2. Outline
• Introduction
What is Digital Forensics?
Branches of Digital Forensics.
Objectives of Digital Forensics.
Difference between Cyber Forensics and Cyber Security.
• Digital Evidence
Rules for Digital Evidence.
Handling Digital Evidence.
• Process of Digital Forensic Investigation.
• Things You Should Remember
3. Introduction
• What is digital forensics?
Digital Forensics, or Cyber Forensics, is the process of detecting and analyzing
attacks that jeopardize the Confidentiality, Integrity, and Availability of an
IT system.
4. Continued…
• Branches of Digital Forensics
There are four main branches of digital forensics:
o Computer Forensics.
o Network Forensics.
o Mobile Device Forensics.
o Database Forensics.
o Cloud Forensics
o Email and Social Media Forensics
o Malware Forensics etc.
5. Continued…
• Objectives of Digital Forensics
The main objective of Digital Forensics is to answer three questions: What? Why? And How?
A second objective is to gather digital evidence that confirms the answers found to
those questions and can be presented in court.
6. Digital Evidence
Digital evidence is any information or data of value to an investigation that is
stored on, received by, or transmitted by an electronic device. Text messages,
emails, pictures, videos, and internet searches are some of the most common
types of digital evidence.
7. Continued…
• Rules for Digital Evidence
Admissible: Must be able to be used in court or elsewhere.
Authentic: Evidence must be relevant to the case.
Complete: Must not lack any information.
Reliable: No question about authenticity.
Believable: Clear, easy to understand, and believable by a jury.
8. Continued…
• Handling Digital Evidence
o No possible evidence should be damaged, destroyed, or otherwise compromised by
the procedures used to search the computer.
o Prevent viruses from being introduced to a computer during the analysis
process.
o Extracted / relevant evidence must be properly handled and protected from later
mechanical or electromagnetic damage.
o Establish and maintain a continuing chain of custody.
o Limit the amount of time business operations are affected.
9. Process of Digital Forensic Investigation
The investigative process encompasses the following phases:
Fig. 1 Digital Forensic Investigation Process
10. Continued…
• Identification
The Identification phase consists of these processes:
1. Event/Crime Detection.
2. Complaints.
3. Approach Formulation.
4. Case Analysis.
11. Continued…
• Preservation
The Preservation phase consists of these processes:
1. Crime Scene Preservation.
2. Chain of Custody.
3. Client Permission Form.
4. Case Management.
5. Time Sync.
13. Continued…
• Collection
The Collection phase consists of these processes:
1. Preservation.
2. Acquire.
3. Recognize and Collect Evidence.
4. Data Preservation.
15. Continued…
• Examination
The Examination phase consists of these processes:
1. Preservation.
2. Filtering.
3. Pattern Matching.
4. Data Recovery (Hidden Data).
5. Data Extraction.
16. Continued…
• Analysis
The Analysis phase consists of these processes:
1. Preservation.
2. Determine Significance.
3. Validation.
4. Find the Link.
5. Draw Conclusion.
18. Continued…
• Presentation/Reporting
The Reporting phase consists of these processes:
1. Documentation.
2. Expert Testimony.
3. Recommended Countermeasures.
4. Statistical Interpretation.
19. Things You Should Remember!
1. Avoid changing date/time stamps (of files, for example) or changing the data
itself.
2. Avoid overwriting unallocated space (which can happen on reboot, for
example).
3. Always calculate/generate a hash value for each item of information/data collected
during the investigation.
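As an added example of the third point (not from the slides), the script below builds a SHA-256 manifest of collected evidence files at acquisition time and re-verifies it later, flagging any item that was altered or lost; the evidence files, their names and their contents are constructed for the demo.

```python
"""Hash manifest for collected evidence (added example, not from the slides)."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Hash a file in 1 MiB chunks so large disk images never load into memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path) -> dict[str, str]:
    """Record the hash of every collected item, keyed by its relative path."""
    return {
        str(p.relative_to(evidence_dir)): hash_file(p)
        for p in sorted(evidence_dir.rglob("*"))
        if p.is_file()
    }


def verify_manifest(evidence_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current files against the manifest; any mismatch breaks the chain."""
    report: dict[str, list[str]] = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        p = evidence_dir / rel
        if not p.exists():
            report["missing"].append(rel)
        elif hash_file(p) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed sample: three evidence files; one is altered and one lost after acquisition."""
    with tempfile.TemporaryDirectory() as d:
        ev = Path(d)
        (ev / "mail.eml").write_bytes(b"From: alice@example.com\nSubject: invoice\n")
        (ev / "notes.txt").write_bytes(b"meeting at 10\n")
        (ev / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")
        manifest = build_manifest(ev)          # hashes taken at collection time
        (ev / "notes.txt").write_bytes(b"meeting at 11\n")   # tampered afterwards
        (ev / "mail.eml").unlink()                           # lost afterwards
        return verify_manifest(ev, manifest)   # -> {'ok': ['photo.jpg'], ...}
```

Record the manifest (with the acquisition time and the algorithm used) alongside the chain-of-custody form, since a later re-verification is only meaningful against the hashes taken at collection.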
Editor's Notes
Confidentiality: The principle of Confidentiality specifies that only the sender and the intended receiver(s) should be able to access the contents of a message.
Integrity: The principle of Integrity specifies the Correctness of Data.
Availability: The principle of Availability states that resources should be available to authorized parties at all times.
Show all the Forms and Demonstrate Cryptool for calculating Hash and Write Blocker (Manual)
Demonstration of Website Acquisition, Memory Acquisition and HDD Acquisition