkakadiya
 
P.D.F System Forensics, Investigation, and Response ^Full.Pages By Chuck Easttom
P.D.F System Forensics, Investigation, and Response ^Full.Pages By Chuck EasttomP.D.F System Forensics, Investigation, and Response ^Full.Pages By Chuck Easttom
P.D.F System Forensics, Investigation, and Response ^Full.Pages By Chuck Easttomsotometia
 
01 computer%20 forensics%20in%20todays%20world
01 computer%20 forensics%20in%20todays%20world01 computer%20 forensics%20in%20todays%20world
01 computer%20 forensics%20in%20todays%20worldAqib Memon
 
Latihan2 comp-forensic
Latihan2 comp-forensicLatihan2 comp-forensic
Latihan2 comp-forensicsabtolinux
 
20170928 A (very short) introduction
20170928 A (very short) introduction20170928 A (very short) introduction
20170928 A (very short) introductionFederico Costantini
 

Similar to LEcture #28-#30 (20)

Computer forensics and Investigation
Computer forensics and InvestigationComputer forensics and Investigation
Computer forensics and Investigation
 
Alex Haw Lecture - 090130 - Edinburgh School of Architecture - Vigilant Urban...
Alex Haw Lecture - 090130 - Edinburgh School of Architecture - Vigilant Urban...Alex Haw Lecture - 090130 - Edinburgh School of Architecture - Vigilant Urban...
Alex Haw Lecture - 090130 - Edinburgh School of Architecture - Vigilant Urban...
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
 
sakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.pptsakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.ppt
 
3170725_Unit-1.pptx
3170725_Unit-1.pptx3170725_Unit-1.pptx
3170725_Unit-1.pptx
 
3170725_Unit-1.pptx
3170725_Unit-1.pptx3170725_Unit-1.pptx
3170725_Unit-1.pptx
 
Computer_forensics_ppt.ppt
Computer_forensics_ppt.pptComputer_forensics_ppt.ppt
Computer_forensics_ppt.ppt
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
Alex Haw Lecture - 081101 - Kiss: Castlefield Gallery, Manchester - Surveying...
Alex Haw Lecture - 081101 - Kiss: Castlefield Gallery, Manchester - Surveying...Alex Haw Lecture - 081101 - Kiss: Castlefield Gallery, Manchester - Surveying...
Alex Haw Lecture - 081101 - Kiss: Castlefield Gallery, Manchester - Surveying...
 
UN/ITU - Organisational Structures and Incident Management - Cybersecurity
UN/ITU - Organisational Structures and Incident Management - CybersecurityUN/ITU - Organisational Structures and Incident Management - Cybersecurity
UN/ITU - Organisational Structures and Incident Management - Cybersecurity
 
Law Enforcement Role In Computing
Law Enforcement Role In ComputingLaw Enforcement Role In Computing
Law Enforcement Role In Computing
 
Computer forensics 1
Computer forensics 1Computer forensics 1
Computer forensics 1
 
P.D.F System Forensics, Investigation, and Response ^Full.Pages By Chuck Easttom
P.D.F System Forensics, Investigation, and Response ^Full.Pages By Chuck EasttomP.D.F System Forensics, Investigation, and Response ^Full.Pages By Chuck Easttom
P.D.F System Forensics, Investigation, and Response ^Full.Pages By Chuck Easttom
 
01 computer%20 forensics%20in%20todays%20world
01 computer%20 forensics%20in%20todays%20world01 computer%20 forensics%20in%20todays%20world
01 computer%20 forensics%20in%20todays%20world
 
CHFI.pdf
CHFI.pdfCHFI.pdf
CHFI.pdf
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Week1_2.ppt
Week1_2.pptWeek1_2.ppt
Week1_2.ppt
 
Chap 2 computer forensics investigation
Chap 2  computer forensics investigationChap 2  computer forensics investigation
Chap 2 computer forensics investigation
 
Latihan2 comp-forensic
Latihan2 comp-forensicLatihan2 comp-forensic
Latihan2 comp-forensic
 
20170928 A (very short) introduction
20170928 A (very short) introduction20170928 A (very short) introduction
20170928 A (very short) introduction
 

More from Dr. Ramchandra Mangrulkar

Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)
Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)
Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)Dr. Ramchandra Mangrulkar
 
Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Dr. Ramchandra Mangrulkar
 
Lecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application SecurityLecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application SecurityDr. Ramchandra Mangrulkar
 
Lecture #15: Buffer Overflow Attack (Non Malicious Attack)
Lecture #15: Buffer Overflow Attack (Non Malicious Attack)Lecture #15: Buffer Overflow Attack (Non Malicious Attack)
Lecture #15: Buffer Overflow Attack (Non Malicious Attack)Dr. Ramchandra Mangrulkar
 
Lecture # 14: Salami and Linearization Attacks
Lecture # 14: Salami and Linearization Attacks Lecture # 14: Salami and Linearization Attacks
Lecture # 14: Salami and Linearization Attacks Dr. Ramchandra Mangrulkar
 
Lecture #12,#13 : Program and OS Security -Part I
Lecture #12,#13 : Program and OS Security -Part ILecture #12,#13 : Program and OS Security -Part I
Lecture #12,#13 : Program and OS Security -Part IDr. Ramchandra Mangrulkar
 
Lecture #9 : Single Sign on and Federation Identity Management
Lecture #9 :  Single Sign on and Federation Identity ManagementLecture #9 :  Single Sign on and Federation Identity Management
Lecture #9 : Single Sign on and Federation Identity ManagementDr. Ramchandra Mangrulkar
 
Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security
Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel SecurityLecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security
Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel SecurityDr. Ramchandra Mangrulkar
 
Lecture #7: Bell Lapdula and Biba Model of Multilevel Security
Lecture #7: Bell Lapdula and Biba Model of Multilevel SecurityLecture #7: Bell Lapdula and Biba Model of Multilevel Security
Lecture #7: Bell Lapdula and Biba Model of Multilevel SecurityDr. Ramchandra Mangrulkar
 

More from Dr. Ramchandra Mangrulkar (20)

Blockchain#2.pdf
Blockchain#2.pdfBlockchain#2.pdf
Blockchain#2.pdf
 
Blockchain#1.pdf
Blockchain#1.pdfBlockchain#1.pdf
Blockchain#1.pdf
 
Blockchain#3.pdf
Blockchain#3.pdfBlockchain#3.pdf
Blockchain#3.pdf
 
Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)
Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)
Manuscript Preparation using Latex: A Cloud Based Approach(Overleaf)
 
Lecture #32: Forensic Duplication
Lecture #32: Forensic DuplicationLecture #32: Forensic Duplication
Lecture #32: Forensic Duplication
 
Lecture #31 : Windows Forensics
Lecture #31 : Windows ForensicsLecture #31 : Windows Forensics
Lecture #31 : Windows Forensics
 
Lecture #25 : Oauth 2.0
Lecture #25 : Oauth 2.0Lecture #25 : Oauth 2.0
Lecture #25 : Oauth 2.0
 
Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)Lecture #24 : Cross Site Request Forgery (CSRF)
Lecture #24 : Cross Site Request Forgery (CSRF)
 
Lecture #22: Web Privacy & Security Breach
Lecture #22: Web Privacy & Security BreachLecture #22: Web Privacy & Security Breach
Lecture #22: Web Privacy & Security Breach
 
Lecture #22 : Web Privacy & Security Breach
Lecture #22 : Web Privacy & Security BreachLecture #22 : Web Privacy & Security Breach
Lecture #22 : Web Privacy & Security Breach
 
Lecture #21: HTTPS , SSL & TLS
Lecture #21: HTTPS , SSL & TLSLecture #21: HTTPS , SSL & TLS
Lecture #21: HTTPS , SSL & TLS
 
Lecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application SecurityLecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application Security
 
Lecture #15: Buffer Overflow Attack (Non Malicious Attack)
Lecture #15: Buffer Overflow Attack (Non Malicious Attack)Lecture #15: Buffer Overflow Attack (Non Malicious Attack)
Lecture #15: Buffer Overflow Attack (Non Malicious Attack)
 
Lecture # 14: Salami and Linearization Attacks
Lecture # 14: Salami and Linearization Attacks Lecture # 14: Salami and Linearization Attacks
Lecture # 14: Salami and Linearization Attacks
 
Lecture #12,#13 : Program and OS Security -Part I
Lecture #12,#13 : Program and OS Security -Part ILecture #12,#13 : Program and OS Security -Part I
Lecture #12,#13 : Program and OS Security -Part I
 
Lecture #9 : Single Sign on and Federation Identity Management
Lecture #9 :  Single Sign on and Federation Identity ManagementLecture #9 :  Single Sign on and Federation Identity Management
Lecture #9 : Single Sign on and Federation Identity Management
 
Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security
Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel SecurityLecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security
Lecture #8: Clark-Wilson & Chinese Wall Model for Multilevel Security
 
Lecture #6: Multilevel Security Models
Lecture #6: Multilevel Security ModelsLecture #6: Multilevel Security Models
Lecture #6: Multilevel Security Models
 
Lecture #7: Bell Lapdula and Biba Model of Multilevel Security
Lecture #7: Bell Lapdula and Biba Model of Multilevel SecurityLecture #7: Bell Lapdula and Biba Model of Multilevel Security
Lecture #7: Bell Lapdula and Biba Model of Multilevel Security
 
Lecture #4: Access Control Policies
Lecture #4: Access Control PoliciesLecture #4: Access Control Policies
Lecture #4: Access Control Policies
 

Recently uploaded

Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxPoojaBan
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxwendy cai
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSCAESB
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2RajaP95
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...asadnawaz62
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxKartikeyaDwivedi3
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and usesDevarapalliHaritha
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx959SahilShah
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 

Recently uploaded (20)

Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptx
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
GDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentationGDSC ASEB Gen AI study jams presentation
GDSC ASEB Gen AI study jams presentation
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
 
complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...complete construction, environmental and economics information of biomass com...
complete construction, environmental and economics information of biomass com...
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptx
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and uses
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 

LEcture #28-#30

  • 1. Lecture #28: Digital Forensics-Part II Dr.Ramchandra Mangrulkar September 30, 2020 Dr.Ramchandra Mangrulkar Lecture #28: Digital Forensics-Part II September 30, 2020 1 / 30
  • 2. Forensics, Forensic science & Forensic scientists Forensics derived from Forensics medicene -autopsy examination Forensic science, also known as criminalistics, -is the application of science to criminal and civil laws, -mainly on the criminal side -during criminal investigation, -as governed by the legal standards of admissible evidence and criminal procedure1 Forensic scientists -collect, -preserve, -and analyze -scientific evidence during the course of an investigation. 1 https://en.wikipedia.org/wiki/Forensic_science Dr.Ramchandra Mangrulkar Lecture #28: Digital Forensics-Part II September 30, 2020 2 / 30
  • 3. Forensics, Forensic science & Forensic scientists Forensics derived from Forensics medicene -autopsy examination Forensic science, also known as criminalistics, -is the application of science to criminal and civil laws, -mainly on the criminal side -during criminal investigation, -as governed by the legal standards of admissible evidence and criminal procedure1 Forensic scientists -collect, -preserve, -and analyze -scientific evidence during the course of an investigation. 1 https://en.wikipedia.org/wiki/Forensic_science Dr.Ramchandra Mangrulkar Lecture #28: Digital Forensics-Part II September 30, 2020 2 / 30
  • 4. Forensics, Forensic science & Forensic scientists Forensics derived from Forensics medicene -autopsy examination Forensic science, also known as criminalistics, -is the application of science to criminal and civil laws, -mainly on the criminal side -during criminal investigation, -as governed by the legal standards of admissible evidence and criminal procedure1 Forensic scientists -collect, -preserve, -and analyze -scientific evidence during the course of an investigation. 1 https://en.wikipedia.org/wiki/Forensic_science Dr.Ramchandra Mangrulkar Lecture #28: Digital Forensics-Part II September 30, 2020 2 / 30
  • 5. Milestones in Computer Forensics 1970 -First crimes cases involving computers, mainly financial fraud 1980 -Financial investigators and courts realize that in some cases all the records and evidences were only on computers. -Norton Utilities, “Un-erase” tool created Association of Certified Fraud Examiners began to seek training in what became computer forensics -SEARCH High Tech Crimes training created -Regular classes began to be taught to Federal agents in California and at FLETC in Georgia -HTCIA formed in Southern California 1984 -FBI Magnetic Media Program created. Later it become Computer Analysis and Response Team (CART) 1987 -Acces Data – Cyber Forensic Company formed 1988 - Creation of IACIS, the International Association of Computer Investigative Specialists -First Seized Computer Evidence Recovery Specialists (SCERS) classes held 1993 - First International Conference on Computer Evidence held 1995-International Organization on Computer Evidence (IOCE) formed 1997-The G8 countries in Moscow declared that “Law enforcement personnel must be trained and equipped to address high-tech crimes”. 1998 -INTERPOL Forensic Science Symposium 1999 -FBI CART case load exceeds 2000 cases, examining 17 terabytes of data 2000 -First FBI Regional Computer Forensic Laboratory established 2003 FBI CART case load exceeds 6500 cases, examining 782 terabytes of data Dr.Ramchandra Mangrulkar Lecture #28: Digital Forensics-Part II September 30, 2020 3 / 30
  • 17. Digital Forensics Market Size by Components
    The global digital forensics market size was valued at USD 1.72 billion in 2018 and is expected to expand at a CAGR of 12.3% over the forecast period.
    https://www.grandviewresearch.com/industry-analysis/digital-forensics-market
  • 18. Serious Fraud Investigation Office, Government of India
    The Naresh Chandra Committee inter alia recommended setting up a Corporate Serious Fraud Office.
    https://sfio.nic.in/
  • 19. Cyber Forensics in India
    http://www.cyberforensics.in
  • 20. Objectives of Digital Forensics
    - A process to recover, analyze, and preserve computer and related materials so that the investigating agency can present them as evidence in a court of law.
    - Helps to postulate the motive behind the crime and the identity of the main culprit.
    - Helps to identify the evidence quickly and to estimate the potential impact of the malicious activity on the victim.
    - Produces a computer forensic report on the investigation process.
    - Preserves the evidence by following the chain of custody.
  • 25. Digital Forensics Process
    The process of digital forensics can be broken down into three categories of activity: acquisition, analysis, and presentation.
  • 26. Digital Forensics Process: Acquisition
    - Acquisition refers to the collection of digital media to be examined.
    - The media may be physical hard drives, optical media, storage cards from digital cameras, mobile phones, chips from embedded devices, or even single document files.
    - It includes creating a duplicate of the original media (the working copy) as well as maintaining good records of all actions taken with any original media.
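    The duplicate-and-record step of acquisition, worked through in code. This is an added example, not code from the lecture or from any forensic tool: it images a constructed in-memory buffer standing in for seized media, hashes the original and the working copy with SHA-256 so the two can be shown to be identical, and keeps a chain-of-custody log of every action taken. The names (acquire, verify, CustodyRecord, SAMPLE_MEDIA, "examiner-01") and the 4096-byte chunk size are the example's own assumptions.

```python
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Tuple

CHUNK = 4096  # read size; imaging tools normally use sector-aligned blocks


@dataclass
class CustodyRecord:
    """Minimal chain-of-custody log: who did what, when, and the hash seen."""
    examiner: str
    entries: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def log(self, action: str, digest: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.entries.append((stamp, self.examiner, action, digest))


def sha256_stream(stream) -> str:
    """Hash a file-like object in chunks so large media need not fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def acquire(source, examiner: str):
    """Bit-for-bit copy of a read-only source into a working image.

    Hashes the original before copying and the copy afterwards, logging both.
    Returns (image_bytes, source_hash, image_hash, custody_record).
    In practice `source` would be the device opened read-only behind a
    write blocker; here it is any file-like object (assumption of this demo).
    """
    record = CustodyRecord(examiner)
    source.seek(0)
    src_hash = sha256_stream(source)
    record.log("hashed original media before imaging", src_hash)

    source.seek(0)
    image = io.BytesIO()
    for block in iter(lambda: source.read(CHUNK), b""):
        image.write(block)
    image.seek(0)
    img_hash = sha256_stream(image)
    record.log("created working copy and hashed it", img_hash)
    return image.getvalue(), src_hash, img_hash, record


def verify(image_bytes: bytes, expected_hash: str) -> bool:
    """Re-hash a working copy; a mismatch means it no longer matches the evidence."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_hash


# Constructed stand-in for seized media (not real evidence); larger than one CHUNK.
SAMPLE_MEDIA = b"boot-sector" * 100 + b"deleted-file-remnant" + b"\x00" * 4000


def demo():
    """Acquire the sample, confirm the copy, then show a one-bit change being caught.

    Returns (copy verified, tampered copy verified, number of custody entries):
    (True, False, 2).
    """
    image, src_hash, img_hash, record = acquire(io.BytesIO(SAMPLE_MEDIA), "examiner-01")
    copy_ok = src_hash == img_hash and verify(image, src_hash)
    tampered = bytearray(image)
    tampered[100] ^= 0x01               # flip a single bit in the working copy
    return copy_ok, verify(bytes(tampered), src_hash), len(record.entries)


if __name__ == "__main__":
    print(demo())
```

    Two design points carry over to real imaging: the original is only ever read, and the hash of the original is taken before the copy is made, so the record shows what the evidence looked like at the moment of seizure rather than after handling.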
  • 30. Digital Forensics Process: Analysis
    - Analysis refers to the actual media examination: the “identification, analysis, and interpretation” items from the DFRWS 2001 definition [4].
    - Identification consists of locating the items present in the media in question.
    - Analysis can be file system analysis, file content examination, log analysis, statistical analysis, etc.
    - The examiner interprets the results of the analysis based on the examiner’s training, expertise, experimentation, and experience.
    [4] https://dfrws.org/
  • 35. Digital Forensics Labs
    [figure slide; image sources given in footnotes 5 and 6]
    [5] www.google.com
    [6] Scientific Working Group on Digital Evidence, http://www.swgde.org
  • 36. Digital Forensics Process: Presentation
    - Presentation refers to the process by which the examiner shares the results of the analysis phase.
    - This consists of generating a report of the actions taken by the examiner, the artifacts uncovered, and the meaning of those artifacts.
    - The presentation phase can also include the examiner defending these findings under challenge.
  • 39. Key Technical Terms: Bits, Bytes, and Numbering Schemes
    Intimate knowledge of the inner workings of a computer is critical for the digital forensics practitioner.
  • 40. Key Technical Terms: File Carving
    - Examiners must look at the data at the “bit” and “byte” level to find, extract, and interpret the evidence. This is most evident in a process called file carving.
    - File carving is done to locate and mine out files from amorphous blobs of data, like the unallocated space (also known as drive free space).
    - The first step is to identify the potential file. The file is identified by its header, if it has one.
    - Next, identify the footer; the file is then extracted through a simple copy and paste if it is stored contiguously.
    - A fragmented file is far more difficult to recover (Casey, 2011).
    - The ability to interpret binary and hex makes file carving possible.
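    The header-then-footer carve described on slide 40, as an added example that is not code from the lecture or from any carving tool. It scans a constructed blob standing in for unallocated space, cuts out every contiguous header-to-footer span for a small table of well-known magic values, and skips a header whose footer is missing, which is exactly the fragmented or overwritten case the slide says a simple copy-and-paste carve cannot recover. The function names, the signature table and the sample blob are this example's own.

```python
from typing import List, Tuple

# Constructed signature table: (type, header magic, footer magic).
# These are the well-known magic values for each format.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    ("pdf", b"%PDF-", b"%%EOF"),
]

MAX_CARVE = 10 * 1024 * 1024  # give up on a header if no footer within 10 MiB


def carve(blob: bytes, max_size: int = MAX_CARVE) -> List[Tuple[str, int, int, bytes]]:
    """Header/footer carving over a blob of unallocated space.

    For every header hit, look forward for the matching footer and cut out the
    bytes in between. Returns (type, start, end, data) tuples sorted by offset.
    A header with no footer in range is skipped: the file is fragmented,
    truncated or overwritten, and a contiguous carve cannot recover it.
    """
    found = []
    for name, header, footer in SIGNATURES:
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start < 0:
                break
            end = blob.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1          # no footer: move past this header
                continue
            end += len(footer)
            found.append((name, start, end, blob[start:end]))
            pos = end                    # resume after the carved file
    return sorted(found, key=lambda hit: hit[1])


def summarize(blob: bytes) -> List[Tuple[str, int, int]]:
    """(type, offset, length) per carved file, the shape a report table wants."""
    return [(name, start, end - start) for name, start, end, _ in carve(blob)]


# Constructed sample "unallocated space": zero fill, a complete JPEG-like
# file, slack bytes, a complete PNG-like file, and a JPEG header whose
# footer was overwritten (not recoverable by contiguous carving).
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 3 + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"png-payload" * 2
            + b"IEND\xae\x42\x60\x82")
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"footer-overwritten"
UNALLOCATED = (b"\x00" * 64 + FAKE_JPEG + b"\xcc" * 32 + FAKE_PNG
               + b"\x00" * 16 + TRUNCATED_JPEG + b"\x00" * 8)


if __name__ == "__main__":
    for name, offset, length in summarize(UNALLOCATED):
        print(f"{name:5} @ offset {offset:6d}  {length:5d} bytes")
```

    The max_size bound matters on real media: without it, a header whose footer was overwritten would be paired with the footer of some unrelated file megabytes later and the "recovered" file would be garbage. Production carvers add format-aware validation (parsing the JPEG segment lengths or PNG chunk CRCs) for the same reason.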
  • 46. Key Technical Terms: File Extensions and File Signature Analysis
    - Files are strings or sequences of bits and bytes.
    - The operating system identifies the file type by the file extension, if it is configured to do so.
    - The file extension is very easily changed.
    - Forensic tools identify files based on the header, not the file extension.
    - Separating out those files whose header does not match the extension is known as file signature analysis.
• 51. File Signature Analysis
• 52. File Signature Analysis
• 53. Key Technical Terms: Storage and Memory
Data are generally recorded in three different ways: electromagnetism, microscopic electrical transistors (flash), and reflected light (CDs, DVDs, etc.).
Volatile versus Nonvolatile Memory
-Some instant messaging applications, for example, don’t write to the hard drive unless the logging feature is turned on. AOL Instant Messenger and MSN fall into that category.
-So, if logging is off (which it is by default), the only evidence will be found in RAM while the machine is running.
• 57. Key Technical Terms: Computing Environments
Not all computing “environments” are created equal. These disparities will have a significant impact on your collection process, where you look for data, the tools you will use, and the level of complexity required.
-A stand-alone computer is one that is not connected to another computer.
-A networked computer is connected to at least one other computer and potentially many, many others.
-A mainframe system centralizes all of the computing power into one location. Processors, storage, and applications can all be located and controlled from a single location.
-Cloud computing: IaaS, PaaS, SaaS.
• 63. Key Technical Terms: Data Types
Data can be lumped into three broad categories: active, latent, and archival.
Active Data
-Active data are the data that we use every day on our computers. The operating system “sees” and tracks these files.
-These are the files that reside in the allocated space of the drive.
-These data can be acquired with standard forensic cloning techniques.
Latent Data
-Data that have been deleted or partially overwritten are classified as latent.
-They are no longer tracked by the operating system and are therefore “invisible” to the average user.
-A bit-stream (forensic) image is required to collect these data.
• 66. Key Technical Terms: Data Types
Archival Data
-Archival data, or backups, viz. external hard drives, DVDs, and backup tapes.
-Acquisition of archival data can range from simple to extremely complex.
-The type and age of the backup media are major factors in determining the complexity of the process.
-Backup tapes may have been made with software or hardware that is no longer in production. Those same tools will be needed to restore the data into a form that can be understood and manipulated. It could be that an older version of the software is no longer available, or that the company is no longer in business. This is known as legacy data.
• 69. Key Technical Terms: File Systems
The file system tracks the drive’s free space as well as the location of each file. The free space, also known as unallocated space, is either empty or holds the remains of a file that previously occupied that location and has since been deleted.
-File Allocation Table (FAT) is the oldest of the common file systems. It comes in four flavors: FAT12, FAT16, FAT32, and FATX.
-The New Technology File System (NTFS) is the system used currently by Windows 7, Vista, XP, and Windows Server (features: automatic recovery, encryption).
-Hierarchical File System Plus (HFS+): larger disk space, cross-platform compatibility, and international-friendly file names.
-Apple File System (APFS) is a proprietary file system for macOS High Sierra (10.13) and later, and iOS 10.3.
• 75. Feed your Head: Exercise 1
The date is 21 December 2012. During a forensic examination you locate several files. Along with the files you can see the size of each file and the file type. Digging deeper, you also notice the date those files were created and the last time each file was opened or modified. Look at each of the following files and see if any file looks suspicious.
• 76. Feed your Head: Exercise 1
• 77. Key Technical Terms: Allocated and Unallocated Space
-Windows can’t see data in this unallocated space. To the operating system, files located in unallocated space are essentially invisible.
-It’s important, however, to understand that “not used” does not always mean “empty.”
-Host Protected Areas (HPAs) and Device Configuration Overlays (DCOs) refer to hidden areas on a hard drive created by manufacturers that can be “accessed, modified, and written to by end users using specific open source and freely available tools, allowing data to be stored and/or hidden in these areas.”
-Data persistence: with the massive amount of storage space available on today’s hard drives, a deleted file stands a good chance of never being overwritten.
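To make the latent-data idea of slide 63, the file-system bookkeeping of slide 69 and the unallocated-space point above concrete, here is an added Python toy disk model (constructed for this lecture, not from the slides or any real file system): a file system that tracks allocated clusters and a directory, a logical copy that only sees active files, and a bit-stream image over which a signature carver recovers a deleted file, until a new file partially overwrites it. Cluster size, file names and contents are all constructed values.

```python
"""Toy disk model (constructed): why deleted ("latent") data survives in
unallocated space, why a logical copy misses it, and why a bit-stream image
plus carving recovers it."""
from dataclasses import dataclass, field

CLUSTER = 512   # bytes per cluster (toy value)
CLUSTERS = 8    # a 4 KiB "disk"

JPEG_MAGIC = b"\xff\xd8\xff"
# Constructed sample contents: a JPEG-like blob spanning two clusters and a note.
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0" + b"J" * 900
SAMPLE_NOTE = b"meeting notes: budget approved\n"


@dataclass
class ToyDisk:
    """Media bytes plus the two things a file system tracks: which clusters
    are allocated (free space) and where each file lives (location)."""
    media: bytearray = field(default_factory=lambda: bytearray(CLUSTER * CLUSTERS))
    allocated: set = field(default_factory=set)      # cluster numbers in use
    directory: dict = field(default_factory=dict)    # name -> (clusters, size)

    def write(self, name: str, data: bytes) -> None:
        need = -(-len(data) // CLUSTER)              # ceiling division
        free = [c for c in range(CLUSTERS) if c not in self.allocated][:need]
        if len(free) < need:
            raise OSError("toy disk full")
        for i, c in enumerate(free):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.media[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.allocated.update(free)
        self.directory[name] = (free, len(data))

    def delete(self, name: str) -> None:
        """Deletion only forgets the file: its clusters are marked free,
        the bytes on the media are left untouched."""
        clusters, _ = self.directory.pop(name)
        self.allocated.difference_update(clusters)

    def read(self, name: str) -> bytes:
        clusters, size = self.directory[name]
        raw = b"".join(bytes(self.media[c * CLUSTER:(c + 1) * CLUSTER]) for c in clusters)
        return raw[:size]

    def logical_copy(self) -> dict:
        """What a file-by-file copy captures: only active (allocated) data."""
        return {name: self.read(name) for name in self.directory}

    def bitstream_image(self) -> bytes:
        """Forensic image: every byte of the media, allocated or not."""
        return bytes(self.media)


def carve(image: bytes, magic: bytes = JPEG_MAGIC, max_len: int = 2 * CLUSTER) -> list:
    """Signature carving over a raw image: (offset, bytes) for each occurrence
    of the magic header, ignoring file-system metadata entirely."""
    hits, pos = [], image.find(magic)
    while pos != -1:
        hits.append((pos, image[pos:pos + max_len]))
        pos = image.find(magic, pos + 1)
    return hits


def demo() -> dict:
    disk = ToyDisk()
    disk.write("photo.jpg", SAMPLE_JPEG)    # occupies clusters 0 and 1
    disk.write("note.txt", SAMPLE_NOTE)     # occupies cluster 2
    disk.delete("photo.jpg")                # the photo is now latent data
    hits = carve(disk.bitstream_image())
    after_delete = {
        "logical_names": sorted(disk.logical_copy()),          # photo missing
        "carved_offsets": [off for off, _ in hits],            # photo found at 0
        "carved_intact": any(blob.startswith(SAMPLE_JPEG) for _, blob in hits),
    }
    # A new small file reuses the first freed cluster and partially overwrites
    # the photo: the header is gone, so carving by signature misses it, but the
    # second cluster still holds the tail of the image.
    disk.write("new.txt", b"x" * 10)        # lands in cluster 0
    image = disk.bitstream_image()
    after_overwrite = {
        "carved_offsets": [off for off, _ in carve(image)],
        "tail_survives": image[CLUSTER:len(SAMPLE_JPEG)] == SAMPLE_JPEG[CLUSTER:],
    }
    return {"after_delete": after_delete, "after_overwrite": after_overwrite}


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```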
• 82. Digital Evidence
Digital evidence is defined as any information of value in a court of law that is either stored or transmitted in a digital form: information gathered from digital storage media, network information, or duplicate copies of data found during forensic investigations.
Digital evidence includes files such as:
• Graphic files, audio and video recording files
• Browser histories, cookies
• Server/system event, security and audit logs
• Word processing and spreadsheet files
• Email, registry files, cellphone system data
• Firewall, router, and IDS log files 7
7 “I’ve seen things you people wouldn’t believe. Files deleted and wiped coming back to life. I watched hard drive heads... glitter in the dark of cleanrooms. All those... data will never be lost... in time, we can get it all back.” (Blade Runner-ish)
• 85. Digital Evidence: Common Places
-Office desktop computers/workstations
-Network servers
-Home computers/personal
-USB drives/CD-ROMs/DVDs/portable media devices
-Laptops, netbooks
-PDAs, tablets, audio players
-Cell phones/smart phones/portable hot spots
-Fax machines, photocopiers
-Backup storage: system-wide backups (monthly/weekly/incremental), disaster recovery backups (stored off site), personal or “ad hoc” backups (look for CDs/DVDs, USB drives and other portable media), cloud storage accounts
• 93. Characteristics of Digital Evidence
-Admissible: evidence must be related to the fact being proven.
-Authentic: evidence must be real and related to the incident in a proper way.
-Complete: evidence must prove the entirety of the activity.
-Reliable: evidence must have proven authenticity and veracity (truthfulness).
-Believable: evidence must be clear and understandable by the judges in court.
• 98. Digital Evidence: Volatile Data
-system time
-logged-on user(s)
-open files
-network connections
-process information
-process-to-port mapping
-process memory
-network status
-clipboard contents
-service/driver information
-command history
-mapped drives, shares