This is a draft presentation of the 2nd video of the course "Digital forensics with Kali Linux" published by Packt Publishing in May 2017: https://www.packtpub.com/networking-and-servers/digital-forensics-kali-linux In this presentation, we introduce digital forensics and cover the fundamental concepts that should be learned to fully understand the hands-on part of the course. The first part of the video gives a definition of what digital forensics is, explains which application areas it has and the various sub-branches in which is divided. The second part covers the different steps of digital forensics: assessment, acquisition, analysis and reporting. Next, the video explains important concepts like Locard’s principle, order of volatility and chain of custody. Finally, there is a comparison between commercial and open source tools.

1. Digital forensics with Kali Linux
Marco Alamanni
Video 1.2
Brief introduction to digital
forensics

2. In this Video, we are going to take a look at…
• Introduction to digital forensics: definition and applications
• Phases of digital forensics
• Important concepts: Locard's principle, order of volatility, chain of custody
• Commercial vs. open source tools

3. Introduction to digital forensics - definition
Digital forensics can be defined as “The use of scientifically derived and
proven methods toward the preservation, collection,
validation, identification, analysis, interpretation, documentation and
presentation of digital evidence derived from digital sources for the purpose
of facilitating or furthering the
reconstruction of events [...]”, Digital Forensic Research Workshop
(DFRWS), 2001

4. Introduction to digital forensics - applications
●
Main application of digital forensics is in criminal or civil investigations
●
Can also be applied to incident response and internal investigations

5. Introduction to digital forensics – sub-branches
Includes various sub-branches, for example:
•
Disk and filesystem forensics
•
Memory forensics
•
Mobile forensics
•
Network forensics

6. Phases of digital forensics
Main phases of digital forensics (Kruse and Heiser, 2001):
●
Assessment
●
Acquisition
●
Analysis
●
Reporting

7. Phases of digital forensics - Acquisition
●
Acquisition involves acquiring a copy or image of the device(s) or data.
●
Always mount the device in read-only mode!
●
Always verify the integrity of the image!

8. Phases of digital forensics - Analysis
●
Analysis includes extraction and recovery of data from the image
and their subsequent examination and interpretation.
●
It's the most technical part and we are going to cover it for the major part of the
course.
●
Always work on the image and not on the original device or data!

9. Phases of digital forensics - Reporting
●
Reporting is about documenting and writing the report of all the forensic job
done in the previous phases.
●
The final report documents the findings as well as the procedures and tools
used.
●
Could be very effective for the outcome of the investigation!

10. Important forensic concepts – Order of volatility
●
The order of volatility (OOV) defines the degree of volatility of data.
●
For example, data in RAM is more volatile than on hard disk.
●
More volatile data should be acquired first.

11. Important forensic concepts – Locard's principle
●
Locard's exchange principle states that every interaction with the crime
scene leaves something and make something to be taken away
●
This is also true in the digital world and for the forensic examiner too, that
should be careful not to corrupt evidence and minimize the effects of her
actions.

12. Important forensic concepts – Locard's principle
●
Locard's exchange principle states that every interaction with the crime
scene leaves something and make something to be taken away
●
This is also true in the digital world and for the forensic examiner too, that
should be careful not to corrupt evidence and minimize the effects of her
actions.

13. Important forensic concepts – Chain of custody
●
Chain of custody refers to the complete route of the evidence from its
identification and collection to its storage and preservation.
●
The chain of custody must be properly documented and cannot be broken for
the evidence to be admissable in a court.

14. Commercial vs. open source forensic tools
●
Examples of known commercial forensic suites are Guidance Encase, Access
Data FTK and ProDiscover.
●
But quite expensive, closed source and not available on Linux.
●
Open source tools are free and widely accepted by the digital forensic
community.
●
Kali Linux includes the majority of the forensic open source tools!

15. Video summary
●
Introduction to digital forensics and its applications.
●
Description of its main phases.
●
Introduction to important forensic concepts.
●
Comparison between commercial and open source tools.

16. Next Video
Downloading and installing Kali Linux