2. What
It is a branch of forensic science specialized in the recovery
and investigation of material found in digital devices,
often related to computer crime.
3. Why
Due to the growth in computer crime,
law enforcement agencies began establishing specialized
groups to handle the technical aspects of investigations.
Computer crimes such as:
Fraud, forgery, extortion, industrial espionage
Virus/Trojan distribution
Homicide investigations
Theft or destruction of intellectual property
5. How
The process might differ according to the laws enforced
by the country.
But the general process mainly consists of:
● Acquisition
● Preservation
● Identification
● Evaluation
● Presentation
6. Challenges
Legal rules determine whether potential evidence is
admissible in court.
Authenticity and validity of evidence must be ensured.
Evidence can't be damaged, destroyed, or compromised by
the procedures used in identification.
Preventing virus infections during the analysis process.
The extraction process must be properly handled to protect the
evidence from mechanical or electromagnetic damage.
7. Acquisition
Is the process of acquiring any data that can be used as
evidence from the confiscated exhibits.
The process must guarantee that the data is not changed
during the acquisition [ ex: no modification date changes ]
Ex: computer devices, network maps, external devices.
8. General Acquisition Process
Restrict access (local / remote) to the machine.
Dump memory (if possible).
Document hardware configuration (internal and external).
Make a digital copy of all applicable storage devices.
Authenticate all copies using checksums.
Document all the search steps and operations executed.
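The copy-and-authenticate steps above, as an added Python example that is not part of the original slides: it hashes the exhibit and its copy with several algorithms, confirms the source's modification time did not change during acquisition, and returns a custody record for the log. A plain file copy stands in for a bit-stream imaging tool, and the "disk image" is constructed sample data, both assumptions.

```python
import hashlib
import os
import shutil
import tempfile
import time

ALGORITHMS = ("md5", "sha1", "sha256")  # several digests so one weak hash cannot mask a change


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Stream the file once and return {algorithm: hexdigest}. Reading does not alter it."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_copy(source, dest, examiner):
    """Copy source to dest, hash original and copy, and return a custody record."""
    before = os.stat(source)
    shutil.copyfile(source, dest)  # stand-in for a bit-stream imaging tool (assumption)
    src_digests, dst_digests = hash_file(source), hash_file(dest)
    after = os.stat(source)
    return {
        "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "source": source, "copy": dest, "size_bytes": before.st_size,
        "source_mtime_unchanged": before.st_mtime_ns == after.st_mtime_ns,
        "source_hashes": src_digests,
        "copy_hashes": dst_digests,
        "copy_verified": src_digests == dst_digests,
    }


def verify_copy(copy, record):
    """Recompute the copy's digests and compare with those recorded at acquisition."""
    return hash_file(copy) == record["copy_hashes"]


def demo():
    """Constructed sample: a small 'disk image', an exact copy, then a tampered copy."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "exhibit01.img")
        with open(image, "wb") as fh:
            fh.write(b"MBR\x00" + bytes(range(256)) * 64)  # constructed, not real media
        record = acquire_copy(image, os.path.join(workdir, "exhibit01.copy.img"), "examiner-1")
        with open(record["copy"], "r+b") as fh:  # simulate a later modification of the copy
            fh.seek(10); fh.write(b"X")
        return record, verify_copy(record["copy"], record)
```

`demo()` returns the custody record (copy verified, source mtime unchanged) together with `False` for the re-verification of the modified copy, which is the signal that the working copy can no longer be trusted.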
9. Types of Data
Volatile:
Memory contents.
Network traffic.
Non-volatile:
File system contents [ HDs, USB disks, etc. ]
10. Preservation
The original state of the data should be preserved exactly
as acquired.
Any operations on the data should be done on an
exact copy, to guarantee the integrity of the original
confiscated data.
11. Identification
Identifying what data could be recovered and retrieving it
using computer forensic tools.
Identifying and recovering hidden / deleted data using
various tools.
Identifying any tampering or anomalies in the data.
12. General Identification Process
Make a list of key search words.
Evaluate the Windows swap file.
Evaluate unallocated space (erased files).
Document file names, dates and times.
Identify file, program and storage anomalies.
Evaluate program functionality.
Document your findings.
13. Examples of hidden data
Changing file names or extensions.
Encryption.
Hidden drive space: non-partitioned space in between
partitions.
Slack space.
Partition waste space.
Bad sectors.
Other steganographic methods.
14. Steganography Example
To human eyes, data usually contains known
forms, like images, e-mail, sounds, and text.
Most Internet data naturally includes
gratuitous headers, too.
The duck flies at midnight.
16. Presentation
Presenting the evidence discovered in a manner that
complies with the rules and regulations.
ex:
It is understood by lawyers and non-technical staff, and is
suitable as evidence as determined by the country's laws.
17. Tools
Digital forensic experts use a combination of software
and hardware tools.
The tools include disk analysers, steganography analysis
tools, decryption tools, hex viewers, network monitors, etc.
List of the most used software tools: https://en.wikipedia.org/wiki/List_of_digital_forensics_tools