Electronic Evidences
(Digital Evidences)
Raghu Khimani
Cyber Crime Expert / Advisor
Contact: raghukhimani2007@gmail.com
• Digital evidence or electronic evidence is “any probative information stored or transmitted in digital form that a party to a court case may use at trial”. Section 79A of the IT (Amendment) Act, 2008 defines electronic form evidence as “any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines”.
• The main characteristics of digital evidence are that it is latent, like fingerprints and DNA; it can transcend national borders with ease and speed; it is highly fragile and can easily be altered, damaged or destroyed; and it is time sensitive. For these reasons, special precautions should be taken to document, collect, preserve and examine this type of evidence. When dealing with digital evidence, the following principles apply: actions taken to secure and collect digital evidence must not change that evidence; persons conducting the examination of digital evidence must be trained for this purpose; and all activity relating to the seizure, examination, storage or transfer of digital evidence must be fully documented, preserved and available for review.
DIGITAL EVIDENCE
Digital evidence relating to all types of crimes can be located in many devices, including cell phones, GPS units, laptops, PCs and servers.
Types of crimes where digital evidence may be located:
• Cyber-Threats
• Cyber-Larceny, Frauds, Scams
• Online Credit Card Fraud
• Cyber-Identity Theft
• Internet Counterfeit Products/Labels
• Electronic Funds Transaction Fraud
• Cyber-Harassment
• Cyber-Theft of Trade Secrets
• Computer Desktop Forgery
• Cyber-Vandalism/Destruction
• Electronic Counterfeiting
• Cyber-Stalking
• Cyber-Copyright Infringement
• Online Auction Fraud, and more
Sources of Digital Evidence
• Floppy Disk(s)
• Hard Drive(s)
• Voice mail
• e Diary
• Ext. Hard Drive(s)
• CD, DVDs
• USB
• Mem. Devices
• Mag. Tapes
• RFID Tags
• PDAs
• Smart Cards
• Web pages
• Scanner, Printer
• Fax, Photocopier M/c
• Digital Phone Set
• iPods
• Cellphone
• Digicam
• Configuration settings of digital devices
• GPS Device
• Digital TVs
• CCTV
Latest Digital Devices
Novelty USB devices (image captions):
• USB Cookies
• USB Teddy Bear
• USB Cork
• USB Bottle Opener
• USB Pen
• USB Comb
• USB Gun
• USB Watch
• USB Lego stick
Types of Digital Evidences
Volatile (Non-persistent): memory that loses its contents if power is turned off; e.g. data stored in RAM (semiconductor storage).
Non-volatile (Persistent): no change in contents even if power is turned off; e.g. data stored on a tape / floppy disk / hard drive (magnetic storage), CD / DVD (optical storage), ROM (semiconductor storage; USB thumb drives - EEPROM).
Digital Evidence Commonly Used Nowadays
• E-mails
• Digital photographs
• ATM transaction logs
• Word processing documents
• Instant message histories
• Files saved from accounting programs
• Spreadsheets
• Internet browser histories
• Databases
• The contents of computer memory
• Computer backups
• Computer printouts
• Global Positioning System tracks
• Logs from a hotel’s electronic door locks
• Digital video or audio files
Rules of Evidence
The five properties that evidence must have in order to be useful:
Admissible
Authentic
Complete
Reliable
Believable
Rules of Evidence (cont’d)
Admissible – evidence must be able to be used in court. Failure to comply with this rule is equivalent to not collecting the evidence in the first place, except that the cost is higher.
Authentic – evidence must be tied to the incident in order to prove something. The evidence must be shown to relate to the incident in a relevant way.
Rules of Evidence (cont’d)
Complete – it is not enough to collect evidence that shows just one perspective of the incident. Not only should you collect evidence that can prove the attacker’s actions, but also evidence that could prove their innocence. For instance, if you can show the attacker was logged in at the time of the incident, you also need to know who else was logged in, and why you think they did not do it.
Rules of Evidence (cont’d)
Reliable – your evidence collection and analysis procedures must not cast doubt on the evidence’s authenticity and veracity (whether it is true or false).
Believable – the evidence you present should be clearly understandable and believable by a jury.
Do’s and Don’ts
Using the preceding five rules, some basic do’s and don’ts can be derived.
Do’s
Minimize handling/corruption of the original data.
Account for any changes and keep detailed logs of your actions.
Capture as accurate an image of the system as possible.
Be prepared to testify.
Ensure your actions are repeatable.
Work fast.
Don’ts
Don’t shut down the system before collecting evidence.
Don’t run any programs on the affected system.
General Procedure
When collecting evidence there is a four-step general procedure to be followed:
Identification of Evidence
Preservation of Evidence
Analysis of Evidence
Presentation of Evidence
Identification of Evidence
You must be able to distinguish between evidence and junk data. For this purpose you should know what the data is, where it is located, and how it is stored.
Preservation of Evidence
The evidence you find must be preserved as close as possible to its original state. Any changes made during this phase must be documented and justified.
Analysis of Evidence
The stored evidence must then be analyzed to extract the relevant information and recreate the chain of events.
Presentation of Evidence
Communicating the meaning of your evidence is vitally important – otherwise you cannot do anything with it. The manner of presentation is important, and it must be understandable by a layman (not only by an expert in the field) to be effective.
Records
Through every step of the procedure, it is crucial to record and document everything that is done and everything that is used.
What to record:
Who initially reported the suspected incident, along with the time, date and circumstances surrounding the suspected incident.
Details of the initial assessment leading to the formal investigation.
Names of all persons conducting the investigation.
More of what to record:
The case number of the incident.
Reasons for the investigation.
A list of all computer systems included in the investigation, along with complete system specifications.
Network diagrams.
Applications running on the computer systems previously listed.
A detailed list of steps used in collecting and analyzing evidence.
An access control list of who had access to the collected evidence, at what date and time.
Collection of Evidence
Step-by-step guide for collecting evidence:
Find the evidence.
Find the relevant data.
Collect the evidence.
Document everything.
Digital vs. Physical Evidences
Compared with physical evidence, digital evidence has these properties:
It can be duplicated exactly, and a copy can be examined as if it were the original. Examining a copy avoids the risk of damaging the original.
With the right tools it is very easy to determine whether digital evidence has been modified or tampered with, by comparing it with the original.
It is relatively difficult to destroy. Even if it is “deleted”, digital evidence can be recovered. When criminals attempt to destroy digital evidence, copies can remain in places they were not aware of.
Controlling Contamination
The chain of custody: once the data has been collected, it must be protected from contamination. Originals should never be used in forensic examination – verified duplicates should be used.
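The two rules above, that tampering is detected by comparing against the original and that only verified duplicates are examined, rest on a cryptographic hash taken at acquisition and re-checked at every handoff. The following Python script is an added example and not part of the original presentation: it hashes a constructed stand-in for a disk image with SHA-256, keeps a chain-of-custody log (who, when, action, hash) of the kind the Records slide calls for, refuses to hand out a working copy whose hash does not match, and reports the first custody entry at which the hash changed. The class and function names, the case number, the custodian names and the timestamps are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-in for an acquired disk image (a few KB of bytes, not a real image).
ORIGINAL_IMAGE = b"\xeb\x48\x90MSDOS5.0" + bytes(range(256)) * 8 + b"report.docx\x00"


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence bytes; any single-bit change alters it."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str        # ISO-8601 UTC timestamp of the action (constructed in demo())
    custodian: str   # person who had the item
    action: str      # acquired / transferred / examined / returned
    sha256: str      # hash of the item as verified at that moment


@dataclass
class EvidenceItem:
    case_number: str
    item_id: str
    acquisition_hash: str                    # hash taken at seizure; the reference value
    log: List[CustodyEntry] = field(default_factory=list)

    def record(self, when: str, custodian: str, action: str, data: bytes) -> bool:
        """Append a custody entry after re-hashing; True if the item is unchanged."""
        digest = sha256_hex(data)
        self.log.append(CustodyEntry(when, custodian, action, digest))
        return digest == self.acquisition_hash

    def chain_intact(self) -> bool:
        """Every handoff saw exactly the bytes recorded at acquisition."""
        return all(e.sha256 == self.acquisition_hash for e in self.log)

    def first_break(self) -> Optional[CustodyEntry]:
        """Earliest entry whose hash differs, i.e. where contamination first shows up."""
        return next((e for e in self.log if e.sha256 != self.acquisition_hash), None)


def acquire(case_number: str, item_id: str, when: str, examiner: str, data: bytes) -> EvidenceItem:
    """Open the custody record with the acquisition hash as the first entry."""
    item = EvidenceItem(case_number, item_id, sha256_hex(data))
    item.record(when, examiner, "acquired", data)
    return item


def verified_copy(item: EvidenceItem, data: bytes) -> Optional[bytes]:
    """Working copy for examination; None if the bytes do not match the acquisition hash."""
    copy = bytes(data)
    return copy if sha256_hex(copy) == item.acquisition_hash else None


def demo() -> dict:
    """Walk one item through acquisition, a transfer and a contaminated examination."""
    item = acquire("CASE-0001", "HDD-01", "2024-03-12T04:10:00+00:00",
                   "examiner A", ORIGINAL_IMAGE)
    copy = verified_copy(item, ORIGINAL_IMAGE)        # examiners work on this, never the original
    transfer_ok = item.record("2024-03-12T06:00:00+00:00", "examiner B",
                              "transferred", ORIGINAL_IMAGE)
    # Simulated contamination of the working copy: a single bit flipped.
    damaged = bytearray(copy)
    damaged[100] ^= 0x01
    examined_ok = item.record("2024-03-13T09:30:00+00:00", "examiner B",
                              "examined", bytes(damaged))
    brk = item.first_break()
    return {"transfer_ok": transfer_ok, "tampered_ok": examined_ok,
            "chain_intact": item.chain_intact(),
            "break_at": (brk.custodian, brk.action) if brk else None}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hashing the original once at seizure and re-hashing at every transfer and examination is what lets the log answer "who had the item, when, and was it still the same bytes"; a mismatch then pinpoints the entry where the change appeared rather than only the fact that something changed.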
Chain of Custody: Analysis
Once data has been successfully collected, it must be analyzed to extract the evidence you wish to present and rebuild exactly what happened.
Time
To reconstruct the events that led to your system being corrupted, you must be able to create a timeline.
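Building the timeline means normalising the timestamps from every source onto one clock before ordering them, and the same data answers the Complete rule above (who else was logged in at the time). The Python below is an added example, not from the presentation: it parses constructed syslog, web-access and door-lock lines, converts each to UTC (the syslog year and the +05:30 host time zone are assumptions, since syslog lines carry neither), merges them into one ordered timeline, and pairs SSH login and logout messages so that `logged_in_at` lists every user with an open session at a given instant. All hostnames, usernames, addresses and times are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines from three sources (not real case data).
# Syslog lines carry neither year nor time zone, so both are assumptions here;
# in a real case take them from the host's configuration and record them.
SYSLOG_YEAR = 2024
SYSLOG_TZ = timezone(timedelta(hours=5, minutes=30))
UTC = timezone.utc

AUTH_LOG = """\
Mar 12 09:10:41 srv1 sshd[398]: Accepted password for bob from 10.0.0.21 port 4410 ssh2
Mar 12 09:15:02 srv1 sshd[412]: Accepted password for alice from 10.0.0.7 port 5122 ssh2
Mar 12 09:19:30 srv1 sshd[398]: pam_unix(sshd:session): session closed for user bob
Mar 12 09:31:55 srv1 sshd[412]: pam_unix(sshd:session): session closed for user alice
"""

# Web server access log, already stamped in UTC.
ACCESS_LOG = """\
10.0.0.7 - - [12/Mar/2024:03:46:10 +0000] "GET /admin/export HTTP/1.1" 200 88210
"""

# Electronic door-lock log as CSV with an ISO-8601 timestamp and UTC offset.
DOOR_LOG = """\
2024-03-12T09:20:00+05:30,server-room,badge-113,opened
"""

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (\S+?)\[\d+\]: (.*)$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)$')
OPEN_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
CLOSE_RE = re.compile(r"session closed for user (\S+)")


def parse_auth(line):
    """Syslog line -> (utc_time, 'auth', message), or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return (local.replace(tzinfo=SYSLOG_TZ).astimezone(UTC), "auth", m.group(3))


def parse_access(line):
    """Combined-format access log line -> (utc_time, 'web', summary), or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").astimezone(UTC)
    return (ts, "web", f"{m.group(1)} {m.group(3)} -> {m.group(4)} ({m.group(5)} bytes)")


def parse_door(line):
    """Door-lock CSV line -> (utc_time, 'door', summary), or None."""
    parts = line.split(",")
    if len(parts) != 4:
        return None
    ts = datetime.fromisoformat(parts[0]).astimezone(UTC)
    return (ts, "door", f"{parts[1]} {parts[3]} by {parts[2]}")


def build_timeline(auth=AUTH_LOG, access=ACCESS_LOG, door=DOOR_LOG):
    """Merge all sources into one list of (iso_utc, source, summary) ordered by time."""
    events = []
    for text, parser in ((auth, parse_auth), (access, parse_access), (door, parse_door)):
        for line in text.splitlines():
            ev = parser(line.strip())
            if ev:
                events.append(ev)
    events.sort(key=lambda e: e[0])
    return [(e[0].isoformat(), e[1], e[2]) for e in events]


def login_sessions(auth=AUTH_LOG):
    """Pair login/logout messages into (user, start_utc, end_utc or None if still open)."""
    open_sessions, finished = {}, []
    for line in auth.splitlines():
        ev = parse_auth(line.strip())
        if not ev:
            continue
        ts, _, msg = ev
        m = OPEN_RE.search(msg)
        if m:
            open_sessions.setdefault(m.group(1), []).append(ts)
            continue
        m = CLOSE_RE.search(msg)
        if m and open_sessions.get(m.group(1)):
            finished.append((m.group(1), open_sessions[m.group(1)].pop(0), ts))
    for user, starts in open_sessions.items():
        finished.extend((user, s, None) for s in starts)
    return finished


def logged_in_at(when_iso, sessions=None):
    """Every user with an open session at the given UTC instant (ISO-8601 string)."""
    when = datetime.fromisoformat(when_iso)
    sessions = login_sessions() if sessions is None else sessions
    return sorted({u for u, start, end in sessions
                   if start <= when and (end is None or end > when)})


if __name__ == "__main__":
    timeline = build_timeline()
    for ts, src, desc in timeline:
        print(ts, src.ljust(5), desc)
    incident = next(e[0] for e in timeline if e[1] == "web")
    print("logged in at", incident, ":", logged_in_at(incident))
```

On the constructed data the suspicious web request at 03:46:10 UTC falls while both alice and bob hold open SSH sessions, which is exactly the situation the Complete rule warns about: alice's login alone does not single her out, and the timeline has to record bob's session as well.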
Forensic Analysis of Backups
When analyzing backups it is best to have a dedicated host for the job. This examination host should be secure, clean and isolated from any network. Document everything you do, and ensure that what you do is repeatable and capable of always giving the same results.

Editor's Notes

  1. Probative = having the quality or function of proving or demonstrating something; affording proof or evidence (Gujarati: પ્રમાણક).
  2. Latent = existing but not yet developed (e.g. latent fingerprints). Transcend = go beyond the range or limits of. Fragile = delicate, easily damaged (Gujarati: નાજુક).
  3. Larceny = theft (Gujarati: ચોરી). Counterfeit = fake, forged (Gujarati: નકલી, બનાવટી). Computer Desktop Forgery = duplicate documents made using a computer. Cyber stalking = the use of the Internet or other electronic means to stalk or harass an individual, a group of individuals, or an organization.
  4. RFID = Radio Frequency Identification. PDA = Personal Digital Assistant.
  5. EEPROM = Electrically Erasable Programmable Read-Only Memory.
  6. Authenticity = genuineness (Gujarati: પ્રમાણભૂતતા). Veracity = truthfulness (Gujarati: સચ્ચાઈ).