Role of Digital Forensics in Meeting Indian Legal Requirements for Digital Preservation
1. Role of Digital Forensics in Digital Preservation as per the Indian Legal Requirements
2. Quick Overview
• Indian legal requirements
– IT Act 2000 (as amended in 2008)
• Retention of electronic records
• Facilitate the identification of the origin, destination, and date and time of dispatch or receipt of such electronic records
• Electronic records are retained in the format in which they were originally generated, sent or received
• Defines the conditions for legal admissibility of electronic records
– RTI Act
• Digital information must be searchable and reproducible in a legally admissible manner to fulfil the right to information where required
• Digital forensics and digital preservation
– DPC Technology Watch Report 12-03: Digital Forensics and Preservation, by Jeremy Leighton John
– The BitCurator project
– Case scenarios
• Digital forensics for email preservation
• Digital forensics for storage media preservation
• Digital forensics for mobile data preservation
3. Quick Overview (continued)
• Purpose
– To identify legally admissible digital evidence
– To map that evidence onto the preservation metadata of the OAIS reference model
• Open Archival Information System (ISO 14721)
• Approach
– Open source digital forensics tools
– Establish the aspects of digital preservation in terms of provenance, integrity, authenticity and reliability
4. Evidence in the e-Mail Header
• Legal requirement for email message preservation
– The Department of Electronics and Information Technology (DeitY), Government of India, is formulating an e-mail policy for all central and state government organisations for the purpose of e-mail data protection; the mail so governed will also be subject to preservation in various cases.
• An email consists of two major sections:
– Body
• The actual message of the email
– Header
• Not normally displayed by the mail client; carries the routing and transport information
• Important evidence can be extracted from the header: the relay path and its timestamps, the message identifier, the authentication results
• Each header field is a key: value pair; the registry of standard fields is RFC 4021 (the syntax is defined in RFC 5322)
• Common header fields:
– From (sender), To (recipients), Date (origination time, set by the sender's client and therefore not trustworthy on its own; the timestamps in the Received: lines, added by each relay, are what corroborate it), Subject
8. Authentication and Integrity
• Integrity
– Verifying that the content is not altered in transit
– "Content-MD5" (RFC 1864): a base64 MD5 checksum of the body. It is unkeyed, so it detects accidental corruption only; anyone who alters the body can recompute it
• Authentication
– Validate the identities of the parties who participated in transferring a message
– Domain authentication: DKIM-Signature. The sending domain signs selected headers and a hash of the body; the signature is verified against the public key published in DNS, which rotates, so a later verifier can only re-check it if the key is still published or was recorded at capture time
– User authentication: the sender's own digital signature (S/MIME or OpenPGP)
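The two slides above describe header fields as key: value evidence and name Content-MD5 and DKIM as the integrity markers. The following is an added example (not code from the deck or from any of the projects it cites) that extracts the evidential fields from an .eml message, checks Content-MD5 against the body, and recomputes the DKIM body hash (the bh= tag, RFC 6376 "simple" canonicalisation) without contacting DNS. The message, the domain example.gov.in, the selector sel1 and all addresses are constructed; the b= tag is a placeholder, since checking it would need the selector's public key.

```python
"""Evidential header fields plus the two body-integrity checks from the slides.
Added example; the message below is constructed, not taken from the deck."""
import base64
import email
import hashlib
import re

BODY = b"Please find the quarterly report attached.\r\n\r\nRegards,\r\nRecords Officer\r\n"


def unfold(value: str) -> str:
    # RFC 5322 unfolding: a line break followed by whitespace is folding, not content.
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def content_md5(body: bytes) -> str:
    # RFC 1864: base64 of the MD5 digest of the canonical (CRLF) body. Unkeyed.
    return base64.b64encode(hashlib.md5(body).digest()).decode()


def canonical_body_simple(body: bytes) -> bytes:
    # RFC 6376 3.4.3 "simple": CRLF line endings, trailing empty lines dropped, final CRLF kept.
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def dkim_body_hash(body: bytes) -> str:
    return base64.b64encode(hashlib.sha256(canonical_body_simple(body)).digest()).decode()


def dkim_tags(value: str) -> dict:
    tags = {}
    for item in unfold(value).split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # folding whitespace is allowed inside tag values
    return tags


def build_sample(body: bytes = BODY) -> bytes:
    """Constructed .eml bytes: bh= is genuine for this body, b= is a placeholder."""
    bh, cmd5 = dkim_body_hash(body).encode(), content_md5(body).encode()
    headers = (
        b"Received: from mail.example.gov.in (mail.example.gov.in [192.0.2.10])\r\n"
        b"\tby mx.archive.example with ESMTPS id 4ABC123\r\n"
        b"\tfor <records@archive.example>; Mon, 03 Mar 2014 10:15:02 +0530\r\n"
        b"DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.gov.in;\r\n"
        b"\ts=sel1; h=from:to:subject:date; bh=" + bh + b";\r\n"
        b"\tb=PLACEHOLDER\r\n"
        b"From: Records Officer <officer@example.gov.in>\r\n"
        b"To: records@archive.example\r\n"
        b"Subject: Quarterly report\r\n"
        b"Date: Mon, 03 Mar 2014 10:14:58 +0530\r\n"
        b"Message-ID: <20140303101458.4711@mail.example.gov.in>\r\n"
        b"Content-MD5: " + cmd5 + b"\r\n"
    )
    return headers + b"\r\n" + body


def header_evidence(raw: bytes) -> dict:
    """The fields the slides single out, plus the Received: chain (top-most line = last hop)."""
    msg = email.message_from_bytes(raw)
    ev = {n: unfold(msg[n]) for n in ("From", "To", "Date", "Subject", "Message-ID") if msg[n]}
    ev["Received"] = [unfold(v) for v in msg.get_all("Received", [])]
    return ev


def check_integrity(raw: bytes) -> dict:
    """None = marker absent or not checkable here; True/False = check result."""
    msg = email.message_from_bytes(raw)
    body = msg.get_payload(decode=True)
    res = {"content_md5_ok": None, "dkim_bh_ok": None}
    if msg["Content-MD5"]:
        res["content_md5_ok"] = unfold(msg["Content-MD5"]) == content_md5(body)
    if msg["DKIM-Signature"]:
        tags = dkim_tags(msg["DKIM-Signature"])
        c = tags.get("c", "simple")
        body_canon = c.split("/")[1] if "/" in c else "simple"  # one name given => body is "simple"
        if body_canon == "simple":
            res["dkim_bh_ok"] = tags.get("bh") == dkim_body_hash(body)
    return res


def tamper(raw: bytes, reseal_md5: bool = False) -> bytes:
    """Alter the body after capture; optionally recompute Content-MD5 as an attacker can.
    bh= cannot be fixed the same way: it is covered by b=, which needs the domain's private key."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    body = body.replace(b"quarterly", b"annual")
    if reseal_md5:
        head = re.sub(rb"Content-MD5: [^\r\n]+", b"Content-MD5: " + content_md5(body).encode(), head)
    return head + sep + body


if __name__ == "__main__":
    raw = build_sample()
    print(header_evidence(raw))
    print("original:", check_integrity(raw))
    print("tampered:", check_integrity(tamper(raw)))
    print("tampered, Content-MD5 recomputed:", check_integrity(tamper(raw, reseal_md5=True)))
```

The last call is the point of the Content-MD5 caveat: after the body is edited and the checksum recomputed, the MD5 check passes while the DKIM body hash still fails. In a real archive the DKIM public key (sel1._domainkey.example.gov.in, assumed here) should be fetched and stored at capture time so that b= can also be re-verified years later.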
9. Capturing Email
• Single email:
– .eml format
– Plain-text (ASCII) file holding the RFC 5322 message
– Open specification
• Email account:
– mbox format
– Supported by most email client applications
– All the emails of the account in a single mbox file, each preceded by a "From " separator line
– MIME attachments carried base64-encoded inside the messages
• XML
– Self-describing, suitable for preservation
• The preserved email object file must be in a format that is:
– Non-proprietary
– Standard
– Open specification
– Externally independent (readable without the originating client)
• Available file formats for email objects:

Extension   File type description
bina        Netscape mail file
boe         Microsoft Outlook Express backup file
eml         Email message file
emlx        Apple Mail email message
ezm         EasyOffice mail file
nsf         Lotus Notes mailbox file
mbs         Opera mailbox file
mbox        Email mailbox file
pst         Microsoft Outlook personal folder file

Of these, eml and mbox meet all four criteria; mail held in client-specific formats such as pst or emlx should be exported to eml or mbox at capture time, before ingest.
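The slide above describes an account capture as one mbox file holding every message with base64-encoded attachments, while the preservation object is a single .eml per message. The following is an added example (not code from the deck) that splits an mbox into per-message .eml objects, decodes the base64 attachments, and records SHA-256 fixity for each object written, using only the Python standard library. The two messages, the addresses and the attachment bytes are constructed; the output directory is a temporary one created by the demo.

```python
"""Split a captured mbox into one .eml object per message, decode the base64 MIME
attachments, and record SHA-256 fixity for everything written.
Added example; the two messages are constructed here, not taken from the deck."""
import base64
import email
import hashlib
import mailbox
import os
import tempfile
from email import policy
from email.message import EmailMessage

ATTACHMENT = b"%PDF-1.4 constructed sample, not a real PDF\n"   # constructed attachment bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_mbox(path: str) -> int:
    """Write two constructed messages to an mbox file and return the message count."""
    box = mailbox.mbox(path)
    for i, text in enumerate(("Minutes of the meeting.", "Report attached."), start=1):
        msg = EmailMessage()
        msg["From"] = "officer@example.gov.in"
        msg["To"] = "records@archive.example"
        msg["Subject"] = f"Constructed message {i}"
        msg["Message-ID"] = f"<{i}@mail.example.gov.in>"
        msg.set_content(text)
        if i == 2:  # turns the message into multipart/mixed with a base64-encoded part
            msg.add_attachment(ATTACHMENT, maintype="application", subtype="pdf",
                               filename="report.pdf")
        box.add(msg)
    box.flush()
    count = len(box)
    box.close()
    return count


def split_mbox(path: str, outdir: str) -> list:
    """Write msgNNNN.eml per message; return a manifest with fixity and attachment details."""
    manifest = []
    box = mailbox.mbox(path)
    for n, key in enumerate(box.keys(), start=1):
        raw = box.get_bytes(key)   # the RFC 5322 message, without the mbox "From " separator line
        eml_name = f"msg{n:04d}.eml"
        with open(os.path.join(outdir, eml_name), "wb") as fh:
            fh.write(raw)
        msg = email.message_from_bytes(raw, policy=policy.default)
        attachments = []
        for part in msg.iter_attachments():
            data = part.get_payload(decode=True)   # undo the base64 transfer encoding
            attachments.append({"filename": part.get_filename(),
                                "cte": str(part["Content-Transfer-Encoding"]),
                                "size": len(data), "sha256": sha256(data)})
        manifest.append({"eml": eml_name, "sha256": sha256(raw),
                         "message_id": str(msg["Message-ID"]), "attachments": attachments})
    box.close()
    return manifest


def run_demo() -> dict:
    """Build the mailbox in a temp dir, split it, and return what a check can verify."""
    workdir = tempfile.mkdtemp(prefix="mbox-demo-")
    mbox_path = os.path.join(workdir, "account.mbox")
    count = build_sample_mbox(mbox_path)
    manifest = split_mbox(mbox_path, workdir)
    with open(os.path.join(workdir, manifest[-1]["eml"]), "rb") as fh:
        last_raw = fh.read()
    return {"count": count, "manifest": manifest, "last_raw": last_raw,
            "attachment_sha256": sha256(ATTACHMENT),
            "attachment_b64": base64.b64encode(ATTACHMENT)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo()["manifest"], indent=2))
```

The manifest is the piece an archive keeps alongside the .eml objects: the per-object hash is the fixity information, and the decoded attachment hash lets a later reviewer confirm that the base64 text inside the .eml still yields the same file.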
10. Storage media preservation
• Example:
– The National Archives receives a hard disk from a government organisation for long-term preservation
• Forensic disk image
– Exact, bit-for-bit replica of the original source media
• Preservation metadata of a disk image
– Reference information
• Serial number of the storage device
– Fixity information
• Hash value of the disk image, computed at acquisition and re-checked on every later access
– Digital provenance information
• Chain of custody information
– case number
– list of tools used
– examiner name
– short description
– the path where the digital evidence is initially stored
– time of acquisition
– MACB times (modified, accessed, changed, born) of the files on the image
11. Storage media preservation (continued)
• Disk image formats
– Raw (dd) images, and the forensic containers EWF (E01) and AFF, which carry compression and case metadata inside the image file
• Open source forensic disk imaging tools
– dd
– Guymager
– dcfldd
– dd_rescue
– AIR
– Autopsy (The Sleuth Kit)
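The two slides above list what must be recorded when a disk is imaged: a bit-for-bit copy, the hash of the image as fixity, and the chain-of-custody items (case number, tool, examiner, acquisition time). The following is an added example (not code from the deck or from any of the tools it lists) of a dd-style imager in Python that hashes the stream while it is written, behaves like dd conv=noerror,sync on an unreadable block (zero-fills it and logs the block number), writes the custody record, and re-verifies the image later. The "device" is a constructed file, the case number, examiner and serial number are placeholders, and the bad_blocks argument only simulates read errors; on real media the source would be a device node read with one of the tools listed above.

```python
"""dd-style acquisition with fixity and provenance recorded at acquisition time.
Added example; the device is a constructed file and bad_blocks simulates read errors."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 512


def acquire(source: str, image: str, case_number: str, examiner: str,
            serial_number: str = "unknown", bad_blocks=()) -> dict:
    """Image `source` into `image`, hashing the bytes as they are written, and
    return the custody record (the slides' reference, fixity and provenance items)."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    unreadable = []
    n = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            try:
                if n in bad_blocks:                       # simulated media error
                    raise OSError(f"read error at block {n}")
                chunk = src.read(BLOCK_SIZE)
            except OSError:
                src.seek((n + 1) * BLOCK_SIZE)            # noerror: continue after the bad block
                unreadable.append(n)
                chunk = b"\x00" * BLOCK_SIZE              # sync: pad so later offsets stay aligned
            if not chunk:
                break
            dst.write(chunk)
            sha256.update(chunk)
            md5.update(chunk)
            n += 1
    return {
        "case_number": case_number,
        "examiner": examiner,
        "tool": "acquire() from this example (dd-style imager)",
        "source_device": source,
        "source_serial_number": serial_number,
        "image_path": os.path.abspath(image),
        "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "block_size": BLOCK_SIZE,
        "blocks_written": n,
        "unreadable_blocks": unreadable,   # non-empty => image hash cannot equal media hash
        "sha256": sha256.hexdigest(),
        "md5": md5.hexdigest(),
    }


def file_sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(record: dict) -> bool:
    """Fixity check on later access: re-hash the image and compare with the record."""
    return file_sha256(record["image_path"]) == record["sha256"]


def run_demo(bad_blocks=(3,)) -> dict:
    """Constructed 8-block device imaged twice: cleanly, and with one simulated bad block."""
    workdir = tempfile.mkdtemp(prefix="acq-demo-")
    device = os.path.join(workdir, "sdb")
    with open(device, "wb") as fh:
        for i in range(8):
            fh.write(bytes([0x41 + i]) * BLOCK_SIZE)     # block i filled with 'A'+i
    clean = acquire(device, os.path.join(workdir, "sdb-clean.dd"),
                    "CASE-2014-001", "examiner (placeholder)", "SERIAL-PLACEHOLDER")
    damaged = acquire(device, os.path.join(workdir, "sdb-damaged.dd"),
                      "CASE-2014-001", "examiner (placeholder)", "SERIAL-PLACEHOLDER",
                      bad_blocks=bad_blocks)
    with open(damaged["image_path"] + ".json", "w") as fh:
        json.dump(damaged, fh, indent=2)                  # custody record kept beside the image
    return {"source_sha256": file_sha256(device), "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The damaged run is the case a practitioner needs to document: with noerror,sync the image is complete and its recorded hash verifies, but it cannot match a hash of the media itself, so the list of unreadable blocks must travel with the image in the custody record.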
13. Mobile Data Preservation
• Misuse of cell phone devices
– A device may be used to commit criminal or destructive acts
• Example:
– A phone recovered at a crime scene is important digital evidence
• Challenges:
– Court cases run for 10-15 years
– Rapid technological obsolescence in the mobile industry
• Support for the e-Courts Mission Mode Project
– Capturing and preserving mobile data that has evidentiary value
14. Mobile Data Preservation (continued)
• Data captured through the digital forensic process
• Preservation metadata
– Digital provenance information
• Date and time of acquisition
• IMEI/MEID/ICCID
• Make/model
• Software/hardware information
– Integrity
• MD5 or SHA-1 checksums of the extracted data (both are collision-broken; record SHA-256 alongside them so the fixity evidence stays defensible for the life of the case)
– Inferential authenticity and reliability
• Information such as SMS logs and call logs captured from the mobile device
• Corroborating information obtained from the service provider
• Capturing identical information from different sources
• List of tools
– AFLogical OSE
– viaForensics viaExtract
17. Mobile Data Preservation (continued)
[Screenshot: viaForensics viaExtract showing browser history]
Information such as call logs, contacts, SMS logs, installed applications, and data stored in external memory (images, video, audio, etc.) can be captured.
18. List of digital forensics tools tested
• BitCurator
– Collection of tools for
• Disk imaging (Guymager)
• Data triage
• Private and individually identifying information (PII) discovery
• File system analytics and reporting
• Metadata exports (fiwalk and bulk_extractor)
• XENA (XML Electronic Normalising for Archives)
– Xena Digital Preservation Software, http://xena.sourceforge.net/
• dd
– Unix tool that copies raw data block by block from one file or device to another
• AFLogical OSE
– https://viaforensics.com/resources/tools/android-forensics-tool/
• ADB (Android Debug Bridge)
– http://developer.android.com/tools/help/adb.html
• fiwalk
– http://www.forensicswiki.org/wiki/Fiwalk
• viaForensics viaExtract
– https://viaforensics.com/products/viaextract/
• Guymager
– http://guymager.sourceforge.net/
20. Future Directions
• Software solution
– A pre-ingest process for OAIS to preserve e-mails, storage media and cell phone data
– Capture the metadata from e-mails, storage media and cell phones
– Map the metadata onto the Preservation Description Information
– Filter the preservation formats (proprietary versus non-proprietary)
– Generate Submission Information Packages