IBM ICE (Innovation Centre for Education)
9.1 Computer Forensics
© Copyright IBM Corporation
Unit objectives
After completing this unit, you should be able to:
• Implement the standard operating procedure to handle a security incident and collect the vital digital evidence without corrupting it.
• Properly identify and verify the system that has been affected by the attack.
• Take an image of the storage device for preservation and further processing.
• Follow the methods and techniques used to recover erased and damaged data.
• Understand the concepts and technology of cryptography and data compression, including the different types of algorithms used.
• Search for evidence on the storage devices seized from the scene of a security incident.
• Handle the various digital forensic tools used to analyze the data available on a storage device.
Digital Forensics
Digital Forensics - Definition
• Ken Zatyko, the former director of the Defense Computer Forensics Laboratory, defines digital forensics as “[t]he application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence (information of probative value that is stored or transmitted in binary form) after proper search authority, chain of custody, validation with mathematics (hash function), use of validated tools, repeatability, reporting and possible expert presentation”.
Standard Procedure of Computer Forensics
• Law enforcement and legal entities recognize the importance of computer forensics as cybercrime continues to rise.
• Investigators can connect cyber communications and digitally stored information to physical evidence of criminal activity.
• Computer forensics (CF) allows investigators to uncover premeditated criminal intent in the field, which aids in preventing cybercrime.
Policy and Procedure Development
• Digital evidence is highly delicate and sensitive.
• Procedures should include details about:
  • When investigators are authorized to recover potential digital evidence
  • How to properly prepare systems for evidence retrieval and where to store it
  • How to document these activities to help ensure the authenticity of the data
Digital Forensics - The stages
Evidence Assessment
• A clear understanding of the details of the case at hand determines the types of evidence that need to be assessed.
• Define the types of evidence sought and understand how to preserve the pertinent data.
Evidence Acquisition
• Extensive documentation is required in the acquisition process.
• Policies related to preserving the integrity of potential evidence are most applicable in this step.
• Acquiring evidence must be accomplished in a manner that is both deliberate and legal.
Evidence Examination
• Procedures for retrieving, copying, and storing evidence within appropriate databases.
• Analyzing file names, date and time information, etc., using forensic tools.
Documenting and Reporting
• The computer forensic investigator (CF-I) must keep an accurate record of all activities related to the investigation and all actions taken.
• To ensure the integrity of the evidence collected, photographing and video recording the evidence is mandatory.
• Hard drives must be handled with antistatic gloves to avoid static discharge from the investigator (CF-I).
Issues Computer Forensics Face
• Technical issues
  • Encryption
  • Increasing storage space
  • New technologies
  • Anti-forensics
• Legal issues
  • Legislative domains
  • Legal arguments
• Administrative issues
  • Accepted standards
Risks in Computer Forensics
Standard Procedure
1. Secure the subject digital evidence, including devices, from any kind of destruction, including electrical short circuits.
2. Photograph the subject digital evidence and devices, and document the network and other devices attached to them.
3. Disassemble the casing of the subject digital evidence device and thoroughly examine physical access to the storage devices.
4. Use antistatic gloves while handling electronic components, including storage devices.
5. Identify the storage devices that need to be acquired. These devices can be internal, external, or both.
6. Document the internal storage devices and hardware configuration:
   a) Drive condition (e.g., make, model, geometry, size, jumper settings, location, drive interface)
   b) Internal components (e.g., sound card; video card; network card, including media access control (MAC) address)
7. Disconnect the storage devices (by removing the power connector or data cable from the back of the storage drive or from the motherboard).
Incident Verification
1. Whenever required, perform the data acquisition using the examiner’s forensic system. When attaching the subject evidence storage device to the examiner’s forensic system, configure the storage device so that it will be recognized.
2. Proper write protection (hardware or software) should be in place while connecting the subject evidence storage device, to preserve the original evidence and protect it from being altered automatically by the operating system of the examiner’s system.
3. The examiner should create a hash value of the subject evidence storage device by performing an independent standard hash calculation using an MD5 or SHA algorithm, and this has to be noted down along with the subject evidence identification number.
4. Ensure that the examiner’s storage device is forensically clean when acquiring the evidence.
5. Investigate the geometric properties of the storage devices in order to ensure that all space is accounted for (every bit), including host-protected areas (e.g., that non-host-specific data such as the partition table matches the physical geometry of the drive).
6. Capture the electronic serial number of the drive and of other user-accessible devices.
System identification
1. Arrange a meeting with the IT manager to interview them and pick up the storage media.
2. After interviewing the IT manager, fill out the evidence form, have them sign it, and then sign it yourself.
3. Store the storage media in an evidence bag that includes an anti-static cover and bubble cover, and then transport it to your forensic facility.
4. Carry the evidence in a secure container, such as a locker, cabinet, or safe.
5. Complete the evidence custody form. If the procedure uses a multi-evidence form, the forms can be stored in the file folder for the case. If a single-evidence form is used, store it with the secure container holding the evidence. Reduce the risk of tampering by limiting access to the forms.
6. Secure the evidence by locking the container.
Recovery of Erased and damaged data
1. Most volumes contain reams of potentially interesting data outside of the viewable, allocated files on a mounted file system. This includes several categories of “deleted data.”
2. Deleted files are the “most recoverable.”
3. Orphaned files are similar to deleted files, except that the link between the file name and the metadata structure is no longer accurate.
4. Unallocated files are those whose once-allocated file name entry and associated metadata structure have become unlinked and/or reused.
5. Overwritten files have one or more of their data units reallocated to another file; this is also called file slack.
Disk imaging and preservation
1. A bit-stream copy is a bit-by-bit copy (also known as a sector copy) of the original drive or storage medium and is an exact duplicate.
2. The more exact the copy, the better chance you have of retrieving the evidence you need from the disk. This process is usually referred to as “acquiring an image” or “making an image” of a suspect drive.
3. A bit-stream copy is different from a simple backup copy of a disk. Backup software can only copy or compress files that are stored in a folder or are of a known file type. Backup software can’t copy deleted files and e-mails or recover file fragments.
4. Acquire the “bit-stream image” (copy) of the subject evidence storage device to the examiner’s storage device using the appropriate software and hardware tools.
5. Verify successful acquisition by comparing the hash value of the original subject evidence storage device with the hash value of the bit-stream image copy, or by doing a sector-by-sector comparison of the original subject evidence storage device against the bit-stream image copy.
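As an added example (not part of the IBM course material), the Python below models the hash-before-imaging step from the Incident Verification list together with steps 4 and 5 above: the source is hashed independently (MD5 and SHA-256), copied sector by sector behind a simulated write blocker, and the image is verified both by hash comparison and sector by sector. `ReadOnlyDevice`, `acquire_image`, `verify_image` and the sample drive contents are constructed stand-ins, and the zero-filling of an unreadable sector is common imager behaviour that the deck itself does not describe.

```python
import hashlib
import io
import random

SECTOR_SIZE = 512


class ReadOnlyDevice:
    """Hypothetical stand-in for the subject drive behind a write blocker; bad_sectors simulates unreadable sectors."""

    def __init__(self, data: bytes, bad_sectors=()):
        self._buf = io.BytesIO(data)
        self._size = len(data)
        self._bad = set(bad_sectors)

    @property
    def sector_count(self) -> int:
        return (self._size + SECTOR_SIZE - 1) // SECTOR_SIZE

    def read_sector(self, index: int) -> bytes:
        if index in self._bad:
            raise OSError(f"I/O error reading sector {index}")
        self._buf.seek(index * SECTOR_SIZE)
        return self._buf.read(SECTOR_SIZE)

    def write(self, *_):
        # The write blocker refuses every write, so the examiner's OS cannot alter the evidence.
        raise PermissionError("device is write-protected")


def hash_chunks(chunks, algorithms=("md5", "sha256")) -> dict:
    """Hash an iterable of byte chunks with each named algorithm (MD5 and SHA-256 here)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_device(dev: ReadOnlyDevice) -> dict:
    """Independent hash of the source taken before imaging; recorded with the evidence ID."""
    return hash_chunks(dev.read_sector(i) for i in range(dev.sector_count))


def acquire_image(dev: ReadOnlyDevice):
    """Bit-stream copy: returns (image_bytes, acquisition_hashes, bad_sector_log).
    An unreadable sector is zero-filled so the image keeps the drive's geometry;
    its index goes into the log that belongs in the acquisition notes."""
    out = io.BytesIO()
    hashers = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    bad = []
    for i in range(dev.sector_count):
        try:
            sector = dev.read_sector(i)
        except OSError:
            sector = b"\x00" * SECTOR_SIZE
            bad.append(i)
        out.write(sector)
        for h in hashers.values():
            h.update(sector)
    return out.getvalue(), {n: h.hexdigest() for n, h in hashers.items()}, bad


def verify_image(dev: ReadOnlyDevice, image: bytes, acquisition_hashes: dict) -> dict:
    """Compare the image hash with the acquisition hash, then compare sector by sector.
    The hash says whether anything differs; the sector comparison says where, and a
    sector that cannot be re-read from the source is reported as differing."""
    image_hashes = hash_chunks([image])
    differing = []
    for i in range(dev.sector_count):
        try:
            src = dev.read_sector(i)
        except OSError:
            differing.append(i)
            continue
        if src != image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]:
            differing.append(i)
    return {"hashes_match": image_hashes == acquisition_hashes,
            "image_hashes": image_hashes, "differing_sectors": differing}


def build_evidence(seed: int = 7, sectors: int = 16) -> bytes:
    """Constructed sample drive: deterministic pseudo-random sectors plus a marker string."""
    rnd = random.Random(seed)
    data = bytearray(rnd.getrandbits(8) for _ in range(sectors * SECTOR_SIZE))
    data[1024:1024 + 18] = b"case-0001 evidence"
    return bytes(data)


def demo() -> dict:
    """Run a clean acquisition and one from a drive with an unreadable sector 5."""
    original = build_evidence()
    clean = ReadOnlyDevice(original)
    pre_hash = hash_device(clean)                        # hash before imaging
    image, acq_hash, bad = acquire_image(clean)          # bit-stream image
    clean_report = verify_image(clean, image, acq_hash)  # verify hash, then sectors
    # Unreadable sector: image keeps its size, the log names the sector, the sector compare pinpoints it.
    damaged = ReadOnlyDevice(original, bad_sectors={5})
    image2, acq_hash2, bad2 = acquire_image(damaged)
    damaged_report = verify_image(damaged, image2, acq_hash2)
    return {"pre_hash": pre_hash, "acq_hash": acq_hash, "bad": bad, "clean": clean_report,
            "acq_hash2": acq_hash2, "bad2": bad2, "damaged": damaged_report,
            "image2_len": len(image2), "sector5": image2[5 * SECTOR_SIZE:6 * SECTOR_SIZE]}
```

In the damaged case the image still verifies against its own acquisition hash, which is why the pre-imaging hash of the source and the bad-sector log must both be recorded: without them the zero-filled sector would be indistinguishable from genuine drive contents.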
Data encryption and compression
1. Encrypted files are encoded to prevent unauthorized access.
2. To decode an encrypted file, users supply a password or passphrase.
3. Without the passphrase, recovering the contents of encrypted files is difficult.
4. Many commercial encryption programs use a technology called key escrow, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure.
5. Most graphics file formats, including GIF and JPEG, compress data to save disk space and reduce the file’s transmission time. Other formats, such as BMP, rarely compress data or do so inefficiently.
6. Data compression is the process of coding data from a larger form to a smaller form. Graphics files and most compression tools use one of two data compression schemes: lossless or lossy.
7. Lossless compression techniques reduce file size without removing data.
8. Lossy compression is different because it compresses data by permanently discarding bits of information in the file. Some discarded bits are redundant, but others are not.
Forensic software
1. EnCase
2. Autopsy
3. FTK
4. ProDiscover
5. Helix3 Enterprise
6. CAINE
Checkpoint
1. When shutting down a computer, what information is typically lost?
   A. Data in RAM memory
   B. Running processes
   C. Current network connections
   D. Current logged-in users
   E. All of the above
2. With remote acquisitions, what problems should you be aware of?
   A. Data transfer speeds
   B. Access permissions over the network
   C. Antivirus, antispyware, and firewall programs
   D. All of the above
3. What two data-copying methods are used in software data acquisitions?
   A. Remote and local
   B. Local and logical
   C. Logical and physical
   D. Physical and compact
4. Hashing, filtering, and file header analysis make up which function of computer forensics tools?
   A. Validation and discrimination
   B. Acquisition
   C. Extraction
   D. Reporting
5. Which of the following is true of most drive-imaging tools?
   A. They perform the same function as a backup.
   B. They ensure that the original drive doesn’t become corrupt and damage the digital evidence.
   C. They create a copy of the original drive.
   D. They must be run from the command line.
6. Make sure you always document the following points, except:
   A. Who collected the evidence, how they did it and where they got it
   B. Who took possession of it
7. Make sure you always label any hardware with the following, except:
   A. Part number
   B. Case number
   C. Short description of the hardware
   D. The time and date you got the evidence
   E. Your signature
8. The following general computer evidence processing steps have been provided, except:
   A. Shut down the computer.
   B. Document the hardware configuration of the system.
   C. Transport the computer system to an unsecure location.
   D. Make bit stream backups of hard disks and floppy disks.
   E. Mathematically authenticate data on all storage devices.
9. When two different keys encrypt a plaintext message into the same ciphertext, this situation is known as:
   A. Public key cryptography
   B. Cryptanalysis
   C. Key clustering
   D. Hashing
10. Which of the following is a problem with symmetric key encryption?
   A. It is slower than asymmetric key encryption.
   B. Most algorithms are kept proprietary.
   C. Work factor is not a function of the key size.
   D. It provides secure distribution of the secret key.
Checkpoint Solutions
1. E. When the system is shut down normally or the plug is pulled, all of the above live system-state data is lost.
2. D. Should be aware of all the parameters
3. C. Logical and Physical
4. B. Acquisition
5. C. They create a copy of the original drive.
6. D. How it was stored and unprotected
7. A. A part number
8. C. Transport the computer system to an unsecure location
9. A. Public key cryptography
10. D. It provides secure distribution of the secret key
Unit summary
Having completed this unit, you should be able to:
• Implement the standard operating procedure to handle a security incident and collect the vital digital evidence without corrupting it.
• Properly identify and verify the system that has been affected by the attack.
• Take an image of the storage device for preservation and further processing.
• Follow the methods and techniques used to recover erased and damaged data.
• Understand the concepts and technology of cryptography and data compression, including the different types of algorithms used.
• Search for evidence on the storage devices seized from the scene of a security incident.
• Handle the various digital forensic tools used to analyze the data available on a storage device.

Digital Forensics - Unit I - IBM Course.


Editor's Notes

  • #9 (Issues Computer Forensics Face)

Technical issues

Encryption
Encrypted data can be impossible to view without the correct key or password. If the key isn’t available or the owner won’t reveal it, it may be stored:
  • elsewhere on the computer
  • on another computer which the suspect can access
  • in the computer’s volatile memory (RAM). This is usually lost when a computer is shut down.
When encryption may be present, the examiner may need to consider using the ‘live acquisition’ techniques outlined above.

Increasing storage space
Storage media hold ever-greater amounts of data, so the examiner’s analysis computers need sufficient processing power and available storage capacity to search and analyse large amounts of data efficiently.

New technologies
Computing is a continually evolving field, with new hardware, software and operating systems emerging constantly. No single computer forensic examiner can be an expert on all areas, though they are often expected to analyse things that they haven’t encountered before. This means computer forensics examiners must be prepared and able to experiment with new technologies. At this point, networking and sharing knowledge with other computer forensic examiners comes in useful, because someone else may already have come across the same issue.

Anti-forensics
Anti-forensics is the practice of attempting to thwart computer forensic analysis through encryption, over-writing data to make it unrecoverable, modifying files’ metadata and file obfuscation (disguising files). As with encryption, the evidence that such methods have been used may be stored elsewhere on the computer or on another computer which the suspect can access. In our experience, it’s very rare to see anti-forensics tools used correctly and frequently enough to totally obscure their presence or the presence of the evidence they were used to hide.

Legal issues

Legislative domains
Data often isn’t stored on a person’s computer but on remote computers which they are renting storage space on, otherwise known as the ‘cloud’. This data may be in a different country, meaning access to it could involve different legislation. And if access is possible, it may be complicated and expensive.

Legal arguments
Legal issues can confuse or distract from a computer examiner’s findings. One example of this is the ‘Trojan Defence’. A Trojan is a piece of computer code disguised as something benign, but which has a hidden and malicious purpose. Trojans have many uses, including key-logging, uploading or downloading files, and installing viruses. A lawyer may be able to argue that actions on a computer were not carried out by a user, but instead automated by a Trojan without the user’s knowledge. This kind of Trojan Defence has been successfully used even when no trace of a Trojan or other malicious code was found on the suspect’s computer. In such cases, a competent opposing lawyer supplied with evidence from a competent computer forensic analyst should be able to dismiss the argument. A good examiner will have identified and addressed possible arguments from the ‘opposition’ during the analysis and writing stages of their report.

Administrative issues

Accepted standards
There are all kinds of standards and guidelines in computer forensics, few of which are universally accepted. The reasons for this include:
  • Standard-setting bodies can be tied to particular legislations
  • Standards are aimed either at law enforcement or commercial forensics, but not both
  • The authors of such standards are not accepted by their peers
  • High joining fees for professional bodies can discourage practitioner