The document discusses digital evidence and its importance in investigations. It defines different types of digital evidence and outlines challenges and best practices for acquiring, handling, and preserving digital evidence. Specifically, it covers defining digital evidence, why it is important, challenges involved, general methodologies including seizure practices and safe acquisition methods, and safeguarding digital evidence. The presentation provides guidance to law enforcement on properly obtaining and securing digital evidence.
Digital Evidence in Computer Forensic Investigations
1. Importance of Digital Evidence (YSECORP)
IFA Presentation 2007
IFA, 8th March 2007 - Presentation
2. Agenda
Defining Digital Evidence
Why Important
Challenges
General Methodologies
Seizure Practices
Safe Acquisition Methods
Safeguarding Digital Evidence
4. Defining Digital Evidence
Some Definitions:
Digital Evidence
Information stored or transmitted in binary form that may be relied upon in court.
Original Digital Evidence
Physical items and those data objects which are associated with those items at the time of seizure.
Duplicate Digital Evidence
A duplicate is an accurate digital reproduction of all data objects contained on the original physical item.
Copy
A copy is an accurate reproduction of information contained in the data objects, independent of the original physical item.
5. Defining Digital Evidence
Some Definitions (cont'd):
Chain of Custody
A means of accountability that shows who obtained the evidence, where and when the evidence was obtained, who secured the evidence, and who had control or possession of the evidence.
Rules of Evidence
Evidence must be competent, relevant, and material to the issue.
6. Defining Digital Evidence
5 Rules of Evidence:
Admissible
Must be able to be used in court or elsewhere.
Authentic
Evidence relates to the incident in a relevant way.
Complete (no tunnel vision)
Includes exculpatory evidence, i.e. evidence pointing to alternative suspects, not only evidence that supports the working theory.
Reliable
No question about its authenticity and veracity.
Believable
Clear, easy to understand, and believable by a jury.
7. Defining Digital Evidence
The Evidence Life Cycle:
Collection and identification
Storage, preservation, and transportation
Presentation of evidence
Return to production, owner, or court
8. Defining Digital Evidence
Categories of Evidence:
Best evidence
Primary evidence used in trial; documentation usually falls into this category.
Secondary evidence
Not viewed as reliable and strong in proving innocence or guilt; e.g. oral evidence.
Direct evidence
Proves a fact all by itself; e.g. eyewitness testimony.
9. Defining Digital Evidence
Categories of Evidence (cont'd):
Conclusive evidence
Irrefutable and cannot be contradicted.
Circumstantial evidence
Proves an intermediate fact that can be used to deduce or assume the existence of another fact.
Corroborative evidence
Supporting evidence used to help prove an idea or point.
Opinion evidence
Pertains to witness testimony; a witness must testify only to the facts of the issue and not to their opinion of the facts.
10. Defining Digital Evidence
Digital evidence is everywhere!
11. Defining Digital Evidence
Digital evidence is electronically stored data, and is therefore difficult to handle:
Volatile data
RAM, caches, network status, etc.: gone once the power is cut.
Stored data
Fragile: may be destroyed on startup (e.g. a digital booby-trap), or the MAC times (modified, accessed, created timestamps) may change simply because the system was used.
Hidden: slack space, hidden files.
Temporary: exists only while the application is running.
Manipulated data
Encryption
Steganography
12. Defining Digital Evidence
I present you: the Data Iceberg.
Above the waterline (what the user and the operating system show you):
- Filenames
- Folders
- Log file entries
- ...
Below the waterline (what only a forensic copy exposes):
- File and memory slack
- NTFS alternate data streams
- Alien binaries
- Swap files
- Hidden files
- ...
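The lower half of the iceberg, as an added example that is not part of the original deck: a toy raw disk image with a fixed cluster size, a "deleted" file whose cluster is reused by a new file, and the slack bytes the new file never overwrites. Sector and cluster sizes, the two files and the image are all constructed here; no real filesystem is involved. The last check in demo() is the IOCE distinction between a forensic copy and a file-level copy (slide 26): the logical copy of the new file contains nothing of the old one, the slack does.

```python
"""Where data hides below the waterline: file slack in a toy raw image.
Added example; cluster/sector sizes, the image and both files are constructed."""
import re

SECTOR = 512          # bytes per sector (constructed; classic 512-byte sectors)
CLUSTER = 8 * SECTOR  # 4 KiB allocation unit, the usual NTFS default


def slack_size(file_size, cluster_size=CLUSTER):
    """Bytes of file slack: the unused tail of the file's last cluster."""
    return (-file_size) % cluster_size


def write_file(image, first_cluster, data, sector=SECTOR):
    """Write a file at a cluster boundary. Only the final sector is zero-padded
    (the usual OS behaviour); sectors of the last cluster that the write never
    touches keep whatever the previous occupant left there."""
    start = first_cluster * CLUSTER
    end = start + len(data)
    padded_end = start + -(-len(data) // sector) * sector
    image[start:end] = data
    image[end:padded_end] = bytes(padded_end - end)


def file_level_copy(image, first_cluster, file_size):
    """What a logical (file-level) copy gives you: the file's own bytes, nothing else."""
    start = first_cluster * CLUSTER
    return bytes(image[start:start + file_size])


def read_slack(image, first_cluster, file_size):
    """Slack bytes between the logical end of the file and the end of its last
    cluster; only a forensic (bit-stream) copy of the medium contains them."""
    end = first_cluster * CLUSTER + file_size
    return bytes(image[end:end + slack_size(file_size)])


def find_strings(blob, min_len=8):
    """Minimal 'strings'-style scan: runs of printable ASCII of at least min_len bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def demo():
    """Old ledger file in cluster 0, 'deleted', then a small photo written over it."""
    image = bytearray(8 * CLUSTER)  # eight-cluster 'disk', factory zeros
    old = b"DELETED LEDGER: 4711 -> offshore account; " * 80  # 3360 bytes in cluster 0
    write_file(image, 0, old)
    # 'Delete' old: only the allocation entry disappears; cluster 0 is not touched.
    new = b"\xff\xd8\xff\xe0" + b"JFIF holiday snapshot bytes " * 20  # 564 bytes, reuses cluster 0
    write_file(image, 0, new)
    return {
        "slack_bytes": slack_size(len(new)),
        "ledger_in_file_copy": b"LEDGER" in file_level_copy(image, 0, len(new)),
        "slack_strings": find_strings(read_slack(image, 0, len(new))),
    }
```

demo() reports 3532 slack bytes for the 564-byte file, no trace of the ledger in the file-level copy, and the ledger text among the strings carved from the slack. The same reasoning applies to unallocated clusters, swap files and memory slack: a bit-stream image is the only acquisition that preserves them.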
14. Why Important
Q: Is it important to adequately acquire and investigate digital media?
A: Think about the impact of the following scenarios:
The recovery of deleted files on a computer indicates that Jon Doe is trading in a network of pedophiles.
Recovered numbers and cell location data on a mobile phone prove that Jane Doe was not near the crime scene on the night of the murder.
Using steganography, seemingly harmless holiday pictures hide messages that synchronize terrorist attacks worldwide.
15. Why Important
Some Examples:
16. Why Important
Characteristics of Digital Evidence:
Evidence needs to be handled carefully to be usable in court.
Digital evidence is difficult to handle.
Special requirements apply to keep the chain of custody intact.
Evidence may need to be presented in court in person, yet evidence is not a personal assumption.
The judge decides whether the evidence is good enough.
18. Challenges
Digital/electronic evidence is extremely volatile!
Once the evidence is contaminated it cannot be decontaminated: the manipulation is irreversible.
The court's acceptance is based on the best evidence rule.
For computer data, printouts or other output readable by sight, as well as bit-stream copies, satisfy this rule when shown to reflect the data accurately.
19. Challenges
Technical challenges hinder law enforcement's ability to find and prosecute criminals who operate online or in organized groups.
Legal challenges result from the laws and legal frameworks required to investigate cybercrime lagging behind technological, structural and social changes (e.g. international and online investigations).
Resource challenges: ensuring that critical investigative and prosecutorial needs are met at all levels of government.
20. Challenges
Post-mortem analysis is becoming an established computer forensic practice:
Requires knowledge of operating systems and data storage principles.
Increased maturity of digital evidence handling frameworks and methods.
A growing set of software that has withstood forensic challenge is available.
A growing marketplace of experienced professionals.
Live analysis is a problem:
Requires knowledge of operating systems, TCP/IP, data storage principles, cybercriminal profiling and hacking techniques, etc.
Highly stressful situations that encourage mistakes!
Low maturity in handling procedures and professionalism when dealing with live investigations.
22. General Methodologies
Basically:
Acquiring the evidence without altering or damaging the original
Authenticating the image
Analyzing the data without modifying it
23. General Methodologies
Methodology in Belgium
International methodology
Based on the International Organization on Computer Evidence (www.ioce.org)
G8 principles
Need for a framework and standards
Digital Forensics Research Workshop (DFRWS) Digital Investigation Framework
Two-Tier Digital Investigations Process Framework
24. General Methodologies
Methodology in Belgium: based on a specific law, the Computer Crime Act ("Wet van 28 november 2000 inzake informaticacriminaliteit" (WIC), Belgisch Staatsblad 03-02-2001, p. 2909).
Its actual implementation is described in a circular ("Circulaire 01/2002 van de Procureurs-generaal bij de Hoven van Beroep inzake de wet Informaticacriminaliteit": circular 01/2002 of the Prosecutors-General at the Courts of Appeal on the Computer Crime Act):
– Principles are explained
– Technical annex (definitions)
– It is important that law enforcement and the private sector use the same vocabulary
Based on international principles.
25. General Methodologies
General principles of the IOCE, International Organization on Computer Evidence (www.ioce.org):
– Definitions
– General principles: evidence material handling
– Special considerations
26. General Methodologies
Definitions (IOCE):
– Digital evidence
– Original digital evidence
– Media
– File system
– Active file
– Free or unallocated space
– Slack space
– Unused space
– Forensic copy
– File level copy
27. General Methodologies
General principles (IOCE):
– When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
– Upon seizing digital evidence, actions taken should not change that evidence.
– When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
– All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
– An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
– Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
28. General Methodologies
Additional frameworks and standards:
– Digital Forensics Research Workshop (www.dfrws.org)
– European Network of Forensic Science Institutes (www.enfsi.org)
– Forensic Science Service (www.forensic.gov.uk)
– International Organization on Computer Evidence (www.ioce.org)
– Scientific Working Group on Digital Evidence (www.swgde.org)
30. Seizure Practices
Mere best practices, no strict regulatory requirements:
1. Control the scene
2. Allow only authorized persons access
3. Record the names of all individuals present during the search
4. Confirm when the system was last accessed
5. Establish a chronology of access to the media
6. Photograph or videotape the entire scene, including the contents of the monitor.
31. Seizure Practices
Some more:
If the computer is "Off", do not turn it on. If it is on, decide whether volatile data must be captured first (see slide 40) before pulling network or power.
Disconnect all remote access to the system (e.g. LAN cables, modem cables, etc.). Be sure to tag and label all cables and connectors.
Physically examine the system (i.e. remove covers and photograph).
Document model and serial numbers of the system and its components.
Inventory all peripherals (PDAs, printers, scanners, wireless access points, fax machines, etc.).
Search the scene for secondary storage media (USB drives, devices, diskettes, wireless hard disks, tapes, etc.).
32. Seizure Practices
First responder interviews are often overlooked:
Separate and identify all persons (witnesses, subjects, or others) at the scene and record their location at the time of entry.
Passwords: any passwords required to access the system, software, or data. (An individual may have multiple passwords, e.g. BIOS, system login, network or ISP, application files, encryption passphrase, e-mail, access token, scheduler, or contact list.)
Determine the "purpose" of the system:
Any unique security schemes or destructive devices.
Any offsite data storage.
Any documentation explaining the hardware or software installed on the system.
33. Seizure Practices
Document everything and preserve the chain of custody:
Protects the integrity of the evidence.
An effective process of documenting the complete journey of the evidence during the life of the case.
Allows you to answer the following questions:
Who collected it?
How and where?
Who took possession of it?
How was it stored and protected in storage?
Who took it out of storage, and why?
34. Seizure Practices
Some hardware tools for your forensic field kit:
Documentation tools
Cable tags.
Indelible felt-tip markers.
Stick-on labels.
Disassembly and removal tools
Flat-blade and Phillips-type screwdrivers.
Secure-bit drivers.
Anti-static straps.
Small tweezers.
Hex-nut drivers.
Vendor-specific screwdrivers.
Standard and needle-nose pliers.
Star-type nut drivers.
Wire cutters.
35. Seizure Practices
Some forensic tools for your forensic field kit:
Rubber gloves.
Hand truck.
Large rubber bands.
List of contact telephone numbers for assistance.
Magnifying glass.
Printer paper.
Seizure disk.
Small flashlight.
Unused floppy diskettes (3.5 and 5.25 inch).
Blank, zeroed hard drives (so nothing from a previous case can contaminate an image).
37. Safe Acquisition Methods
Acquisition is often referred to as forensic duplication or bit-to-bit imaging:
It is a 1:1 bitwise copy of a complete physical storage medium.
Most important rule (1): no changes to the original storage medium may be tolerated!
Some changes happen automatically and without notification: simply attaching the evidence disk to a live operating system over SCSI or (S)ATA cables may already be fatal, because the OS (Microsoft Windows in particular) writes to the disk as soon as it mounts it (e.g. journal replay, volume metadata).
Specialized read-only equipment is recommended: hardware write blockers (e.g. Tableau).
38. Safe Acquisition Methods
Second most important rule (2): all acquired data must be authentic and relate in full integrity to its original evidence.
Hashing algorithms are mandatory, yet often overlooked:
Mostly treated as "for your information", yet they may prove to be of utmost importance when the defence questions whether the image equals the original.
Choose a secure hashing algorithm, e.g. RIPEMD-160; not MD5, for which collisions have been practical since 2004 (SHA-1 followed in 2017; SHA-256 is the usual choice today). Hash the original medium and the image separately and record both values in the custody documentation.
39. Safe Acquisition Methods
Most important rule of thumb (3): the chain of custody must be protected at all times.
Be your own picky secretary! Note down every activity and build a credible case.
Basically, all manipulations must be recorded with their time, and the record must allow someone else to redo all actions and obtain the same results.
Common rookie mistake: not following a structured approach to recording, labeling and storing digital evidence.
Prepare yourself!
When dealing with multiple data sources, it is very easy to lose track of digital evidence.
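The three rules of slides 22, 37, 38 and 39 (acquire without altering the original, authenticate the image by hashing, keep a record that lets someone else redo every step), as an added example that is not from the original deck: the source is streamed into an image file and hashed once on the way, the image is re-hashed independently, and every custody action is appended to a log whose entries are hash-chained to each other. Paths, the examiner and write-blocker labels and the 3 MiB source content are constructed; SHA-256 stands in for the deck's RIPEMD-160 (hashlib.new accepts either name where OpenSSL provides it).

```python
"""Acquisition with hash verification and a hash-chained custody log.
Added example; all paths, labels and source content are constructed."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB blocks: media are hashed and copied without loading them into memory
GENESIS = "0" * 64  # 'prev' value of the first custody entry


def acquire(source_path, image_path, algorithm="sha256", chunk=CHUNK):
    """Stream the source into an image file and hash the stream as it is read.
    The source is opened read-only; on a real case the medium also sits behind a
    hardware write blocker, because a read-only open does not stop the OS itself
    (auto-mount, journal replay) from writing to it."""
    digest = hashlib.new(algorithm)  # "ripemd160" also works where OpenSSL provides it
    size = 0
    with os.fdopen(os.open(source_path, os.O_RDONLY), "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            digest.update(block)
            dst.write(block)
            size += len(block)
    return {"algorithm": algorithm, "hash": digest.hexdigest(), "bytes": size, "image": image_path}


def hash_file(path, algorithm="sha256", chunk=CHUNK):
    """Hash a file in blocks; used for the independent re-hash of the image."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(record):
    """Re-hash the written image independently of the acquisition pass. A match
    proves the image equals what was read, not that the read was faithful: hash
    the write-blocked original again whenever the medium allows it."""
    return hash_file(record["image"], record["algorithm"]) == record["hash"]


def _last_line_hash(log_path):
    if not os.path.exists(log_path):
        return GENESIS
    with open(log_path, "rb") as f:
        lines = f.read().splitlines()
    return hashlib.sha256(lines[-1]).hexdigest() if lines else GENESIS


def log_custody(log_path, examiner, action, record, note=""):
    """Append one custody entry (one JSON object per line). Each entry carries the
    SHA-256 of the raw previous line, so editing, removing or reordering an earlier
    entry breaks verification of everything after it."""
    entry = {
        "time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner, "action": action, "note": note,
        "evidence": record, "prev": _last_line_hash(log_path),
    }
    with open(log_path, "ab") as f:
        f.write(json.dumps(entry, sort_keys=True).encode() + b"\n")
    return entry


def verify_custody_log(log_path):
    """True iff every entry's 'prev' equals the hash of the line before it."""
    expected = GENESIS
    with open(log_path, "rb") as f:
        for line in f.read().splitlines():
            if json.loads(line)["prev"] != expected:
                return False
            expected = hashlib.sha256(line).hexdigest()
    return True


def demo():
    """Acquire a constructed 3 MiB 'medium', log two custody actions, then show that
    one flipped bit in the image and one edited log entry are both detected."""
    work = tempfile.mkdtemp()
    src, img, log = (os.path.join(work, n) for n in ("evidence.bin", "evidence.dd", "custody.jsonl"))
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))  # odd length: the last block is a partial chunk
    record = acquire(src, img)
    log_custody(log, "examiner-1", "acquire", record, "bench 2, write blocker WB-01 (constructed labels)")
    log_custody(log, "examiner-1", "verify", record, "image re-hashed")
    clean = verify_image(record) and verify_custody_log(log) and record["bytes"] == os.path.getsize(src)
    with open(img, "r+b") as f:  # flip a single bit somewhere inside the image
        f.seek(4321)
        byte = f.read(1)
        f.seek(4321)
        f.write(bytes([byte[0] ^ 0x01]))
    with open(log, "rb") as f:  # rewrite the first (earlier) custody entry
        lines = f.read().splitlines()
    lines[0] = lines[0].replace(b"examiner-1", b"examiner-2")
    with open(log, "wb") as f:
        f.write(b"\n".join(lines) + b"\n")
    return {"clean": clean, "image_after_bit_flip": verify_image(record), "log_after_edit": verify_custody_log(log)}
```

Two limits worth knowing before relying on this pattern: the chain only protects entries that have a successor, so the final line can still be replaced unnoticed unless its hash is anchored outside the log (printed on the custody form, signed, or witnessed); and a read-only open is not a write blocker, since the operating system can still write to an attached medium, which is exactly the point of slide 37.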
40. Safe Acquisition Methods
Hint from the trenches (4): never manipulate live systems.
Uncontrolled handling may destroy critical evidence! Common mistakes include:
— Killing unknown system processes
— Using the OS GUI
— Browsing the Internet or the file system, thereby altering timestamps
— Running commands without logging
— Patching systems
— Installing forensic tools, etc.
Using non-intrusive methods, e.g. FireWire (DMA) memory dumps, one can acquire volatile data from a live system. (On current hardware an enabled IOMMU blocks this kind of DMA access, so the FireWire route is largely historical; the rule stands, only the tooling changes.)
41. Safeguarding Digital Evidence
Properly inventory the system and peripherals.
Disconnect all peripherals.
Label all cables.
In the case of multiple systems, label and code each system.
Place all magnetic media in antistatic packaging.
Properly label all containers used to hold the evidence.
Leave a blank or forensic boot disk in the diskette or CD-ROM drive (so the machine cannot boot from its own disk if it is powered on).
When seizing media only, be properly grounded before removing the media (the use of a grounding wrist strap is recommended).
When seizing media only, record make, model, serial number, and the drive geometry stencilled on the label.
42. Safeguarding Digital Evidence
Transportation and Storage:
Keep electronic evidence away from magnetic sources (e.g. radio transmitters, speaker magnets and heated seats).
Protect evidence from extremes of temperature.
Use proper anti-shock packing material in all containers (e.g. antistatic bubble wrap; avoid Styrofoam, which builds up static charge).
Maintain the chain of custody on all evidence transported.
Warning: prolonged storage can result in alteration of system evidence (dates, times, etc.) as batteries have a limited lifespan.
Store all seized evidence in a properly secured storage area (e.g. locked cabinet, restricted-access lab, etc.).
43. Safeguarding Digital Evidence
Transportation and Storage Tools:
Antistatic bags.
Antistatic bubble wrap.
Cable ties.
Evidence bags.
Evidence tape.
Packing materials (avoid materials that can produce static electricity, such as Styrofoam or Styrofoam peanuts).
Packing tape.
Sturdy boxes of various sizes.