Brief introduction to digital forensics; definition, branches, description of its phases and important concepts.
Subscribe to the YouTube channel:
https://youtube.com/channel/UC4bvx2ub2h7F_FrZKF9QGIg
2. DEFINITION
Digital forensics can be defined as:
“The use of scientifically derived and proven methods
toward the preservation, collection, validation,
identification, analysis, interpretation, documentation
and presentation of digital evidence derived from digital
sources for the purpose of facilitating or furthering the
reconstruction of events [...]”
Digital Forensic Research Workshop (DFRWS), 2001
3. BRANCHES OF DIGITAL FORENSICS
• Computer forensics
• Disk and filesystem forensics
• Memory forensics
• Mobile forensics
• Network forensics
• Cloud forensics
• IoT forensics and more…
4. PHASES OF DIGITAL FORENSICS
• Assessment
• Acquisition
• Analysis
• Reporting
5. ACQUISITION
• Acquisition means producing a bit-for-bit copy (image) of
the device(s) or data.
• Always attach and mount the device in read-only mode!
• Always verify the integrity of the image (hash the source
and the image and compare)!
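As an added example of the two acquisition rules above (not part of the original slides), the script below images a source opened read-only into an image file, hashes the source stream while copying, then re-hashes the finished image and compares the two digests. The device path, image path and sample contents are constructed for the demo; a real device would additionally sit behind a write blocker.

```python
"""Added example (not from the slides): acquire an image and verify its integrity.
The source is opened read-only, hashed as it is streamed into the image, and the
image is hashed again after it has been written. Matching digests are the
evidence that the copy is bit-for-bit identical. All paths and data are
constructed for the demo."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so large devices never sit in RAM

# Constructed stand-in for the contents of a seized device.
SAMPLE_DATA = b"FAT32 boot sector placeholder\x00" * 4096 + bytes(range(256)) * 16


def sha256_of_file(path: str) -> str:
    """Hash a file by streaming it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, image: str) -> dict:
    """Copy `source` to `image` byte for byte while hashing the source stream.

    The source is opened with O_RDONLY so the acquisition itself cannot write to
    it (a real device would additionally be behind a write blocker). After the
    image is flushed to disk it is hashed independently and the two digests are
    compared; a mismatch means the acquisition cannot be trusted."""
    h = hashlib.sha256()
    fd = os.open(source, os.O_RDONLY)
    with os.fdopen(fd, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is re-hashed
    source_hash = h.hexdigest()
    image_hash = sha256_of_file(image)
    return {
        "source": source,
        "image": image,
        "bytes": os.path.getsize(image),
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-verify an image later (for example before analysis) against the recorded hash."""
    return sha256_of_file(image) == expected_sha256


def demo() -> dict:
    """Run the acquisition on a constructed 'device' inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence_disk.bin")  # constructed sample device
        image = os.path.join(tmp, "evidence_disk.dd")
        with open(source, "wb") as f:
            f.write(SAMPLE_DATA)
        record = acquire_image(source, image)
        record["reverified"] = verify_image(image, record["source_sha256"])
        record["matches_source_digest"] = (
            record["image_sha256"] == hashlib.sha256(SAMPLE_DATA).hexdigest()
        )
        return record


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The recorded digests belong in the acquisition notes and in the chain-of-custody record, so that anyone who later works on the image can run `verify_image` and show it is still the copy that was acquired.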
6. ANALYSIS
• Analysis includes extraction and recovery of data
from the image and their subsequent examination
and interpretation.
• Always work on the image and not on the original
device or data!
7. REPORTING
• Reporting is about documenting and writing the
report of all the forensic job done in the previous
phases.
• The final report documents the findings as well as
the procedures and tools used.
• The quality of the report can be decisive for the
outcome of the investigation!
8. ORDER OF VOLATILITY
• The order of volatility (OOV) ranks data by how quickly
it changes or is lost.
• For example, data in RAM is more volatile than data on
a hard disk.
• More volatile data should be acquired first.
9. LOCARD'S PRINCIPLE
• Locard's exchange principle states that every
interaction with the crime scene leaves something
behind and takes something away.
• This also applies to the digital world and to digital
forensic examiners, who must be careful not to
corrupt evidence and must minimize the effects of
their own actions.
10. CHAIN OF CUSTODY
• Chain of custody refers to the complete route of the
evidence from its identification and collection to its
storage and preservation.
• The chain of custody must be properly documented
and cannot be broken for the evidence to be
admissible in court.
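The following is an added example (not from the slides) of how a chain-of-custody record can be made tamper-evident: each entry stores who handled the evidence, when, what was done and the evidence hash, and carries the SHA-256 of the previous entry. Editing, removing or reordering an entry breaks the links after it, which is what "the chain cannot be broken" means in practice. Custodian names, timestamps and the evidence hash are constructed placeholders.

```python
"""Added example (not from the slides): a hash-chained chain-of-custody log.
Every entry commits to the previous one, so any later modification of the
record is detectable by re-walking the chain. All names, times and hashes
used in the demo are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class CustodyEntry:
    timestamp: str        # ISO 8601, UTC
    custodian: str        # who holds the evidence after this action
    action: str           # e.g. "collected", "imaged", "transferred", "stored"
    evidence_id: str      # evidence item identifier
    evidence_sha256: str  # hash of the evidence item at the time of the action
    prev_hash: str        # entry_hash of the previous entry
    entry_hash: str = ""  # filled in by ChainOfCustody.append

    def compute_hash(self) -> str:
        """Hash a canonical JSON form of the entry (excluding entry_hash itself)."""
        payload = asdict(self)
        payload.pop("entry_hash")
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class ChainOfCustody:
    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def append(self, timestamp: str, custodian: str, action: str,
               evidence_id: str, evidence_sha256: str) -> CustodyEntry:
        """Add an entry linked to the current last entry."""
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(timestamp, custodian, action, evidence_id, evidence_sha256, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> List[int]:
        """Return indices of entries whose link is broken; an empty list means intact."""
        broken = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev or e.entry_hash != e.compute_hash():
                broken.append(i)
            prev = e.entry_hash
        return broken


def demo() -> dict:
    """Build a three-step chain, then show two kinds of after-the-fact edits being caught."""
    coc = ChainOfCustody()
    image_hash = "a" * 64  # constructed placeholder for the image's SHA-256
    coc.append("2024-01-10T09:00:00Z", "J. Doe (first responder)", "collected", "HDD-001", image_hash)
    coc.append("2024-01-10T11:30:00Z", "A. Smith (lab)", "imaged", "HDD-001", image_hash)
    coc.append("2024-01-10T12:00:00Z", "A. Smith (lab)", "stored in evidence locker", "HDD-001", image_hash)
    intact = coc.verify()
    # Edit 1: the custodian of the second entry is changed but its hash is left alone.
    coc.entries[1].custodian = "Unknown"
    tampered = coc.verify()
    # Edit 2: the editor also recomputes that entry's hash; now the *next* entry no longer links.
    coc.entries[1].entry_hash = coc.entries[1].compute_hash()
    tampered_rehashed = coc.verify()
    return {"intact": intact, "tampered": tampered, "tampered_rehashed": tampered_rehashed}


if __name__ == "__main__":
    print(demo())
```

Each entry's evidence hash should be the digest recorded at acquisition, so that the custody record and the image verification support each other.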
11. COMMERCIAL VS. OPEN SOURCE
FORENSIC TOOLS
• Examples of well-known commercial forensic suites are
Guidance EnCase, AccessData FTK and ProDiscover.
• They are, however, quite expensive, closed source and not
available on Linux.
• Open source tools are free and widely accepted by
the digital forensic community.
• Various Linux forensic distros available: SIFT, CSI,
Tsurugi, Caine, Paladin…